Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

mod_gnutls: Certificate validation error — GLSA 201709-04

A vulnerability in mod_gnutls allows remote attackers to spoof clients via crafted certificates.

Affected packages

Package www-apache/mod_gnutls on all architectures
Affected versions < 0.7.3
Unaffected versions >= 0.7.3

Background

mod_gnutls is an extension for ​Apache’s httpd. It uses the ​GnuTLS library to provide HTTPS. It supports some protocols and features that mod_ssl does not.

Description

It was discovered that the authentication hook in mod_gnutls does not validate client’s certificates even when option “GnuTLSClientVerify” is set to “require”.

Impact

A remote attacker could present a crafted certificate and spoof clients data.

Workaround

There is no known workaround at this time.

Resolution

All mod_gnutls users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apache/mod_gnutls-0.7.3"

References

Release date
September 17, 2017

Latest revision
September 17, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries