From ${URL} : A flaw was reported in the way mod_nss handled FakeBasicAuth NSSOption. Unlike mod_ssl, mod_nss only used CommonName from a client certificate's subject, rather than the whole subject DN. This made safety check inherited from mod_ssl that ensured client can not submit username and password generated by FakeBasicAuth via Authorization header without actually providing valid client certificate. Further details are in the Jared Jennings' post to the mod_nss mailing list: https://www.redhat.com/archives/mod_nss-list/2011-May/msg00001.html Problem was corrected in the following upstream git commit: https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=a6c3370491ae1d3bc552e8de9353c82f73e510e3 This fix is not yet included in any released mod_nss version. The last released version to date is 1.0.8 from Jul 2008. This problem was already corrected in Red Hat Enterprise Linux 5 and 6 mod_nss packages via the following errata: https://rhn.redhat.com/errata/RHBA-2011-1656.html https://rhn.redhat.com/errata/RHBA-2013-0009.html @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
This looks like it was fixed in upstream release mod_nss-1.0.8-24 (looks like this issue might of been addressed in earlier one, but Red Hat has it as this release in the tracking bug) https://bugzilla.redhat.com/show_bug.cgi?id=1017675 Also corrected CVE, CVE is 2011 not 2013
fixed in 1.0.9 upstream that is already out of tree. closing noglsa