
Bug#136801: marked as done (Apache-SSL buffer overflow (fix available))

Your message dated Tue, 05 Mar 2002 11:02:17 +0100
with message-id <E16iBlx-000829-00@pandora.debian.org>
and subject line Bug#136801: fixed in apache-ssl
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 4 Mar 2002 16:56:07 +0000
From mdz@csh.rit.edu Mon Mar 04 10:56:07 2002
Return-path: <mdz@csh.rit.edu>
Received: from smtp02.mrf.mail.rcn.net [] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16hvkt-0005gz-00; Mon, 04 Mar 2002 10:56:07 -0600
Received: from 209-6-22-177.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com ([] helo=mizar.alcor.net)
	by smtp02.mrf.mail.rcn.net with esmtp (Exim 3.33 #10)
	id 16hvks-0001k5-00
	for submit@bugs.debian.org; Mon, 04 Mar 2002 11:56:06 -0500
Received: from mdz by mizar.alcor.net with local (Exim 3.34 #1 (Debian))
	id 16hvks-0003xE-00
	for <submit@bugs.debian.org>; Mon, 04 Mar 2002 11:56:06 -0500
Date: Mon, 4 Mar 2002 11:56:06 -0500
From: Matt Zimmerman <mdz@debian.org>
To: submit@bugs.debian.org
Subject: Apache-SSL buffer overflow (fix available)
Message-ID: <20020304165606.GF13968@alcor.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.27i
Sender: Matt Zimmerman <mdz@alcor.net>
Delivered-To: submit@bugs.debian.org

Package: apache-ssl
Severity: critical

----- Forwarded message from Ben Laurie <ben@algroup.co.uk> -----

Date: Fri, 01 Mar 2002 11:47:36 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: Apache SSL Announce <apache-sslannounce@lists.aldigital.co.uk>,
	CERT Coordination Center <cert@cert.org>,
	Apache List <new-httpd@apache.org>
Subject: Apache-SSL buffer overflow (fix available)

Apache-SSL buffer overflow condition (all versions prior to 1.3.22+1.46)


A buffer overflow was recently found in mod_ssl, see:


for details. The offending code in mod_ssl was, in fact, derived from
Apache-SSL, and Apache-SSL is also vulnerable.

As in mod_ssl, this flaw can only be exploited if client certificates
are being used, and the certificate in question must be issued by a
trusted CA.


Download Apache-SSL 1.3.22+1.46 from the usual places (see


Thanks to Ed Moyle for finding the flaw.


No thanks to anyone at all for alerting me before going
public. Cheers, guys.


This advisory can be found at:

A mirror which definitely has the new version:

Ben Laurie, March 1, 2002.

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

----- End forwarded message -----

 - mdz

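The advisory forwarded above gives two facts an administrator needs: builds before Apache-SSL 1.3.22+1.46 carry the overflow, and it is only reachable when the server asks clients for certificates. The following script turns those two facts into a check. It is an added example for this archive page, not part of the bug report, the advisory or Apache-SSL itself; the fixed patch level 1.46 comes from the advisory, while the function names, the sample configurations and the decision to compare only the "+X.YY" SSL patch level (ignoring the Apache base version) are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the bug report or from Apache-SSL: decide whether a
# host needs the Apache-SSL 1.3.22+1.46 fix. Two facts from the advisory:
#   - releases before 1.3.22+1.46 carry the buffer overflow, and
#   - it is only exploitable when client certificates are in use.
# Everything except the fixed patch level (function names, sample configs,
# comparing only the SSL patch level) is this example's own assumption.

FIXED_PATCH="1.46"   # SSL patch level of the first fixed release (advisory)

# Return 0 when the "+X.YY" patch level in $1 is older than $FIXED_PATCH,
# 1 when it is at or past it, 2 when $1 is not an Apache-SSL version string.
# Assumption: the fix lives in the SSL patch, so only that level is compared;
# the Apache base version (1.3.22, 1.3.23.1, ...) is not consulted.
apache_ssl_needs_upgrade() {
    case "$1" in
        *+*) patch="${1#*+}" ;;
        *)   echo "not an Apache-SSL version string: $1" >&2; return 2 ;;
    esac
    have_major="${patch%%.*}"
    case "$patch" in *.*) have_minor="${patch#*.}" ;; *) have_minor=0 ;; esac
    have_minor="${have_minor%%.*}"
    want_major="${FIXED_PATCH%%.*}"
    want_minor="${FIXED_PATCH#*.}"
    [ "$have_major" -lt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -lt "$want_minor" ] && return 0
    return 1
}

# Return 0 when the config file $1 asks clients for a certificate at all:
# an uncommented SSLVerifyClient set to anything other than 0, in the main
# server or any <VirtualHost>. Assumption: Apache-SSL's numeric levels
# (0 = never ask; 1, 2 and 3 all make the client present a certificate).
# Include directives are not followed; run it once per file.
client_certs_in_use() {
    grep -v '^[[:space:]]*#' "$1" |
        awk 'tolower($1) == "sslverifyclient" && $2 != "0" { found = 1 }
             END { exit (found ? 0 : 1) }'
}

# Return 0 only when both preconditions hold: vulnerable build (version $1)
# and client certificates enabled in config $2.
apache_ssl_exposed() {
    apache_ssl_needs_upgrade "$1" && client_certs_in_use "$2"
}

# Constructed sample configs so the script runs stand-alone (not real hosts).
CONF_CLIENTCERT="$(mktemp)"
CONF_NOCERT="$(mktemp)"
trap 'rm -f "$CONF_CLIENTCERT" "$CONF_NOCERT"' EXIT
cat > "$CONF_CLIENTCERT" <<'EOF'
<VirtualHost _default_:443>
    SSLEnable
    SSLCACertificateFile /etc/apache-ssl/site-ca.pem
    SSLVerifyClient 2
</VirtualHost>
EOF
cat > "$CONF_NOCERT" <<'EOF'
<VirtualHost _default_:443>
    SSLEnable
    # SSLVerifyClient 2   (commented out: must not count)
    SSLVerifyClient 0
</VirtualHost>
EOF

report() {   # report VERSION CONFIG
    case "$1" in *+*) ;; *) echo "$1: unrecognised version string"; return 2 ;; esac
    if ! apache_ssl_needs_upgrade "$1"; then
        echo "$1: fixed build"
    elif client_certs_in_use "$2"; then
        echo "$1: EXPOSED (vulnerable build and client certificates in use)"
    else
        echo "$1: vulnerable build, client certificates off; upgrade before enabling them"
    fi
}
report "1.3.22+1.45"   "$CONF_CLIENTCERT"
report "1.3.22+1.45"   "$CONF_NOCERT"
report "1.3.23.1+1.47" "$CONF_CLIENTCERT"
```

Run it against the version string your build reports and each configuration file that can contain SSLVerifyClient. A "vulnerable build, client certificates off" result still means the upgrade is due: the advisory only says the flaw cannot be reached without client certificates, not that the code is fixed, and turning certificate verification on later would expose the host.
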
Received: (at 136801-close) by bugs.debian.org; 5 Mar 2002 10:09:12 +0000
From katie@pandora.debian.org Tue Mar 05 04:09:12 2002
Return-path: <katie@pandora.debian.org>
Received: from pandora.debian.org [] (mail)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16iBsd-0004UA-00; Tue, 05 Mar 2002 04:09:11 -0600
Received: from katie by pandora.debian.org with local (Exim 3.12 1 (Debian))
	id 16iBlx-000829-00; Tue, 05 Mar 2002 11:02:17 +0100
From: Christoph Martin <christoph.martin@uni-mainz.de>
To: 136801-close@bugs.debian.org
X-Katie: $Revision: 1.8 $
Subject: Bug#136801: fixed in apache-ssl
Message-Id: <E16iBlx-000829-00@pandora.debian.org>
Sender: Archive Administrator <katie@pandora.debian.org>
Date: Tue, 05 Mar 2002 11:02:17 +0100
Delivered-To: 136801-close@bugs.debian.org

We believe that the bug you reported is fixed in the latest version of
apache-ssl, which is due to be installed in the Debian FTP archive:

  to pool/non-US/main/a/apache-ssl/apache-ssl_1.3.23.1+1.47-1.diff.gz
  to pool/non-US/main/a/apache-ssl/apache-ssl_1.3.23.1+1.47-1.dsc
  to pool/non-US/main/a/apache-ssl/apache-ssl_1.3.23.1+1.47-1_i386.deb
  to pool/non-US/main/a/apache-ssl/apache-ssl_1.3.23.1+1.47.orig.tar.gz

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 136801@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Christoph Martin <christoph.martin@uni-mainz.de> (supplier of updated apache-ssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Tue,  5 Mar 2002 10:23:12 +0100
Source: apache-ssl
Binary: apache-ssl
Architecture: source i386
Distribution: unstable
Urgency: high
Maintainer: Apache maintainers <debian-apache@lists.debian.org>
Changed-By: Christoph Martin <christoph.martin@uni-mainz.de>
 apache-ssl - Versatile, high-performance HTTP server with SSL support
Closes: 136801
 apache-ssl ( unstable; urgency=high
   * new ssl patch fixes security hole (buffer overflow) (closes: #136801)
 1bf782c27ebe2b934d3cd987b8b4a8d8 796 non-us/main optional apache-ssl_1.3.23.1+1.47-1.dsc
 d7a4c3ee83c2dc7ffc238367258f39a9 2851149 non-us/main optional apache-ssl_1.3.23.1+1.47.orig.tar.gz
 5ccbd9f40efdebb5df7885881619c817 22810 non-us/main optional apache-ssl_1.3.23.1+1.47-1.diff.gz
 a861e01366fdbfc5dd2c295d003b482f 404910 non-us/main optional apache-ssl_1.3.23.1+1.47-1_i386.deb
