Date: Sun, 25 Mar 2018 12:52:51 +0200
From: Marius Bakke <mbakke@...tmail.com>
To: Daniel Ruggeri <druggeri@...che.org>, oss-security@...ts.openwall.com, security@...pd.apache.org
Subject: Re: CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values

Daniel Ruggeri <druggeri@...che.org> writes:

> CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values.
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> httpd 2.0.23 to 2.0.65
> httpd 2.2.0 to 2.2.34
> httpd 2.4.0 to 2.4.29

[...]

> Mitigation:
> All httpd users should upgrade to 2.4.30 or later.

[...]

> References:
> https://httpd.apache.org/security/vulnerabilities_24.html

Perhaps I'm hitting an outdated mirror (22.214.171.124), but this page
lists "OptionsBleed" as the most recent CVE, and the download page shows
2.4.29 as the latest release.

I found 2.4.33 by browsing my suggested mirror "manually", but it does
not have the PGP signatures.

https://apache.uib.no/httpd/

I had to go to <https://www-eu.apache.org/dist/httpd/> in order to
verify the integrity.

Please look into it, and thanks for the notices.