aboutsummaryrefslogtreecommitdiffstats
path: root/english/lts/security/2016/dla-400.wml
blob: d19d0d3590be9d1e90c3cb821e2e7f8a280f117e (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

<define-tag description>LTS security update</define-tag>
<define-tag moreinfo>
<p>This update fixes certain known vulnerabilities in pound in squeeze-lts by
backporting the version in wheezy.</p>

<ul>

<li><a href="https://security-tracker.debian.org/tracker/CVE-2009-3555">CVE-2009-3555</a>

    <p>The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
    used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl
    in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
    GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
    3.12.4 and earlier, multiple Cisco products, and other products,
    does not properly associate renegotiation handshakes with an
    existing connection, which allows man-in-the-middle attackers to
    insert data into HTTPS sessions, and possibly other types of
    sessions protected by TLS or SSL, by sending an unauthenticated
    request that is processed retroactively by a server in a
    post-renegotiation context, related to a <q>plaintext injection</q>
    attack, aka the <q>Project Mogul</q> issue.</p></li>

<li><a href="https://security-tracker.debian.org/tracker/CVE-2011-3389">CVE-2011-3389</a>

    <p>The SSL protocol, as used in certain configurations in Microsoft
    Windows and Microsoft Internet Explorer, Mozilla Firefox, Google
    Chrome, Opera, and other products, encrypts data by using CBC mode
    with chained initialization vectors, which allows man-in-the-middle
    attackers to obtain plaintext HTTP headers via a blockwise
    chosen-boundary attack (BCBA) on an HTTPS session, in conjunction
    with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the
    Java URLConnection API, or (3) the Silverlight WebClient API, aka a
    <q>BEAST</q> attack.</p></li>

<li><a href="https://security-tracker.debian.org/tracker/CVE-2012-4929">CVE-2012-4929</a>

    <p>The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google
    Chrome, Qt, and other products, can encrypt compressed data without
    properly obfuscating the length of the unencrypted data, which
    allows man-in-the-middle attackers to obtain plaintext HTTP headers
    by observing length differences during a series of guesses in which
    a string in an HTTP request potentially matches an unknown string in
    an HTTP header, aka a <q>CRIME</q> attack.</p></li>

<li><a href="https://security-tracker.debian.org/tracker/CVE-2014-3566">CVE-2014-3566</a>

    <p>The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
    products, uses nondeterministic CBC padding, which makes it easier
    for man-in-the-middle attackers to obtain cleartext data via a
    padding-oracle attack, aka the <q>POODLE</q> issue.</p></li>

</ul>
</define-tag>

# do not modify the following line
#include "$(ENGLISHDIR)/lts/security/2016/dla-400.data"
# $Id$

© 2014-2024 Faster IT GmbH | imprint | privacy policy