
Apache Mod_SSL/Apache-SSL Buffer Overflow Vulnerability

by Nikola Strahija on March 2nd, 2002

A buffer overflow vulnerability exists in mod_ssl and Apache-SSL that may allow attackers to execute arbitrary code. The overflow occurs when the modules attempt to cache SSL (Secure Sockets Layer) sessions: vulnerable versions of mod_ssl and Apache-SSL cannot handle large session representations.


To exploit this vulnerability, the attacker must somehow increase the size of the data representing the session, for example by presenting an extremely large client certificate. This is only possible if client certificate verification is enabled and the certificate is verified by a CA trusted by the web server. Though these requirements make the vulnerability theoretical, administrators are still urged to upgrade.

This is a remote vulnerability, and no exploit in the wild is known at the time of writing.
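As an added illustration (not code from the advisory, mod_ssl or Apache-SSL), the C sketch below models the caching pattern described above: the serialised session grows with the client certificate, so a store into a fixed-size cache slot must measure the encoding first and refuse anything that does not fit. The struct layout, the slot size and the try_cache_with_cert helper are constructed for this demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed size of one cache slot (constructed value). */
#define SESSION_MAX_DER 512

/* Toy session: only the part that grows with the client certificate is
 * modelled; keys, cipher and session ID are folded into 'fixed'. */
struct session {
    uint8_t fixed[96];
    const uint8_t *cert;   /* DER of the verified client certificate */
    size_t cert_len;
};

/* Bytes the serialised session needs: length prefix + fixed part + cert. */
size_t session_der_len(const struct session *s)
{
    return 4 + sizeof s->fixed + s->cert_len;
}

/* Serialise into out; like i2d-style APIs it trusts the caller on size. */
static void session_encode(const struct session *s, uint8_t *out)
{
    uint32_t n = (uint32_t)s->cert_len;
    memcpy(out, &n, 4);
    memcpy(out + 4, s->fixed, sizeof s->fixed);
    memcpy(out + 4 + sizeof s->fixed, s->cert, s->cert_len);
}

/* Hardened store: measure first and refuse to cache what cannot fit.
 * The vulnerable pattern the advisory describes skips this check, so an
 * encoding larger than the slot overruns it. */
int cache_store(const struct session *s, uint8_t slot[SESSION_MAX_DER])
{
    if (session_der_len(s) > SESSION_MAX_DER)
        return 0;          /* not cached; the handshake itself still works */
    session_encode(s, slot);
    return 1;
}

/* Demo helper: a session with a constructed all-zero cert of cert_len bytes;
 * returns 1 if the hardened store accepts it, 0 if it is rejected. */
int try_cache_with_cert(size_t cert_len)
{
    uint8_t slot[SESSION_MAX_DER];
    uint8_t *cert = calloc(cert_len ? cert_len : 1, 1);
    struct session s = { {0}, cert, cert_len };
    int ok = cache_store(&s, slot);
    free(cert);
    return ok;
}
```

With the constructed sizes, a certificate of up to 412 bytes fits the 512-byte slot and anything larger is refused instead of overflowing.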


Upgrades are available for the following affected versions:
- Apache-SSL 1.40
- Apache-SSL 1.41
- Apache-SSL 1.42
- Apache-SSL 1.44
- Apache-SSL 1.45
- Apache-SSL 1.46
- mod_ssl 2.7.1


RPMs that fix this vulnerability are available for the EnGarde Secure Linux distribution:
- apache-1.3.23-1.0.27.i386.rpm
- apache-1.3.23-1.0.27.i686.rpm
- apache-1.3.23-1.0.27.src.rpm (source RPM)

Here is the mod_ssl upgrade path: every affected 2.8.x version needs to be updated to the latest available release, mod_ssl 2.8.7. The upgrade paths for the various combinations of mod_ssl and Apache are listed below.

Affected mod_ssl versions: 2.8, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5 and 2.8.6.

Upgrade for each of them: mod_ssl-2.8.7-1.3.23.tar.gz (mod_ssl 2.8.7 for Apache 1.3.23).

Trustix upgrades (listed under mod_ssl 2.8):
- apache-1.3.23-1tr.i586.rpm
- apache-1.3.23-1tr.src.rpm
- apache-devel-1.3.23-1tr.i586.rpm
