[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 400-1] pound security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : pound
Version        : 2.6-1+deb6u1
CVE ID         : CVE-2009-3555 CVE-2011-3389 CVE-2012-4929 CVE-2014-3566

This update fixes certain known vulnerabilities in pound in squeeze-lts by
backporting the version in wheezy.

CVE-2009-3555
    The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
    used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl
    in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
    GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
    3.12.4 and earlier, multiple Cisco products, and other products,
    does not properly associate renegotiation handshakes with an
    existing connection, which allows man-in-the-middle attackers to
    insert data into HTTPS sessions, and possibly other types of
    sessions protected by TLS or SSL, by sending an unauthenticated
    request that is processed retroactively by a server in a
    post-renegotiation context, related to a "plaintext injection"
    attack, aka the "Project Mogul" issue.

CVE-2011-3389
    The SSL protocol, as used in certain configurations in Microsoft
    Windows and Microsoft Internet Explorer, Mozilla Firefox, Google
    Chrome, Opera, and other products, encrypts data by using CBC mode
    with chained initialization vectors, which allows man-in-the-middle
    attackers to obtain plaintext HTTP headers via a blockwise
    chosen-boundary attack (BCBA) on an HTTPS session, in conjunction
    with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the
    Java URLConnection API, or (3) the Silverlight WebClient API, aka a
    "BEAST" attack.

CVE-2012-4929
    The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google
    Chrome, Qt, and other products, can encrypt compressed data without
    properly obfuscating the length of the unencrypted data, which
    allows man-in-the-middle attackers to obtain plaintext HTTP headers
    by observing length differences during a series of guesses in which
    a string in an HTTP request potentially matches an unknown string in
    an HTTP header, aka a "CRIME" attack.

CVE-2014-3566
    The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
    products, uses nondeterministic CBC padding, which makes it easier
    for man-in-the-middle attackers to obtain cleartext data via a
    padding-oracle attack, aka the "POODLE" issue.
- -- 
Brian May <bam@debian.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWpFguAAoJEJyE7hq50CY2GzIP/j7ZUsYNARMcrM4lSpL63dfu
zubAAXjUN/tkf4u18MsQMWdgU5h54leipfm2yrTdnJnUh1j7JKlDBnukegxbZlts
bOez0tpBXFxGz5F/TU2umaDIAYfed4ms0XFwwnG6Mckt3dlOXzJ9QQV3BkQFqlGe
AqV1QH44pUBUPHAcilVUrlJ9eKM2pBvauqC+dtMXLLEA7U16HVOn6rEi8plP7o5g
kkHuApcuzq/v00qD82MS1wt4zI5W1lV8sSdlgYimyJ039yalmcWd81FvtrWOifWB
P+q9YZKppbqsVm7Vf5GSPPc4YYAnf50hVZaAflB/kOUG+NjRFD87CwGr/EWvlbn1
G69ikrftDryFymf1vjYQg3wDDtHweHDw857UJAM88+qtjOM8/nH7ES19PhlgFoCu
AIMa0t2h93KZTVPrfotwDSpIGRDrm/yJcnlZot0m8+N3ONCODoBQxji/Y2/KvCnr
ERdIf6pI5SvMiVP6G91inVKDnRC+qjRVB1WH6H2dCCJ+PBFTjbZjmYpR3cGPRVSc
7RAhaI0bGnuwBNO+RXzr+7N0f3YrOwb1WFs7kYdpZJU7V8eCKPjB1cVycjuoflGp
UvA8USi+e+pSIJG+RqbBhNHkdJIhUXejFhvvLIhFABA7dDnEc0x5wwI0Cu6FxQXv
TD3T6UlovT50WyX98cxb
=4wrA
-----END PGP SIGNATURE-----


Reply to: