| Name | CVE-2008-0555 |
| Description | The ExpandCert function in Apache-SSL before apache_1.3.41+ssl_1.59 does not properly handle (1) '/' and (2) '=' characters in a Distinguished Name (DN) in a client certificate, which might allow remote attackers to bypass authentication via a crafted DN that triggers overwriting of environment variables. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| apache | source | (unstable) | (unfixed) | | | |
Notes
[etch] - apache <no-dsa> (only exploitable in very specific setups)
Only affects the apache-ssl package, not apache or apache-perl.
Only relevant if the attacker can get a CA that is trusted by the server
to sign client certs with arbitrary CN, but cannot influence the contents
of the other DN fields.
OTOH, the configuration used in Debian's apache-ssl 1.55 (per-dir
ssl-renegotiation switched off), has obviously not been tested by upstream
with 1.59 (it doesn't even compile).
Also, upstream's fix breaks API/ABI compatibility in some corner cases.
While these cases are not really supported by Debian, all in all the low
severity of the issue is not in proportion to the risk of breaking something
with the fix.