On 3/5/2010 4:13 PM, Jeff Trawick wrote:
> On Fri, Mar 5, 2010 at 4:55 PM, William A. Rowe Jr. <[email protected]>
> wrote:
>> Anyone looking at the changelog should be terrified of adopting 2.2.15; I'm
>> going to modify it thusly (please correct attributions if needed?);
>>
>> *) SECURITY: CVE-2009-3555 (cve.mitre.org)
>> mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
>> attack when compiled against OpenSSL version 0.9.8m or later.
>
> I see what you mean about potential fear; OTOH, maybe "comprehensive
> fix" is misleading too. Joe mentioned adding something to the FAQ
> about the issue. Perhaps that's the only solution.
I will solve through the CHANGES, as well, to at least calm fears that there is
only half a solution in 2.2.15. (Well, there is only half a solution, the other
half is in openssl :-)
Here is some slight rewording; I don't believe comprehensive is misleading at
all, the exposure isn't mitigated, it is eliminated [until they are foolish enough
to re-enable SSLInsecureRenegotiation]. We also can hardly assume most credit.
So I'd suggest this phrasing;
mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
attack when compiled against OpenSSL version 0.9.8m or later. Introduces
the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
and offer unsafe legacy renegotiation with clients which do not yet
support the secure renegotiation protocol. [Joe Orton, and the OpenSSL
Team]
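Two checks an administrator can run to confirm the state the entry above describes, added here as an example and not code from the thread or from httpd itself: one audits httpd configuration text for a line that re-enables legacy renegotiation via SSLInsecureRenegotiation, the other classifies `openssl s_client` output by whether the peer advertises RFC 5746 secure renegotiation. The sample configuration and capture text are constructed, and `probe_host` is a hypothetical helper that needs network access.

```shell
#!/bin/sh
# Added example (not from the thread or from httpd). Assumes a POSIX sh, grep,
# and an OpenSSL 0.9.8m-or-later `openssl` binary for the live probe.

# Print any active 'SSLInsecureRenegotiation on' line in the given config text
# (commented lines are ignored); returns 1 if one is found, 0 otherwise.
audit_config() {
    # $1: httpd configuration text, e.g. "$(cat /path/to/ssl.conf)"
    if printf '%s\n' "$1" | grep -n -i -E \
        '^[[:space:]]*SSLInsecureRenegotiation[[:space:]]+on([[:space:]]|$)'; then
        return 1
    fi
    return 0
}

# Classify captured `openssl s_client` output: secure | insecure | unknown.
renego_status() {
    # $1: text captured from `openssl s_client -connect host:port`
    case "$1" in
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *)                                         echo unknown ;;
    esac
}

# Hypothetical live probe; needs network and is not used by the offline demo.
probe_host() {
    # $1: host, $2: port (default 443)
    renego_status "$(printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" 2>/dev/null)"
}

# Constructed sample inputs (not real configuration files or captures).
BAD_CONF='SSLEngine on
SSLInsecureRenegotiation On'
GOOD_CONF='SSLEngine on
# SSLInsecureRenegotiation off'
SAMPLE_SECURE='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported'
SAMPLE_LEGACY='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported'

# Offline demo: the bad config is flagged, the sample capture is classified.
audit_config "$BAD_CONF" || echo "legacy renegotiation is re-enabled in config"
echo "sample capture: $(renego_status "$SAMPLE_SECURE")"
```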