SUSE-SA:2009:057
Nov 18, 2009 - 9:50 a.m.

man-in-the-middle attack in openssl

2009-11-18 09:50:39
lists.opensuse.org
EPSS: 0.002 (Low), percentile 62.3%

The TLS/SSLv3 protocol as implemented in openssl prior to this update was not able to associate data that had already been sent with a renegotiated connection. This allowed man-in-the-middle attackers to inject HTTP requests into an HTTPS session without being noticed. For example, Apache's mod_ssl was vulnerable to this kind of attack because it uses openssl. It is believed that this vulnerability is actively exploited in the wild to get access to HTTPS-protected web sites. The attack is not limited to HTTP.

Please note that this update disables renegotiation for any application using openssl, which may cause problems in some cases.
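A toy model of the flaw and of the update's behaviour, added here as an illustration (it is not code from the advisory or from openssl); the class `ToyTlsServer`, the function `simulate`, the peer labels and the payloads are all constructed. With renegotiation allowed, data from both handshakes reaches the application as one stream attributed to the latest peer; with it disabled, the second handshake is refused, which equally blocks legitimate renegotiation.

```python
from dataclasses import dataclass, field

class RenegotiationRefused(Exception):
    """Raised when a second handshake is attempted on a server that forbids it."""

@dataclass
class ToyTlsServer:
    """Constructed model of one server-side connection; not openssl code."""
    allow_renegotiation: bool   # False models the behaviour after the update
    epoch: int = 0              # incremented by every completed handshake
    peer: str = ""              # identity established by the latest handshake
    records: list = field(default_factory=list)  # (epoch, payload) in arrival order

    def handshake(self, peer: str) -> None:
        if self.epoch > 0 and not self.allow_renegotiation:
            raise RenegotiationRefused("renegotiation is disabled")
        self.epoch += 1
        self.peer = peer

    def receive(self, payload: bytes) -> None:
        self.records.append((self.epoch, payload))

    def app_view(self) -> tuple:
        # The application gets one byte stream plus the *current* peer;
        # the epoch each record arrived in is not visible to it.
        return self.peer, b"".join(p for _, p in self.records)

    def epochs_in_stream(self) -> set:
        return {e for e, _ in self.records}

def simulate(allow_renegotiation: bool) -> dict:
    srv = ToyTlsServer(allow_renegotiation)
    srv.handshake("peer-A")                 # initial handshake
    srv.receive(b"<sent before renegotiation>")
    refused = False
    try:
        srv.handshake("peer-B")             # renegotiation on the same connection
        srv.receive(b"<sent after renegotiation>")
    except RenegotiationRefused:
        refused = True                      # no second handshake completes
    peer, stream = srv.app_view()
    return {"refused": refused, "peer": peer, "stream": stream,
            "epochs": sorted(srv.epochs_in_stream())}

if __name__ == "__main__":
    for allow in (True, False):
        print("renegotiation allowed:", allow, "->", simulate(allow))
```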

Solution

There is no known workaround. Please install the update. Moblin packages will be released later.