Package: libssl0.9.8 Version: 0.9.8c-4etch5 Severity: normal -- System Information: Debian Release: 4.0 APT prefers oldstable APT policy: (500, 'oldstable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-6-486 Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages libssl0.9.8 depends on: ii debconf [debconf-2. 1.5.11etch2 Debian configuration management sy ii libc6 2.3.6.ds1-13etch9+b1 GNU C Library: Shared libraries ii zlib1g 1:1.2.3-13 compression library - runtime libssl0.9.8 recommends no packages. -- debconf information: libssl0.9.8/restart-services: Hi! We ran into this bug during our last Qualys security scan. It is reported as a Level 3 Vulnerability and as such not compliant to the Payment Card Data Security Standard (PCI DSS) as required by Visa and Mastercard. ============================================= = Here is the Qualys vulnerability description: == # Diagnosis Netscape's SSLv3 implementation had a bug where if a SSLv3 connection is initially established, the first available cipher is used. If a session is resumed, a different cipher may be chosen if it appears in the passed cipher list before the session's current cipher. This bug can be used to change ciphers on the server. OpenSSL contains this bug if the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is enabled during runtime. This option was introduced for compatibility reasons. The problem arises when different applications using OpenSSL's libssl library enable all compatibility options including SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, thus enabling the bug. # Consequence A malicious legitimate client can enforce a ciphersuite not supported by the server to be used for a session between the client and the server. This can result in disclosure of sensitive information. # Solution This problem can be fixed by disabling the SSL OP NETSCAPE REUSE CIPHER_CHANGE_BUG option from the options list of OpenSSL's libssl library. This can be done by replacing the SSL OP ALL definition in the openssl/ssl.h file with the following line: #define SSL OP ALL (0x00000FFFL^SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) Unfortunately there is no CVE number. I've found a discussion of this bug on the OpenSSL developer mailing list. http://marc.info/?l=openssl-dev&m=109532567028570&w=2 Could you be so kind to address this issue in a future openssl/libssl0.9.8 release? Thank you very much! Best regards, Juergen Heil -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
