Notified: March 01, 2002 Updated: April 04, 2002
Affected
http://www.apache-ssl.org/advisory-20020301.txt
The vendor has not provided us with any further information regarding this vulnerability.
Versions of Apache-SSL prior to 1.3.22+1.47 are vulnerable.
Updated: April 02, 2002
Affected
See http://www.caldera.com/support/security/advisories/CSSA-2002-011.0.txt
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 02, 2002
Affected
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 TITLE: (SSRT0817, SSRT0821) Potential Security Vulnerabilities with Compaq Secure Web Server (PHP and apache/mod_ssl) Posted at http://ftp.support.compaq.com/patches/.new/security.shtml NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact. RELEASE DATE: March 2002 SOURCE: Compaq Computer Corporation Compaq Services Software Security Response Team PROBLEM SUMMARY: Compaq was recently notified of two potential vulnerabilities that impact Compaq's distributed Secure Web Server (CSWS) for OpenVMS and TRU64 UNIX. (SSRT0817) PHP PHP (Hypertext Preprocessor scripting language). PHP does not perform proper bounds checking on in functions related to Form-based File Uploads in HTML to decode MIME encoded files. This potential overflow vulnerability may allow arbitrary code to be executed. (SSRT0821) Apache/mod_ssl Apache/mod_ssl session cache management routines use an unchecked buffer that could potentially allow an overflow of a session cache buffer. Thispotential vulnerability may allow arbitrary code to be executed. VERSIONS IMPACTED: IMPACT: CSWS (SSRT0817) PHP (SSRT0821) Apache/mod_ssl OpenVMS V7.1-2 or later CSWS_PHP V1.0 CSWS V1.0-1, CSWS V1.1-1, CSWS V1.2 TRU64 UNIX V5.0A or later CSWS V5.5.2 CSWS V5.5.2 *NOTE:These reported potential vulnerabilities do not have an impact to the base operating system in the form of elevated permissions or privileges. NO IMPACT: Himalaya Web Products Compaq Management Software Web Products RESOLUTION: Compaq has corrected both problems and created patches that are now available for CSWS (Compaq Secure Web Server) for OpenVMS and TRU64 UNIX. CSWS for OpenVMS V7.1-2 or later: A Compaq Secure Web Server security update kit is available for download at: http://www.openvms.compaq.com/openvms/products/ips/apache/csws_patches .html (SSRT0817) PHP INSTALLED VERSION UPDATE KIT CSWS_PHP 1.0 CSWS_PHP10_UPDATE V1.0 NOTE: (SSRT0817) PHP - For OpenVMS - if upgrading is not possible or a patch cannot be applied immediately, the potential PHP overflow vulnerability may be minimized by adding the following line to MOD_PHP.CONF file: PHP_FLAG file_uploads OFF This will prevent using fileuploads, which may not be an acceptable short-term solution. (SSRT0821) Apache/mod_ssl Installed Version Update Kit CSWS V1.2 CSWS12_UPDATE V1.0 CSWS V1.1-1 CSWS111_UPDATE V1.0 CSWS V1.0-1 CSWS101_UPDATE V1.0 TRU64 UNIX for V5.0a or later: A Compaq Secure Web Server security update kit is available for download at: http://tru64unix.compaq.com/internet/download.htm#sws_v582 select and install the CSWS (Compaq Secure Web Server) kit V5.8.2 Installed Version Install Updated Server Kit CSWS V5.5.2 CSWS V5.8.2 After completing the update, Compaq strongly recommends that you perform an immediate backup of your system disk so that any subsequent restore operations begin with updated software. Otherwise, you must reapply the patch after a future restore operation. Also, if at some future time you upgrade your system to a later patch version, you may need to reapply the appropriate patch. SUPPORT: For further information, contact Compaq Global Services. SUBSCRIBE: To subscribe to automatically receive future Security Advisories from the Compaq's Software Security Response Team via electronic mail: http://www.support.compaq.com/patches/mailing-list.shtml REPORT: To report a potential security vulnerability with any Compaq supported product, send email mailto:security-ssrt@compaq.com Compaq appreciates your cooperation and patience. We regret any inconvenience applying this information may cause. As always, Compaq urges you to