Author: sf Date: 2008-12-25 19:53:03 +0000 (Thu, 25 Dec 2008) New Revision: 10799 Modified: data/CVE/list Log: apache-ssl no-dsa Modified: data/CVE/list ==================================================================--- data/CVE/list 2008-12-25 13:42:25 UTC (rev 10798) +++ data/CVE/list 2008-12-25 19:53:03 UTC (rev 10799) @@ -12255,7 +12255,18 @@ NOT-FOR-US: OpenCA PKI Project CVE-2008-0555 (The ExpandCert function in Apache-SSL before apache_1.3.41+ssl_1.59 ...) - apache <removed> - TODO: check if this needs a DSA + [etch] - apache <no-dsa> (only exploitable in very specific setups) + NOTE: Only affects the apache-ssl package, not apache or apache-perl. + NOTE: Only relevant if the attacker can get a CA that is trusted by the server + NOTE: to sign client certs with arbitrary CN, but cannot influence the contents + NOTE: of the other DN fields. + NOTE: OTOH, the configuration used in Debian''s apache-ssl 1.55 (per-dir + NOTE: ssl-renegotiation switched off), has obviously not been tested by upstream + NOTE: with 1.59 (it doesn''t even compile). + NOTE: Also, upstream''s fix breaks API/ABI compatibility in some corner cases. + NOTE: While these cases are not really supported by Debian, all in all the low + NOTE: severity of the issue is not in proportion to the risk of breaking something + NOTE: with the fix. CVE-2008-0552 (Cross-site scripting (XSS) vulnerability in index.php in eTicket ...) NOT-FOR-US: eTicket CVE-2008-0551 (The NamoInstaller.NamoInstall.1 ActiveX control in NamoInstaller.dll ...)
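Review bot: the package name in the new status line does not match the rationale beneath it. The added `[etch] - apache <no-dsa> (only exploitable in very specific setups)` keys the no-dsa decision to source package `apache`, yet the very next line says `NOTE: Only affects the apache-ssl package, not apache or apache-perl.`; if the decision is about apache-ssl, the status line (and the `- apache <removed>` line it sits under) should name `apache-ssl`, otherwise the tracker records a no-dsa for a package the notes say is unaffected. Second, the hunk header goes from 7 to 18 lines and there are exactly eleven `+` lines, so `TODO: check if this needs a DSA` survives as unchanged context; the no-dsa entry answers that question, so the TODO should be dropped in the same commit. Minor: `Debian''s`, `doesn''t` and `upstream''s` carry doubled apostrophes; if those are in the committed text rather than an artifact of the diff display, fix them before the notes land in the list.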