[24500] in bugtraq

Re: mod_ssl Buffer Overflow Condition (Update Available)

daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Mar 1 16:08:24 2002

Message-ID: <3C7F57D4.A0F3A5E5@algroup.co.uk>
Date: Fri, 01 Mar 2002 10:28:36 +0000
From: Ben Laurie <ben@algroup.co.uk>
MIME-Version: 1.0
To: Ed Moyle <emoyle@scsnet.csc.com>
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Ed Moyle wrote:
> 
> mod_ssl Buffer Overflow Condition (Update Available)
> --------------------------------------------------------
> 
> SYNOPSIS
> 
> mod_ssl (www.modssl.org) is a commonly used Apache module that
> provides strong cryptography for the Apache web server.  The
> module utilizes OpenSSL (formerly SSLeay) for the SSL implementation.
> modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the
> underlying OpenSSL routines in a manner which could overflow a buffer
> within the implementation.  This situation appears difficult to
> exploit in a production environment, however, for reasons detailed
> below.

Ooops! Apologies, I misread my code. Apache-SSL is, in fact, vulnerable
to this flaw. I'll be issuing an advisory shortly.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