periodically review your system management and security procedures. Compaq will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems. "Compaq is broadly distributing this Security Advisory to notify all users of Compaq products of the important security information contained in this Advisory. Compaq recommends that all users determine the applicability of this information to their individual situations and take appropriate action. Compaq does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, Compaq will not be responsible for any damages resulting from user's use or disregard of the information provided in this Advisory." Copyright 2002 Compaq Information Technologies Group, L.P. Compaq shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is subject to change without notice. Compaq and the names of Compaq products referenced herein are, either, trademarks and/or service marks or registered trademarks and/or service marks of Compaq Information Technologies Group, L.P. Other product and company names mentioned herein may be trademarks and/or service marks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.1 iQA/AwUBPKYaXznTu2ckvbFuEQLbTQCfarAsi8kRC4LM8mftiUv84AWBHmYAn1Z7 qdlODoP4yGBrHmi2hIVqr0Ia =egdQ -----END PGP SIGNATURE-----
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: March 04, 2002
Affected
See, http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000464&ckval=en
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: March 01, 2002 Updated: March 11, 2002
Affected
See, http://www.debian.org/security/2002/dsa-120
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: March 01, 2002
Affected
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 | EnGarde Secure Linux Security Advisory March 01, 2002 |
| http://www.engardelinux.org/ ESA-20020301-005 | | Package: apache (mod_ssl) |
| Summary: mod_ssl's session caching mechanisms contain a potential |
| buffer overflow | EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools. OVERVIEW There is a buffer overflow in mod_ssl, part of EnGarde's apache package,
which an attacker may potentially trigger by sending a very long client
certificate. DETAIL mod_ssl is an apache module used to provide SSL functionality using the
OpenSSL toolkit. Ed Moyle has discovered a buffer overflow in
mod_ssl's session caching mechanisms using dbm and shared memory. We would like to stress that this vulnerability is in mod_ssl, not in
apache. We are issuing an apache update because we include mod_ssl as
part of our apache package. SOLUTION All users should upgrade to the most recent version as outlined in
this advisory. Guardian Digital recently made available the Guardian Digital Secure
Update, a means to proactively keep systems secure and manage
system software. EnGarde users can automatically update their system
using the Guardian Digital WebTool secure interface. If choosing to manually upgrade this package, updates can be
obtained from: ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/ Before upgrading the package, the machine must either: a) be booted into a "standard" kernel; or
b) have LIDS disabled. To disable LIDS, execute the command: # /sbin/lidsadm -S -- -LIDS_GLOBAL To install the updated package, execute the command: # rpm -Uvh
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: March 01, 2002 Updated: March 27, 2002
Affected
HP Support Information Digests o Security Bulletin Digest Split The security bulletins digest has been split into multiple digests based on the operating system (HP-UX, MPE/iX, and HP Secure OS Software for Linux). You will continue to receive all security bulletin digests unless you choose to update your subscriptions. To update your subscriptions, use your browser to access the IT Resource Center on the World Wide Web at: http://www.itresourcecenter.hp.com/ Under the Maintenance and Support Menu, click on the "more..." link. Then use the 'login' link at the left side of the screen to login using your IT Resource Center User ID and Password. Under the notifications section (near the bottom of the