GLSA-200406-05 : Apache: Buffer overflow in mod_ssl

high Nessus Plugin ID 14516

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200406-05 (Apache: Buffer overflow in mod_ssl).

A bug in the function ssl_util_uuencode_binary in ssl_util.c may lead to a remote buffer overflow on a server that is configured to use FakeBasicAuth and that trusts a client certificate whose issuing CA has a subject DN longer than 6k.

Impact :

Given the right server configuration, an attacker could cause a Denial of Service or execute code as the user running Apache, usually 'apache'. It is thought to be impossible to exploit this to execute code on the x86 platform, but the possibility for other platforms is unknown. This does not preclude a DoS on x86 systems.

Workaround :

A server should not be vulnerable if it is not configured to use FakeBasicAuth and to trust a client CA with a long subject DN.

Solution

Apache 1.x users should upgrade to the latest version of mod_ssl:

    # emerge sync
    # emerge -pv '>=net-www/mod_ssl-2.8.18'
    # emerge '>=net-www/mod_ssl-2.8.18'

Apache 2.x users should upgrade to the latest version of Apache:

    # emerge sync
    # emerge -pv '>=www-servers/apache-2.0.49-r3'
    # emerge '>=www-servers/apache-2.0.49-r3'

See Also

https://security.gentoo.org/glsa/200406-05

Plugin Details

Severity: High

ID: 14516

File Name: gentoo_GLSA-200406-05.nasl

Version: 1.16

Type: local

Published: 8/30/2004

Updated: 1/6/2021

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:apache, p-cpe:/a:gentoo:linux:mod_ssl, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 6/9/2004

Vulnerability Publication Date: 5/17/2004

Reference Information

CVE: CVE-2004-0488

GLSA: 200406-05