mod_nss 1.0.8 and earlier, when NSSVerifyClient is set to none for the server/vhost context, does not enforce the NSSVerifyClient setting in the directory context, which allows remote attackers to bypass intended access restrictions.

This update provides apache2-mod_nss 1.0.14, which brings several fixes and enhancements :

  - Fix OpenSSL ciphers stopped parsing at +.
    (CVE-2016-3099)

  - Created valgrind suppression files to ease debugging.

  - Implement SSL_PPTYPE_FILTER to call executables to get     the key password pins.

  - Improvements to migrate.pl.

  - Update default ciphers to something more modern and     secure.

  - Check for host and netstat commands in gencert before     trying to use them.

  - Add server support for DHE ciphers.

  - Extract SAN from server/client certificates into env

  - Fix memory leaks and other coding issues caught by clang     analyzer.

  - Add support for Server Name Indication (SNI).

  - Add support for SNI for reverse proxy connections.

  - Add RenegBufferSize? option.

  - Add support for TLS Session Tickets (RFC 5077).

  - Fix logical AND support in OpenSSL cipher compatibility.

  - Correctly handle disabled ciphers. (CVE-2015-5244)

  - Implement a slew more OpenSSL cipher macros.

  - Fix a number of illegal memory accesses and memory     leaks.

  - Support for SHA384 ciphers if they are available in NSS.

  - Add compatibility for mod_ssl-style cipher definitions.

  - Add TLSv1.2-specific ciphers.

  - Completely remove support for SSLv2.

  - Add support for sqlite NSS databases.

  - Compare subject CN and VS hostname during server start     up.

  - Add support for enabling TLS v1.2.

  - Don't enable SSL 3 by default. (CVE-2014-3566)

  - Fix CVE-2013-4566.

  - Move nss_pcache to /usr/libexec.

  - Support httpd 2.4+.

  - SHA256 cipher names change spelling from *_sha256 to
    *_sha_256.

  - Use apache2-systemd-ask-pass to prompt for a certificate     passphrase. (bsc#972968, bsc#975394)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update provides apache2-mod_nss 1.0.14, which brings several fixes and enhancements :

  - SHA256 cipher names change spelling from *_sha256 to
    *_sha_256.

  - Drop mod_nss_migrate.pl and use upstream migrate script     instead.

  - Check for Apache user owner/group read permissions of     NSS database at startup.

  - Update default ciphers to something more modern and     secure.

  - Check for host and netstat commands in gencert before     trying to use them.

  - Don't ignore NSSProtocol when NSSFIPS is enabled.

  - Use proper shell syntax to avoid creating /0 in gencert.

  - Add server support for DHE ciphers.

  - Extract SAN from server/client certificates into env.

  - Fix memory leaks and other coding issues caught by clang     analyzer.

  - Add support for Server Name Indication (SNI)

  - Add support for SNI for reverse proxy connections.

  - Add RenegBufferSize? option.

  - Add support for TLS Session Tickets (RFC 5077).

  - Implement a slew more OpenSSL cipher macros.

  - Fix a number of illegal memory accesses and memory     leaks.

  - Support for SHA384 ciphers if they are available in the     version of NSS mod_nss is built against.

  - Add the SECURE_RENEG environment variable.

  - Add some hints when NSS database cannot be initialized.

  - Code cleanup including trailing whitespace and compiler     warnings.

  - Modernize autotools configuration slightly, add     config.h.

  - Add small test suite for SNI.

  - Add compatibility for mod_ssl-style cipher definitions.

  - Add Camelia ciphers.

  - Remove Fortezza ciphers.

  - Add TLSv1.2-specific ciphers.

  - Initialize cipher list when re-negotiating handshake.

  - Completely remove support for SSLv2.

  - Add support for sqlite NSS databases.

  - Compare subject CN and VS hostname during server start     up.

  - Add support for enabling TLS v1.2.

  - Don't enable SSL 3 by default. (CVE-2014-3566)

  - Improve protocol testing.

  - Add nss_pcache man page.

