Apache 2.2.8 and mod_ssl

[Mark A Christofferson]

Hello,

 

I am currently running the Apache 2.2.8 port on the FreeBSD 6.3 platform
with mod_ssl enabled.  I received the following vulnerability scan
results from my organization:

 

Vulnerability:  mod_ssl Off-By-One HTAccess Buffer Overflow
Vulnerability

Risk Level:

Signature Group: Safe

Description: The remote host is using a version of mod_ssl which is
older than 2.8.10. This version is vulnerable

to an off by one buffer overflow, which may allow a user with write
access to .htaccess files to

execute arbitrary code on the system with permissions of the web server.

Resolution: Fixes have been made available by the affected vendor. We
recommend upgrading mod_ssl to a

more recent version that contains fixes addressing this issue.

BugTraq: 5084

CVE: CVE-2002-0653

CVSS: 4.9

 

I referenced CVE-2002-0653, noting that it is from 2002, and noticed
that there is no mention of this vulnerability affecting any version of
apache paired with mod_ssl in the 2.x branches.  I also can't find a
version 2.8.10 or greater for Apache 2.2.8.  I did find a site that
mentioned certain distributions patched the apache software so that this
vulnerability is no longer a concern.  

 

Could anyone give me some insight on this issue?  Is there a document I
overlooked that outlines remedial procedures, an updated ssl module, or
has the software been patched to negate the vulnerability?

 

I greatly appreciate any assistance on this matter,

 

Mark