Hello,
I have asked this question previously on both the FreeBSD mailing list and the mod_ssl mailing list, but didn't receive a response. I am currently running the Apache 2.2.8 port on the FreeBSD 6.3 platform with mod_ssl enabled. I received the following vulnerability scan results from my organization:

Vulnerability: mod_ssl Off-By-One HTAccess Buffer Overflow Vulnerability
Risk Level:
Signature Group: Safe
Description: The remote host is using a version of mod_ssl which is older than 2.8.10. This version is vulnerable to an off-by-one buffer overflow, which may allow a user with write access to .htaccess files to execute arbitrary code on the system with permissions of the web server.
Resolution: Fixes have been made available by the affected vendor. We recommend upgrading mod_ssl to a more recent version that contains fixes addressing this issue.
BugTraq: 5084
CVE: CVE-2002-0653
CVSS: 4.9

I referenced CVE-2002-0653, noting that it is from 2002, and noticed that there is no mention of this vulnerability affecting any version of Apache paired with mod_ssl in the 2.x branches. I also can't find a version 2.8.10 or greater for Apache 2.2.8. I did find a site that mentioned certain distributions patched the Apache software so that this vulnerability is no longer a concern.

Could anyone give me some insight on this issue? Is there a document I overlooked that outlines remedial procedures, an updated SSL module, or has the software been patched to negate the vulnerability?

I greatly appreciate any assistance on this matter,

Mark
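Added example, not part of Mark's post and not code from any scanner vendor or from the mod_ssl project: a small Python check that shows why a version-only rule of the form "mod_ssl older than 2.8.10" can misfire on Apache 2.x. It parses a Server banner, applies the naive numeric comparison, and beside it applies the same rule only to the standalone mod_ssl 2.8.x line (the add-on for Apache 1.3 that CVE-2002-0653 describes), reporting the bundled mod_ssl of httpd 2.x as "not_applicable" rather than as fixed or vulnerable. The banner strings are constructed, the banner layout "mod_ssl/<httpd version>" for httpd 2.x is an assumption, and whether the scanner in question really does a plain numeric compare is also an assumption; the point is to show what to check, not to claim how that product works.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample banners (not real scan output or real hosts).
BANNERS = {
    # httpd 2.x: mod_ssl is part of the server and, by assumption here,
    # reports the httpd version in the banner.
    "freebsd_httpd22": "Apache/2.2.8 (FreeBSD) mod_ssl/2.2.8 OpenSSL/0.9.8e DAV/2",
    # Apache 1.3 with the standalone mod_ssl add-on, pre-fix release.
    "old_standalone": "Apache/1.3.26 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.6d",
    # Apache 1.3 with the standalone mod_ssl add-on, fixed release.
    "fixed_standalone": "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d",
    # No mod_ssl token at all.
    "no_ssl": "Apache/2.2.8 (FreeBSD)",
}

# The scan result says the fix is in standalone mod_ssl 2.8.10.
FIXED_IN: Version = (2, 8, 10)


def parse_versions(banner: str) -> Dict[str, Version]:
    """Map each 'Name/x.y.z' token in a Server banner to an int tuple.

    Trailing letters such as the 'e' in OpenSSL/0.9.8e are ignored.
    """
    found: Dict[str, Version] = {}
    for name, ver in re.findall(r"([A-Za-z_]+)/(\d+(?:\.\d+)*)", banner):
        found[name] = tuple(int(part) for part in ver.split("."))
    return found


def naive_verdict(banner: str) -> Optional[bool]:
    """What a version-only rule does: True if mod_ssl < 2.8.10.

    httpd 2.2.8 reports mod_ssl/2.2.8, and (2, 2, 8) < (2, 8, 10),
    so this flags the host exactly as the scan in the post did.
    """
    versions = parse_versions(banner)
    if "mod_ssl" not in versions:
        return None
    return versions["mod_ssl"] < FIXED_IN


def informed_verdict(banner: str) -> str:
    """Apply the 2.8.10 rule only where it can apply.

    Returns one of: "no_mod_ssl", "not_applicable", "vulnerable", "fixed".
    "not_applicable" means the mod_ssl token carries the httpd 2.x
    version (assumption: bundled mod_ssl), so a rule written for the
    standalone 2.8.x line says nothing about this host either way.
    """
    versions = parse_versions(banner)
    mod_ssl = versions.get("mod_ssl")
    if mod_ssl is None:
        return "no_mod_ssl"
    httpd = versions.get("Apache")
    if httpd is not None and httpd[0] >= 2 and mod_ssl == httpd:
        return "not_applicable"
    return "vulnerable" if mod_ssl < FIXED_IN else "fixed"


if __name__ == "__main__":
    for label, banner in BANNERS.items():
        print(f"{label:18} naive={naive_verdict(banner)!s:5} "
              f"informed={informed_verdict(banner)}")
```

The "not_applicable" result is deliberately not "fixed": the banner alone cannot prove the host is patched, only that the 2.8.10 threshold is the wrong yardstick for it. Confirming what is actually loaded means checking the port's httpd binary and module list on the host rather than the banner.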