Hello community, here is the log from the commit of package patchinfo.2403 for openSUSE:13.1:Update checked in at 2013-12-25 17:19:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/patchinfo.2403 (Old) and /work/SRC/openSUSE:13.1:Update/.patchinfo.2403.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "patchinfo.2403" Changes: -------- New Changes file: NO CHANGES FILE!!! New: ---- _patchinfo ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _patchinfo ++++++ <patchinfo> <issue id="847216" tracker="bnc">FATE#316419: apache2-mod_nss: tracker bug</issue> <issue id="853039" tracker="bnc">CVE-2013-4566: apache2-mod_nss: client certificate verification problematic</issue> <issue id="CVE-2013-4566" tracker="cve" /> <category>security</category> <rating>moderate</rating> <packager>draht</packager> <description> - mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566: If 'NSSVerifyClient none' is set in the server / vhost context (i.e. when server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication is expected to be required for a specific directory via 'NSSVerifyClient require' setting, mod_nss fails to properly require certificate authentication. Remote attacker can use this to access content of the restricted directories. [bnc#853039] - glue documentation added to /etc/apache2/conf.d/mod_nss.conf: * simultaneaous usage of mod_ssl and mod_nss * SNI concurrency * SUSE framework for apache configuration, Listen directive * module initialization - mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in or mod_nss.conf, respectively. This also leads to the removal of nss.conf.in specific chunks in mod_nss-negotiate.patch and mod_nss-tlsv1_1.patch . - mod_nss_migrate.pl conversion script added; not patched from source, but partially rewritten. - README-SUSE.txt added with step-by-step instructions on how to convert and manage certificates and keys, as well as a rationale about why mod_nss was included in SLES. - package ready for submission [bnc#847216] - generic cleanup of the package: - explicit Requires: to mozilla-nss >= 3.15.1, as TLS-1.2 support came with this version - this is the objective behind this version update of apache2-mod_nss. Tracker bug [bnc#847216] - change path /etc/apache2/alias to /etc/apache2/mod_nss.d to avoid ambiguously interpreted name of directory. - merge content of /etc/apache2/alias to /etc/apache2/mod_nss.d if /etc/apache2/alias exists. - set explicit filemodes 640 for %post generated *.db files in /etc/apache2/mod_nss.d </description> <summary>update for apache2-mod_nss</summary> </patchinfo> -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
