[Secure-testing-commits] r15415 - in data: . CVE
Michael Gilbert
gilbert-guest at alioth.debian.org
Sun Oct 3 22:57:26 UTC 2010
Author: gilbert-guest
Date: 2010-10-03 22:57:26 +0000 (Sun, 03 Oct 2010)
New Revision: 15415
Removed:
data/CVE-2009-3555
Modified:
data/CVE/list
Log:
track cve-2009-3555 in a more standard manner
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2010-10-03 20:51:57 UTC (rev 15414)
+++ data/CVE/list 2010-10-03 22:57:26 UTC (rev 15415)
@@ -13474,7 +13474,31 @@
CVE-2009-3555 (The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as ...)
{DSA-1934-1}
- apache2 2.2.14-2
- NOTE: See separate CVE-2009-3555 file in SVN
+ - openssl 0.9.8k-6
+ [lenny] - openssl <no-dsa> (fix changes functionality, can be fixed in point release)
+ - nss 3.12.6-1
+ - sun-java5 <removed>
+ - sun-java6 6.19-1
+ - openjdk-6 <unfixed>
+ - nginx 0.7.64-1
+ - matrixssl 1.8.8-1
+ - tomcat-native 1.1.18-1
+ - gnutls26 <not-affected> (safely handles renegotiation; however support for RFC 5746 would be useful)
+ - xyssl <undetermined>
+ - polarssl <undetermined>
+ - pike7.6 <undetermined>
+ - classpath <undetermined>
+ - gcj-4.1 <undetermined>
+ - gcj-4.2 <undetermined>
+ - gcj-4.3 <undetermined>
+ - gcj-4.4 <undetermined>
+ - zorp <undetermined>
+ NOTE: for any of the currently unfixed implementations, you can solve the problem by disabling renegotiation
+ NOTE: the following implement RFC 5746:
+ NOTE: - openssl 0.9.8m-1
+ NOTE: - apache 2.2.15-1
+ NOTE: - nss 3.12.6-1
+ NOTE: - sun-java6 6.19-1
CVE-2009-3554 (Twiddle in Red Hat JBoss Enterprise Application Platform (aka JBoss ...)
- jbossas4 4.2.2.GA-1 (bug #562000)
[lenny] - jbossas4 <no-dsa> (Contrib not supported)
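Review bot: the unchanged "- apache2 2.2.14-2" line still records apache2 as fixed at the version that the file removed in this same commit describes as "only partial fix" (client-initiated renegotiation disabled), while the new NOTE block lists apache 2.2.15-1 as the version implementing RFC 5746. The new "- openssl 0.9.8k-6" line has the same gap against "openssl 0.9.8m-1" in the NOTE block. Suggest a NOTE saying that the package-line versions are the renegotiation-disabled workarounds and the RFC 5746 versions are the complete fix, and using the source package name apache2 in the NOTE so it matches the package line.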
Deleted: data/CVE-2009-3555
===================================================================
--- data/CVE-2009-3555 2010-10-03 20:51:57 UTC (rev 15414)
+++ data/CVE-2009-3555 2010-10-03 22:57:26 UTC (rev 15415)
@@ -1,40 +0,0 @@
-A generic position statement will be send by Florian.
-
-SSL implementations in the archive:
-
-- openssl -> Disabled SSL/TLS renegotiations in 0.9.8k-6 in unstable (bug #555829)
-- openssl097 (oldstable only)
-- gnutls26
-- gnutls13 (oldstable only)
-- nss
-- xyssl
-- polarssl
-- matrixssl -> Disabled SSL/TLS renegs in 1.8.8-1 in unstable
-- pike7.6
-- classpath
-- gcj-4.1
-- gcj-4.2
-- gcj-4.3
-- gcj-4.4
-- zorp
-- openjdk-6
-- sun-java5
-- sun-java6
-
-Applications, which have been modified with workarounds
-- proftpd-dfsg -> Disabled SSL/TLS renegotiations in 1.3.2b-2 in unstable
-- apache2 -> Disabled client-initiated SSL/TLS renegs in 2.2.14-2, only partial fix, also issued as DSA 1934 for stable
-- tomcat-native -> 1.1.18-1
-- nginx: disabled renegotiation in 0.7.64-1
- patch at http://sysoev.ru/nginx/patch.cve-2009-3555.txt
-- openssl 0.9.8k-6
-
-
-Candidates for modification:
-- libapache-mod-ssl (oldstable only) bug #556942, no patch yet
-
-Applications, which implement RfC 5746:
-- openssl 0.9.8m-1
-- apache 2.2.15-1
-- nss 3.12.6-1
-- sun-java6 6.19-1
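Review bot: removing this file drops information that the new data/CVE/list entry does not carry over: proftpd-dfsg (renegotiation disabled in 1.3.2b-2), libapache-mod-ssl (bug #556942, no patch yet), the oldstable-only openssl097 and gnutls13, the openssl bug reference #555829, and the nginx patch URL. Suggest adding package lines or NOTE lines for these to the CVE-2009-3555 entry in the same commit, so that the packages with no fix yet stay tracked after the separate file is gone.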