English | Deutsch | Español | Português
 UserID:
 Passwd:
 new user
 About:   Dedicated  | Advanced  | Standard  | Recurring  | No Risk  | Desktop  | Basic  | Single  | Security Seal  | FAQ
  Price/Feature Summary  | Order  | New Vulnerabilities  | Confidentiality  | Vulnerability Search
 Vulnerability   
Search   		     Search 61204 CVE descriptions
and 32582 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.68241
Category:Ubuntu Local Security Checks
Title:Ubuntu USN-990-1 (openssl)
Summary:Ubuntu USN-990-1 (openssl)
Description:The remote host is missing an update to openssl
announced via advisory USN-990-1.

Details follow:

Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3
protocols. If an attacker could perform a man in the middle attack at the
start of a TLS connection, the attacker could inject arbitrary content at
the beginning of the user's session. This update adds backported support
for the new RFC5746 renegotiation extension and will use it when both the
client and the server support it.

ATTENTION: After applying this update, a patched server will allow both
patched and unpatched clients to connect, but unpatched clients will not be
able to renegotiate. For more information, please refer to the following:
http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATION

Solution:
The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
libssl0.9.8 0.9.8a-7ubuntu0.12

Ubuntu 8.04 LTS:
libssl0.9.8 0.9.8g-4ubuntu3.10

Ubuntu 9.04:
libssl0.9.8 0.9.8g-15ubuntu3.5

Ubuntu 9.10:
libssl0.9.8 0.9.8g-16ubuntu3.2

Ubuntu 10.04 LTS:
libssl0.9.8 0.9.8k-7ubuntu8.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

