oss-sec mailing list archives
Re: CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values
From: Marius Bakke <mbakke () fastmail com>
Date: Sun, 25 Mar 2018 12:52:51 +0200
Daniel Ruggeri <druggeri () apache org> writes:
> CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values.
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> httpd 2.0.23 to 2.0.65
> httpd 2.2.0 to 2.2.34
> httpd 2.4.0 to 2.4.29
>
> [...]
>
> Mitigation: All httpd users should upgrade to 2.4.30 or later.
>
> [...]
>
> References: https://httpd.apache.org/security/vulnerabilities_24.html

Perhaps I'm hitting an outdated mirror (195.154.151.36), but this page lists "OptionsBleed" as the most recent CVE, and the download page shows 2.4.29 as the latest release.

I found 2.4.33 by browsing my suggested mirror "manually", but it does not have the PGP signatures.

https://apache.uib.no/httpd/

I had to go to <https://www-eu.apache.org/dist/httpd/> in order to verify the integrity.

Please look into it, and thanks for the notices.
Current thread:
- CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values Daniel Ruggeri (Mar 24)
- Re: CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values Marius Bakke (Mar 25)
- <Possible follow-ups>
- Re: CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values Yann Ylavic (Mar 27)