[Secure-testing-commits] r10799 - data/CVE
sf at alioth.debian.org
Thu Dec 25 19:53:03 UTC 2008
Author: sf
Date: 2008-12-25 19:53:03 +0000 (Thu, 25 Dec 2008)
New Revision: 10799
Modified:
data/CVE/list
Log:
apache-ssl no-dsa
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2008-12-25 13:42:25 UTC (rev 10798)
+++ data/CVE/list 2008-12-25 19:53:03 UTC (rev 10799)
@@ -12255,7 +12255,18 @@
NOT-FOR-US: OpenCA PKI Project
CVE-2008-0555 (The ExpandCert function in Apache-SSL before apache_1.3.41+ssl_1.59 ...)
- apache <removed>
- TODO: check if this needs a DSA
+ [etch] - apache <no-dsa> (only exploitable in very specific setups)
+ NOTE: Only affects the apache-ssl package, not apache or apache-perl.
+ NOTE: Only relevant if the attacker can get a CA that is trusted by the server
+ NOTE: to sign client certs with arbitrary CN, but cannot influence the contents
+ NOTE: of the other DN fields.
+ NOTE: OTOH, the configuration used in Debian's apache-ssl 1.55 (per-dir
+ NOTE: ssl-renegotiation switched off), has obviously not been tested by upstream
+ NOTE: with 1.59 (it doesn't even compile).
+ NOTE: Also, upstream's fix breaks API/ABI compatibility in some corner cases.
+ NOTE: While these cases are not really supported by Debian, all in all the low
+ NOTE: severity of the issue is not in proportion to the risk of breaking something
+ NOTE: with the fix.
CVE-2008-0552 (Cross-site scripting (XSS) vulnerability in index.php in eTicket ...)
NOT-FOR-US: eTicket
CVE-2008-0551 (The NamoInstaller.NamoInstall.1 ActiveX control in NamoInstaller.dll ...)
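Review bot: the new entry `[etch] - apache <no-dsa> (only exploitable in very specific setups)` names the source package `apache`, but the NOTE directly beneath it states the issue "Only affects the apache-ssl package, not apache or apache-perl", so the tracker would attach this no-dsa decision to a package the notes say is unaffected. Suggest changing the package in that line to the one the notes identify as affected, e.g. `[etch] - apache-ssl <no-dsa> (only exploitable in very specific setups)`, and checking whether the `apache` reference carried over from the removed `- apache <removed>` line rather than being intended.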