edge.launchpad.net : server does not support RFC 5746, see CVE-2009-3555

Bug #605026 reported by Alex Mayorga
Affects           Status  Importance  Assigned to  Milestone
Launchpad itself  New     Undecided   Unassigned

Bug Description

Got these messages on Firefox 4 beta while wandering around launchpad.net, reporting in case they're relevant.

launchpadlibrarian.net : server does not support RFC 5746, see CVE-2009-3555
bugs.edge.launchpad.net : server does not support RFC 5746, see CVE-2009-3555
edge.launchpad.net : server does not support RFC 5746, see CVE-2009-3555


Curtis Hovey (sinzui)
affects: launchpad → launchpad-foundations
Robert Collins (lifeless) wrote :

Thanks for reporting this, we're looking into it.

Marc Deslauriers (mdeslaur) wrote :

We have fixed CVE-2009-3555 by disabling client-side renegotiation in our updated Apache packages here:

http://www.ubuntulinux.org/usn/USN-860-1

Unfortunately, Firefox gives this warning when it detects the server doesn't support the new renegotiation protocol, RFC 5746, even if CVE-2009-3555 is no longer a threat. In this sense, it is a false alert, as noted by some in the upstream Mozilla bug report:

https://bugzilla.mozilla.org/show_bug.cgi?id=554594

We will be publishing updated OpenSSL packages in the future that support RFC 5746, so this problem can be ignored for now, and will go away completely eventually.

Curtis Hovey (sinzui)
security vulnerability: yes → no
visibility: private → public