Ubuntu
openssl package

CVE-2009-3555 tracking bug

Maverick (10.10)
Bug #616759

Bug #616759 reported by Marc Deslauriers on 2010-08-12

272

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	apache2 (Ubuntu)	Fix Released	Undecided	Unassigned
	Dapper	Fix Released	Undecided	Marc Deslauriers
	Hardy	Fix Released	Undecided	Marc Deslauriers
	Jaunty	Fix Released	Undecided	Marc Deslauriers
	Karmic	Fix Released	Undecided	Marc Deslauriers
	Lucid	Fix Released	Undecided	Marc Deslauriers
	Maverick	Fix Released	Undecided	Unassigned
	openssl (Ubuntu)	Fix Released	Undecided	Unassigned
	Dapper	Fix Released	Undecided	Marc Deslauriers
	Hardy	Fix Released	Undecided	Marc Deslauriers
	Jaunty	Fix Released	Undecided	Marc Deslauriers
	Karmic	Fix Released	Undecided	Marc Deslauriers
	Lucid	Fix Released	Undecided	Marc Deslauriers
	Maverick	Fix Released	Undecided	Unassigned

Bug Description

Binary package hint: openssl

This is the main bug that will track CVE-2009-3555 updates. Please report any regression in this bug.

Related branches

lp://staging/ubuntu/dapper-proposed/openssl

lp://staging/ubuntu/karmic-proposed/openssl

lp://staging/ubuntu/jaunty-proposed/openssl

lp://staging/ubuntu/hardy-proposed/openssl

lp://staging/ubuntu/lucid-proposed/openssl

lp://staging/ubuntu/dapper-proposed/apache2

lp://staging/ubuntu/jaunty-security/apache2

lp://staging/ubuntu/hardy-security/apache2

lp://staging/ubuntu/hardy-updates/apache2

lp://staging/ubuntu/lucid-security/apache2

lp://staging/ubuntu/lucid-proposed/apache2

lp://staging/ubuntu/karmic-security/apache2

CVE References

2009-3555

Marc Deslauriers (mdeslaur) on 2010-08-12

Changed in apache2 (Ubuntu Maverick):
status:	New → Fix Released
Changed in openssl (Ubuntu Maverick):
status:	New → Fix Released
Changed in apache2 (Ubuntu Dapper):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in apache2 (Ubuntu Hardy):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in apache2 (Ubuntu Jaunty):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in apache2 (Ubuntu Karmic):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in apache2 (Ubuntu Lucid):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in openssl (Ubuntu Dapper):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in openssl (Ubuntu Hardy):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in openssl (Ubuntu Jaunty):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in openssl (Ubuntu Karmic):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in openssl (Ubuntu Lucid):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
visibility:	private → public

Revision history for this message

Kees Cook (kees) wrote on 2010-09-17:

#1

I can confirm that the firefox CVE-2009-3555 warnings go away once these packages are installed on Lucid. Additionally, I tested that sasl and dovecot still work as expected. Awesome. :)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-09-21:

#2

This bug was fixed in the package apache2 - 2.2.8-1ubuntu0.18

---------------
apache2 (2.2.8-1ubuntu0.18) hardy-security; urgency=low

  * debian/patches/212_sslinsecurerenegotiation-directive.dpatch: once
    openssl gets updated to fix CVE-2009-3555, server renegotiations with
    unpatched clients will fail. This patch adds the ability to revert to
    the previous unsafe behaviour with a new SSLInsecureRenegotiation
    directive. (LP: #616759)
  * debian/control: add specific dependency on first openssl version to get
    CVE-2009-3555 fix.
-- Marc Deslauriers <email address hidden> Mon, 16 Aug 2010 13:39:40 -0400

Changed in apache2 (Ubuntu Hardy):
status:	In Progress → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-09-21:

#3

This bug was fixed in the package openssl - 0.9.8g-4ubuntu3.10

---------------
openssl (0.9.8g-4ubuntu3.10) hardy-security; urgency=low

  * SECURITY UPDATE: TLS renegotiation flaw (LP: #616759)
    - apps/{s_cb,s_client,s_server}.c, doc/ssl/SSL_CTX_set_options.pod,
      ssl/{d1_both,d1_clnt,d1_srvr,s3_both,s3_clnt,s3_pkt,s3_srvr,ssl_err,
      ssl_lib,t1_lib,t1_reneg}.c, ssl/Makefile, ssl/{ssl3,ssl,ssl_locl,
      tls1}.h: backport rfc5746 support from openssl 0.9.8m.
    - CVE-2009-3555
  * Enable tlsext, and backport some patches from jaunty now that tlsext is
    enabled.
    - Fix a problem with tlsext preventing firefox 3 from connection.
    - Don't add extentions to ssl v3 connections. It breaks with some
      other software.
-- Marc Deslauriers <email address hidden> Thu, 12 Aug 2010 08:35:55 -0400

Changed in openssl (Ubuntu Hardy):
status:	In Progress → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-09-21:

