libapache2-mod-nss: CVE-2013-4566: incorrect handling of NSSVerifyClient in directory context

Related Vulnerabilities: CVE-2013-4566   CVE-2011-4973  

Debian Bug report logs - #731627

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 7 Dec 2013 16:15:07 UTC

Severity: grave

Tags: security, upstream

Fixed in version libapache2-mod-nss/1.0.8-4

Done: Timo Aaltonen <tjaalton@ubuntu.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>:
Bug#731627; Package libapache2-mod-nss. (Sat, 07 Dec 2013 16:15:11 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>. (Sat, 07 Dec 2013 16:15:11 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-nss: CVE-2013-4566: incorrect handling of NSSVerifyClient in directory context
Date: Sat, 07 Dec 2013 17:12:00 +0100
Package: libapache2-mod-nss
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for libapache2-mod-nss.

CVE-2013-4566[0]:
incorrect handling of NSSVerifyClient in directory context

More details are also provided in RedHat's bugzilla at [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4566
    http://security-tracker.debian.org/tracker/CVE-2013-4566
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1016832

Regards,
Salvatore



Reply sent to Timo Aaltonen <tjaalton@ubuntu.com>:
You have taken responsibility. (Mon, 24 Feb 2014 15:39:38 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 24 Feb 2014 15:39:38 GMT).


Message #10 received at 731627-close@bugs.debian.org:

From: Timo Aaltonen <tjaalton@ubuntu.com>
To: 731627-close@bugs.debian.org
Subject: Bug#731627: fixed in libapache2-mod-nss 1.0.8-4
Date: Mon, 24 Feb 2014 15:36:25 +0000
Source: libapache2-mod-nss
Source-Version: 1.0.8-4

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-nss, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 731627@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@ubuntu.com> (supplier of updated libapache2-mod-nss package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 03 Feb 2014 11:23:58 +0200
Source: libapache2-mod-nss
Binary: libapache2-mod-nss
Architecture: source amd64
Version: 1.0.8-4
Distribution: unstable
Urgency: medium
Maintainer: Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>
Changed-By: Timo Aaltonen <tjaalton@ubuntu.com>
Description: 
 libapache2-mod-nss - NSS-based SSL module for Apache2
Closes: 729626 731627
Changes: 
 libapache2-mod-nss (1.0.8-4) unstable; urgency=medium
 .
   * mod_nss-clientauth.patch:
     - Fix CVE-2011-4973: FakeBasicAuth authentication bypass.
       (Closes: #729626)
   * mod_nss-nssverifyclient.patch:
     - Fix CVE-2013-4566: incorrect handling of NSSVerifyClient in
       directory context. (Closes: #731627)
   * control: Bump policy to 3.9.5, no changes.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:33:21 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:45:41 2019; Machine Name: beach
