Bug 134826 - CAN-2004-0885 SSLCipherSuite bypass
Summary: CAN-2004-0885 SSLCipherSuite bypass
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: mod_ssl
Version: 2.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
URL: http://issues.apache.org/bugzilla/sho...
Whiteboard: impact=moderate,public=20041005
Depends On:
Blocks: CVE-2004-0885
TreeView+ depends on / blocked
Reported: 2004-10-06 15:33 UTC by Mark J. Cox
Modified: 2008-01-29 09:31 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2004-12-13 19:26:25 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:600 0 normal SHIPPED_LIVE Moderate: apache, mod_ssl security update 2004-12-13 05:00:00 UTC

Description Mark J. Cox 2004-10-06 15:33:20 UTC
An issue has been discovered in the mod_ssl module when configured to
use the "SSLCipherSuite" directive in directory or location context.
If a particular location context has been configured to require a
specific set of cipher suites, then a client will be able to access
that location using any cipher suite allowed by the virtual host

This issue was reported in Apache bugzilla.

This is a fairly rare and uncommon configuration, so the security
impact is low.  We'll likely include a fix for this issue during the
next Update.

Comment 1 John Flanagan 2004-12-13 19:26:25 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.