Bug#136801: marked as done (Apache-SSL buffer overflow (fix available))

To: Christoph Martin <christoph.martin@uni-mainz.de>
Cc: Apache maintainers <debian-apache@lists.debian.org>
Subject: Bug#136801: marked as done (Apache-SSL buffer overflow (fix available))
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 05 Mar 2002 04:18:08 -0600
Message-id: <handler.136801.D136801.101532295217252.ackdone@bugs.debian.org>
In-reply-to: <E16iBlx-000829-00@pandora.debian.org>
References: <E16iBlx-000829-00@pandora.debian.org> <20020304165606.GF13968@alcor.net>

Your message dated Tue, 05 Mar 2002 11:02:17 +0100
with message-id <E16iBlx-000829-00@pandora.debian.org>
and subject line Bug#136801: fixed in apache-ssl 1.3.23.1+1.47-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Mar 2002 16:56:07 +0000
>From mdz@csh.rit.edu Mon Mar 04 10:56:07 2002
Return-path: <mdz@csh.rit.edu>
Received: from smtp02.mrf.mail.rcn.net [207.172.4.61] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16hvkt-0005gz-00; Mon, 04 Mar 2002 10:56:07 -0600
Received: from 209-6-22-177.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com ([209.6.22.177] helo=mizar.alcor.net)
	by smtp02.mrf.mail.rcn.net with esmtp (Exim 3.33 #10)
	id 16hvks-0001k5-00
	for submit@bugs.debian.org; Mon, 04 Mar 2002 11:56:06 -0500
Received: from mdz by mizar.alcor.net with local (Exim 3.34 #1 (Debian))
	id 16hvks-0003xE-00
	for <submit@bugs.debian.org>; Mon, 04 Mar 2002 11:56:06 -0500
Date: Mon, 4 Mar 2002 11:56:06 -0500
From: Matt Zimmerman <mdz@debian.org>
To: submit@bugs.debian.org
Subject: Apache-SSL buffer overflow (fix available)
Message-ID: <20020304165606.GF13968@alcor.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.27i
Sender: Matt Zimmerman <mdz@alcor.net>
Delivered-To: submit@bugs.debian.org

Package: apache-ssl
Severity: critical

----- Forwarded message from Ben Laurie <ben@algroup.co.uk> -----

Date: Fri, 01 Mar 2002 11:47:36 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: Apache SSL Announce <apache-sslannounce@lists.aldigital.co.uk>,
	Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>,
	CERT Coordination Center <cert@cert.org>,
	Apache List <new-httpd@apache.org>
Subject: Apache-SSL buffer overflow (fix available)

Apache-SSL buffer overflow condition (all versions prior to 1.3.22+1.46)
------------------------------------------------------------------------

Synopsis
--------

A buffer overflow was recently found in mod_ssl, see:

http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html

for details. The offending code in mod_ssl was, in fact, derived from
Apache-SSL, and Apache-SSL is also vulnerable.

As in mod_ssl, this flaw can only be exploited if client certificates
are being used, and the certificate in question must be issued by a
trusted CA.

Fix
---

Download Apache-SSL 1.3.22+1.46 from the usual places (see
http://www.apache-ssl.org/).

Acknowledgements
----------------

Thanks to Ed Moyle for finding the flaw.

Rant
----

No thanks to anyone at all for alerting me before going
public. Cheers, guys.

Links
-----

This advisory can be found at:
http://www.apache-ssl.org/advisory-20020301.txt

A mirror which definitely has the new version:
ftp://opensores.thebunker.net/pub/mirrors/apache-ssl/apache_1.3.22+ssl_1.46.tar.gz


Ben Laurie, March 1, 2002.


--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

----- End forwarded message -----

-- 
 - mdz

---------------------------------------
Received: (at 136801-close) by bugs.debian.org; 5 Mar 2002 10:09:12 +0000
>From katie@pandora.debian.org Tue Mar 05 04:09:12 2002
Return-path: <katie@pandora.debian.org>
Received: from pandora.debian.org [132.229.137.249] (mail)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16iBsd-0004UA-00; Tue, 05 Mar 2002 04:09:11 -0600
Received: from katie by pandora.debian.org with local (Exim 3.12 1 (Debian))
	id 16iBlx-000829-00; Tue, 05 Mar 2002 11:02:17 +0100
From: Christoph Martin <christoph.martin@uni-mainz.de>
To: 136801-close@bugs.debian.org
X-Katie: $Revision: 1.8 $
Subject: Bug#136801: fixed in apache-ssl 1.3.23.1+1.47-1
Message-Id: <E16iBlx-000829-00@pandora.debian.org>
Sender: Archive Administrator <katie@pandora.debian.org>
Date: Tue, 05 Mar 2002 11:02:17 +0100
Delivered-To: 136801-close@bugs.debian.org

We believe that the bug you reported is fixed in the latest version of
apache-ssl, which is due to be installed in the Debian FTP archive:

apache-ssl_1.3.23.1+1.47-1.diff.gz
  to pool/non-US/main/a/apache-ssl/apache-ssl_1.3.23.1+1.47-1.diff.gz
apache-ssl_1.3.23.1+1.47-1.dsc
  to pool/non-US/main/a/apache-ssl/apache-ssl_1.3.23.1+1.47-1.dsc
apache-ssl_1.3.23.1+1.47-1_i386.deb
  to pool/non-US/main/a/apache-ssl/apache-ssl_1.3.23.1+1.47-1_i386.deb
apache-ssl_1.3.23.1+1.47.orig.tar.gz
  to pool/non-US/main/a/apache-ssl/apache-ssl_1.3.23.1+1.47.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 136801@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Martin <christoph.martin@uni-mainz.de> (supplier of updated apache-ssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  5 Mar 2002 10:23:12 +0100
Source: apache-ssl
Binary: apache-ssl
Architecture: source i386
Version: 1.3.23.1+1.47-1
Distribution: unstable
Urgency: high
Maintainer: Apache maintainers <debian-apache@lists.debian.org>
Changed-By: Christoph Martin <christoph.martin@uni-mainz.de>
Description: 
 apache-ssl - Versatile, high-performance HTTP server with SSL support
Closes: 136801
Changes: 
 apache-ssl (1.3.23.1+1.47-1) unstable; urgency=high
 .
   * new ssl patch fixes security hole (buffer overflow) (closes: #136801)
Files: 
 1bf782c27ebe2b934d3cd987b8b4a8d8 796 non-us/main optional apache-ssl_1.3.23.1+1.47-1.dsc
 d7a4c3ee83c2dc7ffc238367258f39a9 2851149 non-us/main optional apache-ssl_1.3.23.1+1.47.orig.tar.gz
 5ccbd9f40efdebb5df7885881619c817 22810 non-us/main optional apache-ssl_1.3.23.1+1.47-1.diff.gz
 a861e01366fdbfc5dd2c295d003b482f 404910 non-us/main optional apache-ssl_1.3.23.1+1.47-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjyEkOIACgkQgeVih7XOVJfC1wCgi5FeMcZY1Er6LzE3SQ7KnHk8
X4gAoJnMdZKKj6O/kWnyMlvRf6F0WZjV
=kC94
-----END PGP SIGNATURE-----

Reply to:

References:
- Bug#136801: Apache-SSL buffer overflow (fix available)
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: apache-ssl_1.3.23.1+1.47-1_i386.changes ACCEPTED
Next by Date: Re: More bugs
Previous by thread: Bug#136801: Apache-SSL buffer overflow (fix available)
Next by thread: Bug#136801: marked as done (Apache-SSL buffer overflow (fix available))
Index(es):
- Date
- Thread