[SECURITY] [DLA 400-1] pound security update

2016-01-2404:50:54

lists.debian.org

3.4 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.975 High

EPSS

Percentile

100.0%

JSON

Package : pound
Version : 2.6-1+deb6u1
CVE ID : CVE-2009-3555 CVE-2011-3389 CVE-2012-4929 CVE-2014-3566

This update fixes certain known vulnerabilities in pound in squeeze-lts by
backporting the version in wheezy.

CVE-2009-3555
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl
in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
3.12.4 and earlier, multiple Cisco products, and other products,
does not properly associate renegotiation handshakes with an
existing connection, which allows man-in-the-middle attackers to
insert data into HTTPS sessions, and possibly other types of
sessions protected by TLS or SSL, by sending an unauthenticated
request that is processed retroactively by a server in a
post-renegotiation context, related to a "plaintext injection"
attack, aka the "Project Mogul" issue.

CVE-2011-3389
The SSL protocol, as used in certain configurations in Microsoft
Windows and Microsoft Internet Explorer, Mozilla Firefox, Google
Chrome, Opera, and other products, encrypts data by using CBC mode
with chained initialization vectors, which allows man-in-the-middle
attackers to obtain plaintext HTTP headers via a blockwise
chosen-boundary attack (BCBA) on an HTTPS session, in conjunction
with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the
Java URLConnection API, or (3) the Silverlight WebClient API, aka a
"BEAST" attack.

CVE-2012-4929
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google
Chrome, Qt, and other products, can encrypt compressed data without
properly obfuscating the length of the unencrypted data, which
allows man-in-the-middle attackers to obtain plaintext HTTP headers
by observing length differences during a series of guesses in which
a string in an HTTP request potentially matches an unknown string in
an HTTP header, aka a "CRIME" attack.

CVE-2014-3566
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
products, uses nondeterministic CBC padding, which makes it easier
for man-in-the-middle attackers to obtain cleartext data via a
padding-oracle attack, aka the "POODLE" issue.

Brian May <[email protected]>

OSVersionArchitecturePackageVersionFilename
Debian6i386lighttpd-mod-webdav< 1.4.28-2+squeeze1.7lighttpd-mod-webdav_1.4.28-2+squeeze1.7_i386.deb
Debian7allcalendar-google-provider< 31.3.0-1~deb7u1calendar-google-provider_31.3.0-1~deb7u1_all.deb
Debian7amd64icedtea-6-jre-cacao< 6b34-1.13.6-1~deb7u1icedtea-6-jre-cacao_6b34-1.13.6-1~deb7u1_amd64.deb
Debian7powerpcopenjdk-7-dbg< 7u75-2.5.4-1~deb7u1openjdk-7-dbg_7u75-2.5.4-1~deb7u1_powerpc.deb
Debian6allopenjdk-6-jre-lib< 6b34-1.13.6-1~deb6u1openjdk-6-jre-lib_6b34-1.13.6-1~deb6u1_all.deb
Debian6alllighttpd-doc< 1.4.28-2+squeeze1.7lighttpd-doc_1.4.28-2+squeeze1.7_all.deb
Debian6allopenjdk-6-source< 6b34-1.13.6-1~deb6u1openjdk-6-source_6b34-1.13.6-1~deb6u1_all.deb
Debian7armhfopenjdk-6-dbg< 6b34-1.13.6-1~deb7u1openjdk-6-dbg_6b34-1.13.6-1~deb7u1_armhf.deb
Debian7allopenjdk-6< 6b34-1.13.6-1~deb7u1openjdk-6_6b34-1.13.6-1~deb7u1_all.deb
Debian7s390lighttpd-mod-mysql-vhost< 1.4.31-4+deb7u4lighttpd-mod-mysql-vhost_1.4.31-4+deb7u4_s390.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	i386	lighttpd-mod-webdav	< 1.4.28-2+squeeze1.7	lighttpd-mod-webdav_1.4.28-2+squeeze1.7_i386.deb
Debian	7	all	calendar-google-provider	< 31.3.0-1~deb7u1	calendar-google-provider_31.3.0-1~deb7u1_all.deb
Debian	7	amd64	icedtea-6-jre-cacao	< 6b34-1.13.6-1~deb7u1	icedtea-6-jre-cacao_6b34-1.13.6-1~deb7u1_amd64.deb
Debian	7	powerpc	openjdk-7-dbg	< 7u75-2.5.4-1~deb7u1	openjdk-7-dbg_7u75-2.5.4-1~deb7u1_powerpc.deb
Debian	6	all	openjdk-6-jre-lib	< 6b34-1.13.6-1~deb6u1	openjdk-6-jre-lib_6b34-1.13.6-1~deb6u1_all.deb
Debian	6	all	lighttpd-doc	< 1.4.28-2+squeeze1.7	lighttpd-doc_1.4.28-2+squeeze1.7_all.deb
Debian	6	all	openjdk-6-source	< 6b34-1.13.6-1~deb6u1	openjdk-6-source_6b34-1.13.6-1~deb6u1_all.deb
Debian	7	armhf	openjdk-6-dbg	< 6b34-1.13.6-1~deb7u1	openjdk-6-dbg_6b34-1.13.6-1~deb7u1_armhf.deb
Debian	7	all	openjdk-6	< 6b34-1.13.6-1~deb7u1	openjdk-6_6b34-1.13.6-1~deb7u1_all.deb
Debian	7	s390	lighttpd-mod-mysql-vhost	< 1.4.31-4+deb7u4	lighttpd-mod-mysql-vhost_1.4.31-4+deb7u4_s390.deb