CVE-2011-3389

Name	CVE-2011-3389
Description	The SSL protocol, as used in certain configurations in Microsoft Windo ...
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-154-1, DLA-400-1, DSA-2356-1, DSA-2358-1, DSA-2368-1, DSA-2398-1
Debian Bugs	645881, 678998, 684511

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
asterisk (PTS)	bullseye	1:16.28.0~dfsg-0+deb11u4	fixed
	bullseye (security)	1:16.28.0~dfsg-0+deb11u9	fixed
	sid	1:22.9.0+dfsg+~cs6.16.60671434-1	fixed
bouncycastle (PTS)	bullseye	1.68-2	fixed
	bookworm	1.72-2	fixed
	forky, sid, trixie	1.80-3	fixed
curl (PTS)	bullseye	7.74.0-1.3+deb11u13	fixed
	bullseye (security)	7.74.0-1.3+deb11u16	fixed
	bookworm	7.88.1-10+deb12u14	fixed
	bookworm (security)	7.88.1-10+deb12u5	fixed
	trixie	8.14.1-2+deb13u2	fixed
	forky	8.19.0-3	fixed
	sid	8.20.0~rc3-1	fixed
erlang (PTS)	bullseye	1:23.2.6+dfsg-1+deb11u1	fixed
	bullseye (security)	1:23.2.6+dfsg-1+deb11u3	fixed
	bookworm	1:25.2.3+dfsg-1+deb12u3	fixed
	bookworm (security)	1:25.2.3+dfsg-1+deb12u1	fixed
	trixie	1:27.3.4.1+dfsg-1+deb13u1	fixed
	forky, sid	1:27.3.4.11+dfsg-1	fixed
gnutls28 (PTS)	bullseye	3.7.1-5+deb11u5	vulnerable
	bullseye (security)	3.7.1-5+deb11u9	vulnerable
	bookworm	3.7.9-2+deb12u5	vulnerable
	bookworm (security)	3.7.9-2+deb12u6	vulnerable
	trixie (security), trixie	3.8.9-3+deb13u2	vulnerable
	forky, sid	3.8.12-3	vulnerable
haskell-tls (PTS)	bullseye	1.5.4-1	vulnerable
	bookworm	1.5.8-1	vulnerable
	trixie	1.8.0-1	vulnerable
	forky, sid	2.1.8-2	vulnerable
lighttpd (PTS)	bullseye (security), bullseye	1.4.59-1+deb11u2	fixed
	bookworm	1.4.69-1	fixed
	trixie	1.4.79-2	fixed
	forky, sid	1.4.82-2	fixed
nss (PTS)	bullseye	2:3.61-1+deb11u3	fixed
	bullseye (security)	2:3.61-1+deb11u5	fixed
	bookworm	2:3.87.1-1+deb12u1	fixed
	bookworm (security)	2:3.87.1-1+deb12u2	fixed
	trixie (security), trixie	2:3.110-1+deb13u1	fixed
	forky, sid	2:3.123-1	fixed
pound (PTS)	bullseye	3.0-2	fixed
	trixie	4.16-3	fixed
	forky, sid	4.22-2	fixed
python2.7 (PTS)	bullseye	2.7.18-8+deb11u1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
asterisk	source	squeeze	(unfixed)	end-of-life
asterisk	source	jessie	1:11.13.1~dfsg-2+deb8u1
asterisk	source	(unstable)	1:13.7.2~dfsg-1
bouncycastle	source	(unstable)	1.49+dfsg-1
chromium-browser	source	squeeze	(unfixed)	end-of-life
chromium-browser	source	(unstable)	15.0.874.106~r107270-1
curl	source	lenny	7.18.2-8lenny6		DSA-2398-1
curl	source	squeeze	7.21.0-2.1+squeeze1		DSA-2398-1
curl	source	(unstable)	7.24.0-1
cyassl	source	(unstable)	(unfixed)
erlang	source	(unstable)	1:15.b-dfsg-1
gnutls26	source	(unstable)	(unfixed)	unimportant
gnutls28	source	(unstable)	(unfixed)	unimportant
haskell-tls	source	(unstable)	(unfixed)	unimportant
iceweasel	source	(unstable)	(not affected)
lighttpd	source	lenny	1.4.19-5+lenny3		DSA-2368-1
lighttpd	source	squeeze	1.4.28-2+squeeze1		DSA-2368-1
lighttpd	source	(unstable)	1.4.30-1
matrixssl	source	(unstable)	(unfixed)	low
nss	source	squeeze	3.12.8-1+squeeze11		DLA-154-1
nss	source	(unstable)	3.13.1.with.ckbi.1.88-1
openjdk-6	source	lenny	6b18-1.8.10-0~lenny2		DSA-2358-1
openjdk-6	source	squeeze	6b18-1.8.10-0+squeeze2		DSA-2356-1
openjdk-6	source	(unstable)	6b23~pre11-1
openjdk-7	source	(unstable)	7~b147-2.0-1
polarssl	source	(unstable)	(unfixed)	unimportant
pound	source	squeeze	2.6-1+deb6u1		DLA-400-1
pound	source	(unstable)	2.6-2
python2.6	source	(unstable)	2.6.8-0.1			684511
python2.7	source	(unstable)	2.7.3~rc1-1
python3.1	source	(unstable)	(unfixed)			678998
python3.2	source	(unstable)	3.2.3~rc1-1
sun-java6	source	(unstable)	(unfixed)			645881
tlslite	source	(unstable)	(unfixed)

Notes

[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
- iceweasel <not-affected> (Vulnerable code not present)
http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
strictly speaking this is no lighttpd issue, but lighttpd adds a workaround
http://curl.haxx.se/docs/adv_20120124B.html
[squeeze] - python2.6 <no-dsa> (Minor issue)
[squeeze] - python3.1 <no-dsa> (Minor issue)
http://bugs.python.org/issue13885
python3.1 is fixed starting 3.1.5
No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported since 2.0.0
No mitigation for haskell-tls, it is recommended to use TLS 1.1, which is supported since 0.2
[squeeze] - matrixssl <no-dsa> (Minor issue)
[wheezy] - matrixssl <no-dsa> (Minor issue)
matrixssl fix this upstream in 3.2.2
[squeeze] - bouncycastle <no-dsa> (Minor issue)
[wheezy] - bouncycastle <no-dsa> (Minor issue)
No mitigation for bouncycastle, it is recommended to use TLS 1.1, which is supported since 1.4.9
https://bugzilla.mozilla.org/show_bug.cgi?id=665814
https://hg.mozilla.org/projects/nss/rev/7f7446fcc7ab
No mitigation for polarssl, it is recommended to use TLS 1.1, which is supported in all releases
[wheezy] - tlslite <no-dsa> (Minor issue)
Pound 2.6-2 added an anti_beast.patch to mitigate BEAST attacks.
[squeeze] - erlang <no-dsa> (Minor issue)
[wheezy] - asterisk <no-dsa> (Minor issue)
[squeeze] - asterisk <end-of-life> (Not supported in Squeeze LTS)
http://downloads.digium.com/pub/security/AST-2016-001.html
https://issues.asterisk.org/jira/browse/ASTERISK-24972
patch for 11 (jessie): https://code.asterisk.org/code/changelog/asterisk?cs=f233bcd81d85626ce5bdd27b05bc95d131faf3e4
all versions vulnerable, backport required for wheezy