Date: Thu, 10 Apr 2008 11:19:42 -0500
From: "Mark A Christofferson" <mchris3@lsu.edu>
To: <freebsd-questions@freebsd.org>
Subject: Apache 2.2.8 and mod_ssl
Message-ID: <DF0DF291F4F90D47B0686CF1B5136473F5EE23@email002.lsu.edu>
Hello,

I am currently running the Apache 2.2.8 port on the FreeBSD 6.3 platform with mod_ssl enabled. I received the following vulnerability scan results from my organization:

Vulnerability: mod_ssl Off-By-One HTAccess Buffer Overflow Vulnerability
Risk Level:
Signature Group: Safe
Description: The remote host is using a version of mod_ssl which is older than 2.8.10. This version is vulnerable to an off-by-one buffer overflow, which may allow a user with write access to .htaccess files to execute arbitrary code on the system with permissions of the web server.
Resolution: Fixes have been made available by the affected vendor. We recommend upgrading mod_ssl to a more recent version that contains fixes addressing this issue.
BugTraq: 5084
CVE: CVE-2002-0653
CVSS: 4.9

I referenced CVE-2002-0653, noting that it is from 2002, and noticed that there is no mention of this vulnerability affecting any version of Apache paired with mod_ssl in the 2.x branches. I also can't find a version 2.8.10 or greater for Apache 2.2.8. I did find a site that mentioned certain distributions patched the Apache software so that this vulnerability is no longer a concern.

Could anyone give me some insight on this issue? Is there a document I overlooked that outlines remedial procedures, an updated SSL module, or has the software been patched to negate the vulnerability?

I greatly appreciate any assistance on this matter,

Mark
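Added example, not part of the original post: a small triage helper for this class of finding. It assumes the scanner derived "mod_ssl older than 2.8.10" from the Server banner token (in Apache 2.x the built-in mod_ssl reports the httpd version, e.g. mod_ssl/2.2.8, which compares numerically below the 2.8.10 fix level of the standalone Apache 1.3 module); the banners and the `naive_scanner_flags` logic are constructed for illustration.

```python
# Added example (not from the original post): triage of the scanner signature
# "mod_ssl older than 2.8.10" (CVE-2002-0653) against an Apache Server banner.
import re

# Fix level the scanner quotes: standalone mod_ssl 2.8.10 for Apache 1.3.
STANDALONE_MODSSL_FIXED = (2, 8, 10)

BANNER_RE = re.compile(
    r"Apache/(?P<httpd>\d+(?:\.\d+)*)"
    r"(?:.*?\bmod_ssl/(?P<modssl>\d+(?:\.\d+)*))?"
)


def parse_version(text):
    """'2.8.9' -> (2, 8, 9): tuples compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def naive_scanner_flags(banner):
    """Assumed scanner logic: flag any mod_ssl/<v> token with v < 2.8.10.
    This is why an Apache 2.2.8 banner (token mod_ssl/2.2.8) gets flagged."""
    m = BANNER_RE.search(banner)
    if not m or m.group("modssl") is None:
        return False
    return parse_version(m.group("modssl")) < STANDALONE_MODSSL_FIXED


def triage(banner):
    """Lineage-aware verdict for the same banner."""
    m = BANNER_RE.search(banner)
    if not m or m.group("modssl") is None:
        # ServerTokens Prod or no SSL token: the banner cannot decide this;
        # confirm the installed httpd/mod_ssl package version on the host.
        return "undetermined"
    httpd = parse_version(m.group("httpd"))
    modssl = parse_version(m.group("modssl"))
    if httpd[0] >= 2:
        # Apache 2.x ships its own mod_ssl whose version token tracks httpd,
        # so the 2.8.10 threshold of the Apache 1.3 module does not apply.
        return "false-positive"
    if modssl < STANDALONE_MODSSL_FIXED:
        return "likely-affected"
    return "fixed"


# Constructed sample banners (not real scan data).
SAMPLE_BANNERS = [
    "Apache/2.2.8 (FreeBSD) mod_ssl/2.2.8 OpenSSL/0.9.8e",  # the poster's case
    "Apache/1.3.27 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.6g",    # pre-fix 1.3 module
    "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c",   # fixed 1.3 module
    "Apache",                                               # ServerTokens Prod
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r}: naive={naive_scanner_flags(b)} triage={triage(b)}")
```

A verdict of "false-positive" or "undetermined" is the cue to check the installed port version rather than the banner before closing the finding.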