Posted to dev@httpd.apache.org by Rainer Jung <ra...@kippdata.de> on 2009/11/09 23:28:18 UTC

Backport proposal for CVE-2009-3555

I did a first try on backporting the CVE-2009-3555 patch to 2.0:

http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x.patch

I haven't yet had time for intensive testing, but first tests looked OK.
I noticed I couldn't log the SSL_SESSION_ID, but maybe that was a
Windows thing. I haven't yet had time or access to test on Unix, or to
test on Windows without the patch.

Unfortunately I'll be offline for about 10 hours and not responding to comments.

Regards,

Rainer


Re: Backport proposal for CVE-2009-3555

Posted by Rainer Jung <ra...@kippdata.de>.
On 09.11.2009 23:28, Rainer Jung wrote:
> I did a first try on backporting the CVE-2009-3555 patch to 2.0:
> 
> http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x.patch
> 
> I haven't yet had time for intensive testing, but first tests looked OK.
> I noticed I couldn't log the SSL_SESSION_ID, but maybe that was a
> Windows thing. I haven't yet had time or access to test on Unix, or to
> test on Windows without the patch.

Testing looked good: client-initiated reneg is not allowed, server-side
reneg worked. The previously observed missing SSL_SESSION_ID in the
access logs was due to the client using the TLS session ticket extension
in combination with HTTP keep-alive.

I'll add it to 2.0.x STATUS soon.

Regards,

Rainer
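For readers who want to reproduce the SSL_SESSION_ID observation from the thread, the following mod_ssl logging snippet is an added example; it is not part of the patch or of Rainer's messages. It assumes a stock httpd 2.0 mod_ssl with the SSL_PROTOCOL, SSL_CIPHER and SSL_SESSION_ID variables available to CustomLog via the %{...}x format, and a log path of logs/ssl_request_log, both of which are assumptions taken from the standard mod_ssl configuration rather than from this thread.

```apache
# Added example (not from the thread): log the TLS protocol, cipher and
# session ID next to each request so session behaviour can be checked.
# With a client that resumes via the TLS session ticket extension over a
# keep-alive connection, the SSL_SESSION_ID column is expected to be
# empty, which is the effect described in the thread, not a logging bug.
LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x sid=%{SSL_SESSION_ID}x \"%r\" %b" ssl_combined
CustomLog logs/ssl_request_log ssl_combined
```

To see a non-empty session ID in the log, test with a client that does not offer session tickets (for example, openssl s_client with the -no_ticket option, an assumption about the OpenSSL version in use) and compare the column against a browser session that does.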