Stay Vigilant with Timely Linux Security Advisories

security advisoryman-in-the-middleTLS

Scientific Linux: CVE-2009-3555 Moderate: NSS TLS Session Flaw

Moderate: nss security update. Date: Thu, 25 Mar 2010 11:05:25 -0500 Reply-To: Troy Dawson Sender: Security Errata for Scientific Linux From: Troy Dawson Subject: Security ERRATA Moderate: nss on SL4.x, SL5.x i386/x86_64 Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it." Synopsis: Moderate: nss security update Issue date: 2010-03-25 CVE Names: CVE-2009-3555 CVE-2009-3555 TLS: MITM attacks via session renegotiation A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555) Refer to the following Knowledgebase article for additional details about this flaw: All running applications using the NSS library must be restarted for this update to take effect. SL 4.x SRPMS: nspr-4.8.4-1.1.el4_8.src.rpm nss-3.12.6-1.el4_8.src.rpm i386: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-devel-4.8.4-1.1.el4_8.i386.rpm nss-3.12.6-1.el4_8.i386.rpm nss-devel-3.12.6-1.el4_8.i386.rpm nss-tools-3.12.6-1.el4_8.i386.rpm x86_64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.x86_64.rpm nspr-devel-4.8.4-1.1.el4_8.x86_64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.x86_64.rpm nss-devel-3.12.6-1.el4_8.x86_64.rpm nss-tools-3.12.6-1.el4_8.x86_64.rpm SL 5.x SRPMS: nspr-4.8.4-1.el5_4.src.rpm nss-3.12.6-1.el5_4.src.rpm i386: nspr-4.8.4-1.el5_4.i386.rpm nspr-devel-4.8.4-1.el5_4.i386.rpm nss-3.12.6-1.el5_4.i386.rpm nss-devel-3.12.6-1.el5_4.i386.rpm nss-pkcs11-devel-3.12.6-1.el5_4.i386.rpm nss-tools-3.12.6-1.el5_4.i386.rpm x86_64: nspr-4.8.4-1.el5_4.i386.rpm nspr-4.8.4-1.el5_4.x86_64.rpm nspr-devel-4.8.4-1.el5_4.i386.rpm nspr-devel-4.8.4-1.el5_4.x86_64.rpm nss-3.12.6-1.el5_4.i386.rpm nss-3.12.6-1.el5_4.x86_64.rpm nss-devel-3.12.6-1.el5_4.i386.rpm nss-devel-3.12.6-1.el5_4.x86_64.rpm nss-pkcs11-devel-3.12.6-1.el5_4.i386.rpm nss-pkcs11-devel-3.12.6-1.el5_4.x86_64.rpm nss-tools-3.12.6-1.el5_4.x86_64.rpm -Connie Sieh -Troy Dawson . Regular security patch for Scientific Linux targeting TLS session renegotiation vulnerabilities impacting SL4.x and SL5.x.. nss security update, Scientific Linux, TLS security fix, man-in-the-middle attack, session renegotiation. . LinuxSecurity.com Team

Mar 25, 2010 Scientific Linux

security advisorymoderatenetwork security

Red Hat Enterprise Linux Versions 4 and 5: Moderate NSS Security Update

Updated nss packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: nss security update Advisory ID: RHSA-2010:0165-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2010:0165.html Issue date: 2010-03-25 CVE Names: CVE-2009-3555 ==================================================================== 1. Summary: Updated nss packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and networkI/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555) Refer to the following Knowledgebase article for additional details about this flaw: Users of Red Hat Certificate System 7.3 and 8.0 should review the following Knowledgebase article before installing this update: All users of NSS are advised to upgrade to these updated packages, which update NSS to version 3.12.6. This erratum also updates the NSPR packages to the version required by NSS 3.12.6. All running applications using the NSS library must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at 5. Bugs fixed (http://bugzilla.redhat.com/): 533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation 6. Package List: Red Hat Enterprise Linux AS version4: Source: i386: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-devel-4.8.4-1.1.el4_8.i386.rpm nss-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-devel-3.12.6-1.el4_8.i386.rpm nss-tools-3.12.6-1.el4_8.i386.rpm ia64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.ia64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.ia64.rpm nspr-devel-4.8.4-1.1.el4_8.ia64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.ia64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.ia64.rpm nss-devel-3.12.6-1.el4_8.ia64.rpm nss-tools-3.12.6-1.el4_8.ia64.rpm ppc: nspr-4.8.4-1.1.el4_8.ppc.rpm nspr-4.8.4-1.1.el4_8.ppc64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.ppc.rpm nspr-debuginfo-4.8.4-1.1.el4_8.ppc64.rpm nspr-devel-4.8.4-1.1.el4_8.ppc.rpm nss-3.12.6-1.el4_8.ppc.rpm nss-3.12.6-1.el4_8.ppc64.rpm nss-debuginfo-3.12.6-1.el4_8.ppc.rpm nss-debuginfo-3.12.6-1.el4_8.ppc64.rpm nss-devel-3.12.6-1.el4_8.ppc.rpm nss-tools-3.12.6-1.el4_8.ppc.rpm s390: nspr-4.8.4-1.1.el4_8.s390.rpm nspr-debuginfo-4.8.4-1.1.el4_8.s390.rpm nspr-devel-4.8.4-1.1.el4_8.s390.rpm nss-3.12.6-1.el4_8.s390.rpm nss-debuginfo-3.12.6-1.el4_8.s390.rpm nss-devel-3.12.6-1.el4_8.s390.rpm nss-tools-3.12.6-1.el4_8.s390.rpm s390x: nspr-4.8.4-1.1.el4_8.s390.rpm nspr-4.8.4-1.1.el4_8.s390x.rpm nspr-debuginfo-4.8.4-1.1.el4_8.s390.rpm nspr-debuginfo-4.8.4-1.1.el4_8.s390x.rpm nspr-devel-4.8.4-1.1.el4_8.s390x.rpm nss-3.12.6-1.el4_8.s390.rpm nss-3.12.6-1.el4_8.s390x.rpm nss-debuginfo-3.12.6-1.el4_8.s390.rpm nss-debuginfo-3.12.6-1.el4_8.s390x.rpm nss-devel-3.12.6-1.el4_8.s390x.rpm nss-tools-3.12.6-1.el4_8.s390x.rpm x86_64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.x86_64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.x86_64.rpm nspr-devel-4.8.4-1.1.el4_8.x86_64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.x86_64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.x86_64.rpm nss-devel-3.12.6-1.el4_8.x86_64.rpm nss-tools-3.12.6-1.el4_8.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: i386: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-devel-4.8.4-1.1.el4_8.i386.rpm nss-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-devel-3.12.6-1.el4_8.i386.rpm nss-tools-3.12.6-1.el4_8.i386.rpm x86_64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.x86_64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.x86_64.rpm nspr-devel-4.8.4-1.1.el4_8.x86_64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.x86_64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.x86_64.rpm nss-devel-3.12.6-1.el4_8.x86_64.rpm nss-tools-3.12.6-1.el4_8.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: i386: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-devel-4.8.4-1.1.el4_8.i386.rpm nss-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-devel-3.12.6-1.el4_8.i386.rpm nss-tools-3.12.6-1.el4_8.i386.rpm ia64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.ia64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.ia64.rpm nspr-devel-4.8.4-1.1.el4_8.ia64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.ia64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.ia64.rpm nss-devel-3.12.6-1.el4_8.ia64.rpm nss-tools-3.12.6-1.el4_8.ia64.rpm x86_64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.x86_64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.x86_64.rpm nspr-devel-4.8.4-1.1.el4_8.x86_64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.x86_64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.x86_64.rpm nss-devel-3.12.6-1.el4_8.x86_64.rpm nss-tools-3.12.6-1.el4_8.x86_64.rpm Red Hat Enterprise Linux WS version4: Source: i386: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-devel-4.8.4-1.1.el4_8.i386.rpm nss-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-devel-3.12.6-1.el4_8.i386.rpm nss-tools-3.12.6-1.el4_8.i386.rpm ia64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.ia64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.ia64.rpm nspr-devel-4.8.4-1.1.el4_8.ia64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.ia64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.ia64.rpm nss-devel-3.12.6-1.el4_8.ia64.rpm nss-tools-3.12.6-1.el4_8.ia64.rpm x86_64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.x86_64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.x86_64.rpm nspr-devel-4.8.4-1.1.el4_8.x86_64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.x86_64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.x86_64.rpm nss-devel-3.12.6-1.el4_8.x86_64.rpm nss-tools-3.12.6-1.el4_8.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 5 client): Source: i386: nspr-4.8.4-1.el5_4.i386.rpm nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nss-3.12.6-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-tools-3.12.6-1.el5_4.i386.rpm x86_64: nspr-4.8.4-1.el5_4.i386.rpm nspr-4.8.4-1.el5_4.x86_64.rpm nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nspr-debuginfo-4.8.4-1.el5_4.x86_64.rpm nss-3.12.6-1.el5_4.i386.rpm nss-3.12.6-1.el5_4.x86_64.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.x86_64.rpm nss-tools-3.12.6-1.el5_4.x86_64.rpm RHEL Desktop Workstation (v. 5client): Source: i386: nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nspr-devel-4.8.4-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-devel-3.12.6-1.el5_4.i386.rpm nss-pkcs11-devel-3.12.6-1.el5_4.i386.rpm x86_64: nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nspr-debuginfo-4.8.4-1.el5_4.x86_64.rpm nspr-devel-4.8.4-1.el5_4.i386.rpm nspr-devel-4.8.4-1.el5_4.x86_64.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.x86_64.rpm nss-devel-3.12.6-1.el5_4.i386.rpm nss-devel-3.12.6-1.el5_4.x86_64.rpm nss-pkcs11-devel-3.12.6-1.el5_4.i386.rpm nss-pkcs11-devel-3.12.6-1.el5_4.x86_64.rpm Red Hat Enterprise Linux (v. 5server): Source: i386: nspr-4.8.4-1.el5_4.i386.rpm nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nspr-devel-4.8.4-1.el5_4.i386.rpm nss-3.12.6-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-devel-3.12.6-1.el5_4.i386.rpm nss-pkcs11-devel-3.12.6-1.el5_4.i386.rpm nss-tools-3.12.6-1.el5_4.i386.rpm ia64: nspr-4.8.4-1.el5_4.i386.rpm nspr-4.8.4-1.el5_4.ia64.rpm nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nspr-debuginfo-4.8.4-1.el5_4.ia64.rpm nspr-devel-4.8.4-1.el5_4.ia64.rpm nss-3.12.6-1.el5_4.i386.rpm nss-3.12.6-1.el5_4.ia64.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.ia64.rpm nss-devel-3.12.6-1.el5_4.ia64.rpm nss-pkcs11-devel-3.12.6-1.el5_4.ia64.rpm nss-tools-3.12.6-1.el5_4.ia64.rpm ppc: nspr-4.8.4-1.el5_4.ppc.rpm nspr-4.8.4-1.el5_4.ppc64.rpm nspr-debuginfo-4.8.4-1.el5_4.ppc.rpm nspr-debuginfo-4.8.4-1.el5_4.ppc64.rpm nspr-devel-4.8.4-1.el5_4.ppc.rpm nspr-devel-4.8.4-1.el5_4.ppc64.rpm nss-3.12.6-1.el5_4.ppc.rpm nss-3.12.6-1.el5_4.ppc64.rpm nss-debuginfo-3.12.6-1.el5_4.ppc.rpm nss-debuginfo-3.12.6-1.el5_4.ppc64.rpm nss-devel-3.12.6-1.el5_4.ppc.rpm nss-devel-3.12.6-1.el5_4.ppc64.rpm nss-pkcs11-devel-3.12.6-1.el5_4.ppc.rpm nss-pkcs11-devel-3.12.6-1.el5_4.ppc64.rpm nss-tools-3.12.6-1.el5_4.ppc.rpm s390x: nspr-4.8.4-1.el5_4.s390.rpm nspr-4.8.4-1.el5_4.s390x.rpm nspr-debuginfo-4.8.4-1.el5_4.s390.rpm nspr-debuginfo-4.8.4-1.el5_4.s390x.rpm nspr-devel-4.8.4-1.el5_4.s390.rpm nspr-devel-4.8.4-1.el5_4.s390x.rpm nss-3.12.6-1.el5_4.s390.rpm nss-3.12.6-1.el5_4.s390x.rpm nss-debuginfo-3.12.6-1.el5_4.s390.rpm nss-debuginfo-3.12.6-1.el5_4.s390x.rpm nss-devel-3.12.6-1.el5_4.s390.rpm nss-devel-3.12.6-1.el5_4.s390x.rpm nss-pkcs11-devel-3.12.6-1.el5_4.s390.rpm nss-pkcs11-devel-3.12.6-1.el5_4.s390x.rpm nss-tools-3.12.6-1.el5_4.s390x.rpm x86_64: nspr-4.8.4-1.el5_4.i386.rpm nspr-4.8.4-1.el5_4.x86_64.rpm nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nspr-debuginfo-4.8.4-1.el5_4.x86_64.rpm nspr-devel-4.8.4-1.el5_4.i386.rpm nspr-devel-4.8.4-1.el5_4.x86_64.rpm nss-3.12.6-1.el5_4.i386.rpm nss-3.12.6-1.el5_4.x86_64.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.x86_64.rpm nss-devel-3.12.6-1.el5_4.i386.rpm nss-devel-3.12.6-1.el5_4.x86_64.rpm nss-pkcs11-devel-3.12.6-1.el5_4.i386.rpm nss-pkcs11-devel-3.12.6-1.el5_4.x86_64.rpm nss-tools-3.12.6-1.el5_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2009-3555 https://access.redhat.com/security/updates/classification#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2010 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFLq0JXXlSAg2UNWIIRAjEzAKC61nCUsxHfL7CpbzpPy3aYqFzAuACdFMEw /P91vo2S8cdK8VfnnbDItwo=oW2l -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . Balanced nss security patch for CentOS Linux 4 and 5. Fixes session reestablishment vulnerability associated with TLS.. NSS Update, Red Hat Security, TLS Update, Linux Security Patch, Red Hat Advisory. . LinuxSecurity.com Team

