Date: Sun, 25 Mar 2018 12:52:51 +0200
From: Marius Bakke <mbakke@...tmail.com>
To: Daniel Ruggeri <druggeri@...che.org>, oss-security@...ts.openwall.com, security@...pd.apache.org
Subject: Re: CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values

Daniel Ruggeri <druggeri@...che.org> writes:

> CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values.
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> httpd 2.0.23 to 2.0.65
> httpd 2.2.0 to 2.2.34
> httpd 2.4.0 to 2.4.29

[...]

> Mitigation:
> All httpd users should upgrade to 2.4.30 or later.

[...]

> References:
> https://httpd.apache.org/security/vulnerabilities_24.html

Perhaps I'm hitting an outdated mirror (22.214.171.124), but this page
lists "OptionsBleed" as the most recent CVE, and the download page shows
2.4.29 as the latest release.

I found 2.4.33 by browsing my suggested mirror "manually", but it does
not have the PGP signatures.

https://apache.uib.no/httpd/

I had to go to <https://www-eu.apache.org/dist/httpd/> in order to
verify the integrity.

Please look into it, and thanks for the notices.

Download attachment "signature.asc" of type "application/pgp-signature" (488 bytes)