openSUSE Security Update : apache2-mod_nss (openSUSE-SU-2013:1956-1)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes
CVE-2013-4566: if 'NSSVerifyClient none' is set in the
server / vhost context (i.e. when the server is configured
not to request or require client certificate
authentication on the initial connection), and client
certificate authentication is expected to be required
for a specific directory via an 'NSSVerifyClient require'
setting, mod_nss fails to properly require certificate
authentication. A remote attacker can use this to access
content of the restricted directories. [bnc#853039]

- glue documentation added to
/etc/apache2/conf.d/mod_nss.conf :

  - simultaneous usage of mod_ssl and mod_nss

  - SNI concurrency

  - SUSE framework for apache configuration, Listen
  directive

  - module initialization

- mod_nss-conf.patch obsoleted by scratch-version of
nss.conf.in or mod_nss.conf, respectively. This also
leads to the removal of nss.conf.in specific chunks in
mod_nss-negotiate.patch and mod_nss-tlsv1_1.patch .

- mod_nss_migrate.pl conversion script added; not patched
from source, but partially rewritten.

- README-SUSE.txt added with step-by-step instructions on
how to convert and manage certificates and keys, as well
as a rationale about why mod_nss was included in SLES.

- package ready for submission [bnc#847216]

- generic cleanup of the package :

  - explicit Requires: to mozilla-nss >= 3.15.1, as TLS 1.2
  support came with this version; this is the objective
  behind this version update of apache2-mod_nss. Tracker
  bug [bnc#847216]

  - change path /etc/apache2/alias to /etc/apache2/mod_nss.d
  to avoid an ambiguously interpreted directory name.

  - merge content of /etc/apache2/alias into
  /etc/apache2/mod_nss.d if /etc/apache2/alias exists.

  - set explicit file modes 640 for %post generated *.db
  files in /etc/apache2/mod_nss.d
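The CVE-2013-4566 entry above describes a directive combination rather than a single bad value: 'NSSVerifyClient none' at server or vhost scope together with 'NSSVerifyClient require' inside a per-directory block. The following audit helper is an added example, not part of the openSUSE update, the mod_nss project or the Nessus plugin; it walks an Apache configuration file with awk, tracks nesting of Directory/Location/Files sections, and reports whether that combination is present so an administrator can confirm such hosts received the updated apache2-mod_nss package. The function names and the two sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not from the update or the plugin).
# Flags configurations that rely on a per-directory 'NSSVerifyClient require'
# while the enclosing server/vhost scope uses 'NSSVerifyClient none', the
# pattern that an unpatched mod_nss did not enforce (CVE-2013-4566).
#
# Usage: audit_nss_verifyclient /etc/apache2/vhosts.d/vhost-nss.conf
# Prints "pattern present"/"pattern absent" and returns 0/1 accordingly.
audit_nss_verifyclient() {
    if awk '
        # drop comments, normalise case and leading whitespace
        { sub(/#.*/, ""); line = tolower($0); sub(/^[ \t]+/, "", line) }
        # closing tags of directory-style sections reduce nesting depth
        line ~ /^<\/(directory|location|files)/ { depth--; next }
        # opening tags (incl. *Match variants) increase it; VirtualHost stays at depth 0
        line ~ /^<(directory|location|files)/   { depth++; next }
        line ~ /^nssverifyclient[ \t]/ {
            split(line, f)
            if (depth == 0 && f[2] == "none")    outer_none = 1
            if (depth >  0 && f[2] == "require") inner_require = 1
        }
        END { exit !(outer_none && inner_require) }
    ' "$1"; then
        echo "pattern present: $1"
        return 0
    else
        echo "pattern absent: $1"
        return 1
    fi
}

# Constructed sample: per-directory requirement under a vhost with 'none'.
make_sample_mixed() {
    cat > "$1" <<'EOF'
Listen 8443
<VirtualHost _default_:8443>
    NSSEngine on
    NSSVerifyClient none
    <Directory "/srv/www/secure">
        NSSVerifyClient require
    </Directory>
</VirtualHost>
EOF
}

# Constructed sample: requirement set at vhost scope, nothing to flag.
make_sample_uniform() {
    cat > "$1" <<'EOF'
Listen 8443
<VirtualHost _default_:8443>
    NSSEngine on
    NSSVerifyClient require
    <Directory "/srv/www/secure">
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Demonstration on the constructed files only; safe to run anywhere.
demo_dir=$(mktemp -d)
make_sample_mixed   "$demo_dir/mixed.conf"
make_sample_uniform "$demo_dir/uniform.conf"
audit_nss_verifyclient "$demo_dir/mixed.conf"   || true
audit_nss_verifyclient "$demo_dir/uniform.conf" || true
rm -rf "$demo_dir"
```

The check is a heuristic: it treats every VirtualHost as scope depth 0, so a 'none' in one vhost and a 'require' block in another are reported together, and it does not follow Include directives. A hit means the host should be verified against the package update, not that it is exploitable on its own.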

See also :

http://lists.opensuse.org/opensuse-updates/2013-12/msg00118.html
https://bugzilla.novell.com/show_bug.cgi?id=847216
https://bugzilla.novell.com/show_bug.cgi?id=853039

Solution :

Update the affected apache2-mod_nss packages.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

Family: SuSE Local Security Checks

Nessus Plugin ID: 74874

Bugtraq ID:

CVE ID: CVE-2013-4566
