1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200410-21 / apache |
| Release Date | October 21, 2004 |
| Latest Revision | December 30, 2007: 02 |
| Impact | low |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| www-servers/apache | < 2.0.52 | >= 2.0.52, < 2.0 | All supported architectures |
| net-www/mod_ssl | < 2.8.20 | >= 2.8.20 | All supported architectures |
Related bugreports: #66807
In certain configurations, it can be possible to bypass restrictions set by the "SSLCipherSuite" directive of mod_ssl.
The Apache HTTP server is one of the most popular web servers on the internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3 and is also included in Apache 2.
A flaw has been found in mod_ssl where the "SSLCipherSuite" directive could be bypassed in certain configurations if it is used in a directory or location context to restrict the set of allowed cipher suites.
A remote attacker could gain access to a location using any cipher suite allowed by the server/virtual host configuration, disregarding the restrictions by "SSLCipherSuite" for that location.
There is no known workaround at this time.
All Apache 2 users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge sync # emerge -pv ">=www-servers/apache-2.0.52" # emerge ">=www-servers/apache-2.0.52" |
All mod_ssl users should upgrade to the latest version:
Code Listing 3.2: Resolution |
# emerge sync # emerge -pv ">=net-www/mod_ssl-2.8.20" # emerge ">=net-www/mod_ssl-2.8.20" |