I assume that there is no change in the EAPI part, or is there?
(I'm asking this question because we previously patched apache.1.3.9 with
the EAPI from mod_ssl 2.4.5.)
Thanks,
--Yan
On Fri, 5 Nov 1999, Ralf S. Engelschall wrote:
>
> Because of the availability of a very important bugfix, I immediately release
> mod_ssl 2.4.8 with it. This version especially should solve any observed
> segfaults which had not even gone away by using `SSLSessionCache none' (because
> they were not related to DBM libraries and other session cache problematic
> things). See below for details. So, if you received segfaults in the past,
> you're now strongly encouraged to upgrade to this version (because the chance
> is very high that your situation applies to the three conditions listed
> below).
>
> Greetings,
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com
>
> Changes with mod_ssl 2.4.8 (02-Nov-1999 to 05-Nov-1999)
>
> *) ** IMPORTANT BUGFIX **
> If (and only if)...
> 1. a server restart at least once happened
> 2. a HTTPS request occurs from a 40-bit/export browser
> 3. the underlying Unix flavor doesn't map DSOs always
> to the same memory address on each restart
> ...then a segfault was very likely to occur for usually
> all previous mod_ssl versions.
>
> The reason was that mod_ssl's temporary RSA keys and DH parameters
> were stored in the persistent memory pool directly as OpenSSL's
> RSA and DH structures. But although these structures successfully
> survived restarts, the contained pointers, which were placed there
> by OpenSSL and which were referencing _static_ parts of OpenSSL,
> pointed to Nirvana after restarts. So on the next need for RSA
> temporary keys or DH parameters (usually caused by 40bit clients)
> the OpenSSL library internally segfaulted while processing these
> structures.
>
> This was a very long-standing bug and is now fixed by storing the
> RSA keys and DH parameters as raw (and this way safe) DER-encoded
> ASN.1 data streams (and not structures) in the persistent memory
> pool.
>
> *) Added an FAQ entry about Verisign GIDs and the intermediate CA
> certificate which is required to fill the gap in the server certificate
> chain or browsers will complain.
>
> *) The configure.bat for Win32 now tries to complain if patches were
> rejected while they are applied to the Apache source tree.
>
> *) Updated ANNOUNCE and README documents.
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
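The fix described in the quoted changelog, sketched as an added example that is not part of the original message and is not mod_ssl or OpenSSL code: only a flat, pointer-free encoding is kept across the restart, and the live structure is rebuilt against the current library mapping. All names (`tmp_key`, `key_method`, `key_encode`, `key_decode`) are hypothetical, and the 8-byte encoding is a simplified stand-in for DER.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins: a method table in the library's static data and a
   key structure pointing at it, the way OpenSSL's RSA/DH structures do. */
typedef struct { int (*bits)(uint32_t modulus); } key_method;
typedef struct { const key_method *meth; uint32_t modulus, exponent; } tmp_key;

static int count_bits(uint32_t m) { int n = 0; while (m) { n++; m >>= 1; } return n; }
/* Two objects model the same DSO mapped at different addresses across a restart. */
static const key_method meth_before_restart = { count_bits };
static const key_method meth_after_restart  = { count_bits };

/* Flat, pointer-free encoding (simplified stand-in for DER): two big-endian u32. */
#define ENC_LEN 8
static void put_u32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}
static uint32_t get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Encode for the persistent pool; returns bytes written, 0 if the buffer is too small. */
size_t key_encode(const tmp_key *k, unsigned char *out, size_t cap) {
    if (cap < ENC_LEN) return 0;
    put_u32(out, k->modulus); put_u32(out + 4, k->exponent);
    return ENC_LEN;
}

/* Rebuild a live structure; meth comes from the current mapping, never from storage. */
int key_decode(const unsigned char *in, size_t len, const key_method *current, tmp_key *k) {
    if (len != ENC_LEN) return -1;
    k->meth = current;
    k->modulus = get_u32(in); k->exponent = get_u32(in + 4);
    return 0;
}

int main(void) {
    tmp_key k = { &meth_before_restart, 0xC0FFEE01u, 65537u }, raw, fresh;
    unsigned char pool[ENC_LEN];
    memcpy(&raw, &k, sizeof k);              /* old approach: struct bytes kept as-is */
    key_encode(&k, pool, sizeof pool);       /* fixed approach: flat bytes only */
    key_decode(pool, sizeof pool, &meth_after_restart, &fresh);
    printf("raw copy still points at old table: %d\n", raw.meth != &meth_after_restart);
    printf("decoded key bits: %d\n", fresh.meth->bits(fresh.modulus));
    return 0;
}
```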