CVE-2009-3555 | AttackerKB

Description

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a “plaintext injection” attack, aka the “Project Mogul” issue.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

apache,
canonical,
debian,
f5,
fedoraproject,
gnu,
mozilla,
openssl

Products

debian linux 4.0,
debian linux 5.0,
debian linux 6.0,
debian linux 7.0,
debian linux 8.0,
fedora 11,
fedora 12,
fedora 13,
fedora 14,
gnutls,
http server,
nginx,
nss,
openssl,
openssl 1.0,
ubuntu linux 10.04,
ubuntu linux 10.10,
ubuntu linux 8.04,
ubuntu linux 8.10,
ubuntu linux 9.04,
ubuntu linux 9.10

References

Canonical

CVE-2009-3555 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555)

BID-36935 (http://www.securityfocus.com/bid/36935)

Advisory

APPLE-SA-2010-05-18-1 (http://lists.apple.com/archives/security-announce/2010//May/msg00001.html)

SECTRACK-1023427 (http://www.securitytracker.com/id?1023427)

http://support.avaya.com/css/P8/documents/100081611

OSVDB-62210 (http://osvdb.org/62210)

SECUNIA-37640 (http://secunia.com/advisories/37640)

http://www.arubanetworks.com/support/alerts/aid-020810.txt

ADV-2010-0916 (http://www.vupen.com/english/advisories/2010/0916)

http://support.avaya.com/css/P8/documents/100114327

http://www.redhat.com/support/errata/RHSA-2010-0167.html

ADV-2010-2010 (http://www.vupen.com/english/advisories/2010/2010)

FEDORA-2009-12750 (https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html)

ADV-2010-0086 (http://www.vupen.com/english/advisories/2010/0086)

ADV-2010-1673 (http://www.vupen.com/english/advisories/2010/1673)

[tls] 20091104 TLS renegotiation issue (http://www.ietf.org/mail-archive/web/tls/current/msg03948.html)

SECUNIA-37656 (http://secunia.com/advisories/37656)

http://www.redhat.com/support/errata/RHSA-2010-0865.html

SECUNIA-39628 (http://secunia.com/advisories/39628)

http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

SECUNIA-42724 (http://secunia.com/advisories/42724)

ADV-2009-3310 (http://www.vupen.com/english/advisories/2009/3310)

ADV-2009-3205 (http://www.vupen.com/english/advisories/2009/3205)

http://blogs.sun.com/security/entry/vulnerability_in_tls_protocol_during

SECUNIA-39461 (http://secunia.com/advisories/39461)

http://support.avaya.com/css/P8/documents/100114315

http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2c

GLSA-201406-32 (http://security.gentoo.org/glsa/glsa-201406-32.xml)

http://www.ingate.com/Relnote.php?ver=481

SECTRACK-1023204 (http://www.securitytracker.com/id?1023204)

SECUNIA-40866 (http://secunia.com/advisories/40866)

HPSBMU02799 (http://marc.info?l=bugtraq&m=134254866602253&w=2)

TA10-222A (http://www.us-cert.gov/cas/techalerts/TA10-222A.html)

SECTRACK-1023211 (http://www.securitytracker.com/id?1023211)

SSRT090249 (http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01945686)

SECUNIA-39317 (http://secunia.com/advisories/39317)

SECTRACK-1023212 (http://www.securitytracker.com/id?1023212)

http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00005.html

SECUNIA-39127 (http://secunia.com/advisories/39127)

SECUNIA-40545 (http://secunia.com/advisories/40545)

ADV-2010-3069 (http://www.vupen.com/english/advisories/2010/3069)

SECTRACK-1023210 (http://www.securitytracker.com/id?1023210)

SECTRACK-1023270 (http://www.securitytracker.com/id?1023270)

SECUNIA-40070 (http://secunia.com/advisories/40070)

SECTRACK-1023273 (http://www.securitytracker.com/id?1023273)

http://kbase.redhat.com/faq/docs/DOC-20491

USN-927-5 (http://www.ubuntu.com/usn/USN-927-5)

