httpd-users mailing list archives

From "Mark A Christofferson" <>
Subject [users@httpd] Apache 2.2.8 mod_ssl Vulnerability Notification Assistance
Date Mon, 21 Apr 2008 17:02:41 GMT


I have asked this question previously on both the FreeBSD Mailing List
and the mod_ssl mailing list, but didn't receive a response.


I am currently running the Apache 2.2.8 port on the FreeBSD 6.3 platform
with mod_ssl enabled.  I received the following vulnerability scan
results from my organization:


Vulnerability: mod_ssl Off-By-One HTAccess Buffer Overflow

Risk Level:

Signature Group: Safe

Description: The remote host is using a version of mod_ssl which is older than 2.8.10. This version is vulnerable to an off by one buffer overflow, which may allow a user with write access to .htaccess files to execute arbitrary code on the system with permissions of the web server.

Resolution: Fixes have been made available by the affected vendor. We recommend upgrading mod_ssl to a more recent version that contains fixes addressing this issue.

BugTraq: 5084

CVE: CVE-2002-0653

CVSS: 4.9


I referenced CVE-2002-0653, noting that it is from 2002, and noticed
that there is no mention of this vulnerability affecting any version of
Apache paired with mod_ssl in the 2.x branches.  I also can't find a
version 2.8.10 or greater for Apache 2.2.8.  I did find a site that
mentioned certain distributions patched the Apache software so that this
vulnerability is no longer a concern.


Could anyone give me some insight on this issue?  Is there a document I
overlooked that outlines remedial procedures, an updated ssl module, or
has the software been patched to negate the vulnerability?


I greatly appreciate any assistance on this matter,
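An added illustration of how a banner-based signature can produce a finding like the one above (example code written for this archive page, not from the poster or the scanner vendor; the scanner's real matching logic is not known). It assumes two constructed `Server` headers: standalone mod_ssl on Apache 1.3 advertises its own 2.8.x number, while the mod_ssl bundled with Apache 2.x reports the httpd version, so a rule that only compares the `mod_ssl/` token against 2.8.10 flags 2.2.8 as "older", even though the 2.8.x numbering never applied to it.

```python
import re
from typing import Optional, Tuple

# Constructed sample banners (ServerTokens Full); not captured from the poster's host.
APACHE13_BANNER = "Apache/1.3.27 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.6g"
APACHE22_BANNER = "Apache/2.2.8 (FreeBSD) mod_ssl/2.2.8 OpenSSL/0.9.8g"

# First standalone mod_ssl release described as fixed in the scan text above.
FIXED_STANDALONE_MODSSL = (2, 8, 10)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.8.10' -> (2, 8, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def component_version(banner: str, name: str) -> Optional[Tuple[int, ...]]:
    """Pull the version that follows 'name/' out of a Server banner, if present."""
    match = re.search(rf"\b{re.escape(name)}/(\d+(?:\.\d+)*)", banner)
    return parse_version(match.group(1)) if match else None


def naive_check(banner: str) -> bool:
    """Version-only rule: flag any mod_ssl token numerically older than 2.8.10.
    This is the behaviour that yields a finding against Apache 2.2.8."""
    modssl = component_version(banner, "mod_ssl")
    return modssl is not None and modssl < FIXED_STANDALONE_MODSSL


def context_aware_check(banner: str) -> bool:
    """Apply the 2.8.10 threshold only where it is meaningful: standalone mod_ssl
    on Apache 1.3. With Apache 2.x the module is bundled and its banner version
    tracks httpd (assumption: the banner reflects the running build)."""
    httpd = component_version(banner, "Apache")
    modssl = component_version(banner, "mod_ssl")
    if httpd is None or modssl is None:
        return False  # nothing to compare; no banner-based finding
    if httpd[:2] != (1, 3):
        return False  # bundled mod_ssl: not the 2.8.x series at all
    return modssl < FIXED_STANDALONE_MODSSL


if __name__ == "__main__":
    for banner in (APACHE13_BANNER, APACHE22_BANNER):
        print(banner, "naive:", naive_check(banner),
              "context-aware:", context_aware_check(banner))
```

Even the context-aware result is only a banner heuristic; confirming the installed build (package version, distribution patch level) is what settles a finding like this.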


