Posted to dev@httpd.apache.org by Kenneth Simpson <ke...@VirtualMachines.COM> on 2004/07/04 23:05:51 UTC
Apache 2.0.50 mod_ssl
In the event someone hasn't already pointed this out, there doesn't appear
to be a patch for CAN-2004-0488 (buffer overrun in mod_ssl) in Apache 2.0.50
as indicated on http://httpd.apache.org.
I quote:
"This Announcement notes the significant changes in 2.0.50 as compared
to 2.0.49."
"Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a
(trusted) client certificate subject DN which exceeds 6K in length.
[CAN-2004-0488 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488>]"
mod_ssl doesn't change when upgrading from Apache 2.0.49 to Apache 2.0.50.
Re: Apache 2.0.50 mod_ssl
Posted by Joshua Slive <jo...@slive.ca>.
On Sun, 4 Jul 2004, Kenneth Simpson wrote:
> mod_ssl doesn't change when upgrading from Apache 2.0.49 to Apache 2.0.50.
This would happen if you had mod_ssl installed as a DSO but didn't specify
--enable-ssl=shared on the ./configure command line when upgrading. The
old module would remain.
Joshua.
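A check for the situation described in the reply above, as an added example that is not part of the original thread: it lists DSO modules that the upgrade left in place by comparing their modification times with that of the httpd binary. The function name, the one-hour slack, the install paths in the usage comment and the reliance on GNU `stat -c %Y` are assumptions of this example, as is the premise that the installer gives every file it writes a fresh modification time.

```shell
#!/bin/sh
# stale_modules HTTPD_BINARY MODULES_DIR [SLACK_SECONDS]
#
# Prints every *.so in MODULES_DIR whose mtime is more than SLACK_SECONDS
# older than HTTPD_BINARY. A module that was not rebuilt during the upgrade
# (for example mod_ssl when --enable-ssl=shared was left off ./configure)
# keeps its old mtime while the binary gets a new one.
#
# Hypothetical usage (paths are assumptions, adjust to the local prefix):
#   sh stale_modules.sh /usr/local/apache2/bin/httpd /usr/local/apache2/modules
stale_modules() {
    sm_bin=$1
    sm_dir=$2
    sm_slack=${3:-3600}   # files of one install run differ by seconds, not hours

    # Requires GNU stat; %Y is the mtime in seconds since the epoch.
    sm_bin_mtime=$(stat -c %Y "$sm_bin") || return 2

    for sm_so in "$sm_dir"/*.so; do
        # An unmatched glob stays literal; skip it.
        [ -e "$sm_so" ] || continue
        sm_so_mtime=$(stat -c %Y "$sm_so") || continue
        if [ $((sm_bin_mtime - sm_so_mtime)) -gt "$sm_slack" ]; then
            printf '%s\n' "$sm_so"
        fi
    done
}

# Run the check when the script is called with a binary and a modules directory.
if [ "$#" -ge 2 ]; then
    stale_modules "$@"
fi
```

Any module this prints predates the running binary and should be rebuilt with the matching shared-module option before the server is treated as upgraded.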
Re: Apache 2.0.50 mod_ssl
Posted by André Malo <nd...@perlig.de>.
* Kenneth Simpson <ke...@VirtualMachines.COM> wrote:
> In the event someone hasn't already pointed this out, there doesn't appear
> to be a patch for CAN-2004-0488 (buffer overrun in mod_ssl) in Apache 2.0.50
> as indicated on http://httpd.apache.org.
>
> I quote:
>
> "This Announcement notes the significant changes in 2.0.50 as compared
> to 2.0.49."
>
> "Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a
> (trusted) client certificate subject DN which exceeds 6K in length.
> [CAN-2004-0488 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488>]"
>
> mod_ssl doesn't change when upgrading from Apache 2.0.49 to Apache 2.0.50.
Sure, it does, for example:
http://cvs.apache.org/viewcvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.82.2.12&r2=1.82.2.13
Perhaps an error occurred during your upgrade? Did you use a vanilla Apache
and did you verify the download with pgp or md5?
nd
--
"Comprehensive work (also for those switching from Apache 1.3)"
-- from a review
<http://pub.perlig.de/books.html#apache2>