RHSA-2010:0166

Executive Summary

Summary
Title	gnutls security update

Informations
Name	RHSA-2010:0166	First vendor Publication	2010-03-25
Vendor	RedHat	Last vendor Modification	2010-03-25
Severity (Vendor)	Moderate	Revision	01

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:P)
Cvss Base Score	5.8	Attack Range	Network
Cvss Impact Score	4.9	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentification	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated gnutls packages that fix two security issues are now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The GnuTLS library provides support for cryptographic algorithms and for
protocols such as Transport Layer Security (TLS).

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handled session renegotiation. A man-in-the-middle
attacker could use this flaw to prefix arbitrary plain text to a client's
session (for example, an HTTPS connection to a website). This could force
the server to process an attacker's request as if authenticated using the
victim's credentials. This update addresses this flaw by implementing the
TLS Renegotiation Indication Extension, as defined in RFC 5746.
(CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about
the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491

Dan Kaminsky found that browsers could accept certificates with MD2 hash
signatures, even though MD2 is no longer considered a cryptographically
strong algorithm. This could make it easier for an attacker to create a
malicious certificate that would be treated as trusted by a browser. GnuTLS
now disables the use of the MD2 algorithm inside signatures by default.
(CVE-2009-2409)

Users of GnuTLS are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For the update to take
effect, all applications linked to the GnuTLS library must be restarted, or
the system rebooted.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

510197 - CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2010-0166.html

CWE : Common Weakness Enumeration

id	Name
CWE-310	Cryptographic Issues

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:8594

Oval ID:	oval:org.mitre.oval:def:8594
Title:	VMware Network Security Services (NSS) certificate spoofing vulnerability by using MD2 design flaw
Description:	The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-2409	Version:	2
Platform(s):	VMWare ESX Server 4	Product(s):
Definition Synopsis:
VMware ESX Server 4.0 is installed AND Patch ESX400-200912403-SG is not installed

Definition Id: oval:org.mitre.oval:def:7155

Oval ID:	oval:org.mitre.oval:def:7155
Title:	VMware ESX, Service Console update for OpenSSL, GnuTLS, NSS and NSPR.
Description:	The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-2409	Version:	3
Platform(s):	VMWare ESX Server 4	Product(s):
Definition Synopsis:
VMware ESX Server 4.0 is installed AND Patch ESX400-201009401-SG is not installed.

Definition Id: oval:org.mitre.oval:def:6631

Oval ID:	oval:org.mitre.oval:def:6631
Title:	Network Security Services Library Supports Certificates With Weak MD2 Hash Signatures
Description:	The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-2409	Version:	3
Platform(s):	VMWare ESX Server 4	Product(s):
Definition Synopsis:
VMware ESX Server 4.0 is installed AND Patch ESX400-201005401-SG is not installed

Definition Id: oval:org.mitre.oval:def:10763

Oval ID:	oval:org.mitre.oval:def:10763
Title:	The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Description:	The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-2409	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL3, CentOS3 RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND Configuration section openssl-perl is earlier than 0:0.9.7a-33.26 AND seamonkey-nspr is earlier than 0:1.0.9-0.45.el3 AND seamonkey-js-debugger is earlier than 0:1.0.9-0.45.el3 AND seamonkey-nss-devel is earlier than 0:1.0.9-0.45.el3 AND seamonkey is earlier than 0:1.0.9-0.45.el3 AND seamonkey-nspr-devel is earlier than 0:1.0.9-0.45.el3 AND openssl-devel is earlier than 0:0.9.7a-33.26 AND openssl is earlier than 0:0.9.7a-33.26 AND seamonkey-mail is earlier than 0:1.0.9-0.45.el3 AND seamonkey-chat is earlier than 0:1.0.9-0.45.el3 AND seamonkey-nss is earlier than 0:1.0.9-0.45.el3 AND seamonkey-devel is earlier than 0:1.0.9-0.45.el3 AND seamonkey-dom-inspector is earlier than 0:1.0.9-0.45.el3 OR OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section openssl-perl is earlier than 0:0.9.7a-43.17.el4_8.5 AND openssl-devel is earlier than 0:0.9.7a-43.17.el4_8.5 AND openssl is earlier than 0:0.9.7a-43.17.el4_8.5 AND nss-devel is earlier than 0:3.12.3.99.3-1.el4_8.2 AND nspr is earlier than 0:4.7.4-1.el4_8.1 AND nss is earlier than 0:3.12.3.99.3-1.el4_8.2 AND nss-tools is earlier than 0:3.12.3.99.3-1.el4_8.2 AND nspr-devel is earlier than 0:4.7.4-1.el4_8.1 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section openssl-perl is earlier than 0:0.9.8e-12.el5_4.1 AND nss-pkcs11-devel is earlier than 0:3.12.3.99.3-1.el5_3.2 AND nspr-devel is earlier than 0:4.7.4-1.el5_3.1 AND gnutls is earlier than 0:1.4.1-3.el5_4.8 AND openssl is earlier than 0:0.9.8e-12.el5_4.1 AND java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-1.7.b09.el5 AND nspr is earlier than 0:4.7.4-1.el5_3.1 AND nss is earlier than 0:3.12.3.99.3-1.el5_3.2 AND java-1.6.0-openjdk is earlier than 1:1.6.0.0-1.7.b09.el5 AND java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-1.7.b09.el5 AND openssl-devel is earlier than 0:0.9.8e-12.el5_4.1 AND gnutls-devel is earlier than 0:1.4.1-3.el5_4.8 AND nss-devel is earlier than 0:3.12.3.99.3-1.el5_3.2 AND java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-1.7.b09.el5 AND java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-1.7.b09.el5 AND nss-tools is earlier than 0:3.12.3.99.3-1.el5_3.2 AND gnutls-utils is earlier than 0:1.4.1-3.el5_4.8

