oss-sec mailing list archives

Re: CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values


From: Yann Ylavic <ylavic () apache org>
Date: Sun, 25 Mar 2018 15:11:21 +0200

On 03/25/2018 12:52 PM, Marius Bakke wrote:
> Daniel Ruggeri <druggeri () apache org> writes:
>> References:
>> https://httpd.apache.org/security/vulnerabilities_24.html
>
> Perhaps I'm hitting an outdated mirror (195.154.151.36), but this
> page lists "OptionsBleed" as the most recent CVE, and the download
> page shows 2.4.29 as the latest release.

The httpd website is missing some synchronization still; we are
currently looking into it.


> I found 2.4.33 by browsing my suggested mirror "manually", but it
> does not have the PGP signatures.
>
> https://apache.uib.no/httpd/
>
> I had to go to <https://www-eu.apache.org/dist/httpd/> in order to
> verify the integrity.

The website should be updated soon too; in the meantime, the tarballs
(and signatures) are available here: https://archive.apache.org/dist/httpd/

Thanks for noticing and letting us know.

Regards,
Yann.

