Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

DSA-532-2 libapache-mod-ssl -- several vulnerabilities

Related Vulnerabilities: CVE-2004-0488   CVE-2004-0700  

Two vulnerabilities were discovered in libapache-mod-ssl: CAN-2004-0488 Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN. CAN-2004-0700 Format string vulnerability in the ssl_log function in ssl_engine_log.c in mod_ssl 2.8.19 for Apache 1.3.31 may allow remote attackers to execute arbitrary messages via format string specifiers in certain log messages for HTTPS. For the current stable distribution (woody), these problems have been fixed in version 2.8.9-2.4. For the unstable distribution (sid), CAN-2004-0488 was fixed in version 2.8.18, and CAN-2004-0700 will be fixed soon. We recommend that you update your libapache-mod-ssl package.

Source

Debian Security Advisory

DSA-532-2 libapache-mod-ssl -- several vulnerabilities

Date Reported:
27 Jul 2004
Affected Packages:
libapache-mod-ssl
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2004-0488, CVE-2004-0700.
More information:

Two vulnerabilities were discovered in libapache-mod-ssl:

  • CAN-2004-0488

    Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN.

  • CAN-2004-0700

    Format string vulnerability in the ssl_log function in ssl_engine_log.c in mod_ssl 2.8.19 for Apache 1.3.31 may allow remote attackers to execute arbitrary messages via format string specifiers in certain log messages for HTTPS.

For the current stable distribution (woody), these problems have been fixed in version 2.8.9-2.4.

For the unstable distribution (sid), CAN-2004-0488 was fixed in version 2.8.18, and CAN-2004-0700 will be fixed soon.

We recommend that you update your libapache-mod-ssl package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.4.dsc
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.4.diff.gz
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl-doc_2.8.9-2.4_all.deb
ARM:
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.4_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.4_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.4_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.4_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.4_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.4_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.4_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.4_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.4_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.4_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

MD5 checksums of the listed files are available in the revised advisory.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started