Security Advisory Moderate: mod_nss security update

Advisory: RHSA-2013:1779-2
Type: Security Advisory
Severity: Moderate
Issued on: 2013-12-03
Last updated on: 2013-12-03
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server AUS (v. 6.5)
Red Hat Enterprise Linux Server EUS (v. 6.5.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2013-4566

Details

An updated mod_nss package that fixes one security issue is now available
for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The mod_nss module provides strong cryptography for the Apache HTTP Server
via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
protocols, using the Network Security Services (NSS) security library.

A flaw was found in the way mod_nss handled the NSSVerifyClient setting for
the per-directory context. When configured to not require a client
certificate for the initial connection and only require it for a specific
directory, mod_nss failed to enforce this requirement and allowed a client
to access the directory when no valid client certificate was provided.
(CVE-2013-4566)

Red Hat would like to thank Albert Smith of OUSD(AT&L) for reporting this
issue.

All mod_nss users should upgrade to this updated package, which contains a
backported patch to correct this issue. The httpd service must be restarted
for this update to take effect.
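
To find configurations that depend on the per-directory NSSVerifyClient requirement described above, the following audit script is an added example; it is not part of Red Hat's advisory or of mod_nss. The function name, the sample virtual host and its paths are constructed, and an unset server-level NSSVerifyClient is assumed to behave as "none".

```shell
#!/bin/sh
# Added example: report per-directory "NSSVerifyClient require" settings in a
# config whose connection-level setting does not require a client certificate
# (the configuration pattern described for CVE-2013-4566).

# Usage: audit_nss_verifyclient FILE
# Prints "FILE:LINE: <container>" per match; returns 0 if any match, else 1.
audit_nss_verifyclient() {
    awk '
        function flush(   i) {
            # Assumption: no server-level value means "none".
            if (server != "require")
                for (i = 1; i <= n; i++) { print hit[i]; found = 1 }
            n = 0
        }
        { line = tolower($0) }                    # directives are case-insensitive
        line ~ /^[ \t]*#/ { next }                # skip comments
        line ~ /^[ \t]*<\/?virtualhost[ \t>]/ {   # each virtual host is judged alone
            flush(); server = global; invhost = (line !~ /<\//); next
        }
        # Per-directory containers (also matches the *Match forms).
        line ~ /^[ \t]*<(directory|location|files)/ { ctx[++depth] = $1 " " $2; next }
        line ~ /^[ \t]*<\/(directory|location|files)/ { if (depth > 0) depth--; next }
        tolower($1) == "nssverifyclient" {
            v = tolower($2)
            if (depth > 0) { if (v == "require") hit[++n] = FILENAME ":" FNR ": " ctx[depth] }
            else { server = v; if (!invhost) global = v }
        }
        END { flush(); exit !found }
    ' "$1"
}

# Constructed sample: no certificate at connection time, one protected directory.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost _default_:8443>
    NSSEngine on
    NSSVerifyClient none
    <Directory "/var/www/html/secure">
        NSSVerifyClient require
    </Directory>
</VirtualHost>
EOF
audit_nss_verifyclient "$sample" || echo "no per-directory client-certificate requirement found"
rm -f "$sample"
```

The script does not follow Include directives, so run it on each file httpd loads. A reported directory is only protected as configured once the updated mod_nss package is installed and httpd has been restarted.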


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
mod_nss-1.0.8-8.el5_10.src.rpm

IA-32:
mod_nss-1.0.8-8.el5_10.i386.rpm
mod_nss-debuginfo-1.0.8-8.el5_10.i386.rpm

IA-64:
mod_nss-1.0.8-8.el5_10.ia64.rpm
mod_nss-debuginfo-1.0.8-8.el5_10.ia64.rpm

PPC:
mod_nss-1.0.8-8.el5_10.ppc.rpm
mod_nss-debuginfo-1.0.8-8.el5_10.ppc.rpm

s390x:
mod_nss-1.0.8-8.el5_10.s390x.rpm
mod_nss-debuginfo-1.0.8-8.el5_10.s390x.rpm

x86_64:
mod_nss-1.0.8-8.el5_10.x86_64.rpm
mod_nss-debuginfo-1.0.8-8.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
mod_nss-1.0.8-8.el5_10.src.rpm

IA-32:
mod_nss-1.0.8-8.el5_10.i386.rpm
mod_nss-debuginfo-1.0.8-8.el5_10.i386.rpm

x86_64:
mod_nss-1.0.8-8.el5_10.x86_64.rpm
mod_nss-debuginfo-1.0.8-8.el5_10.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
mod_nss-1.0.8-19.el6_5.src.rpm

IA-32:
mod_nss-1.0.8-19.el6_5.i686.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.i686.rpm

x86_64:
mod_nss-1.0.8-19.el6_5.x86_64.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
mod_nss-1.0.8-19.el6_5.src.rpm

x86_64:
mod_nss-1.0.8-19.el6_5.x86_64.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
mod_nss-1.0.8-19.el6_5.src.rpm

IA-32:
mod_nss-1.0.8-19.el6_5.i686.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.i686.rpm

PPC:
mod_nss-1.0.8-19.el6_5.ppc64.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.ppc64.rpm

s390x:
mod_nss-1.0.8-19.el6_5.s390x.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.s390x.rpm

x86_64:
mod_nss-1.0.8-19.el6_5.x86_64.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server AUS (v. 6.5)

SRPMS:
mod_nss-1.0.8-19.el6_5.src.rpm

x86_64:
mod_nss-1.0.8-19.el6_5.x86_64.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.x86_64.rpm

Red Hat Enterprise Linux Server EUS (v. 6.5.z)

SRPMS:
mod_nss-1.0.8-19.el6_5.src.rpm

IA-32:
mod_nss-1.0.8-19.el6_5.i686.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.i686.rpm

PPC:
mod_nss-1.0.8-19.el6_5.ppc64.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.ppc64.rpm

s390x:
mod_nss-1.0.8-19.el6_5.s390x.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.s390x.rpm

x86_64:
mod_nss-1.0.8-19.el6_5.x86_64.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
mod_nss-1.0.8-19.el6_5.src.rpm

IA-32:
mod_nss-1.0.8-19.el6_5.i686.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.i686.rpm

x86_64:
mod_nss-1.0.8-19.el6_5.x86_64.rpm
mod_nss-debuginfo-1.0.8-19.el6_5.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1016832 - CVE-2013-4566 mod_nss: incorrect handling of NSSVerifyClient in directory context


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/