[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[linux-security] buffer overflow in mod_ssl

To: linux-security
Subject: [linux-security] buffer overflow in mod_ssl
From: Martin Siegert <siegert@sfu.ca>
Date: Thu, 8 Aug 2002 19:25:44 -0700
User-Agent: Mutt/1.4i

Topic
=====
buffer overflow in mod_ssl package allows priviledge elevation

Problem Description
===================
The mod_ssl module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols.  Versions of mod_ssl prior to 2.8.10 are subject to a
single NULL overflow that can cause arbitrary code execution.

In order to exploit this vulnerability, the Apache Web server has to be
configured to allow overriding of configuration settings on a per-directory
basis, and untrusted local users must be able to modify a directory in
which the server is configured to allow overriding.  The local attacker may
then become the user that Apache is running as (usually 'www' or 'nobody').

Note that regardless of this bug, local users can obtain the same
privileges if the server is configured to allow them to create CGI scripts
which run as the Web server user, or if PHP is enabled but not configured
in "safe mode".

Affected Systems
================
web servers with mod_ssl versions < 2.8.10

Solution
========
Upgrade to mod_ssl-2.8.10 (or patched version for your distribution)

RedHat 7.0, 7.1
---------------
rpm -Fvh mod_ssl-2.8.5-5.i386.rpm

RedHat 7.2
----------
rpm -Fvh mod_ssl-2.8.5-6.i386.rpm

RedHat 7.3
----------
rpm -Fvh mod_ssl-2.8.7-6.i386.rpm

Debian 2.2 (potato)
-------------------
upgrade to libapache-mod-ssl_2.4.10-1.3.9-1potato2_i386.deb

Debian 3.0 (woody)
------------------
upgrade to libapache-mod-ssl_2.8.9-2_i386.deb

SuSE 7.0
--------
rpm -Fvh apache-1.3.19-128.i386.rpm \
         mod_ssl-2.8.2-38.i386.rpm \
         mod_perl-1.24-147.i386.rpm \
         mod_php4-4.0.4pl1-135.i386.rpm \
         mod_php-3.0.17RC1-58.i386.rpm \
         backhand-1.1.0-111.i386.rpm \
         mod_dav-1.0.0-76.i386.rpm \
         jserv-1.1.2-502.i386.rpm \
         authldap-1.4.3-128.i386.rpm \
         midgard-1.2.5-139.i386.rpm \
         modcontr-1.0.7-180.i386.rpm

SuSE 7.1
--------
rpm -Fvh apache-1.3.19-126.i386.rpm \
         mod_ssl-2.8.1-3.i386.rpm \
         mod_perl-1.24-154.i386.rpm \
         mod_php4-4.0.4pl1-142.i386.rpm \
         mod_php-3.0.17RC1-65.i386.rpm \
         backhand-1.1.0-120.i386.rpm \
         mod_dav-1.0.2-460.i386.rpm \
         jserv-1.1.2-521.i386.rpm \
         mod_python-2.7.1-40.i386.rpm \
         authldap-1.4.3-135.i386.rpm \
         apache-contrib-1.0.8-44.i386.rpm

SuSE 7.2
--------
rpm -Fvh apache-1.3.19-127.i386.rpm \
         apache-devel-1.3.19-127.i386.rpm \
         apache-doc-1.3.19-127.i386.rpm \
         mod_ssl-2.8.3-60.i386.rpm \
         mod_perl-1.25-77.i386.rpm \
         mod_php4-4.0.6-179.i386.rpm \
         mod_php4-core-4.0.6-179.i386.rpm \
         backhand-1.1.0-121.i386.rpm \
         mod_dav-1.0.2-461.i386.rpm \
         jserv-1.1.2-522.i386.rpm \
         mod_python-2.7.2-79.i386.rpm \
         authldap-1.4.8-121.i386.rpm \
         apache-contrib-1.0.9-385.i386.rpm \
         midgard-1.4-218.i386.rpm

SuSE 7.3
--------
rpm -Fvh apache-1.3.20-70.i386.rpm \
         apache-devel-1.3.20-70.i386.rpm \
         apache-doc-1.3.20-70.i386.rpm \
         mod_ssl-2.8.4-70.i386.rpm \
         mod_perl-1.26-348.i386.rpm \
         mod_php4-4.0.6-179.i386.rpm \
         mod_php4-aolserver-4.0.6-179.i386.rpm \
         mod_php4-core-4.0.6-179.i386.rpm \
         mod_php4-servlet-4.0.6-179.i386.rpm \
         backhand-1.2.0-251.i386.rpm \
         mod_dav-1.0.2-462.i386.rpm \
         jserv-1.1.2-524.i386.rpm \
         mod_python-2.7.5-128.i386.rpm \
         authldap-1.6.0-321.i386.rpm \
         apache-contrib-1.0.9-386.i386.rpm \
         midgard-1.4-219.i386.rpm

SuSE 8.0
--------
rpm -Fvh apache-1.3.23-137.i386.rpm \
         apache-devel-1.3.23-137.i386.rpm \
         apache-doc-1.3.23-137.i386.rpm \
         mod_ssl-2.8.7-105.i386.rpm \
         mod_perl-1.26-347.i386.rpm \
         mod_php4-4.1.0-244.i386.rpm \
         mod_php4-aolserver-4.1.0-244.i386.rpm \
         mod_php4-core-4.1.0-244.i386.rpm \
         mod_php4-servlet-4.1.0-244.i386.rpm \
         mod_php4-devel-4.1.0-244.i386.rpm \
         backhand-1.2.1-117.i386.rpm \
         mod_dav-1.0.2-461.i386.rpm \
         jserv-1.1.2-523.i386.rpm \
         mod_python-2.7.6-234.i386.rpm \
         authldap-1.6.0-320.i386.rpm \
         apache-contrib-1.0.9-385.i386.rpm \
         midgard-1.4.2-231.i386.rpm

Caldera OpenLinux 3.1.1, 3.1 (Server, Workstation)
--------------------------------------------------
rpm -Fvh mod_ssl-2.8.5_1.3.22-3.i386.rpm \
         mod_ssl-sxnet-2.8.5_1.3.22-3.i386.rpm

Prev by Date: [linux-security] gallery remote exploit (Debian)
Next by Date: [linux-security] mm temp file vulnerability
Prev by thread: [linux-security] mm temp file vulnerability
Next by thread: [linux-security] gallery remote exploit (Debian)
Index(es):
- Date
- Thread