httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Reading between the lines; changelog
Date Fri, 05 Mar 2010 22:22:51 GMT
On 3/5/2010 4:13 PM, Jeff Trawick wrote:
> On Fri, Mar 5, 2010 at 4:55 PM, William A. Rowe Jr. <wrowe@rowe-clan.net> wrote:
>> Anyone looking at the changelog should be terrified of adopting 2.2.15; I'm going
>> to modify it thusly (please correct attributions if needed?);
>>
>>  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
>>     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
>>     attack when compiled against OpenSSL version 0.9.8m or later.
> 
> I see what you mean about potential fear; OTOH, maybe "comprehensive
> fix" is misleading too.  Joe mentioned adding something to the FAQ
> about the issue.  Perhaps that's the only solution.

I will solve through the CHANGES, as well, to at least calm fears that there is only
half a solution in 2.2.15.  (Well, there is only half a solution, the other half is
in openssl :-)

Here is some slight rewording; I don't believe comprehensive is misleading at all,
the exposure isn't mitigated, it is eliminated [until they are foolish enough to
re-enable SSLInsecureRenegotiation].  We also can hardly assume most credit.  So I'd
suggest this phrasing;

     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the secure renegotiation protocol.  [Joe Orton, and the OpenSSL Team]
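The proposed CHANGES text says the fix is only "comprehensive" while `SSLInsecureRenegotiation` stays off, so the two things an operator would actually check are the httpd configuration and what the running server negotiates. The following script is an added example, not code from the thread or from the httpd project. It assumes an httpd config with one directive per line and an `openssl s_client` summary line that reads either "Secure Renegotiation IS supported" or "Secure Renegotiation IS NOT supported" (the real OpenSSL wording); the sample config and sample s_client output are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list thread): two small
# defender-side checks around the SSLInsecureRenegotiation directive that
# the proposed CHANGES entry describes.  Assumptions: the httpd config is
# plain text with one directive per line, and the server is probed with
# `openssl s_client`, whose summary line reads
# "Secure Renegotiation IS supported" or "Secure Renegotiation IS NOT supported".

# Returns 0 if the config file re-enables unsafe legacy renegotiation
# (an uncommented "SSLInsecureRenegotiation on"), 1 otherwise.
# Leading whitespace and case differences are tolerated; commented-out
# lines (starting with '#') do not count.
config_reopens_vuln() {
    grep -Eiq '^[[:space:]]*SSLInsecureRenegotiation[[:space:]]+on([[:space:]]|$)' "$1"
}

# Reads `openssl s_client` output on stdin; returns 0 if the peer negotiated
# RFC 5746 secure renegotiation, 1 otherwise (including when the line is absent).
secure_reneg_supported() {
    grep -q 'Secure Renegotiation IS supported'
}

# --- constructed sample inputs (not real server data) ---
tmp_cfg=$(mktemp)
cat > "$tmp_cfg" <<'EOF'
# constructed httpd.conf fragment
SSLEngine on
# SSLInsecureRenegotiation on   <- commented out, so not in effect
SSLInsecureRenegotiation off
EOF

if config_reopens_vuln "$tmp_cfg"; then
    echo "config re-enables unsafe legacy renegotiation"
else
    echo "config keeps secure-renegotiation-only behaviour"
fi
rm -f "$tmp_cfg"

# Constructed s_client-style output.  Against a live server you would run:
#   openssl s_client -connect HOST:443 </dev/null 2>&1 | secure_reneg_supported
sample_out='Secure Renegotiation IS NOT supported'
if printf '%s\n' "$sample_out" | secure_reneg_supported; then
    echo "peer supports secure renegotiation"
else
    echo "peer does NOT support secure renegotiation (legacy-only client or server)"
fi
```

Both functions are exit-status based so they drop straight into a monitoring check or a pre-deploy lint; the config check is the one that catches someone quietly turning the directive back on after upgrading to 2.2.15.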

