CVE-2009-3555

Name: CVE-2009-3555
Description: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as ...
Source: CVE (at NVD; oss-sec, OSVDB, EDB, Red Hat, Ubuntu, Gentoo, SuSE, more)
References: DSA-1934-1, DSA-2141-1, DSA-2141-2, DSA-2626-1
Debian Bugs: 704946
Debian/oldstable: packages polarssl, zorp are vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      | Release                       | Version                  | Status
--------------------|-------------------------------|--------------------------|-----------
apache2 (PTS)       | squeeze (security)            | 2.2.16-6+squeeze11       | fixed
                    | squeeze                       | 2.2.16-6+squeeze12       | fixed
                    | wheezy                        | 2.2.22-13+deb7u1         | fixed
                    | jessie, sid                   | 2.4.9-1                  | fixed
gnutls26 (PTS)      | squeeze                       | 2.8.6-1+squeeze2         | fixed
                    | squeeze (security)            | 2.8.6-1+squeeze3         | fixed
                    | wheezy                        | 2.12.20-7                | fixed
                    | wheezy (security)             | 2.12.20-8+deb7u1         | fixed
                    | jessie, sid                   | 2.12.23-13               | fixed
lighttpd (PTS)      | squeeze                       | 1.4.28-2+squeeze1.5      | fixed
                    | squeeze (security)            | 1.4.28-2+squeeze1.6      | fixed
                    | wheezy                        | 1.4.31-4+deb7u2          | fixed
                    | wheezy (security)             | 1.4.31-4+deb7u3          | fixed
                    | jessie, sid                   | 1.4.35-2                 | fixed
matrixssl (PTS)     | jessie, squeeze, wheezy, sid  | 1.8.8-1                  | fixed
nginx (PTS)         | squeeze, squeeze (security)   | 0.7.67-3+squeeze3        | fixed
                    | wheezy, wheezy (security)     | 1.2.1-2.2+wheezy2        | fixed
                    | jessie, sid                   | 1.4.7-1                  | fixed
nss (PTS)           | squeeze, squeeze (security)   | 3.12.8-1+squeeze7        | fixed
                    | wheezy, wheezy (security)     | 2:3.14.5-1               | fixed
                    | jessie, sid                   | 2:3.16-1                 | fixed
openjdk-6 (PTS)     | squeeze                       | 6b18-1.8.13-0+squeeze2   | fixed
                    | wheezy                        | 6b27-1.12.5-1            | fixed
                    | squeeze (security)            | 6b27-1.12.6-1~deb6u1     | fixed
                    | wheezy (security)             | 6b27-1.12.6-1~deb7u1     | fixed
                    | jessie, sid                   | 6b30-1.13.2-2            | fixed
openssl (PTS)       | squeeze, squeeze (security)   | 0.9.8o-4squeeze14        | fixed
                    | wheezy                        | 1.0.1e-2+deb7u4          | fixed
                    | wheezy (security)             | 1.0.1e-2+deb7u6          | fixed
                    | jessie, sid                   | 1.0.1g-2                 | fixed
polarssl (PTS)      | squeeze                       | 0.12.1-1squeeze1         | vulnerable
                    | squeeze (security)            | 1.2.9-1~deb6u1           | fixed
                    | wheezy, wheezy (security)     | 1.2.9-1~deb7u1           | fixed
                    | jessie, sid                   | 1.3.4-1                  | fixed
sun-java6 (PTS)     | squeeze/non-free              | 6.26-0squeeze1           | fixed
tomcat-native (PTS) | squeeze                       | 1.1.20-1                 | fixed
                    | wheezy                        | 1.1.24-1                 | fixed
                    | jessie, sid                   | 1.1.29-1                 | fixed
zorp (PTS)          | squeeze                       | 3.3.6-1.1                | vulnerable
                    | jessie, wheezy, sid           | 3.9.5-4                  | fixed

The information above is based on the following data on fixed versions.

Package       | Type   | Release    | Fixed Version       | Urgency | Origin     | Debian Bugs
--------------|--------|------------|---------------------|---------|------------|------------
apache2       | source | (unstable) | 2.2.14-2            |         |            |
apache2       | source | etch       | 2.2.3-4+etch11      |         | DSA-1934-1 |
apache2       | source | lenny      | 2.2.9-10+lenny6     |         | DSA-1934-1 |
classpath     | source | (unstable) | (unfixed)           |         |            |
gnutls26      | source | (unstable) | (not affected)      |         |            |
lighttpd      | source | (unstable) | 1.4.30-1            |         |            |
lighttpd      | source | squeeze    | 1.4.28-2+squeeze1.2 |         | DSA-2626-1 |
matrixssl     | source | (unstable) | 1.8.8-1             |         |            |
nginx         | source | (unstable) | 0.7.64-1            |         |            |
nss           | source | (unstable) | 3.12.6-1            |         |            |
nss           | source | lenny      | 3.12.3.1-0lenny3    |         | DSA-2141-2 |
openjdk-6     | source | (unstable) | 6b18-1.8.2-1        |         |            |
openssl       | source | (unstable) | 0.9.8k-6            |         |            |
openssl       | source | lenny      | 0.9.8g-15+lenny11   |         | DSA-2141-1 |
polarssl      | source | (unstable) | 1.2.0-1             |         |            | 704946
sun-java5     | source | (unstable) | (unfixed)           |         |            |
sun-java6     | source | (unstable) | 6.19-1              |         |            |
sun-java6     | source | lenny      | 6-22-0lenny         |         |            |
tomcat-native | source | (unstable) | 1.1.18-1            |         |            |
zorp          | source | (unstable) | 3.9.2-1             |         |            |

Notes

[lenny] - sun-java5 <no-dsa> (Minor issue)
Update 22 for Sun Java implemented the new RFC extension.
[lenny] - matrixssl <no-dsa> (Fringe SSL implementation, can be fixed in spu)
[lenny] - tomcat-native <no-dsa> (Minor issue)
- gnutls26 <not-affected> (safely handles renegotiation; however, support for RFC 5746 would be useful)
[squeeze] - zorp <no-dsa> (Minor issue)
[lenny] - zorp <no-dsa> (Minor issue)
For any of the currently unfixed implementations, you can solve the problem by disabling renegotiation.
The following implement RFC 5746:
- openssl 0.9.8m-1
- apache 2.2.15-1
- nss 3.12.6-1
- sun-java6 6.19-1
