Debian Security Advisory

DSA-120-1 mod_ssl -- buffer overflow

Date Reported:

10 Mar 2002

Affected Packages:

libapache-mod-ssl, apache-ssl

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2002-0082.

More information:

Ed Moyle recently found a buffer overflow in Apache-SSL and mod_ssl. With session caching enabled, mod_ssl will serialize SSL session variables to store them for later use. These variables were stored in a buffer of a fixed size without proper boundary checks.

To exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. If these conditions are met, it would be possible for an attacker to execute arbitrary code on the server.

This problem has been fixed in version 1.3.9.13-4 of Apache-SSL and version 2.4.10-1.3.9-1potato1 of libapache-mod-ssl for the stable Debian distribution as well as in version 1.3.23.1+1.47-1 of Apache-SSL and version 2.8.7-1 of libapache-mod-ssl for the testing and unstable distribution of Debian.

We recommend that you upgrade your Apache-SSL and mod_ssl packages.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:: http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13-4.diff.gz; http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13-4.dsc; http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13.orig.tar.gz; http://security.debian.org/dists/stable/updates/main/source/libapache-mod-ssl_2.4.10-1.3.9-1potato1.diff.gz; http://security.debian.org/dists/stable/updates/main/source/libapache-mod-ssl_2.4.10-1.3.9-1potato1.dsc; http://security.debian.org/dists/stable/updates/main/source/libapache-mod-ssl_2.4.10-1.3.9.orig.tar.gz
Architecture-independent component:: http://security.debian.org/dists/stable/updates/main/binary-all/libapache-mod-ssl-doc_2.4.10-1.3.9-1potato1_all.deb
Alpha:: http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-ssl_1.3.9.13-4_alpha.deb; http://security.debian.org/dists/stable/updates/main/binary-alpha/libapache-mod-ssl_2.4.10-1.3.9-1potato1_alpha.deb
ARM:: http://security.debian.org/dists/stable/updates/main/binary-arm/apache-ssl_1.3.9.13-4_arm.deb; http://security.debian.org/dists/stable/updates/main/binary-arm/libapache-mod-ssl_2.4.10-1.3.9-1potato1_arm.deb
Intel ia32:: http://security.debian.org/dists/stable/updates/main/binary-i386/apache-ssl_1.3.9.13-4_i386.deb; http://security.debian.org/dists/stable/updates/main/binary-i386/libapache-mod-ssl_2.4.10-1.3.9-1potato1_i386.deb
Motorola 680x0:: http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-ssl_1.3.9.13-4_m68k.deb; http://security.debian.org/dists/stable/updates/main/binary-m68k/libapache-mod-ssl_2.4.10-1.3.9-1potato1_m68k.deb
PowerPC:: http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-ssl_1.3.9.13-4_powerpc.deb; http://security.debian.org/dists/stable/updates/main/binary-powerpc/libapache-mod-ssl_2.4.10-1.3.9-1potato1_powerpc.deb
Sun Sparc:: http://security.debian.org/dists/stable/updates/main/binary-sparc/apache-ssl_1.3.9.13-4_sparc.deb; http://security.debian.org/dists/stable/updates/main/binary-sparc/libapache-mod-ssl_2.4.10-1.3.9-1potato1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.