Author: markt
Date: Fri Nov 20 00:50:20 2009
New Revision: 882369
URL: http://svn.apache.org/viewvc?rev=882369&view=rev
Log:
Propose alternative fix
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=882369&r1=882368&r2=882369&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Fri Nov 20 00:50:20 2009
@@ -250,4 +250,11 @@
http://people.apache.org/~markt/patches/2009-11-17-cookie-allow-equals.patch
+1: markt
-1:
-
\ No newline at end of file
+
+* Alternative fix for CVE-2009-3555 SSL MITN
+ The current patch uses an async callback to close the socket. It is
+ technically possible an attack may suceed before the socket is closed
+ The new patch only logs failed server initiated negotiations
+ http://people.apache.org/~markt/patches/2009-11-20-cve2009-3555-v2.patch
+ +1: markt
+ -1:
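Review bot: The added CVE-2009-3555 entry does not say how the v2 patch closes the window it describes: the description states that an attack may succeed before the async callback closes the socket, then says only that the new patch "only logs failed server initiated negotiations". Add a line stating what the new patch does with the renegotiation in place of the async close, so voters can judge the proposal from STATUS.txt without opening the patch. Wording nits in the same entry: "SSL MITN" in the title line should be "SSL MITM", "suceed" should be "succeed", and the sentence ending "before the socket is closed" is missing its full stop.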