Hi All,

From my reading of the bugtraq info, the problem is in the
zlib_stateful_init() function in Openssl versions 0.9.8f through 0.9.8h
which can be exploited via any application utilizing openssl, including
Apache.

Here is a reference from the OpenSSL Project:
http://marc.info/?l=openssl-dev&m=121060672602371&w=2
and the change introducing the bug: http://cvs.openssl.org/chngview?cn=15897


Please tell this bug is in openssl or Apache .

Please Help.Its is urgent need.

Thanks

Joshi Chandran


Dustin Kirkland-2 wrote:
>
> I'm trying to solve a reproducible memory leak that manifests itself
> with SSL + Apache2:
> https://bugs.launchpad.net/ubuntu/+s...e2/+bug/224945
>
> Valgrind, plus our own research, points to a possible memory leak in
> crypto/comp/c_zlib.c in libssl0.9.8g.
>
> We see:
> struct zlib_state *state = -> (struct zlib_state
> *)OPENSSL_malloc(sizeof(struct zlib_state));
> allocating the data.
>
> However, it does not seem that a zlib_stateful_free_ex_data() is called
> to free it.
>
>
> Thanks,
> :-Dustin
>
> Dustin Kirkland
> Ubuntu Server Developer
> Canonical, LTD
> GPG: 1024D/83A61194
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majordomo@openssl.org
>
>


--
View this message in context: http://www.nabble.com/possible-memor...p20280458.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org