[csw-users] Openssl vulnerability CVE-2009-3555

Paul Lanken lanken.paul at gmail.com
Sun Dec 6 18:01:06 CET 2009


I don't get it... that fix has been out as a package set for over a
week or more:

http://mirrors.med.harvard.edu/csw/unstable/sparc/5.8/openssl-0.9.8l,REV=2009.11.23-SunOS5.8-sparc-CSW.pkg.gz

and

http://mirrors.med.harvard.edu/csw/unstable/sparc/5.8/apache2-2.2.14,REV=2009.10.16-SunOS5.8-sparc-CSW.pkg.gz



On Sun, Dec 6, 2009 at 7:04 AM, Yann Rouillard <yann at pleiades.fr.eu.org> wrote:
> Dear users,
>
> A security vulnerability has been recently found in the TLS and SSL
> protocol part related to the handling of session renegotiation [1]. This
> vulnerability allows an attacker to inject arbitrary content at the
> beginning of a TLS/SSL connection within a man-in-the-middle attack.
>
> This problem is caused by a design flaw in the TLS/SSL protocol and is
> difficult to fix in a clean and backward compatible way. As a result the
> new openssl release (0.9.8l) which fixes this bug simply completely
> disables renegotiation.
>
> This new package will hit csw unstable mirror very soon.
>
> This modification should not have any impact for most setups except for
> Apache https configurations which use certificate client verification
> (SSLVerifyClient) or specify a new ssl cipher list (SSLCipherSuite) in a
> directory or location context.
> If that's your case, you should try to use these instructions on
> the server or virtual host level, or avoid upgrading to openssl 0.9.8l [2],
> but you will stay vulnerable in the latter.
>
> A new protocol extension to TLS is planned to address this issue but the
> RFC draft is still under review and it will require both the client and
> the server to implement the extension.
>
> Best regards,
>
> Yann
>
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
> [2] You can avoid upgrading with pkgutil >= 1.9 by adding the following line
> in pkgutil.conf:
>        exclude_pattern=CSWossl
>
>
> _______________________________________________
> users mailing list
> users at lists.opencsw.org
> https://lists.opencsw.org/mailman/listinfo/users
>
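The configurations Yann singles out are those where SSLVerifyClient or SSLCipherSuite appear inside a Directory or Location container, because mod_ssl can only honour a per-directory change by renegotiating after the request is known, which is exactly what openssl 0.9.8l refuses. The following is an added example, not code from the list post or from OpenCSW: a small nesting-aware scan of an httpd.conf that flags those directives when they sit inside such a container, run here against a constructed sample configuration.

```python
import re

# Constructed sample httpd.conf fragment (not from the list post). The two
# per-directory SSL directives are the pattern that triggers a renegotiation;
# the same directives at VirtualHost level (lines 3-4) are fine.
SAMPLE_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
    <Directory /var/www/htdocs/partners>
        SSLCipherSuite HIGH:!aNULL:!MD5
    </Directory>
</VirtualHost>
"""

# Directives named in the post as renegotiation triggers in per-dir context.
RENEG_DIRECTIVES = {"sslverifyclient", "sslciphersuite"}
# Containers that count as "directory or location context" (the *Match forms
# are the same context type in Apache).
PERDIR_CONTAINERS = {"directory", "directorymatch", "location", "locationmatch"}

OPEN_RE = re.compile(r"^\s*<(\w+)\b[^>]*>\s*$")
CLOSE_RE = re.compile(r"^\s*</(\w+)\s*>\s*$")


def find_renegotiating_directives(conf_text):
    """Return (line_no, container, directive) for every SSLVerifyClient /
    SSLCipherSuite found inside a Directory/Location style container."""
    findings = []
    stack = []  # open containers, innermost last
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if m := OPEN_RE.match(line):
            stack.append(m.group(1))
            continue
        if m := CLOSE_RE.match(line):
            if stack and stack[-1].lower() == m.group(1).lower():
                stack.pop()
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        directive = stripped.split()[0]
        if directive.lower() in RENEG_DIRECTIVES and any(
            c.lower() in PERDIR_CONTAINERS for c in stack
        ):
            findings.append((lineno, stack[-1], directive))
    return findings


if __name__ == "__main__":
    for lineno, container, directive in find_renegotiating_directives(SAMPLE_CONF):
        print(f"line {lineno}: {directive} inside <{container}> triggers renegotiation")
```

Each hit is a directive to move up to the server or VirtualHost level before upgrading to openssl 0.9.8l, as the post recommends.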


