backport from trunk and 2.2.x:
authorJeff Trawick <trawick@apache.org>
Fri, 7 Oct 2005 23:55:44 +0000 (23:55 +0000)
committerJeff Trawick <trawick@apache.org>
Fri, 7 Oct 2005 23:55:44 +0000 (23:55 +0000)
   SECURITY: CAN-2005-2700 (cve.mitre.org)
   mod_ssl: Fix a security issue where "SSLVerifyClient" was not
   enforced in per-location context if "SSLVerifyClient optional"
   was configured in the vhost configuration.

Submitted by: Joe Orton
Reviewed by: wrowe, trawick

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@307220 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/ssl/ssl_engine_kernel.c

diff --git a/CHANGES b/CHANGES
index 1712823c75870770e09b1e3b4fa9a96769bdc86a..da3b60b6dfb4f2374f2a42d93d66e45dc2958fbd 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.55
 
+  *) SECURITY: CAN-2005-2700 (cve.mitre.org)
+     mod_ssl: Fix a security issue where "SSLVerifyClient" was not
+     enforced in per-location context if "SSLVerifyClient optional"
+     was configured in the vhost configuration.  [Joe Orton]
+
   *) worker MPM: Fix a memory leak which can occur after an aborted
      connection in some limited circumstances.  [Greg Ames]
 
diff --git a/STATUS b/STATUS
index 7af4b887af5edeee24a4a87cc9e05eaebd402e55..9846ac5a3ba796303d310da313602621461fcba4 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -104,12 +104,6 @@ CURRENT RELEASE NOTES:
 
 RELEASE SHOWSTOPPERS:
 
-    *) Fix CAN-2005-2700, mod_ssl SSLVerifyClient bug
-         http://svn.apache.org/viewcvs?rev=264800&view=rev
-       test case: perl-framework/t/security/CAN-2005-2700.t
-       +1: jorton, wrowe, trawick
-       wrowe cautions to backport to 2.2.x branch as well.
-
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
index 268079bd5c73b1091b05146ccb410fedec43accf..eeaf5ea6e99612b5f87527d8c9b3432ca6982120 100644 (file)
@@ -406,8 +406,8 @@ int ssl_hook_Access(request_rec *r)
                 (!(verify_old & SSL_VERIFY_PEER) &&
                   (verify     & SSL_VERIFY_PEER)) ||
 
-                (!(verify_old & SSL_VERIFY_PEER_STRICT) &&
-                  (verify     & SSL_VERIFY_PEER_STRICT)))
+                (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
+                  (verify     & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
             {
                 renegotiate = TRUE;
                 /* optimization */
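Review bot: The new test on the `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` pair depends on that constant being a single flag bit, and nothing in the hunk records why the multi-bit `SSL_VERIFY_PEER_STRICT` mask was wrong here, so a later tidy-up could reintroduce it; a comment above the condition would pin it down, e.g. `/* Compare single bits only: a combined mask like SSL_VERIFY_PEER_STRICT is already non-zero in verify_old when just SSL_VERIFY_PEER ("optional") is set, so the old->new strictness test never fires (CAN-2005-2700). */`. If `SSL_VERIFY_PEER_STRICT` is indeed defined as the OR of the two OpenSSL flags, as its name suggests (confirm against the mod_ssl header), then `!(verify_old & MASK)` is false as soon as any bit of the mask is set, which matches the reported failure to renegotiate for a per-location `require` under a vhost `optional`. The STATUS entry removed by this commit refers to a regression test `t/security/CAN-2005-2700.t`; it would be worth citing it in the comment so the behaviour stays covered. ssl_hook_Access begins before and continues after this hunk, so how `verify` and `verify_old` are derived is not visible here.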