On Thu, May 27, 2004 at 05:09:17PM +0200, Boyle Owen wrote: > > On Thu, May 27, 2004 at 15:21:37 +0200, Ralf S. Engelschall wrote: > > > Changes with mod_ssl 2.8.18 (11-May-2004 to 27-May-2004) > > > > > > *) Fix buffer overflow in "SSLOptions +FakeBasicAuth" > > implementation > > > if the Subject-DN in the client certificate exceeds > > 6KB in length. > > > (CVE CAN-2004-0488). > > > > > > > Is that also an issue in apache-2.x? (I wasn't able to find > > that CVE, so I > > ask here ;-) > > The problem was originally identified on apache2 (see > http://www.securityfocus.com/bid/10355/) and it has already been patched > there.
Anybody wanting to patch directly can fetch this: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.105&r2=1.106 > Incidentally, AFAIK there is no vulnerability unless you are using > "SSLOptions FakeBasicAuth". It's a fairly specialised option so my > feeling is that this doesn't urgently affect a whole lot of people... Of > course, you should still upgrade just in case some time in the future > you do switch that option on. And furthermore, you must trust a CA who will issue a client cert with exploit code embedded in the subject DN. Regards, joe ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]