Definition Id: oval:org.mitre.oval:def:8535

Oval ID:	oval:org.mitre.oval:def:8535
Title:	HP-UX Running OpenSSL, Remote Unauthorized Data Injection, Denial of Service (DoS)
Description:	The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-3555	Version:	3
Platform(s):	HP-UX 11	Product(s):
Definition Synopsis:
Criteria meets HP Security Bulletin HPSBUX02482 HP Release B.11.23 AND filesets tests openssl.OPENSSL-PVT version is less than A.00.09.08l.002 AND openssl.OPENSSL-RUN version is less than A.00.09.08l.002 AND openssl.OPENSSL-CER version is less than A.00.09.08l.002 AND openssl.OPENSSL-CONF version is less than A.00.09.08l.002 AND openssl.OPENSSL-DOC version is less than A.00.09.08l.002 AND openssl.OPENSSL-INC version is less than A.00.09.08l.002 AND openssl.OPENSSL-LIB version is less than A.00.09.08l.002 AND openssl.OPENSSL-MAN version is less than A.00.09.08l.002 AND openssl.OPENSSL-MIS version is less than A.00.09.08l.002 AND openssl.OPENSSL-SRC version is less than A.00.09.08l.002 AND openssl.OPENSSL-PRNG version is less than A.00.09.08l.002 OR Criteria meets HP Security Bulletin HPSBUX02482 HP Release B.11.11 AND filesets tests openssl.OPENSSL-PVT version is less than A.00.09.08l.001 AND openssl.OPENSSL-RUN version is less than A.00.09.08l.001 AND openssl.OPENSSL-CER version is less than A.00.09.08l.001 AND openssl.OPENSSL-CONF version is less than A.00.09.08l.001 AND openssl.OPENSSL-DOC version is less than A.00.09.08l.001 AND openssl.OPENSSL-INC version is less than A.00.09.08l.001 AND openssl.OPENSSL-LIB version is less than A.00.09.08l.001 AND openssl.OPENSSL-MAN version is less than A.00.09.08l.001 AND openssl.OPENSSL-SRC version is less than A.00.09.08l.001 AND openssl.OPENSSL-MIS version is less than A.00.09.08l.001 AND openssl.OPENSSL-PRNG version is less than A.00.09.08l.001 OR Criteria meets HP Security Bulletin HPSBUX02482 HP-UX B.11.31 AND filesets tests openssl.OPENSSL-PRNG version is less than A.00.09.08l.003 AND openssl.OPENSSL-RUN version is less than A.00.09.08l.003 AND openssl.OPENSSL-CER version is less than A.00.09.08l.003 AND openssl.OPENSSL-CONF version is less than A.00.09.08l.003 AND openssl.OPENSSL-DOC version is less than A.00.09.08l.003 AND openssl.OPENSSL-INC version is less than A.00.09.08l.003 AND openssl.OPENSSL-LIB version is less than A.00.09.08l.003 AND openssl.OPENSSL-MAN version is less than A.00.09.08l.003 AND openssl.OPENSSL-SRC version is less than A.00.09.08l.003 AND openssl.OPENSSL-MIS version is less than A.00.09.08l.003 AND openssl.OPENSSL-PRNG version is less than A.00.09.08l.003

