VU#120541/CVE-2009-3555 and IMAPS/POPS with nginx
Quanah Gibson-Mount
quanah at zimbra.com
Sat Nov 21 03:18:10 MSK 2009
--On Saturday, November 21, 2009 3:12 AM +0300 Maxim Dounin
<mdounin at mdounin.ru> wrote:
> Hello!
>
> On Fri, Nov 20, 2009 at 03:14:29PM -0800, Quanah Gibson-Mount wrote:
>
>> I've patched nginx, and tested https, POPS, and IMAPS. https fails
>> correctly:
>
>
> What patch you used, nginx version and openssl version? Recent
> nginx versions (0.8.23+, 0.7.64) already has workarounds for older
> openssl libraries and correctly disable renegotiation in all
> mentioned cases, closing connection immediately. At least they do
> so on all openssl versions I've tested.
nginx-0.5.37 + security patches
(<http://sysoev.ru/nginx/patch.cve-2009-3555.txt>, etc)
openssl 0.9.8l
As I noted, it correctly hangs up HTTPS. It leaves POPS and IMAPS open.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
More information about the nginx
mailing list