Bug#587037: CVE-2009-3555: Firefox reports server is "potentially vulnerable"

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#587037: CVE-2009-3555: Firefox reports server is "potentially vulnerable"
From: Jon Daley <debian@jon.limedaley.com>
Date: Thu, 24 Jun 2010 12:59:20 -0400
Message-id: <[🔎] 20100624165920.13488.40606.reportbug@orange.limedaley.com>
Reply-to: Jon Daley <debian@jon.limedaley.com>, 587037@bugs.debian.org

Package: apache2.2-common
Version: 2.2.9-10+lenny8
Severity: normal


Hi, http://security-tracker.debian.org/tracker/CVE-2009-3555, says this has been fixed in my version of apache, and I am not using SSLVerifyClient at 
all, and there is one default SSLCipherSuite line in ssl.conf.  Firefox reports (in the javascript console, but I gather that is supposed to change to a 
more obvious error message at some point) that my server is "potentially vulnerable to CVS-2009-3555".

On the openssl side, I see that it was fixed in openssl0.9.8k, but I (lenny) have openssl: 0.9.8g-15+lenny6.
I don't see that CVE mentioned in the changelog of openssl, so perhaps it wasn't ever backported.

Am I really vulnerable and/or is firefox going to start reporting to users that I am at some point?


                                                                                                                                                                 
                                       
-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  alias auth_basic auth_digest authn_file authz_default
  authz_groupfile authz_host authz_user autoindex cgi dav dav_fs
  dav_svn deflate dir env expires fastcgi include jk mime negotiation
  perl rewrite setenvif ssl status suexec suphp

-- System Information:
Debian Release: 5.0.4
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork      2.2.9-10+lenny8 Apache HTTP Server - traditional n

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny8      utility programs for webservers
ii  libapr1             1.4.2-3~bpo50+2      The Apache Portable Runtime Librar
ii  libaprutil1         1.2.12+dfsg-8+lenny4 The Apache Portable Runtime Utilit
ii  libc6               2.7-18lenny2         GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination library us
ii  libssl0.9.8         0.9.8g-15+lenny6     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2 init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' & 'mailcap
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19lenny2      Larry Wall's Practical Extraction 
ii  procps              1:3.2.7-11           /proc file system utilities
ii  psmisc              22.6-1               Utilities that use the proc filesy
ii  zlib1g              1:1.2.3.3.dfsg-12    compression library - runtime

-- no debconf information

Reply to:

Follow-Ups:
- Bug#587037: CVE-2009-3555: Firefox reports server is "potentially vulnerable"
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Já pensou onde vai passar as suas férias?
Next by Date: Bug#587037: CVE-2009-3555: Firefox reports server is "potentially vulnerable"
Previous by thread: Já pensou onde vai passar as suas férias?
Next by thread: Bug#587037: CVE-2009-3555: Firefox reports server is "potentially vulnerable"
Index(es):
- Date
- Thread