PM12247 (http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247)

http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html

http://www.mandriva.com/security/advisories?name=MDVSA-2010:089

http://www.redhat.com/support/errata/RHSA-2010-0770.html

http://www.openssl.org/news/secadv_20091111.txt

SECTRACK-1023275 (http://www.securitytracker.com/id?1023275)

DSA-3253 (http://www.debian.org/security/2015/dsa-3253)

ADV-2009-3484 (http://www.vupen.com/english/advisories/2009/3484)

SECTRACK-1023207 (http://www.securitytracker.com/id?1023207)

SECUNIA-37859 (http://secunia.com/advisories/37859)

SSRT101846 (http://marc.info?l=bugtraq&m=142660345230545&w=2)

SUNALERT-1021752 (http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021752.1-1)

FEDORA-2010-6131 (http://lists.fedoraproject.org/pipermail/package-announce/2010-May/040652.html)

ADV-2010-0848 (http://www.vupen.com/english/advisories/2010/0848)

[oss-security] 20091107 Re: [TLS] CVE-2009-3555 for TLS renegotiation MITM attacks (http://www.openwall.com/lists/oss-security/2009/11/07/3)

SECUNIA-39819 (http://secunia.com/advisories/39819)

IC68055 (http://www-01.ibm.com/support/docview.wss?uid=swg1IC68055)

OSVDB-60521 (http://osvdb.org/60521)

[oss-security] 20091123 Re: CVEs for nginx (http://www.openwall.com/lists/oss-security/2009/11/23/10)

VU#120541 (http://www.kb.cert.org/vuls/id/120541)

SECTRACK-1023217 (http://www.securitytracker.com/id?1023217)

http://www.redhat.com/support/errata/RHSA-2010-0768.html

ADV-2009-3353 (http://www.vupen.com/english/advisories/2009/3353)

FEDORA-2010-5357 (http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html)

SECUNIA-39136 (http://secunia.com/advisories/39136)

http://www.openoffice.org/security/cves/CVE-2009-3555.html

ADV-2011-0032 (http://www.vupen.com/english/advisories/2011/0032)

SECTRACK-1023148 (http://securitytracker.com/id?1023148)

http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html

SSRT090208 (http://marc.info?l=bugtraq&m=130497311408250&w=2)

ADV-2010-1107 (http://www.vupen.com/english/advisories/2010/1107)

SECTRACK-1023218 (http://www.securitytracker.com/id?1023218)

ADV-2010-1350 (http://www.vupen.com/english/advisories/2010/1350)

http://www.redhat.com/support/errata/RHSA-2010-0338.html

SECUNIA-42379 (http://secunia.com/advisories/42379)

FEDORA-2009-12775 (https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html)

20091109 Transport Layer Security Renegotiation Vulnerability (http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml)

IC67848 (http://www-01.ibm.com/support/docview.wss?uid=swg1IC67848)

SECTRACK-1023213 (http://www.securitytracker.com/id?1023213)

FEDORA-2010-16240 (http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049702.html)

ADV-2010-1793 (http://www.vupen.com/english/advisories/2010/1793)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11617

SECUNIA-37292 (http://secunia.com/advisories/37292)

SSRT100817 (http://www.securityfocus.com/archive/1/522176)

XF-tls-renegotiation-weak-security(54158) (https://exchange.xforce.ibmcloud.com/vulnerabilities/54158)

APPLE-SA-2010-05-18-2 (http://lists.apple.com/archives/security-announce/2010//May/msg00002.html)

SECUNIA-39278 (http://secunia.com/advisories/39278)

SECTRACK-1023205 (http://www.securitytracker.com/id?1023205)

http://www.redhat.com/support/errata/RHSA-2010-0130.html

http://tomcat.apache.org/native-doc/miscellaneous/changelog-1.1.x.html

http://support.apple.com/kb/HT4004

SECTRACK-1023215 (http://www.securitytracker.com/id?1023215)

USN-1010-1 (http://www.ubuntu.com/usn/USN-1010-1)

SECTRACK-1023206 (http://www.securitytracker.com/id?1023206)

http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888

GLSA-200912-01 (http://security.gentoo.org/glsa/glsa-200912-01.xml)

