[SECURITY] Fedora 20 Update: mod_nss-1.0.8-28.fc20

updates at fedoraproject.org
Sat Dec 14 03:03:31 UTC 2013

Fedora Update Notification
2013-12-05 00:21:46

Name        : mod_nss
Product     : Fedora 20
Version     : 1.0.8
Release     : 28.fc20
URL         : http://directory.fedoraproject.org/wiki/Mod_nss
Summary     : SSL/TLS module for the Apache HTTP server
Description :
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.

Update Information:

A flaw was found in the way NSSVerifyClient was handled when used in both the server / vhost context and the directory context (specified via either a <Directory> or a <Location> directive).  If 'NSSVerifyClient none' was set in the server / vhost context (i.e. when the server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication was expected to be required for a specific directory via the 'NSSVerifyClient require' setting, mod_nss failed to properly require the expected certificate authentication.  A remote attacker able to connect to a web server using such a mod_nss configuration, and without a valid client certificate, could possibly use this flaw to access the content of the restricted directories.
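To check whether a configuration uses the pattern described above, the following added example (not part of the Fedora notice or of mod_nss) scans Apache configuration text for a directory-context 'NSSVerifyClient require' under a server / vhost context set to 'none'. The sample configuration and the function name are constructed for illustration, and treating an unset server-level value as 'none' is an assumption.

```python
import re

OPEN = re.compile(r"<(\w+)\b[^>]*>")
CLOSE = re.compile(r"</\w+>")
PER_DIR = {"directory", "directorymatch", "location", "locationmatch"}

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
NSSEngine on
<VirtualHost *:443>
    NSSVerifyClient none
    <Location /public>
        NSSVerifyClient none
    </Location>
    <Directory "/var/www/private">
        NSSVerifyClient require
    </Directory>
</VirtualHost>
<VirtualHost *:8443>
    NSSVerifyClient require
    <Location /admin>
        NSSVerifyClient require
    </Location>
</VirtualHost>
"""

def affected_sections(conf_text):
    """Return (server/vhost, section) pairs matching the CVE-2013-4566 pattern."""
    stack = []                    # open sections as (lowercased name, raw line)
    base = {"<server>": "none"}   # assumption: unset server-level value means none
    requires = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN.fullmatch(line)
        if opened:
            stack.append((opened.group(1).lower(), line))
            continue
        words = line.split()
        if words[0].lower() != "nssverifyclient" or len(words) < 2:
            continue
        vhost = next((l for n, l in stack if n == "virtualhost"), "<server>")
        section = next((l for n, l in reversed(stack) if n in PER_DIR), None)
        if section is None:
            base[vhost] = words[1].lower()       # server / vhost context
        elif words[1].lower() == "require":
            requires.append((vhost, section))    # directory context
    return [(v, s) for v, s in requires if base.get(v, base["<server>"]) == "none"]
```

The scan does not follow Include directives, so run it over each configuration file; any section it reports relied on the behaviour fixed in this update.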

* Tue Dec  3 2013 Rob Crittenden <rcritten at redhat.com> - 1.0.8-28
- Resolves: CVE-2013-4566, bz #1036940
- [mod_nss-nssverifyclient.patch]
- Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of
  NSSVerifyClient in directory context [fedora-all] (rcritten)
- Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in
  Directory (rcritten)
- [mod_nss-usecases.patch]
- Bugzilla Bug #1036940 - [DOC] making mod_nss work in FIPS mode (mharmsen)

  [ 1 ] Bug #1016832 - CVE-2013-4566 mod_nss: incorrect handling of NSSVerifyClient in directory context

This update can be installed with the "yum" update program.  Use 
su -c 'yum update mod_nss' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
