Gentoo Logo

Apache 2, mod_ssl: Bypass of SSLCipherSuite directive

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200410-21 / apache
Release Date October 21, 2004
Latest Revision December 30, 2007: 02
Impact low
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
www-servers/apache < 2.0.52 >= 2.0.52, < 2.0 All supported architectures
net-www/mod_ssl < 2.8.20 >= 2.8.20 All supported architectures

Related bugreports: #66807

Synopsis

In certain configurations, it can be possible to bypass restrictions set by the "SSLCipherSuite" directive of mod_ssl.

2.  Impact Information

Background

The Apache HTTP server is one of the most popular web servers on the internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 and is also included in Apache 2.

Description

A flaw has been found in mod_ssl where the "SSLCipherSuite" directive could be bypassed in certain configurations if it is used in a directory or location context to restrict the set of allowed cipher suites.

Impact

A remote attacker could gain access to a location using any cipher suite allowed by the server/virtual host configuration, disregarding the restrictions by "SSLCipherSuite" for that location.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Apache 2 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge sync
# emerge -pv ">=www-servers/apache-2.0.52"
# emerge ">=www-servers/apache-2.0.52"

All mod_ssl users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge sync
# emerge -pv ">=net-www/mod_ssl-2.8.20"
# emerge ">=net-www/mod_ssl-2.8.20"

4.  References



Print

Page updated October 21, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.