https://issues.apache.org/bugzilla/show_bug.cgi?id=48210
--- Comment #1 from Alberto Colosi <[email protected]> 2009-11-17 02:26:57 UTC ---

TLS / SSL Man-In-The-Middle Renegotiation Vulnerability

CVE #: CVE-2009-3555
Release Date: November 4, 2009
Vulnerable OS: Any
Vulnerable Application: N/A
Risk Type: Unauthorized Access

Summary:
TLS 1.0 and SSL 3.0 contain a man-in-the-middle renegotiation vulnerability.

Info:
TLS 1.0 (and higher) and SSL 3.0 (and higher) are vulnerable to man-in-the-middle style attacks. The flaw is specific to the renegotiation phase within the protocol. An attacker can potentially inject arbitrary plaintext into an application's protocol stream. This action can lead to numerous results, including attacks on Certificate Authentication mechanisms. This issue affects multiple platforms/vendors/applications which use the affected protocols.

General Fix:
Apply the appropriate patch from your vendor. Several vendors have released httpd update packages. The OpenSSL Repository also contains an update for OpenSSL. It should be noted that initial patches simply mitigate the problem by disabling renegotiation rather than solving the problem completely.

References:
BugTraq: SecurityFocus BID 36935
CERT: CERT Vulnerability Note VU#120541
Cisco: Cisco Advisory ID: cisco-sa-20091109-tls
Foundstone: Faultline ID 7312
Mandriva: Mandriva Security Advisory MDVSA-2009:295
OAR: MSS-OAR-E01-2009:3405.1, MSS-OAR-E01-2009:3456.1, MSS-OAR-E01-2009:3457.1, MSS-OAR-E01-2009:3458.1, MSS-OAR-E01-2009:3464.1
Other: OpenSSL CVS Repository Check-in 18790; Citrix Document ID: CTX123359
RedHat: Red Hat Security Advisory RHSA-2009-1579; Red Hat Security Advisory RHSA-2009-1580
XForce: XForce tls-renegotiation-weak-security (54158)
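The renegotiation phase the advisory points at is visible at the record layer even on an encrypted connection: in SSL 3.0 and TLS 1.0 through 1.2 the 5-byte record header (content type, version, length) is never encrypted, so a passive monitor can still distinguish handshake records from ChangeCipherSpec and application data after the session keys are in place. The detector below is an added example written for this page, not code from the bug report or from any vendor patch. It parses record headers from a capture that is constructed inline (record bodies are stand-in bytes, since only the headers matter here) and flags any handshake record that arrives after both peers have completed the initial handshake, which is what a renegotiation looks like on the wire. The `("c2s" | "s2c", bytes)` segment format is an assumption of this example, standing in for whatever a real capture tool hands you.

```python
"""Spot TLS renegotiation in a captured record stream (added example)."""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

CT_CHANGE_CIPHER_SPEC = 0x14
CT_ALERT = 0x15
CT_HANDSHAKE = 0x16
CT_APPLICATION_DATA = 0x17
KNOWN_CONTENT_TYPES = {CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA}


@dataclass
class Record:
    content_type: int
    version: Tuple[int, int]  # (major, minor): (3, 0) = SSL 3.0, (3, 1) = TLS 1.0
    offset: int               # byte offset of the record within its chunk
    payload: bytes


def parse_records(chunk: bytes) -> Iterator[Record]:
    """Split one direction's bytes into TLS records; stop at a truncated tail."""
    pos = 0
    while pos + 5 <= len(chunk):
        content_type = chunk[pos]
        if content_type not in KNOWN_CONTENT_TYPES:
            raise ValueError(f"not a TLS record at offset {pos}: type {content_type:#x}")
        version = (chunk[pos + 1], chunk[pos + 2])
        length = int.from_bytes(chunk[pos + 3:pos + 5], "big")
        end = pos + 5 + length
        if end > len(chunk):
            break  # capture ended mid-record
        yield Record(content_type, version, pos, chunk[pos + 5:end])
        pos = end


def find_renegotiations(segments: List[Tuple[str, bytes]]) -> List[Tuple[int, str, int]]:
    """Return (segment index, direction, offset) of every handshake record sent
    after the initial handshake completed. `segments` are ("c2s" | "s2c", bytes)
    chunks in capture order, each holding whole records (assumed input format)."""
    ccs_seen = {"c2s": False, "s2c": False}       # side has switched to encryption
    finished_seen = {"c2s": False, "s2c": False}  # ... and has sent its Finished
    hits = []
    for index, (direction, chunk) in enumerate(segments):
        for rec in parse_records(chunk):
            if rec.content_type == CT_CHANGE_CIPHER_SPEC:
                ccs_seen[direction] = True
                finished_seen[direction] = False  # a new Finished must follow
            elif rec.content_type == CT_HANDSHAKE:
                if ccs_seen[direction] and not finished_seen[direction]:
                    # first encrypted handshake record after CCS is this side's Finished
                    finished_seen[direction] = True
                elif all(finished_seen.values()):
                    # both sides are done with the handshake: this is a renegotiation
                    hits.append((index, direction, rec.offset))
    return hits


def _record(content_type: int, payload: bytes, version=(3, 1)) -> bytes:
    """Build one TLS record with a plaintext 5-byte header."""
    return bytes([content_type, *version]) + len(payload).to_bytes(2, "big") + payload


# Constructed capture: a TLS 1.0 handshake, one request/response, then the
# client starts a renegotiation. Bodies are placeholders; only the record
# layer is modelled.
SAMPLE_CAPTURE = [
    ("c2s", _record(CT_HANDSHAKE, b"\x01<ClientHello>")),
    ("s2c", _record(CT_HANDSHAKE, b"\x02<ServerHello>")
          + _record(CT_HANDSHAKE, b"\x0b<Certificate>")
          + _record(CT_HANDSHAKE, b"\x0e<ServerHelloDone>")),
    ("c2s", _record(CT_HANDSHAKE, b"\x10<ClientKeyExchange>")
          + _record(CT_CHANGE_CIPHER_SPEC, b"\x01")
          + _record(CT_HANDSHAKE, b"<encrypted Finished>")),
    ("s2c", _record(CT_CHANGE_CIPHER_SPEC, b"\x01")
          + _record(CT_HANDSHAKE, b"<encrypted Finished>")),
    ("c2s", _record(CT_APPLICATION_DATA, b"<encrypted request>")),
    ("s2c", _record(CT_APPLICATION_DATA, b"<encrypted response>")),
    ("c2s", _record(CT_HANDSHAKE, b"<encrypted ClientHello>")),  # renegotiation
]

if __name__ == "__main__":
    for index, direction, offset in find_renegotiations(SAMPLE_CAPTURE):
        print(f"renegotiation: segment {index} ({direction}) at record offset {offset}")
```

On the sample capture this reports one hit, the client-initiated handshake record in the last segment. A server that has applied the initial patches the advisory mentions (renegotiation disabled) should never produce such a hit on its own connections, so the check doubles as a way to confirm the mitigation is in effect on traffic you are allowed to observe.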
