Common Vulnerabilities and Exposures assigned an identifier CVE-2004-0885 to the following vulnerability:

The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration.

References:
http://www.apacheweek.com/features/security-20
http://issues.apache.org/bugzilla/show_bug.cgi?id=31505
http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html
http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01123
http://www.redhat.com/support/errata/RHSA-2004-600.html
http://www.redhat.com/support/errata/RHSA-2004-562.html
http://www.redhat.com/support/errata/RHSA-2005-816.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1
http://www.ubuntu.com/usn/usn-177-1
http://marc.theaimsgroup.com/?l=bugtraq&m=109786159119069&w=2
http://www.securityfocus.com/bid/11360
http://www.frsirt.com/english/advisories/2006/0789
http://secunia.com/advisories/19072
http://xforce.iss.net/xforce/xfdb/17671
An issue has been discovered in the mod_ssl module when configured to use the "SSLCipherSuite" directive in directory or location context. If a particular location context has been configured to require a specific set of cipher suites, then a client will be able to access that location using any cipher suite allowed by the virtual host configuration. This issue was reported in Apache bugzilla. This is a fairly rare and uncommon configuration, so the security impact is low. We'll likely include a fix for this issue during the next Update.