Apache 2.2.8 and mod_ssl
Mark A Christofferson
mchris3 at lsu.edu
Thu Apr 10 16:31:44 UTC 2008
I am currently running the Apache 2.2.8 port on the FreeBSD 6.3 platform
with mod_ssl enabled. I received the following vulnerability scan
results from my organization:
Vulnerability: mod_ssl Off-By-One HTAccess Buffer Overflow
Signature Group: Safe
Description: The remote host is using a version of mod_ssl which is older than 2.8.10. This version is vulnerable to an off-by-one buffer overflow, which may allow a user with write access to .htaccess files to execute arbitrary code on the system with permissions of the web server.
Resolution: Fixes have been made available by the affected vendor. We recommend upgrading mod_ssl to a more recent version that contains fixes addressing this issue.
I referenced CVE-2002-0653, noting that it is from 2002, and noticed
that there is no mention of this vulnerability affecting any version of
Apache paired with mod_ssl in the 2.x branches. I also can't find a
version 2.8.10 or greater for Apache 2.2.8. I did find a site that
mentioned certain distributions patched the Apache software so that this
vulnerability is no longer a concern.
Could anyone give me some insight on this issue? Is there a document I
overlooked that outlines remedial procedures, an updated ssl module, or
has the software been patched to negate the vulnerability?
I greatly appreciate any assistance on this matter,
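The scanner finding above is a banner-based version check: CVE-2002-0653 applies to the stand-alone mod_ssl 2.8.x add-on for Apache 1.3 (fixed in 2.8.10), while in Apache 2.x mod_ssl is part of httpd itself and carries the httpd version number, so a token such as "mod_ssl/2.2.8" compares as "less than 2.8.10" under a naive numeric check. The following script, added here as an illustration and not part of the original post or of any scanner or of the Apache project, reproduces that naive comparison next to a lineage-aware one over constructed Server banners. The banner strings, the function names and the `httpd -V` wrapper are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post: classify an HTTP "Server:" banner
# the way a version-matching scanner signature does, and show why the
# mod_ssl < 2.8.10 rule misfires on Apache 2.x. Banners below are constructed.

# Extract the dotted version that follows a product name, e.g.
# product_version 'Apache/2.2.8 (FreeBSD) mod_ssl/2.2.8' Apache  ->  2.2.8
product_version() {
    printf '%s\n' "$1" | sed -n "s/.*$2\/\([0-9][0-9.]*\).*/\1/p"
}

# version_lt A B: succeeds when dotted version A sorts strictly before B.
# Portable (no GNU sort -V): sort numerically on the first three components.
version_lt() {
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ] && [ "$1" != "$2" ]
}

# What the scanner signature effectively does: look for a mod_ssl token and
# compare it against 2.8.10 regardless of which Apache it is bolted onto.
naive_scanner() {
    modssl=$(product_version "$1" mod_ssl)
    if [ -z "$modssl" ]; then echo "no-mod_ssl-token"; return; fi
    if version_lt "$modssl" "2.8.10"; then echo "affected"; else echo "fixed"; fi
}

# Lineage-aware classification: the 2.8.x numbering only exists for the
# Apache 1.3 add-on; on Apache 2.x the mod_ssl token mirrors the httpd version.
classify_banner() {
    banner=$1
    httpd=$(product_version "$banner" Apache)
    modssl=$(product_version "$banner" mod_ssl)
    if [ -z "$modssl" ]; then echo "no-mod_ssl-token"; return; fi
    case "$httpd" in
        1.3*)
            if version_lt "$modssl" "2.8.10"; then echo "affected"; else echo "fixed"; fi ;;
        2.*)
            # Integrated mod_ssl: CVE-2002-0653's version range does not apply.
            echo "not-applicable" ;;
        *)
            echo "unknown" ;;
    esac
}

# Authoritative local check on the box itself (assumed wrapper; runs only when
# an httpd binary is on PATH, so the demo below works offline too).
local_httpd_version() {
    if command -v httpd >/dev/null 2>&1; then
        httpd -V 2>/dev/null | sed -n 's/^Server version: //p'
    else
        echo "httpd not found on PATH"
    fi
}

# Demo over constructed banners.
for b in 'Apache/2.2.8 (FreeBSD) mod_ssl/2.2.8 OpenSSL/0.9.8e' \
         'Apache/1.3.26 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.6' \
         'Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7' \
         'Apache/2.2.8 (FreeBSD)'; do
    printf '%-55s naive=%-16s lineage-aware=%s\n' "$b" "$(naive_scanner "$b")" "$(classify_banner "$b")"
done
echo "local httpd: $(local_httpd_version)"
```

The point of the side-by-side output is that the Apache 2.2.8 banner is flagged "affected" by the naive rule and "not-applicable" by the lineage-aware one, which matches the situation in the post: there is no mod_ssl 2.8.10 to upgrade to on the 2.2 branch. For the record that goes back to the scanning team, `httpd -V` (or the installed port version) is the evidence to cite; trimming the banner with `ServerTokens` only hides the token from the scanner and does not change what is installed.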