
Debian-LTS alert DLA-170-1 (mod-gnutls)

From:  Thorsten Alteholz <debian@alteholz.de>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 170-1] mod-gnutls security update
Date:  Sat, 14 Mar 2015 17:35:48 +0100 (CET)
Message-ID:  <alpine.DEB.2.02.1503141734440.32345@jupiter.server.alteholz.net>

Package        : mod-gnutls
Version        : 0.5.6-1+squeeze2
CVE ID         : CVE-2015-2091
Debian Bug     : 578663

Thomas Klute discovered that in mod-gnutls, an Apache module providing
SSL and TLS encryption with GnuTLS, a bug caused the server's client
verify mode not to be considered at all, in case the directory's
configuration was unset. Clients with invalid certificates were then
able to leverage this flaw in order to get access to that directory.