  - Fix argument handling in nss_pcache.

  - Support httpd 2.4+.

  - Allow users to configure a helper to ask for certificate     passphrases via NSSPassPhraseDialog. (bsc#975394)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update provides apache2-mod_nss 1.0.14, which brings several fixes and enhancements :

  - Fix OpenSSL ciphers stopped parsing at +.
    (CVE-2016-3099)

  - Created valgrind suppression files to ease debugging.

  - Implement SSL_PPTYPE_FILTER to call executables to get     the key password pins.

  - Improvements to migrate.pl.

  - Update default ciphers to something more modern and     secure.

  - Check for host and netstat commands in gencert before     trying to use them.

  - Add server support for DHE ciphers.

  - Extract SAN from server/client certificates into env

  - Fix memory leaks and other coding issues caught by clang     analyzer.

  - Add support for Server Name Indication (SNI).

  - Add support for SNI for reverse proxy connections.

  - Add RenegBufferSize? option.

  - Add support for TLS Session Tickets (RFC 5077).

  - Fix logical AND support in OpenSSL cipher compatibility.

  - Correctly handle disabled ciphers. (CVE-2015-5244)

  - Implement a slew more OpenSSL cipher macros.

  - Fix a number of illegal memory accesses and memory     leaks.

  - Support for SHA384 ciphers if they are available in NSS.

  - Add compatibility for mod_ssl-style cipher definitions.

  - Add TLSv1.2-specific ciphers.

  - Completely remove support for SSLv2.

  - Add support for sqlite NSS databases.

  - Compare subject CN and VS hostname during server start     up.

  - Add support for enabling TLS v1.2.

  - Don't enable SSL 3 by default. (CVE-2014-3566)

  - Fix CVE-2013-4566.

  - Move nss_pcache to /usr/libexec.

  - Support httpd 2.4+.

  - Use apache2-systemd-ask-pass to prompt for a certificate     passphrase. (bsc#972968, bsc#975394)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes     CVE-2013-4566: If 'NSSVerifyClient none' is set in the     server / vhost context (i.e. when server is configured     to not request or require client certificate     authentication on the initial connection), and client     certificate authentication is expected to be required     for a specific directory via 'NSSVerifyClient require'     setting, mod_nss fails to properly require certificate     authentication. Remote attacker can use this to access     content of the restricted directories. [bnc#853039]

  - glue documentation added to     /etc/apache2/conf.d/mod_nss.conf :

  - simultaneaous usage of mod_ssl and mod_nss

  - SNI concurrency

  - SUSE framework for apache configuration, Listen     directive

  - module initialization

  - mod_nss-conf.patch obsoleted by scratch-version of     nss.conf.in or mod_nss.conf, respectively. This also     leads to the removal of nss.conf.in specific chunks in     mod_nss-negotiate.patch and mod_nss-tlsv1_1.patch .

  - mod_nss_migrate.pl conversion script added; not patched     from source, but partially rewritten.

  - README-SUSE.txt added with step-by-step instructions on     how to convert and manage certificates and keys, as well     as a rationale about why mod_nss was included in SLES.

  - package ready for submission [bnc#847216]

  - generic cleanup of the package :

  - explicit Requires: to mozilla-nss >= 3.15.1, as TLS-1.2     support came with this version - this is the objective     behind this version update of apache2-mod_nss. Tracker     bug [bnc#847216]

  - change path /etc/apache2/alias to /etc/apache2/mod_nss.d     to avoid ambiguously interpreted name of directory.

  - merge content of /etc/apache2/alias to     /etc/apache2/mod_nss.d if /etc/apache2/alias exists.

