-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-2141-2 security@xxxxxxxxxx http://www.debian.org/security/ Stefan Fritsch January 06, 2011 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : nss Vulnerability : SSL/TLS insecure renegotiation protocol design flaw Problem type : remote Debian-specific: no CVE ID : CVE-2009-3555 CVE-2009-3555: Marsh Ray, Steve Dispensa, and Martin Rex discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user's session. This update adds backported support for the new RFC5746 renegotiation extension which fixes this issue. The updated libraries allow to use shell environment variables to configure if insecure renegotiation is still allowed. The syntax of these environment variables is described in the release notes to version 3.12.6 of nss: https://developer.mozilla.org/NSS_3.12.6_release_notes However, the default behaviour for nss in Debian 5.0 (Lenny) is NSS_SSL_ENABLE_RENEGOTIATION=3, which allows clients to continue to renegotiate with vulnerable servers. For the stable distribution (lenny), this problem has been fixed in version 3.12.3.1-0lenny3. For the unstable distribution (sid), and the testing distribution (squeeze), this problem has been fixed in version 3.12.6-1. We recommend that you upgrade your nss package. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iD8DBQFNJPfIbxelr8HyTqQRAhfvAJ9cQ5xPCr1MKm2M2HkOX4O/5Lau6wCeNAtE 3BuBYa58RjJmNXQNm8nqnhs= =8rXx -----END PGP SIGNATURE-----
