I don't get it .. that fix has been out as a package set for over a week or more:

http://mirrors.med.harvard.edu/csw/unstable/sparc/5.8/openssl-0.9.8l,REV=2009.11.23-SunOS5.8-sparc-CSW.pkg.gz
and
http://mirrors.med.harvard.edu/csw/unstable/sparc/5.8/apache2-2.2.14,REV=2009.10.16-SunOS5.8-sparc-CSW.pkg.gz

On Sun, Dec 6, 2009 at 7:04 AM, Yann Rouillard <[email protected]> wrote:
> Dear users,
>
> A security vulnerability has been recently found in the TLS and SSL
> protocol part related to the handling of session renegotiation [1]. This
> vulnerability allows an attacker to inject arbitrary content at the
> beginning of a TLS/SSL connection within a Man-in-the-middle attack.
>
> This problem is caused by a design flaw in the TLS/SSL protocol and is
> difficult to fix in a clean and backward compatible way. As a result the
> new openssl release (0.9.8l) which fixes this bug simply completely
> disables renegotiation.
>
> This new package will hit csw unstable mirror very soon.
>
> This modification should not have any impact for most setups except for
> Apache https configurations which use certificate client verification
> (SSLVerifyClient) or specify a new ssl cipher list (SSLCipherSuite) in a
> directory or location context.
> If that's your case, you should try to use these instructions on
> the server or virtual host level, or avoid upgrading to openssl 0.9.8l [2],
> but you will stay vulnerable in the latter.
>
> A new protocol extension to TLS is planned to address this issue but the
> RFC draft is still under review and it will require both the client and
> the server to implement the extension.
>
> Best regards
>
> Yann
>
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
> [2] You can avoid upgrading with pkgutil >= 1.9 by adding the following line
> in pkgutil.conf:
> exclude_pattern=CSWossl
>
>
> _______________________________________________
> users mailing list
> [email protected]
> https://lists.opencsw.org/mailman/listinfo/users
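
One way to check whether an Apache configuration falls into the case the announcement describes (SSLVerifyClient or SSLCipherSuite set in a directory or location context), as an added example that is not part of the original messages or of the OpenCSW packages. The function name `audit` and the sample configuration are constructed for illustration; the check also treats `<Files>` and the `*Match` container variants as per-directory context, which goes beyond the two containers named above, and it does not follow `Include` lines or `.htaccess` files.

```python
import re

# Directives the announcement names as affected when scoped per-directory.
RENEG_DIRECTIVES = {"sslverifyclient", "sslciphersuite"}
# Containers that create a per-directory context (assumption: Files and the
# *Match variants are included in addition to Directory and Location).
PER_DIR = re.compile(r"<(Directory|Location|Files)(Match)?\b", re.I)
OPEN = re.compile(r"<([A-Za-z]+)\b")
CLOSE = re.compile(r"</([A-Za-z]+)\s*>")

def audit(config_text):
    """Return (line_no, enclosing_section, directive_line) for every
    SSLVerifyClient/SSLCipherSuite found inside a per-directory container."""
    findings = []
    stack = []  # currently open section headers, innermost last
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        if OPEN.match(line):
            stack.append(line)
            continue
        name = line.split(None, 1)[0].lower()  # directive names are case-insensitive
        if name in RENEG_DIRECTIVES:
            scoped = [s for s in stack if PER_DIR.match(s)]
            if scoped:
                findings.append((no, scoped[-1], line))
    return findings

# Constructed sample: server-level settings are fine, the two nested ones are flagged.
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM
    SSLVerifyClient none
    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
    <Directory "/var/www/strong">
        # SSLCipherSuite commented out
        SSLCipherSuite HIGH
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for no, section, directive in audit(SAMPLE):
        print(f"line {no}: '{directive}' inside {section}: move to server or virtual host level")
```

Each reported directive is a candidate for moving up to the server or virtual host level before upgrading to openssl 0.9.8l.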
