In association with heise online

29 March 2010, 12:33

'Record of Death' takes out OpenSSL servers


Crafted TLS packets can crash OpenSSL servers and clients. The problem is caused by an error in the ssl3_get_record() function, which processes SSL records, the units in which data is transferred between end points. According to an advisory from the OpenSSL development team, incorrectly formatted records can cause a memory access error.

OpenSSL versions 0.9.8f to 0.9.8m are affected in theory; however, the bug depends on the C compiler used. Where 'short' is defined as a 16-bit integer (which is almost always the case), only 0.9.8m is affected. Updating to OpenSSL version 0.9.8n resolves the problem.
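As an added example (not code from the article or from the OpenSSL project), the following triages `openssl version` banners against the range stated above. The function names, status labels and sample banners are constructed for illustration, and the width of 'short' has to be supplied by the caller because the banner does not reveal it.

```python
import re

# Range as stated in the article: 0.9.8f to 0.9.8m affected in theory,
# only 0.9.8m where 'short' is 16 bits wide, fixed in 0.9.8n.
BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def patch_rank(letters):
    """Order patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' ..."""
    return sum(ord(c) - ord("a") + 1 for c in letters)

def classify(banner, short_bits=16):
    """Classify one version banner (hypothetical helper).

    short_bits: width of 'short' in the compiler that built the library.
    """
    m = BANNER.search(banner)
    if not m:
        return "unparsed"
    if tuple(int(g) for g in m.group(1, 2, 3)) != (0, 9, 8):
        return "outside-article-range"  # the article makes no statement here
    rank = patch_rank(m.group(4))
    if rank >= patch_rank("n"):
        return "fixed"
    if rank < patch_rank("f"):
        return "outside-article-range"
    if short_bits == 16 and rank != patch_rank("m"):
        return "not-affected-with-16-bit-short"
    return "affected"

def triage(inventory):
    """Map host -> status for (host, banner, short_bits) tuples."""
    return {host: classify(banner, bits) for host, banner, bits in inventory}

# Constructed sample inventory, not real hosts or real scan output.
SAMPLE = [
    ("web-01", "OpenSSL 0.9.8m 25 Feb 2010", 16),
    ("web-02", "OpenSSL 0.9.8k 25 Mar 2009", 16),
    ("embedded-01", "OpenSSL 0.9.8g 19 Oct 2007", 32),
    ("mail-01", "OpenSSL 0.9.8n 24 Mar 2010", 16),
    ("legacy-01", "banner unavailable", 16),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

Hosts reported as "outside-article-range" need to be checked against the OpenSSL advisory itself, since the article only covers the 0.9.8f to 0.9.8n range.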


(djwm)

Permalink: http://h-online.com/-965939
 

