CVE-2009-1378

Vulnerability Description

Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."

CVSS Score

Affected Products

Related Weaknesses (CWE)

References

• ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.ascBroken LinkThird Party Advisory
• http://cvs.openssl.org/chngview?cn=18188Broken LinkPatchVendor Advisory
• http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444Broken LinkThird Party Advisory
• http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.htmlMailing ListThird Party Advisory
• http://lists.vmware.com/pipermail/security-announce/2010/000082.htmlThird Party Advisory
• http://marc.info/?l=openssl-dev&m=124247679213944&w=2Mailing ListPatchThird Party Advisory
• http://marc.info/?l=openssl-dev&m=124263491424212&w=2ExploitMailing ListThird Party Advisory
• http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guestBroken LinkThird Party Advisory
• http://secunia.com/advisories/35128Not ApplicableThird Party Advisory
• http://secunia.com/advisories/35416Not ApplicableThird Party Advisory
• http://secunia.com/advisories/35461Not ApplicableThird Party Advisory
• http://secunia.com/advisories/35571Not ApplicableThird Party Advisory
• http://secunia.com/advisories/35729Not ApplicableThird Party Advisory
• http://secunia.com/advisories/36533Not ApplicableThird Party Advisory
• http://secunia.com/advisories/37003Not ApplicableThird Party Advisory