http://www.securityspace.com/smysecure/catid.html?in=USN-990-1

Risk factor : High
Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-3555
Bugtraq: 20091124 rPSA-2009-0155-1 httpd mod_ssl (Google Search)
http://www.securityfocus.com/archive/1/archive/1/508075/100/0/threaded
Bugtraq: 20091118 TLS / SSLv3 vulnerability explained (DRAFT) (Google Search)
http://www.securityfocus.com/archive/1/archive/1/507952/100/0/threaded
Bugtraq: 20091130 TLS / SSLv3 vulnerability explained (New ways to leverage the vulnerability) (Google Search)
http://www.securityfocus.com/archive/1/archive/1/508130/100/0/threaded
Bugtraq: 20101207 VMSA-2010-0019 VMware ESX third party updates for Service Console (Google Search)
http://www.securityfocus.com/archive/1/archive/1/515055/100/0/threaded
Bugtraq: 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX (Google Search)
http://www.securityfocus.com/archive/1/archive/1/516397/100/0/threaded
http://seclists.org/fulldisclosure/2009/Nov/139
http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2
http://marc.info/?l=cryptography&m=125752275331877&w=2
http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00029.html
http://www.openwall.com/lists/oss-security/2009/11/05/3
http://www.openwall.com/lists/oss-security/2009/11/05/5
http://www.openwall.com/lists/oss-security/2009/11/06/3
http://www.openwall.com/lists/oss-security/2009/11/07/3
http://www.ietf.org/mail-archive/web/tls/current/msg03928.html
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.openwall.com/lists/oss-security/2009/11/20/1
http://www.openwall.com/lists/oss-security/2009/11/23/10
http://extendedsubset.com/?p=8
http://extendedsubset.com/Renegotiating_TLS.pdf
http://www.betanews.com/article/1257452450
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
http://www.links.org/?p=780
http://www.tombom.co.uk/blog/?p=85
https://bugzilla.mozilla.org/show_bug.cgi?id=526689
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
http://blogs.iss.net/archive/sslmitmiscsrf.html
http://www.links.org/?p=786
http://www.links.org/?p=789
http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html
http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html
http://clicky.me/tlsvuln
https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html
http://xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.09%20os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html
AIX APAR: PM00675
http://www-1.ibm.com/support/search.wss?rs=0&q=PM00675&apar=only
AIX APAR: IC67848
http://www-01.ibm.com/support/docview.wss?uid=swg1IC67848
AIX APAR: PM12247
http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247
AIX APAR: IC68054
http://www-01.ibm.com/support/docview.wss?uid=swg1IC68054
AIX APAR: IC68055
http://www-01.ibm.com/support/docview.wss?uid=swg1IC68055
http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.html
http://lists.apple.com/archives/security-announce/2010//May/msg00001.html
http://lists.apple.com/archives/security-announce/2010//May/msg00002.html
Cisco Security Advisory: 20091109 Transport Layer Security Renegotiation Vulnerability
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml
Debian Security Information: DSA-1934 (Google Search)
http://www.debian.org/security/2009/dsa-1934
Debian Security Information: DSA-2141 (Google Search)
http://www.debian.org/security/2011/dsa-2141
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00634.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00645.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01029.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01020.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00944.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039957.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-May/040652.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049702.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049528.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049455.html
http://security.gentoo.org/glsa/glsa-200912-01.xml
http://security.gentoo.org/glsa/glsa-201203-22.xml
HPdes Security Advisory: HPSBUX02482
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01945686
HPdes Security Advisory: SSRT090249
HPdes Security Advisory: HPSBMA02534
http://marc.info/?l=bugtraq&m=127419602507642&w=2
HPdes Security Advisory: SSRT090180
HPdes Security Advisory: HPSBMA02547
http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751
HPdes Security Advisory: SSRT100179
HPdes Security Advisory: HPSBGN02562
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02436041
HPdes Security Advisory: HPSBMA02568
http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995
HPdes Security Advisory: SSRT100219
HPdes Security Advisory: HPSBOV02683
http://marc.info/?l=bugtraq&m=130497311408250&w=2
HPdes Security Advisory: SSRT090208
HPdes Security Advisory: HPSBHF02706
http://marc.info/?l=bugtraq&m=132077688910227&w=2
