[csw-maintainers] [Fwd: Re: [csw-users] Openssl vulnerability CVE-2009-3555]

Yann Rouillard yann at pleiades.fr.eu.org
Sun Dec 6 20:19:11 CET 2009


Hi,

I don't know exactly what the good answer is to the following question 
asked on the csw users mailing list.

Can someone enlighten me?

Yann


-------- Original Message --------
Subject: Re: [csw-users] Openssl vulnerability CVE-2009-3555
Date: Sun, 6 Dec 2009 11:10:15 -0600
From: Mike Gerdts <mgerdts at gmail.com>
Reply-To: Questions and discussions <users at lists.opencsw.org>
To: Questions and discussions <users at lists.opencsw.org>
References: <4B1B9DC4.9050009 at pleiades.fr.eu.org>

On Sun, Dec 6, 2009 at 6:04 AM, Yann Rouillard <yann at pleiades.fr.eu.org> 
wrote:
> Dear users,
>
> A security vulnerability has been recently found in the TLS and SSL
> protocol part related to the handling of session renegotiation [1]. This
> vulnerability allows an attacker to inject arbitrary content at the
> beginning of a TLS/SSL connection within a Man-in-the-middle attack.
>
> This problem is caused by a design flaw in the TLS/SSL protocol and is
> difficult to fix in a clean and backward compatible way. As a result the
> new openssl release (0.9.8l) which fixes this bug simply completely
> disables renegotiation.
>
> This new package will hit csw unstable mirror very soon.

What is the plan for updating stable?  If there are no plans to
maintain stable, is there a documented procedure for me to create a
custom branch (e.g. mystable) that contains the fixes and updates that
I care about?  The current stable seems to be a bit stale.

-- 
Mike Gerdts
http://mgerdts.blogspot.com/