From 4f2d7949f03e1c198bc888f2d05f421d35c57e21 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 9 Oct 2017 18:53:29 +0100 Subject: reinit the tree, so we can have metadata --- metadata/glsa/glsa-201709-04.xml | 55 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 metadata/glsa/glsa-201709-04.xml (limited to 'metadata/glsa/glsa-201709-04.xml') diff --git a/metadata/glsa/glsa-201709-04.xml b/metadata/glsa/glsa-201709-04.xml new file mode 100644 index 000000000000..d64934455429 --- /dev/null +++ b/metadata/glsa/glsa-201709-04.xml @@ -0,0 +1,55 @@ + + + + mod_gnutls: Certificate validation error + A vulnerability in mod_gnutls allows remote attackers to spoof + clients via crafted certificates. + + mod_gnutls + 2017-09-17 + 2017-09-17: 1 + 541038 + remote + + + 0.7.3 + 0.7.3 + + + +

mod_gnutls is an extension for ​Apache’s httpd. It uses the + ​GnuTLS library to provide HTTPS. It supports some protocols and + features that mod_ssl does not. +

+ +
+ +

It was discovered that the authentication hook in mod_gnutls does not + validate client’s certificates even when option + “GnuTLSClientVerify” is set to “require”. +

+
+ +

A remote attacker could present a crafted certificate and spoof clients + data. +

+
+ +

There is no known workaround at this time.

+
+ +

All mod_gnutls users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/mod_gnutls-0.7.3" + +
+ + + CVE-2015-2091 + + + whissi + chrisadr +
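Review bot: The impact paragraph ("A remote attacker could present a crafted certificate and spoof clients data.") is ungrammatical and does not match the synopsis, which says "spoof clients via crafted certificates". Since the description states that the authentication hook does not validate client certificates even when "GnuTLSClientVerify" is set to "require", the impact would read more clearly as a bypass of client certificate authentication, with the same wording used in the synopsis. In the description, "validate client's certificates" should be "validate client certificates". Separately, the commit subject ("reinit the tree, so we can have metadata") says nothing about this advisory, so anyone tracing when glsa-201709-04.xml entered the tree has only the file path to go on.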
-- cgit v1.2.3