Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1319052 - (CVE-2016-3099) CVE-2016-3099 mod_nss: Invalid handling of +CIPHER operator
CVE-2016-3099 mod_nss: Invalid handling of +CIPHER operator
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20160405,reported=2...
: Security
Depends On: 1323913 1323914
Blocks: 1319056 1323912
  Show dependency treegraph
 
Reported: 2016-03-18 10:30 EDT by Adam Mariš
Modified: 2016-11-04 03:59 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way mod_nss parsed certain OpenSSL-style cipher strings. As a result, mod_nss could potentially use ciphers that were not intended to be enabled.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2602 normal SHIPPED_LIVE Low: mod_nss security, bug fix, and enhancement update 2016-11-03 08:12:49 EDT

  None (edit)
Description Adam Mariš 2016-03-18 10:30:28 EDT 
It was reported that +CIPHER operator in OpenSSL changes the order of a cipher. Since cipher ordering isn't supported in NSS, the mod_nss code was supposed to return an error. Instead it returned the result of processing up to that point. Default OpenSSL cipher string:

!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES

Would not properly exclude anything because only the first 5 elements would be examined.
Comment 1 Adam Mariš 2016-03-18 10:30:35 EDT 
Acknowledgments:

Name: Rob Crittenden (Red Hat)
Comment 4 Huzaifa S. Sidhpurwala 2016-04-05 00:49:23 EDT 
Created mod_nss tracking bugs for this issue:

Affects: fedora-all [bug 1323914]
Comment 5 errata-xmlrpc 2016-11-03 17:20:27 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2602 https://rhn.redhat.com/errata/RHSA-2016-2602.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.