[csw-users] Openssl vulnerability CVE-2009-3555

Mike Gerdts mgerdts at gmail.com
Sun Dec 6 18:10:15 CET 2009

On Sun, Dec 6, 2009 at 6:04 AM, Yann Rouillard <yann at pleiades.fr.eu.org> wrote:
> Dear users,
> A security vulnerability has been recently found in the TLS and SSL
> protocol part related to the handling of session renegotiation [1]. This
> vulnerability allows an attacker to inject arbitrary content at the
> beginning of a TLS/SSL connection within a Man-in-the-middle attack.
> This problem is caused by a design flaw in the TLS/SSL protocol and is
> difficult to fix in a clean and backward compatible way. As a result the
> new openssl release (0.9.8l) which fixes this bug simply completely
> disables renegotiation.
> This new package will hit csw unstable mirror very soon.

What is the plan for updating stable?  If there are no plans to
maintain stable, is there a documented procedure for me to create a
custom branch (e.g. mystable) that contains the fixes and updates that
I care about?  The current stable seems to be a bit stale.

Mike Gerdts

More information about the users mailing list