Date: Sun, 25 Mar 2018 15:11:21 +0200
From: Yann Ylavic <ylavic@...che.org>
To: oss-security@...ts.openwall.com
Cc: Marius Bakke <mbakke@...tmail.com>, Daniel Ruggeri <druggeri@...che.org>,
 security@...pd.apache.org
Subject: Re: CVE-2017-15710: Out of bound write in
 mod_authnz_ldap when using too small Accept-Language values

On 03/25/2018 12:52 PM, Marius Bakke wrote:
> Daniel Ruggeri <druggeri@...che.org> writes:
>> References:
>> https://httpd.apache.org/security/vulnerabilities_24.html
>
> Perhaps I'm hitting an outdated mirror (195.154.151.36), but this
> page lists "OptionsBleed" as the most recent CVE, and the download
> page shows 2.4.29 as the latest release.

The httpd website is missing some synchronization still; we are
currently looking into it.

>
> I found 2.4.33 by browsing my suggested mirror "manually", but it
> does not have the PGP signatures.
>
> https://apache.uib.no/httpd/
>
> I had to go to <https://www-eu.apache.org/dist/httpd/> in order to
> verify the integrity.

The website should be updated soon too; in the meantime, the tarballs
(and signatures) are available here: https://archive.apache.org/dist/httpd/

Thanks for noticing and letting us know.

Regards,
Yann.
