
Bug 104474

Summary: net-www/{apache|mod_ssl?} CAN-2005-2700
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: CAN-2005-2700.diff (flags: none)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-01 06:01:32 UTC
A new mod_ssl issue reported upstream this week; if "SSLVerifyClient  
optional" has been configured at the vhost context then "SSLVerifyClient  
require" is not enforced in a location context within that vhost;  
effectively allowing clients to bypass client-cert authentication  
checks. 
 
Affects: all 2.0.x releases <= 2.0.54, and I believe also all  
mod_ssl-for-1.3 releases (by code review only, I haven't confirmed that  
yet)
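
The configuration pattern described above can be audited for. The following is an added example, not part of the bug report or the attached patch: it flags vhosts that set "SSLVerifyClient optional" while a nested section sets "SSLVerifyClient require". The function name and the sample configuration are constructed for illustration, and Include directives are not followed.

```python
import re

PER_DIR = {"location", "locationmatch", "directory", "directorymatch", "files", "filesmatch"}
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\s*\w+\s*>")
VERIFY = re.compile(r"SSLVerifyClient\s+(\S+)", re.IGNORECASE)

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLVerifyClient optional
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
<VirtualHost *:8443>
    SSLVerifyClient none
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

def find_exposed_sections(conf_text):
    """Return (vhost address, section tag) pairs matching the reported pattern."""
    stack = []       # open sections: (lowercased name, argument, tag text, line no.)
    vhost_mode = {}  # vhost opening line no. -> vhost-level SSLVerifyClient value
    nested = []      # (vhost line no., vhost argument, section tag) asking for 'require'
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            del stack[-1:]  # pop the innermost section; no-op on a stray close tag
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip(), m.group(0), lineno))
            continue
        m = VERIFY.match(line)
        vhost = next((s for s in stack if s[0] == "virtualhost"), None)
        if not m or vhost is None:
            continue
        mode, inner = m.group(1).lower(), stack[-1]
        if inner is vhost:
            vhost_mode[vhost[3]] = mode          # directive at vhost context
        elif inner[0] in PER_DIR and mode == "require":
            nested.append((vhost[3], vhost[1], inner[2]))
    return [(addr, tag) for key, addr, tag in nested if vhost_mode.get(key) == "optional"]
```

On a host running an affected release, each returned pair is a section whose client-certificate requirement is not enforced.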
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-01 06:02:14 UTC
Created attachment 67407
CAN-2005-2700.diff
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-09-04 11:40:54 UTC
Public followup on bug 104807

*** This bug has been marked as a duplicate of 104807 ***