httpd-dev mailing list archives

From Ben Laurie <>
Subject Apache-SSL buffer overflow (fix available)
Date Fri, 01 Mar 2002 11:47:36 GMT

Apache-SSL buffer overflow condition (all versions prior to 1.3.22+1.46)


A buffer overflow was recently found in mod_ssl, see:

for details. The offending code in mod_ssl was, in fact, derived from
Apache-SSL, and Apache-SSL is also vulnerable.

As in mod_ssl, this flaw can only be exploited if client certificates
are being used, and the certificate in question must be issued by a
trusted CA.


Download Apache-SSL 1.3.22+1.46 from the usual places (see


Thanks to Ed Moyle for finding the flaw.


No thanks to anyone at all for alerting me before going
public. Cheers, guys.


This advisory can be found at:

A mirror which definitely has the new version:

Ben Laurie, March 1, 2002.


"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
