[Pkg-apache-commits] r1225 - in /trunk/apache2: NEWS changelog
sf at alioth.debian.org
Sat Aug 28 19:01:26 UTC 2010
Author: sf
Date: Sat Aug 28 19:01:16 2010
New Revision: 1225
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1225
Log:
add note about SSLInsecureRenegotiation to NEWS.Debian
Modified:
trunk/apache2/NEWS
trunk/apache2/changelog
Modified: trunk/apache2/NEWS
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/NEWS?rev=1225&op=diff
==============================================================================
--- trunk/apache2/NEWS (original)
+++ trunk/apache2/NEWS Sat Aug 28 19:01:16 2010
@@ -12,6 +12,17 @@
apache2 (2.2.15-1) unstable; urgency=low
+ * To fix a security vulnerability in the design of the SSL/TLS protocol
+ (CVE-2009-3555), the protocol had to be extended (RFC 5746). By default,
+ session renegotiation is no longer supported with old clients that do not
+ implement this extension. This breaks certain configurations with client
+ certificate authentication. If you still need to support old clients, you
+ may restore the old (insecure) behaviour by uncommenting the
+
+ SSLInsecureRenegotiation on
+
+ line in /etc/apache2/mods-available/ssl.conf
+
* This release adds and enables mod_reqtimeout, which limits the time
Apache waits for a client to send a complete request. This helps to
mitigate against certain denial of service attacks. In case of problems
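Review bot: the new NEWS text names the breakage ("certain configurations with client certificate authentication") but gives the admin no way to tell whether they are affected, nor any hint that "SSLInsecureRenegotiation on" reintroduces the CVE-2009-3555 weakness and should be treated as a temporary measure. Suggest adding one sentence after the "line in /etc/apache2/mods-available/ssl.conf" line stating what symptom an affected setup shows (renegotiation requests from such clients failing) and that the directive should be turned off again once the old clients have been updated, so readers do not leave the insecure setting enabled by habit.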
@@ -19,7 +30,7 @@
/etc/apache2/mods-available/reqtimeout.conf , or the module can be
disabled with "a2dismod reqtimeout".
- -- Stefan Fritsch <sf at debian.org> Sun, 07 Mar 2010 23:09:30 +0100
+ -- Stefan Fritsch <sf at debian.org> Sat, 28 Aug 2010 20:49:30 +0100
apache2 (2.2.14-6) unstable; urgency=low
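Review bot: this hunk only re-dates the trailer of the already published "apache2 (2.2.15-1)" stanza (from Sun, 07 Mar 2010 to Sat, 28 Aug 2010) instead of adding a new stanza for the version in which the note ships. Tools that display NEWS.Debian on upgrade select entries newer than the installed version, so users who already have 2.2.15-1 or later will never be shown the amended text; suggest moving the renegotiation note into a new stanza matching the changelog entry that references #593334. Minor: the new trailer uses "+0100" for a late-August date, while the commit timestamp (19:01:16 UTC) is earlier than "20:49:30 +0100" would imply, which suggests the offset should be "+0200".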
Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1225&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Sat Aug 28 19:01:16 2010
@@ -4,6 +4,8 @@
* If the init script's reload action is called immediately after the start
action, wait a bit to allow apache2 to start and register its signal
handlers. Closes: #589386, LP: #603192
+ * Add a note about the new behaviour of SSL/TLS renegotiation and the new
+ directive SSLInsecureRenegotiation to NEWS.Debian. Closes: #593334
* Support 'graceful' as alias for 'reload' in the init script.
* In README.Debian, suggest an Apache configuration change to get rid of the
"Could not reliably determine the server's fully qualified domain name"
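Review bot: the changelog line says the note was added "to NEWS.Debian" but not that an existing, already released stanza was edited rather than a new one created; mention the stanza (or add the NEWS entry under the current version) so reviewers can see why the 2.2.15-1 trailer date changed in the same commit.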