CVE 2009-3555 for nginx & openssl

To: debian-security-tracker@lists.debian.org
Subject: CVE 2009-3555 for nginx & openssl
From: Hunter Blanks <hblanks@artifex.org>
Date: Mon, 8 Feb 2010 21:10:50 -0800 (PST)
Message-id: <[🔎] alpine.DEB.1.10.1002081159080.6333@terra.artifex.org>

Hello,

Although the security team addressed CVE 2009-3555 for apache, myreckoning is that lenny's nginx is still vulnerable to the SSLrenegotiation vulnerability detailed in CVE 2009-3555, and that openssl isas well. If that's the case, is it something the security team shouldaddress?

To offer some background, lenny's version of nginx is the "old"version, or 0.6 -- and so the nginx authors did not issue a patch forit. However, the 0.7 patch does apply on 0.6, and appears to work -- atleast in 0.6.39. (A few important other things, such as nginx's treatmentof Vary: headers, may have changed between lenny's rev of 0.6 and 0.6.39,so I can imagine that's complicated things).

But, for what it's worth, it seems like Debian testing, which has thecurrent stable nginx version (0.7), does have the fix(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557873). It alsoappears that Red Hat patched this for nginx 0.6 back in December of 2009(cf. the changelog athttp://fr2.rpmfind.net//linux/RPM/epel/5/i386/nginx-0.6.39-2.el5.i386.html).

If it's helpful, the other locus for the vulnerability is OpenSSL.However, their initial patch was -- by their admission in the Changelog --not quite right in 0.9.8l, and for the same reason doesn't obviate thenginx patch. We await 0.9.8m. That said, the (albeit imperfect) 0.9.8lfix for CVE 2009-3555 also does not seem to be in lenny. Should it be?


Thank you,

Hunter Blanks

Reply to:

Prev by Date: Tracker update
Next by Date: Re: On the usefulness of the remote column
Previous by thread: Tracker update
Next by thread: Re: On the usefulness of the remote column
Index(es):
- Date
- Thread