Debian Security Advisory
DSA-120-1 mod_ssl -- buffer overflow
- Date Reported:
- 10 Mar 2002
- Affected Packages:
- libapache-mod-ssl, apache-ssl
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2002-0082.
- More information:
-
Ed Moyle recently found a buffer overflow in Apache-SSL and mod_ssl. With session caching enabled, mod_ssl will serialize SSL session variables to store them for later use. These variables were stored in a buffer of a fixed size without proper boundary checks.
To exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. If these conditions are met, it would be possible for an attacker to execute arbitrary code on the server.
This problem has been fixed in version 1.3.9.13-4 of Apache-SSL and version 2.4.10-1.3.9-1potato1 of libapache-mod-ssl for the stable Debian distribution as well as in version 1.3.23.1+1.47-1 of Apache-SSL and version 2.8.7-1 of libapache-mod-ssl for the testing and unstable distribution of Debian.
We recommend that you upgrade your Apache-SSL and mod_ssl packages.
- Fixed in:
-
Debian GNU/Linux 2.2 (potato)
- Source:
- http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13-4.diff.gz
- http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13-4.dsc
- http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13.orig.tar.gz
- http://security.debian.org/dists/stable/updates/main/source/libapache-mod-ssl_2.4.10-1.3.9-1potato1.diff.gz
- http://security.debian.org/dists/stable/updates/main/source/libapache-mod-ssl_2.4.10-1.3.9-1potato1.dsc
- http://security.debian.org/dists/stable/updates/main/source/libapache-mod-ssl_2.4.10-1.3.9.orig.tar.gz
- http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13-4.dsc
- Architecture-independent component:
- http://security.debian.org/dists/stable/updates/main/binary-all/libapache-mod-ssl-doc_2.4.10-1.3.9-1potato1_all.deb
- Alpha:
- http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-ssl_1.3.9.13-4_alpha.deb
- http://security.debian.org/dists/stable/updates/main/binary-alpha/libapache-mod-ssl_2.4.10-1.3.9-1potato1_alpha.deb
- http://security.debian.org/dists/stable/updates/main/binary-alpha/libapache-mod-ssl_2.4.10-1.3.9-1potato1_alpha.deb
- ARM:
- http://security.debian.org/dists/stable/updates/main/binary-arm/apache-ssl_1.3.9.13-4_arm.deb
- http://security.debian.org/dists/stable/updates/main/binary-arm/libapache-mod-ssl_2.4.10-1.3.9-1potato1_arm.deb
- http://security.debian.org/dists/stable/updates/main/binary-arm/libapache-mod-ssl_2.4.10-1.3.9-1potato1_arm.deb
- Intel ia32:
- http://security.debian.org/dists/stable/updates/main/binary-i386/apache-ssl_1.3.9.13-4_i386.deb
- http://security.debian.org/dists/stable/updates/main/binary-i386/libapache-mod-ssl_2.4.10-1.3.9-1potato1_i386.deb
- http://security.debian.org/dists/stable/updates/main/binary-i386/libapache-mod-ssl_2.4.10-1.3.9-1potato1_i386.deb
- Motorola 680x0:
- http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-ssl_1.3.9.13-4_m68k.deb
- http://security.debian.org/dists/stable/updates/main/binary-m68k/libapache-mod-ssl_2.4.10-1.3.9-1potato1_m68k.deb
- http://security.debian.org/dists/stable/updates/main/binary-m68k/libapache-mod-ssl_2.4.10-1.3.9-1potato1_m68k.deb
- PowerPC:
- http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-ssl_1.3.9.13-4_powerpc.deb
- http://security.debian.org/dists/stable/updates/main/binary-powerpc/libapache-mod-ssl_2.4.10-1.3.9-1potato1_powerpc.deb
- http://security.debian.org/dists/stable/updates/main/binary-powerpc/libapache-mod-ssl_2.4.10-1.3.9-1potato1_powerpc.deb
- Sun Sparc:
- http://security.debian.org/dists/stable/updates/main/binary-sparc/apache-ssl_1.3.9.13-4_sparc.deb
- http://security.debian.org/dists/stable/updates/main/binary-sparc/libapache-mod-ssl_2.4.10-1.3.9-1potato1_sparc.deb
- http://security.debian.org/dists/stable/updates/main/binary-sparc/libapache-mod-ssl_2.4.10-1.3.9-1potato1_sparc.deb
MD5 checksums of the listed files are available in the original advisory.