An OpenSource VooDoo cIRCle - security advisory 20091012-01

Persistent URL of this advisory is available at


In Win32/64 binary releases there are vulnerable OpenSSL DLL files. All users ar encouraged to upgrade to the latest version.


From Secunia's advisory at
Some vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) The library does not limit the number of buffered DTLS records with a future epoch. This can be exploited to exhaust all available memory via specially crafted DTLS packets.

2) An error when processing DTLS messages can be exploited to exhaust all available memory by sending a large number of out of sequence handshake messages.

3) A use-after-free error in the "dtls1_retrieve_buffered_fragment()" function can be exploited to cause a crash in a client context.

4) An error in the "dtls1_process_out_of_seq_message()" function can be exploited to crash a DTLS server via a specially crafted out of sequence DTLS packet.

See vendor's advisories:

All versions prior to 1.1.37 are affected by these security vulnerabilities. VooDoo cIRCle 1.1.37 binary relases for Win32/64 are not affected by these security vulnerabilities. Versions using older OpenSSL library, though on any platform, or custom builds, are vulnerable, that is, both all binary-distributed versions of VooDoo cIRCle prior to 1.1.37, and those linked against vulnerable OpenSSL library are affected by these vulnerabilities.

Binary builds of VooDoo cIRCle project for both Win32 and x64 contain OpenSSL library from CVS snapshot taken from, that is, as of 2009-10-10 retrieved the same day.


There is no known workaround at this time.


Update to the latest version, VooDoo cIRCle 1.1.37, which is not vulnerable.

Since OpenSSL maintainers does not take security vulnerabilities seriously, from 16th May 2009 they have not released fixed source code. These four vulnerabilities are only fixed in CVS so far (!). It is recommended to download snapshot of CVS repository of "branch" version 0.9.8-stable from vendor's site at, and build the library yourself.
All Windows users using binary builds are strongly encouraged to download the latest version of VooDoo cIRCle.

Time line

2009-05-18 - Received notification about four OpenSSL vulnerabilities from
2009-10-12 - Release of VooDoo cIRCle 1.1.37, public disclosure - this advisory.


2009-10-12 - Initial revision

Legal notice

Some names used in this document may be registered trademarks of their respective owners.

Get VooDoo cIRCle at Fast, secure and Free Open Source software downloads