Debian Security Advisory

DSA-393-1 openssl -- denial of service

Date Reported:
01 Oct 2003
Affected Packages:
openssl
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 8732.
In Mitre's CVE dictionary: CVE-2003-0543, CVE-2003-0544.
CERT's vulnerabilities, advisories and incident notes: CA-2003-26.
More information:

Dr. Stephen Henson, using a test suite provided by NISCC, discovered a number of errors in the OpenSSL ASN1 code. Combined with an error that causes the OpenSSL code to parse client certificates even when it should not, these errors can cause a denial of service (DoS) condition on a system using the OpenSSL code, depending on how that code is used. For example, even though apache-ssl and ssh link to OpenSSL libraries, they should not be affected by this vulnerability. However, other SSL-enabled applications may be vulnerable and an OpenSSL upgrade is recommended.

For the current stable distribution (woody) these problems have been fixed in version 0.9.6c-2.woody.4.

For the unstable distribution (sid) these problems have been fixed in version 0.9.7c-1.

We recommend that you update your openssl package. Note that you will need to restart services which use the libssl library for this update to take effect.
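One way to verify that an installed openssl package is at or past the fixed versions named above, as an added example that is not part of the advisory or of Debian's own tooling: a Python implementation of the dpkg version-ordering rules (epoch, upstream, revision; `~` before everything, numeric digit runs). The installed version strings exercised in the test are constructed, not taken from the advisory.

```python
import re

# Fixed versions quoted from the advisory text above.
FIXED = {"woody": "0.9.6c-2.woody.4", "sid": "0.9.7c-1"}


def _order(c: str) -> int:
    # dpkg weights: digit or end-of-string 0, '~' below everything,
    # letters by code point, any other character after all letters.
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream or revision part the way dpkg does (<0, 0, >0)."""
    while a or b:
        # Non-digit run: character by character using _order.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: ignore leading zeros, then compare numerically.
        a, b = a.lstrip("0"), b.lstrip("0")
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if len(da) != len(db):
            return len(da) - len(db)
        if da != db:
            return -1 if da < db else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v: str) -> tuple:
    """'[epoch:]upstream[-revision]'; the revision starts at the last '-'."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    c = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)

def is_fixed(installed: str, suite: str) -> bool:
    """True when the installed openssl version already carries the fix."""
    return compare_versions(installed, FIXED[suite]) >= 0
```

On a Debian host the same decision is available from `dpkg --compare-versions`; the code above makes the ordering rules visible, for instance that `2.woody.10` is newer than `2.woody.4` while `2.woody.4~bpo1` is older.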

Fixed in:

Debian GNU/Linux 3.0 (woody)

Updated packages were provided for the architecture-independent component and for Intel IA-32, Intel IA-64, Motorola 680x0, big endian MIPS, little endian MIPS, IBM S/390 and Sun Sparc.

MD5 checksums of the listed files are available in the original advisory.