[gentoo-announce] [ GLSA 200410-21 ] Apache 2, mod_ssl: Bypass of SSLCipherSuite directive - gentoo-announce

From:	Kurt Lieber <klieber@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200410-21 ] Apache 2, mod_ssl: Bypass of SSLCipherSuite directive
Date:	Thu, 21 Oct 2004 21:35:28
Message-Id:	`20041021212409.GK26288@mail.lieber.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200410-21

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Low

8

     Title: Apache 2, mod_ssl: Bypass of SSLCipherSuite directive

9

      Date: October 21, 2004

10

      Bugs: #66807

11

        ID: 200410-21

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

In certain configurations, it can be possible to bypass restrictions

19

set by the "SSLCipherSuite" directive of mod_ssl.

20

21

Background

22

==========

23

24

The Apache HTTP server is one of the most popular web servers on the

25

internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3

26

and is also included in Apache 2.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package          /  Vulnerable  /                      Unaffected

33

    -------------------------------------------------------------------

34

  1  net-www/apache       < 2.0.52                           >= 2.0.52

35

                                                                 < 2.0

36

  2  net-www/mod_ssl      < 2.8.20                           >= 2.8.20

37

    -------------------------------------------------------------------

38

     2 affected packages on all of their supported architectures.

39

    -------------------------------------------------------------------

40

41

Description

42

===========

43

44

A flaw has been found in mod_ssl where the "SSLCipherSuite" directive

45

could be bypassed in certain configurations if it is used in a

46

directory or location context to restrict the set of allowed cipher

47

suites.

48

49

Impact

50

======

51

52

A remote attacker could gain access to a location using any cipher

53

suite allowed by the server/virtual host configuration, disregarding

54

the restrictions by "SSLCipherSuite" for that location.

55

56

Workaround

57

==========

58

59

There is no known workaround at this time.

60

61

Resolution

62

==========

63

64

All Apache 2 users should upgrade to the latest version:

65

66

    # emerge sync

67

68

    # emerge -pv ">=net-www/apache-2.0.52"

69

    # emerge ">=net-www/apache-2.0.52"

70

71

All mod_ssl users should upgrade to the latest version:

72

73

    # emerge sync

74

75

    # emerge -pv ">=net-www/mod_ssl-2.8.20"

76

    # emerge ">=net-www/mod_ssl-2.8.20"

77

78

References

79

==========

80

81

  [ 1 ] CAN-2004-0885

82

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885

83

  [ 2 ] Apache HTTPD Bug 31505

84

        http://issues.apache.org/bugzilla/show_bug.cgi?id=31505

85

86

Availability

87

============

88

89

This GLSA and any updates to it are available for viewing at

90

the Gentoo Security Website:

91

92

  http://security.gentoo.org/glsa/glsa-200410-21.xml

93

94

Concerns?

95

=========

96

97

Security is a primary focus of Gentoo Linux and ensuring the

98

confidentiality and security of our users machines is of utmost

99

importance to us. Any security concerns should be addressed to

100

security@g.o or alternatively, you may file a bug at

101

http://bugs.gentoo.org.

102

103

License

104

=======

105

106

Copyright 2004 Gentoo Foundation, Inc; referenced text

107

belongs to its owner(s).

108

109

The contents of this document are licensed under the

110

Creative Commons - Attribution / Share Alike license.

111

112

http://creativecommons.org/licenses/by-sa/1.0

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200410-21
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Low
8	Title: Apache 2, mod_ssl: Bypass of SSLCipherSuite directive
9	Date: October 21, 2004
10	Bugs: #66807
11	ID: 200410-21
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	In certain configurations, it can be possible to bypass restrictions
19	set by the "SSLCipherSuite" directive of mod_ssl.
20
21	Background
22	==========
23
24	The Apache HTTP server is one of the most popular web servers on the
25	internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3
26	and is also included in Apache 2.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 net-www/apache < 2.0.52 >= 2.0.52
35	< 2.0
36	2 net-www/mod_ssl < 2.8.20 >= 2.8.20
37	-------------------------------------------------------------------
38	2 affected packages on all of their supported architectures.
39	-------------------------------------------------------------------
40
41	Description
42	===========
43
44	A flaw has been found in mod_ssl where the "SSLCipherSuite" directive
45	could be bypassed in certain configurations if it is used in a
46	directory or location context to restrict the set of allowed cipher
47	suites.
48
49	Impact
50	======
51
52	A remote attacker could gain access to a location using any cipher
53	suite allowed by the server/virtual host configuration, disregarding
54	the restrictions by "SSLCipherSuite" for that location.
55
56	Workaround
57	==========
58
59	There is no known workaround at this time.
60
61	Resolution
62	==========
63
64	All Apache 2 users should upgrade to the latest version:
65
66	# emerge sync
67
68	# emerge -pv ">=net-www/apache-2.0.52"
69	# emerge ">=net-www/apache-2.0.52"
70
71	All mod_ssl users should upgrade to the latest version:
72
73	# emerge sync
74
75	# emerge -pv ">=net-www/mod_ssl-2.8.20"
76	# emerge ">=net-www/mod_ssl-2.8.20"
77
78	References
79	==========
80
81	[ 1 ] CAN-2004-0885
82	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
83	[ 2 ] Apache HTTPD Bug 31505
84	http://issues.apache.org/bugzilla/show_bug.cgi?id=31505
85
86	Availability
87	============
88
89	This GLSA and any updates to it are available for viewing at
90	the Gentoo Security Website:
91
92	http://security.gentoo.org/glsa/glsa-200410-21.xml
93
94	Concerns?
95	=========
96
97	Security is a primary focus of Gentoo Linux and ensuring the
98	confidentiality and security of our users machines is of utmost
99	importance to us. Any security concerns should be addressed to
100	security@g.o or alternatively, you may file a bug at
101	http://bugs.gentoo.org.
102
103	License
104	=======
105
106	Copyright 2004 Gentoo Foundation, Inc; referenced text
107	belongs to its owner(s).
108
109	The contents of this document are licensed under the
110	Creative Commons - Attribution / Share Alike license.
111
112	http://creativecommons.org/licenses/by-sa/1.0

Gentoo Archives: gentoo-announce