Bug 306583 - <dev-java/ibm-{jdk,jre}-bin- and Vulnerability in TLS Protocol during Renegotiation (CVE-2009-3555)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Blocks: java-security CVE-2009-3555 352603
Reported: 2010-02-23 22:37 UTC by Vlastimil Babka (Caster) (RETIRED)
Modified: 2016-03-05 11:42 UTC


Description Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-02-23 22:37:55 UTC
A security vulnerability in the TLS protocol (including SSL v3) may allow an attacker to conduct man-in-the-middle (MITM) type of attacks where chosen plain text may be injected as a prefix in a user's TLS session. This vulnerability does not allow an attacker to decrypt the intercepted network communication.

Affected Releases
IBM Platforms:
6 SR6 and earlier
5.0 SR11 and earlier
1.4.2 SR13-FP3 and earlier

Releases containing fix
IBM Platforms:
6 SR7 and later
5.0 SR11-FP1 and later
1.4.2 SR13-FP4 and later
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-02-23 23:03:21 UTC
Please stabilize:

distfiles on their way as usual
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-02-24 13:44:56 UTC
x86 stable
Comment 3 Brent Baude (RETIRED) gentoo-dev 2010-02-28 17:00:20 UTC
ppc64 done
Comment 4 Markus Meier gentoo-dev 2010-03-08 19:51:35 UTC
amd64 stable
Comment 5 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 21:40:21 UTC
Marked ppc stable.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 13:30:25 UTC
glsa request filed.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 11:14:56 UTC
A quick search shows no results for a GLSA that was released per previous comments.

The issue was fixed in later releases from Sun and marked stable.  No vulnerable versions are in the tree as of approximately 6 years ago.