mod-gnutls does not validate client certificates when GnuTLSClientVerify require is set in a directory context, which allows remote attackers to spoof clients via a crafted certificate.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mod_gnutls | Mod_gnutls_project | - (including) | - (including) |
| Mod-gnutls | Ubuntu | lucid | * |
| Mod-gnutls | Ubuntu | upstream | * |
References
- http://issues.outoforder.cc/view.php?id=93
- http://www.openwall.com/lists/oss-security/2015/02/26/6
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663
- https://bugzilla.redhat.com/show_bug.cgi?id=1197127
- http://issues.outoforder.cc/view.php?id=93
- http://www.openwall.com/lists/oss-security/2015/02/26/6
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663
- https://bugzilla.redhat.com/show_bug.cgi?id=1197127