[csw-users] Openssl vulnerability CVE-2009-3555

Paul Lanken lanken.paul at gmail.com
Sun Dec 6 18:01:06 CET 2009

I don't get it... that fix has been out as a package set for over a
week or more:

On Sun, Dec 6, 2009 at 7:04 AM, Yann Rouillard <yann at pleiades.fr.eu.org> wrote:
> Dear users,
> A security vulnerability has been recently found in the TLS and SSL
> protocol part related to the handling of session renegotiation [1]. This
> vulnerability allows an attacker to inject arbitrary content at the
> beginning of a TLS/SSL connection within a Man-in-the-middle attack.
> This problem is caused by a design flaw in the TLS/SSL protocol and is
> difficult to fix in a clean and backward compatible way. As a result the
> new openssl release (0.9.8l) which fixes this bug simply completely
> disables renegotiation.
> This new package will hit csw unstable mirror very soon.
> This modification should not have any impact for most setups except for
> Apache https configurations which use certificate client verification
> (SSLVerifyClient) or specify a new ssl cipher list (SSLCipherSuite) in a
> directory or location context.
> If that's your case, you should try to use these instructions on
> the server or virtual host level, or avoid upgrading to openssl 0.9.8l [2],
> but you will stay vulnerable in the latter.
> A new protocol extension to TLS is planned to address this issue but the
> RFC draft is still under review and it will require both the client and
> the server to implement the extension.
> Best regards
> Yann
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
> [2] You can avoid upgrading with pkgutil >= 1.9 by adding the following line
> in pkgutil.conf:
>        exclude_pattern=CSWossl
> _______________________________________________
> users mailing list
> users at lists.opencsw.org
> https://lists.opencsw.org/mailman/listinfo/users
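As an added example (not part of this thread or of the OpenCSW packages), here is a small Python checker that scans an Apache configuration for the two directives Yann names, SSLVerifyClient and SSLCipherSuite, and reports where they sit inside a Directory or Location context, since those are the placements that force a TLS renegotiation and stop working once openssl 0.9.8l disables renegotiation. The sample configuration embedded below is constructed for illustration.

```python
import re

# Per-directory contexts the post describes as renegotiation triggers.
OPEN_RE = re.compile(r"^\s*<(Directory|Location|DirectoryMatch|LocationMatch)\b", re.I)
CLOSE_RE = re.compile(r"^\s*</(Directory|Location|DirectoryMatch|LocationMatch)\s*>", re.I)
# The two mod_ssl directives named in the advisory.
DIRECTIVE_RE = re.compile(r"^\s*(SSLVerifyClient|SSLCipherSuite)\s+\S", re.I)

# Constructed sample: vhost-level settings are fine, the per-Location
# client-cert requirement and the per-Directory cipher list are not.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient none
    SSLCipherSuite HIGH:!aNULL
    <Location /secure>
        # requiring a client cert here forces a renegotiation
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
    <Directory /var/www/legacy>
        SSLCipherSuite ALL:!aNULL
    </Directory>
</VirtualHost>
"""


def find_renegotiation_triggers(config_text):
    """Return (line_no, directive, enclosing_context) for every SSLVerifyClient
    or SSLCipherSuite that appears inside a Directory/Location block."""
    findings = []
    context_stack = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        stripped = line.split("#", 1)[0]  # drop comments
        if OPEN_RE.match(stripped):
            context_stack.append(stripped.strip())
            continue
        if CLOSE_RE.match(stripped):
            if context_stack:
                context_stack.pop()
            continue
        m = DIRECTIVE_RE.match(stripped)
        if m and context_stack:
            findings.append((line_no, m.group(1), context_stack[-1]))
    return findings


if __name__ == "__main__":
    for line_no, directive, ctx in find_renegotiation_triggers(SAMPLE_CONF):
        print("line %d: %s inside %s will break with renegotiation disabled"
              % (line_no, directive, ctx))
```

Run it against a real httpd.conf (read the file into the function) to see which blocks need their directives moved up to the server or virtual host level before upgrading.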
