Gentoo Archives: gentoo-announce

From: Kurt Lieber <klieber@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200407-18 ] mod_ssl: Format string vulnerability
Date: Thu, 22 Jul 2004 14:06:49
Message-Id: 20040722132310.GJ24932@mail.lieber.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200407-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: mod_ssl: Format string vulnerability
      Date: July 22, 2004
      Bugs: #57379
        ID: 200407-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A bug in mod_ssl may allow a remote attacker to execute arbitrary code
when Apache is configured to use mod_ssl and mod_proxy.

Background
==========

mod_ssl provides Secure Sockets Layer encryption and authentication to
Apache 1.3.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-www/mod_ssl          <= 2.8.18                       >= 2.8.19

Description
===========

The mod_proxy hook functions in ssl_engine_ext.c pass a string that can
carry remote-supplied data directly as the format argument of ssl_log(),
rather than logging it through a constant format. This is a format string
vulnerability: the attacker's data is interpreted as printf-style
directives, which can read and write memory in the server process.
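The following C program is an added illustration of this bug class; it is
not mod_ssl's code and not part of the advisory. The logger, the function
names and the sample peer name are hypothetical. It contrasts a logging
helper that receives attacker-influenced text as its format argument with
the fixed form that passes a constant "%s" format, and exercises the one
directive ("%%") that can be run without undefined behaviour:

```c
/*
 * Added illustration of the format string bug class (not mod_ssl code).
 * log_fmt() stands in for an ssl_log()-style helper that formats into a
 * fixed buffer; the names and inputs below are hypothetical.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

static char logbuf[LOGBUF];

/* printf-style logger: formats into logbuf and returns it */
static const char *log_fmt(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
    return logbuf;
}

/* VULNERABLE: the remote-influenced string (a peer name) is used as the
 * format string itself. Any '%' directive in it is executed: "%x" reads
 * stack slots, "%n" writes to memory, which is how such bugs become
 * code execution. */
const char *log_peer_vulnerable(const char *peer)
{
    return log_fmt(peer);            /* BUG: untrusted data as format */
}

/* FIXED: constant format, data passed as an argument. A '%' in the data
 * is now just a byte that gets copied. */
const char *log_peer_fixed(const char *peer)
{
    return log_fmt("%s", peer);
}

/* Review/fuzzing aid: does a string that is about to be logged contain a
 * format directive? "%%" is a literal percent and does not count. This
 * does not make the vulnerable path safe; the fix is the constant
 * format above. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample input: a peer name carrying "%%", the only
     * directive that consumes no argument and is therefore safe to run
     * through the vulnerable path here. */
    const char *peer = "evil.example%%host";

    /* vulnerable path interprets the directive: evil.example%host */
    printf("vulnerable: %s\n", log_peer_vulnerable(peer));
    /* fixed path copies the bytes unchanged: evil.example%%host */
    printf("fixed:      %s\n", log_peer_fixed(peer));
    /* an audit check would flag a name like this before it is logged */
    printf("directive?  %d\n", contains_format_directive("%08x.%08x.%n"));
    return 0;
}
```

The vulnerable path consumes the "%%" and emits a single "%", proving
that the peer name reached the format argument; with "%x" or "%n" in its
place the same code path would read or write process memory. The fixed
path returns the input byte for byte, which is the property the 2.8.19
fix restores for ssl_log() callers.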

Impact
======

On a server that has both mod_ssl and mod_proxy enabled, a remote attacker
could execute arbitrary code with the privileges of the user Apache runs
as, usually "apache".

Workaround
==========

A server that does not use both mod_ssl and mod_proxy should not be
vulnerable. Otherwise there is no workaround other than disabling
mod_ssl.

Resolution
==========

All mod_ssl users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=net-www/mod_ssl-2.8.19"
    # emerge ">=net-www/mod_ssl-2.8.19"

References
==========

  [ 1 ] mod_ssl Announcement
        http://marc.theaimsgroup.com/?l=apache-modssl&m=109001100906749&w=2

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200407-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0