On Thu, May 27, 2004 at 17:21:07 +0100, Joe Orton wrote:
> On Thu, May 27, 2004 at 05:09:17PM +0200, Boyle Owen wrote:
> >> On Thu, May 27, 2004 at 15:21:37 +0200, Ralf S. Engelschall wrote:
> > >> Changes with mod_ssl 2.8.18 (11-May-2004 to 27-May-2004)
> > >>
> > >> *) Fix buffer overflow in "SSLOptions +FakeBasicAuth" implementation
> > >> if the Subject-DN in the client certificate exceeds 6KB in length.
> > >> (CVE CAN-2004-0488).
> > >>
> >>
> >> Is that also an issue in apache-2.x? (I wasn't able to find that CVE, so I
> >> ask here ;-)
>>
>> The problem was originally identified on apache2 (see
>> http://www.securityfocus.com/bid/10355/) and it has already been patched
>> there.
>
> Anybody wanting to patch directly can fetch this:
>
> http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.105&r2=1.106

Thanks, that was very helpful.

Best regards

Udo Schweigert
-- 
Udo Schweigert, Siemens AG   | Voice : +49 89 636 42170
CT IC CERT, Siemens CERT     | Fax   : +49 89 636 41166
D-81730 München / Germany    | email : [EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
