Hello *,

Are the suse-rpms of apache and mod_ssl vulnerable too? Debian, Redhat, Mandrake and others have released new packages? If they are vulnerable, where and when can I get the new releases?

Thanks in advance

---snip---
- --------------------------------------------------------------------------
Debian Security Advisory DSA 120-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
March 10th, 2002
- --------------------------------------------------------------------------

Package        : libapache-mod-ssl, apache-ssl
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
Ed Moyle recently found a buffer overflow in Apache-SSL and mod_ssl. With session caching enabled, mod_ssl will serialize SSL session variables to store them for later use. These variables were stored in a buffer of a fixed size without proper boundary checks.
To exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. If these conditions are met, it would be possible for an attacker to execute arbitrary code on the server. ---snip---
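The bug class the advisory describes, as an added example that is not part of the original message or of mod_ssl's own code: a toy session-record serializer in the same pattern (length-prefixed session variables written into a fixed-size buffer), with the unchecked write shown beside the bounds-checked form that rejects a record which would not fit. The record layout, the field names and the sample bytes (a 32-byte session id and a client-certificate blob of adjustable length) are constructed for the demonstration and are not the real mod_ssl cache format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size cache slot, the kind of buffer the advisory describes. */
#define SESSION_BUF_SIZE 256

/* One session variable to serialize: a short name plus an opaque value
   (for example the DER bytes of the client certificate). */
struct sess_var {
    const char    *name;
    const uint8_t *value;
    size_t         len;
};

/* Vulnerable pattern: each variable is written as
   [1-byte name len][name][2-byte value len][value]
   and the caller's buffer is trusted to be big enough. A value longer than
   the remaining space runs off the end of 'out'. Kept for comparison only and
   called below with small inputs only. */
size_t serialize_session_unsafe(uint8_t *out, const struct sess_var *vars, size_t nvars)
{
    size_t pos = 0;
    for (size_t i = 0; i < nvars; i++) {
        size_t nlen = strlen(vars[i].name);
        out[pos++] = (uint8_t)nlen;
        memcpy(out + pos, vars[i].name, nlen);          /* no capacity check */
        pos += nlen;
        out[pos++] = (uint8_t)(vars[i].len >> 8);
        out[pos++] = (uint8_t)(vars[i].len & 0xff);
        memcpy(out + pos, vars[i].value, vars[i].len);  /* no capacity check */
        pos += vars[i].len;
    }
    return pos;
}

/* Hardened form: the space each field needs is computed before anything is
   written and compared with the capacity that is left. Returns the number of
   bytes written, or 0 if the record would not fit (or a length would not fit
   its prefix). Nothing is written past 'cap'. */
size_t serialize_session_safe(uint8_t *out, size_t cap, const struct sess_var *vars, size_t nvars)
{
    size_t pos = 0;
    for (size_t i = 0; i < nvars; i++) {
        size_t nlen = strlen(vars[i].name);
        if (nlen > 0xff || vars[i].len > 0xffff)
            return 0;                                   /* prefix cannot encode it */
        size_t need = 1 + nlen + 2 + vars[i].len;
        if (need > cap - pos)                           /* pos <= cap always holds */
            return 0;                                   /* would overflow: refuse */
        out[pos++] = (uint8_t)nlen;
        memcpy(out + pos, vars[i].name, nlen);
        pos += nlen;
        out[pos++] = (uint8_t)(vars[i].len >> 8);
        out[pos++] = (uint8_t)(vars[i].len & 0xff);
        memcpy(out + pos, vars[i].value, vars[i].len);
        pos += vars[i].len;
    }
    return pos;
}

/* Constructed sample session (not real data): a 32-byte session id plus a
   "client_cert" value of cert_len bytes. Returns the safe serializer's result.
   Record size is 45 bytes for the id entry plus 14 + cert_len for the cert. */
size_t demo_safe(size_t cert_len)
{
    static uint8_t out[SESSION_BUF_SIZE];
    static uint8_t session_id[32];
    static uint8_t fake_cert[512];
    memset(session_id, 0x11, sizeof session_id);
    memset(fake_cert, 0xAA, sizeof fake_cert);
    if (cert_len > sizeof fake_cert)
        return 0;
    struct sess_var vars[] = {
        { "session_id",  session_id, sizeof session_id },
        { "client_cert", fake_cert,  cert_len },
    };
    return serialize_session_safe(out, sizeof out, vars, 2);
}

/* Same sample run through the unchecked writer; only meaningful for inputs
   that are known to fit, which is exactly the assumption the bug class breaks. */
size_t demo_unsafe_small(void)
{
    static uint8_t out[SESSION_BUF_SIZE];
    static uint8_t session_id[32];
    static uint8_t small_cert[64];
    memset(session_id, 0x11, sizeof session_id);
    memset(small_cert, 0xAA, sizeof small_cert);
    struct sess_var vars[] = {
        { "session_id",  session_id, sizeof session_id },
        { "client_cert", small_cert, sizeof small_cert },
    };
    return serialize_session_unsafe(out, vars, 2);
}

int main(void)
{
    printf("safe, 64-byte cert : %zu bytes\n", demo_safe(64));    /* fits: 123 */
    printf("safe, 197-byte cert: %zu bytes\n", demo_safe(197));   /* exactly full: 256 */
    printf("safe, 198-byte cert: %zu (0 = refused)\n", demo_safe(198));
    printf("safe, 300-byte cert: %zu (0 = refused)\n", demo_safe(300));
    printf("unsafe, 64-byte cert: %zu bytes\n", demo_unsafe_small());
    return 0;
}
```

The point the hardened version makes is the one the advisory turns on: the size of the serialized record is controlled by the peer (the certificate is theirs), so the writer, not the caller, has to know the capacity of the slot and check it before every copy. A serializer that returns 0 and lets the caller skip caching that session is the safe failure mode; silently truncating would corrupt the cache instead.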
Mitchel-Martin Timm