what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Debian Security Advisory 2141-1

Debian Security Advisory 2141-1
Posted Jan 6, 2011
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2141-1 - Marsh Ray, Steve Dispensa, and Martin Rex discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user's session. This update adds backported support for the new RFC5746 renegotiation extension which fixes this issue. If openssl is used in a server application, it will by default no longer accept renegotiation from clients that do not support the RFC5746 secure renegotiation extension. A separate advisory will add RFC5746 support for nss, the security library used by the iceweasel web browser. For apache2, there will be an update which allows to re-enable insecure renegotiation. This version of openssl is not compatible with older versions of tor. You have to use at least tor version 0.2.1.26-1~lenny+1, which has been included in the point release 5.0.7 of Debian stable.

tags | advisory, web, arbitrary, protocol
systems | linux, debian
advisories | CVE-2010-3555, CVE-2010-4180
SHA-256 | e51d87d1ee8b18157edde2e72dde7a519c02a7696a6328d3a164c2b081dd9c27

Debian Security Advisory 2141-1

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2141-1 security@debian.org
http://www.debian.org/security/ Stefan Fritsch
January 06, 2011 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : openssl
Vulnerability : SSL/TLS insecure renegotiation protocol design flaw
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-3555 CVE-2010-4180
Debian Bug : 555829

CVE-2009-3555:

Marsh Ray, Steve Dispensa, and Martin Rex discovered a flaw in the TLS
and SSLv3 protocols. If an attacker could perform a man in the middle
attack at the start of a TLS connection, the attacker could inject
arbitrary content at the beginning of the user's session. This update
adds backported support for the new RFC5746 renegotiation extension
which fixes this issue.

If openssl is used in a server application, it will by default no
longer accept renegotiation from clients that do not support the
RFC5746 secure renegotiation extension. A separate advisory will add
RFC5746 support for nss, the security library used by the iceweasel
web browser. For apache2, there will be an update which allows to
re-enable insecure renegotiation.

This version of openssl is not compatible with older versions of tor.
You have to use at least tor version 0.2.1.26-1~lenny+1, which has
been included in the point release 5.0.7 of Debian stable.

Currently we are not aware of other software with similar compatibility
problems.


CVE-2010-4180:

In addition, this update fixes a flaw that allowed a client to bypass
restrictions configured in the server for the used cipher suite.


For the stable distribution (lenny), this problem has been fixed
in version 0.9.8g-15+lenny11.

For the unstable distribution (sid), and the testing distribution
(squeeze), this problem has been fixed in version 0.9.8o-4.

We recommend that you upgrade your openssl package.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFNJPe+bxelr8HyTqQRAgz7AJ9zP01uGq9aeyPPWJRDit9RGiLH7wCeL2yb
ER5vbU2hWhtwTUhj3isjjds=
=XNn8
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close