
Bug#232630: [CAN-2004-0009] Optional client certificate vulnerability



Package: apache-ssl
Version: 1.3.29.0.1-5
Severity: grave
Tags: security

http://www.apache-ssl.org/advisory-20040206.txt

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0009

Candidate: CAN-2004-0009
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0009
Phase: Assigned (20040105)
Category: SF
Reference: BUGTRAQ:20040206 Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107619127531765&w=2

Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3
and SSLFakeBasicAuth enabled, allows remote attackers to forge a
client certificate by using basic authentication with the "one-line
DN" of the target user.
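As an added example (not part of this bug report or of Apache-SSL itself), a small Python audit that scans an apache-ssl configuration for the vulnerable combination described above: SSLVerifyClient set to 1 or 3 together with SSLFakeBasicAuth, where <VirtualHost> contexts inherit whatever they do not override from the main server context. The sample configuration, the hostnames and the treatment of a bare SSLFakeBasicAuth directive as "enabled" are constructed assumptions.

```python
import re

# Constructed sample apache-ssl configuration (not from the bug report).
SAMPLE_CONFIG = """\
SSLVerifyClient 2
<VirtualHost 192.0.2.11:443>
    ServerName optional.example.com
    SSLVerifyClient 1
    SSLFakeBasicAuth
</VirtualHost>
<VirtualHost 192.0.2.12:443>
    ServerName nofake.example.com
    SSLVerifyClient 3
</VirtualHost>
"""
VULNERABLE_LEVELS = {"1", "3"}  # optional client certificate, per CAN-2004-0009

def find_vulnerable_hosts(config_text):
    """Names of server contexts with SSLVerifyClient 1 or 3 plus SSLFakeBasicAuth.
    Directives inside <VirtualHost> override the main context; others inherit."""
    global_ctx = {"name": "_default_", "verify": None, "fake": False}
    contexts, current = [], global_ctx
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            current = {"name": None, "verify": None, "fake": None}
            contexts.append(current)
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            current = global_ctx
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "servername" and len(parts) > 1:
            current["name"] = parts[1]
        elif key == "sslverifyclient" and len(parts) > 1:
            current["verify"] = parts[1]
        elif key == "sslfakebasicauth":
            # Assumed: Apache-SSL takes the bare directive as enabled; accept "on" too.
            current["fake"] = len(parts) == 1 or parts[1].lower() == "on"
    hits = []
    for ctx in [global_ctx] + contexts:
        verify = ctx["verify"] if ctx["verify"] is not None else global_ctx["verify"]
        fake = ctx["fake"] if ctx["fake"] is not None else global_ctx["fake"]
        if verify in VULNERABLE_LEVELS and fake:
            hits.append(ctx["name"] or "<unnamed VirtualHost>")
    return hits
```

Running it on SAMPLE_CONFIG reports only optional.example.com: the second host has an optional client-certificate level but never enables fake basic auth, and the main context requires a certificate.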

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.25-rc2-evms1.2.1
Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1
-- 
Obsig: developing a new sig