After further editing. Timeline is to do this shortly after Joe's patch
gets the needed votes.
To: announce@http... Subject: CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation
Apache httpd is affected by CVE-2009-3555 (The SSL Injection or MiM
We strongly urge you to upgrade to OpenSSL 0.9.8l; and be prepared to
deploy 0.9.8m as it becomes available. Note that these are short term
and mid-term mitigation; the long term solution may well require a
modification of the SSL and/or TLS protocols.
For those who are not able to upgrade OpenSSL swiftly and/or for those
who need detailed logging - we recommend that you roll out this patch:
for mod_ssl as soon as possible. This is a partial fix in lieu of the
protocol issues being addressed and further changes to OpenSSL.
If you are unable to patch and unable to roll our a newer version of
OpenSSL, and you rely on Client Side Authentication with Certificates
then we recommend that you 1) ensure that you limit your configuration
to a single 'SSLClient require' on VirtualHost/Sever level and 2) remove
all other (re)negotiation/require directives. However this does NOT
fully protect you - it just curtails authentication in this specific
A version with this patch, Apache 2.2.15, is currently being readied.
Note that as mod_ssl is not part of the 1.3 branch distribution. A
further announcement will be sent out when these are available.