SSRT090180 (http://marc.info?l=bugtraq&m=127419602507642&w=2)

ADV-2009-3313 (http://www.vupen.com/english/advisories/2009/3313)

SUNALERT-274990 (http://sunsolve.sun.com/search/document.do?assetkey=1-66-274990-1)

SECTRACK-1023208 (http://www.securitytracker.com/id?1023208)

SECUNIA-43308 (http://secunia.com/advisories/43308)

SECTRACK-1023214 (http://www.securitytracker.com/id?1023214)

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html

SECUNIA-38781 (http://secunia.com/advisories/38781)

HPSBOV02762 (http://marc.info?l=bugtraq&m=133469267822771&w=2)

DSA-1934 (http://www.debian.org/security/2009/dsa-1934)

FEDORA-2009-12782 (https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7478

SECTRACK-1023271 (http://www.securitytracker.com/id?1023271)

APPLE-SA-2010-01-19-1 (http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.html)

[cryptography] 20091105 OpenSSL 0.9.8l released (http://marc.info?l=cryptography&m=125752275331877&w=2)

SECUNIA-42467 (http://secunia.com/advisories/42467)

20091130 TLS / SSLv3 vulnerability explained (New ways to leverage the vulnerability) (http://www.securityfocus.com/archive/1/508130/100/0/threaded)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7315

SECTRACK-1023224 (http://www.securitytracker.com/id?1023224)

http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html

USN-927-4 (http://www.ubuntu.com/usn/USN-927-4)

SECUNIA-41490 (http://secunia.com/advisories/41490)

20091124 rPSA-2009-0155-1 httpd mod_ssl (http://www.securityfocus.com/archive/1/508075/100/0/threaded)

SECTRACK-1023243 (http://www.securitytracker.com/id?1023243)

SECUNIA-37504 (http://secunia.com/advisories/37504)

SECTRACK-1023219 (http://www.securitytracker.com/id?1023219)

http://sysoev.ru/nginx/patch.cve-2009-3555.txt

SECTRACK-1023163 (http://www.securitytracker.com/id?1023163)

HPSBHF02706 (http://marc.info?l=bugtraq&m=132077688910227&w=2)

ADV-2009-3521 (http://www.vupen.com/english/advisories/2009/3521)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7973

HPSBMA02568 (http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995)

http://support.zeus.com/zws/news/2010/01/13/zws_4_3r5_released

https://bugzilla.redhat.com/show_bug.cgi?id=533125

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10088

SECUNIA-44183 (http://secunia.com/advisories/44183)

http://support.zeus.com/zws/media/docs/4.3/RELEASE_NOTES

SECUNIA-42808 (http://secunia.com/advisories/42808)

SECUNIA-39500 (http://secunia.com/advisories/39500)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11578

http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

ADV-2009-3220 (http://www.vupen.com/english/advisories/2009/3220)

SSRT100179 (http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751)

SSRT100089 (http://marc.info?l=bugtraq&m=127557596201693&w=2)

http://www.redhat.com/support/errata/RHSA-2010-0165.html

20101207 VMSA-2010-0019 VMware ESX third party updates for Service Console (http://www.securityfocus.com/archive/1/515055/100/0/threaded)

http://www.redhat.com/support/errata/RHSA-2010-0987.html

https://bugzilla.mozilla.org/show_bug.cgi?id=545755

http://www-01.ibm.com/support/docview.wss?uid=swg21426108

SECTRACK-1023411 (http://www.securitytracker.com/id?1023411)

http://www.redhat.com/support/errata/RHSA-2010-0339.html

http://www.redhat.com/support/errata/RHSA-2010-0986.html

ADV-2009-3164 (http://www.vupen.com/english/advisories/2009/3164)

SECUNIA-37383 (http://secunia.com/advisories/37383)

FEDORA-2009-12229 (https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01029.html)

SECUNIA-44954 (http://secunia.com/advisories/44954)

[tls] 20091104 MITM attack on delayed TLS-client auth through renegotiation (http://www.ietf.org/mail-archive/web/tls/current/msg03928.html)

http://support.avaya.com/css/P8/documents/100070150

SECUNIA-40747 (http://secunia.com/advisories/40747)

HPSBUX02498 (http://marc.info?l=bugtraq&m=126150535619567&w=2)

SECUNIA-39292 (http://secunia.com/advisories/39292)

SECUNIA-42816 (http://secunia.com/advisories/42816)

IC68054 (http://www-01.ibm.com/support/docview.wss?uid=swg1IC68054)

SUNALERT-273029 (http://sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1)

FEDORA-2009-12604 (https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00645.html)

http://www-01.ibm.com/support/docview.wss?uid=swg21432298

http://www-01.ibm.com/support/docview.wss?uid=swg24025312

http://www-01.ibm.com/support/docview.wss?uid=swg24006386

http://support.apple.com/kb/HT4170

20091118 TLS / SSLv3 vulnerability explained (DRAFT) (http://www.securityfocus.com/archive/1/507952/100/0/threaded)

SECTRACK-1023209 (http://www.securitytracker.com/id?1023209)

PM00675 (http://www-1.ibm.com/support/search.wss?rs=0&q=PM00675&apar=only)

http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html

SECUNIA-48577 (http://secunia.com/advisories/48577)

http://www.opera.com/docs/changelogs/unix/1060

http://www.redhat.com/support/errata/RHSA-2011-0880.html

http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html

http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

[oss-security] 20091107 Re: CVE-2009-3555 for TLS renegotiation MITM attacks (http://www.openwall.com/lists/oss-security/2009/11/06/3)

FEDORA-2009-12305 (https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01020.html)

http://wiki.rpath.com/Advisories:rPSA-2009-0155

http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html

http://support.citrix.com/article/CTX123359

SECUNIA-37501 (http://secunia.com/advisories/37501)

http://www.mandriva.com/security/advisories?name=MDVSA-2010:076

HPSBUX02517 (http://marc.info?l=bugtraq&m=127128920008563&w=2)

ADV-2009-3587 (http://www.vupen.com/english/advisories/2009/3587)

SECUNIA-39632 (http://secunia.com/advisories/39632)

SECUNIA-38687 (http://secunia.com/advisories/38687)

MS10-049 (https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-049)

ADV-2010-0982 (http://www.vupen.com/english/advisories/2010/0982)

SECUNIA-37399 (http://secunia.com/advisories/37399)

USN-927-1 (http://www.ubuntu.com/usn/USN-927-1)

SECTRACK-1023272 (http://www.securitytracker.com/id?1023272)

FEDORA-2009-12606 (https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00944.html)

ADV-2010-3126 (http://www.vupen.com/english/advisories/2010/3126)

SECUNIA-37320 (http://secunia.com/advisories/37320)

ADV-2009-3165 (http://www.vupen.com/english/advisories/2009/3165)

ADV-2010-1639 (http://www.vupen.com/english/advisories/2010/1639)

SECUNIA-38020 (http://secunia.com/advisories/38020)

USN-923-1 (http://ubuntu.com/usn/usn-923-1)

SECUNIA-39243 (http://secunia.com/advisories/39243)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8366

SECUNIA-37453 (http://secunia.com/advisories/37453)

http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-030/index.html

ADV-2010-0933 (http://www.vupen.com/english/advisories/2010/0933)

http://www.vmware.com/security/advisories/VMSA-2011-0003.html

SECUNIA-41972 (http://secunia.com/advisories/41972)

ADV-2010-3086 (http://www.vupen.com/english/advisories/2010/3086)

DSA-2141 (http://www.debian.org/security/2011/dsa-2141)

SECTRACK-1024789 (http://www.securitytracker.com/id?1024789)

http://www.redhat.com/support/errata/RHSA-2010-0155.html

ADV-2011-0033 (http://www.vupen.com/english/advisories/2011/0033)

http://www.redhat.com/support/errata/RHSA-2010-0337.html

SECTRACK-1023216 (http://www.securitytracker.com/id?1023216)

SECUNIA-41480 (http://secunia.com/advisories/41480)

ADV-2011-0086 (http://www.vupen.com/english/advisories/2011/0086)

SECUNIA-41818 (http://secunia.com/advisories/41818)

SECUNIA-37604 (http://secunia.com/advisories/37604)

http://www.opera.com/support/search/view/944

[announce] 20091107 CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation (http://marc.info?l=apache-httpd-announce&m=125755783724966&w=2)

http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html

TA10-287A (http://www.us-cert.gov/cas/techalerts/TA10-287A.html)

http://www.redhat.com/support/errata/RHSA-2010-0119.html

SECUNIA-38056 (http://secunia.com/advisories/38056)

ADV-2010-0748 (http://www.vupen.com/english/advisories/2010/0748)

SECUNIA-37675 (http://secunia.com/advisories/37675)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8535

http://www.vmware.com/security/advisories/VMSA-2010-0019.html

http://www.redhat.com/support/errata/RHSA-2010-0786.html

SECUNIA-38003 (http://secunia.com/advisories/38003)

http://support.apple.com/kb/HT4171

SECTRACK-1023428 (http://www.securitytracker.com/id?1023428)

[oss-security] 20091120 CVEs for nginx (http://www.openwall.com/lists/oss-security/2009/11/20/1)

ADV-2009-3354 (http://www.vupen.com/english/advisories/2009/3354)

SECTRACK-1023274 (http://www.securitytracker.com/id?1023274)

FEDORA-2009-12968 (https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00634.html)

SECUNIA-39242 (http://secunia.com/advisories/39242)

https://kb.bluecoat.com/index?page=content&id=SA50

SECUNIA-38241 (http://secunia.com/advisories/38241)

SECUNIA-42377 (http://secunia.com/advisories/42377)

GLSA-201203-22 (http://security.gentoo.org/glsa/glsa-201203-22.xml)

[oss-security] 20091105 CVE-2009-3555 for TLS renegotiation MITM attacks (http://www.openwall.com/lists/oss-security/2009/11/05/3)

http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html

OSVDB-60972 (http://osvdb.org/60972)

SECTRACK-1023426 (http://www.securitytracker.com/id?1023426)

SECUNIA-38484 (http://secunia.com/advisories/38484)

http://www.mandriva.com/security/advisories?name=MDVSA-2010:084

SUNALERT-1021653 (http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021653.1-1)

http://www.mozilla.org/security/announce/2010/mfsa2010-22.html

20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX (http://www.securityfocus.com/archive/1/516397/100/0/threaded)

SECUNIA-41967 (http://secunia.com/advisories/41967)

http://www.redhat.com/support/errata/RHSA-2010-0807.html

ADV-2010-1191 (http://www.vupen.com/english/advisories/2010/1191)

20091111 Re: SSL/TLS MiTM PoC (http://seclists.org/fulldisclosure/2009/Nov/139)

[oss-security] 20091105 Re: CVE-2009-3555 for TLS renegotiation MITM attacks (http://www.openwall.com/lists/oss-security/2009/11/05/5)

SECUNIA-39713 (http://secunia.com/advisories/39713)

SECUNIA-42733 (http://secunia.com/advisories/42733)

SECUNIA-37291 (http://secunia.com/advisories/37291)

FEDORA-2010-16312 (http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049455.html)

FEDORA-2010-5942 (http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039957.html)

ADV-2010-2745 (http://www.vupen.com/english/advisories/2010/2745)

SUNALERT-273350 (http://sunsolve.sun.com/search/document.do?assetkey=1-26-273350-1)

ADV-2010-0994 (http://www.vupen.com/english/advisories/2010/0994)

ADV-2010-0173 (http://www.vupen.com/english/advisories/2010/0173)

ADV-2010-1054 (http://www.vupen.com/english/advisories/2010/1054)

OSVDB-65202 (http://osvdb.org/65202)

HPSBGN02562 (http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02436041)

FEDORA-2010-16294 (http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049528.html)

[gnutls-devel] 20091105 Re: TLS renegotiation MITM (http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00029.html)

20131121 ESA-2013-077: RSA Data Protection Manager Appliance Multiple Vulnerabilities (http://archives.neohapsis.com/archives/bugtraq/2013-11/0120.html)

