Comment 3 for bug 566467

Matthew Nuzum (newz) wrote :

Hi, pasting from IRC:

(11:52:57 AM) jdstrand: herb, newz2000: I did that apache update, and it is not vulnerable to client initiated TLS renegotiation
(11:53:18 AM) jdstrand: herb, newz2000: however, it is still vulnerable to server initiated renegotiation
(11:53:40 AM) jdstrand: herb, newz2000: and there are mitigations in the USN
(11:54:11 AM) jdstrand: herb, newz2000: you can see http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-3555.html for a lot of details
(11:54:31 AM) jdstrand: herb, newz2000: mdeslaur from our team is the most up to date on the issue however
(11:55:41 AM) jdstrand: CVE-2009-3555 requires a protocol change to fully address the issue. however, for apache, you can configure apache to not be vulnerable
(11:56:01 AM) jdstrand: (with the patch from the usn)