CVE-2009-3555 not addressed in OpenSSL
Hello Deb-sec!
I'd like to bring to the attention of the developers and the Debian
community that CVE-2009-3555 has not been completely addressed in
Debian/stable as we are meant to believe here:
http://security-tracker.debian.org/tracker/CVE-2009-3555
The apache & nginx fixes paper over the issue without addressing the
underlying problem, a protocol vulnerability in the openssl library.
In my opinion the openssl package should be marked with a security
tag, as it is for Ubuntu, and Debian bug #555829 should be re-opened.
Debian package:
http://packages.debian.org/lenny/openssl
Ubuntu package:
http://packages.ubuntu.com/jaunty/openssl
Debian Bug Report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555829
After verification from upstream this patch series looks like the
proper way to address the protocol vulnerability:
Ubuntu proposed fix:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/jaunty/openssl/jaunty-proposed/revision/34
To demonstrate this issue you can go to my example site, Debian/stable
(lenny), openssl (0.9.8g-15+lenny8) custom apache (2.2.16):
https://debian-lenny.badercom.net
With a recent Firefox build you will notice this in the error console:
"debian-lenny.badercom.net : server does not support RFC 5746, see
CVE-2009-3555"
Example site where protocol vulnerability is addressed, Debian/testing
(squeeze), openssl (0.9.8o-2) custom apache (2.2.16):
https://debian-squeeze.badercom.net
Thanks,
--
Kyle Bader
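As an added example (not part of Kyle's post), here is a small POSIX shell check that classifies a server's RFC 5746 status from the "Secure Renegotiation ..." summary line that `openssl s_client` prints after the handshake; the function names `classify_reneg` and `check_host` and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example: detect whether a TLS server advertises RFC 5746 secure
# renegotiation (the CVE-2009-3555 fix), using the summary line that
# `openssl s_client` prints. The client-side OpenSSL must itself implement
# RFC 5746 (0.9.8m or later); older clients print no such line at all, which
# this script reports as UNKNOWN rather than guessing.

# classify_reneg: read s_client output on stdin and print exactly one of
# SUPPORTED, NOT_SUPPORTED or UNKNOWN. The output is buffered into a
# variable first so the text can be tested more than once.
classify_reneg() {
    out=$(cat)
    case "$out" in
        *"Secure Renegotiation IS NOT supported"*) echo NOT_SUPPORTED ;;
        *"Secure Renegotiation IS supported"*)     echo SUPPORTED ;;
        *)                                         echo UNKNOWN ;;
    esac
}

# check_host HOST [PORT]: perform a real handshake (needs network access)
# and classify the result. -servername sends SNI so virtual hosts answer
# with the right certificate.
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | classify_reneg
}

# Constructed samples of the relevant s_client lines (not captured from any
# real host), used to exercise classify_reneg offline.
SAMPLE_PATCHED='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Secure Renegotiation IS supported'
SAMPLE_UNPATCHED='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Secure Renegotiation IS NOT supported'

# Usage: ./reneg-check.sh host [port]
if [ $# -gt 0 ]; then
    check_host "$1" "$2"
fi
```

Running the script against a host prints NOT_SUPPORTED for a server still on the unpatched library, which is the same condition the Firefox error console message in the post reports.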