Package: apache2.2-common
Version: 2.2.9-10+lenny8
Severity: normal

Hi,

http://security-tracker.debian.org/tracker/CVE-2009-3555 says this has been fixed in my version of apache, and I am not using SSLVerifyClient at all, and there is one default SSLCipherSuite line in ssl.conf.

Firefox reports (in the javascript console, but I gather that is supposed to change to a more obvious error message at some point) that my server is "potentially vulnerable to CVE-2009-3555".

On the openssl side, I see that it was fixed in openssl 0.9.8k, but I (lenny) have openssl: 0.9.8g-15+lenny6. I don't see that CVE mentioned in the changelog of openssl, so perhaps it wasn't ever backported.

Am I really vulnerable and/or is firefox going to start reporting to users that I am at some point?

-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  alias auth_basic auth_digest authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi dav dav_fs dav_svn deflate dir env
  expires fastcgi include jk mime negotiation perl rewrite setenvif ssl
  status suexec suphp

-- System Information:
Debian Release: 5.0.4
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork  2.2.9-10+lenny8  Apache HTTP Server - traditional n

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils  2.2.9-10+lenny8       utility programs for webservers
ii  libapr1        1.4.2-3~bpo50+2       The Apache Portable Runtime Librar
ii  libaprutil1    1.2.12+dfsg-8+lenny4  The Apache Portable Runtime Utilit
ii  libc6          2.7-18lenny2          GNU C Library: Shared libraries
ii  libmagic1      4.26-1                File type determination library us
ii  libssl0.9.8    0.9.8g-15+lenny6      SSL shared libraries
ii  lsb-base       3.2-20                Linux Standard Base 3.2 init scrip
ii  mime-support   3.44-1                MIME files 'mime.types' & 'mailcap
ii  net-tools      1.60-22               The NET-3 networking toolkit
ii  perl           5.10.0-19lenny2       Larry Wall's Practical Extraction
ii  procps         1:3.2.7-11            /proc file system utilities
ii  psmisc         22.6-1                Utilities that use the proc filesy
ii  zlib1g         1:1.2.3.3.dfsg-12     compression library - runtime

-- no debconf information