CVE-2011-3389

NameCVE-2011-3389
DescriptionThe SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-154-1, DLA-400-1, DSA-2356-1, DSA-2358-1, DSA-2368-1, DSA-2398-1
NVD severitymedium
Debian Bugs645881, 678998, 684511

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)jessie1:11.13.1~dfsg-2+deb8u5fixed
jessie (security)1:11.13.1~dfsg-2+deb8u6fixed
stretch (security), stretch1:13.14.1~dfsg-2+deb9u4fixed
buster1:16.2.1~dfsg-1+deb10u1fixed
bullseye, sid1:16.2.1~dfsg-2fixed
bouncycastle (PTS)jessie1.49+dfsg-3+deb8u2fixed
jessie (security)1.49+dfsg-3+deb8u3fixed
stretch (security), stretch1.56-1+deb9u2fixed
buster1.60-1fixed
bullseye, sid1.61-1fixed
chromium-browser (PTS)jessie (security), jessie57.0.2987.98-1~deb8u1fixed
stretch70.0.3538.110-1~deb9u1fixed
stretch (security)71.0.3578.80-1~deb9u1fixed
curl (PTS)jessie7.38.0-4+deb8u11fixed
jessie (security)7.38.0-4+deb8u16fixed
stretch (security), stretch7.52.1-5+deb9u9fixed
buster7.64.0-4fixed
bullseye, sid7.66.0-1fixed
erlang (PTS)jessie (security), jessie1:17.3-dfsg-4+deb8u2fixed
stretch1:19.2.1+dfsg-2+deb9u2fixed
stretch (security)1:19.2.1+dfsg-2+deb9u1fixed
buster1:21.2.6+dfsg-1fixed
bullseye, sid1:22.1.7+dfsg-1fixed
gnutls28 (PTS)jessie3.3.8-6+deb8u7vulnerable
jessie (security)3.3.30-0+deb8u1vulnerable
stretch3.5.8-5+deb9u4vulnerable
stretch (security)3.5.8-5+deb9u1vulnerable
buster3.6.7-4vulnerable
bullseye3.6.10-4vulnerable
sid3.6.10-5vulnerable
haskell-tls (PTS)jessie1.2.9-2vulnerable
stretch1.3.8-3vulnerable
bullseye, buster, sid1.4.1-3vulnerable
lighttpd (PTS)jessie (security), jessie1.4.35-4+deb8u1fixed
stretch1.4.45-1fixed
buster1.4.53-4fixed
bullseye, sid1.4.54-2fixed
nss (PTS)jessie2:3.26-1+debu8u3fixed
jessie (security)2:3.26-1+debu8u6fixed
stretch (security), stretch2:3.26.2-1.1+deb9u1fixed
buster2:3.42.1-1+deb10u1fixed
bullseye2:3.45-1fixed
sid2:3.47-1fixed
openjdk-7 (PTS)jessie7u181-2.6.14-1~deb8u1fixed
jessie (security)7u231-2.6.19-1~deb8u2fixed
polarssl (PTS)jessie1.3.9-2.1+deb8u3vulnerable
jessie (security)1.3.9-2.1+deb8u4vulnerable
pound (PTS)jessie (security), jessie2.6-6+deb8u1fixed
stretch2.7-1.3+deb9u1fixed
sid2.8-2fixed
python2.7 (PTS)jessie2.7.9-2+deb8u1fixed
jessie (security)2.7.9-2+deb8u5fixed
stretch (security), stretch2.7.13-2+deb9u3fixed
buster2.7.16-2+deb10u1fixed
bullseye, sid2.7.17-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
asterisksource(unstable)1:13.7.2~dfsg-1
asterisksourcejessie1:11.13.1~dfsg-2+deb8u1
asterisksourcesqueeze(unfixed)end-of-life
bouncycastlesource(unstable)1.49+dfsg-1
chromium-browsersource(unstable)15.0.874.106~r107270-1
chromium-browsersourcesqueeze(unfixed)end-of-life
curlsource(unstable)7.24.0-1
curlsourcelenny7.18.2-8lenny6DSA-2398-1
curlsourcesqueeze7.21.0-2.1+squeeze1DSA-2398-1
cyasslsource(unstable)(unfixed)
erlangsource(unstable)1:15.b-dfsg-1
gnutls26source(unstable)(unfixed)unimportant
gnutls28source(unstable)(unfixed)unimportant
haskell-tlssource(unstable)(unfixed)unimportant
iceweaselsource(unstable)(not affected)
lighttpdsource(unstable)1.4.30-1
lighttpdsourcelenny1.4.19-5+lenny3DSA-2368-1
lighttpdsourcesqueeze1.4.28-2+squeeze1DSA-2368-1
matrixsslsource(unstable)(unfixed)low
nsssource(unstable)3.13.1.with.ckbi.1.88-1
nsssourcesqueeze3.12.8-1+squeeze11DLA-154-1
openjdk-6source(unstable)6b23~pre11-1
openjdk-6sourcelenny6b18-1.8.10-0~lenny2DSA-2358-1
openjdk-6sourcesqueeze6b18-1.8.10-0+squeeze2DSA-2356-1
openjdk-7source(unstable)7~b147-2.0-1
polarsslsource(unstable)(unfixed)unimportant
poundsource(unstable)2.6-2
poundsourcesqueeze2.6-1+deb6u1DLA-400-1
python2.6source(unstable)2.6.8-0.1684511
python2.7source(unstable)2.7.3~rc1-1
python3.1source(unstable)(unfixed)678998
python3.2source(unstable)3.2.3~rc1-1
sun-java6source(unstable)(unfixed)645881
tlslitesource(unstable)(unfixed)

Notes

[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
strictly speaking this is no lighttpd issue, but lighttpd adds a workaround
http://curl.haxx.se/docs/adv_20120124B.html
[squeeze] - python2.6 <no-dsa> (Minor issue)
[squeeze] - python3.1 <no-dsa> (Minor issue)
http://bugs.python.org/issue13885
python3.1 is fixed starting 3.1.5
No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported since 2.0.0
No mitigation for haskell-tls, it is recommended to use TLS 1.1, which is supported since 0.2
[squeeze] - matrixssl <no-dsa> (Minor issue)
[wheezy] - matrixssl <no-dsa> (Minor issue)
matrixssl fix this upstream in 3.2.2
[squeeze] - bouncycastle <no-dsa> (Minor issue)
[wheezy] - bouncycastle <no-dsa> (Minor issue)
No mitigation for bouncycastle, it is recommended to use TLS 1.1, which is supported since 1.4.9
https://bugzilla.mozilla.org/show_bug.cgi?id=665814
https://hg.mozilla.org/projects/nss/rev/7f7446fcc7ab
No mitigation for polarssl, it is recommended to use TLS 1.1, which is supported in all releases
[wheezy] - tlslite <no-dsa> (Minor issue)
Pound 2.6-2 added an anti_beast.patch to mitigate BEAST attacks.
[squeeze] - erlang <no-dsa> (Minor issue)
[wheezy] - asterisk <no-dsa> (Minor issue)
[squeeze] - asterisk <end-of-life> (Not supported in Squeeze LTS)
http://downloads.digium.com/pub/security/AST-2016-001.html
https://issues.asterisk.org/jira/browse/ASTERISK-24972
patch for 11 (jessie): https://code.asterisk.org/code/changelog/asterisk?cs=f233bcd81d85626ce5bdd27b05bc95d131faf3e4
all versions vulnerable, backport required for wheezy

Search for package or bug name: Reporting problems