Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Apache-SSL buffer overflow condition (all versions prior to 1.3.22+1.46)

Apache-SSL buffer overflow condition (all versions prior to 1.3.22+1.46)

by Nikola Strahija on March 3rd, 2002 A buffer overflow was recently found in mod_ssl.


http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.htmlfor details. The offending code in mod_ssl was, in fact, derived from
Apache-SSL, and Apache-SSL is also vulnerable.

As in mod_ssl, this flaw can only be exploited if client certificates
are being used, and the certificate in question must be issued by a
trusted CA.

Fix
---

Download Apache-SSL 1.3.22+1.46 from the usual places (see
http://www.apache-ssl.org/).

Acknowledgements
----------------

Thanks to Ed Moyle for finding the flaw.

Rant
----

No thanks to anyone at all for alerting me before going
public. Cheers, guys.

Links
-----

This advisory can be found at:
http://www.apache-ssl.org/advisory-20020301.txt

A mirror which definitely has the new version:
ftp://opensores.thebunker.net/pub/mirrors/apache-ssl/apache_1.3.22+ssl_1.46.tar.gz


Ben Laurie, March 1, 2002.


--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/




Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »