Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Apache mod_ssl off-by-one vulnerability
From: Ken.Williams () ey com
Date: Thu, 27 Jun 2002 16:32:32 -0500


i downloaded mod_ssl-2.8.9-1.3.26 from the modssl.org archive and verified
it does have the off-by-one error, so it appears that there was a mistake
in the
vulnerability advisory.

line 3 of the advisory should read:
Summary: Off-by-one in mod_ssl 2.8.9 and earlier

correct me if i'm wrong.


Ken Williams ; CISSP ; Technical Lead ; ken.williams () ey com
eSecurityOnline - an eSecurity Venture of Ernst & Young
ken.williams () ey com ; www.esecurityonline.com ; 1-877-eSecurity

Subject:  Re: Apache mod_ssl off-by-one vulnerability
From:     H D Moore <sflist () digitaloffense net>
Date:     2002-06-27 2:46:12

Just to confirm, the bug exists in 2.8.9 and earlier? The first part of
advisory mentions 2.4.9, so a casual reader may assume they are unaffected
they don't read all the way to the bottom...

On Monday 24 June 2002 15:47, Jedi/Sector One wrote:
Product: mod_ssl - http://www.modssl.org/
Date: 06/24/2002
Summary: Off-by-one in mod_ssl 2.4.9 and earlier

[ snip ]

The mod_ssl development team was very reactive and a new version has
been released. mod_ssl 2.8.10 addresses the vulnerability and it is
freely available from http://www.modssl.org/ . Upgrading from an earlier
release is painless.

The information contained in this message may be privileged and confidential and protected from disclosure.  If the 
reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message 
to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. If you have received this communication in error, please notify us immediately by 
replying to the message and deleting it from your computer.  Thank you.  Ernst & Young LLP

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]