Bugtraq mailing list archives

Re: mod_ssl Buffer Overflow Condition (Update Available)

From: Ben Laurie <ben () algroup co uk>
Date: Fri, 01 Mar 2002 10:28:36 +0000

Ed Moyle wrote:


mod_ssl Buffer Overflow Condition (Update Available)
--------------------------------------------------------

SYNOPSIS

mod_ssl (www.modssl.org) is a commonly used Apache module that
provides strong cryptography for the Apache web server.  The
module utilizes OpenSSL (formerly SSLeay) for the SSL implementation.
modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the
underlying OpenSSL routines in a manner which could overflow a buffer
within the implementation.  This situation appears difficult to
exploit in a production environment, however, for reasons detailed
below.


Ooops! Apologies, I misread my code. Apache-SSL is, in fact, vulnerable
to this flaw. I'll be issuing an advisory shortly.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

Current thread:

Re: mod_ssl Buffer Overflow Condition (Update Available) Ben Laurie (Mar 01)
- <Possible follow-ups>
- Re: mod_ssl Buffer Overflow Condition (Update Available) Ben Laurie (Mar 01)