page), select Support Information Digests. To subscribe or unsubscribe to a specific security bulletin digest, select or unselect the checkbox beside it. Then click the "Update Subscriptions" button at the bottom of the page. o IT Resource Center World Wide Web Service If you subscribed through the IT Resource Center and would like to be REMOVED from this mailing list, access the IT Resource Center on the World Wide Web at: http://www.itresourcecenter.hp.com/ Login using your IT Resource Center User ID and Password. Then select Support Information Digests (located under Maintenance and Support). You may then unsubscribe from the appropriate digest. Digest Name: daily HP Secure OS Software for Linux security bulletins digest Created: Fri Mar 15 3:00:03 PST 2002 Table of Contents: Document ID Title HPSBTL0203-031 Security vulnerability in Apache prior to 1.3.23 The documents are listed below. Document ID: HPSBTL0203-031 Date Loaded: 20020314 Title: Security vulnerability in Apache prior to 1.3.23 TEXT HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #031 Originally issued: 14 March '02 The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from said customer's failure to fully implement instructions in this Security Bulletin as soon as possible. PROBLEM: Security vulnerability in Apache prior to 1.3.23 and mod_ssl prior to 2.8.7. This bulletin addresses the same issues as the Red Hat Advisory RHSA-2002-041. Please, be aware, that the mod_ssl package has been altered for HP Secure OS software for Linux. Please follow instructions provided below. PLATFORM: Any system running HP Secure OS software for Linux Release 1.0 DAMAGE: Use of the client certificates could yield unexpected results in Apache prior to 1.3.23 and mod_ssl prior to 2.8.7 SOLUTION: Apply the appropriate patch (see section B below). MANUAL ACTIONS: None AVAILABILITY: The patch is available now. A. Background HP Secure OS software for Linux Release 1.0 was released with the 1.3.19 version of Apache. Since then, Apache 1.3.23 has been released to correct a number of security related problems. B. Fixing the problem Apply patch HPTL_00012. The patch is available as follows: - Use your browser to access the HP IT Resource Center page at: http://itrc.hp.com Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login. Remember to save the User ID assigned to you, and your password. This login provides access to many useful areas of the ITRC. Under the "Maintenance and Support" section, select "Individual Patches". In the field at the bottom of the page labeled "retrieve a specific patch by entering the patch name", enter HPTL_00012. For instructions on installing the patch, please see the install text file included in the patch. C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following: Use your browser to access the HP IT Resource Center page at: http://itrc.hp.com Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login. Remember to save the User ID assigned to you, and your password. This login provides access to many useful areas of the ITRC. In the left most frame select "Maintenance and Support". Under the "Notifications" section (near the bottom of the page), select "Support Information Digests". To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page. or To -review- bulletins already released, select the link (in the middle column) for the appropriate digest. D. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server. You may also get the security-alert PGP key by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party. -----End of Document ID: HPSBTL0203-031--------------------------------------
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: March 01, 2002 Updated: March 08, 2002
Affected
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 Mandrake Linux Security Update Advisory Package name: mod_ssl
Advisory ID: MDKSA-2002:020
Date: March 7th, 2002
Affected versions: 7.1, 7.2, 8.0, 8.1, Corporate Server 1.0.1,
Single Network Firewall 7.2 Problem Description: Ed Moyle discovered a buffer overflow in mod_ssl's session caching
