Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-200509-12
HistorySep 19, 2005 - 12:00 a.m.

Apache, mod_ssl: Multiple vulnerabilities

2005-09-1900:00:00
Gentoo Foundation
security.gentoo.org
12

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.023 Low

EPSS

Percentile

89.6%

JSON

Background

The Apache HTTP server is one of the most popular web servers on the Internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 and is also included in Apache 2.

Description

mod_ssl contains a security issue when “SSLVerifyClient optional” is configured in the global virtual host configuration (CAN-2005-2700). Also, Apache’s httpd includes a PCRE library, which makes it vulnerable to an integer overflow (CAN-2005-2491).

Impact

Under a specific configuration, mod_ssl does not properly enforce the client-based certificate authentication directive, “SSLVerifyClient require”, in a per-location context, which could be potentially used by a remote attacker to bypass some restrictions. By creating a specially crafted “.htaccess” file, a local attacker could possibly exploit Apache’s vulnerability, which would result in a local privilege escalation.

Workaround

There is no known workaround at this time.

Resolution

All mod_ssl users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-www/mod_ssl-2.8.24"

All Apache 2 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-servers/apache-2.0.54-r15"
OSVersionArchitecturePackageVersionFilename
Gentooanyallnet-www/mod_ssl< 2.8.24UNKNOWN
Gentooanyallwww-servers/apache< 2.0.54-r15UNKNOWN

Related

openvas 63
nessus 49
suse 5
debiancve 2
httpd 2
redhat 5
f5 4
ubuntucve 2
cve 2
debian 12
cert 1
centos 7
slackware 5
osv 6
securityvulns 9
ubuntu 4
gentoo 4
freebsd 1
oraclelinux 1
openvas
openvas
Gentoo Security Advisory GLSA 200509-12 (Apache)
2008-09-24 00:00:00
Gentoo Security Advisory GLSA 200509-12 (Apache)
2008-09-24 00:00:00
SLES9: Security update for Apache2
2009-10-10 00:00:00
nessus
nessus
GLSA-200509-12 : Apache, mod_ssl: Multiple vulnerabilities
2005-10-05 00:00:00
Debian DSA-807-1 : libapache-mod-ssl - acl restriction bypass
2005-09-13 00:00:00
Slackware 10.0 / 10.1 / 8.1 / 9.0 / 9.1 / current : mod_ssl (SSA:2005-251-02)
2005-10-05 00:00:00
suse
suse
local command execution, authentication bypass, in apache2
2005-09-16 12:34:21
local command execution, authentication bypass, in apache2
2005-09-12 13:00:50
remote code execution in pcre
2005-08-30 13:56:51
debiancve
debiancve
CVE-2005-2700
2005-09-06 23:03:00
CVE-2005-2491
2005-08-23 04:00:00
httpd
httpd
Apache Httpd < 2.0.55 : SSLVerifyClient bypass
2005-08-30 00:00:00
Apache Httpd < 2.0.55 : PCRE overflow
2005-10-14 00:00:00
redhat
redhat
(RHSA-2005:773) mod_ssl security update
2005-09-15 00:00:00
(RHSA-2006:0197) python security update
2006-03-09 00:00:00
(RHSA-2005:761) pcre security update
2005-09-08 00:00:00
f5
f5
K5278 : Apache mod_ssl SSLVerifyClient bypass - CAN-2005-2700
2013-03-28 00:00:00
SOL5857 - Client certificate check vulnerability in Apache - CVE-2005-2700
2007-05-16 00:00:00
K5857 : Client certificate check vulnerability in Apache - CVE-2005-2700
2013-03-28 00:00:00
ubuntucve
ubuntucve
CVE-2005-2700
2005-09-06 00:00:00
CVE-2005-2491
2005-08-23 00:00:00
cve
cve
CVE-2005-2700
2005-09-06 23:03:00
CVE-2005-2491
2005-08-23 04:00:00
debian
debian
[SECURITY] [DSA 807-1] New mod_ssl packages fix acl restriction bypass
2005-09-12 14:21:07
[SECURITY] [DSA 819-1] New python2.1 packages fix arbitrary code execution
2005-09-23 09:29:05
[SECURITY] [DSA 800-1] New pcre3 packages fix arbitrary code execution
2005-09-02 13:02:15
cert
cert
mod_ssl fails to properly enforce client certificates authentication
2005-09-09 00:00:00
centos
centos
mod_ssl security update
2005-09-16 00:34:35
pcre security update
2005-09-08 23:08:40
pcre security update
2005-09-08 18:08:23
slackware
slackware
mod_ssl
2005-09-08 15:54:45
PCRE library
2005-08-30 15:53:53
PHP
2005-08-30 15:54:11
osv
osv
libapache-mod-ssl - acl restriction bypass
2005-09-12 00:00:00
python2.2 - integer overflow
2005-09-22 00:00:00
python2.3 - integer overflow
2005-09-28 00:00:00
securityvulns
securityvulns
mod_ssl &quot;SSLVerifyClient&quot; Security Bypass Security Issue
2005-09-05 00:00:00
Apache PCRE Integer Overflow Vulnerability
2005-09-05 00:00:00
MDKSA-2005:153 - Updated gnumeric packages fix integer overflow vulnerability
2005-08-28 00:00:00
ubuntu
ubuntu
PCRE vulnerability
2005-08-25 00:00:00
PCRE vulnerability
2005-08-24 00:00:00
PCRE vulnerabilities
2005-08-31 00:00:00
gentoo
gentoo
Gnumeric: Heap overflow in the included PCRE library
2005-09-03 00:00:00
libpcre: Heap integer overflow
2005-08-25 00:00:00
Python: Heap overflow in the included PCRE library
2005-09-12 00:00:00
freebsd
freebsd
pcre -- regular expression buffer overflow
2005-08-01 00:00:00
oraclelinux
oraclelinux
python security update
2006-11-30 00:00:00

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.023 Low

EPSS

Percentile

89.6%

JSON
Related for GLSA-200509-12
openvas63nessus49suse5debiancve2httpd2redhat5f54ubuntucve2cve2debian12cert1centos7slackware5osv6securityvulns9ubuntu4gentoo4freebsd1oraclelinux1