potentially vulnerable to cve-2009-3555

This is if I understand it correctly problem at those sites and not Ubuntu itself. I have assigned launchpad to this how to deal with wiki.ubuntu.com?

Hi, I can confirm that the error console does indeed say this, however it's not clear to me what the impact of this is on our systems. This issue was addressed in USN 860-1 http://www.ubuntu.com/usn/USN-860-1. Herb has stated that our systems are up to date but if the sysadmins can confirm this and close this bug it would be great.

Hi, pasting from IRC:

(11:52:57 AM) jdstrand: herb, newz2000: I did that apache update, and it is not vulnerable to client initiated TLS renegotiation
(11:53:18 AM) jdstrand: herb, newz2000: however, it is still vulnerable to server initiated renegotiation
(11:53:40 AM) jdstrand: herb, newz2000: and there are mitigations in the USN
(11:54:11 AM) jdstrand: herb, newz2000: you can see http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-3555.html for a lot of details
(11:54:31 AM) jdstrand: herb, newz2000: mdeslaur from our team is the most up to date on the issue however
(11:55:41 AM) jdstrand: CVE-2009-3555 requires a protocol change to fully address the issue. however, for apache, you can configure apache to not be vulnerable
(11:56:01 AM) jdstrand: (with the patch from the usn)

LOSAs verify that LP has the patch installed.

They will track further Apache updates, once the protocol change has been agreed upon and implemented.

I didn't think there was a way around this yet, but https://bugzilla.mozilla.org/show_bug.cgi?id=554594#c8 seems to suggest that an update to a newer openssl will make our users no longer worried about the problem.

I'm reopening the bug for Foundations and will make an RT.

To be clear, the problem is not the potential vulnerability--IS has assured that we are not vulnerable. The concern is that more than half of Launchpad's users are Firefox users, and we want to keep them from being concerned about Launchpad, and keep us from having to reply to security questions about this issue.

RT #40432

I'm here from the duplicate.
FWIW these are also flagged by Firefox trunk as of today:
launchpad.net : server does not support RFC 5746, see CVE-2009-3555
edge.launchpad.net : server does not support RFC 5746, see CVE-2009-3555
launchpadlibrarian.net : server does not support RFC 5746, see CVE-2009-3555

In what way is it flagged? In the error log? In the main UI? Somewhere else?

On Mon, Jul 19, 2010 at 10:33 PM, Robert Collins
<email address hidden> wrote:
> In what way is it flagged? In the error log? In the main UI? Somewhere
> else?

The Firefox error console (Tools -> Error Console)

--
Stuart Bishop <email address hidden>
http://www.stuartbishop.net/

$ LANGUAGE=C apt-cache policy firefox
firefox:
  Installed: 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
  Candidate: 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
  Version table:
 *** 3.6.8+build1+nobinonly-0ubuntu0.10.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
        500 http://archive.ubuntu.com/ubuntu/ lucid-security/main Packages
        100 /var/lib/dpkg/status
     3.6.3+nobinonly-0ubuntu4 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages

Any progress for this?
I heard that this bug resolution needs couple of upgrades for:
Apache, mod_ssl, and openssl
All the latest available versions on Ubuntu repository does not contain the resolution, this bug affects launchpad as well as everybody who uses an Ubuntu server like me...

I know that redhat and fedora just released fix for this by upgrading Apache to version 2.2.15 (currently on Ubuntu it's 2.2.14)

@Amahdy:

It is currently fixed in Maverick.

Updated openssl and apache2 packages will appear in -proposed for earlier releases probably next week.

See bug #616759 for tracking.

Updated packages have been released for stable releases

http://www.ubuntu.com/usn/usn-990-1
http://www.ubuntu.com/usn/usn-990-2