Bug 171696 - CVE-2004-0488 mod_ssl flaws (CVE-2004-0885 CVE-2005-2700)
Product: Stronghold for Red Hat Linux
Classification: Retired
Component: stronghold-mod_ssl
All Linux
medium Severity medium
Assigned To: Joe Orton
Stronghold Engineering List
: Security
Reported: 2005-10-25 08:24 EDT by Mark J. Cox
Modified: 2007-04-18 13:33 EDT (History)
Fixed In Version: RHSA-2005-816
Doc Type: Bug Fix
Last Closed: 2005-11-02 04:21:21 EST
Description Mark J. Cox 2005-10-25 08:24:25 EDT
Multiple flaws in Stronghold 4.0 mod_ssl

A stack buffer overflow in mod_ssl. If FakeBasicAuth had been enabled, a
carefully crafted client certificate sent to mod_ssl can cause a stack
overflow. In order to exploit this issue, the malicious certificate would
have to be signed by a Certificate Authority which mod_ssl is configured to
trust. (CVE-2004-0488)

The mod_ssl module, when using the "SSLCipherSuite" directive in directory
or location context, allowed remote clients to bypass intended restrictions
by using any cipher suite that is allowed by the virtual host
configuration. (CVE-2004-0885)

A flaw in mod_ssl triggered if a virtual host was configured using
"SSLVerifyClient optional" and a directive "SSLVerifyClient required" is
set for a specific location. For servers configured in this fashion, an
attacker may be able to access resources that should otherwise be
protected. (CVE-2005-2700)
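
To check whether a server is running one of the three configurations the description names, the following added example (not part of the bug report and not Red Hat or Stronghold code) scans an httpd configuration and reports the affected directives by line. The names `audit` and `SAMPLE_CONF` are hypothetical and the sample configuration is constructed. It assumes FakeBasicAuth is enabled through `SSLOptions +FakeBasicAuth`, matches the directive value `require`, and, as a simplification, does not carry global settings into virtual hosts.

```python
import re

DIR_CONTEXTS = {"directory", "directorymatch", "location", "locationmatch"}

def audit(conf_text):
    """Return sorted (cve, line_no, directive) tuples for affected settings."""
    findings, depth = set(), 0                  # depth: open dir/location blocks
    scope = {"optional": False, "require": []}  # state of one server or vhost
    def close_scope():
        # CVE-2005-2700 needs both settings inside the same virtual host.
        if scope["optional"]:
            findings.update(("CVE-2005-2700", n, d) for n, d in scope["require"])
        scope.update(optional=False, require=[])
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)", line)
        if tag:
            closing, name = tag.group(1), tag.group(2).lower()
            if name == "virtualhost":
                close_scope()                   # a vhost boundary ends the scope
            elif name in DIR_CONTEXTS:
                depth += -1 if closing else 1
            continue
        directive, *args = line.lower().split()
        if directive == "ssloptions" and any(a.lstrip("+") == "fakebasicauth" for a in args):
            findings.add(("CVE-2004-0488", n, line))
        elif directive == "sslciphersuite" and depth > 0:
            findings.add(("CVE-2004-0885", n, line))
        elif directive == "sslverifyclient" and args:
            if depth > 0 and args[0].startswith("require"):
                scope["require"].append((n, line))
            elif depth == 0 and args[0] == "optional":
                scope["optional"] = True
    close_scope()
    return sorted(findings)

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLCipherSuite HIGH:MEDIUM
    SSLVerifyClient optional
    SSLOptions +FakeBasicAuth
    <Location /admin>
        SSLVerifyClient require
        SSLCipherSuite HIGH
    </Location>
</VirtualHost>
"""
```

A finding means the configuration matches a precondition from the description, so the host should be on the package version named in the erratum; it does not test whether the installed mod_ssl is patched.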
Comment 1 Red Hat Bugzilla 2005-11-02 04:21:22 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