Mar 25, 2010 Red Hat

security advisorymoderatesession renegotiation

Scientific Linux 5.x Moderate Advisory for OpenSSL097a: CVE-2009-3555 MitM

Moderate: openssl097a security update. Date: Thu, 25 Mar 2010 10:59:50 -0500 Reply-To: Troy Dawson Sender: Security Errata for Scientific Linux From: Troy Dawson Subject: Security ERRATA Moderate: openssl097a on SL5.x i386/x86_64 Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it." Synopsis: Moderate: openssl097a security update Issue date: 2010-03-25 CVE Names: CVE-2009-3555 CVE-2009-3555 TLS: MITM attacks via session renegotiation A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555) Refer to the following Knowledgebase article for additional details about this flaw: For the update to take effect, all services linked to the openssl097a library must be restarted, or the system rebooted. SL 5.x SRPMS: openssl097a-0.9.7a-9.el5_4.2.src.rpm i386: openssl097a-0.9.7a-9.el5_4.2.i386.rpm x86_64: openssl097a-0.9.7a-9.el5_4.2.i386.rpm openssl097a-0.9.7a-9.el5_4.2.x86_64.rpm -Connie Sieh -Troy Dawson . openssl097a on CentOS has undergone a significant security upgrade, mitigating risks associated with possible impersonation attacks.. openssl097a, session Renegotiation, moderate security, Scientific Linux. . Severity: Important. LinuxSecurity.com Team

Mar 25, 2010 •Important Scientific Linux

security advisoryDoSopenssl update

Scientific Linux: CVE-2009-0590 Moderate: openssl DoS Threat

Moderate: openssl security update. Date: Tue, 23 Mar 2010 16:15:32 -0500 Reply-To: Troy Dawson Sender: Security Errata for Scientific Linux From: Troy Dawson Subject: FASTBUGS for SL 5.x i386/x86_64 Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it." The following FASTBUGS have been uploaded to i386: cyrus-sasl-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-devel-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-gssapi-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-ldap-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-lib-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-md5-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-ntlm-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-sql-2.1.22-5.el5_4.3.i386.rpm x86_64: cyrus-sasl-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-2.1.22-5.el5_4.3.x86_64.rpm cyrus-sasl-devel-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-devel-2.1.22-5.el5_4.3.x86_64.rpm cyrus-sasl-gssapi-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-gssapi-2.1.22-5.el5_4.3.x86_64.rpm cyrus-sasl-ldap-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm cyrus-sasl-lib-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-lib-2.1.22-5.el5_4.3.x86_64.rpm cyrus-sasl-md5-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-md5-2.1.22-5.el5_4.3.x86_64.rpm cyrus-sasl-ntlm-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-ntlm-2.1.22-5.el5_4.3.x86_64.rpm cyrus-sasl-plain-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-plain-2.1.22-5.el5_4.3.x86_64.rpm cyrus-sasl-sql-2.1.22-5.el5_4.3.i386.rpm cyrus-sasl-sql-2.1.22-5.el5_4.3.x86_64.rpm -Connie Sieh -Troy Dawson Date: Thu, 25 Mar 2010 10:52:25 -0500 Reply-To: Troy Dawson Sender: Security Errata for Scientific Linux From: Troy Dawson Subject: Security ERRATA Moderate: openssl on SL3.x, SL4.x i386/x86_64 Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it." Synopsis: Moderate: openssl security update Issue date: 2010-03-25 CVE Names: CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw toprefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555) Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw: Dan Kaminsky found that browsers could accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. OpenSSL now disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409) An input validation flaw was found in the handling of the BMPString and UniversalString ASN1 string types in OpenSSL's ASN1_STRING_print_ex() function. An attacker could use this flaw to create a specially-crafted X.509 certificate that could cause applications using the affected function to crash when printing certificate contents. (CVE-2009-0590) For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. SL 3.0.x SRPMS: openssl-0.9.7a-33.26.src.rpm i386: openssl-0.9.7a-33.26.i386.rpm openssl-0.9.7a-33.26.i686.rpm openssl-devel-0.9.7a-33.26.i386.rpm openssl-perl-0.9.7a-33.26.i386.rpm x86_64: openssl-0.9.7a-33.26.i686.rpm openssl-0.9.7a-33.26.x86_64.rpm openssl-devel-0.9.7a-33.26.x86_64.rpm openssl-perl-0.9.7a-33.26.x86_64.rpm SL 4.x SRPMS: openssl-0.9.7a-43.17.el4_8.5.src.rpm i386: openssl-0.9.7a-43.17.el4_8.5.i386.rpm openssl-0.9.7a-43.17.el4_8.5.i686.rpm openssl-devel-0.9.7a-43.17.el4_8.5.i386.rpm openssl-perl-0.9.7a-43.17.el4_8.5.i386.rpm x86_64: openssl-0.9.7a-43.17.el4_8.5.i686.rpm openssl-0.9.7a-43.17.el4_8.5.x86_64.rpm openssl-devel-0.9.7a-43.17.el4_8.5.i386.rpm openssl-devel-0.9.7a-43.17.el4_8.5.x86_64.rpm openssl-perl-0.9.7a-43.17.el4_8.5.x86_64.rpm -Connie Sieh -Troy Dawson . Scheduled security enhancement for Scientific Linux targeting vulnerabilities in openssl. A crucial update for maintaining system integrity and safeguarding security.. openssl Update, Scientific Linux Security, OpenSSL Flaw Fix. . Severity: Important. LinuxSecurity.com Team

