From: crawdad@fnal.gov
Subject: Apache/mod_ssl bugs to be fixed
Date: August 11, 2004 9:30:09 CDT
To: cppm_reg_sysadmins@fnal.gov
Cc: computer_security@FNAL.GOV

mod_ssl is a separate module for the Apache web server version 1.3, and integrated into version 2.0. There are buffer overflows known to be possible before mod_ssl version 2.8.19. The possibility of remote exploit running arbitrary code as the userid of the web server is sufficient to rate this vulnerability as CRITICAL.

All Apache web servers with mod_ssl included (whether or not SSL is in use) must be updated by August 27.

An updated version of the Apache product is available in kits as v1_3_31. Apache 2.0 servers must be updated to 2.0.50. "Fermi" Linux LTS301 includes Apache 2.0.50 if it is kept up-to-date. FRHL 7.3.1 ought to have updates available soon.

References

http://www.modssl.org/news/
http://httpd.apache.org/
http://www.kb.cert.org/vuls/id/303448

Matt Crawford
Fermilab Computer Security Coordinator
+1 630 840 3461
** Computer security contact line: +1 630 840 2345 **
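
A banner triage check against the versions named in this advisory, added here as an example; it is not part of the original message. The function names are hypothetical and the sample banners are constructed. A suppressed or abbreviated Server banner yields "unknown" and has to be verified on the host itself.

```python
import re

# Fixed versions as stated in the advisory text.
FIXED_MOD_SSL = (2, 8, 19)    # mod_ssl for Apache 1.3
FIXED_APACHE_20 = (2, 0, 50)  # Apache 2.0, where mod_ssl is integrated


def _ver(text):
    """Turn '2.8.9' into (2, 8, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess_banner(banner):
    """Classify an HTTP Server banner as 'update', 'ok' or 'unknown'."""
    apache = re.search(r"\bApache/(\d+\.\d+\.\d+)", banner)
    if not apache:
        # Banner trimmed (e.g. ServerTokens Prod/Minor) or not Apache at all.
        return "unknown"
    apache_ver = _ver(apache.group(1))

    if apache_ver[:2] == (2, 0):
        return "update" if apache_ver < FIXED_APACHE_20 else "ok"

    if apache_ver[:2] == (1, 3):
        mod_ssl = re.search(r"\bmod_ssl/(\d+\.\d+\.\d+)", banner)
        if not mod_ssl:
            # Module tokens may be hidden; absence here does not prove
            # mod_ssl is not compiled in, so check the host.
            return "unknown"
        return "update" if _ver(mod_ssl.group(1)) < FIXED_MOD_SSL else "ok"

    return "unknown"  # release line not covered by this advisory


def triage(banners):
    """Map host -> verdict for a dict of host -> banner."""
    return {host: assess_banner(b) for host, b in banners.items()}


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    sample = {
        "web1.example": "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c",
        "web2.example": "Apache/1.3.31 (Unix) mod_ssl/2.8.19 OpenSSL/0.9.7d",
        "web3.example": "Apache/2.0.49 (Unix)",
        "web4.example": "Apache",
    }
    for host, verdict in sorted(triage(sample).items()):
        print(f"{host}: {verdict}")
```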