#use wml::debian::translation-check translation="1.2" maintainer=""
#pddp rafalm80
<define-tag description>several vulnerabilities</define-tag>
<define-tag moreinfo>
<p>Two vulnerabilities were discovered in libapache-mod-ssl:</p>

<ul>

<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488">CAN-2004-0488</a>
  <p>Stack-based buffer overflow in the
  ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl,
  when mod_ssl is configured to trust the issuing CA, may allow remote
  attackers to execute arbitrary code via a client certificate with a
  long subject DN.</p>

<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0700">CAN-2004-0700</a>
  <p>Format string vulnerability in the ssl_log function
  in ssl_engine_log.c in mod_ssl 2.8.19 for Apache 1.3.31 may allow
  remote attackers to execute arbitrary messages via format string
  specifiers in certain log messages for HTTPS.</p>

</ul>

<p>For the current stable distribution (woody), these problems have been
fixed in version 2.8.9-2.4.</p>

<p>For the unstable distribution (sid), <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488">CAN-2004-0488</a> was fixed in
version 2.8.18, and <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0700">CAN-2004-0700</a> will be fixed soon.</p>

<p>We recommend that you update your libapache-mod-ssl package.</p>
</define-tag>

# do not modify the following line
#include "$(ENGLISHDIR)/security/2004/dsa-532.data"