Gentoo Forums
[ GLSA 200410-21 ] Apache 2, mod_ssl: Bypass of SSLCipherSuite directive
GLSA
Posted: Thu Oct 21, 2004 11:34 pm    Post subject: [ GLSA 200410-21 ] Apache 2, mod_ssl: Bypass of SSLCipherSui

Gentoo Linux Security Advisory

Title: Apache 2, mod_ssl: Bypass of SSLCipherSuite directive (GLSA 200410-21)
Severity: low
Exploitable: remote
Date: October 21, 2004
Updated: December 30, 2007
Bug(s): #66807
ID: 200410-21

Synopsis


In certain configurations, it can be possible to bypass restrictions set by
the "SSLCipherSuite" directive of mod_ssl.


Background


The Apache HTTP server is one of the most popular web servers on the
internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 and
is also included in Apache 2.


Affected Packages

Package: www-servers/apache
Vulnerable: < 2.0.52
Unaffected: >= 2.0.52
Unaffected: < 2.0
Architectures: All supported architectures

Package: net-www/mod_ssl
Vulnerable: < 2.8.20
Unaffected: >= 2.8.20
Architectures: All supported architectures


Description


A flaw has been found in mod_ssl where the "SSLCipherSuite" directive could
be bypassed in certain configurations if it is used in a directory or
location context to restrict the set of allowed cipher suites.


Impact


A remote attacker could gain access to a location using any cipher suite
allowed by the server/virtual host configuration, disregarding the
restrictions by "SSLCipherSuite" for that location.


Workaround


There is no known workaround at this time.


Resolution


All Apache 2 users should upgrade to the latest version:
Code:
    # emerge sync
    # emerge -pv ">=www-servers/apache-2.0.52"
    # emerge ">=www-servers/apache-2.0.52"

All mod_ssl users should upgrade to the latest version:
Code:
    # emerge sync
    # emerge -pv ">=net-www/mod_ssl-2.8.20"
    # emerge ">=net-www/mod_ssl-2.8.20"


References

CAN-2004-0885
Apache HTTPD Bug 31505


Last edited by GLSA on Fri Dec 16, 2011 4:17 am; edited 4 times in total
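
The Description ties the flaw to "SSLCipherSuite" used in a directory or location context, so the following added example, which is not part of the advisory, scans a configuration for such directives and checks a www-servers/apache version against the affected range listed above. The function names and the sample configuration are constructed for illustration; line continuations, Include files and .htaccess files are not followed.

```python
import re

# Containers that put a directive in directory/location (per-directory) context.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch"}
OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")

def per_dir_cipher_rules(conf_text):
    """Return (line_no, enclosing_section, cipher_spec) for per-directory SSLCipherSuite."""
    stack, hits = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()  # assumes well-nested containers
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2)))
            continue
        parts = line.split(None, 1)
        scope = [s for s in stack if s[0] in PER_DIR]
        if parts[0].lower() == "sslciphersuite" and len(parts) == 2 and scope:
            hits.append((no, "<%s %s>" % scope[-1], parts[1]))
    return hits

def apache_in_vulnerable_range(version):
    """True for www-servers/apache >= 2.0 and < 2.0.52, the range the advisory lists."""
    v = tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3])
    return (2, 0) <= v < (2, 0, 52)

# Constructed sample configuration, not taken from the advisory.
SAMPLE = """\
<VirtualHost *:443>
    SSLCipherSuite ALL:!ADH
    <Location "/admin">
        SSLCipherSuite HIGH:!aNULL
    </Location>
    <Directory /var/www/private>
        SSLCipherSuite HIGH
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for no, section, spec in per_dir_cipher_rules(SAMPLE):
        print(f"line {no}: {section} restricts ciphers to {spec}")
    print("2.0.51-r1 in vulnerable range:", apache_in_vulnerable_range("2.0.51-r1"))
```

A host is exposed in the way the Impact section describes only when both checks are positive: the installed version is in the vulnerable range and at least one per-directory "SSLCipherSuite" rule is stricter than the server or virtual host setting.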