mod_gnutls: Certificate validation error — GLSA 201709-04

A vulnerability in mod_gnutls allows remote attackers to spoof clients via crafted certificates.

Affected Packages

www-apache/mod_gnutls on all architectures
Affected versions < 0.7.3
Unaffected versions >= 0.7.3

Background

mod_gnutls is an extension for ​Apache’s httpd. It uses the ​GnuTLS library to provide HTTPS. It supports some protocols and features that mod_ssl does not.

Description

It was discovered that the authentication hook in mod_gnutls does not validate client’s certificates even when option “GnuTLSClientVerify” is set to “require”.

Impact

A remote attacker could present a crafted certificate and spoof clients data.

Workaround

There is no known workaround at this time.

Resolution

All mod_gnutls users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apache/mod_gnutls-0.7.3"
 

References

Release Date
September 17, 2017

Latest Revision
September 17, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries