Bugtraq mailing list archives
Re: mod_ssl Buffer Overflow Condition (Update Available)
From: Ben Laurie <ben () algroup co uk>
Date: Fri, 01 Mar 2002 10:28:36 +0000
Ed Moyle wrote:
mod_ssl Buffer Overflow Condition (Update Available) -------------------------------------------------------- SYNOPSIS mod_ssl (www.modssl.org) is a commonly used Apache module that provides strong cryptography for the Apache web server. The module utilizes OpenSSL (formerly SSLeay) for the SSL implementation. modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the underlying OpenSSL routines in a manner which could overflow a buffer within the implementation. This situation appears difficult to exploit in a production environment, however, for reasons detailed below.
Ooops! Apologies, I misread my code. Apache-SSL is, in fact, vulnerable to this flaw. I'll be issuing an advisory shortly. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Current thread:
- Re: mod_ssl Buffer Overflow Condition (Update Available) Ben Laurie (Mar 01)
- <Possible follow-ups>
- Re: mod_ssl Buffer Overflow Condition (Update Available) Ben Laurie (Mar 01)