Description of problem:
Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one.

Version-Release number of selected component (if applicable):
all versions of mod_ssl, all versions of httpd before 2.0.47
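To check whether a server relies on the per-directory renegotiation this report describes, the following added example (not part of the bug report or of mod_ssl) scans an httpd configuration for `SSLCipherSuite` directives inside per-directory containers. It assumes mod_ssl's behavior of renegotiating when the directive appears in such a container; the function names and the sample configuration are constructed for illustration.

```python
import re

# Containers whose directives apply per request (per-directory context).
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
OPEN = re.compile(r"<\s*([A-Za-z]+)\b([^>]*)>")
CLOSE = re.compile(r"</\s*([A-Za-z]+)\s*>")

def find_perdir_ciphersuites(conf_text):
    """Return (line_no, enclosing_section, cipher_spec) for each SSLCipherSuite
    that sits inside a per-directory container."""
    stack, findings = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.match(line)
        if m:
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip()))
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "sslciphersuite" and len(parts) == 2:
            scope = next((s for s in reversed(stack) if s[0] in PER_DIR), None)
            if scope:
                findings.append((no, "%s %s" % scope, parts[1]))
    return findings

def httpd_before_2_0_47(version):
    """True if an httpd version string such as '2.0.46' predates 2.0.47."""
    return tuple(int(p) for p in version.split(".")[:3]) < (2, 0, 47)

# Constructed sample configuration (hypothetical paths and cipher specs).
SAMPLE = """\
<VirtualHost *:443>
    SSLCipherSuite ALL:!ADH
    <Directory "/var/www/secure">
        SSLCipherSuite HIGH:!aNULL
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for no, scope, spec in find_perdir_ciphersuites(SAMPLE):
        print("line %d: renegotiates to %r in <%s>" % (no, spec, scope))
```

Any finding on an httpd older than 2.0.47 marks a location where the stronger suite may not actually be in effect; `.htaccess` files are also per-directory context and need the same check.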
*** Bug 101784 has been marked as a duplicate of this bug. ***
This bug was opened on July 9 to address a security issue and it remains a "NEW" status issue. When can we expect movement on this so that Red Hat users and RHN subscribers aren't being encouraged to use outdated and insecure software packages?
I guess it should really be "assigned" since we did start through our internal errata process which will lead to an errata. This issue is classed as a low priority, however, as the SSL renegotiation options were for a long time considered experimental and are rarely used.
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2003-240.html