4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:P/A:N
0.007 Low
EPSS
Percentile
80.1%
CentOS Errata and Security Advisory CESA-2013:1779
The mod_nss module provides strong cryptography for the Apache HTTP Server
via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
protocols, using the Network Security Services (NSS) security library.
A flaw was found in the way mod_nss handled the NSSVerifyClient setting for
the per-directory context. When configured to not require a client
certificate for the initial connection and only require it for a specific
directory, mod_nss failed to enforce this requirement and allowed a client
to access the directory when no valid client certificate was provided.
(CVE-2013-4566)
Red Hat would like to thank Albert Smith of OUSD(AT&L) for reporting this
issue.
All mod_nss users should upgrade to this updated package, which contains a
backported patch to correct this issue. The httpd service must be restarted
for this update to take effect.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2013-December/082195.html
https://lists.centos.org/pipermail/centos-announce/2013-December/082201.html
Affected packages:
mod_nss
Upstream details at:
https://access.redhat.com/errata/RHSA-2013:1779
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 6 | i686 | mod_nss | < 1.0.8-19.el6_5 | mod_nss-1.0.8-19.el6_5.i686.rpm |
CentOS | 6 | x86_64 | mod_nss | < 1.0.8-19.el6_5 | mod_nss-1.0.8-19.el6_5.x86_64.rpm |
CentOS | 5 | i386 | mod_nss | < 1.0.8-8.el5_10 | mod_nss-1.0.8-8.el5_10.i386.rpm |
CentOS | 5 | x86_64 | mod_nss | < 1.0.8-8.el5_10 | mod_nss-1.0.8-8.el5_10.x86_64.rpm |