CVE-2009-3555 tracking bug

Bug #616759 reported by Marc Deslauriers on 2010-08-12
This bug affects 3 people

Affects                  Importance   Assigned to
apache2 (Ubuntu)         Undecided    Unassigned
  Dapper                 Undecided    Marc Deslauriers
  Hardy                  Undecided    Marc Deslauriers
  Jaunty                 Undecided    Marc Deslauriers
  Karmic                 Undecided    Marc Deslauriers
  Lucid                  Undecided    Marc Deslauriers
  Maverick               Undecided    Unassigned
openssl (Ubuntu)         Undecided    Unassigned
  Dapper                 Undecided    Marc Deslauriers
  Hardy                  Undecided    Marc Deslauriers
  Jaunty                 Undecided    Marc Deslauriers
  Karmic                 Undecided    Marc Deslauriers
  Lucid                  Undecided    Marc Deslauriers
  Maverick               Undecided    Unassigned

Bug Description

Binary package hint: openssl

This is the main bug that will track CVE-2009-3555 updates. Please report any regression in this bug.

Changed in apache2 (Ubuntu Maverick):
status: New → Fix Released
Changed in openssl (Ubuntu Maverick):
status: New → Fix Released
Changed in apache2 (Ubuntu Dapper):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in apache2 (Ubuntu Hardy):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in apache2 (Ubuntu Jaunty):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in apache2 (Ubuntu Karmic):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in apache2 (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in openssl (Ubuntu Dapper):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in openssl (Ubuntu Hardy):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in openssl (Ubuntu Jaunty):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in openssl (Ubuntu Karmic):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
Changed in openssl (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → In Progress
visibility: private → public
Kees Cook (kees) wrote :

I can confirm that the firefox CVE-2009-3555 warnings go away once these packages are installed on Lucid. Additionally, I tested that sasl and dovecot still work as expected. Awesome. :)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.8-1ubuntu0.18

---------------
apache2 (2.2.8-1ubuntu0.18) hardy-security; urgency=low

  * debian/patches/212_sslinsecurerenegotiation-directive.dpatch: once
    openssl gets updated to fix CVE-2009-3555, server renegotiations with
    unpatched clients will fail. This patch adds the ability to revert to
    the previous unsafe behaviour with a new SSLInsecureRenegotiation
    directive. (LP: #616759)
  * debian/control: add specific dependency on first openssl version to get
    CVE-2009-3555 fix.
 -- Marc Deslauriers <email address hidden> Mon, 16 Aug 2010 13:39:40 -0400

Changed in apache2 (Ubuntu Hardy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8g-4ubuntu3.10

---------------
openssl (0.9.8g-4ubuntu3.10) hardy-security; urgency=low

  * SECURITY UPDATE: TLS renegotiation flaw (LP: #616759)
    - apps/{s_cb,s_client,s_server}.c, doc/ssl/SSL_CTX_set_options.pod,
      ssl/{d1_both,d1_clnt,d1_srvr,s3_both,s3_clnt,s3_pkt,s3_srvr,ssl_err,
      ssl_lib,t1_lib,t1_reneg}.c, ssl/Makefile, ssl/{ssl3,ssl,ssl_locl,
      tls1}.h: backport rfc5746 support from openssl 0.9.8m.
    - CVE-2009-3555
  * Enable tlsext, and backport some patches from jaunty now that tlsext is
    enabled.
    - Fix a problem with tlsext preventing firefox 3 from connecting.
    - Don't add extensions to ssl v3 connections. It breaks with some
      other software.
 -- Marc Deslauriers <email address hidden> Thu, 12 Aug 2010 08:35:55 -0400

Changed in openssl (Ubuntu Hardy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.11-2ubuntu2.7

---------------
apache2 (2.2.11-2ubuntu2.7) jaunty-security; urgency=low

  * debian/patches/909_sslinsecurerenegotiation-directive.dpatch: once
    openssl gets updated to fix CVE-2009-3555, server renegotiations with
    unpatched clients will fail. This patch adds the ability to revert to
    the previous unsafe behaviour with a new SSLInsecureRenegotiation
    directive. (LP: #616759)
  * debian/control: add specific dependency on first openssl version to get
    CVE-2009-3555 fix.
 -- Marc Deslauriers <email address hidden> Mon, 16 Aug 2010 13:34:47 -0400

Changed in apache2 (Ubuntu Jaunty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8g-15ubuntu3.5

---------------
openssl (0.9.8g-15ubuntu3.5) jaunty-security; urgency=low

  * SECURITY UPDATE: TLS renegotiation flaw (LP: #616759)
    - apps/{s_cb,s_client,s_server}.c, doc/ssl/SSL_CTX_set_options.pod,
      ssl/{d1_both,d1_clnt,d1_srvr,s3_both,s3_clnt,s3_pkt,s3_srvr,ssl_err,
      ssl_lib,t1_lib,t1_reneg}.c, ssl/Makefile, ssl/{ssl3,ssl,ssl_locl,
      tls1}.h: backport rfc5746 support from openssl 0.9.8m.
    - CVE-2009-3555
 -- Marc Deslauriers <email address hidden> Thu, 12 Aug 2010 08:34:41 -0400

Changed in openssl (Ubuntu Jaunty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.12-1ubuntu2.3

---------------
apache2 (2.2.12-1ubuntu2.3) karmic-security; urgency=low

  * debian/patches/905_sslinsecurerenegotiation-directive.dpatch: once
    openssl gets updated to fix CVE-2009-3555, server renegotiations with
    unpatched clients will fail. This patch adds the ability to revert to
    the previous unsafe behaviour with a new SSLInsecureRenegotiation
    directive. (LP: #616759)
  * debian/control: add specific dependency on first openssl version to get
    CVE-2009-3555 fix.
 -- Marc Deslauriers <email address hidden> Mon, 16 Aug 2010 13:26:28 -0400

Changed in apache2 (Ubuntu Karmic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8g-16ubuntu3.2

---------------
openssl (0.9.8g-16ubuntu3.2) karmic-security; urgency=low

  * SECURITY UPDATE: TLS renegotiation flaw (LP: #616759)
    - apps/{s_cb,s_client,s_server}.c, doc/ssl/SSL_CTX_set_options.pod,
      ssl/{d1_both,d1_clnt,d1_srvr,s3_both,s3_clnt,s3_pkt,s3_srvr,ssl_err,
      ssl_lib,t1_lib,t1_reneg}.c, ssl/Makefile, ssl/{ssl3,ssl,ssl_locl,
      tls1}.h: backport rfc5746 support from openssl 0.9.8m.
    - CVE-2009-3555
 -- Marc Deslauriers <email address hidden> Thu, 12 Aug 2010 08:32:19 -0400

Changed in openssl (Ubuntu Karmic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.14-5ubuntu8.2

---------------
apache2 (2.2.14-5ubuntu8.2) lucid-security; urgency=low

  * debian/patches/211-sslinsecurerenegotiation-directive.dpatch: once
    openssl gets updated to fix CVE-2009-3555, server renegotiations with
    unpatched clients will fail. This patch adds the ability to revert to
    the previous unsafe behaviour with a new SSLInsecureRenegotiation
    directive. (LP: #616759)
  * debian/control: add specific dependency on first openssl version to get
    CVE-2009-3555 fix.
 -- Marc Deslauriers <email address hidden> Wed, 18 Aug 2010 16:37:47 -0400

Changed in apache2 (Ubuntu Lucid):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8k-7ubuntu8.1

---------------
openssl (0.9.8k-7ubuntu8.1) lucid-security; urgency=low

  * SECURITY UPDATE: TLS renegotiation flaw (LP: #616759)
    - debian/patches/CVE-2009-3555-RFC5746.patch: backport rfc5746 support
      from openssl 0.9.8m.
    - CVE-2009-3555
 -- Marc Deslauriers <email address hidden> Thu, 12 Aug 2010 08:30:03 -0400

Changed in openssl (Ubuntu Lucid):
status: In Progress → Fix Released
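Kees Cook's comment above confirms the update from the client side by watching the Firefox warnings disappear; the same check can be scripted against a server once the openssl packages from the changelogs above (which backport RFC 5746) are installed. The following is an added example, not code from this bug report or from the Ubuntu openssl or apache2 packages. It classifies `openssl s_client` output by the `Secure Renegotiation IS supported` / `Secure Renegotiation IS NOT supported` line that OpenSSL 0.9.8m and later print after the handshake. The function names, the host and port arguments, and the sample outputs used to exercise it are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that a TLS server
# advertises RFC 5746 secure renegotiation, i.e. that the CVE-2009-3555
# fix is in effect on the server side. Requires a local openssl that is
# itself 0.9.8m or newer (or carries the backport), because only such a
# client can report the renegotiation extension.

# Classify s_client output read from stdin.
# Prints "secure", "insecure" or "unknown" and returns 0 only for "secure",
# so the function can be used directly in a shell conditional.
reneg_status() {
  out=$(cat)   # slurp stdin once; grep-per-branch would consume it
  case "$out" in
    *'Secure Renegotiation IS supported'*)     echo secure;   return 0 ;;
    *'Secure Renegotiation IS NOT supported'*) echo insecure; return 1 ;;
    *)                                         echo unknown;  return 2 ;;
  esac
}

# Connect to HOST[:PORT] with openssl s_client, send "Q" so s_client exits
# after the handshake, and classify the result. Defaults to port 443.
# Usage: check_reneg mail.example.org 443   (hypothetical host)
check_reneg() {
  host=$1
  port=${2:-443}
  printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
    2>/dev/null | reneg_status
}

# Run stand-alone: ./check_reneg.sh HOST [PORT]
if [ -n "$1" ]; then
  check_reneg "$1" "$2"
fi
```

Exit status 0 means the server negotiated the renegotiation_info extension; "insecure" after the update usually means the old openssl library is still loaded, for example because the daemon was not restarted. The `SSLInsecureRenegotiation` directive the apache2 changelogs introduce defaults to off; enabling it restores the pre-RFC 5746 renegotiation behaviour for clients that lack the extension, which is the condition CVE-2009-3555 abuses, so it is a temporary compatibility knob rather than a setting to leave on.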
Changed in apache2 (Ubuntu Dapper):
status: In Progress → Fix Released
Changed in openssl (Ubuntu Dapper):
status: In Progress → Fix Released