Mar 25, 2010 •Important Scientific Linux

security advisorymoderateRed Hat

Red Hat: RHSA-2011:0235-01 Important: openssl Security Vulnerability

Updated gnutls packages that fix two security issues are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Moderate: gnutls security update Advisory ID: RHSA-2010:0167-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2010:0167.html Issue date: 2010-03-25 CVE Names: CVE-2009-3555 CVE-2010-0731 ==================================================================== 1. Summary: Updated gnutls packages that fix two security issues are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555) Refer to the following Knowledgebasearticle for additional details about the CVE-2009-3555 flaw: A flaw was found in the way GnuTLS extracted serial numbers from X.509 certificates. On 64-bit big endian platforms, this flaw could cause the certificate revocation list (CRL) check to be bypassed; cause various GnuTLS utilities to crash; or, possibly, execute arbitrary code. (CVE-2010-0731) Users of GnuTLS are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted, or the system rebooted. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at 5. Bugs fixed (http://bugzilla.redhat.com/): 533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation 573028 - CVE-2010-0731 gnutls: gnutls_x509_crt_get_serial incorrect serial decoding from ASN1 (BE64) [GNUTLS-SA-2010-1] 6. Package List: Red Hat Enterprise Linux AS version4: Source: i386: gnutls-1.0.20-4.el4_8.7.i386.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.i386.rpm gnutls-devel-1.0.20-4.el4_8.7.i386.rpm ia64: gnutls-1.0.20-4.el4_8.7.i386.rpm gnutls-1.0.20-4.el4_8.7.ia64.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.i386.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.ia64.rpm gnutls-devel-1.0.20-4.el4_8.7.ia64.rpm ppc: gnutls-1.0.20-4.el4_8.7.ppc.rpm gnutls-1.0.20-4.el4_8.7.ppc64.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.ppc.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.ppc64.rpm gnutls-devel-1.0.20-4.el4_8.7.ppc.rpm s390: gnutls-1.0.20-4.el4_8.7.s390.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.s390.rpm gnutls-devel-1.0.20-4.el4_8.7.s390.rpm s390x: gnutls-1.0.20-4.el4_8.7.s390.rpm gnutls-1.0.20-4.el4_8.7.s390x.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.s390.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.s390x.rpm gnutls-devel-1.0.20-4.el4_8.7.s390x.rpm x86_64: gnutls-1.0.20-4.el4_8.7.i386.rpm gnutls-1.0.20-4.el4_8.7.x86_64.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.i386.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.x86_64.rpm gnutls-devel-1.0.20-4.el4_8.7.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: i386: gnutls-1.0.20-4.el4_8.7.i386.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.i386.rpm gnutls-devel-1.0.20-4.el4_8.7.i386.rpm x86_64: gnutls-1.0.20-4.el4_8.7.i386.rpm gnutls-1.0.20-4.el4_8.7.x86_64.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.i386.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.x86_64.rpm gnutls-devel-1.0.20-4.el4_8.7.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: i386: gnutls-1.0.20-4.el4_8.7.i386.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.i386.rpm gnutls-devel-1.0.20-4.el4_8.7.i386.rpm ia64: gnutls-1.0.20-4.el4_8.7.i386.rpm gnutls-1.0.20-4.el4_8.7.ia64.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.i386.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.ia64.rpm gnutls-devel-1.0.20-4.el4_8.7.ia64.rpm x86_64: gnutls-1.0.20-4.el4_8.7.i386.rpm gnutls-1.0.20-4.el4_8.7.x86_64.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.i386.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.x86_64.rpm gnutls-devel-1.0.20-4.el4_8.7.x86_64.rpm Red Hat Enterprise Linux WSversion 4: Source: i386: gnutls-1.0.20-4.el4_8.7.i386.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.i386.rpm gnutls-devel-1.0.20-4.el4_8.7.i386.rpm ia64: gnutls-1.0.20-4.el4_8.7.i386.rpm gnutls-1.0.20-4.el4_8.7.ia64.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.i386.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.ia64.rpm gnutls-devel-1.0.20-4.el4_8.7.ia64.rpm x86_64: gnutls-1.0.20-4.el4_8.7.i386.rpm gnutls-1.0.20-4.el4_8.7.x86_64.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.i386.rpm gnutls-debuginfo-1.0.20-4.el4_8.7.x86_64.rpm gnutls-devel-1.0.20-4.el4_8.7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2009-3555 https://access.redhat.com/security/cve/CVE-2010-0731 https://access.redhat.com/security/updates/classification#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. . Recent security patch for gnutls rectifying session renegotiation vulnerabilities and certificate validation errors on Red Hat systems.. Red Hat Advisory, Gnutls Update, TLS Security, Cryptographic Issues, RHEL Security. . LinuxSecurity.com Team

