Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201709-04 ] mod_gnutls: Certificate validation error
Date: Sun, 17 Sep 2017 15:44:45
Message-Id: 9132087.0dVuK4Bvx6@localhost.localdomain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201709-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: mod_gnutls: Certificate validation error
Date: September 17, 2017
Bugs: #541038
ID: 201709-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in mod_gnutls allows remote attackers to spoof clients
via crafted certificates.

Background
==========

mod_gnutls is an extension for Apache's httpd. It uses the GnuTLS
library to provide HTTPS. It supports some protocols and features that
mod_ssl does not.

Affected packages
=================

-------------------------------------------------------------------
  Package               /     Vulnerable     /           Unaffected
-------------------------------------------------------------------
  1  www-apache/mod_gnutls       < 0.7.3                 >= 0.7.3

It was discovered that the authentication hook in mod_gnutls does not
validate client certificates even when the "GnuTLSClientVerify" option
is set to "require".

Impact
======

A remote attacker could present a crafted certificate and spoof client
data.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mod_gnutls users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apache/mod_gnutls-0.7.3"
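
As an added check that is not part of the advisory, the following POSIX shell script reads Gentoo's installed-package database and flags any mod_gnutls slot still in the affected range (< 0.7.3); it assumes the database lives under /var/db/pkg (override with PKGDB) and that versions are dotted numerics with an optional -rN revision.

```shell
# Added example, not part of GLSA 201709-04: report whether the installed
# www-apache/mod_gnutls is in the affected range (< 0.7.3).
# Assumption: a Gentoo host whose installed-package database is /var/db/pkg.
# Only numeric dotted versions with an optional -rN revision are handled.
PKGDB="${PKGDB:-/var/db/pkg}"
FIXED="0.7.3"   # first unaffected version per the advisory
# vercmp A B: prints lt, eq or gt comparing versions component-wise;
# a -rN Gentoo revision does not change the upstream version, so it is stripped.
vercmp() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    NR == 1 { sub(/-r[0-9]+$/, ""); na = split($0, a, "[.]") }
    NR == 2 { sub(/-r[0-9]+$/, ""); nb = split($0, b, "[.]") }
    END {
      m = (na > nb) ? na : nb
      for (i = 1; i <= m; i++) {
        x = (i <= na) ? a[i] + 0 : 0   # missing component counts as 0
        y = (i <= nb) ? b[i] + 0 : 0
        if (x < y) { print "lt"; exit }
        if (x > y) { print "gt"; exit }
      }
      print "eq"
    }'
}
# mod_gnutls_vulnerable VERSION: succeeds when VERSION < 0.7.3
mod_gnutls_vulnerable() {
  [ "$(vercmp "$1" "$FIXED")" = lt ]
}
# installed_mod_gnutls_versions: versions recorded in the package database
installed_mod_gnutls_versions() {
  for d in "$PKGDB"/www-apache/mod_gnutls-*; do
    [ -d "$d" ] || continue
    printf '%s\n' "${d##*/mod_gnutls-}"
  done
}
# check_host: one line per installed version; exit status 1 if any is affected
check_host() {
  rc=0; found=0
  for v in $(installed_mod_gnutls_versions); do
    found=1
    if mod_gnutls_vulnerable "$v"; then
      echo "AFFECTED: www-apache/mod_gnutls-$v < $FIXED (GLSA 201709-04)"; rc=1
    else
      echo "ok: www-apache/mod_gnutls-$v"
    fi
  done
  [ "$found" -eq 1 ] || echo "www-apache/mod_gnutls is not installed"
  return $rc
}
check_host
```

Run it on each httpd host after `emerge`; a non-zero exit status means the upgrade has not taken effect there.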

References
==========

[ 1 ] CVE-2015-2091
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2091

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201709-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
