
Bug#587037: marked as done (CVE-2009-3555: Firefox reports server is "potentially vulnerable")



Your message dated Thu, 06 Jan 2011 07:54:48 +0000
with message-id <E1PakgK-0001Jw-OC@franck.debian.org>
and subject line Bug#587037: fixed in apache2 2.2.9-10+lenny9
has caused the Debian Bug report #587037,
regarding CVE-2009-3555: Firefox reports server is "potentially vulnerable"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
587037: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587037
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.9-10+lenny8
Severity: normal


Hi, http://security-tracker.debian.org/tracker/CVE-2009-3555 says this has been fixed in my version of apache, and I am not using SSLVerifyClient at all, and there is one default SSLCipherSuite line in ssl.conf.  Firefox reports (in the javascript console, but I gather that is supposed to change to a more obvious error message at some point) that my server is "potentially vulnerable to CVE-2009-3555".

On the openssl side, I see that it was fixed in openssl 0.9.8k, but I (lenny) have openssl: 0.9.8g-15+lenny6.
I don't see that CVE mentioned in the changelog of openssl, so perhaps it wasn't ever backported.

Am I really vulnerable and/or is firefox going to start reporting to users that I am at some point?


-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  alias auth_basic auth_digest authn_file authz_default
  authz_groupfile authz_host authz_user autoindex cgi dav dav_fs
  dav_svn deflate dir env expires fastcgi include jk mime negotiation
  perl rewrite setenvif ssl status suexec suphp

-- System Information:
Debian Release: 5.0.4
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork      2.2.9-10+lenny8 Apache HTTP Server - traditional n

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny8      utility programs for webservers
ii  libapr1             1.4.2-3~bpo50+2      The Apache Portable Runtime Librar
ii  libaprutil1         1.2.12+dfsg-8+lenny4 The Apache Portable Runtime Utilit
ii  libc6               2.7-18lenny2         GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination library us
ii  libssl0.9.8         0.9.8g-15+lenny6     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2 init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' & 'mailcap
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19lenny2      Larry Wall's Practical Extraction 
ii  procps              1:3.2.7-11           /proc file system utilities
ii  psmisc              22.6-1               Utilities that use the proc filesy
ii  zlib1g              1:1.2.3.3.dfsg-12    compression library - runtime

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.2.9-10+lenny9

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.9-10+lenny9_i386.deb
  to main/a/apache2/apache2-dbg_2.2.9-10+lenny9_i386.deb
apache2-doc_2.2.9-10+lenny9_all.deb
  to main/a/apache2/apache2-doc_2.2.9-10+lenny9_all.deb
apache2-mpm-event_2.2.9-10+lenny9_i386.deb
  to main/a/apache2/apache2-mpm-event_2.2.9-10+lenny9_i386.deb
apache2-mpm-prefork_2.2.9-10+lenny9_i386.deb
  to main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny9_i386.deb
apache2-mpm-worker_2.2.9-10+lenny9_i386.deb
  to main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny9_i386.deb
apache2-prefork-dev_2.2.9-10+lenny9_i386.deb
  to main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny9_i386.deb
apache2-src_2.2.9-10+lenny9_all.deb
  to main/a/apache2/apache2-src_2.2.9-10+lenny9_all.deb
apache2-suexec-custom_2.2.9-10+lenny9_i386.deb
  to main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny9_i386.deb
apache2-suexec_2.2.9-10+lenny9_i386.deb
  to main/a/apache2/apache2-suexec_2.2.9-10+lenny9_i386.deb
apache2-threaded-dev_2.2.9-10+lenny9_i386.deb
  to main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny9_i386.deb
apache2-utils_2.2.9-10+lenny9_i386.deb
  to main/a/apache2/apache2-utils_2.2.9-10+lenny9_i386.deb
apache2.2-common_2.2.9-10+lenny9_i386.deb
  to main/a/apache2/apache2.2-common_2.2.9-10+lenny9_i386.deb
apache2_2.2.9-10+lenny9.diff.gz
  to main/a/apache2/apache2_2.2.9-10+lenny9.diff.gz
apache2_2.2.9-10+lenny9.dsc
  to main/a/apache2/apache2_2.2.9-10+lenny9.dsc
apache2_2.2.9-10+lenny9_all.deb
  to main/a/apache2/apache2_2.2.9-10+lenny9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 587037@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 11 Dec 2010 19:45:28 +0100
Source: apache2
Binary: apache2.2-common apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-src apache2-dbg
Architecture: source i386 all
Version: 2.2.9-10+lenny9
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-src - Apache source code
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-common - Apache HTTP Server common files
Closes: 587037
Changes: 
 apache2 (2.2.9-10+lenny9) stable-security; urgency=high
 .
   * Add the new SSLInsecureRenegotiation directive to configure if clients
     that have not been patched to support secure renegotiation (RFC 5746)
     are allowed to connect (CVE-2009-3555).
     Together with the recent openssl upgrade, this closes: #587037
     This upgrade also adds support for the SSL_SECURE_RENEG variable, to
     allow testing if secure renegotiation is supported by the client.
Checksums-Sha1: 
 f8d0b20040ab8bd9ea4388386af13cd8c22ca23c 1697 apache2_2.2.9-10+lenny9.dsc
 b9c13a9bc36936fb59aa1fca4baea78d27c09ca3 149748 apache2_2.2.9-10+lenny9.diff.gz
 5a23a2257385b3afe7fb86a9368b218d103f7567 783768 apache2.2-common_2.2.9-10+lenny9_i386.deb
 b5f92618a13a653e75b9a8408bc9b89640c7d599 242282 apache2-mpm-worker_2.2.9-10+lenny9_i386.deb
 fce62b386ce657322d599d8d750fd840108cc21f 239060 apache2-mpm-prefork_2.2.9-10+lenny9_i386.deb
 6f9722f647299ed3ea1eb082dfcfd3a32c15c03f 242720 apache2-mpm-event_2.2.9-10+lenny9_i386.deb
 8e240ca72daf56f4f477dd4c7804538bc8340983 144556 apache2-utils_2.2.9-10+lenny9_i386.deb
 aebd18480b4e3a385d726e46af0c27ad78108602 83300 apache2-suexec_2.2.9-10+lenny9_i386.deb
 a72b462f26e3596e56f2c986d439e72691284185 84898 apache2-suexec-custom_2.2.9-10+lenny9_i386.deb
 a9c8acf606141a6fd9174a3bf80956e75d89a565 212068 apache2-prefork-dev_2.2.9-10+lenny9_i386.deb
 05ea51cd94e7f89e28ddcbe26aa7b9e8ec6691ee 213262 apache2-threaded-dev_2.2.9-10+lenny9_i386.deb
 f16340b5348e78ec9671ee20d21a230012fd1fd5 2319710 apache2-dbg_2.2.9-10+lenny9_i386.deb
 28685bff1f3cfdb0923f4105ea2db3fa681d680c 45856 apache2_2.2.9-10+lenny9_all.deb
 02b21b046cbcaa7015c0f44841bb86ed48a604ac 2061636 apache2-doc_2.2.9-10+lenny9_all.deb
 0dd1197ac1a9ba121db79442da1e65ee5e65707e 6737144 apache2-src_2.2.9-10+lenny9_all.deb
Checksums-Sha256: 
 0cc6352e3769411e76eb96bdd3325b65c4ae1a0929b389bd770965144ebabc27 1697 apache2_2.2.9-10+lenny9.dsc
 ec466513f6c0950bd62747cb6e97f245d1573e875055f2e75ce60bfd9595ebaf 149748 apache2_2.2.9-10+lenny9.diff.gz
 eb7a40b6b3e3c3d1a28af0845d55d874c6d33d23fe4b7f43f0b911355407ce7b 783768 apache2.2-common_2.2.9-10+lenny9_i386.deb
 63db8a5c5dbbb81894165d67bd7eb551f36a2f073fc981bd7c4f51498d4c1711 242282 apache2-mpm-worker_2.2.9-10+lenny9_i386.deb
 1eee1779f8dce51a51bf54be4d404cd03618c3db9362d69d814855664b701898 239060 apache2-mpm-prefork_2.2.9-10+lenny9_i386.deb
 1f53e64c88787e3080579224800e9f27ffbcb1a4c1f4b27873d47e32f9d53c47 242720 apache2-mpm-event_2.2.9-10+lenny9_i386.deb
 f8a983c176b1cffd24a02b33b4db4bd4c98ba1e6507a48261b5ecd8a0c403f87 144556 apache2-utils_2.2.9-10+lenny9_i386.deb
 b4e22ea8b5c9a6df93f50e5902756da407b353b329750dec7471f7e1835cce38 83300 apache2-suexec_2.2.9-10+lenny9_i386.deb
 af1863311542a308b7038f7173c1877064dfc50d2e4fbfef812cce05240a9327 84898 apache2-suexec-custom_2.2.9-10+lenny9_i386.deb
 331c0787d82dc6e31c84500dfc66583fb939675aa35ccb3da89d4c555762ce99 212068 apache2-prefork-dev_2.2.9-10+lenny9_i386.deb
 46c4f5a430db529f3e9086e9bbafe5144f6eb87fc70e3860356cd4efcd229428 213262 apache2-threaded-dev_2.2.9-10+lenny9_i386.deb
 fbec33aa4c007f648c8bb28792f08f8d282c588ceb24ae85d074db087462d3ec 2319710 apache2-dbg_2.2.9-10+lenny9_i386.deb
 4535fc53b27a4430fa2b5dbbceac90319efbbc4a4c563ceb23b2ab097daa6079 45856 apache2_2.2.9-10+lenny9_all.deb
 436f313bba2167c397b306ed8e6270306c83fb96fa4d8fb3cc33e78da31f1b6a 2061636 apache2-doc_2.2.9-10+lenny9_all.deb
 4b6b87aa1ddfdbfd5193bde95482e6916e3a3b5c8707628fbf1d1d0d86dc5a4f 6737144 apache2-src_2.2.9-10+lenny9_all.deb
Files: 
 ef76d3ad84941ecfd98e4968f9d95eba 1697 web optional apache2_2.2.9-10+lenny9.dsc
 ebedab9ae59a32e224c1321b9b543752 149748 web optional apache2_2.2.9-10+lenny9.diff.gz
 4470d5b5764fbc333b1d92aa97e286e6 783768 web optional apache2.2-common_2.2.9-10+lenny9_i386.deb
 4e786cfee02f6da8783880561b131a28 242282 web optional apache2-mpm-worker_2.2.9-10+lenny9_i386.deb
 0dc8daf0b4ecd6a034031b9db62e45c9 239060 web optional apache2-mpm-prefork_2.2.9-10+lenny9_i386.deb
 3daa2df7c336b0d08690070dbfbf41ad 242720 web optional apache2-mpm-event_2.2.9-10+lenny9_i386.deb
 ac440f1eb477ddbd50026b1501c7f887 144556 web optional apache2-utils_2.2.9-10+lenny9_i386.deb
 30864abd7486c386db43ea6ae359ca2b 83300 web optional apache2-suexec_2.2.9-10+lenny9_i386.deb
 7268fd31c77095ffd8fd1c97e1de3427 84898 web extra apache2-suexec-custom_2.2.9-10+lenny9_i386.deb
 76da9662f7cb93a8b3f7d4bf519402f6 212068 devel extra apache2-prefork-dev_2.2.9-10+lenny9_i386.deb
 ea7c648516db1ddf4cf0499a9ff5f96c 213262 devel extra apache2-threaded-dev_2.2.9-10+lenny9_i386.deb
 f9789d63e129106624e2343e5af42ade 2319710 libdevel extra apache2-dbg_2.2.9-10+lenny9_i386.deb
 1332a9407456fb3cb1cb93b013dc224e 45856 web optional apache2_2.2.9-10+lenny9_all.deb
 7181192049fcc498cb670ce2ba005422 2061636 doc optional apache2-doc_2.2.9-10+lenny9_all.deb
 9b9acbf1fd7ea0357add41f35ca9da3f 6737144 devel extra apache2-src_2.2.9-10+lenny9_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFNA+oEbxelr8HyTqQRAv4GAKCks2JaevXwN19wB64eLYaSVjI7XQCfXyjK
CmsjJ9lIujmm79Xe1yJOlPY=
=gwZP
-----END PGP SIGNATURE-----



--- End Message ---
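The changelog above introduces the SSLInsecureRenegotiation directive and the SSL_SECURE_RENEG variable without showing how they are used. The vhost fragment below is an added illustration, not configuration shipped in the apache2 package or posted in this bug report; the ServerName, certificate paths, log file name and log format are assumed. It places the weak setting next to the default one and uses the new variable to record, per request, whether the client negotiated RFC 5746 secure renegotiation.

```apache
# Added example; not part of the apache2 package or this bug report.
# Assumed: an existing lenny vhost on :443 with the certificate paths below.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/example.org.key

    # Weak setting: re-enables legacy (pre-RFC 5746) renegotiation and so
    # restores the CVE-2009-3555 exposure. Only justified for a known set of
    # unpatched clients that must renegotiate, and then only temporarily.
    #SSLInsecureRenegotiation on

    # Default setting after this upload: renegotiation with a client that does
    # not send the renegotiation_info extension is refused by OpenSSL.
    SSLInsecureRenegotiation off

    # Inventory which clients support secure renegotiation, using the
    # SSL_SECURE_RENEG variable this upload adds. The %{...}x format asks
    # mod_ssl directly, so SSLOptions +StdEnvVars is not required for it.
    LogFormat "%h %t \"%r\" %>s proto=%{SSL_PROTOCOL}x secure_reneg=%{SSL_SECURE_RENEG}x" sslreneg
    CustomLog /var/log/apache2/ssl_reneg.log sslreneg
</VirtualHost>
```

After a reload, a client that supports RFC 5746 is logged with secure_reneg=true and an older one with secure_reneg=false, which gives an administrator in the reporter's position a count of clients that would be affected by keeping the directive off before deciding whether any exception is needed.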