Definition Id: oval:org.mitre.oval:def:8366

Oval ID:	oval:org.mitre.oval:def:8366
Title:	HP-UX Running Apache, Remote Unauthorized Data Injection, Denial of Service (DoS)
Description:	The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-3555	Version:	3
Platform(s):	HP-UX 11	Product(s):
Definition Synopsis:
platforms HP Release B.11.11 AND HP Release B.11.23 AND HP-UX B.11.31 AND filesets tests hpuxwsAPACHE.APACHE2 version is less than B.2.0.59.13 AND hpuxwsAPCH32.PHP version is less than B.2.0.59.13 AND hpuxwsAPCH32.PHP2 version is less than B.2.0.59.13 AND hpuxwsAPACHE.AUTH_LDAP version is less than B.2.0.59.13 AND hpuxwsAPACHE.AUTH_LDAP2 version is less than B.2.0.59.13 AND hpuxwsAPCH32.APACHE version is less than B.2.0.59.13 AND hpuxwsAPACHE.MOD_JK version is less than B.2.0.59.13 AND hpuxwsAPCH32.APACHE2 version is less than B.2.0.59.13 AND hpuxwsAPACHE.MOD_JK2 version is less than B.2.0.59.13 AND hpuxwsAPACHE.MOD_PERL version is less than B.2.0.59.13 AND hpuxwsAPCH32.AUTH_LDAP version is less than B.2.0.59.13 AND hpuxwsAPCH32.AUTH_LDAP2 version is less than B.2.0.59.13 AND hpuxwsAPACHE.MOD_PERL2 version is less than B.2.0.59.13 AND hpuxwsAPACHE.PHP version is less than B.2.0.59.13 AND hpuxwsAPCH32.MOD_JK version is less than B.2.0.59.13 AND hpuxwsAPACHE.PHP2 version is less than B.2.0.59.13 AND hpuxwsAPCH32.MOD_JK2 version is less than B.2.0.59.13 AND hpuxwsAPCH32.WEBPROXY version is less than B.2.0.59.13 AND hpuxwsAPACHE.WEBPROXY version is less than B.2.0.59.13 AND hpuxwsAPCH32.MOD_PERL version is less than B.2.0.59.13 AND hpuxwsAPCH32.MOD_PERL2 version is less than B.2.0.59.13 AND hpuxwsAPACHE.APACHE version is less than B.2.0.59.13

Definition Id: oval:org.mitre.oval:def:7973

Oval ID:	oval:org.mitre.oval:def:7973
Title:	Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation Affects Applications Utilizing Network Security Services (NSS)
Description:	The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-3555	Version:	1
Platform(s):	Sun Solaris 8 Sun Solaris 9 Sun Solaris 10	Product(s):
Definition Synopsis:
Solaris 8 (SPARC) meets Sun Alert 273350 Solaris 8 (SPARC) is installed AND NOT Patch 119209-22 or later installed AND SUNWtls is installed OR Solaris 9 (SPARC) meets Sun Alert 273350 Solaris 9 (SPARC) is installed AND NOT Patch 119211-22 or later installed AND SUNWtls is installed OR Solaris 10 (SPARC) meets Sun Alert 273350 Solaris 10 (SPARC) is installed AND NOT Patch 119213-21 or later installed AND SUNWtls is installed OR Solaris 9 (x86) meets Sun Alert 273350 Solaris 9 (x86) is installed AND NOT Patch 119212-22 or later installed AND SUNWtls is installed OR Solaris 10 (x86) meets Sun Alert 273350 Solaris 10 (x86) is installed AND NOT Patch 119214-21 or later installed AND SUNWtls is installed

Definition Id: oval:org.mitre.oval:def:7478

Oval ID:	oval:org.mitre.oval:def:7478
Title:	VMware ESX, Service Console update for OpenSSL, GnuTLS, NSS and NSPR.
Description:	The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-3555	Version:	3
Platform(s):	VMWare ESX Server 4	Product(s):
Definition Synopsis:
VMware ESX Server 4.0 is installed AND Patch ESX400-201009401-SG is not installed.

