Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 104807 - net-www/[apache|mod_ssl]: unauthorized site access (CAN-2005-2700)
Summary: net-www/[apache|mod_ssl]: unauthorized site access (CAN-2005-2700)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa] DerCorny
Keywords:
: 104474 (view as bug list)
Depends on: 105590
Blocks: 103554
  Show dependency tree
 
Reported: 2005-09-04 07:14 UTC by Carsten Lohrke (RETIRED)
Modified: 2019-11-30 22:07 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Carsten Lohrke (RETIRED) gentoo-dev 2005-09-04 07:14:38 UTC
Apache 1:

A subtle security bug (CAN-2005-2700) was discovered in mod_ssl where
where "SSLVerifyClient require" was not enforced in per-location context
if "SSLVerifyClient optional" was configured in the global virtual
host configuration. This bug is now fixed in mod_ssl 2.8.24 for Apache
1.3.33.

http://marc.theaimsgroup.com/?l=apache-modssl&m=112569517603897&w=2


Apache 2:

* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Ensure that
renegotiation is performed for a transition from "SSLVerifyClient
optional" to "SSLVerifyClient require".

The boolean "verify_old & SSL_VERIFY_PEER_STRICT" is true if the old
context merely has optional verification configured, since the
definition of SSL_VERIFY_PEER_STRICT is
(SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_PEER).

ChangeLog:
http://svn.apache.org/viewcvs.cgi/httpd/httpd/trunk/CHANGES?rev=264800&view=markup
Patch:
http://svn.apache.org/viewcvs.cgi/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=264800&r1=209469&r2=264800&diff_format=h
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-09-04 07:52:00 UTC
Apache-team, please provide fixed ebuilds, thx in advance.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-09-04 11:40:54 UTC
*** Bug 104474 has been marked as a duplicate of this bug. ***
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-09-07 07:33:45 UTC
Apache herd: maybe fix bug 103554 with this one ?
Comment 4 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-09-08 16:40:56 UTC
If someone else from the apache herd doesn't step up to fix this, I'll take care
of it this weekend.
Comment 5 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-09-10 15:48:44 UTC
New ebuilds are in CVS.

Apache 1 old-style (stable) should upgrade to:
=net-www/apache-1.3.33-r6
=net-www/mod_ssl-2.8.24

Apache 1 new-style (testing) should upgrade to:
=net-www/apache-1.3.33-r11
=net-www/mod_ssl-2.8.24-r1

Apache 2 old-style should upgrade to:
=net-www/apache-2.0.54-r15

Apache 2 new-style should upgrade to:
=net-www/apache-2.0.54-r30
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-10 23:35:36 UTC
Arches please test and mark stable.     
     
Target keywords:     
    
net-www/apache-1.3.33-r6: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86    
net-www/apache-2.0.54-r15: alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc   
x86   
net-www/mod_ssl-2.8.24-r1: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86  
   
    
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2005-09-10 23:44:54 UTC
net-www/apache-1.3.33-r6 wants to install net-www/mod_ssl-2.8.24 instead of 
-r1. Change the dep? 
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2005-09-10 23:46:19 UTC
oh wait.. net-www/mod_ssl-2.8.24 is correct. I have only read the mails I  
received and not comment #5 :-/ 
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-10 23:50:16 UTC
Sorry my mistake.    
  
=net-www/mod_ssl-2.8.24 should be marked stable not -r1 so new and hopefully  
correct target keywords:  
 
net-www/apache-1.3.33-r6: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86     
net-www/apache-2.0.54-r15: alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc    
x86    
net-www/mod_ssl-2.8.24: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86   
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2005-09-11 00:01:12 UTC
stable on ppc64 
Comment 11 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-11 07:02:48 UTC
Stable on hppa and ppc.
Comment 12 Jason Wever (RETIRED) gentoo-dev 2005-09-11 20:40:51 UTC
SPARCtastic
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2005-09-14 23:41:51 UTC
Alpha stable.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-14 23:50:55 UTC
Reopening for amd64 to mark stable. 
Comment 15 Simon Stelling (RETIRED) gentoo-dev 2005-09-16 04:20:45 UTC
amd64 stable, sorry for the delay
Comment 16 Bryan Østergaard (RETIRED) gentoo-dev 2005-09-17 17:22:15 UTC
ia64 done stabling.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-09-19 01:33:33 UTC
GLSA 200509-12