CVE-2009-3555
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Related bugs and status
CVE-2009-3555 (Candidate) is related to these bugs:
Bug | Summary | In | Importance | Status
---|---|---|---|---
469752 | firefox,3.5/3.6 startup-notification bug | firefox-3.5 (Ubuntu) | Medium | Invalid
469752 | firefox,3.5/3.6 startup-notification bug | Mozilla Firefox | Medium | Fix Released
469752 | firefox,3.5/3.6 startup-notification bug | firefox-3.5 (Suse) | Medium | Fix Released
469752 | firefox,3.5/3.6 startup-notification bug | firefox (Ubuntu) | Medium | Fix Released
469752 | firefox,3.5/3.6 startup-notification bug | firefox (Ubuntu Lucid) | Medium | Fix Released
469752 | firefox,3.5/3.6 startup-notification bug | firefox-3.5 (Ubuntu Lucid) | Medium | Invalid
484417 | CVE-2009-3555 OpenSSL need to be updated to close TLS MITM attack | openssl (Ubuntu) | Low | Fix Released
484417 | CVE-2009-3555 OpenSSL need to be updated to close TLS MITM attack | openssl (Ubuntu Lucid) | Undecided | Fix Released
506862 | Please merge apache2 2.2.14-5(main) from debian squeeze(main) | apache2 (Ubuntu) | Undecided | Fix Released
511681 | Latest Nginx package appears to need Security Updates | nginx (Ubuntu) | Medium | Fix Released
513099 | Please merge nginx 0.7.64-2 (universe) from Debian testing (main) | nginx (Ubuntu) | Wishlist | Fix Released
551221 | consider a newer version of apache2 for lucid or backport some changes | apache2 (Ubuntu) | Medium | Fix Released
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.4 (Ubuntu) | Medium | Fix Released
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.4 (Ubuntu Dapper) | Undecided | Invalid
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.4 (Ubuntu Hardy) | Undecided | Invalid
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.4 (Ubuntu Jaunty) | Undecided | Invalid
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.4 (Ubuntu Lucid) | Medium | Fix Released
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.4 (Ubuntu Karmic) | Undecided | Fix Released
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.3 (Ubuntu) | Undecided | Invalid
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.3 (Ubuntu Dapper) | Undecided | Invalid
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.3 (Ubuntu Hardy) | Medium | Fix Released
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.3 (Ubuntu Jaunty) | Medium | Fix Released
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.3 (Ubuntu Karmic) | Undecided | Invalid
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.3 (Ubuntu Lucid) | Undecided | Invalid
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.1 (Ubuntu) | Undecided | Invalid
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.1 (Ubuntu Dapper) | Medium | Fix Released
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.1 (Ubuntu Hardy) | Undecided | Invalid
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.1 (Ubuntu Jaunty) | Undecided | Invalid
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.1 (Ubuntu Karmic) | Undecided | Invalid
557408 | New upstream microreleases: 8.4.3, 8.3.10, 8.1.20 | postgresql-8.1 (Ubuntu Lucid) | Undecided | Invalid
566467 | potentially vulnerable to cve-2009-3555 | Ubuntu | Undecided | Invalid
566467 | potentially vulnerable to cve-2009-3555 | Launchpad itself | High | Won't Fix
566467 | potentially vulnerable to cve-2009-3555 | Ubuntu Website - OBSOLETE | Undecided | Won't Fix
589611 | [SRU] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23) | apache2 (Ubuntu) | High | Fix Released
589611 | [SRU] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23) | apache2 (Ubuntu Lucid) | High | Fix Released
605026 | edge.launchpad.net : server does not support RFC 5746, see CVE-2009-3555 | Launchpad itself | Undecided | New
