gentoo-overlay/metadata/glsa/glsa-201709-04.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-04">
<title>mod_gnutls: Certificate validation error</title>
<synopsis>A vulnerability in mod_gnutls allows remote attackers to spoof
clients via crafted certificates.
</synopsis>
<product type="ebuild">mod_gnutls</product>
<announced>2017-09-17</announced>
<revised count="1">2017-09-17</revised>
<bug>541038</bug>
<access>remote</access>
<affected>
<package name="www-apache/mod_gnutls" auto="yes" arch="*">
<unaffected range="ge">0.7.3</unaffected>
<vulnerable range="lt">0.7.3</vulnerable>
</package>
</affected>
<background>
<p>mod_gnutls is an extension for Apache's httpd. It uses the
GnuTLS library to provide HTTPS. It supports some protocols and
features that mod_ssl does not.
</p>
</background>
<description>
<p>It was discovered that the authentication hook in mod_gnutls does not
validate clients' certificates even when the option
“GnuTLSClientVerify” is set to “require”.
</p>
</description>
<impact type="normal">
<p>A remote attacker could present a crafted certificate and spoof clients'
data.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All mod_gnutls users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-apache/mod_gnutls-0.7.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2091">
CVE-2015-2091
</uri>
</references>
<metadata tag="requester" timestamp="2017-06-17T21:37:14Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-09-17T15:43:18Z">chrisadr</metadata>
</glsa>