First of all I mean CVE-2009-3555. The SSL/TLS MITM vulnerability was addressed in 2 steps:

1. As an emergency action: disable SSL/TLS renegotiation. This is the "solution" used in Sun Java u19.
2. The real solution was a redefinition of the renegotiation protocol (see RFC 5746). This was included in Sun Java u22.

Let me reformulate my question: Where can I find an openSuSE Java rpm set for Sun Java u22 and/or an icedtea6 patchset which includes the RFC 5746 conforming SSL/TLS renegotiation?

Regards
Willy Weisz

Michal Vyskocil wrote:
> On Monday 18 of October 2010 11:36:59 Willy Weisz wrote:
> > Is there any version of JDK 1.6 available for openSuSE 11.3 which contains the patch implementing RFC 5746 to mitigate the TLS renegotiation MITM attack?
>
> Do you mean CVE-2009-5555 [1]? This was addressed by Sun Java u19 update and icedtea6-1.7.3 patchset, more recent versions of both JVMs are available in standard update repository [2]
>
> [1] http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html
> [2] http://download.opensuse.org/update/11.3/
>
> Regards
> Michal Vyskocil

Just disallowing the renegotiation isn't an option for my Java applet.

Regards
Willy Weisz

-- 
-----------------------------------------------------------
Willy Weisz
European Centre for Parallel Computing at Vienna (VCPC)
Computational Science Center
University of Vienna
Nordbergstrasse 15/C312
A-1090 Wien
Tel: (+43 1) 4277 - 39424
Fax: (+43 1) 4277 - 9394
e-mail: Willy.Weisz@univie.ac.at
--
To unsubscribe, e-mail: opensuse-java+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-java+help@opensuse.org
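The two mitigation steps discussed in this thread differ in what the server can decide per peer: the u19-style emergency fix refuses renegotiation for everyone, while RFC 5746 lets a client advertise, in its initial ClientHello, that it implements secure renegotiation, either through the renegotiation_info extension (type 0xff01, empty on the first handshake) or through the signalling cipher suite TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff). The following Python is an added illustration, not code from the thread, from Sun Java or from icedtea6: it parses a ClientHello, reports which RFC 5746 signal (if any) is present, and so shows the information a server uses to allow renegotiation only with RFC 5746-capable peers and refuse it for legacy ones. The sample ClientHellos are constructed inline (not captured traffic), and the helper names `build_client_hello`, `parse_client_hello` and `classify_client_hello` are my own.

```python
import struct

# Values defined by RFC 5746 and the TLS registries.
RENEGOTIATION_INFO_EXT = 0xFF01          # renegotiation_info extension type
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # TLS_EMPTY_RENEGOTIATION_INFO_SCSV
HANDSHAKE_CLIENT_HELLO = 0x01


def build_client_hello(cipher_suites, extensions=()):
    """Build a minimal TLS 1.0 ClientHello handshake message (no record
    layer).  Used here only to construct the sample inputs below."""
    body = b"\x03\x01"                       # client_version: TLS 1.0
    body += b"\x00" * 32                     # random (constructed, all zero)
    body += b"\x00"                          # session_id length 0
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Parse a ClientHello into {'cipher_suites': [...], 'extensions': {type: data}}.
    Raises ValueError on a malformed or truncated message."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("handshake length mismatch")
    pos = 4 + 2 + 32                          # skip client_version and random
    if pos >= len(msg):
        raise ValueError("truncated before session_id")
    pos += 1 + msg[pos]                       # skip session_id
    if pos + 2 > len(msg):
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack_from("!H", msg, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(msg):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack_from("!H", msg, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    if pos >= len(msg):
        raise ValueError("truncated before compression_methods")
    pos += 1 + msg[pos]                       # skip compression methods
    extensions = {}
    if pos < len(msg):                        # the extensions block is optional
        if pos + 2 > len(msg):
            raise ValueError("truncated extensions length")
        (ext_len,) = struct.unpack_from("!H", msg, pos)
        pos += 2
        if pos + ext_len != len(msg):
            raise ValueError("bad extensions length")
        while pos < len(msg):
            if pos + 4 > len(msg):
                raise ValueError("truncated extension header")
            etype, elen = struct.unpack_from("!HH", msg, pos)
            pos += 4
            if pos + elen > len(msg):
                raise ValueError("truncated extension body")
            extensions[etype] = msg[pos:pos + elen]
            pos += elen
    return {"cipher_suites": suites, "extensions": extensions}


def classify_client_hello(msg):
    """Return how an *initial* ClientHello signals RFC 5746 support:
    'rfc5746-extension', 'rfc5746-scsv', 'legacy' (no signal: a server should
    refuse renegotiation with this peer) or 'malformed'."""
    try:
        hello = parse_client_hello(msg)
    except (ValueError, struct.error):
        return "malformed"
    info = hello["extensions"].get(RENEGOTIATION_INFO_EXT)
    if info is not None:
        # On the initial handshake renegotiated_connection must be empty,
        # i.e. the extension data is exactly one zero length byte.
        return "rfc5746-extension" if info == b"\x00" else "malformed"
    if EMPTY_RENEGOTIATION_INFO_SCSV in hello["cipher_suites"]:
        return "rfc5746-scsv"
    return "legacy"


# Constructed sample ClientHellos (not captured traffic).
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
HELLO_EXTENSION = build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA],
                                     [(RENEGOTIATION_INFO_EXT, b"\x00")])
HELLO_SCSV = build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA,
                                 EMPTY_RENEGOTIATION_INFO_SCSV])
HELLO_LEGACY = build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA])
HELLO_BAD = build_client_hello([TLS_RSA_WITH_AES_128_CBC_SHA],
                               [(RENEGOTIATION_INFO_EXT, b"\x02\xaa\xbb")])

if __name__ == "__main__":
    for name, hello in [("extension", HELLO_EXTENSION), ("scsv", HELLO_SCSV),
                        ("legacy", HELLO_LEGACY), ("bad", HELLO_BAD)]:
        print(f"{name:9s} -> {classify_client_hello(hello)}")
```

The SCSV form exists because some pre-RFC 5746 servers reject any ClientHello carrying extensions, so a client may signal support through the cipher suite list instead; a server that understands RFC 5746 must accept either signal. A non-empty renegotiated_connection on an initial handshake is treated as malformed, which is what RFC 5746 requires of a server.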