Bug 134825 - CAN-2004-0885 SSLCipherSuite bypass
Summary: CAN-2004-0885 SSLCipherSuite bypass
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: httpd
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
URL: http://issues.apache.org/bugzilla/sho...
Whiteboard: public=20041005,impact=low
Keywords: Security
Depends On:
Blocks: CVE-2004-0885
TreeView+ depends on / blocked
Reported: 2004-10-06 15:32 UTC by Mark J. Cox
Modified: 2008-01-29 09:32 UTC (History)
1 user (show)

Clone Of:
Last Closed: 2004-11-12 16:38:53 UTC

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:562 normal SHIPPED_LIVE Important: httpd security update 2004-11-12 05:00:00 UTC

Description Mark J. Cox 2004-10-06 15:32:32 UTC
An issue has been discovered in the mod_ssl module when configured to
use the "SSLCipherSuite" directive in directory or location context.
If a particular location context has been configured to require a
specific set of cipher suites, then a client will be able to access
that location using any cipher suite allowed by the virtual host

This issue was reported in Apache bugzilla.

This is a fairly rare and uncommon configuration, so the security
impact is low.  We'll likely include a fix for this issue during the
next Update.

Comment 1 Josh Bressers 2004-11-03 13:31:53 UTC
This is going to be fix by RHSA-2004:562.

Comment 2 Josh Bressers 2004-11-12 16:38:53 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.