SciLinux: CVE-2009-3555 Moderate: openssl097a SL5.x i386/x86_64
Summary
A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plaintext to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about this flaw:

For the update to take effect, all services linked to the openssl097a library must be restarted, or the system rebooted.

SL 5.x

SRPMS:
openssl097a-0.9.7a-9.el5_4.2.src.rpm
i386:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm
x86_64:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm
openssl097a-0.9.7a-9.el5_4.2.x86_64.rpm

-Connie Sieh
-Troy Dawson
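
To find the services that still need the restart described above, this added example (not part of the original advisory) lists processes that still map the pre-update library. It assumes the package's shared objects are named libssl.so.0.9.7a and libcrypto.so.0.9.7a, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: report processes still running the pre-update openssl097a
# code. Assumption (not from the advisory): the package's libraries are named
# libssl.so.0.9.7a and libcrypto.so.0.9.7a.

# stale_maps FILE: FILE is in /proc/<pid>/maps format. Print each matching
# library whose mapping is marked "(deleted)". The kernel adds that marker
# when the mapped file was unlinked, which happens when a package update
# replaces a library that a running process still has loaded.
stale_maps() {
    awk 'NF >= 7 && $NF == "(deleted)" &&
         $(NF-1) ~ /\/lib(ssl|crypto)\.so\.0\.9\.7a/ { print $(NF-1) }' \
        "$1" 2>/dev/null | sort -u
}

# scan_proc [ROOT]: walk ROOT/<pid>/maps (default /proc) and print one line
# per stale mapping: "<pid> <process name> <library path>".
scan_proc() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # process exited or not permitted
        dir=${maps%/maps}
        pid=${dir##*/}
        # The Name: field of /proc/<pid>/status holds the process name.
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null) \
            || name='?'
        stale_maps "$maps" | while read -r lib; do
            echo "$pid $name $lib"
        done
    done
}

# Run as root so every process is readable. No output means no running
# process still maps the old library.
scan_proc /proc
```

Each process listed belongs to a service that has not been restarted since the update.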