Hello Deb-sec!

I'd like to bring to the attention of the developers and the Debian community that CVE-2009-3555 has not been completely addressed in Debian/stable, as we are meant to believe here:

http://security-tracker.debian.org/tracker/CVE-2009-3555

The apache & nginx fixes paper over the issue without addressing the underlying problem, a protocol vulnerability in the openssl library. In my opinion the openssl package should be marked with a security tag, as it is for Ubuntu, and Debian bug #555829 should be re-opened.

Debian package: http://packages.debian.org/lenny/openssl
Ubuntu package: http://packages.ubuntu.com/jaunty/openssl
Debian Bug Report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555829

After verification from upstream, this patch series looks like the proper way to address the protocol vulnerability:

Ubuntu proposed fix: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/jaunty/openssl/jaunty-proposed/revision/34

To demonstrate this issue you can go to my example site, Debian/stable (lenny), openssl (0.9.8g-15+lenny8), custom apache (2.2.16):

https://debian-lenny.badercom.net

With a recent Firefox build you will notice this in the error console:

"debian-lenny.badercom.net : server does not support RFC 5746, see CVE-2009-3555"

Example site where the protocol vulnerability is addressed, Debian/testing (squeeze), openssl (0.9.8o-2), custom apache (2.2.16):

https://debian-squeeze.badercom.net

Thanks,

-- 
Kyle Bader
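The Firefox warning quoted in the message above is produced by inspecting the ServerHello: a server patched for RFC 5746 answers a ClientHello that carries the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite or an empty renegotiation_info extension with a renegotiation_info extension of its own, while an unpatched OpenSSL 0.9.8g-era stack sends no such extension. The following Python script is an added example and is not code from the list post, from Debian or from OpenSSL; it builds such a ClientHello, parses a ServerHello for the 0xff01 extension, and includes two constructed sample ServerHellos (one legacy, one patched) so the check can be exercised offline. The hostnames, cipher choice and `probe()` helper are assumptions made for the illustration.

```python
"""Check a TLS server for RFC 5746 (secure renegotiation) support.
Added example for the CVE-2009-3555 discussion; not the post's or OpenSSL's own code."""
import os
import socket
import struct
import sys

TLS_HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
EXT_RENEGOTIATION_INFO = 0xFF01              # RFC 5746, section 3.2
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # RFC 5746, section 3.3
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F        # one ordinary suite so the server can pick something


def _handshake_record(msg_type, body, version=(3, 1)):
    """Wrap a handshake body in a 4-byte Handshake header and a 5-byte TLS record header."""
    hs = struct.pack("!B", msg_type) + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, version[0], version[1], len(hs)) + hs


def build_client_hello():
    """ClientHello signalling RFC 5746 both ways the RFC allows: the SCSV in the
    cipher list and an empty renegotiation_info extension (both are harmless to
    legacy servers, which simply ignore them)."""
    suites = struct.pack("!HH", TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
    reneg_ext = struct.pack("!HHB", EXT_RENEGOTIATION_INFO, 1, 0)  # renegotiated_connection = <empty>
    body = (
        b"\x03\x01" + os.urandom(32) + b"\x00"          # TLS 1.0, client random, empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                    # one compression method: null
        + struct.pack("!H", len(reneg_ext)) + reneg_ext
    )
    return _handshake_record(CLIENT_HELLO, body)


def parse_server_hello(record):
    """Parse the first handshake message in `record` as a ServerHello.
    Returns (cipher_suite, {extension_type: extension_data})."""
    ctype, _vmaj, _vmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a handshake record (alert or garbage?)")
    hs = record[5:5 + rlen]
    if hs[0] != SERVER_HELLO:
        raise ValueError("first handshake message is not a ServerHello")
    hlen = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hlen]
    pos = 2 + 32                                   # skip server_version and server random
    sid_len = body[pos]
    pos += 1 + sid_len
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                       # cipher suite + compression method
    exts = {}
    if pos < len(body):                            # the extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            exts[etype] = body[pos:pos + elen]
            pos += elen
    return cipher, exts


def supports_rfc5746(server_hello):
    """True iff the ServerHello carries renegotiation_info with an empty
    renegotiated_connection, which is what a patched server sends on an initial
    handshake. No such extension means a legacy, still-vulnerable stack."""
    _, exts = parse_server_hello(server_hello)
    return exts.get(EXT_RENEGOTIATION_INFO) == b"\x00"


def make_server_hello(with_reneg_info):
    """Constructed sample ServerHello for offline testing (not captured from a real host):
    a legacy reply without extensions, or a patched reply carrying renegotiation_info."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!HB", TLS_RSA_WITH_AES_128_CBC_SHA, 0)
    if with_reneg_info:
        ext = struct.pack("!HHB", EXT_RENEGOTIATION_INFO, 1, 0)
        body += struct.pack("!H", len(ext)) + ext
    return _handshake_record(SERVER_HELLO, body)


def probe(host, port=443, timeout=5):
    """Live check (assumed helper): send our ClientHello and read the first record back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return supports_rfc5746(data)


if __name__ == "__main__":
    target = sys.argv[1]
    verdict = "supports RFC 5746" if probe(target) else "does NOT support RFC 5746 (CVE-2009-3555)"
    print(target, verdict)
```

Run it as `python3 check_reneg.py some.host.example` to get the same verdict Firefox prints, and compare with `openssl s_client -connect some.host.example:443`, which reports the result on its "Secure Renegotiation IS/IS NOT supported" line. The parser only examines the first handshake message of the first record, so a server that sends an alert (for example because it requires SNI) raises rather than being misreported as vulnerable.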