Is there any version of JDK 1.6 available for openSuSE 11.3 which contains the patch implementing RFC 5746 to mitigate the TLS renegotiation MITM attack? Just disallowing the renegotiation isn't an option for my Java applet.

Regards
Willy Weisz

--
To unsubscribe, e-mail: opensuse-java+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-java+help@opensuse.org
On Monday 18 of October 2010 11:36:59 Willy Weisz wrote:
Is there any version of JDK 1.6 available for openSuSE 11.3 which contains the patch implementing RFC 5746 to mitigate the TLS renegotiation MITM attack?
Do you mean CVE-2009-5555 [1]? This was addressed by the Sun Java u19 update and the icedtea6-1.7.3 patchset; more recent versions of both JVMs are available in the standard update repository [2].

[1] http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html
[2] http://download.opensuse.org/update/11.3/

Regards
Michal Vyskocil
Just disallowing the renegotiation isn't an option for my Java applet.
Regards Willy Weisz
First of all I mean CVE-2009-3555. The SSL/TLS MITM vulnerability was addressed in 2 steps:
1. As an emergency action: disable SSL/TLS renegotiation. This is the "solution" used in Sun Java u19.
2. The real solution was a redefinition of the renegotiation protocol (see RFC 5746). This was included in Sun Java u22.

Let me reformulate my question: Where can I find an openSuSE Java rpm set for Sun Java u22 and/or an icedtea6 patchset which includes the RFC 5746 conforming SSL/TLS renegotiation?

Regards
Willy Weisz

Michal Vyskocil wrote:
On Monday 18 of October 2010 11:36:59 Willy Weisz wrote:
Is there any version of JDK 1.6 available for openSuSE 11.3 which contains the patch implementing RFC 5746 to mitigate the TLS renegotiation MITM attack?
Do you mean CVE-2009-5555 [1]? This was addressed by the Sun Java u19 update and the icedtea6-1.7.3 patchset; more recent versions of both JVMs are available in the standard update repository [2].

[1] http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html
[2] http://download.opensuse.org/update/11.3/
Regards Michal Vyskocil
Just disallowing the renegotiation isn't an option for my Java applet.
Regards Willy Weisz
--
-----------------------------------------------------------
Willy Weisz
European Centre for Parallel Computing at Vienna (VCPC)
Computational Science Center
University of Vienna
Nordbergstrasse 15/C312
A-1090 Wien
Tel: (+43 1) 4277 - 39424 Fax: (+43 1) 4277 - 9394
e-mail: Willy.Weisz@univie.ac.at
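The RFC 5746 fix Willy describes works by having a client signal secure-renegotiation support in its ClientHello, either with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00FF) or with the renegotiation_info extension (0xFF01); a server that sees neither knows it is talking to an unpatched client. The following is an added example, not code from the thread or from the JDK: a small Python parser that inspects a captured ClientHello record and reports which of the two signals it carries, so an administrator can verify that a patched JVM client is actually sending them. The sample ClientHello messages are constructed in the block (zeroed random, no session id).

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746 section 3.3
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type, RFC 5746 section 3.2


def build_client_hello(cipher_suites, extensions):
    """Constructed sample: minimal TLS 1.0 ClientHello inside a handshake record."""
    body = b"\x03\x01" + bytes(32)                     # client_version, random (zeroed, sample only)
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                 # compression_methods: null only
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1 + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type handshake, TLS 1.0


def secure_reneg_signal(record):
    """Report whether a ClientHello record signals RFC 5746 support via SCSV and/or extension."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                      # skip handshake header, version, random
    p += 1 + hs[p]                                      # session_id
    n = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + hs[p]                                      # compression_methods
    ext_types = set()
    if p < len(hs):                                     # extensions block is optional
        n = struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        end = p + n
        while p < end:
            t, length = struct.unpack("!HH", hs[p:p + 4])
            ext_types.add(t)
            p += 4 + length
    return {"scsv": SCSV in suites, "ext": RENEG_INFO_EXT in ext_types}


# Constructed samples: a legacy client and an RFC 5746 client (SCSV plus empty renegotiation_info).
LEGACY = build_client_hello([0x002F, 0x0035], [])
PATCHED = build_client_hello([0x002F, 0x0035, SCSV], [(RENEG_INFO_EXT, b"\x00")])
```

On the initial handshake the renegotiation_info payload is a single zero length byte; a non-empty payload only appears once a connection is being renegotiated.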
On Thu, Oct 21, 2010 at 6:34 PM, Willy Weisz <Willy.Weisz@univie.ac.at> wrote:
First of all I mean CVE-2009-3555. The SSL/TLS MITM vulnerability was addressed in 2 steps: 1. As an emergency action: disable SSL/TLS renegotiation. This is the "solution" used in Sun Java u19. 2. The real solution was a redefinition of the renegotiation protocol (see RFC 5746). This was included in Sun Java u22.
Let me reformulate my question: Where can I find an openSuSE Java rpm set for Sun Java u22 and/or an icedtea6 patchset which includes the RFC 5746 conforming SSL/TLS renegotiation?
Incidentally, Java 6 Update 22 was pushed to the Updates repository today.

Robert
--
Sent from my (old) computer
Robert Munteanu wrote:
On Thu, Oct 21, 2010 at 6:34 PM, Willy Weisz <Willy.Weisz@univie.ac.at> wrote:
First of all I mean CVE-2009-3555. The SSL/TLS MITM vulnerability was addressed in 2 steps: 1. As an emergency action: disable SSL/TLS renegotiation. This is the "solution" used in Sun Java u19. 2. The real solution was a redefinition of the renegotiation protocol (see RFC 5746). This was included in Sun Java u22.
Let me reformulate my question: Where can I find an openSuSE Java rpm set for Sun Java u22 and/or an icedtea6 patchset which includes the RFC 5746 conforming SSL/TLS renegotiation?
Incidentally, Java 6 Update 22 was pushed to the Updates repository today.
Thank you for the information. What about openjdk and RFC 5746?

Regards
Willy
Robert
On Thursday 21 of October 2010 19:04:05 Willy Weisz wrote:
Robert Munteanu wrote:
On Thu, Oct 21, 2010 at 6:34 PM, Willy Weisz <Willy.Weisz@univie.ac.at> wrote:
First of all I mean CVE-2009-3555. The SSL/TLS MITM vulnerability was addressed in 2 steps: 1. As an emergency action: disable SSL/TLS renegotiation. This is the "solution" used in Sun Java u19. 2. The real solution was a redefinition of the renegotiation protocol (see RFC 5746). This was included in Sun Java u22.
Let me reformulate my question: Where can I find an openSuSE Java rpm set for Sun Java u22 and/or an icedtea6 patchset which includes the RFC 5746 conforming SSL/TLS renegotiation?
Incidentally, Java 6 Update 22 was pushed to the Updates repository today.
Thank you for the information.
Hi Willy,
What about openjdk and RFC 5746?
Thanks for the clarification. I checked the list of CVEs fixed by the Icedtea6-1.9.1 [1] update I'm working on atm. According to the announcement it conforms to Sun Java u22; the update is tracked as bnc#642531 [2]. So RFC 5746 is already fixed in Sun Java, and openjdk is WIP.

[1] http://blog.fuseyism.com/index.php/2010/10/12/icedtea6-175-182-and-191-released/
[2] https://bugzilla.novell.com/show_bug.cgi?id=642531

Regards
Michal Vyskocil
Regards Willy
Robert
participants (3)
- Michal Vyskocil
- Robert Munteanu
- Willy Weisz