From ${URL}:
Hi, mod-gnutls doesn't consider the server's client verify mode, even if the verify mode was unset in the directory configuration. As a result, invalid certificates are ignored and clients can connect and receive data as long as they presented any certificate whatsoever.
Debian bug: https://bugs.debian.org/578663
Patch and detailed description: https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2
Could you please assign a CVE for this issue?
Cheers, --Seb
CVE-2015-2091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2091): The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earlier does not validate client certificates when "GnuTLSClientVerify require" is set, which allows remote attackers to spoof clients via a crafted certificate.
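Added example, not taken from this thread or from the mod_gnutls code: a quick way to see the difference between "a certificate was presented" (the check the vulnerable authz hook effectively performed) and "the certificate verifies against the configured CA" (what GnuTLSClientVerify require is supposed to enforce), using only the openssl command-line tool. The CA name, the subject names and the scratch directory are made up for the demo; the rogue certificate reuses the legitimate subject name to show that the name alone proves nothing.

```shell
#!/bin/sh
# Added demo, not part of the bug thread or of mod_gnutls.
# Builds a private CA, one certificate issued by it and one self-signed
# "any certificate whatsoever", then checks both the way a correct
# client-verify implementation must: chain validation, not mere presence.
set -eu

WORK=$(mktemp -d)               # scratch dir, removed on exit
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The CA the server trusts (what GnuTLSClientCAFile would point at).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test-CA" -keyout ca.key -out ca.pem 2>/dev/null

# 2. A legitimate client certificate, signed by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -days 1 -in client.csr -CA ca.pem -CAkey ca.key \
    -CAcreateserial -out client.pem 2>/dev/null

# 3. A rogue certificate: self-signed, same subject, never seen by the CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=client" -keyout rogue.key -out rogue.pem 2>/dev/null

# cert_present CERT: the only thing the vulnerable hook effectively asked,
# "did the peer hand us something that parses as a certificate?"
cert_present() {
    if openssl x509 -in "$1" -noout 2>/dev/null; then echo yes; else echo no; fi
}

# check_client_cert CERT: what "GnuTLSClientVerify require" must mean,
# "does CERT chain to a trusted CA?"  Prints trusted or rejected.
check_client_cert() {
    if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# probe_server HOST:PORT: how one would test a live server for this bug.
# Not invoked here (needs network); a 200 response to a request sent over
# this connection means the server accepted an untrusted client cert.
probe_server() {
    openssl s_client -connect "$1" -cert "$WORK/rogue.pem" -key "$WORK/rogue.key" -quiet
}

for c in client.pem rogue.pem; do
    printf '%-11s present=%s  verified=%s\n' "$c" \
        "$(cert_present "$WORK/$c")" "$(check_client_cert "$WORK/$c")"
done
```

Both files pass the presence check; only client.pem passes chain validation. A server that lets the rogue certificate through with require set is exhibiting exactly the behaviour the report describes.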
This was fixed in Debian in: mod-gnutls/0.6-1.3, mod-gnutls/0.5.10-1.1+deb7u1, mod-gnutls/0.5.6-1+squeeze2
Ping for update on patching this vulnerability?
It has been some time since this Bug received an update. Since it is security related, bringing it up to the surface so it is not forgotten. Any updates?
It's definitely fixed in mod_gnutls-0.7.3 which I have already slated for stabilization in bug #580064
GLSA Vote: Yes. New GLSA request filed.
This issue was resolved and addressed in GLSA 201709-04 at https://security.gentoo.org/glsa/201709-04 by GLSA coordinator Aaron Bauman (b-man).