#4

This bug was fixed in the package apache2 - 2.2.11-2ubuntu2.7

---------------
apache2 (2.2.11-2ubuntu2.7) jaunty-security; urgency=low

  * debian/patches/909_sslinsecurerenegotiation-directive.dpatch: once
    openssl gets updated to fix CVE-2009-3555, server renegotiations with
    unpatched clients will fail. This patch adds the ability to revert to
    the previous unsafe behaviour with a new SSLInsecureRenegotiation
    directive. (LP: #616759)
  * debian/control: add specific dependency on first openssl version to get
    CVE-2009-3555 fix.
-- Marc Deslauriers <email address hidden> Mon, 16 Aug 2010 13:34:47 -0400

Changed in apache2 (Ubuntu Jaunty):
status:	In Progress → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-09-21:

#5

This bug was fixed in the package openssl - 0.9.8g-15ubuntu3.5

---------------
openssl (0.9.8g-15ubuntu3.5) jaunty-security; urgency=low

  * SECURITY UPDATE: TLS renegotiation flaw (LP: #616759)
    - apps/{s_cb,s_client,s_server}.c, doc/ssl/SSL_CTX_set_options.pod,
      ssl/{d1_both,d1_clnt,d1_srvr,s3_both,s3_clnt,s3_pkt,s3_srvr,ssl_err,
      ssl_lib,t1_lib,t1_reneg}.c, ssl/Makefile, ssl/{ssl3,ssl,ssl_locl,
      tls1}.h: backport rfc5746 support from openssl 0.9.8m.
    - CVE-2009-3555
-- Marc Deslauriers <email address hidden> Thu, 12 Aug 2010 08:34:41 -0400

Changed in openssl (Ubuntu Jaunty):
status:	In Progress → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-09-21:

#6

This bug was fixed in the package apache2 - 2.2.12-1ubuntu2.3

---------------
apache2 (2.2.12-1ubuntu2.3) karmic-security; urgency=low

  * debian/patches/905_sslinsecurerenegotiation-directive.dpatch: once
    openssl gets updated to fix CVE-2009-3555, server renegotiations with
    unpatched clients will fail. This patch adds the ability to revert to
    the previous unsafe behaviour with a new SSLInsecureRenegotiation
    directive. (LP: #616759)
  * debian/control: add specific dependency on first openssl version to get
    CVE-2009-3555 fix.
-- Marc Deslauriers <email address hidden> Mon, 16 Aug 2010 13:26:28 -0400

Changed in apache2 (Ubuntu Karmic):
status:	In Progress → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-09-21:

#7

This bug was fixed in the package openssl - 0.9.8g-16ubuntu3.2

---------------
openssl (0.9.8g-16ubuntu3.2) karmic-security; urgency=low

  * SECURITY UPDATE: TLS renegotiation flaw (LP: #616759)
    - apps/{s_cb,s_client,s_server}.c, doc/ssl/SSL_CTX_set_options.pod,
      ssl/{d1_both,d1_clnt,d1_srvr,s3_both,s3_clnt,s3_pkt,s3_srvr,ssl_err,
      ssl_lib,t1_lib,t1_reneg}.c, ssl/Makefile, ssl/{ssl3,ssl,ssl_locl,
      tls1}.h: backport rfc5746 support from openssl 0.9.8m.
    - CVE-2009-3555
-- Marc Deslauriers <email address hidden> Thu, 12 Aug 2010 08:32:19 -0400

Changed in openssl (Ubuntu Karmic):
status:	In Progress → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-09-21:

#8

This bug was fixed in the package apache2 - 2.2.14-5ubuntu8.2

---------------
apache2 (2.2.14-5ubuntu8.2) lucid-security; urgency=low

  * debian/patches/211-sslinsecurerenegotiation-directive.dpatch: once
    openssl gets updated to fix CVE-2009-3555, server renegotiations with
    unpatched clients will fail. This patch adds the ability to revert to
    the previous unsafe behaviour with a new SSLInsecureRenegotiation
    directive. (LP: #616759)
  * debian/control: add specific dependency on first openssl version to get
    CVE-2009-3555 fix.
-- Marc Deslauriers <email address hidden> Wed, 18 Aug 2010 16:37:47 -0400

Changed in apache2 (Ubuntu Lucid):
status:	In Progress → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-09-21:

#9

This bug was fixed in the package openssl - 0.9.8k-7ubuntu8.1

---------------
openssl (0.9.8k-7ubuntu8.1) lucid-security; urgency=low

  * SECURITY UPDATE: TLS renegotiation flaw (LP: #616759)
    - debian/patches/CVE-2009-3555-RFC5746.patch: backport rfc5746 support
      from openssl 0.9.8m.
    - CVE-2009-3555
-- Marc Deslauriers <email address hidden> Thu, 12 Aug 2010 08:30:03 -0400

Changed in openssl (Ubuntu Lucid):
status:	In Progress → Fix Released

Marc Deslauriers (mdeslaur) on 2010-09-21

Changed in apache2 (Ubuntu Dapper):
status:	In Progress → Fix Released
Changed in openssl (Ubuntu Dapper):
status:	In Progress → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.