httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: http://httpd.apache.org/ note about 2.0.50
Date Thu, 01 Jul 2004 02:30:50 GMT
At 08:58 PM 6/30/2004, Albert Chin wrote:
>According to http://httpd.apache.org/:
>  This version of Apache is principally a bug fix release. Of particular
>  note is that 2.0.50 addresses one security vulnerability:
>
>  A remotely triggered memory leak in http header parsing can allow a
>  denial of service attack due to excessive memory consumption.
>  [CAN-2004-0493]
>
>  Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a
>  (trusted) client certificate subject DN which exceeds 6K in length.
>  [CAN-2004-0488]
>
>If 2.0.50 addresses "one security vulnerability", why are two listed?

Because the other was patched much earlier, and adding the second
was a late addition.  Simple typo.

>I thought CAN-2004-0488 was for 1.3.x?

Nope, entirely not applicable to 1.3.  The ASF has no SSL provider
for Apache 1.3.

The modssl project for 1.3 was affected, of course.

Bill
