
CERT Coordination Center

mod_ssl and Apache_SSL modules contain a buffer overflow in the implementation of the OpenSSL "i2d_SSL_SESSION" routine

Vulnerability Note VU#234971

Original Release Date: 2002-03-01 | Last Revised: 2002-04-22

Overview

There is a remotely exploitable buffer overflow in two Apache modules that implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It can be used to execute arbitrary code.

Description

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols provide a secure connection between a client and a server for higher-level protocols such as HTTP. Apache_SSL and mod_ssl are two Apache modules that both call the OpenSSL routine i2d_SSL_SESSION() when storing an SSL/TLS session in the session cache. This routine converts the session data into a format that can be kept in the cache. The OpenSSL d2i_SSL_SESSION.pod documentation states that the routine should first be called to determine the size of the buffer needed to hold the session data, that a buffer of that size should then be allocated, and that the routine should finally be called a second time to perform the conversion into that buffer.

These two modules do not follow this procedure: they write the output of i2d_SSL_SESSION() into a statically sized buffer. Because the serialized session includes the peer certificate, a client that establishes an SSL session using a large, crafted client certificate signed by a CA the server trusts can make the encoded session exceed that buffer, and an attacker may thereby be able to execute arbitrary code. If the target server trusts multiple CAs, its exposure to receiving such a certificate increases.
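The calling convention described above, as an added example that is not code from this page, from mod_ssl, Apache_SSL or OpenSSL: a self-contained i2d_-style encoder for a cut-down, constructed session structure (a session id plus the client-controlled peer certificate), consumed in the two safe ways. One is the length-query-then-allocate sequence that d2i_SSL_SESSION.pod prescribes; the other is a fixed cache slot guarded by the length check the affected modules lacked. The session layout, the 1024-byte slot and the certificate sizes are assumptions for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an SSL_SESSION: a fixed-size session id and the
 * variable-length peer (client) certificate, whose size the client controls. */
typedef struct {
    unsigned char id[32];
    const unsigned char *peer_cert;
    size_t peer_cert_len;
} session_t;

/* Bytes DER needs for a length: short form below 128, else 0x80|n then n bytes. */
static size_t der_len_size(size_t n) {
    size_t bytes = 1;
    if (n < 128) return 1;
    for (size_t v = n; v != 0; v >>= 8) bytes++;
    return bytes;
}

static void der_put_len(unsigned char **pp, size_t n) {
    unsigned char *p = *pp;
    if (n < 128) {
        *p++ = (unsigned char)n;
    } else {
        size_t bytes = der_len_size(n) - 1;
        *p++ = (unsigned char)(0x80 | bytes);
        for (size_t i = bytes; i > 0; i--)
            *p++ = (unsigned char)(n >> (8 * (i - 1)));
    }
    *pp = p;
}

/* Size of one tag + length + content element. */
static size_t tlv_size(size_t content) { return 1 + der_len_size(content) + content; }

/* An i2d_ routine in OpenSSL's calling convention, encoding
 * SEQUENCE { OCTET STRING id, OCTET STRING peer_cert }. With pp == NULL it only
 * reports the encoded length; otherwise it writes at *pp and advances *pp. */
int i2d_session(const session_t *s, unsigned char **pp) {
    size_t inner = tlv_size(sizeof s->id) + tlv_size(s->peer_cert_len);
    size_t total = tlv_size(inner);
    unsigned char *p;
    if (total > INT_MAX) return -1;
    if (pp == NULL) return (int)total;
    p = *pp;
    *p++ = 0x30; der_put_len(&p, inner);
    *p++ = 0x04; der_put_len(&p, sizeof s->id);
    memcpy(p, s->id, sizeof s->id); p += sizeof s->id;
    *p++ = 0x04; der_put_len(&p, s->peer_cert_len);
    memcpy(p, s->peer_cert, s->peer_cert_len); p += s->peer_cert_len;
    *pp = p;
    return (int)total;
}

#define CACHE_SLOT_SIZE 1024 /* constructed: a fixed cache slot, as the modules used */

/* Fixed-slot caching with the check the affected modules lacked: query the length
 * first and refuse a session that would not fit. Returns bytes written, or -1. */
int encode_into_slot(const session_t *s, unsigned char *slot, size_t slot_len) {
    unsigned char *p = slot;
    int need = i2d_session(s, NULL);
    if (need < 0 || (size_t)need > slot_len) return -1;
    return i2d_session(s, &p);
}

/* The pattern d2i_SSL_SESSION.pod prescribes: query the length, allocate exactly
 * that much, then encode into it. The caller frees the result. */
unsigned char *encode_alloc(const session_t *s, int *out_len) {
    int need = i2d_session(s, NULL);
    unsigned char *buf, *p;
    if (need < 0 || (buf = malloc((size_t)need)) == NULL) return NULL;
    p = buf;
    if (i2d_session(s, &p) != need || p != buf + need) { free(buf); return NULL; }
    *out_len = need;
    return buf;
}

/* Runs one encoder over a session whose peer certificate is a constructed filler
 * blob of cert_len bytes. Returns the encoded length, or -1 when refused. */
static int run_with_cert_len(size_t cert_len, int use_slot) {
    unsigned char slot[CACHE_SLOT_SIZE], *cert = malloc(cert_len + 1), *buf;
    session_t s = { {0}, cert, cert_len };
    int result = -1;
    if (cert == NULL) return -1;
    memset(cert, 0xAA, cert_len);
    memset(s.id, 0x11, sizeof s.id);
    if (use_slot) result = encode_into_slot(&s, slot, sizeof slot);
    else if ((buf = encode_alloc(&s, &result)) != NULL) free(buf);
    free(cert);
    return result;
}
int slot_result(size_t cert_len)  { return run_with_cert_len(cert_len, 1); }
int alloc_result(size_t cert_len) { return run_with_cert_len(cert_len, 0); }

int main(void) {
    for (size_t n = 200; n <= 2000; n += 600) /* 200, 800, 1400, 2000-byte certs */
        printf("cert %4zu bytes: slot %5d, alloc %5d\n", n, slot_result(n), alloc_result(n));
    return 0;
}
```

With a 1024-byte slot, certificates of roughly 1000 bytes and above are refused by the guarded slot while the allocating path still encodes them at their full length.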

Client certificates are issued when a Certificate Signing Request (CSR) is submitted to a Certificate Authority (CA). The CA signs the CSR with its server certificate and returns the resulting certificate to the requester. Since some of the data in the CSR is entered by the person making the request, it is possible to submit a large crafted CSR for signature and have the CA sign it without suspicion.

For testing purposes, mod_ssl ships a static "snakeoil" CA server certificate. The documentation clearly states that this certificate must not be used in production environments, and gives steps for generating a server certificate for the CA dynamically. If, however, a site uses this static "snakeoil" server certificate as its own CA signing certificate, then it is trivial for an attacker to craft and sign a client certificate that the victim site accepts as signed by a trusted CA. The MD5 checksums of these static files from mod_ssl version 2.8.4 for Apache version 1.3.20 are as follows:


According to their timestamps, most of these test files appear not to have changed since 1998-1999.

Impact

An attacker may be able to execute arbitrary code on the system with the privileges of the process running the SSL module.

Solution

Upgrade to mod_ssl 2.8.7 or Apache_SSL 1.3.22+1.47, or apply the patch provided by your vendor.

Vendor Information


Apache-SSL

Notified:  March 01, 2002 Updated:  April 04, 2002

Status

  Vulnerable

Vendor Statement

http://www.apache-ssl.org/advisory-20020301.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Versions of Apache-SSL prior to 1.3.22+1.47 are vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Caldera

Updated:  April 02, 2002

Status

  Vulnerable

Vendor Statement

See http://www.caldera.com/support/security/advisories/CSSA-2002-011.0.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Compaq Computer Corporation

Updated:  April 02, 2002

Status

  Vulnerable

Vendor Statement


TITLE: (SSRT0817, SSRT0821) Potential Security Vulnerabilities
with Compaq Secure Web Server (PHP and apache/mod_ssl)

Posted at http://ftp.support.compaq.com/patches/.new/security.shtml

NOTICE: There are no restrictions for distribution of this Bulletin
provided that it remains complete and intact.

RELEASE DATE: March 2002

SOURCE:
Compaq Computer Corporation
Compaq Services
Software Security Response Team

X-REFERENCE: CVE Candidate - PHP (CAN-2002-0081), Apache/mod_ssl (CAN-2002-0082)

PROBLEM SUMMARY:

Compaq was recently notified of two potential vulnerabilities
that impact Compaq's distributed Secure Web Server (CSWS) for
OpenVMS and TRU64 UNIX.

(SSRT0817) PHP

PHP (Hypertext Preprocessor scripting language) does not perform proper
bounds checking in functions related to form-based file uploads in HTML
that decode MIME-encoded files. This potential overflow vulnerability
may allow arbitrary code to be executed.



(SSRT0821) Apache/mod_ssl

Apache/mod_ssl session cache management routines use an unchecked
buffer that could potentially allow an overflow of a session cache
buffer. This potential vulnerability may allow arbitrary code to be
executed.

VERSIONS IMPACTED:

IMPACT:

                            (SSRT0817) PHP     (SSRT0821) Apache/mod_ssl
CSWS for
OpenVMS V7.1-2 or later     CSWS_PHP V1.0      CSWS V1.0-1,
                                               CSWS V1.1-1,
                                               CSWS V1.2

TRU64 UNIX V5.0A or later   CSWS V5.5.2        CSWS V5.5.2


*NOTE: These reported potential vulnerabilities do not
have an impact on the base operating system in the form
of elevated permissions or privileges.


NO IMPACT:

Himalaya Web Products

Compaq Management Software Web Products


RESOLUTION:

Compaq has corrected both problems and created patches that are now
available for CSWS (Compaq Secure Web Server) for OpenVMS and TRU64
UNIX.

CSWS for OpenVMS V7.1-2 or later:

A Compaq Secure Web Server security update kit is available for
download at:
http://www.openvms.compaq.com/openvms/products/ips/apache/csws_patches.html

(SSRT0817) PHP

INSTALLED VERSION     UPDATE KIT

CSWS_PHP 1.0          CSWS_PHP10_UPDATE V1.0


NOTE: (SSRT0817) PHP - For OpenVMS - if upgrading is not
possible or a patch cannot be applied immediately, the
potential PHP overflow vulnerability may be minimized by
adding the following line to the MOD_PHP.CONF file:
PHP_FLAG file_uploads OFF
This will prevent using file uploads, which may not be
an acceptable short-term solution.

(SSRT0821) Apache/mod_ssl

Installed Version     Update Kit

CSWS V1.2             CSWS12_UPDATE V1.0
CSWS V1.1-1           CSWS111_UPDATE V1.0
CSWS V1.0-1           CSWS101_UPDATE V1.0




TRU64 UNIX for V5.0a or later:

A Compaq Secure Web Server security update kit is available for
download at:
http://tru64unix.compaq.com/internet/download.htm#sws_v582
select and install the CSWS (Compaq Secure Web Server) kit V5.8.2


Installed Version     Install Updated Server Kit

CSWS V5.5.2           CSWS V5.8.2


After completing the update, Compaq strongly recommends that you
perform an immediate backup of your system disk so that any
subsequent restore operations begin with updated software. Otherwise,
you must reapply the patch after a future restore operation. Also, if
at some future time you upgrade your system to a later patch version,
you may need to reapply the appropriate patch.


SUPPORT:

For further information, contact Compaq Global Services.


SUBSCRIBE:

To subscribe to automatically receive future Security Advisories from
the Compaq's Software Security Response Team via electronic mail:
http://www.support.compaq.com/patches/mailing-list.shtml

REPORT:

To report a potential security vulnerability with any Compaq
supported product, send email mailto:security-ssrt@compaq.com

Compaq appreciates your cooperation and patience. We regret
any inconvenience applying this information may cause. As always,
Compaq urges you to periodically review your system management and
security procedures. Compaq will continue to review and enhance the
security features of its products and work with customers to maintain
and improve the security and integrity of their systems.

"Compaq is broadly distributing this Security Advisory to notify all
users of Compaq products of the important security information
contained in this Advisory. Compaq recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. Compaq does not warrant that
this information is necessarily accurate or complete for all user
situations and, consequently, Compaq will not be responsible for any
damages resulting from user's use or disregard of the information
provided in this Advisory."

Copyright 2002 Compaq Information Technologies Group, L.P. Compaq
shall not be liable for technical or editorial errors or omissions
contained herein. The information in this document is subject to
change without notice. Compaq and the names of Compaq products
referenced herein are, either, trademarks and/or service marks or
registered trademarks and/or service marks of Compaq Information
Technologies Group, L.P. Other product and company names mentioned
herein may be trademarks and/or service marks of their respective
owners.


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Conectiva

Updated:  March 04, 2002

Status

  Vulnerable

Vendor Statement

See http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464&ckval=en

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Debian

Notified:  March 01, 2002 Updated:  March 11, 2002

Status

  Vulnerable

Vendor Statement

See http://www.debian.org/security/2002/dsa-120

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Engarde

Updated:  March 01, 2002

Status

  Vulnerable

Vendor Statement


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                  March 01, 2002 |
| http://www.engardelinux.org/                          ESA-20020301-005 |
|                                                                        |
| Package: apache (mod_ssl)                                              |
| Summary: mod_ssl's session caching mechanisms contain a potential      |
|          buffer overflow                                               |
+------------------------------------------------------------------------+

EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.


OVERVIEW
--------
There is a buffer overflow in mod_ssl, part of EnGarde's apache package,
which an attacker may potentially trigger by sending a very long client
certificate.


DETAIL
------
mod_ssl is an apache module used to provide SSL functionality using the
OpenSSL toolkit. Ed Moyle has discovered a buffer overflow in
mod_ssl's session caching mechanisms using dbm and shared memory.

We would like to stress that this vulnerability is in mod_ssl, not in
apache. We are issuing an apache update because we include mod_ssl as
part of our apache package.


SOLUTION
--------
All users should upgrade to the most recent version as outlined in
this advisory.

Guardian Digital recently made available the Guardian Digital Secure
Update, a means to proactively keep systems secure and manage
system software. EnGarde users can automatically update their system
using the Guardian Digital WebTool secure interface.

If choosing to manually upgrade this package, updates can be
obtained from:

ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/

Before upgrading the package, the machine must either:

a) be booted into a "standard" kernel; or
b) have LIDS disabled.

To disable LIDS, execute the command:

# /sbin/lidsadm -S -- -LIDS_GLOBAL

To install the updated package, execute the command:

# rpm -Uvh <filename>

You must now update the LIDS configuration by executing the command:

# /usr/sbin/config_lids.pl

To re-enable LIDS (if it was disabled), execute the command:

# /sbin/lidsadm -S -- +LIDS_GLOBAL

To verify the signatures of the updated packages, execute the command:

# rpm -Kv <filename>


UPDATED PACKAGES
----------------
These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

Source Packages:

SRPMS/apache-1.3.23-1.0.27.src.rpm
MD5 Sum: 412c8ed8f0151dc023372b70aac0475c

Binary Packages:

i386/apache-1.3.23-1.0.27.i386.rpm
MD5 Sum: 66b23a6224b1916983c4350e95c35fd6

i686/apache-1.3.23-1.0.27.i686.rpm
MD5 Sum: 4dc0650fb82a15aa00927cabcb02b230


REFERENCES
----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

Credit for the discovery of this bug goes to:
Ed Moyle <emoyle@scsnet.csc.com>

mod_ssl's Official Web Site:
http://www.modssl.org/

Security Contact: security@guardiandigital.com
EnGarde Advisories:
http://www.engardelinux.org/advisories.html

--------------------------------------------------------------------------
$Id: ESA-20020301-005-apache,v 1.3 2002/03/01 05:24:50 rwm Exp $
--------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com>
Copyright 2002, Guardian Digital, Inc.


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Hewlett Packard

Notified:  March 01, 2002 Updated:  March 27, 2002

Status

  Vulnerable

Vendor Statement

HP Support Information Digests

===============================================================================
o Security Bulletin Digest Split
------------------------------

The security bulletins digest has been split into multiple digests
based on the operating system (HP-UX, MPE/iX, and HP Secure OS
Software for Linux). You will continue to receive all security
bulletin digests unless you choose to update your subscriptions.

To update your subscriptions, use your browser to access the
IT Resource Center on the World Wide Web at:

http://www.itresourcecenter.hp.com/

Under the Maintenance and Support Menu, click on the "more..." link.
Then use the 'login' link at the left side of the screen to login
using your IT Resource Center User ID and Password.

Under the notifications section (near the bottom of the page), select
Support Information Digests.

To subscribe or unsubscribe to a specific security bulletin digest,
select or unselect the checkbox beside it. Then click the
"Update Subscriptions" button at the bottom of the page.

o IT Resource Center World Wide Web Service
---------------------------------------------------

If you subscribed through the IT Resource Center and would
like to be REMOVED from this mailing list, access the
IT Resource Center on the World Wide Web at:

http://www.itresourcecenter.hp.com/

Login using your IT Resource Center User ID and Password.
Then select Support Information Digests (located under
Maintenance and Support). You may then unsubscribe from the
appropriate digest.
===============================================================================


Digest Name: daily HP Secure OS Software for Linux security bulletins digest
Created: Fri Mar 15 3:00:03 PST 2002

Table of Contents:

Document ID Title
--------------- -----------
HPSBTL0203-031 Security vulnerability in Apache prior to 1.3.23

The documents are listed below.
-------------------------------------------------------------------------------


Document ID: HPSBTL0203-031
Date Loaded: 20020314
Title: Security vulnerability in Apache prior to 1.3.23

TEXT

---------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #031
Originally issued: 14 March '02
---------------------------------------------------------------

The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from said customer's
failure to fully implement instructions in this Security Bulletin as
soon as possible.

---------------------------------------------------------------
PROBLEM: Security vulnerability in Apache prior to 1.3.23 and mod_ssl
prior to 2.8.7. This bulletin addresses the same issues as the
Red Hat Advisory RHSA-2002-041. Please be aware that the
mod_ssl package has been altered for HP Secure OS software
for Linux. Please follow the instructions provided below.

PLATFORM: Any system running HP Secure OS software for Linux Release 1.0

DAMAGE: Use of the client certificates could yield unexpected results
in Apache prior to 1.3.23 and mod_ssl prior to 2.8.7

SOLUTION: Apply the appropriate patch (see section B below).

MANUAL ACTIONS: None

AVAILABILITY: The patch is available now.
---------------------------------------------------------------
A. Background
HP Secure OS software for Linux Release 1.0 was released
with the 1.3.19 version of Apache. Since then, Apache 1.3.23
has been released to correct a number of security related problems.

B. Fixing the problem
Apply patch HPTL_00012.

The patch is available as follows: -

Use your browser to access the HP IT Resource Center page
at:

http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login. Remember to save the
User ID assigned to you, and your password. This login provides
access to many useful areas of the ITRC.

Under the "Maintenance and Support" section, select "Individual Patches".

In the field at the bottom of the page labeled "retrieve a specific patch
by entering the patch name", enter HPTL_00012.

For instructions on installing the patch, please see the install text file
included in the patch.

C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:

Use your browser to access the HP IT Resource Center page at:

http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login. Remember to
save the User ID assigned to you, and your password. This
login provides access to many useful areas of the ITRC.

In the left most frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.

or

To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.

D. To report new security vulnerabilities, send email to

security-alert@hp.com

Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server. You may also get the security-alert PGP key by
sending a message with a -subject- (not body) of
'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this
Bulletin to Hewlett-Packard (HP) customers (or the Internet
community) for the purpose of alerting them to problems,
if and only if, the Bulletin is not edited or changed in
any way, is attributed to HP, and provided such reproduction
and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not
liable for any misuse of this information by any third party.
---------------------------------------------------------------
-----End of Document ID: HPSBTL0203-031--------------------------------------

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft

Notified:  March 01, 2002 Updated:  March 08, 2002

Status

  Vulnerable

Vendor Statement


________________________________________________________________________

Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name: mod_ssl
Advisory ID: MDKSA-2002:020
Date: March 7th, 2002
Affected versions: 7.1, 7.2, 8.0, 8.1, Corporate Server 1.0.1,
Single Network Firewall 7.2
________________________________________________________________________

Problem Description:

Ed Moyle discovered a buffer overflow in mod_ssl's session caching
mechanisms that use shared memory and dbm. This could potentially be
triggered by sending a very long client certificate to the server.
________________________________________________________________________

References:

http://online.securityfocus.com/bid/4189
________________________________________________________________________

Updated Packages:

________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

________________________________________________________________________

To upgrade automatically, use MandrakeUpdate. The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of
FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command:

rpm --checksig <filename>

All packages are signed by MandrakeSoft for security. You can obtain
the GPG public key of the Mandrake Linux Security Team from:

https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security@linux-mandrake.com
________________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security@linux-mandrake.com>



Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Mod_ssl

Notified:  February 28, 2002 Updated:  March 01, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Versions of mod_ssl prior to 2.8.7 for Apache 1.3.23 are vulnerable.


Red Hat

Notified:  March 01, 2002 Updated:  March 06, 2002

Status

  Vulnerable

Vendor Statement

Red Hat Linux 7.0, 7.1, 7.2 as well as Red Hat Secure Web Server 3.2 contain a vulnerable version of mod_ssl. However, to exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. Users who use client certificate authentication would be wise to upgrade or switch to the superior shared memory session cache, shmcb, which is not vulnerable to this issue. Updated mod_ssl packages will be available shortly at the following URL. Users of the Red Hat Network can use the 'up2date' tool to update their systems at the same time.

http://www.redhat.com/support/errata/RHSA-2002-041.html

Version 3.0 and earlier of Red Hat Stronghold contain a vulnerable version of mod_ssl. Red Hat Stronghold is set by default to use the shmcb session cache (also known as c2shm) which is not vulnerable to this issue. Updates to Stronghold will be available shortly.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Trustix

Updated:  March 01, 2002

Status

  Vulnerable

Vendor Statement


--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0034

Package name: apache
Summary: Security fix and version upgrade
Date: 2002-02-28
Affected versions: TSL 1.5

--------------------------------------------------------------------------

Problem description:
The mod_ssl module in Apache utilizes OpenSSL for the SSL implementation.
The version in the old apache package made use of the underlying OpenSSL
routines in a manner which could overflow a buffer within the implementation.
This release (mod_ssl-2.8.7-1.3.23) fixes the problem.

Action:
We recommend that all systems with this package installed are upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.


Location:
All TSL updates are available from
<URI:http://www.trustix.net/pub/Trustix/updates/>
<URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.

Get SWUP from:
<URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Public testing:
These packages have been available for public testing for some time.
If you want to contribute by testing the various packages in the
testing tree, please feel free to share your findings on the
tsl-discuss mailinglist.
The testing tree is located at
<URI:http://www.trustix.net/pub/Trustix/testing/>
<URI:ftp://ftp.trustix.net/pub/Trustix/testing/>


Questions?
Check out our mailing lists:
<URI:http://www.trustix.net/support/>


Verification:
This advisory along with all TSL packages are signed with the TSL sign key.
This key is available from:
<URI:http://www.trustix.net/TSL-GPG-KEY>

The advisory itself is available from the errata pages at
<URI:http://www.trustix.net/errata/trustix-1.5/>
or directly at
<URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0034-apache.asc.txt>


MD5sums of the packages:
--------------------------------------------------------------------------
c75115bb82f788f2d673e13faf66254b ./1.5/SRPMS/apache-1.3.23-1tr.src.rpm
7ea8c94b43b43cdbc2a9b31be96e40b5 ./1.5/RPMS/apache-devel-1.3.23-1tr.i586.rpm
eea37ac2ee6c2611d9434977fa389475 ./1.5/RPMS/apache-1.3.23-1tr.i586.rpm
--------------------------------------------------------------------------


Trustix Security Team


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Microsoft

Notified:  March 01, 2002 Updated:  March 04, 2002

Status

  Not Vulnerable

Vendor Statement

We've checked in our implementation of ASN.1 in SSL and we are not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

References

Credit

Ed Moyle discovered and analyzed this vulnerability.

This document was written by Jason Rafail with assistance from Roman Danyliw, Sean Levy, and Jeff Havrilla.

Other Information

CVE IDs: CVE-2002-0082
Severity Metric: 15.50
Date Public: 2002-02-27
Date First Published: 2002-03-01
Date Last Updated: 2002-04-22 20:44 UTC
Document Revision: 26

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.