Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 292025 - <net-libs/gnutls-2.10.0: TLS Session Renegotiation MITM vulnerability (CVE-2009-3555)
Summary: <net-libs/gnutls-2.10.0: TLS Session Renegotiation MITM vulnerability (CVE-20...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://extendedsubset.com/?p=8
Whiteboard: A3 [glsa]
Keywords:
Depends on: 307343 326589
Blocks: CVE-2009-3555
  Show dependency tree
 
Reported: 2009-11-05 22:39 UTC by Alex Legler (RETIRED)
Modified: 2012-06-23 14:41 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-05 22:39:15 UTC 
+++ This bug was initially created as a clone of Bug #292023 +++

From $URL:
Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities. [...]

(See blocked bug for more information)
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-06-25 21:39:08 UTC 
net-libs/gnutls-2.10.0 has been released and added to the tree.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-26 12:52:53 UTC 
Also: http://article.gmane.org/gmane.network.gnutls.general/2046

Arches, please test and mark stable:
=net-libs/gnutls-2.10.0
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Christoph Mende (RETIRED) gentoo-dev 2010-06-26 13:24:08 UTC 
amd64 stable
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-06-27 11:07:20 UTC 
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-06-28 10:52:42 UTC 
Stable for HPPA.
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2010-07-05 15:10:18 UTC 
ppc64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2010-07-11 08:45:48 UTC 
Stable on alpha.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-07-25 16:53:37 UTC 
arm/ia64/m68k/s390/sh/sparc stable
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:49:01 UTC 
*ping* ppc
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-06 16:01:18 UTC 
(In reply to comment #9)
> *ping* ppc

Working on it now.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-06 16:53:59 UTC 
Stable for PPC.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:31:54 UTC 
GLSA together with bug 281224.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-06-23 14:41:15 UTC 
This issue was resolved and addressed in
 GLSA 201206-18 at http://security.gentoo.org/glsa/glsa-201206-18.xml
by GLSA coordinator Sean Amoss (ackle).