
Re: CVE-2009-3555 not addressed in OpenSSL



Simon Josefsson <simon@josefsson.org> writes:
> Yves-Alexis Perez <corsac@debian.org> writes:

>> Well, who uses gnuTLS as the server anyway?

> Exim uses GnuTLS, and at least in lenny it was the default MTA.

> However I looked at how Exim uses GnuTLS a long time ago, and it is not
> directly vulnerable.  Almost all servers that were using GnuTLS were not
> vulnerable, because of how GnuTLS handles renegotiation.  However by not
> supporting the new TLS extension, clients have no way of knowing whether
> the server is insecure or not.  That is a problem, but it is borderline
> between a security problem and an interoperability problem.

OpenLDAP in Debian also uses GnuTLS, but if I recall correctly, the
OpenLDAP developers looked at this problem when it was first announced and
concluded that LDAP as a protocol is not particularly vulnerable to the
problem due to significant difficulties in encoding the required attack
into what the LDAP protocol expects, and OpenLDAP specifically is not
vulnerable for other reasons.

See:

    http://www.openldap.org/lists/openldap-devel/200911/msg00005.html

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
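The point raised above, that a client can only tell a server is safe if the server advertises the RFC 5746 renegotiation_info extension, can be made concrete by looking at what the client actually sees in the ServerHello. The following is an added example, not code from this thread, from Exim, OpenLDAP, GnuTLS or OpenSSL. It builds a constructed TLS 1.0 ServerHello (sample bytes, not a capture), parses its extensions, and classifies the server as "rfc5746" when renegotiation_info (type 0xff01, per RFC 5746) is present with the empty payload required on an initial handshake, or as "legacy" when the extension is absent, which is all a client can conclude about a server that has not implemented the extension.

```python
import struct
from typing import Dict

# Extension type assigned to renegotiation_info by RFC 5746.
RENEGOTIATION_INFO = 0xFF01


def build_server_hello(include_reneg_info: bool) -> bytes:
    """Build a minimal TLS 1.0 ServerHello record.

    Constructed sample data for this example, not a capture from any server.
    """
    version = b"\x03\x01"
    server_random = bytes(range(32))          # fixed bytes, sample only
    session_id = b""
    body = version + server_random + bytes([len(session_id)]) + session_id
    body += b"\x00\x2f"                       # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x00"                           # null compression
    if include_reneg_info:
        # On the initial handshake renegotiated_connection is empty, so the
        # extension body is a single zero length byte.
        ext_data = b"\x00"
        ext = struct.pack("!HH", RENEGOTIATION_INFO, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello_extensions(record: bytes) -> Dict[int, bytes]:
    """Return {extension_type: extension_data} from a ServerHello record.

    A ServerHello with no extensions block at all (what a pre-RFC 5746
    server sends) yields an empty dict. Truncated or malformed input raises.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or len(handshake) < 4 or handshake[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake message")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello body")

    off = 2 + 32                              # skip version and server random
    if off >= len(body):
        raise ValueError("truncated ServerHello body")
    sid_len = body[off]
    off += 1 + sid_len + 2 + 1                # session id, cipher suite, compression
    if off > len(body):
        raise ValueError("truncated ServerHello body")
    if off == len(body):
        return {}                             # no extensions block present

    if off + 2 > len(body):
        raise ValueError("truncated extensions length")
    ext_total = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_total
    if end != len(body):
        raise ValueError("extensions length disagrees with message length")

    exts: Dict[int, bytes] = {}
    while off < end:
        if off + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if off + ext_len > end:
            raise ValueError("truncated extension data")
        if ext_type in exts:
            raise ValueError("duplicate extension %#x" % ext_type)
        exts[ext_type] = body[off:off + ext_len]
        off += ext_len
    return exts


def classify_initial_server_hello(record: bytes) -> str:
    """Classify what a client can learn from a server's initial ServerHello.

    "rfc5746": renegotiation_info present with an empty renegotiated_connection.
    "legacy":  extension absent; the client cannot tell whether the server's
               renegotiation handling is safe. Any other extension content is
               a protocol violation and the handshake should be aborted.
    """
    exts = parse_server_hello_extensions(record)
    data = exts.get(RENEGOTIATION_INFO)
    if data is None:
        return "legacy"
    if data != b"\x00":
        raise ValueError("renegotiation_info must be empty on the initial handshake")
    return "rfc5746"


if __name__ == "__main__":
    for flag in (True, False):
        print("renegotiation_info sent:", flag, "->",
              classify_initial_server_hello(build_server_hello(flag)))
```

A real client would additionally require the extension on every later ServerHello and check that its payload equals the previous client_verify_data plus server_verify_data; the example stops at the initial handshake because that is the observation the thread is about: a "legacy" answer is indistinguishable between a server that handles renegotiation safely (as GnuTLS did) and one that does not.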

