[csw-users] Openssl vulnerability CVE-2009-3555
Mike Gerdts
mgerdts at gmail.com
Sun Dec 6 18:10:15 CET 2009
On Sun, Dec 6, 2009 at 6:04 AM, Yann Rouillard <yann at pleiades.fr.eu.org> wrote:
> Dear users,
>
> A security vulnerability has been recently found in the TLS and SSL
> protocol part related to the handling of session renegotiation [1]. This
> vulnerability allows an attacker to inject arbitrary content at the
> beginning of a TLS/SSL connection within a Man-in-the-middle attack.
>
> This problem is caused by a design flaw in the TLS/SSL protocol and is
> difficult to fix in a clean and backward compatible way. As a result the
> new openssl release (0.9.8l) which fixes this bug simply completely
> disables renegotiation.
>
> This new package will hit csw unstable mirror very soon.
What is the plan for updating stable? If there are no plans to
maintain stable, is there a documented procedure for me to create a
custom branch (e.g. mystable) that contains the fixes and updates that
I care about? The current stable seems to be a bit stale.
--
Mike Gerdts
http://mgerdts.blogspot.com/
More information about the users
mailing list