[Secure-testing-commits] r31752 - data/CVE
Raphaël Hertzog
hertzog at moszumanska.debian.org
Tue Jan 27 17:36:00 UTC 2015
Author: hertzog
Date: 2015-01-27 17:36:00 +0000 (Tue, 27 Jan 2015)
New Revision: 31752
Modified:
data/CVE/list
Log:
Try to clarify the situation of pound related to the various SSL issues
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2015-01-27 17:35:52 UTC (rev 31751)
+++ data/CVE/list 2015-01-27 17:36:00 UTC (rev 31752)
@@ -69996,6 +69996,8 @@
NOTE: No mitigation for polarssl, it is recommended to use TLS 1.1, which is supported in all releases
- tlslite <removed>
[wheezy] - tlslite <no-dsa> (Minor issue)
+ - pound 2.6-2
+ NOTE: Pound 2.6-2 added an anti_beast.patch to mitigate BEAST attacks.
CVE-2011-3388 (Opera before 11.51 allows remote attackers to cause an insecure site ...)
NOT-FOR-US: Opera
CVE-2011-3387 (The class file parser in IBM Java 1.4.2 SR13 FP9 allows remote ...)
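Review bot: The added `- pound 2.6-2` line records pound as fixed from 2.6-2, but the NOTE beneath it only says the anti_beast.patch was added "to mitigate BEAST attacks", and the second hunk of this same commit describes that patch's handling of the other issue as apparently broken. The NOTE should say whether the BEAST part of the patch was checked to work, or the entry should be worded so that a mitigation is not read as a confirmed fix. A bug or changelog reference for the patch, as the other entry has with bug #765649, would also make the claim verifiable.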
@@ -96412,7 +96414,8 @@
[squeeze] - zorp <no-dsa> (Minor issue)
[lenny] - zorp <no-dsa> (Minor issue)
- lighttpd 1.4.30-1
- - pound 2.6-2
+ - pound <unfixed> (bug #765649)
+ NOTE: the anti_beast.patch in pound 2.6-2 has some provision for this issue too but it seems to be broken, cf #765649
NOTE: for any of the currently unfixed implementations, you can solve the problem by disabling renegotiation
NOTE: the following implement RFC 5746:
NOTE: - openssl 0.9.8m-1
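Review bot: In the added NOTE, "it seems to be broken" does not say what was observed, so someone triaging this entry later cannot tell what to re-test; a short statement of the failure, or an explicit pointer that the details are in the bug, would be more useful. The bug number also appears twice, once on the `- pound <unfixed> (bug #765649)` line and again as "cf #765649"; one reference is enough. The next context line recommends disabling renegotiation for unfixed implementations, and pound now falls in that group, so consider noting whether pound offers a way to do that.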