Nessus Plugin #14551
Note: This file has been created from a downloaded version of the Nessus Plugins from http://www.nessus.org/. Therefore, the information here can be outdated.
[GLSA-200407-18] mod_ssl: Format string vulnerability
- Family: Gentoo Local Security Checks
- Category: infos
- Copyright: (C) 2004 Michel Arboi
- Summary: mod_ssl: Format string vulnerability
- Version: $Revision: 1.1 $
- Cve_id: -
- Bugtraq_id: -
- Xrefs: GLSA:200407-18
- Description:
The remote host is affected by the vulnerability described in GLSA-200407-18 (mod_ssl: Format string vulnerability).
A bug in ssl_engine_ext.c makes mod_ssl vulnerable to an ssl_log()-related format string vulnerability in the mod_proxy hook functions.
Impact:
Given the right server configuration, an attacker could execute code as the user running Apache, usually "apache".
Workaround:
A server should not be vulnerable if it is not using both mod_ssl and mod_proxy. Otherwise there is no workaround other than to disable mod_ssl.
References:
http://marc.theaimsgroup.com/?l=apache-modssl&m=109001100906749&w=2
Solution:
All mod_ssl users should upgrade to the latest version:
# emerge sync
# emerge -pv ">=net-www/mod_ssl-2.8.19"
# emerge ">=net-www/mod_ssl-2.8.19"
Risk Factor : Medium
Generated on 27.04.2005 at 18:49:54.