CVE-2015-2091 Information

Description

The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earlier does not validate client certificates when \GnuTLSClientVerify require\ is set which allows remote attackers to spoof clients via a crafted certificate.

Reference

http://issues.outoforder.cc/view.php?id=93 http://www.debian.org/security/2015/dsa-3177 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663 https://security.gentoo.org/glsa/201709-04