Important: Red Hat Security Advisory: openssl, php, mod_ssl, mod_imap security update for Stronghold

Updated versions of cross-platform Stronghold that fix security issues in modssl, modimap, OpenSSL, and PHP are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. Stronghold 4 contains a number of open source technologies, includin...

Apache 2, mod_ssl: Bypass of SSLCipherSuite directive

Background The Apache HTTP server is one of the most popular web servers on the internet. modssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 and is also included in Apache 2. Description A flaw has been found in modssl where the "SSLCipherSuite" directive could be bypassed in certain...

Re: Another flaw in Apache?

Further investigation show that the flaw is not in Apache itself, but in modssl, so it's probably not an OpenBSD-specific bug. It's just not triggered on systems where modssl isn't compiled in. The overflow is the sslcompatdirective function in src/modules/ssl/sslenginecompat.c . -- /- Frank DENI...