Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 414
Alerts This Week
Warning Icon 1 414

Debian: DSA-1934-1 Critical Apache2 Client Injection Threat

debian
Calendar Grey November 16, 2009
Debian Logo
- ------------------------------------------------------------------------ Debian Security Advisory
A design flaw has been found in the TLS and SSL protocol that allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection

Summary

A design flaw has been found in the TLS and SSL protocol that allows
an attacker to inject arbitrary content at the beginning of a TLS/SSL
connection. The attack is related to the way how TLS and SSL handle
session renegotiations. CVE-2009-3555 has been assigned to this
vulnerability.

As a partial mitigation against this attack, this apache2 update
disables client-initiated renegotiations. This should fix the
vulnerability for the majority of Apache configurations in use.

NOTE: This is not a complete fix for the problem. The attack is
still possible in configurations where the server initiates the
renegotiation. This is the case for the following configurations
(the information in the changelog of the updated packages is
slightly inaccurate):

- - The "SSLVerifyClient" directive is used in a Directory or Location
context.
- - The "SSLCipherSuite" directive is used in a Directory or Location
context.

As a workaround, you may rearrange your configuration in a way that
SSLVerifyClient and SSLCipherSu...

Read the Full Advisory

Severity
critical
Lowest
Low
Medium
High
Critical

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.