Mar 25, 2010 Red Hat

security advisorymoderatenetwork security

Red Hat: RHSA-2010:0165-01 Moderate: NSS TLS Session Handling Issue

Updated nss packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Moderate: nss security update Advisory ID: RHSA-2010:0165-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2010:0165.html Issue date: 2010-03-25 CVE Names: CVE-2009-3555 ==================================================================== 1. Summary: Updated nss packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking. Aflaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555) Refer to the following Knowledgebase article for additional details about this flaw: Users of Red Hat Certificate System 7.3 and 8.0 should review the following Knowledgebase article before installing this update: All users of NSS are advised to upgrade to these updated packages, which update NSS to version 3.12.6. This erratum also updates the NSPR packages to the version required by NSS 3.12.6. All running applications using the NSS library must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at 5. Bugs fixed (http://bugzilla.redhat.com/): 533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation 6. Package List: Red Hat Enterprise Linux AS version4: Source: i386: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-devel-4.8.4-1.1.el4_8.i386.rpm nss-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-devel-3.12.6-1.el4_8.i386.rpm nss-tools-3.12.6-1.el4_8.i386.rpm ia64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.ia64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.ia64.rpm nspr-devel-4.8.4-1.1.el4_8.ia64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.ia64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.ia64.rpm nss-devel-3.12.6-1.el4_8.ia64.rpm nss-tools-3.12.6-1.el4_8.ia64.rpm ppc: nspr-4.8.4-1.1.el4_8.ppc.rpm nspr-4.8.4-1.1.el4_8.ppc64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.ppc.rpm nspr-debuginfo-4.8.4-1.1.el4_8.ppc64.rpm nspr-devel-4.8.4-1.1.el4_8.ppc.rpm nss-3.12.6-1.el4_8.ppc.rpm nss-3.12.6-1.el4_8.ppc64.rpm nss-debuginfo-3.12.6-1.el4_8.ppc.rpm nss-debuginfo-3.12.6-1.el4_8.ppc64.rpm nss-devel-3.12.6-1.el4_8.ppc.rpm nss-tools-3.12.6-1.el4_8.ppc.rpm s390: nspr-4.8.4-1.1.el4_8.s390.rpm nspr-debuginfo-4.8.4-1.1.el4_8.s390.rpm nspr-devel-4.8.4-1.1.el4_8.s390.rpm nss-3.12.6-1.el4_8.s390.rpm nss-debuginfo-3.12.6-1.el4_8.s390.rpm nss-devel-3.12.6-1.el4_8.s390.rpm nss-tools-3.12.6-1.el4_8.s390.rpm s390x: nspr-4.8.4-1.1.el4_8.s390.rpm nspr-4.8.4-1.1.el4_8.s390x.rpm nspr-debuginfo-4.8.4-1.1.el4_8.s390.rpm nspr-debuginfo-4.8.4-1.1.el4_8.s390x.rpm nspr-devel-4.8.4-1.1.el4_8.s390x.rpm nss-3.12.6-1.el4_8.s390.rpm nss-3.12.6-1.el4_8.s390x.rpm nss-debuginfo-3.12.6-1.el4_8.s390.rpm nss-debuginfo-3.12.6-1.el4_8.s390x.rpm nss-devel-3.12.6-1.el4_8.s390x.rpm nss-tools-3.12.6-1.el4_8.s390x.rpm x86_64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.x86_64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.x86_64.rpm nspr-devel-4.8.4-1.1.el4_8.x86_64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.x86_64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.x86_64.rpm nss-devel-3.12.6-1.el4_8.x86_64.rpm nss-tools-3.12.6-1.el4_8.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: i386: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-devel-4.8.4-1.1.el4_8.i386.rpm nss-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-devel-3.12.6-1.el4_8.i386.rpm nss-tools-3.12.6-1.el4_8.i386.rpm x86_64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.x86_64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.x86_64.rpm nspr-devel-4.8.4-1.1.el4_8.x86_64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.x86_64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.x86_64.rpm nss-devel-3.12.6-1.el4_8.x86_64.rpm nss-tools-3.12.6-1.el4_8.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: i386: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-devel-4.8.4-1.1.el4_8.i386.rpm nss-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-devel-3.12.6-1.el4_8.i386.rpm nss-tools-3.12.6-1.el4_8.i386.rpm ia64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.ia64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.ia64.rpm nspr-devel-4.8.4-1.1.el4_8.ia64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.ia64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.ia64.rpm nss-devel-3.12.6-1.el4_8.ia64.rpm nss-tools-3.12.6-1.el4_8.ia64.rpm x86_64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.x86_64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.x86_64.rpm nspr-devel-4.8.4-1.1.el4_8.x86_64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.x86_64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.x86_64.rpm nss-devel-3.12.6-1.el4_8.x86_64.rpm nss-tools-3.12.6-1.el4_8.x86_64.rpm Red Hat Enterprise Linux WS version4: Source: