delphij's Chaos

选择chaos这个词是因为~~实在很难找到一个更合适的词来形容这儿了……

29 May 2004

Apache又来了安全公告。。。

#Security

刚刚想睡觉的时候收到了commit mail:


clement     2004/05/28 08:27:02 PDT

  FreeBSD ports repository
  Modified files:
    www/apache2          Makefile 
  Added files:
    www/apache2/files    patch-modules:ssl:ssl_engine_kernel.c 
  Log:
  - Import security fix from Apache CVS...
  * modules/ssl/ssl_engine_kernel.c (ssl_hook_UserCheck): Fix buffer
  overflow in FakeBasicAuth code if client's subject DN exceeds 6K in
  length (CVE CAN-2004-0488); switch to using apr-util base64 encoder
  functions.
  - ... and of course bump PORTREVISION.
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
  http://secunia.com/advisories/11534/
  
  Reported by:    Charles-Damien Orbello <tazma@cultdeadsheep.org>
  
  Revision  Changes    Path
  1.178     +1 -0      ports/www/apache2/Makefile
  1.1       +39 -0     ports/www/apache2/files/patch-modules:ssl:ssl_engine_kernel.c (new)

确切地知道自己vulnerable,所以。。。