1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3253-1] pound security update

    From Thijs Kinkhorst@1:229/2 to All on Thu May 7 21:50:02 2015
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3253-1 [email protected] http://www.debian.org/security/ Thijs Kinkhorst
    May 07, 2015 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : pound
    CVE ID : CVE-2009-3555 CVE-2012-4929 CVE-2014-3566
    Debian Bug : 723731 727197 765539 765649

    Pound, a HTTP reverse proxy and load balancer, had several issues
    related to vulnerabilities in the Secure Sockets Layer (SSL) protocol.

    For Debian 7 (wheezy) this update adds a missing part to make it
    actually possible to disable client-initiated renegotiation and
    disables it by default (CVE-2009-3555). TLS compression is disabled (CVE-2012-4929), although this is normally already disabled by the OpenSSL system library. Finally it adds the ability to disable the SSLv3 protocol (CVE-2014-3566) entirely via the new "DisableSSLv3" configuration
    directive, although it will not disabled by default in this update. Additionally a non-security sensitive issue in redirect encoding is
    addressed.

    For Debian 8 (jessie) these issues have been fixed prior to the release,
    with the exception of client-initiated renegotiation (CVE-2009-3555).
    This update addresses that issue for jessie.

    For the oldstable distribution (wheezy), these problems have been fixed
    in version 2.6-2+deb7u1.

    For the stable distribution (jessie), these problems have been fixed in
    version 2.6-6+deb8u1.

    For the unstable distribution (sid), these problems have been fixed in
    version 2.6-6.1.

    We recommend that you upgrade your pound packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQEcBAEBCAAGBQJVS79aAAoJEFb2GnlAHawETHwH/RrPS2EYLPKsjvXD6zokWclq IGaOOCcXQS9u22qtii5lWBPvBH6ALZCrd46wQBwlgmEaPu0JR/8ILHtwoIF3soFM 49SQVkPAfApKSugJlJasO7E59K/ip6GYmxNZ+uVVSggK2OYnIicFymx8D/7E6e3Q RFv6OnOtLxVpXulpDZ0gGJswwuXroQLufG8l5E4LOOAdj/ZmW7N7F4J4BB6RSNg4 fadVn+u+BdzKx+C62DQIMsgGpxtyXR3Iy372bzzpzIbJtBMaM6YuMBCeR8T1EfB3 Q3eRWj6U60A4JCtQuGyW98MWs3HWZkiF3O53Gc6nUHMuWeLoaoNbIYpcsMoSCZo=
    =N3Sp
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)