Bugzilla – Bug 973996
VUL-1: CVE-2016-3099: apache2-mod_nss: Invalid handling of +CIPHER operator
Last modified: 2016-04-28 06:38:28 UTC
rh#1319052

It was reported that the +CIPHER operator in OpenSSL changes the order of a cipher. Since cipher ordering isn't supported in NSS, the mod_nss code was supposed to return an error. Instead it returned the result of processing up to that point.

Default OpenSSL cipher string:

!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES

would not properly exclude anything because only the first 5 elements would be examined.

Acknowledgments: Rob Crittenden (Red Hat)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1319052
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3099
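A toy model of the fail-open behaviour described in the report, added here as an illustration and not mod_nss's own parser: the five-entry cipher table, the keyword tags and the `fail_open` switch are constructed for this example. With `fail_open` set, the `+3DES` element ends processing and the `!eNULL:!MD5:!RC4` exclusions that follow it are never applied, so the weak ciphers stay enabled; the fixed path rejects the whole string instead.

```c
#include <string.h>

/* Constructed toy cipher table (not mod_nss's real one): each cipher lists the
   OpenSSL-style keywords (key exchange, cipher, MAC, flags) it matches. */
struct cipher { const char *name; const char *tags; };
static const struct cipher table[] = {
    { "ECDHE-RSA-AES128-SHA", "kEECDH AES SHA1" },
    { "AES128-SHA",           "kRSA AES SHA1" },
    { "DES-CBC3-SHA",         "kRSA 3DES SHA1" },
    { "RC4-MD5",              "kRSA RC4 MD5" },
    { "NULL-MD5",             "kRSA eNULL MD5" },
};
#define NCIPHERS (sizeof table / sizeof table[0])
static int enabled[NCIPHERS];   /* result of the last apply_cipherlist() call */
/* Whole-word match of keyword kw in the space-separated tag list. */
static int has_tag(const char *tags, const char *kw) {
    size_t n = strlen(kw);
    for (const char *p = strstr(tags, kw); p; p = strstr(p + n, kw))
        if ((p == tags || p[-1] == ' ') && (p[n] == ' ' || p[n] == '\0')) return 1;
    return 0;
}
/* Apply an OpenSSL-style cipher string to enabled[]. Returns the number of
   ciphers left on, or -1 for an unsupported operator. fail_open == 1
   reproduces the bug: '+' ends the loop and the partial state is returned. */
int apply_cipherlist(const char *spec, int fail_open) {
    int banned[NCIPHERS] = {0}, count = 0;
    char buf[256];
    strncpy(buf, spec, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    memset(enabled, 0, sizeof enabled);
    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        char op = (*tok == '!' || *tok == '+') ? *tok++ : 0;
        if (op == '+') {            /* NSS cannot reorder ciphers */
            if (fail_open) break;   /* bug: silently keep the partial result */
            return -1;              /* fix: reject the whole string */
        }
        for (size_t i = 0; i < NCIPHERS; i++) {
            if (!has_tag(table[i].tags, tok)) continue;
            if (op == '!') banned[i] = 1, enabled[i] = 0;  /* permanent exclusion */
            else if (!banned[i]) enabled[i] = 1;
        }
    }
    for (size_t i = 0; i < NCIPHERS; i++) count += enabled[i];
    return count;
}
/* Is cipher `name` on after the last apply_cipherlist() call? */
int cipher_on(const char *name) {
    for (size_t i = 0; i < NCIPHERS; i++)
        if (!strcmp(table[i].name, name)) return enabled[i];
    return 0;
}
```

Run against the default string from the report, the buggy path leaves RC4-MD5 and NULL-MD5 enabled, while the same string with `+3DES` removed leaves only the three ciphers the exclusions permit.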
Only Factory is affected. Other distributions have mod_nss 1.0.8, which doesn't support the OpenSSL-style cipher list. (The feature was added in 1.0.11.)
Factory package updated to 1.0.14.
This is an autogenerated message for OBS integration: This bug (973996) was mentioned in https://build.opensuse.org/request/show/390637 (Factory / apache2-mod_nss)