HPdes Security Advisory: SSRT100613
HPdes Security Advisory: HPSBMU02759
http://www.securityfocus.com/archive/1/522176
HPdes Security Advisory: SSRT100817
http://www.mandriva.com/security/advisories?name=MDVSA-2010:084
http://www.mandriva.com/security/advisories?name=MDVSA-2010:076
http://www.mandriva.com/security/advisories?name=MDVSA-2010:089
Microsoft Security Bulletin: MS10-049
http://www.microsoft.com/technet/security/Bulletin/MS10-049.mspx
OpenBSD Security Advisory: [4.5] 010: SECURITY FIX: November 26, 2009
http://openbsd.org/errata45.html#010_openssl
OpenBSD Security Advisory: [4.6] 004: SECURITY FIX: November 26, 2009
http://openbsd.org/errata46.html#004_openssl
http://www.redhat.com/support/errata/RHSA-2010-0119.html
http://www.redhat.com/support/errata/RHSA-2010-0155.html
http://www.redhat.com/support/errata/RHSA-2010-0167.html
http://www.redhat.com/support/errata/RHSA-2010-0337.html
http://www.redhat.com/support/errata/RHSA-2010-0338.html
http://www.redhat.com/support/errata/RHSA-2010-0339.html
http://www.redhat.com/support/errata/RHSA-2010-0130.html
http://www.redhat.com/support/errata/RHSA-2010-0165.html
http://www.redhat.com/support/errata/RHSA-2010-0770.html
http://www.redhat.com/support/errata/RHSA-2010-0786.html
http://www.redhat.com/support/errata/RHSA-2010-0807.html
http://www.redhat.com/support/errata/RHSA-2010-0768.html
http://www.redhat.com/support/errata/RHSA-2010-0865.html
http://www.redhat.com/support/errata/RHSA-2010-0986.html
http://www.redhat.com/support/errata/RHSA-2010-0987.html
http://www.redhat.com/support/errata/RHSA-2011-0880.html
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.597446
http://sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-273350-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-274990-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021752.1-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021653.1-1
SuSE Security Announcement: SUSE-SA:2009:057 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html
SuSE Security Announcement: SUSE-SR:2010:008 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
SuSE Security Announcement: SUSE-SR:2010:011 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
SuSE Security Announcement: SUSE-SR:2010:012 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
SuSE Security Announcement: SUSE-SR:2010:013 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
SuSE Security Announcement: SUSE-SA:2010:061 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00005.html
SuSE Security Announcement: SUSE-SR:2010:019 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html
SuSE Security Announcement: SUSE-SR:2010:024 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html
SuSE Security Announcement: SUSE-SU-2011:0847 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html
SuSE Security Announcement: openSUSE-SU-2011:0845 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html
http://ubuntu.com/usn/usn-923-1
http://www.ubuntu.com/usn/USN-927-1
http://www.ubuntu.com/usn/USN-927-4
http://www.ubuntu.com/usn/USN-927-5
http://www.ubuntu.com/usn/USN-1010-1
Cert/CC Advisory: TA10-222A
http://www.us-cert.gov/cas/techalerts/TA10-222A.html
Cert/CC Advisory: TA10-287A
http://www.us-cert.gov/cas/techalerts/TA10-287A.html
CERT/CC vulnerability note: VU#120541
http://www.kb.cert.org/vuls/id/120541
BugTraq ID: 36935
http://www.securityfocus.com/bid/36935
http://osvdb.org/60521
http://osvdb.org/60972
http://osvdb.org/62210
http://osvdb.org/65202
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10088
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11578
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7315
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7973
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8366
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8535
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11617
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7478
http://securitytracker.com/id?1023148
http://www.securitytracker.com/id?1023163
http://www.securitytracker.com/id?1023204
http://www.securitytracker.com/id?1023205
http://www.securitytracker.com/id?1023206
http://www.securitytracker.com/id?1023207
http://www.securitytracker.com/id?1023208
http://www.securitytracker.com/id?1023209
http://www.securitytracker.com/id?1023210
http://www.securitytracker.com/id?1023211
http://www.securitytracker.com/id?1023212
http://www.securitytracker.com/id?1023215
http://www.securitytracker.com/id?1023216
http://www.securitytracker.com/id?1023217
http://www.securitytracker.com/id?1023218
http://www.securitytracker.com/id?1023219
http://www.securitytracker.com/id?1023243
http://www.securitytracker.com/id?1023270
http://www.securitytracker.com/id?1023271
http://www.securitytracker.com/id?1023272
http://www.securitytracker.com/id?1023273
