Mailing List Archive: Apache: Bugs

[Bug 48210] TLS / SSL Man-In-The-Middle Renegotiation Vulnerability


bugzilla at apache

Nov 17, 2009, 2:27 AM

Post #1 of 2 (518 views)
[Bug 48210] TLS / SSL Man-In-The-Middle Renegotiation Vulnerability

https://issues.apache.org/bugzilla/show_bug.cgi?id=48210

--- Comment #1 from Alberto Colosi <alcol [at] hotmail> 2009-11-17 02:26:57 UTC ---
TLS / SSL Man-In-The-Middle Renegotiation Vulnerability

CVE #:
CVE-2009-3555
Release Date:
November 4, 2009
Vulnerable OS:
Any
Vulnerable Application:
N/A
Risk Type:
Unauthorized Access
Summary:
TLS 1.0 and SSL 3.0 contain a man-in-the-middle renegotiation vulnerability.
Info:
TLS 1.0 (and higher) and SSL 3.0 (and higher) are vulnerable to
man-in-the-middle style attacks.

The flaw is specific to the renegotiation phase within the protocol. An
attacker can potentially inject arbitrary plaintext into an application's
protocol stream. This action can lead to numerous results, including attacks
on Certificate Authentication mechanisms. This issue affects multiple
platforms/vendors/applications which use the affected protocols.
General Fix:
Apply the appropriate patch from your vendor. Several vendors have released
httpd update packages.

The OpenSSL Repository also contains an update for OpenSSL.

It should be noted that initial patches simply mitigate the problem by
disabling renegotiation rather than solving the problem completely.
References:
BugTraq SecurityFocus BID 36935

CERT
CERT Vulnerability Note VU#120541

Cisco
Cisco Advisory ID: cisco-sa-20091109-tls

Foundstone
Faultline ID 7312

Mandriva
Mandriva Security Advisory MDVSA-2009:295

OAR
MSS-OAR-E01-2009:3405.1
MSS-OAR-E01-2009:3456.1
MSS-OAR-E01-2009:3457.1
MSS-OAR-E01-2009:3458.1
MSS-OAR-E01-2009:3464.1

Other
OpenSSL CVS Repository Check-in 18790
Citrix Document ID: CTX123359

RedHat
Red Hat Security Advisory RHSA-2009-1579
Red Hat Security Advisory RHSA-2009-1580

XForce
XForce tls-renegotiation-weak-security (54158)

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd
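The advisory above notes that the first patches only disable renegotiation; the complete fix, standardized in RFC 5746, binds each renegotiation to the previous handshake through a `renegotiation_info` extension (type 0xff01) that both peers must send. A defender verifying that a server carries the full fix rather than the stop-gap can check for that extension in the ServerHello. The following parser is an added example, not code from the bug report, from httpd, or from OpenSSL; it decodes a TLS handshake record holding a ServerHello and reports whether RFC 5746 secure renegotiation was advertised. The `build_server_hello` helper constructs sample records for offline use (the random bytes and cipher suite are made up, not captured traffic), and all function names are this example's own.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # RFC 5746 extension type

# TLS version numbers as they appear on the wire, for readable output
_VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello.

    Returns the negotiated version, the cipher suite, and whether the server
    sent a well-formed renegotiation_info extension. Raises ValueError on
    anything that is not a complete ServerHello record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")

    pos = 0
    version = (hello[pos], hello[pos + 1])
    pos += 2
    pos += 32                       # server random
    pos += 1 + hello[pos]           # session_id length byte plus session_id
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                        # cipher_suite (2) plus compression_method (1)

    extensions = {}
    if pos < len(hello):            # extensions block is optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(hello):
            raise ValueError("extensions length exceeds message")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if len(edata) != elen:
                raise ValueError("truncated extension")
            extensions[etype] = edata
        if pos != end:
            raise ValueError("malformed extensions block")

    # RFC 5746: data is a length byte followed by renegotiated_connection;
    # on an initial handshake the connection data must be empty (one 0x00 byte).
    reneg = extensions.get(RENEGOTIATION_INFO)
    secure = reneg is not None and len(reneg) == 1 + reneg[0]

    return {
        "version": _VERSIONS.get(version, "unknown %d.%d" % version),
        "cipher_suite": cipher_suite,
        "secure_renegotiation": secure,
    }


def build_server_hello(include_renegotiation_info: bool) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (sample data, not a capture)."""
    hello = b"\x03\x01"                 # server_version: TLS 1.0
    hello += b"\x11" * 32               # server random (constant, for the sample)
    hello += b"\x00"                    # session_id length 0
    hello += b"\x00\x2f"                # TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x00"                    # compression_method: null
    if include_renegotiation_info:
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for patched in (False, True):
        info = parse_server_hello(build_server_hello(patched))
        state = "supports" if info["secure_renegotiation"] else "does NOT advertise"
        print("%s, cipher 0x%04x: server %s RFC 5746 secure renegotiation"
              % (info["version"], info["cipher_suite"], state))
```

A server that answers without `renegotiation_info` is either unpatched or running the stop-gap that merely refuses renegotiation; only the presence of the extension shows the complete fix is deployed. Against a live host the same question can be asked with OpenSSL's `s_client`, which prints whether secure renegotiation is supported.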


bugzilla at apache

Nov 17, 2009, 4:50 AM

Post #2 of 2 (490 views)
[Bug 48210] TLS / SSL Man-In-The-Middle Renegotiation Vulnerability [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=48210

Ruediger Pluem <rpluem [at] apache> changed:

What        | Removed | Added
------------+---------+------------------------------
Keywords    |         | FixedInTrunk, PatchAvailable
Status      | NEW     | RESOLVED
Resolution  |         | FIXED

--- Comment #2 from Ruediger Pluem <rpluem [at] apache> 2009-11-17 05:50:17 CET ---
See
http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
and ongoing discussion on dev list.
