Apache 1:

A subtle security bug (CAN-2005-2700) was discovered in mod_ssl where "SSLVerifyClient require" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the global virtual host configuration. This bug is now fixed in mod_ssl 2.8.24 for Apache 1.3.33.

http://marc.theaimsgroup.com/?l=apache-modssl&m=112569517603897&w=2

Apache 2:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that renegotiation is performed for a transition from "SSLVerifyClient optional" to "SSLVerifyClient require". The boolean "verify_old & SSL_VERIFY_PEER_STRICT" is true if the old context merely has optional verification configured, since the definition of SSL_VERIFY_PEER_STRICT is (SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_PEER).

ChangeLog: http://svn.apache.org/viewcvs.cgi/httpd/httpd/trunk/CHANGES?rev=264800&view=markup

Patch: http://svn.apache.org/viewcvs.cgi/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=264800&r1=209469&r2=264800&diff_format=h
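The bitmask pitfall described in the commit message above, as an added example that is not part of the original report and is not the mod_ssl source. The constants are local copies of the OpenSSL verify-mode bits; the function names, the MODE_* mapping and the per-bit form of the corrected test are assumptions made here for illustration.

```c
#include <stdio.h>

/* Local copies of OpenSSL's verify-mode bits so this builds without OpenSSL. */
#define VERIFY_NONE                 0x00
#define VERIFY_PEER                 0x01
#define VERIFY_FAIL_IF_NO_PEER_CERT 0x02
/* Composite mask, defined as the commit message above gives it. */
#define VERIFY_PEER_STRICT (VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_PEER)

/* Assumed mapping of the SSLVerifyClient values onto the bits. */
#define MODE_OPTIONAL VERIFY_PEER
#define MODE_REQUIRE  VERIFY_PEER_STRICT

/* Flawed test: any overlap with the composite mask counts as "already strict". */
int reneg_needed_mask_overlap(int verify_old, int verify_new)
{
    if (verify_old == verify_new) return 0;
    if (verify_old == VERIFY_NONE) return 1;
    return !(verify_old & VERIFY_PEER_STRICT) && (verify_new & VERIFY_PEER_STRICT);
}

/* Per-bit test: renegotiate whenever the new mode sets a bit the old one lacked. */
int reneg_needed_per_bit(int verify_old, int verify_new)
{
    return (verify_new & ~verify_old & VERIFY_PEER_STRICT) != 0;
}

int main(void)
{
    /* Constructed transitions: global vhost mode -> per-location mode. */
    const struct { const char *name; int from, to; } cases[] = {
        { "none     -> require ", VERIFY_NONE,   MODE_REQUIRE  },
        { "optional -> require ", MODE_OPTIONAL, MODE_REQUIRE  },
        { "require  -> optional", MODE_REQUIRE,  MODE_OPTIONAL },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%s  mask-overlap=%d  per-bit=%d\n", cases[i].name,
               reneg_needed_mask_overlap(cases[i].from, cases[i].to),
               reneg_needed_per_bit(cases[i].from, cases[i].to));
    return 0;
}
```

The "optional -> require" row is the case from the advisory: the mask-overlap test reports that no renegotiation is needed, so a client that presented no certificate is never asked for one.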
Apache-team, please provide fixed ebuilds, thx in advance.
*** Bug 104474 has been marked as a duplicate of this bug. ***
Apache herd: maybe fix bug 103554 with this one?
If someone else from the apache herd doesn't step up to fix this, I'll take care of it this weekend.
New ebuilds are in CVS.

Apache 1 old-style (stable) should upgrade to:
=net-www/apache-1.3.33-r6
=net-www/mod_ssl-2.8.24

Apache 1 new-style (testing) should upgrade to:
=net-www/apache-1.3.33-r11
=net-www/mod_ssl-2.8.24-r1

Apache 2 old-style should upgrade to:
=net-www/apache-2.0.54-r15

Apache 2 new-style should upgrade to:
=net-www/apache-2.0.54-r30
Arches please test and mark stable. Target keywords:

net-www/apache-1.3.33-r6: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86
net-www/apache-2.0.54-r15: alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86
net-www/mod_ssl-2.8.24-r1: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86
net-www/apache-1.3.33-r6 wants to install net-www/mod_ssl-2.8.24 instead of -r1. Change the dep?
Oh wait... net-www/mod_ssl-2.8.24 is correct. I have only read the mails I received and not comment #5 :-/
Sorry, my mistake. =net-www/mod_ssl-2.8.24 should be marked stable, not -r1, so new and hopefully correct target keywords:

net-www/apache-1.3.33-r6: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86
net-www/apache-2.0.54-r15: alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86
net-www/mod_ssl-2.8.24: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86
stable on ppc64
Stable on hppa and ppc.
SPARCtastic
Alpha stable.
Reopening for amd64 to mark stable.
amd64 stable, sorry for the delay
ia64 done stabling.
GLSA 200509-12