SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Apache
Vendors:   Apache Software Foundation
Apache ssl_hook_Access() Function May Fail to Verify Client Certificates
SecurityTracker Alert ID:  1014833
SecurityTracker URL:  http://securitytracker.com/id/1014833
CVE Reference:   CVE-2005-2700
Updated:  Mar 2 2006
Original Entry Date:  Sep 1 2005
Impact:   Host/resource access via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.0.x
Description:   A vulnerability was reported in Apache. The server may fail to verify SSL client certificates in a certain configuration.

The Apache ssl_hook_Access() function does not properly enforce the 'SSLVerifyClient require' directive in a per-location context if a virtual host is configured with the 'SSLVerifyClient optional' directive.

The vulnerability resides in 'modules/ssl/ssl_engine_kernel.c'.
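
An added example, not part of the advisory or of Apache's code: a Python script that scans an httpd configuration for the combination described above, a per-location 'SSLVerifyClient require' inside a virtual host whose own level is 'SSLVerifyClient optional'. The sample configuration and the name find_affected are constructed for illustration; the script flags the configuration pattern only and does not check whether the installed server includes the fix.

```python
import re

# Constructed sample httpd configuration (not taken from the advisory).
SAMPLE_CONF = """\
<VirtualHost *:443>
    <Location /admin>
        SSLVerifyClient require
    </Location>
    SSLVerifyClient optional
</VirtualHost>
<VirtualHost *:8443>
    SSLVerifyClient none
    <Directory "/srv/private">
        SSLVerifyClient require
    </Directory>
</VirtualHost>
"""

PER_DIR = {"location", "locationmatch", "directory", "directorymatch", "files", "filesmatch"}
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*(\w+)\s*>")
VERIFY = re.compile(r'SSLVerifyClient\s+"?(\w+)', re.I)

def find_affected(conf_text):
    """Return (vhost, section, line_no) for each per-location 'SSLVerifyClient
    require' inside a vhost whose own level is 'optional'."""
    stack, vhost_mode, pending, hits = [], None, [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()  # comment lines start with '#' and match nothing below
        if (m := CLOSE.match(line)):
            del stack[-1:]  # pop the innermost open section, if any
            if m.group(1).lower() == "virtualhost":
                # Resolve here: the vhost-level directive may follow the <Location>.
                if vhost_mode == "optional":
                    hits.extend(pending)
                vhost_mode, pending = None, []
        elif (m := OPEN.match(line)):
            stack.append((m.group(1).lower(), m.group(2).strip()))
        elif (m := VERIFY.match(line)):
            mode = m.group(1).lower()
            vhost = next((a for n, a in stack if n == "virtualhost"), None)
            inner = next((f"{n} {a}" for n, a in reversed(stack) if n in PER_DIR), None)
            if vhost is not None and inner is None:
                vhost_mode = mode  # directive sits at virtual-host level
            elif vhost is not None and mode == "require":
                pending.append((vhost, inner, no))
    return hits

if __name__ == "__main__":
    print(find_affected(SAMPLE_CONF))
```
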

Impact:   The server may fail to verify SSL client certificates in a certain configuration.
Solution:   The vendor has issued a source code fix, available via SVN at:

http://svn.apache.org/viewcvs?rev=264800&view=rev

Red Hat has issued a fix for mod_ssl for Red Hat Enterprise Linux 2.1:

https://rhn.redhat.com/errata/RHSA-2005-773.html

HP has issued a fix for Apache on HP-UX:

http://www2.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01232

Vendor URL:  httpd.apache.org/
Cause:   Authentication error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 3 2005 (mod_ssl Issues Fix) Apache ssl_hook_Access() Function May Fail to Verify Client Certificates
A fix is available for mod_ssl for Apache 1.3.33.
Sep 6 2005 (Red Hat Issues Fix) Apache ssl_hook_Access() Function May Fail to Verify Client Certificates   (bugzilla@redhat.com)
Red Hat has released a fix.
Sep 15 2005 (Red Hat Issues Fix) Apache ssl_hook_Access() Function May Fail to Verify Client Certificates   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
Oct 6 2005 (HP Issues Fix for HP-UX) Apache ssl_hook_Access() Function May Fail to Verify Client Certificates
HP has issued a fix for Apache on HP-UX.
Nov 30 2005 (Apple Issues Fix) Apache ssl_hook_Access() Function May Fail to Verify Client Certificates   (Apple Product Security <product-security@apple.com>)
Apple has released a fix for Mac OS X.
Mar 2 2006 (Sun Issues Fix) Apache ssl_hook_Access() Function May Fail to Verify Client Certificates
Sun has issued a fix.



 Source Message Contents



[Original Message Not Available for Viewing]



Copyright 2013, SecurityGlobal.net LLC