541038 – (CVE-2015-2091) <www-apache/mod_gnutls-0.7.3: TLS Client auth: Check server verify mode if unset for dir (CVE-2015-2091)

Bug 541038 (CVE-2015-2091) - <www-apache/mod_gnutls-0.7.3: TLS Client auth: Check server verify mode if unset for dir (CVE-2015-2091)

Summary: <www-apache/mod_gnutls-0.7.3: TLS Client auth: Check server verify mode if un...

Status:	RESOLVED FIXED

Alias:	CVE-2015-2091

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://seclists.org/oss-sec/2015/q1/638
Whiteboard:	B3 [glsa cve]
Keywords:

Depends on:	580064 616610
Blocks:
	Show dependency tree

Reported:	2015-02-22 12:40 UTC by Kristian Fiskerstrand (RETIRED)
Modified:	2017-09-17 15:44 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kristian Fiskerstrand (RETIRED) gentoo-dev

2015-02-22 12:40:10 UTC

From ${URL}:
Hi,

mod-gnutls doesn't consider the server's client verify mode, even if the
verify mode was unset in the directory configuration. As a result,
invalid certificates are ignored and clients can connect and receive
data as long as they presented any certificate whatsoever.

  Debian bug: https://bugs.debian.org/578663
  Patch and detailed description: https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2

Could you please assign a CVE for this issue ?

Cheers,

--Seb

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2015-06-14 21:33:36 UTC

CVE-2015-2091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2091):
  The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earlier
  does not validate client certificates when "GnuTLSClientVerify require" is
  set, which allows remote attackers to spoof clients via a crafted
  certificate.

Comment 2 Yury German Gentoo Infrastructure

2015-07-16 11:51:10 UTC

This was fixed in Debian in:
mod-gnutls/0.6-1.3, mod-gnutls/0.5.10-1.1+deb7u1, mod-gnutls/0.5.6-1+squeeze2

Comment 3 Yury German Gentoo Infrastructure

2015-09-02 13:40:52 UTC

Ping for update on patching this vulnerability?

Comment 4 Yury German Gentoo Infrastructure

2015-12-21 13:45:47 UTC

It has been some time since this Bug received an update. Since it is security related, bringing it up to the surface so it is not forgotten.

Any updates?

Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2016-04-23 05:31:09 UTC

Tt's definitely fixed in mod_gnutls-0.7.3 which I have already slated for stabilization in bug #580064

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-17 21:35:51 UTC

GLSA Vote: Yes

New GLSA request filed.

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2017-09-17 15:44:24 UTC

This issue was resolved and addressed in
 GLSA 201709-04 at https://security.gentoo.org/glsa/201709-04
by GLSA coordinator Aaron Bauman (b-man).