From: "Mark A Christofferson"
Date: Thu, 10 Apr 2008 11:19:42 -0500
Subject: Apache 2.2.8 and mod_ssl
List: freebsd-questions@freebsd.org

Hello,

I am currently running the Apache 2.2.8 port on the FreeBSD 6.3 platform with mod_ssl enabled. I received the following vulnerability scan results from my organization:

    Vulnerability: mod_ssl Off-By-One HTAccess Buffer Overflow Vulnerability
    Risk Level:
    Signature Group: Safe
    Description: The remote host is using a version of mod_ssl which is older than 2.8.10. This version is vulnerable to an off by one buffer overflow, which may allow a user with write access to .htaccess files to execute arbitrary code on the system with permissions of the web server.
    Resolution: Fixes have been made available by the affected vendor. We recommend upgrading mod_ssl to a more recent version that contains fixes addressing this issue.
    BugTraq: 5084
    CVE: CVE-2002-0653
    CVSS: 4.9

I referenced CVE-2002-0653, noting that it is from 2002, and noticed that there is no mention of this vulnerability affecting any version of Apache paired with mod_ssl in the 2.x branches. I also can't find a version 2.8.10 or greater for Apache 2.2.8. I did find a site that mentioned certain distributions patched the Apache software so that this vulnerability is no longer a concern.

Could anyone give me some insight on this issue? Is there a document I overlooked that outlines remedial procedures, an updated ssl module, or has the software been patched to negate the vulnerability?

I greatly appreciate any assistance on this matter,

Mark