8085386 2002-03-01 11:47 +0000 /61 rader/ Ben Laurie <ben@algroup.co.uk> Sänt av: joel@lysator.liu.se Importerad: 2002-03-03 21:13 av Brevbäraren Extern mottagare: Apache SSL Announce <apache-sslannounce@lists.aldigital.co.uk> Extern mottagare: Bugtraq <BUGTRAQ@SECURITYFOCUS.COM> Extern mottagare: CERT Coordination Center <cert@cert.org> Extern mottagare: Apache List <new-httpd@apache.org> Mottagare: Bugtraq (import) <21242> Ärende: Apache-SSL buffer overflow (fix available) ------------------------------------------------------------ From: Ben Laurie <ben@algroup.co.uk> To: Apache SSL Announce <apache-sslannounce@lists.aldigital.co.uk>, Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>, CERT Coordination Center <cert@cert.org>, Apache List <new-httpd@apache.org> Message-ID: <3C7F6A58.6CA6A724@algroup.co.uk> Apache-SSL buffer overflow condition (all versions prior to 1.3.22+1.46) ------------------------------------------------------------------------ Synopsis -------- A buffer overflow was recently found in mod_ssl, see: http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html for details. The offending code in mod_ssl was, in fact, derived from Apache-SSL, and Apache-SSL is also vulnerable. As in mod_ssl, this flaw can only be exploited if client certificates are being used, and the certificate in question must be issued by a trusted CA. Fix --- Download Apache-SSL 1.3.22+1.46 from the usual places (see http://www.apache-ssl.org/). Acknowledgements ---------------- Thanks to Ed Moyle for finding the flaw. Rant ---- No thanks to anyone at all for alerting me before going public. Cheers, guys. Links ----- This advisory can be found at: http://www.apache-ssl.org/advisory-20020301.txt A mirror which definitely has the new version: ftp://opensores.thebunker.net/pub/mirrors/apache-ssl/apache_1.3.22+ssl_1.46.tar.gz Ben Laurie, March 1, 2002. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff (8085386) /Ben Laurie <ben@algroup.co.uk>/(Ombruten) 8091422 2002-03-04 14:47 +0000 /31 rader/ Ben Laurie <ben@algroup.co.uk> Sänt av: joel@lysator.liu.se Importerad: 2002-03-05 00:42 av Brevbäraren Extern mottagare: Apache SSL <apache-ssl@lists.aldigital.co.uk> Extern mottagare: Apache SSL Announce <apache-sslannounce@lists.aldigital.co.uk> Extern mottagare: Bugtraq <BUGTRAQ@SECURITYFOCUS.COM> Extern mottagare: CERT Coordination Center <cert@cert.org> Mottagare: Bugtraq (import) <21256> Ärende: Apache-SSL 1.3.22+1.47 - update to security fix ------------------------------------------------------------ From: Ben Laurie <ben@algroup.co.uk> To: Apache SSL <apache-ssl@lists.aldigital.co.uk>, Apache SSL Announce <apache-sslannounce@lists.aldigital.co.uk>, Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>, CERT Coordination Center <cert@cert.org> Message-ID: <3C838917.B5B5501D@algroup.co.uk> On Friday 1st March 2002 I released a security alert for Apache-SSL, announcing a fix to a buffer overflow. Unfortunately, because the fix had to be released in haste (since I had not been alerted before public disclosure), the fix had a bug. Fortunately, the bug did not leave Apache-SSL vulnerable, but it did prevent correct operation. I have, therefore, released an updated version of Apache-SSL today, 1.3.22+1.47, which is available from all the usual places. Users of versions prior to this should upgrade immediately. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff (8091422) /Ben Laurie <ben@algroup.co.uk>/(Ombruten)