aboutsummaryrefslogtreecommitdiffstats
path: root/english/security/2011/dsa-2141.wml
blob: b2a9ad1fa0e0f3bafb0d4ffd03fcd0fab51510c0 (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

<define-tag description>SSL/TLS insecure renegotiation protocol design flaw</define-tag>
<define-tag moreinfo>

<p>DSA-2141 consists of three individual parts, which can be viewed in the 
mailing list archive:
<a href="https://lists.debian.org/debian-security-announce/2011/msg00001.html">DSA 2141-1</a> (openssl),
<a href="https://lists.debian.org/debian-security-announce/2011/msg00002.html">DSA 2141-2</a> (nss),
<a href="https://lists.debian.org/debian-security-announce/2011/msg00003.html">DSA 2141-3</a> (apache2), and
<a href="https://lists.debian.org/debian-security-announce/2011/msg00006.html">DSA 2141-4</a> (lighttpd).
This page only covers the first part, openssl.</p>

<ul>

<li><a href="https://security-tracker.debian.org/tracker/CVE-2009-3555">CVE-2009-3555</a>

<p>Marsh Ray, Steve Dispensa, and Martin Rex discovered a flaw in the TLS
and SSLv3 protocols. If an attacker could perform a man in the middle
attack at the start of a TLS connection, the attacker could inject
arbitrary content at the beginning of the user's session. This update
adds backported support for the new RFC5746 renegotiation extension
which fixes this issue.</p>

<p>If openssl is used in a server application, it will by default no
longer accept renegotiation from clients that do not support the
RFC5746 secure renegotiation extension. A separate advisory will add
RFC5746 support for nss, the security library used by the iceweasel
web browser. For apache2, there will be an update which allows to
re-enable insecure renegotiation.</p>

<p>This version of openssl is not compatible with older versions of tor.
You have to use at least tor version 0.2.1.26-1~lenny+1, which has
been included in the point release 5.0.7 of Debian stable.</p>

<p>Currently we are not aware of other software with similar compatibility
problems.</p></li>

<li><a href="https://security-tracker.debian.org/tracker/CVE-2010-4180">CVE-2010-4180</a>

<p>In addition, this update fixes a flaw that allowed a client to bypass
restrictions configured in the server for the used cipher suite.</p></li>

</ul>

<p>For the stable distribution (lenny), this problem has been fixed
in version 0.9.8g-15+lenny11.</p>

<p>For the unstable distribution (sid), and the testing distribution
(squeeze), this problem has been fixed in version 0.9.8o-4.</p>

<p>We recommend that you upgrade your openssl package.</p>

<p>Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: <a href="$(HOME)/security/">https://www.debian.org/security/</a></p>
</define-tag>

# do not modify the following line
#include "$(ENGLISHDIR)/security/2011/dsa-2141.data"
# $Id$

© 2014-2024 Faster IT GmbH | imprint | privacy policy