Date: Mon, 01 Apr 2019 20:31:27 -0500 From: Daniel Ruggeri <druggeri@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2019-0215: mod_ssl access control bypass CVE-2019-0215: mod_ssl access control bypass Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.27 to 2.4.38 Description: In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions. Mitigation: This issue can be mitigated by disabling the TLSv1.3 protocol for a VirtualHost which requires per-location or per-directory client certificate authentication. Credit: The issue was discovered by Michael Kaufmann. References: https://httpd.apache.org/security/vulnerabilities_24.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.