Security: Insufficient verification of certificates in mod_nss

Name: Insufficient verification of certificates in mod_nss
ID: FEDORA-2013-22786
Distribution: Fedora
Platforms: Fedora 18
Date: Fri, 13 December 2013, 08:30
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4566
Applications: mod_nss
Original message

Name        : mod_nss
Product     : Fedora 18
Version     : 1.0.8
Release     : 27.fc18
URL         : http://directory.fedoraproject.org/wiki/Mod_nss
Summary     : SSL/TLS module for the Apache HTTP server
Description : The mod_nss module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols using the Network Security Services (NSS) security library.
-------------------------------------------------------------------------------
Update Information:

A flaw was found in the way NSSVerifyClient was handled when it was used both in the server/vhost context and in a directory context (specified via a <Directory> or <Location> directive). If 'NSSVerifyClient none' was set in the server/vhost context (i.e. the server was configured not to request or require client certificate authentication on the initial connection), while client certificate authentication was expected to be required for a specific directory via 'NSSVerifyClient require', mod_nss failed to properly require the expected certificate authentication. A remote attacker able to connect to a web server with such a mod_nss configuration, and without a valid client certificate, could possibly use this flaw to access the content of the restricted directories.

-------------------------------------------------------------------------------
ChangeLog:
* Tue Dec 3 2013 Rob Crittenden <rcritten@redhat.com> - 1.0.8-27
- Resolves: CVE-2013-4566
- [mod_nss-nssverifyclient.patch]
- Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of NSSVerifyClient in directory context [fedora-all]
- Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in Directory

* Mon Oct 21 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-24
- Bugzilla Bug #961471 - Port Downstream Patches Upstream (mharmsen)
- Add '--enable-ecc' option to %configure line under %build section of this spec file (mharmsen)
- Bumped version build/runtime requirements for NSPR and NSS (mharmsen)
- [mod_nss-PK11_ListCerts_2.patch]
- Bugzilla Bug #767802 - PK11_ListCerts called to retrieve all user certificates for every server (rcritten)
- [mod_nss-array_overrun.patch]
- Bugzilla Bug #1022717 - overrunning array when executing nss_pcache (rcritten)
- [mod_nss-clientauth.patch]
- Bugzilla Bug #1017675 - mod_nss: FakeBasicAuth authentication bypass [fedora-all] (rcritten)
- [mod_nss-no_shutdown_if_not_init_2.patch]
- Bugzilla Bug #1022722 - File descriptor leak after "service httpd reload" or httpd doesn't reload (rrelyea)
- [mod_nss-proxyvariables.patch]
- Bugzilla Bug #1022726 - mod_nss insists on Required value NSSCipherSuite not set. (mharmsen)
- [mod_nss-tlsv1_1.patch]
- Bugzilla Bug #979798 - current nss support TLS 1.1 so mod_nss should pick it up (mharmsen)
- Bugzilla Bug #979718 - mod_nss documentation should mention TLS 1.1 (mharmsen)
- [mod_nss-sslmultiproxy_2.patch]
- Fixes Bugzilla Bug #1021469 - [RFE] Support ability to share mod_proxy with other SSL providers (jorton, mharmsen, nkinder, & rcritten)

* Tue Jul 30 2013 Joe Orton <jorton@redhat.com> - 1.0.8-23
- add dependency on httpd-mmn

* Wed Jul 3 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-22
- Moved 'nss_pcache' from %sbindir to %libexecdir (provided compatibility link)

* Tue Jul 2 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-21.1
- rpmlint mod_nss.spec
  0 packages and 1 specfiles checked; 0 errors, 0 warnings.
- rpmlint mod_nss-1.0.8-21.1 (SRPM)
  W: spelling-error %description -l en_US nss -> ass, nos, nus
  1 packages and 0 specfiles checked; 0 errors, 1 warnings.
- rpmlint mod_nss-1.0.8-21.1 (RPM)
  W: spelling-error %description -l en_US nss -> ass, nos, nus
  E: non-readable /etc/httpd/alias/cert8.db 0640L
  E: non-readable /etc/httpd/alias/secmod.db 0640L
  E: non-readable /etc/httpd/alias/key3.db 0640L
  1 packages and 0 specfiles checked; 3 errors, 1 warnings.
- rpmlint mod_nss-debuginfo-1.0.8-21.1 (RPM)
  W: spelling-error Summary(en_US) nss -> ass, nos, nus
  W: spelling-error %description -l en_US nss -> ass, nos, nus
  1 packages and 0 specfiles checked; 0 errors, 2 warnings.

* Tue Jun 25 2013 Matthew Harmsen <mharmsen@redhat.com> - 1.0.8-21
- Bugzilla Bug #884115 - Package mod_nss-1.0.8-18.1.el7 failed RHEL7 RPMdiff testing
- Bugzilla Bug #906082 - mod_nss requires manpages for gencert and nss_pcache
- Bugzilla Bug #906089 - Fix dangling symlinks in mod_nss
- Bugzilla Bug #906097 - Correct RPM Parse Warning in mod_nss.spec
- Bugzilla Bug #948601 - Man page scan results for mod_nss

-------------------------------------------------------------------------------
References:
[ 1 ] Bug #1016832 - CVE-2013-4566 mod_nss: incorrect handling of NSSVerifyClient in directory context
      https://bugzilla.redhat.com/show_bug.cgi?id=1016832

-------------------------------------------------------------------------------
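The configuration pattern described under Update Information above (NSSVerifyClient none at server/vhost level combined with NSSVerifyClient require in a Directory or Location context) is what an administrator needs to find in their own httpd configuration before deciding whether an unpatched mod_nss build exposes restricted content. The following audit script is an added example, not code from the Fedora project or from mod_nss. It parses an httpd.conf-style text, records each NSSVerifyClient directive with its context, and reports every directory-level "require" whose enclosing vhost negotiates "none" on the initial connection. The sample configuration fragment is constructed; the script assumes that NSSVerifyClient defaults to none when the directive is absent, and the version check against 1.0.8-27 (the fixed release named in this advisory) is a toy comparison rather than an RPM-EVR-compliant one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed httpd.conf fragment (not from the advisory). It reproduces the
# affected pattern: 'none' in the vhost context, 'require' in a <Location>.
SAMPLE_CONF = """
Listen 443
<VirtualHost _default_:443>
    NSSEngine on
    NSSVerifyClient none
    <Location /secure>
        NSSVerifyClient require
    </Location>
    <Directory "/var/www/html/public">
        NSSVerifyClient none
    </Directory>
</VirtualHost>
"""

FIXED_RELEASE = (1, 0, 8, 27)   # mod_nss 1.0.8-27 carries the fix (from the advisory)

SECTION_OPEN = re.compile(
    r'^<(VirtualHost|DirectoryMatch|Directory|LocationMatch|Location|FilesMatch|Files)\s*([^>]*)>$',
    re.I)
SECTION_CLOSE = re.compile(r'^</(\w+)>$')
VERIFY_CLIENT = re.compile(r'^NSSVerifyClient\s+(\S+)', re.I)


@dataclass
class Setting:
    scope: str     # 'server', 'vhost' or 'directory' (Directory/Location/Files and *Match)
    context: str   # vhost argument, section argument, or 'main'
    vhost: str     # enclosing VirtualHost argument, or 'main' for the main server
    value: str     # none | optional | require | optional_no_ca (lower-cased)
    line: int


def parse_nss_verify_client(conf: str) -> List[Setting]:
    """Collect every NSSVerifyClient directive together with the context it applies to."""
    settings: List[Setting] = []
    stack: List[Tuple[str, str]] = []   # currently open sections as (kind, argument)
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip()))
            continue
        m = SECTION_CLOSE.match(line)
        if m:
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()
            continue
        m = VERIFY_CLIENT.match(line)
        if not m:
            continue
        vhosts = [arg for kind, arg in stack if kind == 'virtualhost']
        vhost = vhosts[-1] if vhosts else 'main'
        if not stack:
            scope, context = 'server', 'main'
        elif stack[-1][0] == 'virtualhost':
            scope, context = 'vhost', vhost
        else:
            scope, context = 'directory', stack[-1][1]
        settings.append(Setting(scope, context, vhost, m.group(1).lower(), lineno))
    return settings


def connection_level_value(settings: List[Setting], vhost: str) -> Tuple[str, Optional[Setting]]:
    """Value in force on the initial connection for a vhost: the vhost's own directive,
    else the main server's, else 'none' (assumed default when the directive is absent)."""
    for scope, ctx in (('vhost', vhost), ('server', 'main')):
        for s in settings:
            if s.scope == scope and s.context == ctx:
                return s.value, s
    return 'none', None


def find_affected_combinations(settings: List[Setting]) -> List[Tuple[Optional[Setting], Setting]]:
    """(outer, inner) pairs where a directory context demands 'require' while the
    connection-level setting of its vhost is 'none'; before mod_nss 1.0.8-27 the
    per-directory requirement was not enforced (CVE-2013-4566)."""
    findings = []
    for inner in settings:
        if inner.scope != 'directory' or inner.value != 'require':
            continue
        value, outer = connection_level_value(settings, inner.vhost)
        if value == 'none':
            findings.append((outer, inner))
    return findings


def is_fixed(version_release: str) -> bool:
    """True if a 'mod_nss-<version>-<release>' string (e.g. from rpm -q) is at or past 1.0.8-27."""
    m = re.match(r'(?:mod_nss-)?(\d+)\.(\d+)\.(\d+)-(\d+)', version_release)
    if not m:
        raise ValueError(f'unrecognised version string: {version_release}')
    return tuple(int(x) for x in m.groups()) >= FIXED_RELEASE


if __name__ == '__main__':
    for outer, inner in find_affected_combinations(parse_nss_verify_client(SAMPLE_CONF)):
        where = f'line {outer.line}' if outer else 'default (directive absent)'
        print(f"line {inner.line}: 'NSSVerifyClient require' for {inner.context} under "
              f"connection-level 'none' ({where}); not enforced before mod_nss 1.0.8-27")
```

Run against the real configuration by reading httpd.conf and its included files in place of SAMPLE_CONF; a finding means that on a build older than 1.0.8-27 the listed directory must not be relied on to demand a client certificate until the update from this advisory is installed.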
This update can be installed with the "yum" update program. Use

    su -c 'yum update mod_nss'

at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys

-------------------------------------------------------------------------------
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce