Skip to content
  1. Dec 17, 2009
  2. Dec 16, 2009
  3. Dec 14, 2009
  4. Dec 12, 2009
  5. Dec 07, 2009
  6. Dec 03, 2009
  7. Nov 30, 2009
  8. Nov 29, 2009
  9. Nov 21, 2009
  10. Nov 20, 2009
  11. Nov 19, 2009
  12. Nov 18, 2009
  13. Nov 17, 2009
  14. Nov 16, 2009
  15. Nov 08, 2009
  16. Nov 07, 2009
    • Joe Orton's avatar
      Merge r833582, r833593 from trunk: · 0c75010d
      Joe Orton authored
      SECURITY: Partial fix for CVE-2009-3555:
      
      Reject client-initiated renegotiations; this is sufficient to prevent
      the attack for any configuration which does not require renegotiation
      due to per-directory/per-location access control configuration.
      
      Configuration with per-directory/per-location access control
      requirements (such as "SSLVerifyClient require") are still vulnerable
      to CVE-2009-3555 with this patch applied (if using OpenSSL <= 0.9.8k).
      
      * modules/ssl/ssl_private.h (SSLConnRec): Add reneg_state field.
        (ssl_callback_Info): Renamed from ssl_callback_LogTracingState.
      
      * modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Install
        the (renamed) info callback unconditionally.
      
      * modules/ssl/ssl_engine_io.c (ssl_filter_ctx_t): Add config pointer
        to SSLConnRec.
        (bio_filter_out_write, bio_filter_in_read): Fail with
        APR_ECONNABORTED if the reneg state is set to RENEG_ABORT.
      
      * modules/ssl/ssl_engine_kernel.c (log_tracing_state): Factored out
        of ssl_callback_LogTracingState.
        (ssl_callback_Info): New function.
      
      Submitted by: jorton, rpluem
      Reviewed by: jorton, rpluem, dirkx
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@833622 13f79535-47bb-0310-9956-ffa450edef68
      0c75010d
  17. Nov 05, 2009
  18. Nov 04, 2009
  19. Nov 02, 2009
  20. Nov 01, 2009
  21. Oct 29, 2009
  22. Oct 27, 2009