Описание
Security update for apache2-mod_nss
This update provides apache2-mod_nss 1.0.14, which brings several fixes and enhancements:
- Fix OpenSSL ciphers stopped parsing at +. (CVE-2016-3099)
- Created valgrind suppression files to ease debugging.
- Implement SSL_PPTYPE_FILTER to call executables to get the key password pins.
- Improvements to migrate.pl.
- Update default ciphers to something more modern and secure.
- Check for host and netstat commands in gencert before trying to use them.
- Add server support for DHE ciphers.
- Extract SAN from server/client certificates into env
- Fix memory leaks and other coding issues caught by clang analyzer.
- Add support for Server Name Indication (SNI).
- Add support for SNI for reverse proxy connections.
- Add RenegBufferSize? option.
- Add support for TLS Session Tickets (RFC 5077).
- Fix logical AND support in OpenSSL cipher compatibility.
- Correctly handle disabled ciphers. (CVE-2015-5244)
- Implement a slew more OpenSSL cipher macros.
- Fix a number of illegal memory accesses and memory leaks.
- Support for SHA384 ciphers if they are available in NSS.
- Add compatibility for mod_ssl-style cipher definitions.
- Add TLSv1.2-specific ciphers.
- Completely remove support for SSLv2.
- Add support for sqlite NSS databases.
- Compare subject CN and VS hostname during server start up.
- Add support for enabling TLS v1.2.
- Don't enable SSL 3 by default. (CVE-2014-3566)
- Fix CVE-2013-4566.
- Move nss_pcache to /usr/libexec.
- Support httpd 2.4+.
- Use apache2-systemd-ask-pass to prompt for a certificate passphrase. (bsc#972968, bsc#975394)
Список пакетов
SUSE Linux Enterprise Server 12 SP1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
Ссылки
- Link for SUSE-SU-2016:2285-1
- E-Mail link for SUSE-SU-2016:2285-1
- SUSE Security Ratings
- SUSE Bug 972968
- SUSE Bug 975394
- SUSE Bug 979688
- SUSE CVE CVE-2013-4566 page
- SUSE CVE CVE-2014-3566 page
- SUSE CVE CVE-2015-5244 page
- SUSE CVE CVE-2016-3099 page
Описание
mod_nss 1.0.8 and earlier, when NSSVerifyClient is set to none for the server/vhost context, does not enforce the NSSVerifyClient setting in the directory context, which allows remote attackers to bypass intended access restrictions.
Затронутые продукты
Ссылки
- CVE-2013-4566
- SUSE Bug 853039
Описание
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Затронутые продукты
Ссылки
- CVE-2014-3566
- SUSE Bug 1011293
- SUSE Bug 1031023
- SUSE Bug 901223
- SUSE Bug 901254
- SUSE Bug 901277
- SUSE Bug 901748
- SUSE Bug 901757
- SUSE Bug 901759
- SUSE Bug 901889
- SUSE Bug 901968
- SUSE Bug 902229
- SUSE Bug 902233
- SUSE Bug 902476
- SUSE Bug 903405
- SUSE Bug 903684
- SUSE Bug 904889
- SUSE Bug 905106
- SUSE Bug 914041
- SUSE Bug 994144
Описание
The NSSCipherSuite option with ciphersuites enabled in mod_nss before 1.0.12 allows remote attackers to bypass application restrictions.
Затронутые продукты
Ссылки
- CVE-2015-5244
- SUSE Bug 945905
Описание
mod_ns in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to force the use of ciphers that were not intended to be enabled.
Затронутые продукты
Ссылки
- CVE-2016-3099
- SUSE Bug 973996