Dailydave mailing list archives
Re: [Full-Disclosure] [SECURITY] [DSA 532-1] New libapache-mod-ssl packages fix multiple vulnerabilities
From: "Evgeny Demidov" <demidov () gleg net>
Date: Fri, 23 Jul 2004 13:50:56 +0400
On Thu, 22 Jul 2004 20:29:33 -0700 debian-security-announce () lists debian org wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 532-1                     security () debian org
http://www.debian.org/security/                             Matt Zimmerman
July 22nd, 2004                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libapache-mod-ssl
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2004-0488 CAN-2004-0700

Two vulnerabilities were discovered in libapache-mod-ssl:

CAN-2004-0488 - Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN.

CAN-2004-0700 - Format string vulnerability in the ssl_log function in ssl_engine_log.c in mod_ssl 2.8.19 for Apache 1.3.31 may allow remote attackers to execute arbitrary messages via format string specifiers in certain log messages for HTTPS.
Hmm, 'execute arbitrary messages via format string specifiers' you say?
Best regards
-Evgeny Demidov