Debian DSA-532-2 : libapache-mod-ssl - several vulnerabilities

high Nessus Plugin ID 15369

Synopsis

The remote Debian host is missing a security-related update.

Description

Two vulnerabilities were discovered in libapache-mod-ssl :

- CAN-2004-0488 Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN.

- CAN-2004-0700

Format string vulnerability in the ssl_log function in ssl_engine_log.c in mod_ssl 2.8.19 for Apache 1.3.31 may allow remote attackers to execute arbitrary messages via format string specifiers in certain log messages for HTTPS.

Solution

For the current stable distribution (woody), these problems have been fixed in version 2.8.9-2.4.

We recommend that you update your libapache-mod-ssl package.

See Also

http://www.debian.org/security/2004/dsa-532

Plugin Details

Severity: High

ID: 15369

File Name: debian_DSA-532.nasl

Version: 1.20

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:3.0, p-cpe:/a:debian:debian_linux:libapache-mod-ssl

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 7/27/2004

Reference Information

CVE: CVE-2004-0488, CVE-2004-0700

DSA: 532