Mailinglist Archive: opensuse-updates (130 mails)

openSUSE-SU-2013:1956-1: moderate: update for apache2-mod_nss
openSUSE Security Update: update for apache2-mod_nss
______________________________________________________________________________

Announcement ID: openSUSE-SU-2013:1956-1
Rating: moderate
References: #847216 #853039
Cross-References: CVE-2013-4566
Affected Products:
openSUSE 13.1
______________________________________________________________________________

An update that solves one vulnerability and has one erratum
is now available.

Description:


- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes
CVE-2013-4566: if 'NSSVerifyClient none' is set in the
server / vhost context (i.e. the server is configured not
to request or require client certificate authentication
on the initial connection), while client certificate
authentication is expected to be required for a specific
directory via an 'NSSVerifyClient require' setting, mod_nss
fails to enforce certificate authentication for that
directory. A remote attacker can use this to access content
in the restricted directories. [bnc#853039]

- glue documentation added to
/etc/apache2/conf.d/mod_nss.conf:
* simultaneous usage of mod_ssl and mod_nss
* SNI concurrency
* SUSE framework for apache configuration, Listen
directive
* module initialization
- mod_nss-conf.patch is obsoleted by a from-scratch
nss.conf.in or mod_nss.conf, respectively. This also
removes the nss.conf.in-specific chunks from
mod_nss-negotiate.patch and mod_nss-tlsv1_1.patch.
- mod_nss_migrate.pl conversion script added; not patched
from source, but partially rewritten.
- README-SUSE.txt added with step-by-step instructions on
how to convert and manage certificates and keys, as well
as a rationale about why mod_nss was included in SLES.
- package ready for submission [bnc#847216]

- generic cleanup of the package:
- explicit Requires: on mozilla-nss >= 3.15.1, as TLS 1.2
support arrived with that version; this is the objective
behind this version update of apache2-mod_nss. Tracker
bug [bnc#847216]
- change path /etc/apache2/alias to /etc/apache2/mod_nss.d
to avoid an ambiguous directory name.
- merge content of /etc/apache2/alias to
/etc/apache2/mod_nss.d if /etc/apache2/alias exists.
- set explicit file modes 640 for the %post generated *.db
files in /etc/apache2/mod_nss.d
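The misconfiguration described for CVE-2013-4566 above is a pattern that can be looked for in an existing configuration before the update is rolled out. The following is an added example, not code from this advisory, the openSUSE package or the mod_nss project: a small Python linter that parses an Apache-style configuration, tracks the server/vhost and per-directory contexts, and reports every 'NSSVerifyClient require' inside a Directory/Location/Files container whose enclosing server or vhost context is 'NSSVerifyClient none' (explicitly, or by default when the directive is absent). The sample configurations, host name and paths are constructed for the example. Treating 'optional' at vhost level as a mitigation is this example's reading of the advisory's wording (the bug needs a server context that does not request a certificate on the initial connection), is not stated on the page, and is no substitute for installing the fixed package.

```python
"""Lint an Apache/mod_nss configuration for the CVE-2013-4566 pattern.

Added example; not code from the openSUSE advisory or from mod_nss itself.
It encodes only what the advisory states: on an unpatched mod_nss,
'NSSVerifyClient none' at server/vhost level plus 'NSSVerifyClient require'
inside a per-directory container does not enforce client-certificate
authentication for that container.
"""
import re

# Containers whose directives are applied per request, i.e. after the initial
# TLS handshake has already completed without a client certificate.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}

_OPEN = re.compile(r"^<(\w+)(\s[^>]*)?>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def parse(conf_text):
    """Return (context, directive, value) triples for every directive line.

    context is a tuple of enclosing container tags, lower-cased; VirtualHost
    tags are numbered ('virtualhost#1', ...) so separate vhosts do not collide.
    Only full-line '#' comments are recognised, which is httpd's own rule.
    Include directives are not followed.
    """
    stack, vhosts, entries = [], 0, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            tag = m.group(1).lower()
            if tag == "virtualhost":
                vhosts += 1
                tag = "virtualhost#%d" % vhosts
            stack.append(tag)
            continue
        m = _CLOSE.match(line)
        if m:
            if not stack or stack[-1].split("#")[0] != m.group(1).lower():
                raise ValueError("unbalanced container: " + line)
            stack.pop()
            continue
        parts = line.split(None, 1)
        entries.append((tuple(stack), parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def _server_scope(context):
    """Nearest enclosing VirtualHost tag, or None for the main server."""
    for tag in reversed(context):
        if tag.startswith("virtualhost#"):
            return tag
    return None


def find_cve_2013_4566(conf_text):
    """Return the per-directory contexts (as 'tag/tag' paths) whose
    'NSSVerifyClient require' an unpatched mod_nss would not enforce."""
    entries = parse(conf_text)
    server_level = {}   # server scope -> NSSVerifyClient mode set there
    for ctx, name, value in entries:
        if name.lower() == "nssverifyclient" and not (PER_DIR & set(ctx)):
            server_level[_server_scope(ctx)] = value.lower()

    findings = []
    for ctx, name, value in entries:
        if name.lower() != "nssverifyclient" or value.lower() != "require":
            continue
        if not (PER_DIR & set(ctx)):
            continue                    # a server-level 'require' is enforced
        scope = _server_scope(ctx)
        # A vhost without its own directive inherits the main server's value;
        # if it is set nowhere, the module default is 'none'.
        effective = server_level.get(scope, server_level.get(None, "none"))
        if effective == "none":
            findings.append("/".join(ctx))
    return findings


# Constructed sample configuration (not from the advisory): the vulnerable
# shape. Host name and paths are hypothetical.
VULNERABLE_CONF = """\
<VirtualHost _default_:443>
    ServerName www.example.test
    NSSEngine on
    NSSVerifyClient none
    <Directory "/srv/www/htdocs/secure">
        NSSVerifyClient require
    </Directory>
</VirtualHost>
"""

# Same vhost, but a certificate is requested on the initial connection, so the
# per-directory 'require' has something to verify (assumed mitigation).
MITIGATED_CONF = VULNERABLE_CONF.replace("NSSVerifyClient none",
                                         "NSSVerifyClient optional")

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF),
                        ("mitigated", MITIGATED_CONF)):
        print(label, find_cve_2013_4566(conf))
```

Feed `find_cve_2013_4566` the contents of /etc/apache2/conf.d/mod_nss.conf and of every vhost file that carries NSS directives; since the parser does not follow Include directives, each file has to be passed separately, and a vhost that sets nothing inherits the main server's value exactly as the check assumes. The lint is only meaningful for the unpatched apache2-mod_nss-1.0.8 builds listed in this advisory.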


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2013-1030

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.1 (i586 x86_64):

apache2-mod_nss-1.0.8-0.4.6.4.1
apache2-mod_nss-debuginfo-1.0.8-0.4.6.4.1
apache2-mod_nss-debugsource-1.0.8-0.4.6.4.1


References:

http://support.novell.com/security/cve/CVE-2013-4566.html
https://bugzilla.novell.com/847216
https://bugzilla.novell.com/853039

