Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2005-2700

ssl_engine_kernel.c in mod_ssl before 2.8.24, when using “SSLVerifyClient optional” in the global virtual host configuration, does not properly enforce “SSLVerifyClient require” in a per-location context, which allows remote attackers to bypass intended access restrictions.

CVE
#perl#ssl

Index: modules/ssl/ssl_engine_kernel.c =================================================================== — modules/ssl/ssl_engine_kernel.c (revision 264993) +++ modules/ssl/ssl_engine_kernel.c (working copy) @@ -406,8 +406,8 @@ (!(verify_old & SSL_VERIFY_PEER) && (verify & SSL_VERIFY_PEER)) || - (!(verify_old & SSL_VERIFY_PEER_STRICT) && - (verify & SSL_VERIFY_PEER_STRICT))) + (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) && + (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { renegotiate = TRUE; /* optimization */

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907