Definition Id: oval:org.mitre.oval:def:7315

Oval ID:	oval:org.mitre.oval:def:7315
Title:	TLS/SSL Renegotiation Vulnerability
Description:	The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2009-3555	Version:	7
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows 7	Product(s):	Mozilla Firefox Mozilla Thunderbird Mozilla SeaMonkey
Definition Synopsis:
IF Mozilla Firefox is installed AND Mozilla Firefox 3.5.x before 3.5.9 and 3.6.x before 3.6.2 OR Mozilla Seamonkey is installed AND Mozilla Seamonkey version less than 2.0 AND Mozilla Seamonkey version 2.x and less than 2.0.4 OR Mozilla Thunderbird is installed AND Mozilla Thunderbird version less than 3.0.4 OR Vulnerable Microsoft Windows XP SP3 x86 Microsoft Windows XP (x86) SP3 is installed AND the version of schannel.dll is less than 5.1.2600.6006 OR Vulnerable Microsoft Windows XP SP2 x64, Windows Server 2003 x86/x64/ia64 SP2 IF Microsoft Windows XP x64 Edition SP2 is installed AND Microsoft Windows Server 2003 SP2 (x86) is installed AND Microsoft Windows Server 2003 SP2 (x64) is installed AND Microsoft Windows Server 2003 (ia64) SP2 is installed AND the version of schannel.dll is less than 5.2.3790.4724 OR Vulnerable Microsoft Windows Vista x86/x64 SP1, Server 2008 x86/x64/ia64 IF Microsoft Windows Vista (32-bit) Service Pack 1 is installed AND Microsoft Windows Vista x64 Edition Service Pack 1 is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND GDR or LDR Service branch the version of schannel.dll is less than 6.0.6001.18490 OR LDR the version of schannel.dll is greater than or equal to 6.0.6001.22000 AND the version of schannel.dll is less than 6.0.6001.22709 OR Vulnerable Microsoft Windows Vista x86/x64 SP2, Server 2008 x86/x64/ia64 SP2 IF Microsoft Windows Vista (32-bit) Service Pack 2 is installed AND Microsoft Windows Vista x64 Edition Service Pack 2 is installed AND Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed AND Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed AND Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed AND GDR or LDR Service branch the version of schannel.dll is less than 6.0.6002.18269 OR LDR the version of schannel.dll is greater than or equal to 6.0.6002.22000 AND the version of schannel.dll is less than 6.0.6002.22422 OR Vulnerable Microsoft Windows 7 x86/x64, Windows Server 2008 R2 x64/ia64 IF Microsoft Windows 7 (32-bit) is installed AND Microsoft Windows 7 x64 Edition is installed AND Microsoft Windows Server 2008 R2 x64 Edition is installed AND Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed AND GDR or LDR Service branch the version of schannel.dll is less than 6.1.7600.16612 OR LDR the version of schannel.dll is greater than or equal to 6.1.7600.20000 AND the version of schannel.dll is less than 6.1.7600.20735

Definition Id: oval:org.mitre.oval:def:11617

Oval ID:	oval:org.mitre.oval:def:11617
Title:	AIX OpenSSL session renegotiation vulnerability
Description:	The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-3555	Version:	3
Platform(s):	IBM AIX 5.2 IBM AIX 5.3 IBM AIX 6.1	Product(s):
Definition Synopsis:
OS check IBM AIX 5.3 is installed AND openssl.base versions less than 0.9.8.1102 OR OS based check IBM AIX 5.3 is installed AND openssl.base FIPS capable versions less than 12.9.8.1102 OR OS check openssl.base versions less than 0.9.8.1102 AND IBM AIX Version 6.1 check AND IBM AIX Version 6.1 check OR openssl.base FIPS capable versions less than 12.9.8.1102 AND IBM AIX Version 6.1 check AND IBM AIX Version 6.1 check OR IBM AIX 5.2 is installed AND openssl.base versions less than 0.9.8.805

Definition Id: oval:org.mitre.oval:def:11578

Oval ID:	oval:org.mitre.oval:def:11578
Title:	Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation Affects OpenSSL
Description:	The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-3555	Version:	3
Platform(s):	Sun Solaris 10	Product(s):
Definition Synopsis:
Solaris 10 (SPARC) meets Sun Alert 1021653.1 Solaris 10 (SPARC) is installed AND NOT Patch 143140-04 or later installed OR Solaris 10 (SPARC) meets Sun Alert 1021653.1 Solaris 10 (SPARC) is installed AND NOT Patch 145102-01 or later installed OR Solaris 10 (x86) meets Sun Alert 1021653.1 Solaris 10 (x86) is installed AND NOT Patch 141525-10 or later installed

