mod_ssl 2.8.18-1.3.31: Security Fix
Arkadiusz Patyk
areq at pld-linux.org
Fri, 28 May 2004, 09:40:06 CEST
Hello
A bug has been found in mod_ssl < 2.8.18-1.3.31.
Vulnerability: arbitrary code execution
Description:
Georgi Guninski discovered [1] a stack-based buffer overflow in
the "SSLOptions +FakeBasicAuth" implementation of Apache's SSL/TLS
extension module mod_ssl [0]. The overflow can occur if the Subject-DN
in the client certificate exceeds 6KB in length and mod_ssl is
configured to trust the issuing CA. The Common Vulnerabilities and
Exposures (CVE) project assigned the id CAN-2004-0488 [2] to the
problem.
I have updated it on HEAD and RA-branch. Please send it to the builders
and put it on the ftp ASAP.
--
Arkadiusz Patyk [areq(at)pld-linux.org] [http://rescuecd.pld-linux.org]
[IRC:areq ICQ:16231667 GG:1383] [AP3-6BONE] [AP14126-RIPE]
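
An added example, not part of the original post or of mod_ssl: a small audit that flags a host as exposed when its mod_ssl build predates 2.8.18-1.3.31 and its configuration enables "SSLOptions +FakeBasicAuth". The function names and the sample configuration are constructed for illustration, and the version check assumes only the mod_ssl part of the version string (before the dash) decides whether the fix is present.

```python
import re

FIXED_MOD_SSL = (2, 8, 18)  # from the post: fixed in mod_ssl 2.8.18-1.3.31

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample
SSLEngine on
SSLVerifyClient require
SSLCACertificateFile /etc/httpd/ssl/ca.crt
<Directory /srv/www/private>
    SSLOptions +FakeBasicAuth +StrictRequire
</Directory>
<Directory /srv/www/public>
    # SSLOptions +FakeBasicAuth
    sslOptions -FakeBasicAuth +StdEnvVars
</Directory>
"""

def mod_ssl_part(version):
    """'2.8.17-1.3.31' -> (2, 8, 17); the suffix names the Apache release."""
    return tuple(int(n) for n in version.strip().split("-", 1)[0].split("."))

def fakebasicauth_lines(conf_text):
    """Return (line_number, text) for SSLOptions lines that turn FakeBasicAuth on."""
    hits = []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives do not count
        match = re.match(r"(?i)ssloptions\s+(.*)$", line)
        if not match:
            continue
        options = [opt.lower() for opt in match.group(1).split()]
        if "+fakebasicauth" in options or "fakebasicauth" in options:
            hits.append((number, line))
    return hits

def audit(conf_text, version):
    """Combine both conditions; CA trust settings are not evaluated here."""
    hits = fakebasicauth_lines(conf_text)
    vulnerable_build = mod_ssl_part(version) < FIXED_MOD_SSL
    return {"vulnerable_build": vulnerable_build,
            "fakebasicauth": hits,
            "exposed": vulnerable_build and bool(hits)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "2.8.17-1.3.31"))
```
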