openSUSE-SU-2013:1956-1: moderate: update for apache2-mod_nss
openSUSE Security Update: update for apache2-mod_nss
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:1956-1
Rating:             moderate
References:         #847216 #853039
Cross-References:   CVE-2013-4566
Affected Products:
                    openSUSE 13.1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   - mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
     If 'NSSVerifyClient none' is set in the server / vhost context
     (i.e. when the server is configured not to request or require
     client certificate authentication on the initial connection), and
     client certificate authentication is expected to be required for a
     specific directory via the 'NSSVerifyClient require' setting,
     mod_nss fails to properly require certificate authentication. A
     remote attacker can use this to access content of the restricted
     directories. [bnc#853039]
   - glue documentation added to /etc/apache2/conf.d/mod_nss.conf:
     * simultaneous usage of mod_ssl and mod_nss
     * SNI concurrency
     * SUSE framework for apache configuration, Listen directive
     * module initialization
   - mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in or
     mod_nss.conf, respectively. This also leads to the removal of
     nss.conf.in specific chunks in mod_nss-negotiate.patch and
     mod_nss-tlsv1_1.patch.
   - mod_nss_migrate.pl conversion script added; not patched from
     source, but partially rewritten.
   - README-SUSE.txt added with step-by-step instructions on how to
     convert and manage certificates and keys, as well as a rationale
     about why mod_nss was included in SLES.
   - package ready for submission [bnc#847216]
   - generic cleanup of the package:
     - explicit Requires: to mozilla-nss >= 3.15.1, as TLS-1.2 support
       came with this version - this is the objective behind this
       version update of apache2-mod_nss. Tracker bug [bnc#847216]
     - change path /etc/apache2/alias to /etc/apache2/mod_nss.d to
       avoid an ambiguously interpreted directory name.
     - merge content of /etc/apache2/alias into /etc/apache2/mod_nss.d
       if /etc/apache2/alias exists.
     - set explicit file modes 640 for %post generated *.db files in
       /etc/apache2/mod_nss.d

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2013-1030

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.1 (i586 x86_64):

      apache2-mod_nss-1.0.8-0.4.6.4.1
      apache2-mod_nss-debuginfo-1.0.8-0.4.6.4.1
      apache2-mod_nss-debugsource-1.0.8-0.4.6.4.1

References:

   http://support.novell.com/security/cve/CVE-2013-4566.html
   https://bugzilla.novell.com/847216
   https://bugzilla.novell.com/853039
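An exposure check a defender can run after reading the advisory, added here as an example (it is not part of the advisory or of the mod_nss project). It answers two questions: whether an installed apache2-mod_nss build is older than the fixed package 1.0.8-0.4.6.4.1 listed above, and whether an Apache configuration relies on the affected pattern ('NSSVerifyClient none' in server/vhost context with 'NSSVerifyClient require' inside a <Directory> or <Location> block). The version comparison is an approximation of rpm's rpmvercmp written for this example, the sample configuration is constructed, and treating an unset NSSVerifyClient as the default 'none' is an assumption rather than a statement from the advisory.

```python
"""Exposure check for openSUSE-SU-2013:1956-1 / CVE-2013-4566 (added example).

  1. Is the installed apache2-mod_nss older than the fixed build
     1.0.8-0.4.6.4.1 from the advisory's package list?
  2. Does the Apache configuration use the affected pattern, i.e.
     'NSSVerifyClient none' in server/vhost context combined with
     'NSSVerifyClient require' inside a <Directory> or <Location> block?
The sample configuration below is constructed for this example.
"""
import re

FIXED_EVR = "1.0.8-0.4.6.4.1"   # VERSION-RELEASE from the advisory's package list


def _segments(s):
    """rpm-style split into runs of digits and runs of letters (separators dropped)."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Approximation of rpm's rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1          # numeric segment ranks above alphabetic
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1   # the longer string is the newer one
    return 0


def package_is_fixed(installed_evr, fixed_evr=FIXED_EVR):
    """True if an installed 'VERSION-RELEASE' string is at least the fixed build.

    Obtain the string with:  rpm -q --qf '%{VERSION}-%{RELEASE}' apache2-mod_nss
    """
    iv, ir = installed_evr.split("-", 1)
    fv, fr = fixed_evr.split("-", 1)
    c = rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)   # release decides only on equal version
    return c >= 0


_OPEN = re.compile(r"^<(VirtualHost|Directory|Location)\b[^>]*>", re.I)
_CLOSE = re.compile(r"^</(VirtualHost|Directory|Location)>", re.I)
_VERIFY = re.compile(r"^NSSVerifyClient\s+(\S+)", re.I)


def find_affected_blocks(config_text):
    """Return headers of <Directory>/<Location> blocks that set 'NSSVerifyClient
    require' while their enclosing vhost/server context sets 'NSSVerifyClient none'."""
    server_verify = None        # explicit value in the top-level server context
    stack = []                  # open blocks as [kind, header, own NSSVerifyClient value]
    closed_dirs = []            # (directory/location block, enclosing vhost block or None)
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and surrounding whitespace
        if _OPEN.match(line):
            stack.append([_OPEN.match(line).group(1).lower(), line, None])
        elif _CLOSE.match(line) and stack:
            block = stack.pop()
            if block[0] != "virtualhost":
                vhost = next((b for b in reversed(stack) if b[0] == "virtualhost"), None)
                closed_dirs.append((block, vhost))
        elif _VERIFY.match(line):
            value = _VERIFY.match(line).group(1).lower()
            if stack:
                stack[-1][2] = value
            else:
                server_verify = value
    affected = []
    for block, vhost in closed_dirs:
        # evaluated after the whole file is read, so a vhost directive that
        # appears below its <Directory> block is still taken into account
        ctx = vhost[2] if vhost and vhost[2] is not None else server_verify
        if ctx is None:
            ctx = "none"        # assumption: an unset directive behaves as the default 'none'
        if block[2] == "require" and ctx == "none":
            affected.append(block[1])
    return affected


SAMPLE_CONF = """\
# constructed sample configuration for this example, not a real host's file
Listen 8443
NSSVerifyClient none
<VirtualHost *:8443>
    NSSEngine on
    <Directory /srv/www/htdocs/secure>
        NSSVerifyClient require   # affected: enclosing context is 'none'
    </Directory>
</VirtualHost>
<VirtualHost *:9443>
    NSSEngine on
    NSSVerifyClient optional
    <Directory /srv/www/htdocs/partners>
        NSSVerifyClient require   # not the pattern the advisory describes
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for evr in ("1.0.8-0.4.6.3.1", FIXED_EVR):
        state = "fixed" if package_is_fixed(evr) else "VULNERABLE, apply patch openSUSE-2013-1030"
        print(evr, state)
    for header in find_affected_blocks(SAMPLE_CONF):
        print("affected block:", header)
```

On a real host, feed `package_is_fixed` the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' apache2-mod_nss` and `find_affected_blocks` the contents of /etc/apache2/conf.d/mod_nss.conf and the vhost files it includes; blocks reported as affected are the ones whose client-certificate requirement the unpatched module does not enforce, so they are where access logs deserve a look until the update is applied.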