Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 128170 - CAN-2004-0700 mod_ssl format string vulnerability
CAN-2004-0700 mod_ssl format string vulnerability
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: mod_ssl (Show other bugs)
2.1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
Brian Brock
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-07-19 12:05 EDT by Josh Bressers
Modified: 2007-11-30 17:06 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-09-07 11:37:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:408 normal SHIPPED_LIVE Important: mod_ssl security update 2004-09-07 00:00:00 EDT

  None (edit)
Description Josh Bressers 2004-07-19 12:05:00 EDT 
Triggered by a report to Packet Storm [1] from Virulent, a format
  string vulnerability was found in mod_ssl [2], the Apache SSL/TLS
  interface to OpenSSL, version (up to and including) 2.8.18 for Apache
  1.3. The mod_ssl in Apache 2.x is not affected. The vulnerability
  could be exploitable if Apache is used as a proxy for HTTPS URLs and
  the attacker established a own specially prepared DNS and origin
  server environment.

More information here:
http://packetstormsecurity.org/filedesc/modsslFormat.txt.html

We're still investigating if this is actually an issue.
Comment 1 Mark J. Cox 2004-07-27 15:39:30 EDT 
An errata is in progress for this issue, but it a low risk.  From the
upcoming advisory text:

"A format string issue was discovered in mod_ssl for Apache 1.3 which
can be triggered if mod_ssl is configured to allow a client to proxy
to remote SSL sites. If mod_ssl is forced to connect to a remote SSL
server using a carefully crafted hostname, an attacker may be able to
crash an Apache child process. This issue is not known to allow
arbitrary execution of code."
Comment 5 Josh Bressers 2004-09-07 11:37:30 EDT 
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-408.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.