GLSA Bodhisattva
Posted: Thu Oct 21, 2004 11:34 pm Post subject: [ GLSA 200410-21 ] Apache 2, mod_ssl: Bypass of SSLCipherSui
Gentoo Linux Security Advisory
Title: Apache 2, mod_ssl: Bypass of SSLCipherSuite directive (GLSA 200410-21)
Severity: low
Exploitable: remote
Date: October 21, 2004
Updated: December 30, 2007
Bug(s): #66807
ID: 200410-21
Synopsis
In certain configurations, it is possible to bypass restrictions set by
the "SSLCipherSuite" directive of mod_ssl.
Background
The Apache HTTP server is one of the most popular web servers on the
internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 and
is also included in Apache 2.
Affected Packages
Package: www-servers/apache
Vulnerable: < 2.0.52
Unaffected: >= 2.0.52
Unaffected: < 2.0
Architectures: All supported architectures
Package: net-www/mod_ssl
Vulnerable: < 2.8.20
Unaffected: >= 2.8.20
Architectures: All supported architectures
Description
A flaw has been found in mod_ssl where the "SSLCipherSuite" directive could
be bypassed in certain configurations if it is used in a directory or
location context to restrict the set of allowed cipher suites.
Impact
A remote attacker could gain access to a location using any cipher suite
allowed by the server/virtual host configuration, disregarding the
restrictions set by "SSLCipherSuite" for that location.
Workaround
There is no known workaround at this time.
Resolution
All Apache 2 users should upgrade to the latest version:
Code:
# emerge sync
# emerge -pv ">=www-servers/apache-2.0.52"
# emerge ">=www-servers/apache-2.0.52"
All mod_ssl users should upgrade to the latest version:
Code:
# emerge sync
# emerge -pv ">=net-www/mod_ssl-2.8.20"
# emerge ">=net-www/mod_ssl-2.8.20"
References
CAN-2004-0885
Apache HTTPD Bug 31505
Last edited by GLSA on Fri Dec 16, 2011 4:17 am; edited 4 times in total
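Added example, not part of the advisory and not Gentoo or Apache project code: a Python check that lists the "SSLCipherSuite" directives set in a directory or location context, which are the restrictions the Description says can be bypassed, and applies the advisory's version bounds for www-servers/apache. The sample configuration, the function names and the set of containers treated as per-directory context are assumptions.

```python
import re

# Containers that put a directive in per-directory context (assumption: the
# advisory only says "directory or location context").
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW
    <Location /secure>
        SSLCipherSuite HIGH:!ADH
    </Location>
</VirtualHost>
"""

def apache_affected(version):
    """Advisory bounds for www-servers/apache: >= 2.0 and < 2.0.52."""
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return (2, 0) <= v < (2, 0, 52)

def per_location_cipher_rules(conf_text):
    """Return (line, enclosing container, cipher spec) for each
    SSLCipherSuite set inside a per-directory container."""
    stack, hits = [], []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        opened = re.match(r"<(\w+)\s*([^>]*)>", line)
        if re.match(r"</\w+>", line):
            if stack:
                stack.pop()
        elif opened:
            stack.append((opened.group(1).lower(), opened.group(2).strip()))
        else:
            m = re.match(r"SSLCipherSuite\s+(\S+)", line, re.I)
            scope = [s for s in stack if s[0] in PER_DIR]
            if m and scope:
                hits.append((n, "%s %s" % scope[-1], m.group(1)))
    return hits

def audit(conf_text, version):
    """Rules whose restriction is not reliable on this Apache 2 version."""
    return per_location_cipher_rules(conf_text) if apache_affected(version) else []

if __name__ == "__main__":
    for n, where, spec in audit(SAMPLE_CONF, "2.0.51"):
        print("line %d: <%s> restricts ciphers to %s; upgrade to >= 2.0.52" % (n, where, spec))
```

The server-level and virtual-host-level "SSLCipherSuite" lines are deliberately not reported, since the advisory concerns only the per-location restriction.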