Bug 152753

Summary: CAN-2004-0700-mod_ssl Format String Vulnerability
Product: [Retired] Fedora Legacy Reporter: Marc Deslauriers <marc.deslauriers>
Component: Package requestAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: botsch, cra, michal
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0700
Whiteboard: LEGACY, rh73
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Lawrence 2005-03-30 23:26:15 UTC 
A vulnerability has been reported in mod_ssl, which currently has an unknown
impact but may allow malicious people to compromise a vulnerable system.

The vulnerability is reportedly caused due to a "ssl_log()" related format
string error within the "mod_proxy" hook functions.

More info:
http://secunia.com/advisories/12077/
http://marc.theaimsgroup.com/?l=secunia-sec-adv&m=108997892819062&w=2
http://marc.theaimsgroup.com/?l=apache-modssl&m=109001100906749&w=2
http://www.packetstormsecurity.com/0407-advisories/modsslFormat.txt



------- Additional Comments From marcdeslauriers 2004-07-21 10:06:44 ----

More info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0700
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=128170
http://www.securitytracker.com/alerts/2004/Jul/1010717.html
http://www.kb.cert.org/vuls/id/303448
http://www.modssl.org/news/




------- Additional Comments From marcdeslauriers 2004-07-21 10:11:37 ----

Only for Apache 1.x so only applies to rh73.



------- Additional Comments From dom 2004-07-23 03:44:31 ----

Packages (based on the ones from bug 1708) for QA:

http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/mod_ssl-2.8.12-5.legacy.src.rpm
http://www-astro.physics.ox.ac.uk/~dom/legacy/i386/mod_ssl-2.8.12-5.legacy.i386.rpm



------- Additional Comments From michal 2004-07-23 06:47:02 ----

Works for me just fine.  For other distros from RH 7.x series
'rpmbuild --rebuild mod_ssl-2.8.12-5.legacy.src.rpm' may be needed due to
different library versions but chugs along as well.



------- Additional Comments From dwb7.edu 2004-08-12 11:07:42 ----

Could you postup sha1sumbs of your mod_ssl packages?

Thanks!



------- Additional Comments From dom 2004-08-12 13:20:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

7265c3757c75a8a9d8600f52dc80b6079cdb0ebc  SRPMS/mod_ssl-2.8.12-5.legacy.src.rpm
0205cfcf031a7fabd6adb4f35db2d0c2fb4d45ee  i386/mod_ssl-2.8.12-5.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBG/rZYzuFKFF44qURAqWBAKDI7EgxulZ4gR6LMY1ZKZhSVzPjqgCg07eU
vN2UPYvb5L4U3qt8I1MNDTE=
=yQeg
-----END PGP SIGNATURE-----



------- Additional Comments From dwb7.edu 2004-08-13 05:25:07 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Using:

7265c3757c75a8a9d8600f52dc80b6079cdb0ebc *mod_ssl-2.8.12-5.legacy.src.rpm

Builds ok
Installs ok
mod_ssl seems to function normally (though, we don't use any proxy stuff, here)

PUBLISH

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBHN1ASY7s7uPf/IURAgjlAJ4mBI2PvIBRZCYaJnyyae6XZnBDvwCfRtDd
8NAsA/3GUgi5rD1HJfVVCgc=
=i/1h
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-09-13 14:43:41 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the 7.3 package in comment 3:

7265c3757c75a8a9d8600f52dc80b6079cdb0ebc  SRPMS/mod_ssl-2.8.12-5.legacy.src.rpm

- - Sources match previous version
- - Patches look OK, sec patch matches upstream
- - Spec file looks good
- - Builds and installs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBRj7VLMAs/0C4zNoRAoaXAKCji3VdY96QDeJpx61mtwnq4Z3zfwCfRMzC
ToUOLG+ywcf1X+dkI/RgYxU=
=TblZ
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-09-17 12:16:35 ----

Created an attachment (id=851)
Advisory draft text

Here is text for the advisory.

This covers both mod_ssl packages from bug 1888 and apache packages from bug
1737.




------- Additional Comments From dom 2004-09-29 01:10:42 ----

Personally I would rather have the advisories separate. They are different
source packages and different issues, I don't see the reason behind having them
bundled together.



------- Additional Comments From marcdeslauriers 2004-09-29 13:41:00 ----

Created an attachment (id=864)
Draft advisory for mod_all only

OK, fair enough. Here is an advisory draft that only includes mod_ssl



------- Additional Comments From marcdeslauriers 2004-09-29 15:30:23 ----

pushed to updates-testing



------- Additional Comments From cra 2004-10-02 16:51:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA/Verify rh73 packages:

211714e3a8faab1152e76471f1085f3d8ef30400  mod_ssl-2.8.12-6.legacy.i386.rpm
027bf3500924d4bb58bd8bb0ed452420a0e134bc  mod_ssl-2.8.12-6.legacy.src.rpm

- - good sigs from 1024D/731002FA 2004-01-19 Fedora Legacy
(http://www.fedoralegacy.org) <secnotice>
- - good sha1sums
- - verified that these patches apply, as mentioned in changelog:

        Patch5: mod_ssl-2.8-can-2004-0488.patch
        Patch6: mod_ssl-can-2004-0700.patch
        Patch7: mod_ssl-shmcb.patch

- - rpm-build-compare.sh shows no unintended changes between these pkgs and
2.8.12-3.
- - installs ok
- - tested with bz #1737 apache-1.3.27-5.legacy test update
- - works ok (http test page, https test page, virtual hosts for a few domains)

++VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBX2eew2eg+Um7WIYRAtUrAJ9UCsaO2pcALeiUMDwzKD/N0AYalgCghMA8
eo7YJHNQ+zGUvd2r6cGzOcs=
=Nuli
-----END PGP SIGNATURE-----




------- Additional Comments From mgerber 2004-10-11 18:58:16 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - sha1sum is ok.

  027bf3500924d4bb58bd8bb0ed452420a0e134bc  mod_ssl-2.8.12-6.legacy.src.rpm

- - GPG sig is ok.

  mod_ssl-2.8.12-6.legacy.src.rpm: md5 gpg OK

- - Old tarball and patches are unmodified (compared to 2.8.12-3).

- - Patches verified (output by rpm-build-compare reviewed):

  +Patch5: mod_ssl-2.8-can-2004-0488.patch
  +Patch6: mod_ssl-can-2004-0700.patch
  +Patch7: mod_ssl-shmcb.patch

- - Builds fine.

- - RPM works fine in my environment.

++VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBa2Kuvsz686DVvkARApB2AKCBQVjO7Ml3/fN2/2IlXHzD2UMADQCdH2sF
J5Bpy90xWQOd3XrCim5OjI8=
=D50F
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-13 12:53:35 ----

Pushed to official updates



------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 1888 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1888
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Advisory draft text
https://bugzilla.fedora.us/attachment.cgi?action=view&id=851
Draft advisory for mod_all only
https://bugzilla.fedora.us/attachment.cgi?action=view&id=864

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.