Bug 17862 - mod_ssl
Summary: mod_ssl
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Highest critical
Assignee: Gentoo Security
Reported: 2003-03-20 04:20 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-03-25 05:14 UTC

Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-03-20 04:20:51 UTC
List:     apache-modssl 
Subject:  [ANNOUNCE] mod_ssl 2.8.13 
From:     "Ralf S. Engelschall" <rse () engelschall ! com> 
Date:     2003-03-18 14:43:16 
 
Another maintenance release of mod_ssl 2.8 for Apache 1.3 delivers to 
you mod_ssl 2.8.13 for Apache 1.3.27. Changes are listed below. Grab it 
from the following locations: 
 
o http://www.modssl.org/source/ 
o  ftp://ftp.modssl.org/source/ 
 
Yours, 
                                       Ralf S. Engelschall 
                                       rse@engelschall.com 
                                       www.engelschall.com 
 
  Changes with mod_ssl 2.8.13 (23-Oct-2002 to 18-Mar-2003) 
 
   *) Always enforce RSA blinding on RSA private keys in order to be 
      resistant to timing attacks. 
 
   *) Added timeout also to the "pre-sucking" of the trailing data in 
      POST request handling. 
 
   *) Correctly shutdown shared memory pools on fork+exec situations. 
 
   *) Bugfix SSL client certificate verification: OpenSSL was not 
      informed with SSL_set_verify_result(ssl, X509_V_OK) in case 
      mod_ssl forced the verification to be ok. 
 
   *) Consistently use OPENSSL_free() instead of plain free() to 
      deallocate memory chunks allocated inside OpenSSL. 
 
   *) Fixed various memory leaks related to X509 certificates. 
______________________________________________________________________ 
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org 
Official Announcement Mailing List          modssl-announce@modssl.org 
Automated List Manager                            majordomo@modssl.org 
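
The first changelog entry above enforces RSA blinding. The following is an added example, not part of the announcement and not mod_ssl or OpenSSL code, that works through the blinding arithmetic on a constructed toy key; all function names are chosen here for illustration. It shows that the value reaching the private exponentiation changes on every call while the result stays the same; it does not measure timing.

```python
import math
import secrets

# Constructed toy RSA key, far too small for real use.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

def private_op(c):
    """Unblinded private-key operation: exponentiates the caller-supplied c directly."""
    return pow(c, D, N)

def blinded_private_op(c, seen=None):
    """Same result as private_op(c), but exponentiates c * r^E for a fresh random r.

    Timing of the exponentiation then depends on a value the sender of c
    cannot predict. `seen`, if given, collects that value for inspection.
    """
    while True:
        r = secrets.randbelow(N - 2) + 2      # r in [2, N-1]
        if math.gcd(r, N) == 1:               # r must be invertible mod N
            break
    blinded = (c * pow(r, E, N)) % N          # c' = c * r^E mod N
    if seen is not None:
        seen.append(blinded)
    m_times_r = pow(blinded, D, N)            # (c')^D = c^D * r mod N
    return (m_times_r * pow(r, -1, N)) % N    # multiply by r^-1 to recover c^D

def exponentiation_inputs(c, runs=200):
    """Distinct values that reached the private exponentiation across `runs` calls."""
    seen = []
    for _ in range(runs):
        assert blinded_private_op(c, seen) == private_op(c)
    return set(seen)

if __name__ == "__main__":
    c = pow(65, E, N)                         # constructed ciphertext of message 65
    print("unblinded input is always:", c)
    print("distinct blinded inputs in 200 runs:", len(exponentiation_inputs(c)))
```
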
Comment 1 Richard Liu 2003-03-24 22:18:37 UTC
Today is 2003/03/25 
but mod_ssl in portage has not been upgraded 

brief changelog 
======
   *) Fixed logic in the destruction of a temporary certificate
      structure and this way avoid a crash due to freeing NULL object.

   *) Removed one newly introduced X509_free() call in the context of
      SSL_get_certificate(), because this function does not increment a
      reference count (although SSL_get_peer_certificate() does).

   *) Fixed hash-table based shared memory session cache (shmht)
      implementation by making sure that the underlying hash table
      library does not crash if memory cannot be allocated.
=========
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2003-03-25 05:14:35 UTC
glsa sent