Bug 1259216 (CVE-2015-5244)

Summary: CVE-2015-5244 mod_nss: incorrect ciphersuite parsing
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, dpal, ebenes, hkario, jsynacek, mharmsen, mhonek, mprpic, pkis, rcritten, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-10 04:09:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1263070    
Bug Blocks: 1259217    

Description Martin Prpič 2015-09-02 08:37:32 UTC 
The NSSCipherSuite option of mod_nss accepts OpenSSL-styled cipherstrings. It was found that the parsing of such cipherstrings is flawed. If this option is used to disable insecure ciphersuites using the common "!" syntax, e.g.:

NSSCipherSuite !eNULL:!aNULL:AESGCM+aRSA:ECDH+aRSA

it will actually enable those insecure ciphersuites.

Acknowledgements:

This issue was discovered Hubert Kario of Red Hat.
Comment 4 Huzaifa S. Sidhpurwala 2015-09-15 05:34:03 UTC 
Created mod_nss tracking bugs for this issue:

Affects: fedora-all [bug 1263070]
Comment 5 Fedora Update System 2016-01-08 20:55:12 UTC 
mod_nss-1.0.12-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Huzaifa S. Sidhpurwala 2016-03-11 08:35:00 UTC 
This issue was fixed upstream via the following commit:

https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=34e1ccecb4a7d5054dba2f92b403af9b6ae1e110