Message-ID: <87r2o8jukc.fsf@fastmail.com>
Date: Sun, 25 Mar 2018 12:52:51 +0200
From: Marius Bakke <mbakke@...tmail.com>
To: Daniel Ruggeri <druggeri@...che.org>, oss-security@...ts.openwall.com, security@...pd.apache.org
Subject: Re: CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values

Daniel Ruggeri <druggeri@...che.org> writes:

> CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values.
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> httpd 2.0.23 to 2.0.65
> httpd 2.2.0 to 2.2.34
> httpd 2.4.0 to 2.4.29

[...]

> Mitigation:
> All httpd users should upgrade to 2.4.30 or later.

[...]

> References:
> https://httpd.apache.org/security/vulnerabilities_24.html

Perhaps I'm hitting an outdated mirror (195.154.151.36), but this page
lists "OptionsBleed" as the most recent CVE, and the download page shows
2.4.29 as the latest release.

I found 2.4.33 by browsing my suggested mirror "manually", but it does
not have the PGP signatures.

https://apache.uib.no/httpd/

I had to go to <https://www-eu.apache.org/dist/httpd/> in order to
verify the integrity.

Please look into it, and thanks for the notices.

Download attachment "signature.asc" of type "application/pgp-signature" (488 bytes)
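The integrity check Marius describes (fetching the signed release from the canonical dist tree instead of a mirror) is only half the story: `gpg --verify` exits 0 for a valid signature from any key in the keyring, so after importing the project's KEYS file you still need to confirm that the signing key is the one you expected. The script below is an added example, not code from the message, from Apache or from Openwall. It assumes the dist tree at https://www-eu.apache.org/dist/httpd/ carries `httpd-<version>.tar.gz`, a detached `.asc` signature and a `KEYS` file, and that you maintain your own allowlist of release-manager fingerprints (one per line); `check_gpg_status` does the fingerprint comparison on gpg's machine-readable `--status-fd` output and works offline.

```shell
#!/bin/sh
# Added example (not from the original message or from Apache): verify an
# httpd release tarball against its detached PGP signature, then confirm the
# signing key is one you expected rather than trusting gpg's exit status alone.
#
# Assumptions not stated in the message: the dist layout under
# https://www-eu.apache.org/dist/httpd/ (tarball, .asc, KEYS) and the
# allowlist file of fingerprints, which you maintain yourself.

# check_gpg_status STATUSFILE ALLOWLISTFILE
# Reads the output of `gpg --status-fd 1 --verify` and succeeds only if a
# VALIDSIG line is present and the key it names is listed in ALLOWLISTFILE.
# Returns 1 for a bad/unverifiable signature, 2 for a valid signature from a
# key that is not on the allowlist.
check_gpg_status() {
    status_file="$1"
    allowlist="$2"
    # Any BADSIG, ERRSIG or NO_PUBKEY line means the signature did not verify.
    if grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY)' "$status_file"; then
        echo "signature check failed" >&2
        return 1
    fi
    # VALIDSIG layout: [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expiry>
    #   <sig-ver> <reserved> <pk-algo> <hash-algo> <sig-class> [<primary-fpr>]
    # Prefer the primary-key fingerprint (field 12) when gpg reports it, since
    # KEYS files usually list primary keys; otherwise use the signing key's.
    fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }' "$status_file")
    if [ -z "$fpr" ]; then
        echo "no VALIDSIG line: signature not verified" >&2
        return 1
    fi
    if grep -qiFx "$fpr" "$allowlist"; then
        echo "good signature from allowed key $fpr"
        return 0
    fi
    echo "valid signature, but key $fpr is not in the allowlist" >&2
    return 2
}

# verify_release VERSION ALLOWLISTFILE
# Downloads tarball, signature and KEYS from the canonical dist site (not a
# mirror), imports KEYS into a throwaway keyring and runs the check above.
verify_release() {
    version="$1"
    allowlist="$2"
    base="https://www-eu.apache.org/dist/httpd"   # assumed layout, see lead-in
    tarball="httpd-${version}.tar.gz"
    curl -fsSLO "${base}/${tarball}"
    curl -fsSLO "${base}/${tarball}.asc"
    curl -fsSL "${base}/KEYS" -o KEYS
    homedir=$(mktemp -d)
    gpg --homedir "$homedir" --batch --quiet --import KEYS
    # Exit status is intentionally ignored here; the decision is re-derived
    # from the status lines so an unexpected key cannot pass.
    gpg --homedir "$homedir" --batch --status-fd 1 --verify "${tarball}.asc" "$tarball" \
        > gpg-status.txt 2>/dev/null || true
    check_gpg_status gpg-status.txt "$allowlist"
}

# Usage: sh verify_httpd.sh 2.4.33 allowed-fingerprints.txt
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

The split into two functions is deliberate: `verify_release` needs the network and a working `gpg`, while `check_gpg_status` is pure text processing, so the policy part (which fingerprints are acceptable, what to do with a valid signature from an unknown key) can be tested with constructed status files.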
