[mod_nss/f18] Resolves: CVE-2013-4566

mharmsen mharmsen at fedoraproject.org
Wed Dec 4 01:57:14 UTC 2013


commit 443a42ee29d739e4c1e46a831186479560887335
Author: Matthew Harmsen <mharmsen at redhat.com>
Date:   Tue Dec 3 17:56:47 2013 -0800

    Resolves: CVE-2013-4566
    
    - [mod_nss-nssverifyclient.patch]
    - Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of
      NSSVerifyClient in directory context [fedora-all]
    - Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in
      Directory

 clog                          |    7 +++++++
 mod_nss-nssverifyclient.patch |   12 ++++++++++++
 mod_nss.spec                  |   22 ++++++++++++++++++++--
 3 files changed, 39 insertions(+), 2 deletions(-)
---
diff --git a/clog b/clog
new file mode 100644
index 0000000..9792c5d
--- /dev/null
+++ b/clog
@@ -0,0 +1,7 @@
+Resolves: CVE-2013-4566
+
+- [mod_nss-nssverifyclient.patch]
+- Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of
+  NSSVerifyClient in directory context [fedora-all]
+- Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in
+  Directory
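Review bot: the new top-level file clog repeats the commit message word for word, and nothing in the mod_nss.spec hunks lists it as a Source or installs it, so it looks like a scratch file for composing the commit message that was staged by accident. Drop it from the commit, or state in the message why it needs to be tracked.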
diff --git a/mod_nss-nssverifyclient.patch b/mod_nss-nssverifyclient.patch
new file mode 100644
index 0000000..d9858c3
--- /dev/null
+++ b/mod_nss-nssverifyclient.patch
@@ -0,0 +1,12 @@
+diff -rupN mod_nss-1.0.8.patched/nss_engine_kernel.c mod_nss-1.0.8.989724/nss_engine_kernel.c
+--- mod_nss-1.0.8.patched/nss_engine_kernel.c	2007-05-31 14:36:03.000000000 -0700
++++ mod_nss-1.0.8.989724/nss_engine_kernel.c	2013-10-25 13:32:47.000000000 -0700
+@@ -275,7 +275,7 @@ int nss_hook_Access(request_rec *r)
+ 
+         if (verify == SSL_CVERIFY_REQUIRE) {
+             SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
+-            SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NO_ERROR);
++            SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_ALWAYS);
+         } else if (verify == SSL_CVERIFY_OPTIONAL) {
+             SSL_OptionSet(ssl, SSL_REQUEST_CERTIFICATE, PR_TRUE);
+             SSL_OptionSet(ssl, SSL_REQUIRE_CERTIFICATE, SSL_REQUIRE_NEVER);
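Review bot: in the SSL_CVERIFY_REQUIRE branch of nss_hook_Access, the call that now sets SSL_REQUIRE_CERTIFICATE to SSL_REQUIRE_ALWAYS discards the SECStatus that SSL_OptionSet returns, so a failure to set the option goes unnoticed and the request carries on with whatever requirement the socket had before. Since this one line is the whole fix for CVE-2013-4566, compare the result of both calls in this branch against SECSuccess and fail the request when either does not succeed. The patch file also has no header explaining why SSL_REQUIRE_NO_ERROR is replaced, and the 989724 in the directory name mod_nss-1.0.8.989724 is not one of the bug numbers cited in the commit message; add a short description and cite or explain that number.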
diff --git a/mod_nss.spec b/mod_nss.spec
index 11c2135..d207da2 100644
--- a/mod_nss.spec
+++ b/mod_nss.spec
@@ -6,7 +6,7 @@
 
 Name: mod_nss
 Version: 1.0.8
-Release: 24%{?dist}
+Release: 27%{?dist}
 Summary: SSL/TLS module for the Apache HTTP server
 Group: System Environment/Daemons
 License: ASL 2.0
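Review bot: Release goes from 24 straight to 27, while the %changelog hunk in this commit adds only a 1.0.8-27 entry directly above 1.0.8-24, leaving releases 25 and 26 without any record. Either bump to 25, or add changelog entries that account for the skipped releases.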
@@ -47,6 +47,11 @@ Patch16: mod_nss-proxyvariables.patch
 Patch17: mod_nss-tlsv1_1.patch
 Patch18: mod_nss-sslmultiproxy.patch
 Patch19: mod_nss-sslmultiproxy_2.patch
+#Patch20: mod_nss-docs-fix.patch
+#Patch21: mod_nss-SSLEngine-off.patch
+#Patch22: mod_nss-unused-filter_ctx.patch
+Patch23: mod_nss-nssverifyclient.patch
+#Patch24: mod_nss-usecases.patch
 
 %description
 The mod_nss module provides strong cryptography for the Apache Web
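Review bot: of the five Patch tags added here only Patch23 is live; Patch20, Patch21, Patch22 and Patch24 are commented out and name files that this commit does not add (the diffstat lists only clog, mod_nss-nssverifyclient.patch and mod_nss.spec), and nothing here says whether they exist in the branch. For a CVE fix, keep the spec change to the Patch23 line, or add a comment saying where the other four patches come from and why they are held back.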
@@ -80,6 +85,11 @@ security library.
 %else
 %patch18 -p1 -b .sslmultiproxy
 %endif
+#%patch20 -p1 -b .docs-fix
+#%patch21 -p1 -b .SSLEngine-off
+#%patch22 -p1 -b .unused-filter_ctx
+%patch23 -p1 -b .nssverifyclient
+#%patch24 -p1 -b .usecases
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
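Review bot: the commented-out lines #%patch20, #%patch21, #%patch22 and #%patch24 keep a single % inside a comment, and rpm performs macro expansion on comment lines too. Apply the same escaping the %changelog hunk in this commit applies to %configure, that is #%%patch20 and so on, or delete the four lines and leave only %patch23.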
@@ -190,9 +200,17 @@ fi
 %{_sbindir}/gencert
 
 %changelog
+* Tue Dec  3 2013 Rob Crittenden <rcritten at redhat.com> - 1.0.8-27
+- Resolves: CVE-2013-4566
+- [mod_nss-nssverifyclient.patch]
+- Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of
+  NSSVerifyClient in directory context [fedora-all]
+- Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in
+  Directory
+
 * Mon Oct 21 2013 Matthew Harmsen <mharmsen at redhat.com> - 1.0.8-24
 - Bugzilla Bug #961471 - Port Downstream Patches Upstream (mharmsen)
-- Add '--enable-ecc' option to '%configure' line under '%build' section of
+- Add '--enable-ecc' option to %%configure line under %%build section of
   this spec file (mharmsen)
 - Bumped version build/runtime requirements for NSPR and NSS (mharmsen)
 - [mod_nss-PK11_ListCerts_2.patch]
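Review bot: the edit to the existing 1.0.8-24 entry, which replaces '%configure' and '%build' with %%configure and %%build, is unrelated to CVE-2013-4566 and is not mentioned in the commit message. Move it to its own commit or add a line for it in the message, so the security fix stays minimal and easy to cherry-pick. The new 1.0.8-27 entry is also credited to Rob Crittenden while the commit author is Matthew Harmsen; if that is intentional, a note on the patch's origin in the commit message would make it clear.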

