nginx 0.7.64 and CVE-2009-3555 TLS / SSL renegotiation

JW jw at mailsw.com
Sat Feb 13 02:28:15 MSK 2010


I'm running nginx/0.7.64, compiled from source.

The top of the changelog that came with the source says:

Changes with nginx 0.7.64                                        16 Nov 2009

    *) Security: now SSL/TLS renegotiation is disabled.
       Thanks to Maxim Dounin.


Also http://nginx.org/en/security_advisories.html says:

The renegotiation vulnerability in SSL protocol
Severity: major
VU#120541  CVE-2009-3555
Not vulnerable: 0.8.23+, 0.7.64+


I also checked against http://sysoev.ru/nginx/patch.cve-2009-3555.txt and the 
source I have does seem to contain that patch.


However, I've had a scanning vendor tell me I'm still vulnerable to the 
problem:

" . . . service allows renegotiation of TLS / SSL connections."

and references CVE-2009-3555


What can I do in order to make sure this is fixed please?

Thanks,

	JW

-- 

----------------------
System Administrator - Cedar Creek Software
http://www.cedarcreeksoftware.com


