Bugtraq mailing list archives

Apache-SSL buffer overflow (fix available)
From: Ben Laurie <ben () algroup co uk>
Date: Fri, 01 Mar 2002 11:47:36 +0000

Apache-SSL buffer overflow condition (all versions prior to 1.3.22+1.46)


A buffer overflow was recently found in mod_ssl, see:


for details. The offending code in mod_ssl was, in fact, derived from
Apache-SSL, and Apache-SSL is also vulnerable.

As in mod_ssl, this flaw can only be exploited if client certificates
are being used, and the certificate in question must be issued by a
trusted CA.


Download Apache-SSL 1.3.22+1.46 from the usual places (see


Thanks to Ed Moyle for finding the flaw.


No thanks to anyone at all for alerting me before going
public. Cheers, guys.


This advisory can be found at:

A mirror which definitely has the new version:

Ben Laurie, March 1, 2002.

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
