On Tue, May 25, 2004 at 09:42:58AM +0200, Boyle Owen wrote:
> Greetings,
>
> This "alert" has appeared recently. Is anyone aware of it?

Yes, this is CVE CAN-2004-0488. It can only be triggered if mod_ssl is configured to use FakeBasicAuth and will trust a CA which issues a client cert with a >6K long subject DN. I checked in a fix for 2.0 earlier:

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.105&r2=1.106

Fixes for mod_ssl 2.8 should be forthcoming.

> http://www.securityfocus.com/bid/10355/info/

Regards,

joe
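
Added example, not part of the original message and not mod_ssl code: a small Python check for the first precondition named in the reply, an `SSLOptions` directive that turns on `FakeBasicAuth`. The sample configuration is constructed, and the function names are this example's own.

```python
import re

# Constructed sample configuration (not taken from the original message).
SAMPLE_CONF = """\
SSLOptions +StdEnvVars
<VirtualHost *:443>
    <Directory "/srv/private">
        SSLOptions +FakeBasicAuth \\
                   +StrictRequire
    </Directory>
    <Directory "/srv/public">
        SSLOptions -FakeBasicAuth
    </Directory>
</VirtualHost>
<VirtualHost *:8443>
    # SSLOptions +FakeBasicAuth
    ssloptions fakebasicauth ExportCertData
</VirtualHost>
"""

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None

def find_fakebasicauth(text):
    """Return [(line, context, directive)] for SSLOptions that enable FakeBasicAuth."""
    hits, stack = [], []
    for n, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("</"):
            del stack[-1:]  # leaving a section; safe on an empty stack
        elif line.startswith("<"):
            stack.append(line.strip("<>").strip())
        elif re.match(r"ssloptions\s", line, re.I):
            opts = [o.lower() for o in line.split()[1:]]
            if "fakebasicauth" in opts or "+fakebasicauth" in opts:
                hits.append((n, " > ".join(stack) or "(server config)", line))
    return hits

if __name__ == "__main__":
    print(*find_fakebasicauth(SAMPLE_CONF), sep="\n")
```

It reads one file's text and does not follow `Include` directives or model how `+`/`-` options merge across sections, so a hit marks a place to review rather than a verdict.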
