Files ≈ Packet Storm
Packet Storm - Information Security News, Files, Tools, Exploits, Advisories and Whitepapers
http://packetstormsecurity.org/
Mon, 28 May 2012 06:35:39 GMT

SUSE Security Announcement SUSE-SA:2009:057
http://packetstormsecurity.org/files/82770/SUSE-SA-2009-057.txt
http://packetstormsecurity.org/files/82770/SUSE-Security-Announcement-SUSE-SA-2009-057.html
Wed, 18 Nov 2009 16:19:02 GMT

SUSE Security Announcement - The TLS/SSLv3 protocol as implemented in openssl prior to this update could not associate data already sent with a renegotiated connection. This allowed man-in-the-middle attackers to inject HTTP requests into an HTTPS session without being noticed. For example, Apache's mod_ssl was vulnerable to this kind of attack because it uses openssl. It is believed that this vulnerability is actively exploited in the wild to get access to HTTPS-protected web sites. Please note that this update disables renegotiation for any application using openssl, which may cause problems in some cases. Additionally, this attack is not limited to HTTP.