MidnightBSD

Advisories for apache-ssl

CVE-2002-0082 HIGH

The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and Apache-SSL before 1.3.22+1.46, does not properly initialize memory using the i2d_SSL_SESSION function, which allows remote attackers to use a buffer overflow to execute arbitrary code via a large client certificate that is signed by a trusted Certificate Authority (CA), which produces a large serialized session.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
apache-ssl apache-ssl 1.45
apache-ssl apache-ssl 1.42
mod_ssl mod_ssl 2.8.1
mod_ssl mod_ssl 2.8.2
apache-ssl apache-ssl 1.41
mod_ssl mod_ssl 2.8
apache-ssl apache-ssl 1.40
mod_ssl mod_ssl 2.8.6
apache-ssl apache-ssl 1.44
apache-ssl apache-ssl 1.46
mod_ssl mod_ssl 2.8.4
mod_ssl mod_ssl 2.8.5
mod_ssl mod_ssl 2.7.1
mod_ssl mod_ssl 2.8.3
CVE-2004-0009 HIGH

Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth enabled, allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
apache-ssl apache-ssl *