You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Kenneth Simpson <ke...@VirtualMachines.COM> on 2004/07/04 23:05:51 UTC

Apache 2.0.50 mod_ssl

In the event someone hasn't already pointed this out, there doesn't appear
to be patch for CAN-2004-0488  (buffer overrun in mod_ssl) in Apache 2.0.50
as indicated on http://httpd.apache.org.

I quote:

"This Announcement notes the significant changes in 2.0.50 as compared 
to 2.0.49."

"Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a 
(trusted) client
certificate subject DN which exceeds 6K in length.| [CAN-2004-0488 
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488>]"|

mod_ssl doesn't change when upgrading from Apache 2.0.49 to Apache 2.0.50.

Re: Apache 2.0.50 mod_ssl

Posted by Joshua Slive <jo...@slive.ca>.

On Sun, 4 Jul 2004, Kenneth Simpson wrote:
> mod_ssl doesn't change when upgrading from Apache 2.0.49 to Apache 2.0.50.

This would happen if you had mod_ssl installed as a DSO but didn't specify
--enable-ssl=shared on the ./configure command line when upgrading.  The
old module would remain.

Joshua.

Re: Apache 2.0.50 mod_ssl

Posted by André Malo <nd...@perlig.de>.

* Kenneth Simpson <ke...@VirtualMachines.COM> wrote:

> In the event someone hasn't already pointed this out, there doesn't appear
> to be patch for CAN-2004-0488  (buffer overrun in mod_ssl) in Apache 2.0.50
> as indicated on http://httpd.apache.org.
> 
> I quote:
> 
> "This Announcement notes the significant changes in 2.0.50 as compared 
> to 2.0.49."
> 
> "Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a 
> (trusted) client
> certificate subject DN which exceeds 6K in length.| [CAN-2004-0488 
> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488>]"|
> 
> mod_ssl doesn't change when upgrading from Apache 2.0.49 to Apache 2.0.50.

Sure, it does, for example:
http://cvs.apache.org/viewcvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.82.2.12&r2=1.82.2.13

Perhaps an error occured during your upgrade? Did you use a vanilla apache
and did you verify the download with pgp or md5?

nd
-- 
"Umfassendes Werk (auch fuer Umsteiger vom Apache 1.3)"
                                          -- aus einer Rezension

<http://pub.perlig.de/books.html#apache2>