Status Tracking Note JVNTR-2010-22

SSL and TLS protocols renegotiation vulnerability (CVE-2009-3555, MS10-049, VU#120541)

Overview

A vulnerability exists in SSL and TLS protocols that may allow attackers to execute an arbitrary HTTP transaction.

Event Information


Date (UTC) / Description
2010-08-11 02:32 JPCERT/CC
JPCERT-AT-2010-0020: August 2010 Microsoft Security Bulletin (including eight critical patches)
Public notification for "Microsoft Security Bulletin Summary for August 2010"
2010-08-10 19:22 US-CERT
TA10-222A: Microsoft Updates for Multiple Vulnerabilities
Technical Cyber Security Alert published via US-CERT Mailing List.
Public notification for "Microsoft Security Bulletin Summary for August 2010"
2010-08-10 17:53 Microsoft
MS10-049: Microsoft Security Bulletin Summary for August 2010
Security Update (MS10-049) released.
2010-07-30 17:55 Microsoft
ms10-aug: Microsoft Security Bulletin Advance Notification for August 2010
Advance notification for Security Update.
2010-03-30 Mozilla Foundation
MFSA 2010-22: Update NSS to support TLS renegotiation indication
Security Update (MFSA 2010-22) released: Firefox 3.6.2/3.5.9, Thunderbird 3.0.4
2010-02-25 18:24 OpenSSL
OpenSSL Security Advisory [11-Nov-2009]: OpenSSL 0.9.8m is now available, including important bug and security fixes
OpenSSL 0.9.8m (Support for RFC5746 TLS renegotiation extension.) released.
2010-02-13 IETF
draft-ietf-tls-renegotiation-03.txt: RFC5746: Transport Layer Security (TLS) Renegotiation Indication Extension
2010-02-09 20:04 Microsoft
Microsoft Security Advisory (977377): Vulnerability in TLS/SSL Could Allow Spoofing
Security Advisory (977377) published.
2010-01-04 IETF
draft-ietf-tls-renegotiation-03.txt: Transport Layer Security (TLS) Renegotiation Indication Extension
2009-12-16 IETF
draft-ietf-tls-renegotiation-02.txt: Transport Layer Security (TLS) Renegotiation Indication Extension
2009-11-26 IETF
draft-ietf-tls-renegotiation-01.txt: Transport Layer Security (TLS) Renegotiation Indication Extension
2009-11-19 IETF
draft-ietf-tls-renegotiation-00.txt: Transport Layer Security (TLS) Renegotiation Indication Extension
2009-11-11 15:50 OpenSSL
OpenSSL Security Advisory [11-Nov-2009]: A potentially serious flaw in SSL and TLS has been worked around in OpenSSL 0.9.8l.
OpenSSL 0.9.8l (Temporary work around for CVE-2009-3555: disable renegotiation.) released.
2009-11-06 23:01 US-CERT
SSL and TLS Vulnerable to Man-in-the-middle Attacks
US-CERT Current Activity
Public notification for "Vulnerability within the SSL and TLS protocols".
2009-11-05 03:20
Authentication Gap in TLS Renegotiation
Vulnerability proof-of-concept information posted to Web site.

Reference

Date first published (UTC): 2010-09-12T03:51+00:00
Date last updated (UTC): 2010-09-12T03:51+00:00