Synopsis: Moderate: openssl097a security update
Issue date: 2010-03-25
CVE Names: CVE-2009-3555
CVE-2009-3555 TLS: MITM attacks via session renegotiation
A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handled session renegotiation. A
man-in-the-middle attacker could use this flaw to prefix arbitrary plain
text to a client's session (for example, an HTTPS connection to a
website). This could force the server to process an attacker's request
as if authenticated using the victim's credentials. This update
addresses this flaw by implementing the TLS Renegotiation Indication
Extension, as defined in RFC 5746. (CVE-2009-3555)
Refer to the following Knowledgebase article for additional details
about this flaw: http://kbase.redhat.com/faq/docs/DOC-20491
For the update to take effect, all services linked to the openssl097a
library must be restarted, or the system rebooted.
SL 5.x
SRPMS:
openssl097a-0.9.7a-9.el5_4.2.src.rpm
i386:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm
x86_64:
openssl097a-0.9.7a-9.el5_4.2.i386.rpm
openssl097a-0.9.7a-9.el5_4.2.x86_64.rpm
-Connie Sieh
-Troy Dawson