Login
Newsletter
Werbung

Sicherheit: Mangelnde Prüfung von Zertifikaten in mod_nss
Aktuelle Meldungen Distributionen
Name: Mangelnde Prüfung von Zertifikaten in mod_nss
ID: FEDORA-2013-22787
Distribution: Fedora
Plattformen: Fedora 19
Datum: Fr, 13. Dezember 2013, 08:30
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4566
Applikationen: mod_nss

Originalnachricht

Name        : mod_nss
Product : Fedora 19
Version : 1.0.8
Release : 27.fc19
URL : http://directory.fedoraproject.org/wiki/Mod_nss
Summary : SSL/TLS module for the Apache HTTP server
Description :
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.

-------------------------------------------------------------------------------
-
Update Information:

A flaw was found in the way NSSVerifyClient was handled when used in both
server / vhost context as well as directory context (specified either via <Directory> or <Location> directive). If 'NSSVerifyClient none' was set in the server / vhost context (i.e. when server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication was expected to be required for a specific directory via 'NSSVerifyClient require' setting, mod_nss failed to properly require expected certificate authentication. Remote attacker able to connect to the web server using such mod_nss configuration and without a valid client certificate could possibly use this flaw to access content of the restricted directories.
-------------------------------------------------------------------------------
-
ChangeLog:

* Tue Dec 3 2013 Rob Crittenden <rcritten@redhat.com> - 1.0.8-27
- Resolves: CVE-2013-4566
- [mod_nss-nssverifyclient.patch]
- Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of
NSSVerifyClient in directory context [fedora-all]
- Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in
Directory
* Mon Oct 21 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-24
- Bugzilla Bug #961471 - Port Downstream Patches Upstream (mharmsen)
- Add '--enable-ecc' option to %configure line under %build section of
this spec file (mharmsen)
- Bumped version build/runtime requirements for NSPR and NSS (mharmsen)
- [mod_nss-PK11_ListCerts_2.patch]
- Bugzilla Bug #767802 - PK11_ListCerts called to retrieve all user
certificates for every server (rcritten)
- [mod_nss-array_overrun.patch]
- Bugzilla Bug #1022717 - overrunning array when executing nss_pcache
(rcritten)
- [mod_nss-clientauth.patch]
- Bugzilla Bug #1017675 - mod_nss: FakeBasicAuth authentication bypass
[fedora-all] (rcritten)
- [mod_nss-no_shutdown_if_not_init_2.patch]
- Bugzilla Bug #1022722 - File descriptor leak after "service httpd
reload"
or httpd doesn't reload (rrelyea)
- [mod_nss-proxyvariables.patch]
- Bugzilla Bug #1022726 - mod_nss insists on Required value NSSCipherSuite
not set. (mharmsen)
- [mod_nss-tlsv1_1.patch]
- Bugzilla Bug #979798 - current nss support TLS 1.1 so mod_nss should pick
it up (mharmsen)
- Bugzilla Bug #979718 - mod_nss documentation should mention TLS 1.1
(mharmsen)
- [mod_nss-sslmultiproxy_2.patch]
- Fixes Bugzilla Bug #1021469 - [RFE] Support ability to share mod_proxy with
other SSL providers (jorton, mharmsen, nkinder, & rcritten)
* Tue Jul 30 2013 Joe Orton <jorton@redhat.com> - 1.0.8-23
- add dependency on httpd-mmn
* Wed Jul 3 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-22
- Moved 'nss_pcache' from %sbindir to %libexecdir
(provided compatibility link)
* Tue Jul 2 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-21.1
- rpmlint mod_nss.spec
0 packages and 1 specfiles checked; 0 errors, 0 warnings.
- rpmlint mod_nss-1.0.8-21.1 (SRPM)
W: spelling-error %description -l en_US nss -> ass, nos, nus
1 packages and 0 specfiles checked; 0 errors, 1 warnings.
- rpmlint mod_nss-1.0.8-21.1 (RPM)
W: spelling-error %description -l en_US nss -> ass, nos, nus
E: non-readable /etc/httpd/alias/cert8.db 0640L
E: non-readable /etc/httpd/alias/secmod.db 0640L
E: non-readable /etc/httpd/alias/key3.db 0640L
1 packages and 0 specfiles checked; 3 errors, 1 warnings.
- rpmlint mod_nss-debuginfo-1.0.8-21.1 (RPM)
W: spelling-error Summary(en_US) nss -> ass, nos, nus
W: spelling-error %description -l en_US nss -> ass, nos, nus
1 packages and 0 specfiles checked; 0 errors, 2 warnings.
* Tue Jun 25 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-21
- Bugzilla Bug #884115 - Package mod_nss-1.0.8-18.1.el7 failed RHEL7 RPMdiff
testing
- Bugzilla Bug #906082 - mod_nss requires manpages for gencert and nss_pcache
- Bugzilla Bug #906089 - Fix dangling symlinks in mod_nss
- Bugzilla Bug #906097 - Correct RPM Parse Warning in mod_nss.spec
- Bugzilla Bug #948601 - Man page scan results for mod_nss
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #1016832 - CVE-2013-4566 mod_nss: incorrect handling of
NSSVerifyClient in directory context
https://bugzilla.redhat.com/show_bug.cgi?id=1016832
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program. Use
su -c 'yum update mod_nss' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Pro-Linux
Gewinnspiel
Neue Nachrichten
Werbung