On Wed, Sep 08, 2010 at 10:20:11AM -0700, Kyle Bader wrote:
> Hello Deb-sec!
> 
> I'd like to bring to the attention of the developers and the Debian
> community that CVE-2009-3555 has not been completely addressed in
> Debian/stable as we are meant to believe here:
> 
> http://security-tracker.debian.org/tracker/CVE-2009-3555
> 
> The apache & nginx fixes paper over the issue without addressing the
> underlying problem, a protocol vulnerability in the openssl library.
> In my opinion the openssl package should be marked with a security
> tag, as it is for Ubuntu, and Debian bug #555829 should be re-opened.

Bug #555829 is still listed as affecting stable and has a security
tag.  I've now also marked it properly with version numbers, but
it really doesn't change anything other than saying that
testing/unstable was also affected at some point in the past.

Anyway, the proper fix would be to backport the RFC5746 changes.
But the other end will also require that support for it to work.
You're probably better off avoiding renegotiation.


Kurt
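Since the fix only helps when the peer also speaks RFC 5746, a quick way to verify the "other end" is to look at the session summary openssl s_client prints. The script below is an added example, not from this thread or from Debian; it assumes an openssl binary new enough to print the "Secure Renegotiation IS supported" line (0.9.8m or later) and uses constructed sample output so the classifier can be exercised offline:

```shell
#!/bin/sh
# Added example: detect whether a TLS peer advertises RFC 5746 secure
# renegotiation by parsing the session summary from `openssl s_client`.

classify_renegotiation() {
  # $1: captured s_client output. Prints "secure", "insecure" or "unknown".
  # The NOT pattern is tested first so it cannot be shadowed by the other.
  case "$1" in
    *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
    *"Secure Renegotiation IS supported"*)     echo secure ;;
    *)                                         echo unknown ;;
  esac
}

check_host() {
  # $1: host, $2: port. Opens a real connection; closing stdin ends the
  # session so s_client prints its summary and exits.
  out=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null)
  classify_renegotiation "$out"
}

# Constructed sample outputs (abbreviated, not real captures).
SAMPLE_PATCHED='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Secure Renegotiation IS supported'

SAMPLE_UNPATCHED='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Secure Renegotiation IS NOT supported'

SAMPLE_TRUNCATED='connect: Connection refused'

# Stand-alone demonstration on the constructed samples; to test a live
# peer use: check_host example.org 443
for s in "$SAMPLE_PATCHED" "$SAMPLE_UNPATCHED" "$SAMPLE_TRUNCATED"; do
  classify_renegotiation "$s"
done
```

A peer reported as "insecure" will not be protected by a backported RFC 5746 OpenSSL on your side, which is why disabling renegotiation remains the safe default until both ends are updated.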


Archive: http://lists.debian.org/20100908214111.ga13...@roeckx.be
