Ed Moyle wrote:
>
> mod_ssl Buffer Overflow Condition (Update Available)
> --------------------------------------------------------
>
> SYNOPSIS
>
> mod_ssl (www.modssl.org) is a commonly used Apache module that
> provides strong cryptography for the Apache web server. The
> module utilizes OpenSSL (formerly SSLeay) for the SSL implementation.
> modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the
> underlying OpenSSL routines in a manner which could overflow a buffer
> within the implementation. This situation appears difficult to
> exploit in a production environment, however, for reasons detailed
> below.

Ooops! Apologies, I misread my code. Apache-SSL is, in fact, vulnerable
to this flaw. I'll be issuing an advisory shortly.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff