[jetty-dev] CVE-2009-3555 SSL vulnerability fix

All,

I've committed a workaround to the CVE-2009-3555 SSL vulnerability
to jetty-6, plus a test harness that demonstrates that renegotiation
has been disabled by the workaround (both SslSocketConnector and SslSelectChannelConnector).

This approach appears to be favoured by all those trying to work around
this issue while waiting for Sun to fix the JVMs.

I will commit a similar patch to jetty-7 over the weekend.

I would be very interested to hear any feedback from SSL users that
this has not broken their usage.

We will have releases with this patch available early in the week.

Older releases might be able to be patched by substitution of the
SSL classes.

regards



