Test ID: | 1.3.6.1.4.1.25623.1.0.53577 |
Category: | Debian Local Security Checks |
Title: | Debian Security Advisory DSA 120-1 (libapache-mod-ssl, apache-ssl) |
Summary: | The remote host is missing an update to libapache-mod-ssl, apache-ssl; announced via advisory DSA 120-1. |
Description: |
Summary: The remote host is missing an update to libapache-mod-ssl, apache-ssl announced via advisory DSA 120-1.

Vulnerability Insight: Ed Moyle recently found a buffer overflow in Apache-SSL and mod_ssl. With session caching enabled, mod_ssl will serialize SSL session variables to store them for later use. These variables were stored in a buffer of a fixed size without proper boundary checks.

To exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. If these conditions are met, it would be possible for an attacker to execute arbitrary code on the server.

This problem has been fixed in version 1.3.9.13-4 of Apache-SSL and version 2.4.10-1.3.9-1potato1 of libapache-mod-ssl for the stable Debian distribution, as well as in version 1.3.23.1+1.47-1 of Apache-SSL and version 2.8.7-1 of libapache-mod-ssl for the testing and unstable distributions of Debian.

Solution: We recommend that you upgrade your Apache-SSL and mod_ssl packages.

CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2002-0082
BugTraq ID: 4189 http://www.securityfocus.com/bid/4189
Bugtraq: 20020227 mod_ssl Buffer Overflow Condition (Update Available) http://online.securityfocus.com/archive/1/258646
Bugtraq: 20020228 TSLSA-2002-0034 - apache
Bugtraq: 20020301 Apache-SSL buffer overflow (fix available) http://marc.info/?l=bugtraq&m=101518491916936&w=2
Bugtraq: 20020304 Apache-SSL 1.3.22+1.47 - update to security fix http://marc.info/?l=bugtraq&m=101528358424306&w=2
Caldera Security Advisory: CSSA-2002-011.0 http://www.calderasystems.com/support/security/advisories/CSSA-2002-011.0.txt
COMPAQ Service Security Patch: SSRT0817 http://ftp.support.compaq.com/patches/.new/html/SSRT0817.shtml
Conectiva Linux advisory: CLA-2002:465 http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000465
Debian Security Information: DSA-120 http://www.debian.org/security/2002/dsa-120
En Garde Linux Advisory: ESA-20020301-005 http://www.linuxsecurity.com/advisories/other_advisory-1923.html
HPdes Security Advisory: HPSBTL0203-031 http://www.securityfocus.com/advisories/3965
HPdes Security Advisory: HPSBUX0204-190 http://www.securityfocus.com/advisories/4008
Mandrake Linux Security Advisory: MDKSA-2002-020 http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-020.php
Packet Storm: http://packetstormsecurity.com/files/153567/Apache-mod_ssl-OpenSSL-Remote-Buffer-Overflow.html
Red Hat Errata: RHSA-2002-041 http://www.redhat.com/support/errata/RHSA-2002-041.html
Red Hat Errata: RHSA-2002-042 http://www.redhat.com/support/errata/RHSA-2002-042.html
Red Hat Errata: RHSA-2002-045 http://www.redhat.com/support/errata/RHSA-2002-045.html
ISS X-Force: http://www.iss.net/security_center/static/8308.php |
Copyright | Copyright (C) 2008 E-Soft Inc. |