CVE 2009-3555 for nginx & openssl
Hello,

Although the security team addressed CVE 2009-3555 for apache, my
reckoning is that lenny's nginx is still vulnerable to the SSL
renegotiation vulnerability detailed in CVE 2009-3555, and that openssl is
as well. If that's the case, is it something the security team should
address?

To offer some background, lenny's version of nginx is the "old"
version, or 0.6 -- and so the nginx authors did not issue a patch for
it. However, the 0.7 patch does apply on 0.6, and appears to work -- at
least in 0.6.39. (A few important other things, such as nginx's treatment
of Vary: headers, may have changed between lenny's rev of 0.6 and 0.6.39,
so I can imagine that's complicated things).

But, for what it's worth, it seems like Debian testing, which has the
current stable nginx version (0.7), does have the fix
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557873). It also
appears that Red Hat patched this for nginx 0.6 back in December of 2009
(cf. the changelog at
http://fr2.rpmfind.net//linux/RPM/epel/5/i386/nginx-0.6.39-2.el5.i386.html).

If it's helpful, the other locus for the vulnerability is OpenSSL.
However, their initial patch was -- by their admission in the Changelog --
not quite right in 0.9.8l, and for the same reason doesn't obviate the
nginx patch. We await 0.9.8m. That said, the (albeit imperfect) 0.9.8l
fix for CVE 2009-3555 also does not seem to be in lenny. Should it be?

Thank you,
Hunter Blanks