[ANNOUNCE] mod_ssl 2.8.12
on 23.10.2002 11:15:19 by rse
Because of a Cross-Site-Scripting (XSS) bug found in mod_ssl, the fixed
maintenance version mod_ssl 2.8.12 is available for use with Apache
1.3.27.
http://www.modssl.org/source/
ftp://ftp.modssl.org/source/
Ralf S. Engelschall
rse@engelschall.com
www.engelschall.com
Changes with mod_ssl 2.8.12 (04-Oct-2002 to 23-Oct-2002)
*) Fixed potential Cross-Site-Scripting bug.
*) Allow also 8192 bytes of shared memory data size.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: [ANNOUNCE] mod_ssl 2.8.12
on 23.10.2002 11:32:53 by b.courtin
Hi list,
is there any information available regarding the mentioned
potential Cross-Site-Scripting bug?
(Any CERT/CC Advisory CA-xxxxx, BUGTRAQ-Messages etc...)
Thanks in advance & kind regards,
B. Courtin
> -----Original Message-----
> From: Ralf S. Engelschall [mailto:rse@engelschall.com]
> Sent: Wednesday, October 23, 2002 11:15 AM
> To: modssl-announce@modssl.org; modssl-users@modssl.org
> Subject: [ANNOUNCE] mod_ssl 2.8.12
>
>
> Because of a Cross-Site-Scripting (XSS) bug found in mod_ssl,
> the fixed
> maintenance version mod_ssl 2.8.12 is available for use with Apache
> 1.3.27.
>
> http://www.modssl.org/source/
> ftp://ftp.modssl.org/source/
> Ralf S. Engelschall
> rse@engelschall.com
> www.engelschall.com
>
> Changes with mod_ssl 2.8.12 (04-Oct-2002 to 23-Oct-2002)
>
> *) Fixed potential Cross-Site-Scripting bug.
>
> *) Allow also 8192 bytes of shared memory data size.
Re: [ANNOUNCE] mod_ssl 2.8.12
on 23.10.2002 11:51:58 by Joe Orton
On Wed, Oct 23, 2002 at 11:32:53AM +0200, Courtin Bert wrote:
> is there any information available regarding the mentioned
> potential Cross-Site-Scripting bug?
> (Any CERT/CC Advisory CA-xxxxx, BUGTRAQ-Messages etc...)
Hi, here are the details:
Versions of mod_ssl older than 2.8.12 suffer from a cross-site-
scripting bug: mod_ssl will send the server name unescaped in the
response to an HTTP request on an SSL port. This issue has been
assigned CVE CAN-2002-1157.
Like the other recent Apache XSS bugs, this only affects servers using
a combination of "UseCanonicalName off" (not the default in 1.3) and
wildcard DNS. Apache 2.0/mod_ssl is not vulnerable since it already
escapes this HTML.
Regards,
joe
--
Joe Orton, Red Hat Europe, Stronghold Engineering
http://stronghold.redhat.com/
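The flaw Joe describes is a missing output-encoding step: a server name that can be influenced by the client (with "UseCanonicalName off" it is derived from the request rather than from the configured ServerName) is copied into an HTML response body verbatim. The following C program is an added illustration, not mod_ssl's own code; the function names html_escape, build_response_raw and build_response_escaped, the response template text and the sample host name are all constructed for this example. It places the unescaped pattern beside the escaped one so the difference in the resulting HTML can be checked directly.

```c
/* Added example (not mod_ssl code): a client-influenced server name
 * echoed into HTML must be entity-encoded first. The helper names and
 * the response template are assumptions made for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of s with the HTML-significant
 * characters & < > " ' replaced by entity references. Caller frees. */
char *html_escape(const char *s)
{
    size_t len = 0;
    const char *p;
    char *out, *q;

    /* First pass: compute the escaped length. */
    for (p = s; *p; p++) {
        switch (*p) {
        case '&':  len += 5; break;   /* &amp;  */
        case '<':  len += 4; break;   /* &lt;   */
        case '>':  len += 4; break;   /* &gt;   */
        case '"':  len += 6; break;   /* &quot; */
        case '\'': len += 5; break;   /* &#39;  */
        default:   len += 1; break;
        }
    }
    out = malloc(len + 1);
    if (out == NULL)
        return NULL;

    /* Second pass: copy, substituting entities. */
    for (p = s, q = out; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep != NULL) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Flawed pattern: the server name is interpolated into HTML as-is.
 * The template text is constructed for this example. Caller frees. */
char *build_response_raw(const char *server_name)
{
    const char *fmt =
        "<html><body>Plain HTTP was sent to an SSL port.<br>\n"
        "Please use <a href=\"https://%s/\">https://%s/</a> instead."
        "</body></html>\n";
    size_t n = strlen(fmt) + 2 * strlen(server_name) + 1;
    char *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    snprintf(buf, n, fmt, server_name, server_name);
    return buf;
}

/* Fixed pattern: escape the name before it reaches the template, so
 * any markup characters in it are rendered as text, not as tags. */
char *build_response_escaped(const char *server_name)
{
    char *safe = html_escape(server_name);
    char *buf;
    if (safe == NULL)
        return NULL;
    buf = build_response_raw(safe);
    free(safe);
    return buf;
}

int main(void)
{
    /* Constructed sample: a host name carrying a harmless tag, as a
     * wildcard-DNS name resolved from a client-supplied Host could. */
    const char *name = "www.example.com<b>x";
    char *raw = build_response_raw(name);
    char *esc = build_response_escaped(name);
    if (raw == NULL || esc == NULL)
        return 1;
    printf("unescaped:\n%s\nescaped:\n%s", raw, esc);
    free(raw);
    free(esc);
    return 0;
}
```

In the unescaped output the "<b>" from the name becomes part of the document's markup; in the escaped output it appears as "&lt;b&gt;" and is displayed literally. This is the same kind of escaping Joe notes Apache 2.0/mod_ssl already applies, and it is the check to look for whenever a value derived from the request (Host header, URL, query string) is reflected into an HTML error page.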
Re: [ANNOUNCE] mod_ssl 2.8.12
on 23.10.2002 16:51:53 by Martin Kraemer
On Wed, Oct 23, 2002 at 11:15:19AM +0200, Ralf S. Engelschall wrote:
> Because of a Cross-Site-Scripting (XSS) bug found in mod_ssl, the fixed
> maintenance version mod_ssl 2.8.12 is available for use with Apache
> 1.3.27.
Thanks!
....but the snakeoil certificates are still expired:
% openssl x509 -noout -text < mod_ssl-2.8.12-1.3.27/pkg.sslcfg/snakeoil-ca-rsa.crt
....
Validity
Not Before: Oct 21 18:21:46 1999 GMT
Not After : Oct 20 18:21:46 2001 GMT
% openssl x509 -noout -text < mod_ssl-2.8.12-1.3.27/pkg.sslcfg/snakeoil-rsa.crt
....
Validity
Not Before: Oct 21 18:21:51 1999 GMT
Not After : Oct 20 18:21:51 2001 GMT
Martin
--
| Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany