Mailing List Archive: Apache: Dev

Backport proposal for CVE-2009-3555



rainer.jung at kippdata

Nov 9, 2009, 2:28 PM

Post #1 of 2
Backport proposal for CVE-2009-3555

I made a first attempt at backporting the CVE-2009-3555 patch to 2.0:

http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x.patch

I haven't yet had time for intensive testing, but the first tests looked OK.
I noticed I couldn't log the SSL_SESSION_ID, but maybe that was a
Windows thing. I haven't yet had the time or access to test on Unix, or to
test on Windows without the patch.

Unfortunately I'll be offline for about 10 hours and won't be responding to comments.

Regards,

Rainer


rainer.jung at kippdata

Nov 19, 2009, 4:08 AM

Post #2 of 2
Re: Backport proposal for CVE-2009-3555

On 09.11.2009 23:28, Rainer Jung wrote:
> I made a first attempt at backporting the CVE-2009-3555 patch to 2.0:
>
> http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x.patch
>
> I haven't yet had time for intensive testing, but the first tests looked OK.
> I noticed I couldn't log the SSL_SESSION_ID, but maybe that was a
> Windows thing. I haven't yet had the time or access to test on Unix, or to
> test on Windows without the patch.

Testing looked good: client-initiated renegotiation is not allowed, and
server-side renegotiation worked. The previously observed missing SSL_SESSION_ID
in the access logs was due to the client using the TLS session ticket extension
in combination with HTTP keep-alive.

I'll add it to 2.0.x STATUS soon.

Regards,

Rainer
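The two behaviours Rainer reports above, an unsolicited client ClientHello after the initial handshake being refused while a server-requested renegotiation goes through, and a ticket-resuming client presenting an empty session ID, can be modelled at the TLS record level. The following is an added illustration written for this archive page; it is not the backport patch or any mod_ssl code. It assumes a simplified view in which the initial handshake counts as finished once both sides have sent ChangeCipherSpec, it tracks server-initiated renegotiation by the HelloRequest message, and the record exchange it walks is constructed inline (the ticket blob and session ID values are made up).

```python
"""Record-level model of the CVE-2009-3555 mitigation discussed in the thread.

Added illustration, not mod_ssl code: a tiny TLS record parser walks a
constructed client/server exchange, refuses a ClientHello that arrives after
the initial handshake unless the server asked for it with HelloRequest, and
shows why a ticket-resuming client has no session ID to log.
"""
import struct

CHANGE_CIPHER_SPEC, HANDSHAKE = 0x14, 0x16
HELLO_REQUEST, CLIENT_HELLO, SERVER_HELLO = 0, 1, 2
SESSION_TICKET_EXT = 0x0023          # RFC 5077 SessionTicket extension type


def record(content_type, payload):
    """Wrap payload in a TLS 1.0 record header (type, version, length)."""
    return bytes([content_type, 3, 1]) + struct.pack("!H", len(payload)) + payload


def handshake(msg_type, body=b""):
    """Handshake message: type(1) + length(3) + body, inside a Handshake record."""
    return record(HANDSHAKE, bytes([msg_type]) + struct.pack("!I", len(body))[1:] + body)


def client_hello(session_id=b"", extensions=()):
    """Minimal constructed ClientHello: one cipher suite, null compression."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00"
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    return handshake(CLIENT_HELLO, body)


def parse_client_hello(body):
    """Return (session_id, set of extension types) from a ClientHello body."""
    pos = 2 + 32                                  # skip client_version + random
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    exts = set()
    if pos < len(body):                           # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts.add(etype); pos += 4 + elen
    return session_id, exts


def check_exchange(records):
    """Walk (sender, record_bytes) pairs and apply the mitigation policy.

    Returns event strings; 'REJECT' marks a client-initiated renegotiation
    that the policy refuses. Handshake completion is approximated here by
    ChangeCipherSpec having been seen from both peers (simplifying assumption).
    """
    events, initial_done, server_asked, ccs_seen = [], False, False, set()
    for sender, raw in records:
        ctype, length = raw[0], struct.unpack("!H", raw[3:5])[0]
        payload = raw[5:5 + length]
        if ctype == CHANGE_CIPHER_SPEC:
            ccs_seen.add(sender)
            if ccs_seen == {"client", "server"}:
                initial_done, server_asked = True, False   # handshake finished
            continue
        if ctype != HANDSHAKE:
            continue                              # application data etc. ignored
        msg_type, body = payload[0], payload[4:]
        if sender == "server" and msg_type == HELLO_REQUEST:
            server_asked = True                   # server-initiated reneg is allowed
            events.append("server HelloRequest")
        elif sender == "client" and msg_type == CLIENT_HELLO:
            if initial_done and not server_asked:
                events.append("REJECT client-initiated renegotiation")
                continue
            ccs_seen = set()                      # a new handshake starts
            sid, exts = parse_client_hello(body)
            if not sid and SESSION_TICKET_EXT in exts:
                note = "ticket resumption, empty session ID"  # nothing to log
            else:
                note = "session ID " + (sid.hex() or "(new)")
            events.append("ClientHello accepted: " + note)
    return events


TICKET = b"\x00" * 16   # constructed opaque ticket blob, not a real ticket


def demo_exchange():
    """Constructed session: ticket resumption, a server-driven reneg, then a client attempt."""
    return [
        ("client", client_hello(extensions=[(SESSION_TICKET_EXT, TICKET)])),
        ("server", handshake(SERVER_HELLO, b"\x03\x01" + bytes(32) + b"\x00\x00\x2f\x00")),
        ("server", record(CHANGE_CIPHER_SPEC, b"\x01")),
        ("client", record(CHANGE_CIPHER_SPEC, b"\x01")),
        ("server", handshake(HELLO_REQUEST)),     # e.g. per-location client cert demand
        ("client", client_hello(session_id=b"\xaa" * 8)),
        ("server", record(CHANGE_CIPHER_SPEC, b"\x01")),
        ("client", record(CHANGE_CIPHER_SPEC, b"\x01")),
        ("client", client_hello()),               # unsolicited: the CVE-2009-3555 vector
    ]


if __name__ == "__main__":
    for event in check_exchange(demo_exchange()):
        print(event)
```

The first ClientHello carries a SessionTicket extension and a zero-length session ID, which is exactly the case where a logged SSL_SESSION_ID comes out empty on a kept-alive connection; the final ClientHello is refused because no HelloRequest preceded it, while the one the server asked for is accepted.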
