Debian Linux Information for VU#744929

mod_ssl fails to properly enforce client certificates authentication

Status

Affected

Vendor Statement

For Apache 2.0:

The old stable distribution (woody) does not contain Apache2 packages.

For the stable distribution (sarge) these problems have been fixed in version 2.0.54-5.

For the unstable distribution (sid) these problems have been fixed in version 2.0.54-5.

For Apache 1.3:

For the old stable distribution (woody) this problem has been fixed in version 2.8.9-2.5.

For the stable distribution (sarge) this problem has been fixed in version 2.8.22-1sarge1.

For the unstable distribution (sid) this problem has been fixed in version 2.8.24-1.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

Debian Security Advisory DBA-805-1 contains additional details for the apache2 package.

Debian Security Advisory DBA-807-1 contains vulnerability and remediation details for mod_ssl (package name libapache-mod-ssl).
