| Summary: | <net-ftp/proftpd-1.3.2d: TLS Session Renegotiation MITM (CVE-2009-3555) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Bernd Lommerzheim <bernd> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | chtekk, net-ftp, proxy-maint |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.proftpd.org | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 292023 | | |
| Attachments: | 219843, 219845, 219893 (see description) | | |
Description (Bernd Lommerzheim, 2010-02-16 01:01:50 UTC)

- Created attachment 219843 [details, diff]: proftpd-1.3.3_rc4.ebuild (patch against proftpd-1.3.3_rc3-r1.ebuild)
- Created attachment 219845 [details]: proftpd.initd (replaces proftpd.rc7)
- Created attachment 219893 [details]: proftpd.initd (replaces proftpd.rc7)
The previous version bump (bug #295545) missed this bit:

    1.3.2c (maintenance)
    ---------------------
    + Added Taiwan translation.
    + Added a workaround in mod_tls to deal with the vulnerability found in
      SSL/TLS protocol during renegotiation (CVE-2009-3555). Good descriptions
      of this vulnerability can be found here:
        http://extendedsubset.com/?p=8
        http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
      The workaround implemented in mod_tls (Bug#3324) is one of the suggested
      mitigation approaches: the server now refuses all client-initiated
      SSL/TLS session renegotiations.

and the latest release adds this:

    1.3.2d (maintenance)
    ---------------------
    + Fixed mod_tls compilation when using OpenSSL versions older than 0.9.7.

I think we should add ProFTPD 1.3.2d to the portage tree and start a stabilization request for it. Although it does not directly fix a security issue, it solves some segfaults and compatibility problems.

Ok, 1.3.3_rc4 added in tree with your changes, thanks Bernd! I've also added 1.3.2d as a simple copy of 1.3.2c, to keep minimal changes for testing.

Thanks Jer for spotting the security issue, recommend 1.3.2d stable round then, target arches: alpha amd64 hppa ppc ppc64 sparc x86

obsolete by bug 307075

Arches, please test and mark stable: =net-ftp/proftpd-1.3.2d
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

x86 stable

amd64 stable

ppc64 done

Marked ppc stable.

Stable for HPPA.

alpha/sparc stable

GLSA with 343389.
CVE-2009-3555 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3555): The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle).