Mailing List Archive: Apache: Dev

Updated draft announcement apache.

dirkx at webweaving

Nov 6, 2009, 2:13 PM

Updated draft announcement apache.

With some feedback from various folks.

Thanks,

Dw.

Apache httpd is affected by CVE-2009-3555[1] (The SSL Injection or MiM
attack[2]).

We strongly urge you to upgrade to OpenSSL 0.9.8l; and be prepared to
deploy 0.9.8m as it becomes available[3,4]. Note that these are short
term and mid-term mitigation; the long term solution may well require a
modification of the SSL and/or TLS protocols[5].

For those who are not able to upgrade swiftly and/or for those who need
detailed logging - we recommend that you roll out this patch (URL) as
soon as possible.

If you are unable to patch and unable to roll out a newer version of
OpenSSL, and you rely on Client Side Authentication with Certificates
then we recommend that you ensure that you limit your configuration to a
single 'SSLClient require' at VirtualHost/Server level and remove
all other (re)negotiation changes. However this does NOT fully protect
you - it just curtails authentication in this specific setting.

A version with this patch, Apache 2.2.15, is currently being
readied[4]; there are no plans for a backport to 1.3.X at this time. A
further announcement will be sent out when these are available.

1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
2: http://www.links.org/?p=780, http://extendedsubset.com/?p=8
3: http://www.openssl.org/source/
openssl-announce mailing list on
http://www.openssl.org/support/community.html
4: http://httpd.apache.org/
5: http://www.ietf.org/mail-archive/web/tls/current/msg03963.html


dirkx at webweaving

Nov 6, 2009, 2:30 PM

Re: Updated draft announcement apache.

After further editing. Timeline is to do this shortly after Joe's patch
gets the needed votes.

Dw.

To: announce [at] httpd
Subject: CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation

Apache httpd is affected by CVE-2009-3555[1] (The SSL Injection or MiM
attack[2]).

We strongly urge you to upgrade to OpenSSL 0.9.8l; and be prepared to
deploy 0.9.8m as it becomes available[3]. Note that these are short term
and mid-term mitigation; the long term solution may well require a
modification of the SSL and/or TLS protocols[4].

For those who are not able to upgrade OpenSSL swiftly and/or for those
who need detailed logging - we recommend that you roll out this patch:

http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/xx.
sha1: xxxx
md5: xxxx

for mod_ssl as soon as possible. This is a partial fix in lieu of the
protocol issues being addressed and further changes to OpenSSL.

If you are unable to patch and unable to roll out a newer version of
OpenSSL, and you rely on Client Side Authentication with Certificates
then we recommend that you 1) ensure that you limit your configuration
to a single 'SSLClient require' on VirtualHost/Server level and 2) remove
all other (re)negotiation/require directives. However this does NOT
fully protect you - it just curtails authentication in this specific
setting.

A version with this patch, Apache 2.2.15, is currently being readied[4].
Note that mod_ssl is not part of the 1.3 branch distribution. A
further announcement will be sent out when these are available.

1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
2: http://www.links.org/?p=780, http://extendedsubset.com/?p=8
3: http://www.openssl.org/source/
openssl-announce mailing list on
http://www.openssl.org/support/community.html
4: http://www.ietf.org/mail-archive/web/tls/current/msg03963.html
5: http://httpd.apache.org/
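As an added illustration that is not part of the draft above, here is the configuration shape the announcement warns against beside the interim layout it recommends. It assumes that 'SSLClient require' refers to mod_ssl's SSLVerifyClient directive; the file paths and the /secure location are constructed placeholders.

```apache
# Added illustration, not from the announcement draft. Constructed
# mod_ssl fragments; assumes 'SSLClient require' means SSLVerifyClient.

# --- Layout the announcement warns against ---
# A client certificate is demanded only for one Location, so mod_ssl
# must renegotiate mid-connection to request it. That renegotiation is
# the step CVE-2009-3555 concerns.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem       # placeholder
    SSLCertificateKeyFile /etc/ssl/private/example.key     # placeholder
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem     # placeholder
    SSLVerifyClient none

    <Location /secure>
        SSLVerifyClient require      # differs from vhost: forces renegotiation
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# --- Interim layout the announcement recommends ---
# A single SSLVerifyClient at VirtualHost level means the certificate is
# requested in the initial handshake, so no renegotiation is needed.
# Per-directory SSLVerifyClient, SSLVerifyDepth and SSLCipherSuite
# settings that differ from the vhost are removed, since any such
# difference also triggers a renegotiation on first access.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem       # placeholder
    SSLCertificateKeyFile /etc/ssl/private/example.key     # placeholder
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem     # placeholder
    SSLVerifyClient require
    SSLVerifyDepth  2

    <Location /secure>
        # no per-location SSL directives here
    </Location>
</VirtualHost>
```

As the draft states, this only avoids renegotiation in this one configuration; it is not a fix for the protocol issue and does not replace the OpenSSL upgrade or the mod_ssl patch.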