i386: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-devel-4.8.4-1.1.el4_8.i386.rpm nss-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-devel-3.12.6-1.el4_8.i386.rpm nss-tools-3.12.6-1.el4_8.i386.rpm ia64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.ia64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.ia64.rpm nspr-devel-4.8.4-1.1.el4_8.ia64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.ia64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.ia64.rpm nss-devel-3.12.6-1.el4_8.ia64.rpm nss-tools-3.12.6-1.el4_8.ia64.rpm x86_64: nspr-4.8.4-1.1.el4_8.i386.rpm nspr-4.8.4-1.1.el4_8.x86_64.rpm nspr-debuginfo-4.8.4-1.1.el4_8.i386.rpm nspr-debuginfo-4.8.4-1.1.el4_8.x86_64.rpm nspr-devel-4.8.4-1.1.el4_8.x86_64.rpm nss-3.12.6-1.el4_8.i386.rpm nss-3.12.6-1.el4_8.x86_64.rpm nss-debuginfo-3.12.6-1.el4_8.i386.rpm nss-debuginfo-3.12.6-1.el4_8.x86_64.rpm nss-devel-3.12.6-1.el4_8.x86_64.rpm nss-tools-3.12.6-1.el4_8.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 5 client): Source: i386: nspr-4.8.4-1.el5_4.i386.rpm nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nss-3.12.6-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-tools-3.12.6-1.el5_4.i386.rpm x86_64: nspr-4.8.4-1.el5_4.i386.rpm nspr-4.8.4-1.el5_4.x86_64.rpm nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nspr-debuginfo-4.8.4-1.el5_4.x86_64.rpm nss-3.12.6-1.el5_4.i386.rpm nss-3.12.6-1.el5_4.x86_64.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.x86_64.rpm nss-tools-3.12.6-1.el5_4.x86_64.rpm RHEL Desktop Workstation (v. 5client): Source: i386: nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nspr-devel-4.8.4-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-devel-3.12.6-1.el5_4.i386.rpm nss-pkcs11-devel-3.12.6-1.el5_4.i386.rpm x86_64: nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nspr-debuginfo-4.8.4-1.el5_4.x86_64.rpm nspr-devel-4.8.4-1.el5_4.i386.rpm nspr-devel-4.8.4-1.el5_4.x86_64.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.x86_64.rpm nss-devel-3.12.6-1.el5_4.i386.rpm nss-devel-3.12.6-1.el5_4.x86_64.rpm nss-pkcs11-devel-3.12.6-1.el5_4.i386.rpm nss-pkcs11-devel-3.12.6-1.el5_4.x86_64.rpm Red Hat Enterprise Linux (v. 5server): Source: i386: nspr-4.8.4-1.el5_4.i386.rpm nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nspr-devel-4.8.4-1.el5_4.i386.rpm nss-3.12.6-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-devel-3.12.6-1.el5_4.i386.rpm nss-pkcs11-devel-3.12.6-1.el5_4.i386.rpm nss-tools-3.12.6-1.el5_4.i386.rpm ia64: nspr-4.8.4-1.el5_4.i386.rpm nspr-4.8.4-1.el5_4.ia64.rpm nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nspr-debuginfo-4.8.4-1.el5_4.ia64.rpm nspr-devel-4.8.4-1.el5_4.ia64.rpm nss-3.12.6-1.el5_4.i386.rpm nss-3.12.6-1.el5_4.ia64.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.ia64.rpm nss-devel-3.12.6-1.el5_4.ia64.rpm nss-pkcs11-devel-3.12.6-1.el5_4.ia64.rpm nss-tools-3.12.6-1.el5_4.ia64.rpm ppc: nspr-4.8.4-1.el5_4.ppc.rpm nspr-4.8.4-1.el5_4.ppc64.rpm nspr-debuginfo-4.8.4-1.el5_4.ppc.rpm nspr-debuginfo-4.8.4-1.el5_4.ppc64.rpm nspr-devel-4.8.4-1.el5_4.ppc.rpm nspr-devel-4.8.4-1.el5_4.ppc64.rpm nss-3.12.6-1.el5_4.ppc.rpm nss-3.12.6-1.el5_4.ppc64.rpm nss-debuginfo-3.12.6-1.el5_4.ppc.rpm nss-debuginfo-3.12.6-1.el5_4.ppc64.rpm nss-devel-3.12.6-1.el5_4.ppc.rpm nss-devel-3.12.6-1.el5_4.ppc64.rpm nss-pkcs11-devel-3.12.6-1.el5_4.ppc.rpm nss-pkcs11-devel-3.12.6-1.el5_4.ppc64.rpm nss-tools-3.12.6-1.el5_4.ppc.rpm s390x: nspr-4.8.4-1.el5_4.s390.rpm nspr-4.8.4-1.el5_4.s390x.rpm nspr-debuginfo-4.8.4-1.el5_4.s390.rpm nspr-debuginfo-4.8.4-1.el5_4.s390x.rpm nspr-devel-4.8.4-1.el5_4.s390.rpm nspr-devel-4.8.4-1.el5_4.s390x.rpm nss-3.12.6-1.el5_4.s390.rpm nss-3.12.6-1.el5_4.s390x.rpm nss-debuginfo-3.12.6-1.el5_4.s390.rpm nss-debuginfo-3.12.6-1.el5_4.s390x.rpm nss-devel-3.12.6-1.el5_4.s390.rpm nss-devel-3.12.6-1.el5_4.s390x.rpm nss-pkcs11-devel-3.12.6-1.el5_4.s390.rpm nss-pkcs11-devel-3.12.6-1.el5_4.s390x.rpm nss-tools-3.12.6-1.el5_4.s390x.rpm x86_64: nspr-4.8.4-1.el5_4.i386.rpm nspr-4.8.4-1.el5_4.x86_64.rpm nspr-debuginfo-4.8.4-1.el5_4.i386.rpm nspr-debuginfo-4.8.4-1.el5_4.x86_64.rpm nspr-devel-4.8.4-1.el5_4.i386.rpm nspr-devel-4.8.4-1.el5_4.x86_64.rpm nss-3.12.6-1.el5_4.i386.rpm nss-3.12.6-1.el5_4.x86_64.rpm nss-debuginfo-3.12.6-1.el5_4.i386.rpm nss-debuginfo-3.12.6-1.el5_4.x86_64.rpm nss-devel-3.12.6-1.el5_4.i386.rpm nss-devel-3.12.6-1.el5_4.x86_64.rpm nss-pkcs11-devel-3.12.6-1.el5_4.i386.rpm nss-pkcs11-devel-3.12.6-1.el5_4.x86_64.rpm nss-tools-3.12.6-1.el5_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2009-3555 https://access.redhat.com/security/updates/classification#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. . A security enhancement for nss modules on RHEL 4 and 5 resolves an issue with TLS session management vulnerabilities.. nss security, Red Hat update, Linux security advisory, TLS flaw, RHEL vulnerabilities. . LinuxSecurity.com Team

