[Bug 484417] Re: CVE-2009-3555 OpenSSL need to be updated to close TLS MITM attack

2010-09-21 Thread Marc Deslauriers
Updates have now been released for stable releases, and openssl in Maverick is already fixed. http://www.ubuntu.com/usn/usn-990-1 ** Changed in: openssl (Ubuntu) Status: Confirmed => Fix Released ** Also affects: openssl (Ubuntu Lucid) Importance: Undecided Status: New **

[Bug 484417] Re: CVE-2009-3555 OpenSSL need to be updated to close TLS MITM attack

2010-04-21 Thread Lukas Koranda
Hi, we need the following to properly fix that issue. Fixed in 0.9.8m [25 Feb 2010] that follows http://tools.ietf.org/html/rfc5746 *) Implement RFC5746. Re-enable renegotiation but require the extension as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out

[Bug 484417] Re: CVE-2009-3555 OpenSSL need to be updated to close TLS MITM attack

2010-04-21 Thread Jamie Strandboge
Lukas, other than this issue, openssl in Ubuntu has no open security issues. We backport security fixes and openssl security in Ubuntu is fine. 0.9.8n (or backported patches) is being evaluated for inclusion in Ubuntu, but the issue is quite complicated. For more information, please see (along

[Bug 484417] Re: CVE-2009-3555 OpenSSL need to be updated to close TLS MITM attack

2010-04-21 Thread Lukas Koranda
Jamie, you are definitely right. I would like to clarify it now. To fix latest reported vulnerabilities it should be fine to update to 0.9.8n or backport patches. I'll be happy with that, because this is enough for use with Apache httpd 2.2.15 (or again backported patches). But there is also good

[Bug 484417] Re: CVE-2009-3555 OpenSSL need to be updated to close TLS MITM attack

2010-04-08 Thread Florent Georges
Hi, I need to re-enable renegotiation (at least temporarily) because it is needed by svnsync (Subversion over HTTPS). Unfortunately I do not understand the above comment about re-enabling it. Do you have any pointer? Regards, -- Florent Georges -- CVE-2009-3555 OpenSSL need to be

[Bug 484417] Re: CVE-2009-3555 OpenSSL need to be updated to close TLS MITM attack

2010-02-05 Thread Marc Deslauriers
** Changed in: openssl (Ubuntu) Importance: Undecided => Low -- CVE-2009-3555 OpenSSL need to be updated to close TLS MITM attack https://bugs.launchpad.net/bugs/484417 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs

[Bug 484417] Re: CVE-2009-3555 OpenSSL need to be updated to close TLS MITM attack

2009-11-19 Thread Benjamin
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3555 ** Visibility changed to: Public

[Bug 484417] Re: CVE-2009-3555 OpenSSL need to be updated to close TLS MITM attack

2009-11-19 Thread Jamie Strandboge
While OpenSSL does need to be updated, it requires a protocol change to fix properly. At this time, Ubuntu is waiting on the protocol changes discussed by the IETF to be formalized before patching OpenSSL. In the meantime, since there are known attacks against the HTTPS protocol, Apache was