mechanisms that use shared memory and dbm. This could potentially be
triggered by sending a very long client certificate to the server. References: http://online.securityfocus.com/bid/4189 Updated Packages: Linux-Mandrake 7.1: 57b34a081cca5b85aae6c097d067316a 7.1/RPMS/mod_ssl-2.8.5-2.4mdk.i586.rpm
5189233df0f03cb8fe78675dc4b7b58b 7.1/SRPMS/mod_ssl-2.8.5-2.4mdk.src.rpm Linux-Mandrake 7.2: b1fd2e18a7d3b8d512e2bf858c040282 7.2/RPMS/mod_ssl-2.8.5-2.3mdk.i586.rpm
09c08fd15d6e826188f51a41a047b568 7.2/SRPMS/mod_ssl-2.8.5-2.3mdk.src.rpm Mandrake Linux 8.0: 25812a052c7e82db4015c80395d0a142 8.0/RPMS/mod_ssl-2.8.5-2.2mdk.i586.rpm
ae2ab6e8cd666f6171b682f69340e0df 8.0/SRPMS/mod_ssl-2.8.5-2.2mdk.src.rpm Mandrake Linux 8.0/ppc: 53b213329a866d92c4a70273cf0b591d ppc/8.0/RPMS/mod_ssl-2.8.5-2.2mdk.ppc.rpm
ae2ab6e8cd666f6171b682f69340e0df ppc/8.0/SRPMS/mod_ssl-2.8.5-2.2mdk.src.rpm Mandrake Linux 8.1: 020058f4fd26dc78480804caf5cd0044 8.1/RPMS/mod_ssl-2.8.5-2.1mdk.i586.rpm
8e9e7f26e64e15d4323e69cc9afad15e 8.1/SRPMS/mod_ssl-2.8.5-2.1mdk.src.rpm Mandrake Linux 8.1/ia64: 59974b39c67f4e2773416349c8207d54 ia64/8.1/RPMS/mod_ssl-2.8.5-2.1mdk.ia64.rpm
8e9e7f26e64e15d4323e69cc9afad15e ia64/8.1/SRPMS/mod_ssl-2.8.5-2.1mdk.src.rpm Corporate Server 1.0.1: 57b34a081cca5b85aae6c097d067316a 1.0.1/RPMS/mod_ssl-2.8.5-2.4mdk.i586.rpm
5189233df0f03cb8fe78675dc4b7b58b 1.0.1/SRPMS/mod_ssl-2.8.5-2.4mdk.src.rpm Single Network Firewall 7.2: 27f5f01c9f3ec9fda3af4661fa84c9f5 snf7.2/RPMS/mod_ssl-2.8.4-4.2mdk.i586.rpm
5421309dd07559693f07800528561612 snf7.2/SRPMS/mod_ssl-2.8.4-4.2mdk.src.rpm Bug IDs fixed (see https://qa.mandrakesoft.com for more information): To upgrade automatically, use MandrakeUpdate. The verification of md5
checksums and GPG signatures is performed automatically for you. If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of
FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command: rpm --checksig
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: March 01, 2002 Updated: March 04, 2002
Not Affected
We've checked in our implementation of ASN.1 in SSL and we are not affected by this issue.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: February 28, 2002 Updated: March 01, 2002
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Versions of mod_ssl prior to 2.8.7 for Apache 1.3.23 are vulnerable.
Notified: March 01, 2002 Updated: March 06, 2002
Affected
Red Hat Linux 7.0, 7.1, 7.2 as well as Red Hat Secure Web Server 3.2 contain a vulnerable version of mod_ssl. However to exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. Users who use client certificate authentication would be wise to upgrade or switch to the superior shared memory session cache, shmcb, which is not vulnerable to this issue. Updated mod_ssl packages will be available shortly at the following URL. Users of the Red Hat Network can use the 'up2date' tool to update their systems at the same time. http://www.redhat.com/support/errata/RHSA-2002-041.html Version 3.0 and earlier of Red Hat Stronghold contain a vulnerable version of mod_ssl. Red Hat Stronghold is set by default to use the shmcb session cache (also known as c2shm) which is not vulnerable to this issue. Updates to Stronghold will be available shortly.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: March 01, 2002
Affected
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 Trustix Secure Linux Security Advisory #2002-0034 Package name: apache
Summary: Security fix and version upgrade
Date: 2002-02-28
Affected versions: TSL 1.5 Problem description: The mod_ssl module in Apache utilizes OpenSSL for the SSL implementation. The version in the old apache package made use of the underlying OpenSSL
routines in a manner which could overflow a buffer within the implementation. This release (mod_ssl-2.8.7-1.3.23) fixes the problem. Action: We recommend that all systems with this package installed are upgraded. Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system. Location: All TSL updates are available from
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.