Debian Security Advisory

DSA-3253-1 pound -- security update

Date Reported:
07 May 2015
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 723731, Bug 727197, Bug 765539, Bug 765649.
In Mitre's CVE dictionary: CVE-2009-3555, CVE-2012-4929, CVE-2014-3566.
More information:

Pound, a HTTP reverse proxy and load balancer, had several issues related to vulnerabilities in the Secure Sockets Layer (SSL) protocol.

For Debian 7 (wheezy) this update adds a missing part to make it actually possible to disable client-initiated renegotiation and disables it by default (CVE-2009-3555). TLS compression is disabled (CVE-2012-4929), although this is normally already disabled by the OpenSSL system library. Finally it adds the ability to disable the SSLv3 protocol (CVE-2014-3566) entirely via the new DisableSSLv3 configuration directive, although it will not disabled by default in this update. Additionally a non-security sensitive issue in redirect encoding is addressed.

For Debian 8 (jessie) these issues have been fixed prior to the release, with the exception of client-initiated renegotiation (CVE-2009-3555). This update addresses that issue for jessie.

For the oldstable distribution (wheezy), these problems have been fixed in version 2.6-2+deb7u1.

For the stable distribution (jessie), these problems have been fixed in version 2.6-6+deb8u1.

For the unstable distribution (sid), these problems have been fixed in version 2.6-6.1.

We recommend that you upgrade your pound packages.