Date: 06 January 2011
References: ASB-2009.1125.2 ASB-2010.0073 ESB-2011.0013 ESB-2011.0014 ESB-2011.0030
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0015
New apache2 packages add backward compatibility option
6 January 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: apache2
Publisher: Debian
Operating System: Debian GNU/Linux 5
Impact/Access: Provide Misleading Information -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2009-3555
Reference: ASB-2010.0073
ASB-2009.1125.2
ESB-2011.0013
ESB-2011.0014
Original Bulletin:
http://www.debian.org/security/2010/dsa-2141
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-2141-3 security@debian.org
http://www.debian.org/security/ Stefan Fritsch
January 06, 2011 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : apache2
Vulnerability : backward compatibility option for SSL/TLS insecure
renegotiation
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-3555
Debian Bug : 587037
DSA-2141-1 changed the behaviour of the openssl libraries in a server
environment to only allow SSL/TLS renegotiation for clients that
support the RFC5746 renegotiation extension. This update to apache2
adds the new SSLInsecureRenegotiation configuration option that allows
to restore support for insecure clients. More information can be found
in the file /usr/share/doc/apache2.2-common/NEWS.Debian.gz .
For the stable distribution (lenny), the compatibility option has been
included in version 2.2.9-10+lenny9.
In addition, apache2-mpm-itk has been rebuilt to work with the updated
apache2 packages. The new version number is 2.2.6-02-1+lenny4.
For the unstable distribution (sid), and the testing distribution
(squeeze), the compatibility option has been included since version
2.2.15-1.
We recommend that you upgrade your apache2 and apache2-mpm-itk
packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFNJPfTbxelr8HyTqQRAh/DAJ4xuJnfV2wG28kSCNamFiZahQ4guwCfXT8G
CStrDUDmqVy0cl5Yz8B3tU8=
=+bhm
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFNJSL5/iFOrG6YcBERAvNWAKDPpTguSc2TDAtf+GNTDOXfJGTjiACggSHs
4LwhvKObft4TNWSdKjN5w2U=
=rsfk
-----END PGP SIGNATURE-----
|