openSUSE Security Update : apache2-mod_nss (openSUSE-SU-2013:1956-1)

medium Nessus Plugin ID 74874

Synopsis

The remote openSUSE host is missing a security update.

Description

- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566: If 'NSSVerifyClient none' is set in the server / vhost context (i.e. when server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication is expected to be required for a specific directory via 'NSSVerifyClient require' setting, mod_nss fails to properly require certificate authentication. Remote attacker can use this to access content of the restricted directories. [bnc#853039]

- glue documentation added to /etc/apache2/conf.d/mod_nss.conf :

- simultaneaous usage of mod_ssl and mod_nss

- SNI concurrency

- SUSE framework for apache configuration, Listen directive

- module initialization

- mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in or mod_nss.conf, respectively. This also leads to the removal of nss.conf.in specific chunks in mod_nss-negotiate.patch and mod_nss-tlsv1_1.patch .

- mod_nss_migrate.pl conversion script added; not patched from source, but partially rewritten.

- README-SUSE.txt added with step-by-step instructions on how to convert and manage certificates and keys, as well as a rationale about why mod_nss was included in SLES.

- package ready for submission [bnc#847216]

- generic cleanup of the package :

- explicit Requires: to mozilla-nss >= 3.15.1, as TLS-1.2 support came with this version - this is the objective behind this version update of apache2-mod_nss. Tracker bug [bnc#847216]

- change path /etc/apache2/alias to /etc/apache2/mod_nss.d to avoid ambiguously interpreted name of directory.

- merge content of /etc/apache2/alias to /etc/apache2/mod_nss.d if /etc/apache2/alias exists.

- set explicit filemodes 640 for %post generated *.db files in /etc/apache2/mod_nss.d

Solution

Update the affected apache2-mod_nss packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=847216

https://bugzilla.novell.com/show_bug.cgi?id=853039

https://lists.opensuse.org/opensuse-updates/2013-12/msg00118.html

Plugin Details

Severity: Medium

ID: 74874

File Name: openSUSE-2013-1030.nasl

Version: 1.4

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.7

CVSS v2

Risk Factor: Medium

Base Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:apache2-mod_nss, p-cpe:/a:novell:opensuse:apache2-mod_nss-debuginfo, p-cpe:/a:novell:opensuse:apache2-mod_nss-debugsource, cpe:/o:novell:opensuse:13.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 12/17/2013

Reference Information

CVE: CVE-2013-4566