CVE-2008-1678

Publication date 10 July 2008

Last updated 24 July 2024


Ubuntu priority

Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm.


Status

Package    Ubuntu Release     Status
apache2    8.10 intrepid      Not affected
apache2    8.04 LTS hardy     Fixed 2.2.8-1ubuntu0.3
apache2    7.10 gutsy         Fixed 2.2.4-3ubuntu0.2
apache2    7.04 feisty        Not affected
apache2    6.06 LTS dapper    Not affected

Notes


kees

This was fixed via SRU in hardy prior to getting a CVE.


mdeslaur

Bug 224945 says gutsy is also affected.

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package Patch details
apache2

References

Related Ubuntu Security Notices (USN)

    • USN-731-1: Apache vulnerabilities (10 March 2009)