SECUNIA-42811 (http://secunia.com/advisories/42811)

[tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ (https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E)

[tomcat-dev] 20190325 svn commit: r1856174 [26/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ (https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E)

[tomcat-dev] 20200203 svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/ (https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E)

[tomcat-dev] 20200213 svn commit: r1873980 [31/34] - /tomcat/site/trunk/docs/ (https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E)

Miscellaneous

[4.5] 010: SECURITY FIX: November 26, 2009 (http://openbsd.org/errata45.html#010_openssl)

http://www.links.org?p=786

http://www.tombom.co.uk/blog?p=85

http://extendedsubset.com?p=8

http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html

http://xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.09%20os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html

http://blogs.iss.net/archive/sslmitmiscsrf.html

http://extendedsubset.com/Renegotiating_TLS.pdf

http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.597446

http://www.links.org?p=789

http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html

https://bugzilla.mozilla.org/show_bug.cgi?id=526689

http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html

http://www.links.org?p=780

https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt

http://www.betanews.com/article/1257452450

[4.6] 004: SECURITY FIX: November 26, 2009 (http://openbsd.org/errata46.html#004_openssl)

https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html

http://clicky.me/tlsvuln

http://marc.info/?l=bugtraq&m=133469267822771&w=2

http://marc.info/?l=bugtraq&m=130497311408250&w=2

https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E

https://access.redhat.com/errata/RHSA-2009:1580

https://access.redhat.com/errata/RHSA-2010:0163

https://access.redhat.com/errata/RHSA-2010:0166

https://access.redhat.com/errata/RHSA-2010:0119

http://extendedsubset.com/?p=8

http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2

http://marc.info/?l=bugtraq&m=126150535619567&w=2

http://marc.info/?l=bugtraq&m=127128920008563&w=2

http://marc.info/?l=bugtraq&m=127419602507642&w=2

http://marc.info/?l=bugtraq&m=127557596201693&w=2

http://marc.info/?l=bugtraq&m=132077688910227&w=2

http://marc.info/?l=bugtraq&m=134254866602253&w=2

http://marc.info/?l=bugtraq&m=142660345230545&w=2

http://marc.info/?l=cryptography&m=125752275331877&w=2

http://www.links.org/?p=780

http://www.links.org/?p=786

http://www.links.org/?p=789

http://www.opera.com/docs/changelogs/unix/1060/

http://www.opera.com/support/search/view/944/

http://www.tombom.co.uk/blog/?p=85

https://access.redhat.com/errata/RHSA-2009:1579

https://access.redhat.com/errata/RHSA-2009:1694

https://access.redhat.com/errata/RHSA-2010:0011

https://access.redhat.com/errata/RHSA-2010:0130

https://access.redhat.com/errata/RHSA-2010:0155

https://access.redhat.com/errata/RHSA-2010:0162

https://access.redhat.com/errata/RHSA-2010:0164

https://access.redhat.com/errata/RHSA-2010:0165

https://access.redhat.com/errata/RHSA-2010:0167

https://access.redhat.com/errata/RHSA-2010:0337

https://access.redhat.com/errata/RHSA-2010:0338

https://access.redhat.com/errata/RHSA-2010:0339

https://access.redhat.com/errata/RHSA-2010:0408

https://access.redhat.com/errata/RHSA-2010:0440

https://access.redhat.com/errata/RHSA-2010:0768

https://access.redhat.com/errata/RHSA-2010:0770

https://access.redhat.com/errata/RHSA-2010:0786

https://access.redhat.com/errata/RHSA-2010:0807

https://access.redhat.com/errata/RHSA-2010:0865

https://access.redhat.com/errata/RHSA-2010:0986

https://access.redhat.com/errata/RHSA-2010:0987

https://access.redhat.com/errata/RHSA-2011:0880

https://access.redhat.com/errata/RHSA-2015:1591

https://access.redhat.com/security/cve/CVE-2009-3555

https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220%40%3Cdev.tomcat.apache.org%3E

Rapid7

Technical Analysis