[mod_nss/f18] Resolves: CVE-2013-4566
mharmsen
mharmsen at fedoraproject.org
Wed Dec 4 01:57:14 UTC 2013
commit 443a42ee29d739e4c1e46a831186479560887335
Author: Matthew Harmsen <mharmsen at redhat.com>
Date: Tue Dec 3 17:56:47 2013 -0800
Resolves: CVE-2013-4566
- [mod_nss-nssverifyclient.patch]
- Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of
NSSVerifyClient in directory context [fedora-all]
- Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in
Directory
clog | 7 +++++++
mod_nss-nssverifyclient.patch | 12 ++++++++++++
mod_nss.spec | 22 ++++++++++++++++++++--
3 files changed, 39 insertions(+), 2 deletions(-)
---
diff --git a/clog b/clog
new file mode 100644
index 0000000..9792c5d
--- /dev/null
+++ b/clog
@@ -0,0 +1,7 @@
+Resolves: CVE-2013-4566
+
+- [mod_nss-nssverifyclient.patch]
+- Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of
+ NSSVerifyClient in directory context [fedora-all]
+- Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in
+ Directory
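Review bot: The new top-level `clog` file repeats the commit message and the %changelog entry word for word, and nothing in mod_nss.spec references it. It looks like a scratch file used to compose the commit message; if so, drop it from the commit and add it to .gitignore.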
diff --git a/mod_nss-nssverifyclient.patch b/mod_nss-nssverifyclient.patch
new file mode 100644
index 0000000..d9858c3
--- /dev/null
+++ b/mod_nss-nssverifyclient.patch
@@ -0,0 +1,12 @@
+diff -rupN mod_nss-1.0.8.patched/nss_engine_kernel.c mod_nss-1.0.8.989724/nss_engine_kernel.c
+--- mod_nss-1.0.8.patched/nss_engine_kernel.c 2007-05-31 14:36:03.000000000 -0700
++++ mod_nss-1.0.8.989724/nss_engine_kernel.c 2013-10-25 13:32:47.000000000 -0700
+@@ -275,7 +275,7 @@ int nss_hook_Access(request_rec *r)
+
+ if (verify == SSL_CVERIFY_REQUIRE) {
+ SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
+- SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
++ SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS);
+ } else if (verify == SSL_CVERIFY_OPTIONAL) {
+ SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
+ SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
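Review bot: Both SSL_OptionSet calls in the SSL_CVERIFY_REQUIRE branch of nss_hook_Access discard their return value, so if setting SSL_REQUIRE_CERTIFICATE to SSL_REQUIRE_ALWAYS fails, the request carries on as though the requirement were in force. Since this one line is the whole CVE-2013-4566 fix, check the result against SECSuccess and deny the request on failure. The embedded patch also has no description header; one line saying why SSL_REQUIRE_NO_ERROR was not sufficient in directory context would help whoever has to rebase it.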
diff --git a/mod_nss.spec b/mod_nss.spec
index 11c2135..d207da2 100644
--- a/mod_nss.spec
+++ b/mod_nss.spec
@@ -6,7 +6,7 @@
Name: mod_nss
Version: 1.0.8
-Release: 24%{?dist}
+Release: 27%{?dist}
Summary: SSL/TLS module for the Apache HTTP server
Group: System Environment/Daemons
License: ASL 2.0
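Review bot: Release jumps from 24 straight to 27 here, while the %changelog hunk in this commit adds only a 1.0.8-27 entry on top of 1.0.8-24. If 25 and 26 were built on another branch, record that in the changelog; otherwise the skipped numbers make it harder to tell which builds carry the CVE fix.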
@@ -47,6 +47,11 @@ Patch16: mod_nss-proxyvariables.patch
Patch17: mod_nss-tlsv1_1.patch
Patch18: mod_nss-sslmultiproxy.patch
Patch19: mod_nss-sslmultiproxy_2.patch
+#Patch20: mod_nss-docs-fix.patch
+#Patch21: mod_nss-SSLEngine-off.patch
+#Patch22: mod_nss-unused-filter_ctx.patch
+Patch23: mod_nss-nssverifyclient.patch
+#Patch24: mod_nss-usecases.patch
%description
The mod_nss module provides strong cryptography for the Apache Web
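Review bot: Patch20, Patch21, Patch22 and Patch24 are added commented out, and the files they name are not among the three files in this commit's diffstat. For a security update, keep the spec change to the one active line, `Patch23: mod_nss-nssverifyclient.patch`, or add a comment saying where the other four patches live and why they are skipped on this branch.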
@@ -80,6 +85,11 @@ security library.
%else
%patch18 -p1 -b .sslmultiproxy
%endif
+#%patch20 -p1 -b .docs-fix
+#%patch21 -p1 -b .SSLEngine-off
+#%patch22 -p1 -b .unused-filter_ctx
+%patch23 -p1 -b .nssverifyclient
+#%patch24 -p1 -b .usecases
# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]
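Review bot: The commented `#%patch20`, `#%patch21`, `#%patch22` and `#%patch24` lines leave the macro unescaped, and rpm still performs macro expansion inside comment lines. This same commit escapes `%%configure` and `%%build` in the changelog, so either write these as `#%%patch20 ...` for consistency or remove them and keep only `%patch23 -p1 -b .nssverifyclient`.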
@@ -190,9 +200,17 @@ fi
%{_sbindir}/gencert
%changelog
+* Tue Dec 3 2013 Rob Crittenden <rcritten at redhat.com> - 1.0.8-27
+- Resolves: CVE-2013-4566
+- [mod_nss-nssverifyclient.patch]
+- Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of
+ NSSVerifyClient in directory context [fedora-all]
+- Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in
+ Directory
+
* Mon Oct 21 2013 Matthew Harmsen <mharmsen at redhat.com> - 1.0.8-24
- Bugzilla Bug #961471 - Port Downstream Patches Upstream (mharmsen)
-- Add '--enable-ecc' option to '%configure' line under '%build' section of
+- Add '--enable-ecc' option to %%configure line under %%build section of
this spec file (mharmsen)
- Bumped version build/runtime requirements for NSPR and NSS (mharmsen)
- [mod_nss-PK11_ListCerts_2.patch]
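Review bot: The edit to the existing 1.0.8-24 entry (`'%configure'` to `%%configure`, `'%build'` to `%%build`) is unrelated to the NSSVerifyClient fix and is not mentioned in the commit message. Split it into its own commit or add a line for it, so the CVE commit can be cherry-picked to other branches without touching old changelog text.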