Bug 57379 - net-www/mod_ssl: format string vulnerability (<=2.8.19 for Apache 1.3.31)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.mail-archive.com/modssl-us...
Whiteboard: A2 [glsa]
Reported: 2004-07-17 04:57 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-10-30 22:40 UTC

Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-07-17 04:57:14 UTC
From the Announcement on modssl-users:


    * From: Ralf S. Engelschall
    * Subject: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
    * Date: Fri, 16 Jul 2004 13:45:46 -0700 

We've today found an ssl_log() related format string vulnerability in
the mod_proxy hook functions of mod_ssl for Apache 1.3.x (mod_ssl for
Apache 2.x is not affected). A mod_ssl 2.8.19 for Apache 1.3.31 was
created which fixes this potential security hole.

Get mod_ssl-2.8.19-1.3.31.tar.gz from:

o http://www.modssl.org/source/
o  ftp://ftp.modssl.org/source/

Yours,
                                       Ralf S. Engelschall

_________________

Additional patches for non-security-related formatting bugs were posted in http://www.mail-archive.com/modssl-users@modssl.org/msg16855.html

Reproducible: Always
Steps to Reproduce:
Comment 1 Chuck Short (RETIRED) gentoo-dev 2004-07-17 05:20:37 UTC
In cvs, already marked stable for x86 and sparc.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-07-19 00:50:53 UTC
ppc, hppa, mips: please mark net-www/mod_ssl-2.8.19 stable.
Comment 3 Luca Barbato gentoo-dev 2004-07-22 01:27:06 UTC
Marked ppc
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-07-23 02:39:19 UTC
GLSA 200407-18
Comment 5 Joshua Kinard gentoo-dev 2004-07-27 22:27:54 UTC
stable on mips.