Bugtraq mailing list archives
Re: Apache mod_ssl off-by-one vulnerability
From: Ken.Williams () ey com
Date: Thu, 27 Jun 2002 16:32:32 -0500
hi, i downloaded mod_ssl-2.8.9-1.3.26 from the modssl.org archive and verified that it does have the off-by-one error, so it appears that there was a mistake in the vulnerability advisory. line 3 of the advisory should read: Summary: Off-by-one in mod_ssl 2.8.9 and earlier correct me if i'm wrong. Regards, kw Ken Williams ; CISSP ; Technical Lead ; ken.williams () ey com eSecurityOnline - an eSecurity Venture of Ernst & Young ken.williams () ey com ; www.esecurityonline.com ; 1-877-eSecurity
Subject: Re: Apache mod_ssl off-by-one vulnerability From: H D Moore <sflist () digitaloffense net> Date: 2002-06-27 2:46:12 Just to confirm, the bug exists in 2.8.9 and earlier? The first part of
the
advisory mentions 2.4.9, so a casual reader may assume they are unaffected
if
they don't read all the way to the bottom... On Monday 24 June 2002 15:47, Jedi/Sector One wrote:Product: mod_ssl - http://www.modssl.org/ Date: 06/24/2002 Summary: Off-by-one in mod_ssl 2.4.9 and earlier[ snip ]The mod_ssl development team was very reactive and a new version has
just
been released. mod_ssl 2.8.10 addresses the vulnerability and it is freely available from http://www.modssl.org/ . Upgrading from an earlier release is painless.
________________________________________________________________________ The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Ernst & Young LLP
Current thread:
- Apache mod_ssl off-by-one vulnerability Jedi/Sector One (Jun 26)
- Re: Apache mod_ssl off-by-one vulnerability H D Moore (Jun 27)
- <Possible follow-ups>
- Re: Apache mod_ssl off-by-one vulnerability Ken . Williams (Jun 28)
- Re: Apache mod_ssl off-by-one vulnerability Jedi/Sector One (Jun 29)
- Simple Wais 1.11 allows users to execute commands as SWAIS deamon. John Thornton (Jun 29)
- Re: Apache mod_ssl off-by-one vulnerability Jedi/Sector One (Jun 29)