It's a remotely-triggered NULL pointer dereference (so interesting only if you use a threaded MPM); it affects server configurations with an SSL vhost configured with access control and a custom 400 errordocument.
Apache herd, please advise/patch?
Looks like we need this patch to fix the problem:
http://svn.apache.org/viewcvs.cgi/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=354394&view=diff&r1=354394&r2=354393&p1=httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c&p2=/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Best regards, Stu
The supplied patch is for the Apache trunk and won't apply correctly to 2.0.55. We need a backport from upstream unless someone more knowledgeable in C/C++ wants to step up to the plate.
Given the very specific nature of this vulnerability I would wait for an upstream release to pick it up.
Backports at: http://issues.apache.org/bugzilla/show_bug.cgi?id=37791#c3
This should be grouped with bug 118875 for a common GLSA.
Fixed in CVS. See bug 118875.
See stable marking handled on bug 118875
Common GLSA with bug 118875
GLSA 200602-03
Apache: note that new old-style versions might be flagged as vulnerable by this GLSA, so we have to update it if you put out new versions.