Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 292025

Summary: <net-libs/gnutls-2.10.0: TLS Session Renegotiation MITM vulnerability (CVE-2009-3555)
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: crypto+disabled, kjackie, zvn
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://extendedsubset.com/?p=8
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 307343, 326589    
Bug Blocks: 292023    

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-05 22:39:15 UTC 
+++ This bug was initially created as a clone of Bug #292023 +++

From $URL:
Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities. [...]

(See blocked bug for more information)
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-06-25 21:39:08 UTC 
net-libs/gnutls-2.10.0 has been released and added to the tree.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-26 12:52:53 UTC 
Also: http://article.gmane.org/gmane.network.gnutls.general/2046

Arches, please test and mark stable:
=net-libs/gnutls-2.10.0
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Christoph Mende (RETIRED) gentoo-dev 2010-06-26 13:24:08 UTC 
amd64 stable
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-06-27 11:07:20 UTC 
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-06-28 10:52:42 UTC 
Stable for HPPA.
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2010-07-05 15:10:18 UTC 
ppc64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2010-07-11 08:45:48 UTC 
Stable on alpha.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-07-25 16:53:37 UTC 
arm/ia64/m68k/s390/sh/sparc stable
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:49:01 UTC 
*ping* ppc
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-06 16:01:18 UTC 
(In reply to comment #9)
> *ping* ppc

Working on it now.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-06 16:53:59 UTC 
Stable for PPC.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:31:54 UTC 
GLSA together with bug 281224.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-06-23 14:41:15 UTC 
This issue was resolved and addressed in
 GLSA 201206-18 at http://security.gentoo.org/glsa/glsa-201206-18.xml
by GLSA coordinator Sean Amoss (ackle).