[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Fedora Legacy Test Update Notification: mod_ssl



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-1888
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1888
2004-09-30
- ---------------------------------------------------------------------

Name        : mod_ssl
Versions    : 7.3: 2.8.12-6.legacy
Summary     : Cryptography support for the Apache Web server.
Description : 
The mod_ssl module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols.

- ---------------------------------------------------------------------
Update Information:

A stack buffer overflow was discovered in mod_ssl which can be triggered
if
using the FakeBasicAuth option. If mod_ssl is sent a client certificate
with a subject DN field longer than 6000 characters, a stack overflow
can
occur if FakeBasicAuth has been enabled. In order to exploit this issue
the carefully crafted malicious certificate would have to be signed by a
Certificate Authority which mod_ssl is configured to trust. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name
CAN-2004-0488 to this issue.

A format string issue was discovered in mod_ssl for Apache 1.3 which can
be
triggered if mod_ssl is configured to allow a client to proxy to remote
SSL
sites. In order to exploit this issue, a user who is authorized to use
Apache as a proxy would have to attempt to connect to a carefully
crafted
hostname via SSL. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0700 to this issue.

- ---------------------------------------------------------------------
7.3 changelog:
* Wed Sep 29 2004 Marc Deslauriers <marcdeslauriers videotron ca>
2.8.12-6.legacy
 
- - Added apache and openssl-devel BuildPrereq
 
* Thu Jul 22 2004 Dominic Hargreaves <dom earth li> 2.8.12-5.legacy
 
- - Fix format string vulnerability in the ssl_log function in
ssl_engine_log.c
  [CAN-2004-0700]
- - Fix shmcb corruption for small cache sizes
 
* Wed Jun 02 2004 Michal Jaegermann <michal harddata com>
2.8.12-4.legacy
 
- - security fix for CAN-2004-0488; rediffed from a patch for
  2.8.12-8.1.91mdk by Vincent Danen <vdanen mandrakesoft com>

- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/redhat/
(sha1sums)

211714e3a8faab1152e76471f1085f3d8ef30400
7.3/updates-testing/i386/mod_ssl-2.8.12-6.legacy.i386.rpm
027bf3500924d4bb58bd8bb0ed452420a0e134bc
7.3/updates-testing/SRPMS/mod_ssl-2.8.12-6.legacy.src.rpm

- ---------------------------------------------------------------------

Please test and comment in bugzilla.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBW99pLMAs/0C4zNoRAksfAJ4zMWeRLPTHmELaIwiAfrHMTHKt5gCfZZ2W
uMv5AAvE1fGKGs0TM3u8kBY=
=0lKU
-----END PGP SIGNATURE-----



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]