Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 17862

Summary: mod_ssl
Product: Gentoo Linux Reporter: Daniel Ahlberg (RETIRED) <aliz>
Component: New packagesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: critical    
Priority: Highest    
Version: 1.0   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-03-20 04:20:51 UTC 
[prev in list] [next in list] [prev in thread] [next in thread]  
 
List:     apache-modssl 
Subject:  [ANNOUNCE] mod_ssl 2.8.13 
From:     "Ralf S. Engelschall" <rse () engelschall ! com> 
Date:     2003-03-18 14:43:16 
[Download message RAW] 
 
Another maintainance release of mod_ssl 2.8 for Apache 1.3 delivers to 
you mod_ssl 2.8.13 for Apache 1.3.27. Changes are listed below. Grab it 
from the following locations: 
 
o http://www.modssl.org/source/ 
o  ftp://ftp.modssl.org/source/ 
 
Yours, 
                                       Ralf S. Engelschall 
                                       rse@engelschall.com 
                                       www.engelschall.com 
 
  Changes with mod_ssl 2.8.13 (23-Oct-2002 to 18-Mar-2003) 
 
   *) Always enforce RSA blinding on RSA private keys in order to be 
      resistent to timing attacks. 
 
   *) Added timeout also to the "pre-sucking" of the trailing data in 
      POST request handling. 
 
   *) Correctly shutdown shared memory pools on fork+exec situations. 
 
   *) Bugfix SSL client certificate verification: OpenSSL was not 
      informed with SSL_set_verify_result(ssl, X509_V_OK) in case 
      mod_ssl forced the verification to be ok. 
 
   *) Consistently use OPENSSL_free() instead of plain free() to 
      deallocate memory chunks allocated inside OpenSSL. 
 
   *) Fixed various memory leaks related to X509 certificates. 
______________________________________________________________________ 
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org 
Official Announcement Mailing List          modssl-announce@modssl.org 
Automated List Manager                            majordomo@modssl.org 
[prev in list] [next in list] [prev in thread] [next in thread]  
 
 
 Configure Your Environment | About MARC | We're Hiring! | Want to add a list? Tell us about it. | 
10East
Comment 1 Richard Liu 2003-03-24 22:18:37 UTC 
Today is 2003/03/25 
but mod_ssl in portage not upgrade 

brief changlog 
======
   *) Fixed logic in the destruction of a temporary certificate
      structure and this way avoid a crash due to freeing NULL object.

   *) Removed one newly introduced X509_free() call in the context of
      SSL_get_certificate(), because this function does not increment a
      reference count (although SSL_get_peer_certificate() does).

   *) Fixed hash-table based shared memory session cache (shmht)
      implementation by making sure that the underlying hash table
      library does not crash if memory cannot be allocated.
=========
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2003-03-25 05:14:35 UTC 
glsa sent