  1. Nov 17, 2009
  2. Nov 16, 2009
  3. Nov 08, 2009
  4. Nov 07, 2009
    • Merge r833582, r833593 from trunk: (commit 0c75010d)
      Authored by Joe Orton
      SECURITY: Partial fix for CVE-2009-3555:
      
      Reject client-initiated renegotiations; this is sufficient to prevent
      the attack for any configuration which does not require renegotiation
      due to per-directory/per-location access control configuration.
      
      Configurations with per-directory/per-location access control
      requirements (such as "SSLVerifyClient require") are still vulnerable
      to CVE-2009-3555 with this patch applied (if using OpenSSL <= 0.9.8k).
      
      * modules/ssl/ssl_private.h (SSLConnRec): Add reneg_state field.
        (ssl_callback_Info): Renamed from ssl_callback_LogTracingState.
      
      * modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Install
        the (renamed) info callback unconditionally.
      
      * modules/ssl/ssl_engine_io.c (ssl_filter_ctx_t): Add config pointer
        to SSLConnRec.
        (bio_filter_out_write, bio_filter_in_read): Fail with
        APR_ECONNABORTED if the reneg state is set to RENEG_ABORT.
      
      * modules/ssl/ssl_engine_kernel.c (log_tracing_state): Factored out
        of ssl_callback_LogTracingState.
        (ssl_callback_Info): New function.
      
      Submitted by: jorton, rpluem
      Reviewed by: jorton, rpluem, dirkx
      
      
      git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@833622 13f79535-47bb-0310-9956-ffa450edef68
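      The commit message above describes the mechanism but shows no code, so here is an added stand-alone model of it (not httpd's or OpenSSL's code): a reneg_state field on the connection, driven from the SSL info callback and checked by the BIO read/write filters. The CB_* and ST_* constants are local stand-ins so the file compiles without OpenSSL headers (the real callback uses SSL_CB_HANDSHAKE_DONE, SSL_CB_ACCEPT_LOOP and SSL_get_state); RC_ECONNABORTED stands in for APR_ECONNABORTED. The RENEG_ALLOW state and the server_renegotiate_begin/end helpers are an assumption about how a server-initiated renegotiation (per-location "SSLVerifyClient require") is let through; the commit does not show that part.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins (assumed values, not OpenSSL's) for the info-callback "where"
 * bits and the handshake state the callback inspects. */
#define CB_HANDSHAKE_DONE   0x20   /* stands in for SSL_CB_HANDSHAKE_DONE */
#define CB_ACCEPT_LOOP      0x04   /* stands in for SSL_CB_ACCEPT_LOOP */
#define ST_SR_CLT_HELLO     1      /* server is reading a ClientHello */
#define ST_OTHER            0
#define RC_ECONNABORTED     (-1)   /* stands in for APR_ECONNABORTED */

typedef enum {
    RENEG_INIT = 0,   /* initial handshake not yet complete */
    RENEG_REJECT,     /* handshake done: client-initiated renegotiation is rejected */
    RENEG_ALLOW,      /* assumed: the server itself asked for a renegotiation */
    RENEG_ABORT       /* client-initiated renegotiation seen: all further I/O fails */
} reneg_state_t;

typedef struct {
    reneg_state_t reneg_state;  /* the field the commit adds to SSLConnRec */
} conn_t;

static conn_t g_conn;           /* one connection, reset by each scenario */

/* Model of ssl_callback_Info: OpenSSL calls it on every state transition.
 * A ClientHello read while REJECT is set can only be a renegotiation the
 * client started on its own, so the connection is marked for abort. */
void info_callback(conn_t *c, int where, int ssl_state)
{
    if ((where & CB_ACCEPT_LOOP) && c->reneg_state == RENEG_REJECT) {
        if (ssl_state == ST_SR_CLT_HELLO) {
            c->reneg_state = RENEG_ABORT;
            fprintf(stderr, "rejecting client initiated renegotiation\n");
        }
    }
    /* First handshake finished: from now on the client may not renegotiate. */
    else if ((where & CB_HANDSHAKE_DONE) && c->reneg_state == RENEG_INIT) {
        c->reneg_state = RENEG_REJECT;
    }
}

/* Model of the check added to bio_filter_out_write / bio_filter_in_read:
 * once ABORT is set, every read and write fails with ECONNABORTED. */
int bio_io(conn_t *c, size_t len)
{
    if (c->reneg_state == RENEG_ABORT)
        return RC_ECONNABORTED;
    return (int)len;            /* bytes transferred */
}

/* Assumed: a server-initiated renegotiation (per-location client-cert
 * requirement) is bracketed by ALLOW so the callback does not abort it. */
void server_renegotiate_begin(conn_t *c) { c->reneg_state = RENEG_ALLOW; }
void server_renegotiate_end(conn_t *c)   { c->reneg_state = RENEG_REJECT; }

reneg_state_t current_state(void) { return g_conn.reneg_state; }

/* Scenario 1: the client sends a second ClientHello unprompted. */
int run_client_reneg_scenario(void)
{
    memset(&g_conn, 0, sizeof g_conn);
    info_callback(&g_conn, CB_ACCEPT_LOOP, ST_SR_CLT_HELLO); /* first ClientHello, INIT: fine */
    info_callback(&g_conn, CB_HANDSHAKE_DONE, ST_OTHER);     /* INIT -> REJECT */
    info_callback(&g_conn, CB_ACCEPT_LOOP, ST_SR_CLT_HELLO); /* unsolicited: REJECT -> ABORT */
    return bio_io(&g_conn, 16);                              /* RC_ECONNABORTED */
}

/* Scenario 2: the server requests renegotiation; the ClientHello that
 * answers its HelloRequest must go through. */
int run_server_reneg_scenario(void)
{
    memset(&g_conn, 0, sizeof g_conn);
    info_callback(&g_conn, CB_ACCEPT_LOOP, ST_SR_CLT_HELLO);
    info_callback(&g_conn, CB_HANDSHAKE_DONE, ST_OTHER);     /* INIT -> REJECT */
    server_renegotiate_begin(&g_conn);                       /* REJECT -> ALLOW */
    info_callback(&g_conn, CB_ACCEPT_LOOP, ST_SR_CLT_HELLO); /* permitted while ALLOW */
    info_callback(&g_conn, CB_HANDSHAKE_DONE, ST_OTHER);
    server_renegotiate_end(&g_conn);                         /* ALLOW -> REJECT */
    return bio_io(&g_conn, 16);                              /* 16 bytes written */
}

int main(void)
{
    printf("client-initiated: rc=%d state=%d\n", run_client_reneg_scenario(), current_state());
    printf("server-initiated: rc=%d state=%d\n", run_server_reneg_scenario(), current_state());
    return 0;
}
```

      The model makes the limitation in the commit message concrete: from inside the info callback, a ClientHello that answers the server's own HelloRequest looks exactly like one the client sent on its own, so the server has to lift the rejection around its per-location renegotiation. Any request prefix an attacker sent before that renegotiation is already buffered, which is why configurations that depend on renegotiation stay exposed with only this patch on OpenSSL <= 0.9.8k.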
  5. Nov 05, 2009
  6. Nov 04, 2009
  7. Nov 02, 2009
  8. Nov 01, 2009
  9. Oct 29, 2009
  10. Oct 27, 2009
  11. Oct 26, 2009
  12. Oct 25, 2009
  13. Oct 23, 2009
  14. Oct 20, 2009
  15. Oct 18, 2009
  16. Oct 17, 2009
  17. Oct 16, 2009
  18. Oct 14, 2009
  19. Oct 13, 2009
  20. Oct 07, 2009
  21. Oct 06, 2009
  22. Oct 05, 2009
  23. Oct 03, 2009