Debian Security Advisory
DSA-3253-1 pound -- security update
- Date Reported:
- 07 May 2015
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 723731, Bug 727197, Bug 765539, Bug 765649.
In Mitre's CVE dictionary: CVE-2009-3555, CVE-2012-4929, CVE-2014-3566.
- More information:
Pound, a HTTP reverse proxy and load balancer, had several issues related to vulnerabilities in the Secure Sockets Layer (SSL) protocol.
For Debian 7 (wheezy) this update adds a missing part to make it actually possible to disable client-initiated renegotiation and disables it by default (CVE-2009-3555). TLS compression is disabled (CVE-2012-4929), although this is normally already disabled by the OpenSSL system library. Finally it adds the ability to disable the SSLv3 protocol (CVE-2014-3566) entirely via the new
DisableSSLv3configuration directive, although it will not disabled by default in this update. Additionally a non-security sensitive issue in redirect encoding is addressed.
For Debian 8 (jessie) these issues have been fixed prior to the release, with the exception of client-initiated renegotiation (CVE-2009-3555). This update addresses that issue for jessie.
For the oldstable distribution (wheezy), these problems have been fixed in version 2.6-2+deb7u1.
For the stable distribution (jessie), these problems have been fixed in version 2.6-6+deb8u1.
For the unstable distribution (sid), these problems have been fixed in version 2.6-6.1.
We recommend that you upgrade your pound packages.