616759 | CVE-2009-3555 tracking bug | openssl (Ubuntu) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | apache2 (Ubuntu) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | apache2 (Ubuntu Dapper) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | openssl (Ubuntu Dapper) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | apache2 (Ubuntu Hardy) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | openssl (Ubuntu Hardy) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | apache2 (Ubuntu Karmic) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | openssl (Ubuntu Karmic) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | apache2 (Ubuntu Lucid) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | openssl (Ubuntu Lucid) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | apache2 (Ubuntu Jaunty) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | openssl (Ubuntu Jaunty) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | apache2 (Ubuntu Maverick) | Undecided | Fix Released
616759 | CVE-2009-3555 tracking bug | openssl (Ubuntu Maverick) | Undecided | Fix Released
700198 | CVE-2009-0793 | lcms (Ubuntu) | Undecided | Fix Released
700198 | CVE-2009-0793 | openjdk-6 (Ubuntu) | Low | Fix Released
700198 | CVE-2009-0793 | openjdk-6b18 (Ubuntu) | Low | Fix Released
700198 | CVE-2009-0793 | gimp (Ubuntu) | Undecided | Invalid
700198 | CVE-2009-0793 | ia32-libs (Ubuntu) | Low | Fix Released
700198 | CVE-2009-0793 | gimp (Ubuntu Hardy) | Undecided | Invalid
700198 | CVE-2009-0793 | ia32-libs (Ubuntu Hardy) | Low | Fix Released
700198 | CVE-2009-0793 | lcms (Ubuntu Hardy) | Low | Fix Released
700198 | CVE-2009-0793 | openjdk-6 (Ubuntu Hardy) | Low | Fix Released
700198 | CVE-2009-0793 | openjdk-6b18 (Ubuntu Hardy) | Undecided | Invalid
700198 | CVE-2009-0793 | gimp (Ubuntu Karmic) | Undecided | Invalid
700198 | CVE-2009-0793 | ia32-libs (Ubuntu Karmic) | Low | Fix Released
700198 | CVE-2009-0793 | lcms (Ubuntu Karmic) | Low | Fix Released
700198 | CVE-2009-0793 | openjdk-6 (Ubuntu Karmic) | Undecided | Fix Released
700198 | CVE-2009-0793 | openjdk-6b18 (Ubuntu Karmic) | Undecided | Invalid
700198 | CVE-2009-0793 | gimp (Ubuntu Lucid) | Undecided | Invalid
700198 | CVE-2009-0793 | ia32-libs (Ubuntu Lucid) | Low | Fix Released
700198 | CVE-2009-0793 | lcms (Ubuntu Lucid) | Low | Fix Released
700198 | CVE-2009-0793 | openjdk-6 (Ubuntu Lucid) | Undecided | Fix Released
700198 | CVE-2009-0793 | openjdk-6b18 (Ubuntu Lucid) | Low | Fix Released
700198 | CVE-2009-0793 | gimp (Ubuntu Maverick) | Undecided | Invalid
700198 | CVE-2009-0793 | ia32-libs (Ubuntu Maverick) | Low | Fix Released
700198 | CVE-2009-0793 | lcms (Ubuntu Maverick) | Low | Fix Released
700198 | CVE-2009-0793 | openjdk-6 (Ubuntu Maverick) | Low | Fix Released
700198 | CVE-2009-0793 | openjdk-6b18 (Ubuntu Maverick) | Low | Fix Released
700198 | CVE-2009-0793 | gimp (Ubuntu Natty) | Undecided | Invalid
700198 | CVE-2009-0793 | ia32-libs (Ubuntu Natty) | Low | Fix Released
700198 | CVE-2009-0793 | lcms (Ubuntu Natty) | Undecided | Fix Released
700198 | CVE-2009-0793 | openjdk-6 (Ubuntu Natty) | Low | Fix Released
700198 | CVE-2009-0793 | openjdk-6b18 (Ubuntu Natty) | Low | Fix Released
798672 | Firefox 5 unable to renegotiate on SSL socket | firefox (Ubuntu) | High | Won't Fix
798672 | Firefox 5 unable to renegotiate on SSL socket | Mozilla Firefox | Medium | Won't Fix
862466 | Creating or Opening an Event in Lightning leads to The window "Calendar - Mozilla Thunderbird" is not responding. | lightning-extension (Ubuntu) | Undecided | Invalid
862466 | Creating or Opening an Event in Lightning leads to The window "Calendar - Mozilla Thunderbird" is not responding. | Lightning | Undecided | Invalid
862466 | Creating or Opening an Event in Lightning leads to The window "Calendar - Mozilla Thunderbird" is not responding. | Mozilla Thunderbird | Critical | Invalid
888504 | Lightning won't connect to CALDAV server which doesn't support RFC 5746 | lightning-extension (Ubuntu) | Undecided | Fix Released
888504 | Lightning won't connect to CALDAV server which doesn't support RFC 5746 | Mozilla Thunderbird | High | Fix Released
1800605 | lighttpd: "SSL: renegotiation initiated by client, killing connection" | lighttpd (Ubuntu) | Undecided | Confirmed
1958267 | wpa can't connect to servers using TLS 1.1 or older | wpa (Ubuntu) | High | Fix Released
1958267 | wpa can't connect to servers using TLS 1.1 or older | wpa (Ubuntu Jammy) | High | Fix Released
1958267 | wpa can't connect to servers using TLS 1.1 or older | wpa (Debian) | Unknown | Fix Released
1963834 | openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] | openssl (Ubuntu) | Undecided | Won't Fix