diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/vuxml/vuln.xml | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 67041da3e9ac..2d4cfa5686c0 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -70,15 +70,15 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <body xmlns="http://www.w3.org/1999/xhtml"> <p>From the Apache-SSL security advisory:</p> <blockquote> - If configured with SSLVerifyClient set to 1 or 3 (client + <p>If configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions would permit a client to use real basic authentication to forge a client - certificate. + certificate.</p> - All the attacker needed is the "one-line DN" of a valid + <p>All the attacker needed is the "one-line DN" of a valid user, as used by faked basic auth in Apache-SSL, and the - fixed password ("password" by default). + fixed password ("password" by default).</p> </blockquote> </body> </description> |