This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.
The remote Gentoo host is missing one or more security-related
The remote host is affected by the vulnerability described in GLSA-200509-12
(Apache, mod_ssl: Multiple vulnerabilities)
mod_ssl contains a security issue when 'SSLVerifyClient optional' is
configured in the global virtual host configuration (CAN-2005-2700).
Also, Apache's httpd includes a PCRE library, which makes it vulnerable
to an integer overflow (CAN-2005-2491).
Under a specific configuration, mod_ssl does not properly enforce the
client-based certificate authentication directive, 'SSLVerifyClient
require', in a per-location context, which could be potentially used by
a remote attacker to bypass some restrictions. By creating a specially
crafted '.htaccess' file, a local attacker could possibly exploit
Apache's vulnerability, which would result in a local privilege
There is no known workaround at this time.
See also :
All mod_ssl users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-www/mod_ssl-2.8.24'
All Apache 2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-servers/apache-2.0.54-r15'
Risk factor :
Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 8.7
Public Exploit Available : false
Family: Gentoo Local Security Checks
Nessus Plugin ID: 19811 (gentoo_GLSA-200509-12.nasl)
Bugtraq ID: 14620
CVE ID: CVE-2005-2491CVE-2005-2700
The cookie settings on this website are set to 'allow all cookies' to give you the very best website experience. If you continue without changing these settings, you consent to this - but if you want, you can opt out of all cookies by clicking below.