oss-sec mailing list archives

Re: CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values


From: Marius Bakke <mbakke () fastmail com>
Date: Sun, 25 Mar 2018 12:52:51 +0200

Daniel Ruggeri <druggeri () apache org> writes:

CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values.

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.0.23 to 2.0.65
httpd 2.2.0 to 2.2.34
httpd 2.4.0 to 2.4.29

[...]

Mitigation:
All httpd users should upgrade to 2.4.30 or later.

[...]

References:
https://httpd.apache.org/security/vulnerabilities_24.html

Perhaps I'm hitting an outdated mirror (195.154.151.36), but this page
lists "OptionsBleed" as the most recent CVE, and the download page shows
2.4.29 as the latest release.

I found 2.4.33 by browsing my suggested mirror "manually", but it does
not have the PGP signatures.

https://apache.uib.no/httpd/

I had to go to <https://www-eu.apache.org/dist/httpd/> in order to
verify the integrity.

Please look into it, and thanks for the notices.
