Your message dated Thu, 06 Jan 2011 07:54:48 +0000
with message-id <e1pakgk-0001jw...@franck.debian.org>
and subject line Bug#587037: fixed in apache2 2.2.9-10+lenny9
has caused the Debian Bug report #587037,
regarding CVE-2009-3555: Firefox reports server is "potentially vulnerable"
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
587037: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587037
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.9-10+lenny8
Severity: normal
Hi, http://security-tracker.debian.org/tracker/CVE-2009-3555 says this has
been fixed in my version of apache, and I am not using SSLVerifyClient at
all, and there is one default SSLCipherSuite line in ssl.conf. Firefox reports
(in the JavaScript console, but I gather that is supposed to change to a
more obvious error message at some point) that my server is "potentially
vulnerable to CVE-2009-3555".
On the openssl side, I see that it was fixed in openssl 0.9.8k, but I (lenny)
have openssl 0.9.8g-15+lenny6.
I don't see that CVE mentioned in the changelog of openssl, so perhaps it
wasn't ever backported.
Am I really vulnerable and/or is Firefox going to start reporting to users that
I am at some point?
-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
alias auth_basic auth_digest authn_file authz_default
authz_groupfile authz_host authz_user autoindex cgi dav dav_fs
dav_svn deflate dir env expires fastcgi include jk mime negotiation
perl rewrite setenvif ssl status suexec suphp
-- System Information:
Debian Release: 5.0.4
APT prefers proposed-updates
APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ANSI_X3.4-1968) (ignored: LC_ALL
set to C)
Shell: /bin/sh linked to /bin/bash
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.2.9-10+lenny8 Apache HTTP Server - traditional n
apache2 recommends no packages.
apache2 suggests no packages.
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.9-10+lenny8 utility programs for webservers
ii libapr1 1.4.2-3~bpo50+2 The Apache Portable Runtime Librar
ii libaprutil1 1.2.12+dfsg-8+lenny4 The Apache Portable Runtime Utilit
ii libc6 2.7-18lenny2 GNU C Library: Shared libraries
ii libmagic1 4.26-1 File type determination library us
ii libssl0.9.8 0.9.8g-15+lenny6 SSL shared libraries
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii mime-support 3.44-1 MIME files 'mime.types' & 'mailcap
ii net-tools 1.60-22 The NET-3 networking toolkit
ii perl 5.10.0-19lenny2 Larry Wall's Practical Extraction
ii procps 1:3.2.7-11 /proc file system utilities
ii psmisc 22.6-1 Utilities that use the proc filesy
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.2.9-10+lenny9
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:
apache2-dbg_2.2.9-10+lenny9_i386.deb
to main/a/apache2/apache2-dbg_2.2.9-10+lenny9_i386.deb
apache2-doc_2.2.9-10+lenny9_all.deb
to main/a/apache2/apache2-doc_2.2.9-10+lenny9_all.deb
apache2-mpm-event_2.2.9-10+lenny9_i386.deb
to main/a/apache2/apache2-mpm-event_2.2.9-10+lenny9_i386.deb
apache2-mpm-prefork_2.2.9-10+lenny9_i386.deb
to main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny9_i386.deb
apache2-mpm-worker_2.2.9-10+lenny9_i386.deb
to main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny9_i386.deb
apache2-prefork-dev_2.2.9-10+lenny9_i386.deb
to main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny9_i386.deb
apache2-src_2.2.9-10+lenny9_all.deb
to main/a/apache2/apache2-src_2.2.9-10+lenny9_all.deb
apache2-suexec-custom_2.2.9-10+lenny9_i386.deb
to main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny9_i386.deb
apache2-suexec_2.2.9-10+lenny9_i386.deb
to main/a/apache2/apache2-suexec_2.2.9-10+lenny9_i386.deb
apache2-threaded-dev_2.2.9-10+lenny9_i386.deb
to main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny9_i386.deb
apache2-utils_2.2.9-10+lenny9_i386.deb
to main/a/apache2/apache2-utils_2.2.9-10+lenny9_i386.deb
apache2.2-common_2.2.9-10+lenny9_i386.deb
to main/a/apache2/apache2.2-common_2.2.9-10+lenny9_i386.deb
apache2_2.2.9-10+lenny9.diff.gz
to main/a/apache2/apache2_2.2.9-10+lenny9.diff.gz
apache2_2.2.9-10+lenny9.dsc
to main/a/apache2/apache2_2.2.9-10+lenny9.dsc
apache2_2.2.9-10+lenny9_all.deb
to main/a/apache2/apache2_2.2.9-10+lenny9_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 587...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <s...@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 11 Dec 2010 19:45:28 +0100
Source: apache2
Binary: apache2.2-common apache2-mpm-worker apache2-mpm-prefork
apache2-mpm-event apache2-utils apache2-suexec apache2-suexec-custom apache2
apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-src apache2-dbg
Architecture: source i386 all
Version: 2.2.9-10+lenny9
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description:
apache2 - Apache HTTP Server metapackage
apache2-dbg - Apache debugging symbols
apache2-doc - Apache HTTP Server documentation
apache2-mpm-event - Apache HTTP Server - event driven model
apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
apache2-mpm-worker - Apache HTTP Server - high speed threaded model
apache2-prefork-dev - Apache development headers - non-threaded MPM
apache2-src - Apache source code
apache2-suexec - Standard suexec program for Apache 2 mod_suexec
apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
apache2-threaded-dev - Apache development headers - threaded MPM
apache2-utils - utility programs for webservers
apache2.2-common - Apache HTTP Server common files
Closes: 587037
Changes:
apache2 (2.2.9-10+lenny9) stable-security; urgency=high
.
* Add the new SSLInsecureRenegotiation directive to configure if clients
that have not been patched to support secure renegotiation (RFC 5746)
are allowed to connect (CVE-2009-3555).
Together with the recent openssl upgrade, this closes: #587037
This upgrade also adds support for the SSL_SECURE_RENEG variable, to
allow testing if secure renegotiation is supported by the client.
Checksums-Sha1:
f8d0b20040ab8bd9ea4388386af13cd8c22ca23c 1697 apache2_2.2.9-10+lenny9.dsc
b9c13a9bc36936fb59aa1fca4baea78d27c09ca3 149748 apache2_2.2.9-10+lenny9.diff.gz
5a23a2257385b3afe7fb86a9368b218d103f7567 783768
apache2.2-common_2.2.9-10+lenny9_i386.deb
b5f92618a13a653e75b9a8408bc9b89640c7d599 242282
apache2-mpm-worker_2.2.9-10+lenny9_i386.deb
fce62b386ce657322d599d8d750fd840108cc21f 239060
apache2-mpm-prefork_2.2.9-10+lenny9_i386.deb
6f9722f647299ed3ea1eb082dfcfd3a32c15c03f 242720
apache2-mpm-event_2.2.9-10+lenny9_i386.deb
8e240ca72daf56f4f477dd4c7804538bc8340983 144556
apache2-utils_2.2.9-10+lenny9_i386.deb
aebd18480b4e3a385d726e46af0c27ad78108602 83300
apache2-suexec_2.2.9-10+lenny9_i386.deb
a72b462f26e3596e56f2c986d439e72691284185 84898
apache2-suexec-custom_2.2.9-10+lenny9_i386.deb
a9c8acf606141a6fd9174a3bf80956e75d89a565 212068
apache2-prefork-dev_2.2.9-10+lenny9_i386.deb
05ea51cd94e7f89e28ddcbe26aa7b9e8ec6691ee 213262
apache2-threaded-dev_2.2.9-10+lenny9_i386.deb
f16340b5348e78ec9671ee20d21a230012fd1fd5 2319710
apache2-dbg_2.2.9-10+lenny9_i386.deb
28685bff1f3cfdb0923f4105ea2db3fa681d680c 45856 apache2_2.2.9-10+lenny9_all.deb
02b21b046cbcaa7015c0f44841bb86ed48a604ac 2061636
apache2-doc_2.2.9-10+lenny9_all.deb
0dd1197ac1a9ba121db79442da1e65ee5e65707e 6737144
apache2-src_2.2.9-10+lenny9_all.deb
Checksums-Sha256:
0cc6352e3769411e76eb96bdd3325b65c4ae1a0929b389bd770965144ebabc27 1697
apache2_2.2.9-10+lenny9.dsc
ec466513f6c0950bd62747cb6e97f245d1573e875055f2e75ce60bfd9595ebaf 149748
apache2_2.2.9-10+lenny9.diff.gz
eb7a40b6b3e3c3d1a28af0845d55d874c6d33d23fe4b7f43f0b911355407ce7b 783768
apache2.2-common_2.2.9-10+lenny9_i386.deb
63db8a5c5dbbb81894165d67bd7eb551f36a2f073fc981bd7c4f51498d4c1711 242282
apache2-mpm-worker_2.2.9-10+lenny9_i386.deb
1eee1779f8dce51a51bf54be4d404cd03618c3db9362d69d814855664b701898 239060
apache2-mpm-prefork_2.2.9-10+lenny9_i386.deb
1f53e64c88787e3080579224800e9f27ffbcb1a4c1f4b27873d47e32f9d53c47 242720
apache2-mpm-event_2.2.9-10+lenny9_i386.deb
f8a983c176b1cffd24a02b33b4db4bd4c98ba1e6507a48261b5ecd8a0c403f87 144556
apache2-utils_2.2.9-10+lenny9_i386.deb
b4e22ea8b5c9a6df93f50e5902756da407b353b329750dec7471f7e1835cce38 83300
apache2-suexec_2.2.9-10+lenny9_i386.deb
af1863311542a308b7038f7173c1877064dfc50d2e4fbfef812cce05240a9327 84898
apache2-suexec-custom_2.2.9-10+lenny9_i386.deb
331c0787d82dc6e31c84500dfc66583fb939675aa35ccb3da89d4c555762ce99 212068
apache2-prefork-dev_2.2.9-10+lenny9_i386.deb
46c4f5a430db529f3e9086e9bbafe5144f6eb87fc70e3860356cd4efcd229428 213262
apache2-threaded-dev_2.2.9-10+lenny9_i386.deb
fbec33aa4c007f648c8bb28792f08f8d282c588ceb24ae85d074db087462d3ec 2319710
apache2-dbg_2.2.9-10+lenny9_i386.deb
4535fc53b27a4430fa2b5dbbceac90319efbbc4a4c563ceb23b2ab097daa6079 45856
apache2_2.2.9-10+lenny9_all.deb
436f313bba2167c397b306ed8e6270306c83fb96fa4d8fb3cc33e78da31f1b6a 2061636
apache2-doc_2.2.9-10+lenny9_all.deb
4b6b87aa1ddfdbfd5193bde95482e6916e3a3b5c8707628fbf1d1d0d86dc5a4f 6737144
apache2-src_2.2.9-10+lenny9_all.deb
Files:
ef76d3ad84941ecfd98e4968f9d95eba 1697 web optional apache2_2.2.9-10+lenny9.dsc
ebedab9ae59a32e224c1321b9b543752 149748 web optional
apache2_2.2.9-10+lenny9.diff.gz
4470d5b5764fbc333b1d92aa97e286e6 783768 web optional
apache2.2-common_2.2.9-10+lenny9_i386.deb
4e786cfee02f6da8783880561b131a28 242282 web optional
apache2-mpm-worker_2.2.9-10+lenny9_i386.deb
0dc8daf0b4ecd6a034031b9db62e45c9 239060 web optional
apache2-mpm-prefork_2.2.9-10+lenny9_i386.deb
3daa2df7c336b0d08690070dbfbf41ad 242720 web optional
apache2-mpm-event_2.2.9-10+lenny9_i386.deb
ac440f1eb477ddbd50026b1501c7f887 144556 web optional
apache2-utils_2.2.9-10+lenny9_i386.deb
30864abd7486c386db43ea6ae359ca2b 83300 web optional
apache2-suexec_2.2.9-10+lenny9_i386.deb
7268fd31c77095ffd8fd1c97e1de3427 84898 web extra
apache2-suexec-custom_2.2.9-10+lenny9_i386.deb
76da9662f7cb93a8b3f7d4bf519402f6 212068 devel extra
apache2-prefork-dev_2.2.9-10+lenny9_i386.deb
ea7c648516db1ddf4cf0499a9ff5f96c 213262 devel extra
apache2-threaded-dev_2.2.9-10+lenny9_i386.deb
f9789d63e129106624e2343e5af42ade 2319710 libdevel extra
apache2-dbg_2.2.9-10+lenny9_i386.deb
1332a9407456fb3cb1cb93b013dc224e 45856 web optional
apache2_2.2.9-10+lenny9_all.deb
7181192049fcc498cb670ce2ba005422 2061636 doc optional
apache2-doc_2.2.9-10+lenny9_all.deb
9b9acbf1fd7ea0357add41f35ca9da3f 6737144 devel extra
apache2-src_2.2.9-10+lenny9_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFNA+oEbxelr8HyTqQRAv4GAKCks2JaevXwN19wB64eLYaSVjI7XQCfXyjK
CmsjJ9lIujmm79Xe1yJOlPY=
=gwZP
-----END PGP SIGNATURE-----
--- End Message ---
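The changelog for 2.2.9-10+lenny9 names two new pieces, the SSLInsecureRenegotiation directive and the SSL_SECURE_RENEG variable, without showing them in use. The fragment below is an added example written for this page; it is not the reporter's ssl.conf and not configuration shipped by the Debian apache2 package. It assumes mod_ssl is enabled on apache2 2.2.9-10+lenny9 (or any mod_ssl that has the directive); www.example.com, the log file name and the /account location are placeholders, and the certificate paths are the Debian ssl-cert defaults. It shows the directive kept at its secure default, the variable logged per request so an administrator can measure how many clients still lack RFC 5746 before deciding anything, and the variable used to fence legacy clients out of a location that would otherwise provoke a renegotiation.

```apache
# Added example configuration, not taken from the Debian changelog or the
# reporter's ssl.conf. Assumes apache2 2.2.9-10+lenny9 with mod_ssl enabled.
# www.example.com, the log path and the /account location are placeholders.
<IfModule mod_ssl.c>
    # Secure default after the lenny9 update: clients that do not implement
    # RFC 5746 can still complete an initial handshake, but any renegotiation
    # with them is refused, which closes the CVE-2009-3555 injection window.
    # Setting this to "on" re-opens that window for every such client, so it
    # is only a short-term measure while legacy clients are identified.
    SSLInsecureRenegotiation off

    <VirtualHost _default_:443>
        ServerName www.example.com
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        # SSL_SECURE_RENEG is "true" when the client negotiated RFC 5746 and
        # "false" otherwise. Logging it per request shows which clients would
        # be affected by refused renegotiation before anything else changes.
        # %{...}x reads mod_ssl variables without exporting them to the env.
        LogFormat "%h %{SSL_PROTOCOL}x reneg=%{SSL_SECURE_RENEG}x \"%r\" %>s" sslreneg
        CustomLog /var/log/apache2/ssl_reneg.log sslreneg

        # Also export the SSL_* variables to CGI/PHP if applications need them.
        SSLOptions +StdEnvVars

        # Areas that would otherwise trigger a renegotiation (for example a
        # per-directory SSLVerifyClient) can be closed to legacy clients up
        # front, so they receive a clear 403 instead of a mid-connection
        # failure when the server refuses to renegotiate.
        <Location /account>
            SSLRequire %{SSL_SECURE_RENEG} eq "true"
        </Location>
    </VirtualHost>
</IfModule>
```

After reloading, a grep of the constructed log file for reneg=false gives the population of clients that would break if the location above were applied site-wide, which is the information needed to decide between keeping SSLInsecureRenegotiation off (the default) and temporarily turning it on.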