httpd-dev mailing list archives

From André Malo ...@perlig.de>
Subject Re: Apache 2.0.50 mod_ssl
Date Sun, 04 Jul 2004 21:31:08 GMT
* Kenneth Simpson <ken@VirtualMachines.COM> wrote:

> In the event someone hasn't already pointed this out, there doesn't appear
> to be a patch for CAN-2004-0488 (buffer overrun in mod_ssl) in Apache 2.0.50
> as indicated on http://httpd.apache.org.
> 
> I quote:
> 
> "This Announcement notes the significant changes in 2.0.50 as compared 
> to 2.0.49."
> 
> "Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a (trusted)
> client certificate subject DN which exceeds 6K in length. [CAN-2004-0488
> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488>]"
> 
> mod_ssl doesn't change when upgrading from Apache 2.0.49 to Apache 2.0.50.

Sure, it does, for example:
http://cvs.apache.org/viewcvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.82.2.12&r2=1.82.2.13

Perhaps an error occurred during your upgrade? Did you use a vanilla apache
and did you verify the download with pgp or md5?

nd
-- 
"Comprehensive work (also for those switching from Apache 1.3)"
                                          -- from a review

<http://pub.perlig.de/books.html#apache2>
