-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1250
                           pound security update
                                8 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pound
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated      
                   Access Confidential Data       -- Remote/Unauthenticated      
                   Reduced Security               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3566 CVE-2012-4929 CVE-2009-3555

Reference:         ASB-2015.0035
                   ASB-2015.0009
                   ESB-2015.0639
                   ASB-2014.0146
                   ASB-2014.0134
                   ASB-2014.0131

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3253

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3253-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 07, 2015                           http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : pound
CVE ID         : CVE-2009-3555 CVE-2012-4929 CVE-2014-3566
Debian Bug     : 723731 727197 765539 765649

Pound, an HTTP reverse proxy and load balancer, had several issues
related to vulnerabilities in the Secure Sockets Layer (SSL) protocol.

For Debian 7 (wheezy) this update adds a missing part to make it
actually possible to disable client-initiated renegotiation, and
disables it by default (CVE-2009-3555). TLS compression is disabled
(CVE-2012-4929), although this is normally already disabled by the OpenSSL
system library. Finally, it adds the ability to disable the SSLv3 protocol
(CVE-2014-3566) entirely via the new "DisableSSLv3" configuration
directive, although SSLv3 is not disabled by default in this update.
Additionally, a non-security-sensitive issue in redirect encoding is
addressed.
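Because the wheezy build leaves SSLv3 enabled unless "DisableSSLv3" is set on
each listener, an administrator needs a quick way to find ListenHTTPS blocks
that were never updated. The script below is an added example, not part of
the advisory or of the Pound project: it scans a constructed Pound 2.6
configuration and reports HTTPS listeners lacking the directive. The block
keywords (ListenHTTPS, Service, BackEnd, End, ...) follow Pound's config
grammar, while the "DisableSSLv3 1" value form and the sample paths and
ports are assumptions.

```python
# Constructed sample Pound 2.6 config: two HTTPS listeners, only the first carries
# the wheezy-specific "DisableSSLv3 1" directive (value form, paths, ports assumed).
SAMPLE_CFG = """\
ListenHTTPS
    Port    443
    Cert    "/etc/ssl/example-front.pem"
    DisableSSLv3 1
End
ListenHTTPS
    Port    8443          # legacy listener, never updated
    Cert    "/etc/ssl/example-legacy.pem"
    Service
        BackEnd
            Address 127.0.0.1
            Port    8081
        End
    End
End
"""
# Pound block keywords that are closed by a matching "End" line (assumed list).
BLOCK_OPENERS = ("listenhttp", "listenhttps", "service", "backend", "emergency", "session")

def audit_https_listeners(cfg_text):
    """Return one {"port", "sslv3_disabled"} record per ListenHTTPS block."""
    results, current, depth = [], None, 0
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        word, value = parts[0].lower(), (parts[1].strip() if len(parts) == 2 else "")
        if current is None:
            if word == "listenhttps":            # enter a new HTTPS listener
                current, depth = {"port": None, "sslv3_disabled": False}, 1
            continue
        if word in BLOCK_OPENERS:                # nested Service/BackEnd block
            depth += 1
        elif word == "end":
            depth -= 1
            if depth == 0:                       # listener block closed
                results.append(current)
                current = None
        elif depth == 1 and word == "port":      # only listener-level directives count
            current["port"] = value
        elif depth == 1 and word == "disablesslv3" and value == "1":
            current["sslv3_disabled"] = True
    return results

def listeners_still_offering_sslv3(cfg_text):
    """Ports of HTTPS listeners that still accept SSLv3 (CVE-2014-3566)."""
    return [r["port"] for r in audit_https_listeners(cfg_text) if not r["sslv3_disabled"]]
```

Nested BackEnd ports are ignored on purpose, so only the listener's own Port and DisableSSLv3 lines are reported.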

For Debian 8 (jessie) these issues have been fixed prior to the release,
with the exception of client-initiated renegotiation (CVE-2009-3555).
This update addresses that issue for jessie.

For the oldstable distribution (wheezy), these problems have been fixed
in version 2.6-2+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 2.6-6+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 2.6-6.1.

We recommend that you upgrade your pound packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----