At 08:58 PM 6/30/2004, Albert Chin wrote:
>According to http://httpd.apache.org/:
> This version of Apache is principally a bug fix release. Of particular
> note is that 2.0.50 addresses one security vulnerability:
>
> A remotely triggered memory leak in http header parsing can allow a
> denial of service attack due to excessive memory consumption.
> [CAN-2004-0493]
>
> Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a
> (trusted) client certificate subject DN which exceeds 6K in length.
> [CAN-2004-0488]
>
>If 2.0.50 addresses "one security vulnerability", why are two listed?

Because the other was patched much earlier, and adding the second was a
late addition. Simple typo.

>I thought CAN-2004-0488 was for 1.3.x?

Nope, entirely not applicable to 1.3. The ASF has no SSL provider for
Apache 1.3. The modssl project for 1.3 was affected, of course.

Bill
