-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1250
                            pound security update
                                  8 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pound
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Reduced Security               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3566 CVE-2012-4929 CVE-2009-3555

Reference:         ASB-2015.0035
                   ASB-2015.0009
                   ESB-2015.0639
                   ASB-2014.0146
                   ASB-2014.0134
                   ASB-2014.0131

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3253

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3253-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst
May 07, 2015                           http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : pound
CVE ID         : CVE-2009-3555 CVE-2012-4929 CVE-2014-3566
Debian Bug     : 723731 727197 765539 765649

Pound, an HTTP reverse proxy and load balancer, had several issues related
to vulnerabilities in the Secure Sockets Layer (SSL) protocol.

For Debian 7 (wheezy) this update adds a missing part to make it actually
possible to disable client-initiated renegotiation, and disables it by
default (CVE-2009-3555). TLS compression is disabled (CVE-2012-4929),
although this is normally already disabled by the OpenSSL system library.
Finally, it adds the ability to disable the SSLv3 protocol (CVE-2014-3566)
entirely via the new "DisableSSLv3" configuration directive, although SSLv3
will not be disabled by default in this update; operators who need to close
CVE-2014-3566 must set the directive themselves after upgrading.
Additionally, a non-security-sensitive issue in redirect encoding is
addressed.

For Debian 8 (jessie) these issues had been fixed prior to the release,
with the exception of client-initiated renegotiation (CVE-2009-3555). This
update addresses that issue for jessie.

For the oldstable distribution (wheezy), these problems have been fixed in
version 2.6-2+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 2.6-6+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 2.6-6.1.

We recommend that you upgrade your pound packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVS79aAAoJEFb2GnlAHawETHwH/RrPS2EYLPKsjvXD6zokWclq
IGaOOCcXQS9u22qtii5lWBPvBH6ALZCrd46wQBwlgmEaPu0JR/8ILHtwoIF3soFM
49SQVkPAfApKSugJlJasO7E59K/ip6GYmxNZ+uVVSggK2OYnIicFymx8D/7E6e3Q
RFv6OnOtLxVpXulpDZ0gGJswwuXroQLufG8l5E4LOOAdj/ZmW7N7F4J4BB6RSNg4
fadVn+u+BdzKx+C62DQIMsgGpxtyXR3Iy372bzzpzIbJtBMaM6YuMBCeR8T1EfB3
Q3eRWj6U60A4JCtQuGyW98MWs3HWZkiF3O53Gc6nUHMuWeLoaoNbIYpcsMoSCZo=
=N3Sp
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVUv+yRLndAQH1ShLAQKAaBAAuqvETEFZHAWZ5UOAjOEygdHW4eNzCMcu
cOILCfsPQdyBdkqOQWunutAldYXwSZIKrUCdIJR5sYu2jjDTqzYYA7r34L48I5f7
ZDLCAaRD+2qWqDcG9Q/wHe86lc2KvygzbKGq+rc1/FLW260WBz8TZOO6qGxi38TJ
mVXuN+g30BxMlPKPHMilfy9Yma+eJQ2/LSaUBsBwx+HhpP2XRABhLk0dLVOWVZ9z
iHjHMaLC8kRojXAFbnwzucF+hmUMz/R4zWPnRhKbZSq2s6Q67w1do1/hyQTmfmdH
Q42kNbJBS0vbMtb8IQP7P8ei/NFRO5RPBMVE5X5UnZgGVsqLg/kVaRnBxtOHYKgN
o+UGTeY+HOENdO8R5HZBOsW9J9ovsfzJjwK8ozg1h65xglgw3oWShAoqTQBMgsfH
//PjyyZ1YPXjW/ZlnPHmiTD9AwwIyZqEYVwKi5y0H+9pVadXyFTSkFvcUrTQW0Sl
zBV6fqUrX3q2LUwi0dYxiISLYrHrh/idqvsJ3Eh3tFV4gjJTXUIjyVq46VV9ipZL
75vz0wl3hHKd7cTmvsPf2rOjazU1uGtfoGRFlS0doSlIhCGs1POc2cR5XoCVoPKZ
lZ09UWrY7Yu8IyJg05ZxKPjM5l04JiDLeQpz3djxOBmibcu/p3MvFCkg7V0RngzI
M+HcAubaIPE=
=6HOX
-----END PGP SIGNATURE-----
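Editor's worked example (added here; not part of the AusCERT bulletin, the Debian advisory, or the Pound project). The DSA text above makes one point a practitioner can easily miss: upgrading the package alone does not close CVE-2014-3566, because "DisableSSLv3" is off by default, while client-initiated renegotiation (CVE-2009-3555) is refused by default only once the fixed package is installed. The script below embeds two constructed pound.cfg fragments, the pre-update shape of a wheezy HTTPS listener and its hardened form, parses the ListenHTTPS blocks, and reports listeners that still accept SSLv3 or allow client renegotiation. Assumptions to verify against pound(8) on your system: the directive is written `DisableSSLv3 1` inside the ListenHTTPS block, `SSLAllowClientRenegotiation 0|1|2` is the Pound 2.6 directive the DSA refers to, and the set of block-opening keywords closed by `End` is the one listed in BLOCK_OPENERS.

```python
"""Audit a Pound configuration for the settings DSA-3253 talks about.

Added example, not Debian's or Pound's own code. It walks top-level
ListenHTTPS blocks and reports listeners that still accept SSLv3
(CVE-2014-3566) or allow client-initiated renegotiation (CVE-2009-3555).
"""

# Keywords that open a block closed by "End" in the Pound 2.6 grammar
# (assumed list; Pound matches directives case-insensitively).
BLOCK_OPENERS = {"listenhttp", "listenhttps", "service", "backend",
                 "emergency", "session"}

# Constructed sample: the pre-update state of a wheezy listener (no
# DisableSSLv3 directive, renegotiation explicitly allowed).
WEAK_CONFIG = """\
User    "www-data"
Group   "www-data"
LogLevel 1

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/ssl/private/pound.pem"
    Ciphers "HIGH:!aNULL:!MD5"
    SSLAllowClientRenegotiation 1
    Service
        BackEnd
            Address 10.0.0.10
            Port    8080
        End
    End
End
"""

# Constructed sample: the same listener after upgrading to 2.6-2+deb7u1
# and opting in to the new directive (syntax assumed, see lead-in).
HARDENED_CONFIG = """\
User    "www-data"
Group   "www-data"
LogLevel 1

ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/ssl/private/pound.pem"
    Ciphers "HIGH:!aNULL:!MD5"
    DisableSSLv3 1                   # CVE-2014-3566: off by default, opt in
    SSLAllowClientRenegotiation 0    # CVE-2009-3555: the post-update default
    Service
        BackEnd
            Address 10.0.0.10
            Port    8080
        End
    End
End
"""


def parse_listeners(text):
    """Return one dict per top-level ListenHTTPS block: its starting line
    number and the directives set directly inside it (nested Service and
    BackEnd blocks are skipped). Keys are lower-cased; values lose quotes."""
    listeners, current, depth = [], None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Pound comments run from '#' to end of line; none of the directives
        # audited here carry a '#' inside a quoted value.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "end":
            depth -= 1
            if depth == 0 and current is not None:
                listeners.append(current)
                current = None
        elif key in BLOCK_OPENERS:
            if key == "listenhttps" and depth == 0:
                current = {"line": lineno, "directives": {}}
            depth += 1
        elif current is not None and depth == 1:
            current["directives"][key] = value
    return listeners


def audit(text):
    """List human-readable findings; an empty list means nothing to fix."""
    findings = []
    for lst in parse_listeners(text):
        d = lst["directives"]
        where = "ListenHTTPS at line %d (%s:%s)" % (
            lst["line"], d.get("address", "?"), d.get("port", "?"))
        # Per the DSA, SSLv3 stays enabled unless the new directive is set.
        if d.get("disablesslv3") != "1":
            findings.append(where + ": SSLv3 still enabled (CVE-2014-3566); "
                            "add 'DisableSSLv3 1'")
        # After the update the default is 0 (renegotiation refused); any
        # non-zero value re-enables it. Absence is therefore fine here, but
        # only on 2.6-2+deb7u1 / 2.6-6+deb8u1 or later.
        if d.get("sslallowclientrenegotiation", "0") != "0":
            findings.append(where + ": client-initiated renegotiation allowed "
                            "(CVE-2009-3555); set 'SSLAllowClientRenegotiation 0'")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for finding in audit(text):
        print(finding)
```

Run it as `python audit_pound.py /etc/pound/pound.cfg` after confirming the installed version with `dpkg-query -W -f='${Version}\n' pound` (compare with `dpkg --compare-versions`), since the renegotiation default the script relies on only holds for the fixed package. To confirm the running listener rather than the file, `openssl s_client -ssl3 -connect host:443` should fail to negotiate once `DisableSSLv3` is set; note that this check is only possible from a client whose OpenSSL was built with SSLv3 support, which newer builds omit.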