Mar 25, 2010 Red Hat

security advisorymoderateRed Hat

Red Hat: RHSA-2010:0130-01 Moderate: TLS Session Renegotiation Issue

Updated java-1.5.0-ibm packages that fix a security issue are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary. This update has been rated as having moderate security impact by the Red Hat Security Response Team.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: java-1.5.0-ibm security update Advisory ID: RHSA-2010:0130-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://access.redhat.com/errata/RHSA-2010:0130.html Issue date: 2010-03-03 CVE Names: CVE-2009-3555 ==================================================================== 1. Summary: Updated java-1.5.0-ibm packages that fix a security issue are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: RHEL Desktop Supplementary (v. 5 client) - i386, x86_64 RHEL Supplementary (v. 5 server) - i386, ppc, s390x, x86_64 Red Hat Desktop version 4 Extras - i386, x86_64 Red Hat Enterprise Linux AS version 4 Extras - i386, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64 Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64 3. Description: The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. (CVE-2009-3555) This update disables renegotiation in the Java Secure Socket Extension (JSSE) component. Unsaferenegotiation can be re-enabled using the com.ibm.jsse2.renegotiate property. Refer to the following Knowledgebase article for details: All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR11-FP1 Java release. All running instances of IBM Java must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at 5. Bugs fixed (http://bugzilla.redhat.com/): 533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation 6. Package List: Red Hat Enterprise Linux AS version 4Extras: i386: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-jdbc-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-plugin-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el4.i386.rpm ppc: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.ppc.rpm java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.ppc64.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el4.ppc.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el4.ppc64.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.ppc.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.ppc64.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el4.ppc.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el4.ppc64.rpm java-1.5.0-ibm-jdbc-1.5.0.11.1-1jpp.3.el4.ppc.rpm java-1.5.0-ibm-plugin-1.5.0.11.1-1jpp.3.el4.ppc.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el4.ppc.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el4.ppc64.rpm s390: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.s390.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el4.s390.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.s390.rpm java-1.5.0-ibm-jdbc-1.5.0.11.1-1jpp.3.el4.s390.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el4.s390.rpm s390x: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.s390x.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el4.s390x.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.s390x.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el4.s390x.rpm x86_64: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el4.x86_64.rpm Red Hat Desktop version 4Extras: i386: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-jdbc-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-plugin-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el4.i386.rpm x86_64: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4 Extras: i386: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-jdbc-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-plugin-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el4.i386.rpm x86_64: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4 Extras: i386: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-jdbc-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-plugin-1.5.0.11.1-1jpp.3.el4.i386.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el4.i386.rpm x86_64: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el4.x86_64.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el4.x86_64.rpm RHEL Desktop Supplementary (v.5 client): i386: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-accessibility-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-jdbc-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-plugin-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el5.i386.rpm x86_64: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el5.x86_64.rpm java-1.5.0-ibm-accessibility-1.5.0.11.1-1jpp.3.el5.x86_64.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el5.x86_64.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el5.x86_64.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el5.x86_64.rpm java-1.5.0-ibm-jdbc-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-plugin-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el5.x86_64.rpm RHEL Supplementary (v. 5server): i386: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-accessibility-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-jdbc-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-plugin-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el5.i386.rpm ppc: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el5.ppc.rpm java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el5.ppc64.rpm java-1.5.0-ibm-accessibility-1.5.0.11.1-1jpp.3.el5.ppc.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el5.ppc.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el5.ppc64.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el5.ppc.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el5.ppc64.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el5.ppc.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el5.ppc64.rpm java-1.5.0-ibm-jdbc-1.5.0.11.1-1jpp.3.el5.ppc.rpm java-1.5.0-ibm-plugin-1.5.0.11.1-1jpp.3.el5.ppc.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el5.ppc.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el5.ppc64.rpm s390x: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el5.s390.rpm java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el5.s390x.rpm java-1.5.0-ibm-accessibility-1.5.0.11.1-1jpp.3.el5.s390x.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el5.s390.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el5.s390x.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el5.s390.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el5.s390x.rpm java-1.5.0-ibm-jdbc-1.5.0.11.1-1jpp.3.el5.s390.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el5.s390.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el5.s390x.rpm x86_64: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el5.x86_64.rpm java-1.5.0-ibm-accessibility-1.5.0.11.1-1jpp.3.el5.x86_64.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-demo-1.5.0.11.1-1jpp.3.el5.x86_64.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el5.x86_64.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-javacomm-1.5.0.11.1-1jpp.3.el5.x86_64.rpm java-1.5.0-ibm-jdbc-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-plugin-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el5.i386.rpm java-1.5.0-ibm-src-1.5.0.11.1-1jpp.3.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2009-3555 https://access.redhat.com/security/updates/classification#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2010 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFLjqkCXlSAg2UNWIIRAo4iAJ9Htnva6uRj0e39vEEAkYb4UIuQHACgsscc OntQs0wrBL6+6e0kFXtQPLs=Hach -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . Updated java-1.5.0-ibm packages fix a moderate security issue faced in TLS session renegotiation for Red Hat.. Java Security Update, Red Hat Advisory, TLS Attack Prevention. . LinuxSecurity.com Team

