Hi! Thanks for the note!
On 04/08/2013 04:34 AM, Michael Gilbert wrote:
> This issue is still being tracked as affecting polarssl in the
> security tracker. It's old, so it's likely been fixed, but it's
> important to be thorough, so please check that it is and adjust the
> affected versions appropriately.
>
> CVE-2009-3555[0]:
> | The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
> | used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in
> | the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
> | GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
> | 3.12.4 and earlier, multiple Cisco products, and other products, does
> | not properly associate renegotiation handshakes with an existing
> | connection, which allows man-in-the-middle attackers to insert data
> | into HTTPS sessions, and possibly other types of sessions protected by
> | TLS or SSL, by sending an unauthenticated request that is processed
> | retroactively by a server in a post-renegotiation context, related to
> | a "plaintext injection" attack, aka the "Project Mogul" issue.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
>     http://security-tracker.debian.org/tracker/CVE-2009-3555

At polarssl's upstream tracker, I found the following similar issue:

https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2011-01

regarding CVE-2011-1923.

Is CVE-2011-1923 related to CVE-2009-3555?

For CVE-2011-1923, they have a patch that applies to Debian's version in squeeze (fixed upstream in >squeeze), which I can adapt easily and prepare as a security fix.

Nothing found directly for CVE-2009-3555 - will ask upstream.

Thanks,
Roland

