nginx 0.7.64 and CVE-2009-3555 TLS / SSL renegotiation

JW
February 12, 2010 06:32PM
I'm running nginx/0.7.64, compiled from source.

The top of the changelog that came with the source says:

Changes with nginx 0.7.64 16 Nov 2009

*) Security: now SSL/TLS renegotiation is disabled.
Thanks to Maxim Dounin.


Also http://nginx.org/en/security_advisories.html says:

The renegotiation vulnerability in SSL protocol
Severity: major
VU#120541 CVE-2009-3555
Not vulnerable: 0.8.23+, 0.7.64+


I also checked against http://sysoev.ru/nginx/patch.cve-2009-3555.txt and the
source I have does seem to contain that patch.


However, I've had a scanning vendor tell me I'm still vulnerable to the
problem:

" . . . service allows renegotiation of TLS / SSL connections."

and references CVE-2009-3555


What can I do in order to make sure this is fixed please?

Thanks,

JW

--

----------------------
System Administrator - Cedar Creek Software
http://www.cedarcreeksoftware.com
