Hello,

I have asked this question previously on both the FreeBSD mailing list and the mod_ssl mailing list, but didn't receive a response. I am currently running the Apache 2.2.8 port on the FreeBSD 6.3 platform with mod_ssl enabled. I received the following vulnerability scan results from my organization:

    Vulnerability: mod_ssl Off-By-One HTAccess Buffer Overflow Vulnerability
    Risk Level:
    Signature Group: Safe
    Description: The remote host is using a version of mod_ssl which is older than 2.8.10. This version is vulnerable to an off-by-one buffer overflow, which may allow a user with write access to .htaccess files to execute arbitrary code on the system with permissions of the web server.
    Resolution: Fixes have been made available by the affected vendor. We recommend upgrading mod_ssl to a more recent version that contains fixes addressing this issue.
    BugTraq: 5084
    CVE: CVE-2002-0653
    CVSS: 4.9

I referenced CVE-2002-0653, noting that it is from 2002, and noticed that there is no mention of this vulnerability affecting any version of Apache paired with mod_ssl in the 2.x branches. I also can't find a version 2.8.10 or greater for Apache 2.2.8. I did find a site that mentioned certain distributions patched the Apache software so that this vulnerability is no longer a concern.

Could anyone give me some insight on this issue? Is there a document I overlooked that outlines remedial procedures, an updated SSL module, or has the software been patched to negate the vulnerability?

I greatly appreciate any assistance on this matter,

Mark