  - set explicit filemodes 640 for %post generated *.db     files in /etc/apache2/mod_nss.d

A flaw was found in the way mod_nss handled the NSSVerifyClient setting for the per-directory context. When configured to not require a client certificate for the initial connection and only require it for a specific directory, mod_nss failed to enforce this requirement and allowed a client to access the directory when no valid client certificate was provided. (CVE-2013-4566)

This update fixes the following security issues with apache2-mod_nss :

  - client certificate verification problematic     (CVE-2013-4566). (bnc#853039)

A flaw was found in the way NSSVerifyClient was handled when used in both server / vhost context as well as directory context (specified either via <Directory> or <Location> directive). If 'NSSVerifyClient none' was set in the server / vhost context (i.e. when server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication was expected to be required for a specific directory via 'NSSVerifyClient require' setting, mod_nss failed to properly require expected certificate authentication. Remote attacker able to connect to the web server using such mod_nss configuration and without a valid client certificate could possibly use this flaw to access content of the restricted directories.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was found in the way mod_nss handled the NSSVerifyClient setting for the per-directory context. When configured to not require a client certificate for the initial connection and only require it for a specific directory, mod_nss failed to enforce this requirement and allowed a client to access the directory when no valid client certificate was provided. (CVE-2013-4566)

The httpd service must be restarted for this update to take effect.

An updated mod_nss package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The mod_nss module provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, using the Network Security Services (NSS) security library.

A flaw was found in the way mod_nss handled the NSSVerifyClient setting for the per-directory context. When configured to not require a client certificate for the initial connection and only require it for a specific directory, mod_nss failed to enforce this requirement and allowed a client to access the directory when no valid client certificate was provided. (CVE-2013-4566)

Red Hat would like to thank Albert Smith of OUSD(AT&L) for reporting this issue.

All mod_nss users should upgrade to this updated package, which contains a backported patch to correct this issue. The httpd service must be restarted for this update to take effect.

The remote Oracle Linux 5 / 6 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2013-1779 advisory.

    - Resolves: CVE-2013-4566

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
93767	SUSE SLES12 Security Update : apache2-mod_nss (SUSE-SU-2016:2396-1) (POODLE)	Nessus	SuSE Local Security Checks	critical
93590	SUSE SLES11 Security Update : apache2-mod_nss (SUSE-SU-2016:2329-1) (POODLE)	Nessus	SuSE Local Security Checks	low
93457	SUSE SLES12 Security Update : apache2-mod_nss (SUSE-SU-2016:2285-1) (POODLE)	Nessus	SuSE Local Security Checks	critical
74874	openSUSE Security Update : apache2-mod_nss (openSUSE-SU-2013:1956-1)	Nessus	SuSE Local Security Checks	medium
72266	Amazon Linux AMI : mod_nss (ALAS-2013-253)	Nessus	Amazon Linux Local Security Checks	medium
71614	SuSE 11.2 / 11.3 Security Update : apache2-mod_nss (SAT Patch Numbers 8610 / 8611)	Nessus	SuSE Local Security Checks	medium
71420	Fedora 20 : mod_nss-1.0.8-28.fc20 (2013-22730)	Nessus	Fedora Local Security Checks	medium
71384	Fedora 19 : mod_nss-1.0.8-27.fc19 (2013-22787)	Nessus	Fedora Local Security Checks	medium
71383	Fedora 18 : mod_nss-1.0.8-27.fc18 (2013-22786)	Nessus	Fedora Local Security Checks	medium
71304	Scientific Linux Security Update : mod_nss on SL5.x, SL6.x i386/x86_64 (20131203)	Nessus	Scientific Linux Local Security Checks	medium
71270	Amazon Linux AMI : mod24_nss (ALAS-2013-254)	Nessus	Amazon Linux Local Security Checks	medium
71190	RHEL 5 / 6 : mod_nss (RHSA-2013:1779)	Nessus	Red Hat Local Security Checks	medium
71187	Oracle Linux 5 / 6 : mod_nss (ELSA-2013-1779)	Nessus	Oracle Linux Local Security Checks	high
71179	CentOS 5 / 6 : mod_nss (CESA-2013:1779)	Nessus	CentOS Local Security Checks	medium

Detections

Analytics

CVE-2013-4566

high

Tenable Plugins

critical

low

critical

medium

medium

medium

medium

medium

medium

medium

medium

medium

high

medium