8 Nov
2009
8 Nov
'09
11:13 a.m.
On 11/06/2009 09:29 AM, Pierre Schmitz wrote:
Moin,
you might have heard from the possible MTM attack against TLS. Openssl has released a new version which disabled the affected renegotiation feature. We should move this to core soon.
For more information see http://extendedsubset.com/?p=8 and https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555
Please note that this is more or less a protocol design flaw which means that every SSL implementation should be affected, not only openssl (e.g. Firefox uses nss and there is also gnutls). So we should have a look at those packages, too.
Pierre
signoff x86_64 -- Ionut