SOURCES: apache-CVE-2005-3357.patch (NEW) - mod_ssl in Apache 2.0 ...
glen
glen at pld-linux.org
Tue Feb 7 20:38:31 CET 2006
Author: glen Date: Tue Feb 7 19:38:31 2006 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with
access control and a custom error 400 error page, allows remote attackers to
cause a denial of service (application crash) via a non-SSL request to an SSL
port, which triggers a NULL pointer dereference.
---- Files affected:
SOURCES:
apache-CVE-2005-3357.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/apache-CVE-2005-3357.patch
diff -u /dev/null SOURCES/apache-CVE-2005-3357.patch:1.1
--- /dev/null Tue Feb 7 20:38:31 2006
+++ SOURCES/apache-CVE-2005-3357.patch Tue Feb 7 20:38:25 2006
@@ -0,0 +1,21 @@
+http://bugs.gentoo.org/show_bug.cgi?id=115324
+
+--- modules/ssl/ssl_engine_kernel.c (Revision 368148)
++++ modules/ssl/ssl_engine_kernel.c (Arbeitskopie)
+@@ -202,11 +202,14 @@
+ }
+
+ /*
+- * Check to see if SSL protocol is on
++ * Check to see whether SSL is in use; if it's not, then no
++ * further access control checks are relevant. (the test for
++ * sc->enabled is probably strictly unnecessary)
+ */
+- if (!(sc->enabled || ssl)) {
++ if (!sc->enabled || !ssl) {
+ return DECLINED;
+ }
++
+ /*
+ * Support for per-directory reconfigured SSL connection parameters.
+ *
================================================================
More information about the pld-cvs-commit
mailing list