openSUSE Security Update : apache2-mod_nss (openSUSE-SU-2013:1956-1)

Medium Nessus Plugin ID 74874


The remote openSUSE host is missing a security update.


- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566: If 'NSSVerifyClient none' is set in the server / vhost context (i.e. when the server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication is expected to be required for a specific directory via the 'NSSVerifyClient require' setting, mod_nss fails to properly require certificate authentication. A remote attacker can use this to access the content of the restricted directories. [bnc#853039]

- glue documentation added to /etc/apache2/conf.d/mod_nss.conf:

  - simultaneous usage of mod_ssl and mod_nss

  - SNI concurrency

  - SUSE framework for apache configuration, Listen directive

  - module initialization

- mod_nss-conf.patch obsoleted by scratch-version of or mod_nss.conf, respectively. This also leads to the removal of specific chunks in mod_nss-negotiate.patch and mod_nss-tlsv1_1.patch .

- conversion script added; not patched from source, but partially rewritten.

- README-SUSE.txt added with step-by-step instructions on how to convert and manage certificates and keys, as well as a rationale about why mod_nss was included in SLES.

- package ready for submission [bnc#847216]

- generic cleanup of the package:

  - explicit Requires: to mozilla-nss >= 3.15.1, as TLS-1.2 support came with this version - this is the objective behind this version update of apache2-mod_nss. Tracker bug [bnc#847216]

  - change path /etc/apache2/alias to /etc/apache2/mod_nss.d to avoid ambiguously interpreted name of directory.

  - merge content of /etc/apache2/alias to /etc/apache2/mod_nss.d if /etc/apache2/alias exists.

  - set explicit filemodes 640 for %post generated *.db files in /etc/apache2/mod_nss.d


Update the affected apache2-mod_nss packages.
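To see which sections depend on the behaviour that CVE-2013-4566 breaks, the following added example (not part of the plugin or of mod_nss) scans Apache configuration text for the pattern described above: 'NSSVerifyClient none' in the server / vhost context combined with 'NSSVerifyClient require' in a per-directory section. The function name and the sample configuration are constructed for illustration, and the caller is assumed to pass in the text of any Include'd files as well.

```python
import re

SECTION_OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
SECTION_CLOSE = re.compile(r"<\s*/\s*\w+\s*>")
DIRECTIVE = re.compile(r"NSSVerifyClient\s+(\S+)", re.I)
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}

# Constructed sample configuration, not taken from a real host.
SAMPLE = """
<VirtualHost _default_:8443>
    NSSVerifyClient none
    <Directory "/srv/www/htdocs/private">
        NSSVerifyClient require
    </Directory>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    NSSVerifyClient require
    <Location /admin>
        NSSVerifyClient require
    </Location>
</VirtualHost>
"""

def find_exposed_sections(conf_text):
    """Return (vhost, section) pairs where 'require' is set per directory
    while the enclosing server / vhost context is set to 'none'."""
    stack, scope_mode, per_dir = [], {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip().strip('"')))
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(1).lower()
        vhost = next((a for k, a in stack if k.lower() == "virtualhost"), "server")
        inner = [s for s in stack if s[0].lower() in PER_DIR]
        if not inner:
            scope_mode[vhost] = value      # server / vhost level setting
        elif value == "require":
            per_dir.append((vhost, "%s %s" % inner[-1]))
    return [(v, s) for v, s in per_dir
            if scope_mode.get(v, scope_mode.get("server")) == "none"]
```

Sections reported by this check are the ones whose client certificate requirement is not enforced on an unpatched package; the check does not replace installing the update.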

Plugin Details

Severity: Medium

ID: 74874

File Name: openSUSE-2013-1030.nasl

Version: $Revision: 1.1 $

Type: local

Agent: unix

Published: 2014/06/13

Modified: 2014/06/13

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:apache2-mod_nss, p-cpe:/a:novell:opensuse:apache2-mod_nss-debuginfo, p-cpe:/a:novell:opensuse:apache2-mod_nss-debugsource, cpe:/o:novell:opensuse:13.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2013/12/17

Reference Information

CVE: CVE-2013-4566