Debian Security Advisory

DSA-2125-1 openssl -- buffer overflow

Date Reported:
22 Nov 2010
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 603709.
In Mitre's CVE dictionary: CVE-2010-3864.
More information:

A flaw has been found in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack. This allows an attacker to cause an application crash or potentially to execute arbitrary code.

However, not all OpenSSL based SSL/TLS servers are vulnerable: a server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected.

This upgrade fixes this issue. After the upgrade, any services using the openssl libraries need to be restarted. The checkrestart script from the debian-goodies package or lsof can help to find out which services need to be restarted.

A note to users of the tor packages from the Debian backports or Debian volatile: this openssl update causes problems with some versions of tor. You need to update to tor or, respectively. The tor package version from Debian stable is not affected by these problems.

For the stable distribution (lenny), the problem has been fixed in openssl version 0.9.8g-15+lenny9.

For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 0.9.8o-3.

We recommend that you upgrade your openssl packages.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

HP Precision:
Intel IA-32:
Intel IA-64:
Big-endian MIPS:
Little-endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.