GLSA-200406-05 : Apache: Buffer overflow in mod_ssl

high Nessus Plugin ID 14516


The remote Gentoo host is missing one or more security-related patches.


The remote host is affected by the vulnerability described in GLSA-200406-05 (Apache: Buffer overflow in mod_ssl)

A bug in the function ssl_util_uuencode_binary in ssl_util.c may lead to a remote buffer overflow on a server configured to use FakeBasicAuth that will trust a client certificate with an issuing CA with a subject DN longer than 6k.
Impact :

Given the right server configuration, an attacker could cause a Denial of Service or execute code as the user running Apache, usually 'apache'. It is thought to be impossible to exploit this to execute code on the x86 platform, but the possibility for other platforms is unknown. This does not preclude a DoS on x86 systems.
Workaround :

A server should not be vulnerable if it is not configured to use FakeBasicAuth and to trust a client CA with a long subject DN.


Apache 1.x users should upgrade to the latest version of mod_ssl:
# emerge sync # emerge -pv '>=net-www/mod_ssl-2.8.18' # emerge '>=net-www/mod_ssl-2.8.18' Apache 2.x users should upgrade to the latest version of Apache:
# emerge sync # emerge -pv '>=www-servers/apache-2.0.49-r3' # emerge '>=www-servers/apache-2.0.49-r3'

See Also

Plugin Details

Severity: High

ID: 14516

File Name: gentoo_GLSA-200406-05.nasl

Version: 1.16

Type: local

Published: 8/30/2004

Updated: 1/6/2021

Risk Information


Risk Factor: Medium

Score: 5.5


Risk Factor: High

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:apache, p-cpe:/a:gentoo:linux:mod_ssl, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 6/9/2004

Vulnerability Publication Date: 5/17/2004

Reference Information

CVE: CVE-2004-0488

GLSA: 200406-05