I am running apache-mod_ssl-1.3.20.2.8.4-2, and I like it very much. It
is a complete package of apache and ssl, and, as it was packaged into a
RedHat rpm, was easy to install. However, the recent security advisory
concerning the buffer overflow in mod_ssl (appended below) demonstrates
my need for an update. I am unable to locate an rpm which corrects this
problem. Is there another way to correct this, short of uninstalling
apache-mod_ssl and then installing apache-1.3.23 and
mod_ssl-2.8.7-1.3.23 separately?

INFORMATION BULLETIN
mod_ssl and Apache_SSL Modules Contain a Buffer Overflow
[CERT Vulnerability Note VU#234971]
March 6, 2002 00:00 GMT                                          Number M-053
______________________________________________________________________________

PROBLEM:       There is a remotely exploitable buffer overflow in two modules
               that implement the Secure Sockets Layer (SSL) and Transport
               Layer Security (TLS) protocol.
PLATFORM:      mod_ssl in all versions prior to 2.8.7-1.3.23.
               Apache-SSL in all versions prior to 1.3.22+1.4.6.
DAMAGE:        An attacker may be able to execute arbitrary code on the
               system with the privileges of the ssl module.
SOLUTION:      Upgrade to mod_ssl 2.8.7 or Apache_SSL 1.3.22+1.46, or apply
               the patch provided by your vendor.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. To exploit the overflow, the server must be
ASSESSMENT:    configured to allow client certificates, and an attacker must
               obtain a carefully crafted client certificate that has been
               signed by a Certificate Authority (CA) which is trusted by the
               server.

--
R. J. Goyette
Argonne National Laboratory
[EMAIL PROTECTED]
http://www.pns.anl.gov
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
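The bulletin fixes the affected range at "all versions prior to 2.8.7", and the poster's combined package name (apache-mod_ssl-1.3.20.2.8.4-2) carries the mod_ssl version in its middle fields. The script below is an added example, not from the original post or from the mod_ssl project: it pulls the mod_ssl version out of such a package name and compares it numerically against the fixed release, so a 2.8.10 is not mistaken for an old version by a plain string comparison. The package-name layout (apache version, then mod_ssl version, then rpm release) is assumed from the name in the post; the sample names at the bottom are constructed.

```shell
#!/bin/sh
# Added example: check whether an apache-mod_ssl package name carries a
# mod_ssl version at or above the fixed release named in the bulletin.
# Assumed package-name layout (taken from the post's own package name):
#   apache-mod_ssl-<apache ver>.<mod_ssl ver>-<rpm release>
#   e.g. apache-mod_ssl-1.3.20.2.8.4-2  ->  mod_ssl 2.8.4

FIXED_MODSSL="2.8.7"   # first fixed release per the CERT/CIAC bulletin

# modssl_version_of PACKAGE_NAME
# Prints the three-field mod_ssl version embedded in the package name,
# or nothing if the name does not match the assumed layout.
modssl_version_of() {
    printf '%s\n' "$1" | sed -n \
        's/^apache-mod_ssl-[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)-.*$/\1/p'
}

# modssl_is_fixed VERSION
# Returns 0 when VERSION (e.g. "2.8.4") is >= FIXED_MODSSL, 1 otherwise.
# Fields are compared as numbers, not strings, so "2.8.10" sorts above "2.8.7".
modssl_is_fixed() {
    printf '%s\n%s\n' "$1" "$FIXED_MODSSL" | awk -F. '
        NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 3; i++) b[i] = $i + 0 }
        END {
            for (i = 1; i <= 3; i++) {
                if (a[i] > b[i]) exit 0
                if (a[i] < b[i]) exit 1
            }
            exit 0   # equal to the fixed release
        }'
}

# package_is_fixed PACKAGE_NAME
# Combines the two steps; an unparseable name is treated as NOT fixed,
# because "unknown" should never pass a vulnerability check.
package_is_fixed() {
    ver=$(modssl_version_of "$1")
    [ -n "$ver" ] && modssl_is_fixed "$ver"
}

# Constructed sample names (the first one is the poster's own package).
# On a real host the name comes from: rpm -q apache-mod_ssl
for pkg in apache-mod_ssl-1.3.20.2.8.4-2 \
           apache-mod_ssl-1.3.23.2.8.7-1 \
           apache-mod_ssl-1.3.23.2.8.10-1 \
           not-a-modssl-package; do
    if package_is_fixed "$pkg"; then
        echo "OK        $pkg"
    else
        echo "VULNERABLE/UNKNOWN  $pkg"
    fi
done
```

The bulletin's assessment also gives the second lever a site has while waiting for a fixed rpm: the overflow is only reachable when the server is configured to accept client certificates. In mod_ssl that is controlled by the SSLVerifyClient directive (a real mod_ssl directive, not mentioned on the page); a host that does not actually rely on client-certificate authentication can leave it at none until the upgrade lands, which removes the precondition the bulletin describes without replacing the patch.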