Summary
The remote host is missing updates announced in
advisory SUSE-SA:2009:057.
Solution
Update your system with the packages as indicated in the referenced security advisory.
https://secure1.securityspace.com/smysecure/catid.html?in=SUSE-SA:2009:057
Insight
The TLS/SSLv3 protocol as implemented in openssl prior to this update did not associate data that had already been sent with the renegotiated connection.
This allowed man-in-the-middle attackers to inject HTTP requests into an HTTPS session without being noticed.
For example, Apache's mod_ssl was vulnerable to this kind of attack because it uses openssl.
It is believed that this vulnerability is actively exploited in the wild to gain access to HTTPS-protected websites.
Please note that this update disables renegotiation for any application using openssl, which may cause problems in some cases.
Additionally, this attack is not limited to HTTP.
Severity
Classification
CVE: CVE-2009-3555
CVSS Base Score: 5.8
AV:N/AC:M/Au:N/C:N/I:P/A:P
Related Vulnerabilities