
[SECURITY] [DLA 170-1] mod-gnutls security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : mod-gnutls
Version        : 0.5.6-1+squeeze2
CVE ID         : CVE-2015-2091
Debian Bug     : 578663

Thomas Klute discovered that in mod-gnutls, an Apache module providing
SSL and TLS encryption with GnuTLS, a bug caused the server's client
verify mode to be ignored entirely when the directory's configuration
was unset. Clients with invalid certificates could then leverage this
flaw to gain access to that directory.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
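
The flaw class described in the advisory, as an added example that is not part of the advisory and is not mod-gnutls source code: a simplified model of resolving the effective client verify mode from server-level and directory-level settings, with the flawed resolution beside a corrected fallback and a check that enumerates every setting combination. All names here (verify_mode, conf, effective_mode_flawed, effective_mode_fixed, count_bypasses) are hypothetical, and the model assumes only the "require" mode rejects an invalid certificate.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the settings; not taken from mod-gnutls. */
enum verify_mode { VERIFY_UNSET = -1, VERIFY_IGNORE, VERIFY_REQUEST, VERIFY_REQUIRE };
struct conf { enum verify_mode client_verify; };
typedef enum verify_mode (*resolver)(const struct conf *, const struct conf *);

/* Flawed: an unset directory setting is read as "nothing to enforce",
 * so the server-level mode is never consulted. */
static enum verify_mode effective_mode_flawed(const struct conf *srv, const struct conf *dir)
{
    (void)srv;
    return dir->client_verify == VERIFY_UNSET ? VERIFY_IGNORE : dir->client_verify;
}

/* Corrected: an unset directory setting inherits the server-level mode. */
static enum verify_mode effective_mode_fixed(const struct conf *srv, const struct conf *dir)
{
    if (dir->client_verify != VERIFY_UNSET) return dir->client_verify;
    if (srv->client_verify != VERIFY_UNSET) return srv->client_verify;
    return VERIFY_IGNORE;
}

/* Access decision under the model's assumption about "require". */
static bool access_allowed(resolver resolve, const struct conf *srv,
                           const struct conf *dir, bool cert_valid)
{
    return resolve(srv, dir) == VERIFY_REQUIRE ? cert_valid : true;
}

/* Regression check: count configurations where the intended mode is
 * "require" but a client with an invalid certificate is still let in. */
static int count_bypasses(resolver resolve)
{
    int bypasses = 0;
    for (int s = VERIFY_UNSET; s <= VERIFY_REQUIRE; s++)
        for (int d = VERIFY_UNSET; d <= VERIFY_REQUIRE; d++) {
            struct conf srv = { (enum verify_mode)s }, dir = { (enum verify_mode)d };
            if (effective_mode_fixed(&srv, &dir) == VERIFY_REQUIRE &&
                access_allowed(resolve, &srv, &dir, false))
                bypasses++;
        }
    return bypasses;
}

int main(void)
{
    printf("flawed: %d bypass(es), fixed: %d\n",
           count_bypasses(effective_mode_flawed), count_bypasses(effective_mode_fixed));
    return 0;
}
```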

