
Bug#587037: CVE-2009-3555: Firefox reports server is "potentially vulnerable"



On Thursday 24 June 2010, Jon Daley wrote:
> Hi, http://security-tracker.debian.org/tracker/CVE-2009-3555, says
> this has been fixed in my version of apache, and I am not using
> SSLVerifyClient at all, and there is one default SSLCipherSuite
> line in ssl.conf.  Firefox reports (in the javascript console, but
> I gather that is supposed to change to a more obvious error
> message at some point) that my server is "potentially vulnerable
> to CVE-2009-3555".

If your apache configuration does _not_ use any per-directory client-cert
authentication, it is not vulnerable (that was the fix in
DSA-1934-1). But firefox has no way to tell that; that's why it's
saying "potentially vulnerable".

> On the openssl side, I see that it was fixed in openssl0.9.8k, but
> I (lenny) have openssl: 0.9.8g-15+lenny6. I don't see that CVE
> mentioned in the changelog of openssl, so perhaps it wasn't ever
> backported.
> 
> Am I really vulnerable and/or is firefox going to start reporting
> to users that I am at some point?

Yes, the openssl fix has not been backported to lenny yet. And yes, we 
should do that in the not too distant future (maybe in 5.0.6). It's 
quite likely that the browsers will print a more obvious error message 
in the future, but I don't know when that will happen.
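
As an added illustration, not part of this bug report or of the Debian apache2/openssl packages it discusses, the following shell script checks the two points raised in the thread: whether an Apache mod_ssl config sets SSLVerifyClient, SSLVerifyDepth or SSLCipherSuite inside a per-directory container (the pattern that makes mod_ssl renegotiate after reading the request, which is what the reply says DSA-1934-1 disabled), and how to read the handshake summary that `openssl s_client` prints, which is the same RFC 5746 renegotiation_info signal Firefox bases its "potentially vulnerable" message on. The sample ssl.conf fragment and the sample s_client output are constructed here; the function names and the file name check-renego.sh are assumptions for the example.

```shell
#!/bin/sh
# check-renego.sh: added example, not from the Debian bug report.
#  audit_ssl_conf  - flags SSLVerifyClient/SSLVerifyDepth/SSLCipherSuite that
#                    appear inside <Directory>/<Location>/<Files> containers
#                    (per-directory reconfiguration forces a renegotiation).
#  classify_renego - reads the "Secure Renegotiation IS [NOT] supported" line
#                    that openssl s_client prints after the handshake.

# audit_ssl_conf FILE: print each offending line as file:line: text;
# exit status 0 when nothing is flagged, 1 otherwise.
audit_ssl_conf() {
    awk '
        BEGIN { depth = 0; hits = 0 }
        # opening container, e.g. <Directory /var/www> or <LocationMatch "^/x">
        tolower($0) ~ /^[ \t]*<(directory|location|files)(match)?[ \t>]/ { depth++ }
        tolower($0) ~ /^[ \t]*<\/(directory|location|files)(match)?>/   { depth-- }
        depth > 0 && $1 ~ /^(SSLVerifyClient|SSLVerifyDepth|SSLCipherSuite)$/ {
            printf "%s:%d: %s\n", FILENAME, FNR, $0
            hits++
        }
        END { exit (hits > 0) }
    ' "$1"
}

# classify_renego TEXT: print "secure" (server advertises RFC 5746),
# "legacy" (no renegotiation_info extension, what browsers warn about)
# or "unknown" (no summary line found in TEXT).
classify_renego() {
    case "$1" in
        *"Secure Renegotiation IS NOT supported"*) echo legacy ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# probe_renego HOST [PORT]: live check with openssl s_client (needs network;
# not exercised by the constructed samples below).
probe_renego() {
    classify_renego "$(openssl s_client -connect "$1:${2:-443}" </dev/null 2>&1)"
}

# Constructed sample config (not the reporter's ssl.conf): the vhost-level
# SSLCipherSuite is fine, the per-Location client-cert block is flagged.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <Location /secure>
        # per-directory client-cert auth: forces a renegotiation
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>
EOF

# Constructed s_client summary for an unpatched (pre-RFC 5746) server.
SAMPLE_LEGACY="SSL handshake has read 1234 bytes and written 456 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Secure Renegotiation IS NOT supported"

audit_ssl_conf "$SAMPLE_CONF" || echo "per-directory mod_ssl directives found"
echo "sample server: $(classify_renego "$SAMPLE_LEGACY")"
if [ $# -gt 0 ]; then
    echo "$1: $(probe_renego "$1" "${2:-443}")"
fi
```

Run as `sh check-renego.sh www.example.org` to probe a live host; the config audit needs only awk. A "legacy" result means the server does not advertise the RFC 5746 extension, which is exactly the condition Firefox reports as "potentially vulnerable"; it does not by itself say whether the server will still honour a client-initiated renegotiation, which is the separate thing the apache2 DSA-1934-1 change blocks.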


