Apache mod_ssl ssl_util_uuencode_binary buffer overflow
| apache-modssl-uuencode-bo (16214) |  Medium Risk |
Description:
The mod_ssl authentication module for Apache HTTP Server is vulnerable to a stack-based buffer overflow, caused by a vulnerability in the ssl_util_uuencode_binary function. A remote attacker could exploit this vulnerability to overflow a buffer and possibly cause a denial of service or execute arbitrary code on the system.
Consequences:
Denial of Service
Remedy:
Upgrade to the latest mod_ssl package, as listed below. Refer to slackware-security Mailing List, Wed, 2 Jun 2004 12:24:39 -0700 (PDT) for more information. See References.Slackware Linux 8.1 and 9.0: 2.8.18_1.3.31-i386-1 or later
Slackware Linux 9.1 and -current: 2.8.18_1.3.31-i486-1 or later
For Gentoo Linux:
Upgrade to the latest version of mod_ssl (2.8.18 or later), as listed in GLSA 200406-05. See References.
For Red Hat Linux:
Upgrade to the latest mod_ssl package, as listed below. Refer to RHSA-2004:245-14 for more information. See References.
Red Hat Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 1.3.27-8.ent or later
For Red Hat Linux:
Upgrade to the latest mod_ssl package, as listed below. Refer to RHSA-2004:342-10 for more information. See References.
Red Hat Enterprise Linux AS (v. 3), ES (v. 3), WS (v. 3), Desktop: 2.0.46-32.ent.3.x86_64 or later
For Red Hat Linux Stronghold:
Refer to RHSA-2005:816-10 for patch, upgrade, or suggested workaround information. See References.
For Debian GNU/Linux 3.0 (alias woody):
Upgrade to the latest mod-ssl package (2.8.9-2.3 or later), as listed in DSA-532-1. See References.
For HP-UX 11.00, 11.11, 11.22, and 11.23:
Apply the appropriate patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBUX01064. See References.
For HP-UX 11.04 with Virtualvault 4.7, Virtualvault 4.6, or Virtualvault 4.5:
Apply the appropriate patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBUX01068. See References.
For Mac OS:
Apply Security Update 2004-12-02, as listed in AppleCare Knowledge Base Document 61798. See References.
For TurboLinux:
Upgrade to the latest httpd package (2.0.51-8 or later), as listed in Turbolinux Security Advisory TLSA-2005-2. See References.
For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2004.026 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Apply the appropriate update for your system. See References.
References:
- AppleCare Knowledge Base Document 61798: Security Update 2004-12-02.
- CIAC Information Bulletin 0-188: libapache-mod-ssl.
- CIAC Information Bulletin O-212: Apple Security Update.
- CIAC Information Bulletin P-049: Apple Security Update 2004-12-02.
- Full-Disclosure Mailing List, Mon May 17 2004 - 08:32:35 CDT: mod_ssl ssl_util_uuencode_binary potential problem.
- GLSA 200406-05: Apache: Buffer overflow in mod_ssl.
- IBM Systems Support Web site: Support for HMC.
- Slackware Security Advisories: [slackware-security] mod_ssl (SSA:2004-154-01).
- BID-10355: Apache 'mod_ssl' 'ssl_util_uuencode_binary()' Stack Buffer Overflow Vulnerability
- CVE-2004-0488: Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN.
- DSA-532: libapache-mod-ssl -- several vulnerabilities
- GLSA-200406-05: Apache: Buffer overflow in mod_ssl
- MDKSA-2004:054: Updated mod_ssl package fix remote vulnerability
- MDKSA-2004:055: Updated apache2 package fix vulnerability in mod_ssl
- OpenPKG-SA-2004.026: Apache mod_ssl
- RHSA-2004-245: apache
- RHSA-2004-342: httpd security update
- RHSA-2005-816: apache
- RHSA-2008-0523: Low: Red Hat Network Proxy Server security update
Platforms Affected:
- Apache HTTP Server 1.3
- Apache HTTP Server 1.3.1
- Apache HTTP Server 1.3.11
- Apache HTTP Server 1.3.12
- Apache HTTP Server 1.3.14
- Apache HTTP Server 1.3.17
- Apache HTTP Server 1.3.18
- Apache HTTP Server 1.3.19
- Apache HTTP Server 1.3.20
- Apache HTTP Server 1.3.22
- Apache HTTP Server 1.3.23
- Apache HTTP Server 1.3.24
- Apache HTTP Server 1.3.25
- Apache HTTP Server 1.3.26
- Apache HTTP Server 1.3.27
- Apache HTTP Server 1.3.28
- Apache HTTP Server 1.3.29
- Apache HTTP Server 1.3.3
- Apache HTTP Server 1.3.31
- Apache HTTP Server 1.3.4
- Apache HTTP Server 1.3.6
- Apache HTTP Server 1.3.7
- Apache HTTP Server 1.3.9
- Apache HTTP Server 2.0
- Apache HTTP Server 2.0.28
- Apache HTTP Server 2.0.28 Beta
- Apache HTTP Server 2.0.32
- Apache HTTP Server 2.0.35
- Apache HTTP Server 2.0.36
- Apache HTTP Server 2.0.37
- Apache HTTP Server 2.0.38
- Apache HTTP Server 2.0.39
- Apache HTTP Server 2.0.40
- Apache HTTP Server 2.0.41
- Apache HTTP Server 2.0.42
- Apache HTTP Server 2.0.43
- Apache HTTP Server 2.0.44
- Apache HTTP Server 2.0.45
- Apache HTTP Server 2.0.46
- Apache HTTP Server 2.0.47
- Apache HTTP Server 2.0.48
- Apache HTTP Server 2.0.49
- Apache HTTP Server 2.0.9A
- Apple Mac OS X 10.2.8
- Apple Mac OS X 10.3.6
- Apple Mac OS X Server 10.2.8
- Apple Mac OS X Server 10.3.6
- Debian Debian Linux 3.0
- Gentoo Linux 1.4
- Gentoo Linux
- HP HP-UX 11.00
- HP HP-UX 11.04
- HP HP-UX 11.11
- HP HP-UX 11.22
- HP HP-UX 11.23
- MandrakeSoft Mandrake Linux 10.0
- MandrakeSoft Mandrake Linux 10.0 AMD64
- MandrakeSoft Mandrake Linux 9.1
- MandrakeSoft Mandrake Linux 9.1 PPC
- MandrakeSoft Mandrake Linux 9.2 AMD64
- MandrakeSoft Mandrake Linux 9.2
- MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
- MandrakeSoft Mandrake Linux Corporate Server 2.1
- MandrakeSoft Mandrake Multi Network Firewall 8.2
- OpenPKG OpenPKG 1.3
- OpenPKG OpenPKG 2.0
- OpenPKG OpenPKG CURRENT
- RedHat Enterprise Linux 2.1 AS
- RedHat Enterprise Linux 2.1 ES
- RedHat Enterprise Linux 2.1 WS
- RedHat Enterprise Linux 2.1 AW
- RedHat Enterprise Linux 3 Desktop
- RedHat Enterprise Linux 3 AS
- RedHat Enterprise Linux 3 WS
- RedHat Enterprise Linux 3 ES
- RedHat Linux 3.0
- RedHat Linux Advanced Workstation 2.1 Itanium
- RedHat Network Proxy 4.2
- RedHat Stronghold
- Slackware Slackware Linux 8.1
- Slackware Slackware Linux 9.0
- Slackware Slackware Linux 9.1
- Slackware Slackware Linux current
- Turbolinux Turbolinux 10 Desktop
- Turbolinux Turbolinux 10 F...
- Turbolinux Turbolinux 10 Server
- Turbolinux Turbolinux 7 Server
- Turbolinux Turbolinux 8 Server
- Turbolinux Turbolinux Home
- Turbolinux Turbolinux Appliance Server 1.0 Hosting Ed
- Turbolinux Turbolinux Appliance Server 1.0 Workgroup Ed
Reported:
May 17, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net