httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 48866] New: Clarification regarding CVE-2009-3555
Date Fri, 05 Mar 2010 14:43:41 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=48866

           Summary: Clarification regarding CVE-2009-3555
           Product: Apache httpd-2
           Version: 2.2.14
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: sailesh_kyanam@fanniemae.com


Per CVE-2009-3555
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555), mod_ssl (among
many products that use SSL/TLS) is vulnerable to a MITM attack during SSL/TLS
renegotiation. The CVE and various advisories posted online are not very clear
on the scope of this vulnerability. The CVE seems to suggest that the
vulnerability manifests itself only when client cert authentication is used.
However, other advisories suggest that this could happen even when client cert
authentication is not involved, if the client or server requests a
re-negotiate.

My first question is: Are Apache web servers 2.2.x with mod_ssl vulnerable to
this issue if client certificate authentication is not used?

My second question is: 2.2 documentation refers to a new mod_ssl directive
called SSLInsecureRenegotiation:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation. The
document mentions that this is only supported in 2.2.15 but I have not seen
2.2.15 being released. When would it be released?


Thanks

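The first question asks which servers are exposed; the check a defender usually wants is whether a given server has the fix, which RFC 5746 signals through the renegotiation_info extension (type 0xff01) in the ServerHello. The following is an added example, not part of the bug report or of mod_ssl: it parses a TLS ServerHello record and reports whether that extension is present. The ServerHello bytes are constructed inline, and the function names are my own.

```python
# Added example: detect the RFC 5746 renegotiation_info extension (0xff01),
# the fix for CVE-2009-3555, in a TLS ServerHello.  Sample records below are
# constructed by hand; no network access is needed.
import struct

RENEGOTIATION_INFO = 0xFF01


def server_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: data} from a TLS record carrying a ServerHello."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != 22:                      # 22 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if body[0] != 2:                     # 2 = ServerHello message type
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    pos = 2 + 32                         # skip server_version and random
    sid_len = hs[pos]
    pos += 1 + sid_len                   # skip session_id
    pos += 2 + 1                         # skip cipher_suite and compression_method
    exts = {}
    if pos >= len(hs):                   # pre-RFC 5746 servers may send no extensions
        return exts
    ext_total = int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        exts[etype] = hs[pos:pos + elen]
        pos += elen
    return exts


def supports_secure_renegotiation(record: bytes) -> bool:
    """True if the ServerHello advertises renegotiation_info (RFC 5746)."""
    return RENEGOTIATION_INFO in server_hello_extensions(record)


def build_server_hello(exts: list) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (test data only)."""
    ext_block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    hs = (b"\x03\x01" + bytes(32) + b"\x00"   # version, random, empty session_id
          + b"\x00\x2f" + b"\x00")            # TLS_RSA_WITH_AES_128_CBC_SHA, no compression
    if exts:
        hs += struct.pack("!H", len(ext_block)) + ext_block
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 22, 0x0301, len(body)) + body


# Constructed samples: on an initial handshake a patched server sends an empty
# renegotiated_connection field, encoded as the single length byte 0x00.
PATCHED_HELLO = build_server_hello([(RENEGOTIATION_INFO, b"\x00")])
UNPATCHED_HELLO = build_server_hello([])
```

Run against a real server by feeding it the first record returned after a ClientHello that itself carries an empty renegotiation_info extension.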

