openSUSE Security Update : apache2-mod_nss (openSUSE-SU-2013:1956-1)
Medium Nessus Plugin ID 74874
Synopsis
The remote openSUSE host is missing a security update.
Description
- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566: if 'NSSVerifyClient none' is set in the server / vhost context (i.e. when the server is configured not to request or require client certificate authentication on the initial connection), and client certificate authentication is expected to be required for a specific directory via the 'NSSVerifyClient require' setting, mod_nss fails to properly require certificate authentication. A remote attacker can use this to access the content of the restricted directories. [bnc#853039]
- glue documentation added to /etc/apache2/conf.d/mod_nss.conf:
  - simultaneous usage of mod_ssl and mod_nss
  - SNI concurrency
  - SUSE framework for apache configuration, Listen directive
  - module initialization
- mod_nss-conf.patch obsoleted by the scratch version of nss.conf.in or mod_nss.conf, respectively. This also leads to the removal of the nss.conf.in-specific chunks in mod_nss-negotiate.patch and mod_nss-tlsv1_1.patch.
- mod_nss_migrate.pl conversion script added; not patched from source, but partially rewritten.
- README-SUSE.txt added with step-by-step instructions on how to convert and manage certificates and keys, as well as a rationale about why mod_nss was included in SLES.
- package ready for submission [bnc#847216]
- generic cleanup of the package:
  - explicit Requires: on mozilla-nss >= 3.15.1, as TLS 1.2 support came with this version; this is the objective behind this version update of apache2-mod_nss. Tracker bug [bnc#847216]
  - change path /etc/apache2/alias to /etc/apache2/mod_nss.d to avoid an ambiguously interpreted directory name.
  - merge the content of /etc/apache2/alias into /etc/apache2/mod_nss.d if /etc/apache2/alias exists.
  - set explicit file mode 640 on the %post-generated *.db files in /etc/apache2/mod_nss.d
Solution
Update the affected apache2-mod_nss packages.