Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 104474 - net-www/{apache|mod_ssl?} CAN-2005-2700
Summary: net-www/{apache|mod_ssl?} CAN-2005-2700
Status: RESOLVED DUPLICATE of bug 104807
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-01 06:01 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-08-16 18:34 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
CAN-2005-2700.diff (CAN-2005-2700.diff,685 bytes, patch)
2005-09-01 06:02 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-01 06:01:32 UTC
A new mod_ssl issue reported upstream this week; if "SSLVerifyClient  
optional" has been configured at the vhost context then "SSLVerifyClient  
require" is not enforced in a location context within that vhost;  
effectively allowing clients to bypass client-cert authentication  
checks. 
 
Affects: all 2.0.x releases <= 2.0.54, and I believe also all  
mod_ssl-for-1.3 releases (by code review only, I haven't confirmed that  
yet)
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-01 06:02:14 UTC
Created attachment 67407 [details, diff]
CAN-2005-2700.diff
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-09-04 11:40:54 UTC
Public followup on bug 104807

*** This bug has been marked as a duplicate of 104807 ***