Bug#: 104807
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Carsten Lohrke <carlo@gentoo.org>

Bug 104807 depends on: 105590 Show dependency tree
Bug 104807 blocks: 103554


Description:   Opened: 2005-09-04 07:14 0000
Apache 1:

A subtle security bug (CAN-2005-2700) was discovered in mod_ssl where
"SSLVerifyClient require" was not enforced in per-location context
if "SSLVerifyClient optional" was configured in the global virtual
host configuration. This bug is now fixed in mod_ssl 2.8.24 for Apache
1.3.33.

http://marc.theaimsgroup.com/?l=apache-modssl&m=112569517603897&w=2


Apache 2:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that
renegotiation is performed for a transition from "SSLVerifyClient
optional" to "SSLVerifyClient require".

The boolean "verify_old & SSL_VERIFY_PEER_STRICT" is true if the old
context merely has optional verification configured, since the
definition of SSL_VERIFY_PEER_STRICT is
(SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_PEER).

ChangeLog:
http://svn.apache.org/viewcvs.cgi/httpd/httpd/trunk/CHANGES?rev=264800&view=markup
Patch:
http://svn.apache.org/viewcvs.cgi/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=264800&r1=209469&r2=264800&diff_format=h
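The optional-to-require check the report describes, as an added example that is not mod_ssl source or the Apache patch: a small C model of the per-location access decision for a virtual host configured with "SSLVerifyClient optional" and a <Location> that sets "SSLVerifyClient require". Only the definition of SSL_VERIFY_PEER_STRICT and the shape of the defective boolean "verify_old & SSL_VERIFY_PEER_STRICT" come from the description; the SSL_VERIFY_* bit values (mirroring OpenSSL's), the verify_client enum and the renegotiates() function are assumptions of this example.

```c
#include <stdio.h>

/* Verification-mode bits. The values mirror OpenSSL's SSL_VERIFY_* constants
 * from <openssl/ssl.h>; they are defined locally (an assumption of this
 * example) so that it compiles without OpenSSL headers. */
#define SSL_VERIFY_NONE                 0x00
#define SSL_VERIFY_PEER                 0x01
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02

/* "require" mode, with the definition the bug description quotes. */
#define SSL_VERIFY_PEER_STRICT \
    (SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_PEER)

/* The three SSLVerifyClient settings that matter here (example's own enum). */
enum verify_client { VC_NONE, VC_OPTIONAL, VC_REQUIRE };

/* Map a directive value onto verification bits: "optional" asks for a
 * certificate but tolerates its absence (SSL_VERIFY_PEER only); "require"
 * additionally sets the fail-if-missing bit. */
static int verify_bits(enum verify_client mode)
{
    switch (mode) {
    case VC_OPTIONAL: return SSL_VERIFY_PEER;
    case VC_REQUIRE:  return SSL_VERIFY_PEER_STRICT;
    default:          return SSL_VERIFY_NONE;
    }
}

/* Defective "is the old context already strict?" test from the report:
 * a non-zero bitwise AND counts as true, so SSL_VERIFY_PEER alone (the
 * "optional" setting) is mistaken for "require". */
static int old_is_strict_buggy(int verify_old)
{
    return (verify_old & SSL_VERIFY_PEER_STRICT) != 0;
}

/* Corrected test: strict only when every bit of SSL_VERIFY_PEER_STRICT is set. */
static int old_is_strict_fixed(int verify_old)
{
    return (verify_old & SSL_VERIFY_PEER_STRICT) == SSL_VERIFY_PEER_STRICT;
}

/* Model of the per-request access decision (hypothetical, not mod_ssl's).
 * vhost_mode is the mode the TLS session was negotiated with; location_mode
 * is the <Location> override. Returns 1 when the server renegotiates to
 * enforce the stricter mode, 0 when the request is served under the
 * already-negotiated mode. use_fix selects the corrected test. */
int renegotiates(enum verify_client vhost_mode, enum verify_client location_mode,
                 int use_fix)
{
    int verify_old = verify_bits(vhost_mode);
    int verify_new = verify_bits(location_mode);
    int strict_already;

    if (verify_new != SSL_VERIFY_PEER_STRICT)
        return 0;           /* the location does not demand a client cert */

    strict_already = use_fix ? old_is_strict_fixed(verify_old)
                             : old_is_strict_buggy(verify_old);
    return !strict_already; /* nothing to do if (believed) strict already */
}

int main(void)
{
    static const char *names[] = { "none", "optional", "require" };
    int i;

    printf("vhost -> <Location require>   buggy  fixed\n");
    for (i = VC_NONE; i <= VC_REQUIRE; i++)
        printf("%-8s -> require          %d      %d\n", names[i],
               renegotiates((enum verify_client)i, VC_REQUIRE, 0),
               renegotiates((enum verify_client)i, VC_REQUIRE, 1));
    return 0;
}
```

The "optional" row is the one that matters: the buggy test returns 0, meaning the session negotiated under "optional" is reused and a client that presented no certificate is served the location that was supposed to require one; the corrected test returns 1 and forces the renegotiation. On a server that cannot yet be upgraded, the pattern to look for in the configuration is exactly this combination of a vhost-level "optional" and a per-location "require".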

------- Comment #1 From Stefan Cornelius (RETIRED) 2005-09-04 07:52:00 0000 -------
Apache-team, please provide fixed ebuilds, thx in advance.

------- Comment #2 From Thierry Carrez (RETIRED) 2005-09-04 11:40:54 0000 -------
*** Bug 104474 has been marked as a duplicate of this bug. ***

------- Comment #3 From Thierry Carrez (RETIRED) 2005-09-07 07:33:45 0000 -------
Apache herd: maybe fix bug 103554 with this one ?

------- Comment #4 From Michael Stewart (vericgar) (RETIRED) 2005-09-08 16:40:56 0000 -------
If someone else from the apache herd doesn't step up to fix this, I'll take
care of it this weekend.

------- Comment #5 From Michael Stewart (vericgar) (RETIRED) 2005-09-10 15:48:44 0000 -------
New ebuilds are in CVS.

Apache 1 old-style (stable) should upgrade to:
=net-www/apache-1.3.33-r6
=net-www/mod_ssl-2.8.24

Apache 1 new-style (testing) should upgrade to:
=net-www/apache-1.3.33-r11
=net-www/mod_ssl-2.8.24-r1

Apache 2 old-style should upgrade to:
=net-www/apache-2.0.54-r15

Apache 2 new-style should upgrade to:
=net-www/apache-2.0.54-r30

------- Comment #6 From Sune Kloppenborg Jeppesen 2005-09-10 23:35:36 0000 -------
Arches please test and mark stable.

Target keywords:

net-www/apache-1.3.33-r6: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86
net-www/apache-2.0.54-r15: alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86
net-www/mod_ssl-2.8.24-r1: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86

------- Comment #7 From Markus Rothe 2005-09-10 23:44:54 0000 -------
net-www/apache-1.3.33-r6 wants to install net-www/mod_ssl-2.8.24 instead of
-r1. Change the dep?

------- Comment #8 From Markus Rothe 2005-09-10 23:46:19 0000 -------
oh wait.. net-www/mod_ssl-2.8.24 is correct. I have only read the mails I
received and not comment #5 :-/

------- Comment #9 From Sune Kloppenborg Jeppesen 2005-09-10 23:50:16 0000 -------
Sorry my mistake.

=net-www/mod_ssl-2.8.24 should be marked stable not -r1 so new and hopefully
correct target keywords:

net-www/apache-1.3.33-r6: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86
net-www/apache-2.0.54-r15: alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86
net-www/mod_ssl-2.8.24: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86

------- Comment #10 From Markus Rothe 2005-09-11 00:01:12 0000 -------
stable on ppc64

------- Comment #11 From Michael Hanselmann (hansmi) (RETIRED) 2005-09-11 07:02:48 0000 -------
Stable on hppa and ppc.

------- Comment #12 From Jason Wever (RETIRED) 2005-09-11 20:40:51 0000 -------
SPARCtastic

------- Comment #13 From Bryan Østergaard (RETIRED) 2005-09-14 23:41:51 0000 -------
Alpha stable.

------- Comment #14 From Sune Kloppenborg Jeppesen 2005-09-14 23:50:55 0000 -------
Reopening for amd64 to mark stable.

------- Comment #15 From Simon Stelling (RETIRED) 2005-09-16 04:20:45 0000 -------
amd64 stable, sorry for the delay

------- Comment #16 From Bryan Østergaard (RETIRED) 2005-09-17 17:22:15 0000 -------
ia64 done stabling.

------- Comment #17 From Thierry Carrez (RETIRED) 2005-09-19 01:33:33 0000 -------
GLSA 200509-12