Mar 03, 2010 Red Hat

security advisorymoderateDoS

Scientific Linux: Moderate Httpd Update for DoS and TLS Issues

Moderate: httpd security update. Date: Thu, 12 Nov 2009 14:58:35 -0600 Reply-To: Troy Dawson Sender: Security Errata for Scientific Linux From: Troy Dawson Subject: Security ERRATA Moderate: httpd on SL3.x, SL4.x, SL5.x i386/x86_64 Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it." Synopsis: Moderate: httpd security update Issue date: 2009-11-11 CVE Names: CVE-2009-1891 CVE-2009-3094 CVE-2009-3095 CVE-2009-3555 CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate CVE-2009-3094 httpd: NULL pointer defer in mod_proxy_ftp caused by crafted EPSV and PASV reply CVE-2009-3095 httpd: mod_proxy_ftp FTP command injection via Authorization HTTP header CVE-2009-3555 TLS: MITM attacks via session renegotiation A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update partially mitigates this flaw for SSL sessions to HTTP servers using mod_ssl by rejecting client-requested renegotiation. (CVE-2009-3555) Note: This update does not fully resolve the issue for HTTPS servers. An attack is still possible in configurations that require a server-initiated renegotiation. Refer to the following Knowledgebase article for further information: A denial of service flaw was found in the Apache mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891) - SL4 only A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp module. A malicious FTP server to which requests are being proxiedcould use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service. (CVE-2009-3094) A second flaw was found in the Apache mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server. (CVE-2009-3095) After installing the updated packages, the httpd daemon must be restarted for the update to take effect. SL 3.0.x SRPMS: httpd-2.0.46-77.sl3.src.rpm i386: httpd-2.0.46-77.sl3.i386.rpm httpd-devel-2.0.46-77.sl3.i386.rpm mod_ssl-2.0.46-77.sl3.i386.rpm x86_64: httpd-2.0.46-77.sl3.x86_64.rpm httpd-devel-2.0.46-77.sl3.x86_64.rpm mod_ssl-2.0.46-77.sl3.x86_64.rpm SL 4.x SRPMS: httpd-2.0.52-41.sl4.6.src.rpm i386: httpd-2.0.52-41.sl4.6.i386.rpm httpd-devel-2.0.52-41.sl4.6.i386.rpm httpd-manual-2.0.52-41.sl4.6.i386.rpm httpd-suexec-2.0.52-41.sl4.6.i386.rpm mod_ssl-2.0.52-41.sl4.6.i386.rpm x86_64: httpd-2.0.52-41.sl4.6.x86_64.rpm httpd-devel-2.0.52-41.sl4.6.x86_64.rpm httpd-manual-2.0.52-41.sl4.6.x86_64.rpm httpd-suexec-2.0.52-41.sl4.6.x86_64.rpm mod_ssl-2.0.52-41.sl4.6.x86_64.rpm SL 5.x SRPMS: httpd-2.2.3-31.sl5.2.src.rpm i386: httpd-2.2.3-31.sl5.2.i386.rpm httpd-devel-2.2.3-31.sl5.2.i386.rpm httpd-manual-2.2.3-31.sl5.2.i386.rpm mod_ssl-2.2.3-31.sl5.2.i386.rpm x86_64: httpd-2.2.3-31.sl5.2.x86_64.rpm httpd-devel-2.2.3-31.sl5.2.i386.rpm httpd-devel-2.2.3-31.sl5.2.x86_64.rpm httpd-manual-2.2.3-31.sl5.2.x86_64.rpm mod_ssl-2.2.3-31.sl5.2.x86_64.rpm -Connie Sieh -Troy Dawson . Important nginx security enhancements released for Debian Linux, rectifying several vulnerabilities and improving system resilience.. Scientific Linux, httpd security update, DoS protection, session renegotiation fix. . LinuxSecurity.com Team

Nov 12, 2009 Scientific Linux

Community Poll

More Polls

Stay Secure with the Latest Linux Advisories

Debian Dovecot High Severity Service Disruption Info Leak Flaw DLA-4617-1

Debian 11 gsasl Critical DoS Threat Advisory DLA-4618-1 CVE-2026-48829

SUSE MozillaThunderbird Important Memory Safety Fix Advisory 2026-2271-1

SUSE Linux Micro 6.0 Ignition Key HTTP Transport Loop Patch 2026-21987-1

SUSE Linux Micro 6.0 Important Libzypp Libsolv Security Update 2026-21988-1

SUSE Google-Guest-Agent Important Security Update 2026-21989-1

SUSE Linux Micro Important Salt Multi-Linux Manager Vuln 2026-21990-1

SUSE Linux Micro Critical Ignition Patch CVE-2026-33814

SUSE Linux Micro 6.1 Security Update for libzypp libsolv Key 2026-21992-1

Refine advisories

Get the latest News and Insights

Community Poll

What got you started with Linux?

Trending News

Ubuntu 25.10 kmod Critical Algif_aead Privilege Escalation USN-8226-1

Ubuntu 26.04 LTS nginx Critical Denial of Service 2026-42945

Ubuntu 26.04 Docker Critical Security Threats USN-8230-1 CVE-2026-33747

Debian OpenSSH Critical DSA-6204-1 CVE-2026-3497 Remote DoS Execution

Explore Latest Linux Security advisories

Scientific Linux: CVE-2009-3555 Moderate: NSS TLS Session Flaw

Red Hat Enterprise Linux Versions 4 and 5: Moderate NSS Security Update

Scientific Linux 5.x Moderate Advisory for OpenSSL097a: CVE-2009-3555 MitM

Scientific Linux: CVE-2009-0590 Moderate: openssl DoS Threat

Red Hat: RHSA-2011:0235-01 Important: openssl Security Vulnerability

Red Hat: RHSA-2010:0165-01 Moderate: NSS TLS Session Handling Issue

Red Hat: RHSA-2010:0130-01 Moderate: TLS Session Renegotiation Issue

Scientific Linux: Moderate Httpd Update for DoS and TLS Issues

Get the latest News and Insights

Community Poll

What got you started with Linux?

Trending News

Ubuntu 25.10 kmod Critical Algif_aead Privilege Escalation USN-8226-1

Ubuntu 26.04 LTS nginx Critical Denial of Service 2026-42945

Ubuntu 26.04 Docker Critical Security Threats USN-8230-1 CVE-2026-33747

Debian OpenSSH Critical DSA-6204-1 CVE-2026-3497 Remote DoS Execution

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Stay Secure with the Latest Linux Advisories

Debian Dovecot High Severity Service Disruption Info Leak Flaw DLA-4617-1

Debian 11 gsasl Critical DoS Threat Advisory DLA-4618-1 CVE-2026-48829

SUSE MozillaThunderbird Important Memory Safety Fix Advisory 2026-2271-1

SUSE Linux Micro 6.0 Ignition Key HTTP Transport Loop Patch 2026-21987-1

SUSE Linux Micro 6.0 Important Libzypp Libsolv Security Update 2026-21988-1

SUSE Google-Guest-Agent Important Security Update 2026-21989-1

SUSE Linux Micro Important Salt Multi-Linux Manager Vuln 2026-21990-1

SUSE Linux Micro Critical Ignition Patch CVE-2026-33814

SUSE Linux Micro 6.1 Security Update for libzypp libsolv Key 2026-21992-1

Refine advisories

severity

Topics

Published Date

Get the latest News and Insights

Community Poll

What got you started with Linux?

Trending News

Explore Latest Linux Security advisories

Get the latest News and Insights

Community Poll

What got you started with Linux?

Trending News

Search Topics

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!