Scientific Linux 5.x Moderate Advisory for OpenSSL097a: CVE-2009-3555 MitM

Date: Thu, 25 Mar 2010 10:59:50 -0500
Reply-To: Troy Dawson 
Sender: Security Errata for Scientific Linux
 
From: Troy Dawson 
Subject: Security ERRATA Moderate: openssl097a on SL5.x i386/x86_64
Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it."
 

Synopsis:	Moderate: openssl097a security update
Issue date:	2010-03-25
CVE Names:	CVE-2009-3555

CVE-2009-3555 TLS: MITM attacks via session renegotiation

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handled session renegotiation. A
man-in-the-middle attacker could use this flaw to prefix arbitrary plain
text to a client's session (for example, an HTTPS connection to a
website). This could force the server to process an attacker's request
as if authenticated using the victim's credentials. This update
addresses this flaw by implementing the TLS Renegotiation Indication
Extension, as defined in RFC 5746. (CVE-2009-3555)

Refer to the following Knowledgebase article for additional details
about this flaw:
For the update to take effect, all services linked to the openssl097a
library must be restarted, or the system rebooted.

SL 5.x

 SRPMS:
openssl097a-0.9.7a-9.el5_4.2.src.rpm
 i386:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm
 x86_64:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm
openssl097a-0.9.7a-9.el5_4.2.x86_64.rpm

-Connie Sieh
-Troy Dawson