Mailinglist Archive: opensuse-java (6 mails)
Re: [opensuse-java] TLS renegotiation RFC 5746
- From: Michal Vyskocil <mvyskocil@xxxxxxx>
- Date: Fri, 22 Oct 2010 12:19:38 +0200
- Message-id: <201010221219.46219.mvyskocil@xxxxxxx>
On Thursday 21 of October 2010 19:04:05 Willy Weisz wrote:
Hi Willy,
Thanks for the clarification. I checked the list of CVEs fixed by the Icedtea6-1.9.1
[1] update I'm working on at the moment. According to the announcement it conforms to Sun
Java u22 - the update is tracked as bnc#642531 [2].
So RFC 5746 is already fixed in Sun Java; the openjdk fix is WIP.
[1] http://blog.fuseyism.com/index.php/2010/10/12/icedtea6-175-182-and-191-released/
[2] https://bugzilla.novell.com/show_bug.cgi?id=642531
Regards
Michal Vyskocil
Robert Munteanu wrote:
On Thu, Oct 21, 2010 at 6:34 PM, Willy Weisz <Willy.Weisz@xxxxxxxxxxxx> wrote:
First of all I mean CVE-2009-3555. The SSL/TLS MITM vulnerability was
addressed in 2 steps:
1. As an emergency action: disable SSL/TLS renegotiation. This is the
"solution" used in Sun Java u19.
2. The real solution was a redefinition of the renegotiation protocol
(see RFC 5746). This was included in Sun Java u22.
Let me reformulate my question: Where can I find an openSuSE Java rpm
set for Sun Java u22 and/or an icedtea6 patchset which includes the RFC
5746 conforming SSL/TLS renegotiation?
Incidentally, Java 6 Update 22 was pushed to the Updates repository
today.
Thank you for the information.
What about openjdk and RFC 5746?
Regards
Willy
Robert
Regards
Willy Weisz
Michal Vyskocil wrote:
On Monday 18 of October 2010 11:36:59 Willy Weisz wrote:
Is there any version of JDK 1.6 available for openSuSE 11.3 which
contains the patch implementing RFC 5746 to mitigate the TLS
renegotiation MITM attack?
Do you mean CVE-2009-5555 [1]? This was addressed by the Sun Java u19
update and the icedtea6-1.7.3 patchset; more recent versions of both JVMs
are available in the standard update repository [2]
[1] http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html
[2] http://download.opensuse.org/update/11.3/
Regards
Michal Vyskocil
Just disallowing the renegotiation isn't an option for my Java applet.
Regards
Willy Weisz
--
-----------------------------------------------------------
Willy Weisz
European Centre for Parallel Computing at Vienna (VCPC)
Computational Science Center
University of Vienna
Nordbergstrasse 15/C312
A-1090 Wien
Tel: (+43 1) 4277 - 39424 Fax: (+43 1) 4277 - 9394
e-mail: Willy.Weisz@xxxxxxxxxxxx
--
To unsubscribe, e-mail: opensuse-java+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-java+help@xxxxxxxxxxxx
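Willy's two-step summary in the thread (first disable renegotiation outright, then adopt the RFC 5746 redefinition) is the technical core of this exchange. The Python below is an added example, not code from this list, from IcedTea or from any JDK, showing what the RFC 5746 signalling looks like on the wire and why it stops the CVE-2009-3555 splice: the client announces support with the renegotiation_info extension (or the SCSV for servers that choke on extensions), and on every handshake the server must echo back the verify_data of the connection it believes it is renegotiating, which a victim performing what it thinks is an initial handshake will not recognise. Only bare TLS 1.0 ClientHello/ServerHello handshake bodies are built (no record layer, no key exchange); the all-zero randoms, the cipher suite and the verify_data values are constructed for the example.

```python
"""RFC 5746 secure-renegotiation signalling on raw TLS 1.0 handshake bodies.
Added example; not code from the opensuse-java thread or from any JDK."""
import struct

RENEGOTIATION_INFO = 0xFF01                 # extension type, RFC 5746 section 3.2
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite, section 3.3
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F       # assumed example suite


def _ext(renegotiated_connection):
    # extension body is opaque renegotiated_connection<0..255>
    payload = bytes([len(renegotiated_connection)]) + renegotiated_connection
    return struct.pack("!HH", RENEGOTIATION_INFO, len(payload)) + payload


def _handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_client_hello(cipher_suites, client_verify_data=b"", use_scsv=False, legacy=False):
    """ClientHello. client_verify_data is empty on the initial handshake and the
    12-byte TLS verify_data of the previous handshake when renegotiating.
    legacy=True models a pre-RFC 5746 client that sends neither signal."""
    suites = list(cipher_suites) + ([TLS_EMPTY_RENEGOTIATION_INFO_SCSV] if use_scsv else [])
    suites_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + bytes(32)          # TLS 1.0, all-zero random (constructed)
            + b"\x00"                         # empty session id
            + struct.pack("!H", len(suites_bytes)) + suites_bytes
            + b"\x01\x00")                    # compression: null only
    if not legacy:
        ext = _ext(client_verify_data)
        body += struct.pack("!H", len(ext)) + ext
    return _handshake(0x01, body)


def build_server_hello(cipher_suite, renegotiated_connection=None):
    """ServerHello; renegotiated_connection=None models a legacy server."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    if renegotiated_connection is not None:
        ext = _ext(renegotiated_connection)
        body += struct.pack("!H", len(ext)) + ext
    return _handshake(0x02, body)


def _extensions(body, pos):
    """Yield (type, data) from the extensions block at body[pos], if present."""
    if pos >= len(body):
        return
    total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        yield etype, body[pos:pos + elen]
        pos += elen


def _renegotiated_connection(exts):
    for etype, data in exts:
        if etype == RENEGOTIATION_INFO:
            if not data or data[0] != len(data) - 1:
                raise ValueError("malformed renegotiation_info")
            return data[1:]
    return None


def client_signals_secure_renegotiation(client_hello):
    """Server side: does this ClientHello carry the SCSV or the extension?"""
    body = client_hello[4:]
    pos = 2 + 32
    pos += 1 + body[pos]                               # session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[pos + 2 + i:pos + 4 + i])[0] for i in range(0, n, 2)]
    pos += 2 + n
    pos += 1 + body[pos]                               # compression methods
    has_ext = _renegotiated_connection(_extensions(body, pos)) is not None
    return TLS_EMPTY_RENEGOTIATION_INFO_SCSV in suites or has_ext


def check_server_hello(server_hello, client_verify_data=b"", server_verify_data=b""):
    """Client side, RFC 5746 section 3.5: 'secure' if the server echoed exactly
    client_verify_data + server_verify_data (both empty on an initial handshake),
    'legacy' if a server omitted the extension on an initial handshake,
    ValueError (connection must be aborted) on any other outcome."""
    body = server_hello[4:]
    pos = 2 + 32
    pos += 1 + body[pos]                               # session id
    pos += 2 + 1                                       # cipher suite, compression
    rc = _renegotiated_connection(_extensions(body, pos))
    if rc is None:
        if client_verify_data:
            raise ValueError("renegotiation without renegotiation_info")
        return "legacy"
    if rc != client_verify_data + server_verify_data:
        raise ValueError("renegotiation_info does not belong to this connection")
    return "secure"


def client_aborts(server_hello, client_verify_data=b"", server_verify_data=b""):
    try:
        check_server_hello(server_hello, client_verify_data, server_verify_data)
    except ValueError:
        return True
    return False


def mitm_splice_detected():
    """CVE-2009-3555 model: the attacker completed the first handshake with the
    server, so the victim's 'initial' handshake is a renegotiation from the
    server's point of view and the server echoes the attacker's 24 bytes of
    verify_data.  The victim, expecting an empty value, must abort."""
    attacker_verify = b"A" * 12 + b"S" * 12            # constructed verify_data
    return client_aborts(build_server_hello(TLS_RSA_WITH_AES_128_CBC_SHA, attacker_verify))
```

The same checks run in the other direction on a server: a peer that sent the extension once must send it, with the right verify_data, on every later handshake, and a peer that never sent it may only be allowed to renegotiate if the operator has explicitly accepted the pre-RFC 5746 risk. Merely refusing all renegotiation, the u19-era "solution" Willy says he cannot live with, is what the second half of this example replaces.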