Bug#136801: marked as done (Apache-SSL buffer overflow (fix available))
Your message dated 12 Mar 2002 16:06:15 +0100
with message-id <1015945576.29422.1.camel@woodstock>
and subject line 136801 is fixed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Mar 2002 16:56:07 +0000
>From mdz@csh.rit.edu Mon Mar 04 10:56:07 2002
Return-path: <mdz@csh.rit.edu>
Received: from smtp02.mrf.mail.rcn.net [207.172.4.61]
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 16hvkt-0005gz-00; Mon, 04 Mar 2002 10:56:07 -0600
Received: from 209-6-22-177.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com ([209.6.22.177] helo=mizar.alcor.net)
by smtp02.mrf.mail.rcn.net with esmtp (Exim 3.33 #10)
id 16hvks-0001k5-00
for submit@bugs.debian.org; Mon, 04 Mar 2002 11:56:06 -0500
Received: from mdz by mizar.alcor.net with local (Exim 3.34 #1 (Debian))
id 16hvks-0003xE-00
for <submit@bugs.debian.org>; Mon, 04 Mar 2002 11:56:06 -0500
Date: Mon, 4 Mar 2002 11:56:06 -0500
From: Matt Zimmerman <mdz@debian.org>
To: submit@bugs.debian.org
Subject: Apache-SSL buffer overflow (fix available)
Message-ID: <20020304165606.GF13968@alcor.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.27i
Sender: Matt Zimmerman <mdz@alcor.net>
Delivered-To: submit@bugs.debian.org
Package: apache-ssl
Severity: critical
----- Forwarded message from Ben Laurie <ben@algroup.co.uk> -----
Date: Fri, 01 Mar 2002 11:47:36 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: Apache SSL Announce <apache-sslannounce@lists.aldigital.co.uk>,
Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>,
CERT Coordination Center <cert@cert.org>,
Apache List <new-httpd@apache.org>
Subject: Apache-SSL buffer overflow (fix available)
Apache-SSL buffer overflow condition (all versions prior to 1.3.22+1.46)
------------------------------------------------------------------------
Synopsis
--------
A buffer overflow was recently found in mod_ssl, see:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html
for details. The offending code in mod_ssl was, in fact, derived from
Apache-SSL, and Apache-SSL is also vulnerable.
As in mod_ssl, this flaw can only be exploited if client certificates
are being used, and the certificate in question must be issued by a
trusted CA.
Fix
---
Download Apache-SSL 1.3.22+1.46 from the usual places (see
http://www.apache-ssl.org/).
Acknowledgements
----------------
Thanks to Ed Moyle for finding the flaw.
Rant
----
No thanks to anyone at all for alerting me before going
public. Cheers, guys.
Links
-----
This advisory can be found at:
http://www.apache-ssl.org/advisory-20020301.txt
A mirror which definitely has the new version:
ftp://opensores.thebunker.net/pub/mirrors/apache-ssl/apache_1.3.22+ssl_1.46.tar.gz
Ben Laurie, March 1, 2002.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
----- End forwarded message -----
--
- mdz
---------------------------------------
Received: (at 136801-done) by bugs.debian.org; 12 Mar 2002 15:06:28 +0000
>From martin@uni-mainz.de Tue Mar 12 09:06:28 2002
Return-path: <martin@uni-mainz.de>
Received: from sky.verwaltung.uni-mainz.de [134.93.144.163]
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 16knr9-000614-00; Tue, 12 Mar 2002 09:06:27 -0600
Received: from harriet.verwaltung.uni-mainz.de (root@harriet.verwaltung.uni-mainz.de [134.93.226.19])
by sky.verwaltung.uni-mainz.de (8.9.3/8.9.3/Debian 8.9.3-21) with ESMTP id QAA32122
for <136801-done@bugs.debian.org>; Tue, 12 Mar 2002 16:06:17 +0100
Received: from localhost.localdomain (martin@woodstock.verwaltung.uni-mainz.de [134.93.226.8])
by harriet.verwaltung.uni-mainz.de (8.12.1/8.12.1/Debian -5) with ESMTP id g2CF6Fi6021580
for <136801-done@bugs.debian.org>; Tue, 12 Mar 2002 16:06:16 +0100
Subject: 136801 is fixed
From: Christoph Martin <martin@uni-mainz.de>
To: 136801-done@bugs.debian.org
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature";
boundary="=-nkg0Lcjnii5oolLy87MT"
X-Mailer: Evolution/1.0.2
Date: 12 Mar 2002 16:06:15 +0100
Message-Id: <1015945576.29422.1.camel@woodstock>
Mime-Version: 1.0
X-Virus-Scanned: by amavisd-milter (http://amavis.org/)
Delivered-To: 136801-done@bugs.debian.org
--=-nkg0Lcjnii5oolLy87MT
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Bug 136801 was fixed by a security update for potato.
Thanks to Joey.
Christoph
--=-nkg0Lcjnii5oolLy87MT
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: Dies ist ein digital signierter Nachrichtenteil
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org
iEYEABECAAYFAjyOGWcACgkQgeVih7XOVJcywwCePTWpSpPqopUT/J+ZiAtlOhZY
2q4An3FLxGySzPG74dS3L5KXYvi8JsqQ
=0/iU
-----END PGP SIGNATURE-----
--=-nkg0Lcjnii5oolLy87MT--
Reply to: