Bugzilla – Bug 853039
VUL-0: CVE-2013-4566: apache2-mod_nss: client certificate verification problematic
Last modified: 2016-09-21 02:46:15 UTC
embargoed, CRD Dec 3, between 1500 and 2000 UTC. Albert Smith of OUSD(AT&L) reported this problem to Red Hat.

CVE-2013-4566: The flaw is in the enforcement of the NSSVerifyClient setting (which is equivalent to mod_ssl's SSLVerifyClient). If 'NSSVerifyClient none' is set in the server / vhost context (i.e. when the server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication is expected to be required for a specific directory via the 'NSSVerifyClient require' setting, mod_nss fails to properly require certificate authentication. A remote attacker can use this to access content of the restricted directories. Patch attached. -- Tomas Hoger / Red Hat Security Response Team
Created attachment 569721 [details] mod_nss-CVE-2013-4566.patch attached patch
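The vulnerable configuration pattern described in the report (server-level 'NSSVerifyClient none' with a per-directory 'NSSVerifyClient require') is easy to spot in an httpd config once you know to look for it. The following audit script is an added example and is not part of the bug report, the attached patch or the mod_nss project. It parses a minimal Apache-style config (the sample config embedded below is constructed, not taken from any SUSE product), records the NSSVerifyClient value in the server context and in each Directory/Location container, and reports every container whose client-certificate requirement relies solely on per-directory enforcement, which is exactly the enforcement CVE-2013-4566 broke. It assumes that an absent server-level directive behaves like 'none' (the mod_ssl default; labelled as an assumption in the code) and that the only container types of interest are Directory and Location.

```python
import re

# Constructed sample config (not from the bug report): server-level 'none',
# one directory that expects the per-directory 'require' to be enforced.
SAMPLE_CONFIG = """
<VirtualHost _default_:8443>
    NSSEngine on
    NSSVerifyClient none
    <Directory "/srv/www/htdocs/secure">
        NSSVerifyClient require
    </Directory>
    <Location "/public">
        NSSVerifyClient none
    </Location>
</VirtualHost>
"""

OPEN_RE = re.compile(r'^<(Directory|Location|VirtualHost)\s+(.*?)>$', re.I)
CLOSE_RE = re.compile(r'^</(Directory|Location|VirtualHost)>$', re.I)
DIRECTIVE_RE = re.compile(r'^NSSVerifyClient\s+(\S+)$', re.I)


def parse_verify_client(config_text):
    """Return (server_level, containers).

    server_level is the NSSVerifyClient value outside any Directory/Location
    (VirtualHost counts as server context); containers maps
    "Directory /path" or "Location /path" to the value set inside it.
    A stack of open containers keeps nesting straight.
    """
    server_level = None
    containers = {}
    stack = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = OPEN_RE.match(line)
        if m:
            kind, arg = m.group(1), m.group(2).strip().strip('"')
            stack.append((kind, arg))
            continue
        if CLOSE_RE.match(line):
            stack.pop()
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            value = m.group(1).lower()
            scoped = [s for s in stack if s[0].lower() in ('directory', 'location')]
            if scoped:
                kind, arg = scoped[-1]
                containers[f"{kind} {arg}"] = value
            else:
                server_level = value
    return server_level, containers


def audit(config_text):
    """Return (effective_server_level, [containers relying on per-directory 'require'])."""
    server_level, containers = parse_verify_client(config_text)
    # Assumption: a missing server-level directive behaves like 'none'.
    server_level = server_level or 'none'
    findings = [name for name, value in containers.items()
                if value == 'require' and server_level == 'none']
    return server_level, findings


if __name__ == '__main__':
    level, hits = audit(SAMPLE_CONFIG)
    print(f"server-level NSSVerifyClient: {level}")
    for name in hits:
        print(f"  {name}: client cert required only per-directory; "
              f"confirm the installed mod_nss contains the CVE-2013-4566 fix")
```

A hit does not mean the configuration itself is wrong: per-directory 'require' is a legitimate setup that the patched module honours. The point of the audit is to find the hosts where the vulnerable module version would have silently served the restricted directory to clients without a certificate, so those hosts can be prioritised for the update listed further down in this bug.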
bugbot adjusting priority
package submitted against SUSE:SLE-11-SP1:Update:Test, request id 29744.
The SWAMPID for this issue is 55314. This issue was rated as moderate. Please submit fixed packages until 2013-12-17. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
is public now
This is an autogenerated message for OBS integration: This bug (853039) was mentioned in https://build.opensuse.org/request/show/211193 13.1 / apache2-mod_nss
Update released for: apache2-mod_nss, apache2-mod_nss-debuginfo, apache2-mod_nss-debugsource Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: apache2-mod_nss, apache2-mod_nss-debuginfo, apache2-mod_nss-debugsource Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
Update released for: apache2-mod_nss, apache2-mod_nss-debuginfo, apache2-mod_nss-debugsource Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
SUSE-SU-2013:1926-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 853039 CVE References: CVE-2013-4566 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): apache2-mod_nss-1.0.8-0.4.7.1 SUSE Linux Enterprise Server 11 SP3 (src): apache2-mod_nss-1.0.8-0.4.7.1 SUSE Linux Enterprise Server 11 SP2 for VMware (src): apache2-mod_nss-1.0.8-0.4.7.1 SUSE Linux Enterprise Server 11 SP2 (src): apache2-mod_nss-1.0.8-0.4.7.1
openSUSE-SU-2013:1956-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 847216,853039 CVE References: CVE-2013-4566 Sources used: openSUSE 13.1 (src): apache2-mod_nss-1.0.8-0.4.6.4.1
done
This is an autogenerated message for OBS integration: This bug (853039) was mentioned in https://build.opensuse.org/request/show/223307 Factory / apache2-mod_nss
Was SLES-11-SP1 affected by this CVE? I need a submission for a Huawei customer.