| Summary: | net-www/apache, net-www/mod_ssl: possible buffer overflow | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tobias Weisserth <tobias> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | hanno, langthang, wschlich, zul |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Tobias Weisserth
2004-05-18 02:03:39 UTC
After some research: http://marc.theaimsgroup.com/?l=apache-modssl&m=108549001500319&w=2

This appears to be CAN-2004-0488. Note: "It can only be triggered if mod_ssl is configured to use FakeBasicAuth and will trust a CA which issues a client cert with a >6K long subject DN."

Fix for apache 2.0.x is: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.105&r2=1.106

Fix for mod_ssl 2.8 (apache 1.3.x) is not available yet. zul: we can patch or wait. Your call...

I would wait for the apache 1.3.x version so we can do them both at the same time.

OK, so we are waiting for upstream fix in mod_ssl.

mod_ssl 2.8.18 is out: http://marc.theaimsgroup.com/?l=apache-modssl&m=108566416009373&w=2

Waiting for an apache-2.0.49-r3 and mod_ssl-2.8.18?

I've added the patch to 2.0.49 and above. I'll be committing a 2.0.49-r3 tonight.

1.3.31-r1 and mod_ssl 2.8.18 is in as well.

Arches, please mark stable:

apache-1.3.31-r1 = "x86 ppc sparc mips alpha hppa amd64 ia64"
apache-2.0.49-r3 = "x86 ppc sparc mips alpha hppa amd64 ia64 s390"
mod_ssl-2.8.18 = "x86 ppc sparc mips alpha hppa"

Thanks!

Stable on alpha.

Stable on mips & sparc

Marked stable on amd64.

*** Bug 52802 has been marked as a duplicate of this bug. ***

GLSA is ready

ppc, hppa: please mark apache-1.3.31-r1 apache-2.0.49-r3 and mod_ssl-2.8.18 stable

ia64: please mark apache-1.3.31-r1 and apache-2.0.49-r3 stable

stable on ia64

Good to go on ppc.

Ready to send

All done for hppa. Sorry for the delay but I had exams :-/

GLSA 200406-05
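The note quoted in this report makes `FakeBasicAuth` one of the two preconditions, so a quick exposure check is to find every place a configuration switches that option on. The following is an added example, not part of the bug report or of Apache/mod_ssl; the sample configuration and the function names are constructed for illustration. It reports each `SSLOptions` directive that enables the option, does not compute Apache's merged per-directory result, and does not look at the second precondition (which CAs are trusted).

```python
# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
# SSLOptions +FakeBasicAuth   (commented out, ignored)
<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient require
    SSLOptions +StdEnvVars +FakeBasicAuth
    <Directory "/var/www/private">
        SSLOptions -FakeBasicAuth \\
                   +StrictRequire
    </Directory>
    <Location /legacy>
        sslOptions FakeBasicAuth ExportCertData
    </Location>
</VirtualHost>
"""

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def find_fakebasicauth(text):
    """Return [(line_no, enclosing_section, directive)] where the option is enabled."""
    findings, stack = [], []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif line.startswith("<"):
            stack.append(line.strip("<>").strip())
        else:
            parts = line.split()
            # "+Opt" and bare "Opt" switch it on; "-Opt" switches it off.
            on = any(o.lstrip("+").lower() == "fakebasicauth" for o in parts[1:])
            if parts[0].lower() == "ssloptions" and on:
                findings.append((no, stack[-1] if stack else "server config", line))
    return findings
```
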