SOURCES: apache-CVE-2005-3357.patch (NEW) - mod_ssl in Apache 2.0 ...

glen glen at pld-linux.org
Tue Feb 7 20:38:31 CET 2006


Author: glen                         Date: Tue Feb  7 19:38:31 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with
  access control and a custom error 400 error page, allows remote attackers to
  cause a denial of service (application crash) via a non-SSL request to an SSL
  port, which triggers a NULL pointer dereference.

---- Files affected:
SOURCES:
   apache-CVE-2005-3357.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/apache-CVE-2005-3357.patch
diff -u /dev/null SOURCES/apache-CVE-2005-3357.patch:1.1
--- /dev/null	Tue Feb  7 20:38:31 2006
+++ SOURCES/apache-CVE-2005-3357.patch	Tue Feb  7 20:38:25 2006
@@ -0,0 +1,21 @@
+http://bugs.gentoo.org/show_bug.cgi?id=115324
+
+--- modules/ssl/ssl_engine_kernel.c	(Revision 368148)
++++ modules/ssl/ssl_engine_kernel.c	(Arbeitskopie)
+@@ -202,11 +202,14 @@
+     }
+ 
+     /*
+-     * Check to see if SSL protocol is on
++     * Check to see whether SSL is in use; if it's not, then no
++     * further access control checks are relevant.  (the test for
++     * sc->enabled is probably strictly unnecessary)
+      */
+-    if (!(sc->enabled || ssl)) {
++    if (!sc->enabled || !ssl) {
+         return DECLINED;
+     }
++
+     /*
+      * Support for per-directory reconfigured SSL connection parameters.
+      *
================================================================


More information about the pld-cvs-commit mailing list