CVE-2009-3555

Name	CVE-2009-3555
Description	The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-400-1, DSA-1934-1, DSA-2141-1, DSA-2141-2, DSA-2626-1, DSA-3253-1
Debian Bugs	704946, 765649

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
apache2 (PTS)	jessie, jessie (lts)	2.4.10-10+deb8u29	fixed
	stretch (security)	2.4.25-3+deb9u13	fixed
	stretch (lts), stretch	2.4.25-3+deb9u19	fixed
	buster, buster (lts)	2.4.59-1~deb10u4	fixed
	buster (security)	2.4.59-1~deb10u1	fixed
	bullseye	2.4.62-1~deb11u1	fixed
	bullseye (security)	2.4.62-1~deb11u2	fixed
	bookworm (security), bookworm	2.4.62-1~deb12u2	fixed
	sid, trixie	2.4.62-3	fixed
lighttpd (PTS)	jessie, jessie (lts)	1.4.35-4+deb8u1	fixed
	stretch (security), stretch (lts), stretch	1.4.45-1+deb9u1	fixed
	buster (security), buster, buster (lts)	1.4.53-4+deb10u3	fixed
	bullseye (security), bullseye	1.4.59-1+deb11u2	fixed
	bookworm	1.4.69-1	fixed
	sid, trixie	1.4.76-1	fixed
nginx (PTS)	jessie, jessie (lts)	1.6.2-5+deb8u10	fixed
	stretch (security)	1.10.3-1+deb9u7	fixed
	stretch (lts), stretch	1.10.3-1+deb9u8	fixed
	buster (security), buster, buster (lts)	1.14.2-2+deb10u5	fixed
	bullseye (security), bullseye	1.18.0-6.1+deb11u3	fixed
	bookworm	1.22.1-9	fixed
	sid, trixie	1.26.0-3	fixed
nss (PTS)	jessie, jessie (lts)	2:3.26-1+debu8u19	fixed
	stretch (security)	2:3.26.2-1.1+deb9u5	fixed
	stretch (lts), stretch	2:3.26.2-1.1+deb9u8	fixed
	buster, buster (lts)	2:3.42.1-1+deb10u9	fixed
	buster (security)	2:3.42.1-1+deb10u8	fixed
	bullseye	2:3.61-1+deb11u3	fixed
	bullseye (security)	2:3.61-1+deb11u4	fixed
	bookworm	2:3.87.1-1	fixed
	bookworm (security)	2:3.87.1-1+deb12u1	fixed
	trixie	2:3.105-2	fixed
	sid	2:3.106-1	fixed
openssl (PTS)	jessie, jessie (lts)	1.0.1t-1+deb8u21	fixed
	stretch (security)	1.1.0l-1~deb9u6	fixed
	stretch (lts), stretch	1.1.0l-1~deb9u9	fixed
	buster (security), buster, buster (lts)	1.1.1n-0+deb10u6	fixed
	bullseye	1.1.1w-0+deb11u1	fixed
	bullseye (security)	1.1.1w-0+deb11u2	fixed
	bookworm	3.0.15-1~deb12u1	fixed
	bookworm (security)	3.0.14-1~deb12u2	fixed
	sid, trixie	3.3.2-2	fixed
polarssl (PTS)	jessie, jessie (lts)	1.3.9-2.1+deb8u4	fixed
pound (PTS)	jessie, jessie (lts)	2.6-6+deb8u3	fixed
	stretch	2.7-1.3+deb9u1	fixed
	bullseye	3.0-2	fixed
	sid, trixie	4.15-1	fixed
tomcat-native (PTS)	jessie, jessie (lts)	1.1.32~repack-2+deb8u2	fixed
	stretch (security), stretch (lts), stretch	1.2.21-1~deb9u1	fixed
	buster	1.2.21-1	fixed
	bullseye	1.2.26-1	fixed
	bookworm	1.2.35-1	fixed
	sid, trixie	1.3.1-1	fixed
zorp (PTS)	jessie	3.9.5-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
apache2	source	etch	2.2.3-4+etch11	DSA-1934-1
apache2	source	lenny	2.2.9-10+lenny6	DSA-1934-1
apache2	source	(unstable)	2.2.14-2
classpath	source	(unstable)	(unfixed)
gnutls26	source	(unstable)	(not affected)
lighttpd	source	squeeze	1.4.28-2+squeeze1.2	DSA-2626-1
lighttpd	source	(unstable)	1.4.30-1
matrixssl	source	(unstable)	1.8.8-1
nginx	source	(unstable)	0.7.64-1
nss	source	lenny	3.12.3.1-0lenny3	DSA-2141-2
nss	source	(unstable)	3.12.6-1
openjdk-6	source	(unstable)	6b18-1.8.2-1
openssl	source	lenny	0.9.8g-15+lenny11	DSA-2141-1
openssl	source	(unstable)	0.9.8k-6
polarssl	source	(unstable)	1.2.0-1		704946
pound	source	squeeze	2.6-1+deb6u1	DLA-400-1
pound	source	wheezy	2.6-2+deb7u1	DSA-3253-1
pound	source	jessie	2.6-6+deb8u1	DSA-3253-1
pound	source	(unstable)	2.6-6.1		765649
sun-java5	source	(unstable)	(unfixed)
sun-java6	source	lenny	6-22-0lenny
sun-java6	source	(unstable)	6.19-1
tomcat-native	source	(unstable)	1.1.18-1
zorp	source	(unstable)	3.9.2-1

Notes

[lenny] - sun-java5 <no-dsa> (Minor issue)
Update 22 for Sun Java implemented the new RFC extension
[lenny] - matrixssl <no-dsa> (Fringe SSL implementation, can be fixed in spu)
[lenny] - tomcat-native <no-dsa> (Minor issue)
- gnutls26 <not-affected> (safely handles renegotiation; however support for RFC 5746 would be useful)
[squeeze] - zorp <no-dsa> (Minor issue)
[lenny] - zorp <no-dsa> (Minor issue)
[jessie] - pound <no-dsa> (Minor issue)
the anti_beast.patch in pound 2.6-2 has some provision for this issue too but it seems to be broken, cf #765649
for any of the currently unfixed implementations, you can solve the problem by disabling renegotiation
the following implement RFC 5746:
- openssl 0.9.8m-1
- apache 2.2.15-1
- nss 3.12.6-1
- sun-java6 6.19-1