Bug 496112 (CVE-2013-4566) - <www-apache/mod_nss-1.0.11: Auth bypass via NSSVerifyClient (CVE-2013-4566)
Status: RESOLVED FIXED
Alias: CVE-2013-4566
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Reported: 2013-12-27 01:47 UTC by GLSAMaker/CVETool Bot
Modified: 2016-02-09 23:26 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 01:47:59 UTC
CVE-2013-4566 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4566):
  mod_nss 1.0.8 and earlier, when NSSVerifyClient is set to none for the
  server/vhost context, does not enforce the NSSVerifyClient setting in the
  directory context, which allows remote attackers to bypass intended access
  restrictions.


Patch available at http://pkgs.fedoraproject.org/cgit/mod_nss.git/tree/mod_nss-nssverifyclient.patch?id=63709b8. As with the other mod_nss CVE, probably just should revbump, upstream's been inactive quite a while.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-09 23:25:24 UTC
Fixed in 1.0.9 upstream, already out of tree, closing noglsa
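
A defender-side check for the configuration pattern the CVE description names, as an added example that is not part of the bug report or of mod_nss: it scans Apache configuration text for a per-directory `NSSVerifyClient require` or `optional` under a server or vhost whose own setting is `none`. The sample config, the function name and the treatment of an unset server-level value as `none` are assumptions made here.

```python
import re

# Constructed sample config (not from the bug report).
SAMPLE_CONF = """\
<VirtualHost *:8443>
    NSSVerifyClient none
    <Directory "/var/www/secure">
        NSSVerifyClient require
    </Directory>
</VirtualHost>
<VirtualHost *:9443>
    NSSVerifyClient require
    <Directory "/var/www/admin">
        NSSVerifyClient require
    </Directory>
</VirtualHost>
"""

PER_DIR = {"directory", "directorymatch", "location", "locationmatch", "files", "filesmatch"}
OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\w+\s*>")
VERIFY = re.compile(r"NSSVerifyClient\s+(\w+)", re.I)

def find_affected_overrides(conf_text):
    """Return (line_no, section, argument) for each per-directory NSSVerifyClient
    require/optional whose enclosing server/vhost setting is 'none'."""
    stack, server_level, overrides = [], {}, []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := OPEN.match(line)):
            stack.append((m.group(1).lower(), m.group(2).strip(), no))
        elif (m := VERIFY.match(line)):
            value = m.group(1).lower()
            # Scope key: opening line of the enclosing vhost, 0 for the main server.
            vhost = next((s[2] for s in reversed(stack) if s[0] == "virtualhost"), 0)
            inner = next((s for s in reversed(stack) if s[0] in PER_DIR), None)
            if inner:
                overrides.append((no, inner[0], inner[1], value, vhost))
            else:
                server_level[vhost] = value
    # Resolve after the full pass: a vhost-level directive may follow the block.
    # Assumption: an unset server-level value is treated as "none".
    return [(no, sect, arg) for no, sect, arg, value, vhost in overrides
            if server_level.get(vhost, server_level.get(0, "none")) == "none"
            and value in ("require", "optional")]
```

Each tuple returned is a location to review on hosts still running mod_nss 1.0.8 or earlier; `Include`d files are not followed, so pass each file's text separately.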