Mailinglist Archive: opensuse-java (6 mails)

Re: [opensuse-java] TLS renegotiation RFC 5746
  • From: Robert Munteanu <robert.munteanu@xxxxxxxxx>
  • Date: Thu, 21 Oct 2010 18:36:14 +0300
  • Message-id: <AANLkTinF8eTab8DbQ_ZrVj8sjbrT7xOC94cgkKMLQ-4L@xxxxxxxxxxxxxx>
On Thu, Oct 21, 2010 at 6:34 PM, Willy Weisz <Willy.Weisz@xxxxxxxxxxxx> wrote:
First of all I mean CVE-2009-3555. The SSL/TLS MITM vulnerability was
addressed in 2 steps:
1. As an emergency action: disable SSL/TLS renegotiation. This is the
"solution" used in Sun Java u19.
2. The real solution was a redefinition of the renegotiation protocol
(see RFC 5746). This was included in Sun Java u22.

Let me reformulate my question: Where can I find an openSuSE Java rpm
set for Sun Java u22 and/or an icedtea6 patchset which includes the RFC
5746 conforming SSL/TLS renegotiation?

Incidentally, Java 6 Update 22 was pushed to the Updates repository today.

Robert


Regards
Willy Weisz

Michal Vyskocil wrote:
On Monday 18 of October 2010 11:36:59 Willy Weisz wrote:
 Is there any version of JDK 1.6 available for openSuSE 11.3 which
contains the patch implementing RFC 5746 to mitigate the TLS
renegotiation MITM attack?

Do you mean CVE-2009-5555 [1]? This was addressed by Sun Java u19 update and
icedtea6-1.7.3 patchset, more recent versions of both JVMs are available in
standard update repository [2]

[1] http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html
[2] http://download.opensuse.org/update/11.3/

Regards
Michal Vyskocil
Just disallowing the renegotiation isn't an option for my Java applet.

Regards
Willy Weisz


--
-----------------------------------------------------------
Willy Weisz

European Centre for Parallel Computing at Vienna (VCPC)
          Computational Science Center
              University of Vienna
             Nordbergstrasse 15/C312
                A-1090 Wien
Tel: (+43 1) 4277 - 39424          Fax: (+43 1) 4277 - 9394
            e-mail: Willy.Weisz@xxxxxxxxxxxx

--
To unsubscribe, e-mail: opensuse-java+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-java+help@xxxxxxxxxxxx





--
Sent from my (old) computer