-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Subject: CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation

Apache httpd is affected by CVE-2009-3555 [1] (the TLS renegotiation injection,
or man-in-the-middle, attack [2]). The Apache httpd webserver relies on OpenSSL
for the implementation of the SSL/TLS protocol.

We strongly urge you to upgrade to OpenSSL 0.9.8l, and to be prepared to deploy
OpenSSL 0.9.8m as it becomes available [3]. Note that these are short-term and
mid-term mitigations only; the long-term solution may well require a
modification of the SSL and/or TLS protocols [4].

For those who are not able to upgrade OpenSSL swiftly, and/or for those who need
detailed logging, we recommend that you roll out this patch [5] as soon as
possible:

  http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
  sha1: 28cd58f3758f1add39417333825b9d854f4f5f43

Verify the SHA-1 of the downloaded file against the value above before applying
it. This is a partial fix in lieu of the protocol issues being addressed and
further changes to OpenSSL. Like the OpenSSL 0.9.8l stopgap measure, this patch
rejects in-session renegotiation.

If you are unable to patch and unable to roll out a newer version of OpenSSL,
and you rely on client-side authentication with certificates, then we recommend
that you

  1) ensure that you limit your configuration to a single
     'SSLVerifyClient require' at VirtualHost/Server level, and
  2) remove all other (re)negotiation/require directives (in particular any
     per-directory or per-location SSLVerifyClient settings, which make mod_ssl
     renegotiate the session on the first matching request).

However, this does NOT fully protect you; it only curtails the server-initiated
renegotiation that client authentication in this specific setting would
otherwise trigger.
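The following is an added example, not part of the ASF advisory or of httpd itself: a small audit script that walks an httpd configuration and reports the mod_ssl directives that would force an in-session renegotiation, then checks whether the configuration matches the interim advice above (a single vhost-level 'SSLVerifyClient require' and nothing else). The list of renegotiation-triggering directives (SSLVerifyClient, SSLVerifyDepth, SSLCipherSuite in a per-directory context) is an assumption taken from the mod_ssl documentation, not from the advisory text; the two configurations embedded in it are constructed samples.

```python
# Added example (not part of the ASF advisory): audit an httpd config for mod_ssl
# directives that force a TLS renegotiation after the initial handshake.
#
# Assumption, taken from the mod_ssl documentation rather than the advisory text:
# SSLVerifyClient, SSLVerifyDepth and SSLCipherSuite placed in a per-directory
# context (<Directory>, <Location>, <Files> and their *Match variants, or
# .htaccess) make mod_ssl renegotiate the established session on the first
# matching request.  That server-initiated renegotiation is what the advisory's
# interim advice avoids by allowing one vhost-level "SSLVerifyClient require".
import re

CONTAINER_OPEN = re.compile(r"^<(\w+)\b[^>]*>$")
CONTAINER_CLOSE = re.compile(r"^</(\w+)\s*>$")
DIRECTIVE = re.compile(r"^(\S+)\s*(.*)$")

PER_DIR_CONTAINERS = {"directory", "directorymatch", "location", "locationmatch",
                      "files", "filesmatch"}
RENEG_DIRECTIVES = {"sslverifyclient", "sslverifydepth", "sslciphersuite"}


def audit(config_text):
    """Walk the config and return (findings, vhost_level_verify).

    findings:           [(line_no, directive, context_path)] for directives that
                        would trigger an in-session renegotiation.
    vhost_level_verify: [(line_no, args)] for SSLVerifyClient directives at
                        server or <VirtualHost> level (handled in the initial
                        handshake, so no renegotiation is needed).
    """
    stack, findings, vhost_level_verify = [], [], []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = CONTAINER_OPEN.match(line)
        if m:
            stack.append(m.group(1))
            continue
        m = CONTAINER_CLOSE.match(line)
        if m:
            if stack and stack[-1].lower() == m.group(1).lower():
                stack.pop()
            continue
        name, args = DIRECTIVE.match(line).groups()
        key = name.lower()                        # directive names are case-insensitive
        in_per_dir = any(c.lower() in PER_DIR_CONTAINERS for c in stack)
        if key in RENEG_DIRECTIVES and in_per_dir:
            findings.append((line_no, name, "/".join(stack)))
        elif key == "sslverifyclient":
            vhost_level_verify.append((line_no, args.strip()))
    return findings, vhost_level_verify


def follows_interim_advice(config_text):
    """True if the config matches the advisory's fallback: no per-directory
    renegotiation triggers, and at most one vhost/server-level
    'SSLVerifyClient require'."""
    findings, verify = audit(config_text)
    if findings or len(verify) > 1:
        return False
    return not verify or verify[0][1].lower() == "require"


# Constructed sample: client certificates demanded only under /admin, so the
# first request there makes mod_ssl renegotiate the session.
VULNERABLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem
    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
    <Directory /var/www/secure>
        SSLCipherSuite HIGH
    </Directory>
</VirtualHost>
"""

# Constructed sample following the interim advice: the one 'SSLVerifyClient
# require' sits at vhost level, so the client certificate is requested in the
# initial handshake and nothing is renegotiated later.
HARDENED = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCipherSuite HIGH
    <Location /admin>
        SSLRequireSSL
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        findings, _ = audit(cfg)
        print(f"{label}: interim advice followed = {follows_interim_advice(cfg)}")
        for line_no, name, ctx in findings:
            print(f"  line {line_no}: {name} inside <{ctx}> forces renegotiation")
```

Run it against a real httpd.conf by reading the file into audit(); it does not follow Include directives, so feed each included file separately. Moving the client-certificate requirement to vhost level, as the hardened sample does, means every client of that vhost is asked for a certificate up front, which is exactly the trade-off the advisory describes: it removes the renegotiation, not the underlying protocol flaw.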
1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
2: http://www.links.org/?p=780
   http://extendedsubset.com/?p=8
3: http://www.openssl.org/source/ and the openssl-announce mailing list,
   see http://www.openssl.org/support/community.html
4: http://www.ietf.org/mail-archive/web/tls/current/msg03963.html
5: svn diff -r833581:833594 https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/ssl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iQCVAwUBSvTOITGmPZbsFAuBAQKpXgQAgoBq0FjmnFwxBYjZQ05cPgHYzE+rBQHg
f142MZWXreBoZyB1pV2CJpmf7BWtmBKQgKIMwk3fWfRs33rvnjhEWjrMBFA4ID8J
0CBLmiwBVxLfCTj7YIBJ71VPn4Mw3iviiIUb1qrW0RaOjGgf4j2ffsapnlpR6lR9
JHDVPFBXl8s=
=OYuY
-----END PGP SIGNATURE-----