Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 57379

Summary: net-www/mod_ssl: format string vulnerability (<=2.8.19 for Apache 1.3.31)
Product: Gentoo Security Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.mail-archive.com/modssl-users@modssl.org/msg16853.html
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-07-17 04:57:14 UTC 
From the Announcement on modssl-users:


    * From: Ralf S. Engelschall
    * Subject: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
    * Date: Fri, 16 Jul 2004 13:45:46 -0700 

We've today found an ssl_log() related format string vulnerability in
the mod_proxy hook functions of mod_ssl for Apache 1.3.x (mod_ssl for
Apache 2.x is not affected). A mod_ssl 2.8.19 for Apache 1.3.31 was
created which fixes this potential security hole.

Get mod_ssl-2.8.19-1.3.31.tar.gz from:

o http://www.modssl.org/source/
o  ftp://ftp.modssl.org/source/

Yours,
                                       Ralf S. Engelschall

_________________

Additional patches for non security related formatting bugs were posted in http://www.mail-archive.com/modssl-users@modssl.org/msg16855.html

Reproducible: Always
Steps to Reproduce:
Comment 1 Chuck Short (RETIRED) gentoo-dev 2004-07-17 05:20:37 UTC 
In cvs, already marked stable for x86 and sparc.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-07-19 00:50:53 UTC 
ppc, hppa, mips : please mark net-www/mod_ssl-2.8.19 stable.
Comment 3 Luca Barbato gentoo-dev 2004-07-22 01:27:06 UTC 
Marked ppc
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-07-23 02:39:19 UTC 
GLSA 200407-18
Comment 5 Joshua Kinard gentoo-dev 2004-07-27 22:27:54 UTC 
stable on mips.