Bug#587037: CVE-2009-3555: Firefox reports server is "potentially vulnerable"
Package: apache2.2-common
Version: 2.2.9-10+lenny8
Severity: normal
Hi, http://security-tracker.debian.org/tracker/CVE-2009-3555, says this has been fixed in my version of apache, and I am not using SSLVerifyClient at
all, and there is one default SSLCipherSuite line in ssl.conf. Firefox reports (in the javascript console, but I gather that is supposed to change to a
more obvious error message at some point) that my server is "potentially vulnerable to CVS-2009-3555".
On the openssl side, I see that it was fixed in openssl0.9.8k, but I (lenny) have openssl: 0.9.8g-15+lenny6.
I don't see that CVE mentioned in the changelog of openssl, so perhaps it wasn't ever backported.
Am I really vulnerable and/or is firefox going to start reporting to users that I am at some point?
-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
alias auth_basic auth_digest authn_file authz_default
authz_groupfile authz_host authz_user autoindex cgi dav dav_fs
dav_svn deflate dir env expires fastcgi include jk mime negotiation
perl rewrite setenvif ssl status suexec suphp
-- System Information:
Debian Release: 5.0.4
APT prefers proposed-updates
APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.2.9-10+lenny8 Apache HTTP Server - traditional n
apache2 recommends no packages.
apache2 suggests no packages.
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.9-10+lenny8 utility programs for webservers
ii libapr1 1.4.2-3~bpo50+2 The Apache Portable Runtime Librar
ii libaprutil1 1.2.12+dfsg-8+lenny4 The Apache Portable Runtime Utilit
ii libc6 2.7-18lenny2 GNU C Library: Shared libraries
ii libmagic1 4.26-1 File type determination library us
ii libssl0.9.8 0.9.8g-15+lenny6 SSL shared libraries
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii mime-support 3.44-1 MIME files 'mime.types' & 'mailcap
ii net-tools 1.60-22 The NET-3 networking toolkit
ii perl 5.10.0-19lenny2 Larry Wall's Practical Extraction
ii procps 1:3.2.7-11 /proc file system utilities
ii psmisc 22.6-1 Utilities that use the proc filesy
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
-- no debconf information
Reply to: