On 11/06/2009 10:58 PM, Dirk-Willem van Gulik wrote:
> So what are the next steps here?
>
> - Joe's patch is final.
>
> - Give the community the advice 'immediately' - with a website
>   update and an email to announce:
>
>   Apache httpd is affected by CVE-XXXX (the SSL Injection
>   or MitM attack).
>
>   We strongly urge you to upgrade to OpenSSL 0.9.8l; and be
>   prepared to deploy 0.9.8m as it becomes available.
>
>   For those who are not able to upgrade swiftly and/or for those
>   who need detailed logging - we recommend that you roll out
>   this patch (URL) as soon as possible.

I guess no one who needs server-triggered renegotiation in their configuration can upgrade to 0.9.8l, as to my understanding *all* renegotiations are simply turned off in 0.9.8l. So these people can only go with our patch or a fresh release of httpd, and are still *vulnerable* in those URL spaces that are somehow "protected" by these renegotiations. I guess how much, in the cert case, also depends on the client's browser settings and its user (does it send a certificate even though the original request by the browser did not request one?).

>   If you are unable to patch and unable to roll out a newer
>   version of OpenSSL then we recommend that you ensure that
>   you limit your configuration to a single 'SSLClient require'
>   or 'SSLClient none' at VirtualHost/Server level and remove
>   all other (re)negotiation changes. However this does NOT
>   fully protect you - it just curtails authentication.
>
>   A version with this patch, Apache 2.2.15, is currently
>   being readied; there are no plans for a backport to
>   1.3.X at this time.
>
> - Check how much we have on the roster in - and either release
>   a 2.x with just this CVE - or a more wrapped up one?
>
>   Do we need to backport this for the 1.3.42 branch?

Note that mod_ssl is not part of 1.3.x but a separate project. So only 2.0.x might be worth a thought.

Regards

Rüdiger

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
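The workaround discussed in the thread (a single client-verification setting at VirtualHost level, no per-URL changes) is easy to state and easy to get wrong in a large httpd.conf, because mod_ssl renegotiates whenever a Location or Directory block changes SSLVerifyClient, SSLVerifyDepth or SSLCipherSuite away from the vhost value. The following checker is an added example, not code from the thread, from Apache httpd or from OpenSSL; it scans a constructed configuration fragment (embedded below, not a real deployment) and lists every per-directory setting that would still force a server-triggered renegotiation, i.e. the "URL spaces" Rüdiger says remain exposed. The set of three directives is based on mod_ssl's documented renegotiation behaviour; treating an unset vhost-level value as differing is a conservative assumption of this script, not mod_ssl's exact rule.

```python
import re

# Constructed sample (not from the thread): the vhost sets SSLVerifyClient none
# and a cipher list, then per-URL blocks tighten them.  Each such change makes
# mod_ssl renegotiate the TLS session mid-connection, the case the workaround
# for the 2009 renegotiation issue tells administrators to remove.
WEAK_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient none
    SSLCipherSuite HIGH:!aNULL
    <Location /public>
        SSLRequireSSL
    </Location>
    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
    <Directory /var/www/legacy>
        SSLCipherSuite HIGH:!aNULL:!SSLv2
    </Directory>
</VirtualHost>
"""

# Constructed hardened counterpart: one SSLVerifyClient for the whole vhost,
# no per-directory overrides, so no renegotiation is ever triggered.
HARDENED_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCipherSuite HIGH:!aNULL
    <Location /admin>
        SSLRequireSSL
    </Location>
</VirtualHost>
"""

# Per-directory values of these directives that differ from the vhost-level
# value cause mod_ssl to renegotiate; other SSL* directives do not.
RENEG_DIRECTIVES = ("SSLVerifyClient", "SSLVerifyDepth", "SSLCipherSuite")

_CONTAINERS = r"Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch"
OPEN_RE = re.compile(rf"^<({_CONTAINERS})\s+(\S+)>$", re.I)
CLOSE_RE = re.compile(rf"^</({_CONTAINERS})>$", re.I)
DIRECTIVE_RE = re.compile(r"^(\S+)\s+(.*)$")


def find_renegotiation_triggers(conf):
    """Return [(block, directive, vhost_value, block_value)] for every
    per-directory setting that forces a TLS renegotiation.  vhost_value is
    None when the directive is not set at vhost level; that case is flagged
    too (conservative assumption: the mod_ssl default may differ)."""
    vhost = {}
    blocks = {}       # "<Location /admin>" -> {directive: value}
    current = None    # label of the container block we are inside, if any
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            current = f"<{m.group(1)} {m.group(2)}>"
            blocks[current] = {}
            continue
        if CLOSE_RE.match(line):
            current = None
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        # httpd directive names are case-insensitive; normalise to our spelling.
        canon = next((d for d in RENEG_DIRECTIVES if d.lower() == name.lower()), None)
        if canon is None:
            continue
        (vhost if current is None else blocks[current])[canon] = value

    findings = []
    for label, settings in blocks.items():
        for directive, value in settings.items():
            base = vhost.get(directive)
            if base is None or base != value:
                findings.append((label, directive, base, value))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        hits = find_renegotiation_triggers(conf)
        print(f"{name}: {len(hits)} renegotiation trigger(s)")
        for label, directive, base, value in hits:
            print(f"  {label}: {directive} {base!r} -> {value!r}")
```

Run it against a real configuration by reading the file into `find_renegotiation_triggers`; every line it prints is a URL space that the quoted advice says must be folded into the vhost-level setting (or accepted as still exposed until a fixed OpenSSL and httpd are deployed). The script only looks at one level of container nesting and ignores Include files, so it is a first pass, not a substitute for reviewing the merged configuration.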
