Apache 2.2.8 and mod_ssl

Mark A Christofferson mchris3 at lsu.edu
Thu Apr 10 16:31:44 UTC 2008



I am currently running the Apache 2.2.8 port on the FreeBSD 6.3 platform
with mod_ssl enabled.  I received the following vulnerability scan
results from my organization:


Vulnerability:  mod_ssl Off-By-One HTAccess Buffer Overflow

Risk Level:

Signature Group: Safe

Description: The remote host is using a version of mod_ssl which is
older than 2.8.10. This version is vulnerable

to an off by one buffer overflow, which may allow a user with write
access to .htaccess files to

execute arbitrary code on the system with permissions of the web server.

Resolution: Fixes have been made available by the affected vendor. We
recommend upgrading mod_ssl to a

more recent version that contains fixes addressing this issue.

BugTraq: 5084

CVE: CVE-2002-0653

CVSS: 4.9


I referenced CVE-2002-0653, noting that it is from 2002, and noticed
that there is no mention of this vulnerability affecting any version of
apache paired with mod_ssl in the 2.x branches.  I also can't find a
version 2.8.10 or greater for Apache 2.2.8.  I did find a site that
mentioned certain distributions patched the apache software so that this
vulnerability is no longer a concern.  


Could anyone give me some insight on this issue?  Is there a document I
overlooked that outlines remedial procedures, an updated ssl module, or
has the software been patched to negate the vulnerability?


I greatly appreciate any assistance on this matter,



More information about the freebsd-questions mailing list