http://www.securitytracker.com/id?1023274
http://www.securitytracker.com/id?1023275
http://www.securitytracker.com/id?1023411
http://www.securitytracker.com/id?1023426
http://www.securitytracker.com/id?1023427
http://www.securitytracker.com/id?1023428
http://www.securitytracker.com/id?1023213
http://www.securitytracker.com/id?1023214
http://www.securitytracker.com/id?1023224
http://www.securitytracker.com/id?1024789
http://secunia.com/advisories/37291
http://secunia.com/advisories/37292
http://secunia.com/advisories/37320
http://secunia.com/advisories/37501
http://secunia.com/advisories/37504
http://secunia.com/advisories/37656
http://secunia.com/advisories/37675
http://secunia.com/advisories/37604
http://secunia.com/advisories/37640
http://secunia.com/advisories/37859
http://secunia.com/advisories/38056
http://secunia.com/advisories/38241
http://secunia.com/advisories/38484
http://secunia.com/advisories/38003
http://secunia.com/advisories/38020
http://secunia.com/advisories/38687
http://secunia.com/advisories/39136
http://secunia.com/advisories/39242
http://secunia.com/advisories/39243
http://secunia.com/advisories/39292
http://secunia.com/advisories/39317
http://secunia.com/advisories/37383
http://secunia.com/advisories/37399
http://secunia.com/advisories/37453
http://secunia.com/advisories/39278
http://secunia.com/advisories/38781
http://secunia.com/advisories/39500
http://secunia.com/advisories/39628
http://secunia.com/advisories/39461
http://secunia.com/advisories/39632
http://secunia.com/advisories/39713
http://secunia.com/advisories/39819
http://secunia.com/advisories/40070
http://secunia.com/advisories/39127
http://secunia.com/advisories/40545
http://secunia.com/advisories/40747
http://secunia.com/advisories/40866
http://secunia.com/advisories/41480
http://secunia.com/advisories/41490
http://secunia.com/advisories/41967
http://secunia.com/advisories/41972
http://secunia.com/advisories/42377
http://secunia.com/advisories/42379
http://secunia.com/advisories/42467
http://secunia.com/advisories/42811
http://secunia.com/advisories/42724
http://secunia.com/advisories/42733
http://secunia.com/advisories/42808
http://secunia.com/advisories/42816
http://secunia.com/advisories/43308
http://secunia.com/advisories/44183
http://secunia.com/advisories/44954
http://secunia.com/advisories/48577
http://www.vupen.com/english/advisories/2009/3164
http://www.vupen.com/english/advisories/2009/3165
http://www.vupen.com/english/advisories/2009/3205
http://www.vupen.com/english/advisories/2009/3220
http://www.vupen.com/english/advisories/2009/3353
http://www.vupen.com/english/advisories/2009/3354
http://www.vupen.com/english/advisories/2009/3484
http://www.vupen.com/english/advisories/2009/3521
http://www.vupen.com/english/advisories/2009/3587
http://www.vupen.com/english/advisories/2010/0173
http://www.vupen.com/english/advisories/2010/0086
http://www.vupen.com/english/advisories/2010/0748
http://www.vupen.com/english/advisories/2009/3310
http://www.vupen.com/english/advisories/2009/3313
http://www.vupen.com/english/advisories/2010/0848
http://www.vupen.com/english/advisories/2010/0982
http://www.vupen.com/english/advisories/2010/0933
http://www.vupen.com/english/advisories/2010/0916
http://www.vupen.com/english/advisories/2010/1054
http://www.vupen.com/english/advisories/2010/0994
http://www.vupen.com/english/advisories/2010/1107
http://www.vupen.com/english/advisories/2010/1191
http://www.vupen.com/english/advisories/2010/1350
http://www.vupen.com/english/advisories/2010/1673
http://www.vupen.com/english/advisories/2010/1639
http://www.vupen.com/english/advisories/2010/1793
http://www.vupen.com/english/advisories/2010/2010
http://www.vupen.com/english/advisories/2010/2745
http://www.vupen.com/english/advisories/2010/3069
http://www.vupen.com/english/advisories/2010/3086
http://www.vupen.com/english/advisories/2010/3126
http://www.vupen.com/english/advisories/2011/0032
http://www.vupen.com/english/advisories/2011/0033
http://www.vupen.com/english/advisories/2011/0086
XForce ISS Database: tls-renegotiation-weak-security(54158)
http://xforce.iss.net/xforce/xfdb/54158
CopyrightCopyright (c) 2010 E-Soft Inc. http://www.securityspace.com

This is only one of 32582 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

New User Registration
Email:
UserID:
Passwd:
Please email me your monthly newsletters, informing the latest services, improvements & surveys.
Please email me a vulnerability test announcement whenever a new test is added.
   Privacy
Registered User Login
 
UserID:   
Passwd:  
 Forgot userid or passwd?
Email/Userid:



Home | About Us | Contact Us | Partner Programs | Privacy | Mailing Lists | Abuse
Security Audits | Managed DNS | Network Monitoring | Site Analyzer | Internet Research Reports
Web Probe | Whois

© 1998-2013 E-Soft Inc. All rights reserved.