Definition Id: oval:org.mitre.oval:def:10088

Oval ID:	oval:org.mitre.oval:def:10088
Title:	The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Description:	The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2009-3555	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL3, CentOS3 RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND Configuration section openssl-perl is earlier than 0:0.9.7a-33.26 AND openssl-devel is earlier than 0:0.9.7a-33.26 AND openssl is earlier than 0:0.9.7a-33.26 AND httpd-devel is earlier than 0:2.0.46-77.ent AND mod_ssl is earlier than 0:2.0.46-77.ent AND httpd is earlier than 0:2.0.46-77.ent OR OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section openssl-perl is earlier than 0:0.9.7a-43.17.el4_8.5 AND httpd-suexec is earlier than 0:2.0.52-41.ent.6 AND httpd-manual is earlier than 0:2.0.52-41.ent.6 AND nspr is earlier than 0:4.8.4-1.1.el4_8 AND mod_ssl is earlier than 0:2.0.52-41.ent.6 AND nss is earlier than 0:3.12.6-1.el4_8 AND nspr-devel is earlier than 0:4.8.4-1.1.el4_8 AND httpd is earlier than 0:2.0.52-41.ent.6 AND openssl-devel is earlier than 0:0.9.7a-43.17.el4_8.5 AND gnutls is earlier than 0:1.0.20-4.el4_8.7 AND openssl is earlier than 0:0.9.7a-43.17.el4_8.5 AND httpd-devel is earlier than 0:2.0.52-41.ent.6 AND nss-devel is earlier than 0:3.12.6-1.el4_8 AND gnutls-devel is earlier than 0:1.0.20-4.el4_8.7 AND nss-tools is earlier than 0:3.12.6-1.el4_8 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section openssl097a is earlier than 0:0.9.7a-9.el5_4.2 AND openssl-perl is earlier than 0:0.9.8e-12.el5_4.6 AND nss-pkcs11-devel is earlier than 0:3.12.6-1.el5_4 AND httpd-manual is earlier than 0:2.2.3-31.el5_4.2 AND nspr-devel is earlier than 0:4.8.4-1.el5_4 AND gnutls is earlier than 0:1.4.1-3.el5_4.8 AND openssl is earlier than 0:0.9.8e-12.el5_4.6 AND httpd-devel is earlier than 0:2.2.3-31.el5_4.2 AND java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-1.11.b16.el5 AND mod_ssl is earlier than 0:2.2.3-31.el5_4.2 AND nspr is earlier than 0:4.8.4-1.el5_4 AND nss is earlier than 0:3.12.6-1.el5_4 AND httpd is earlier than 0:2.2.3-31.el5_4.2 AND java-1.6.0-openjdk is earlier than 1:1.6.0.0-1.11.b16.el5 AND java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-1.11.b16.el5 AND openssl-devel is earlier than 0:0.9.8e-12.el5_4.6 AND gnutls-devel is earlier than 0:1.4.1-3.el5_4.8 AND nss-devel is earlier than 0:3.12.6-1.el5_4 AND java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-1.11.b16.el5 AND java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-1.11.b16.el5 AND nss-tools is earlier than 0:3.12.6-1.el5_4 AND gnutls-utils is earlier than 0:1.4.1-3.el5_4.8

CPE : Common Platform Enumeration

Type	Description	Count
Application	Apache Http Server cpe:/a:apache:http_server:2.2.8 cpe:/a:apache:http_server:2.2.7 cpe:/a:apache:http_server:2.2.6 cpe:/a:apache:http_server:2.2.5 cpe:/a:apache:http_server:2.2.4 cpe:/a:apache:http_server:2.2.3 cpe:/a:apache:http_server:2.2.2 cpe:/a:apache:http_server:2.2.13 cpe:/a:apache:http_server:2.2.12 cpe:/a:apache:http_server:2.2.11 cpe:/a:apache:http_server:2.2.10 cpe:/a:apache:http_server:2.2.1 cpe:/a:apache:http_server:2.2.0 cpe:/a:apache:http_server:2.2 cpe:/a:apache:http_server:2.1.9 cpe:/a:apache:http_server:2.1.8 cpe:/a:apache:http_server:2.1.7 cpe:/a:apache:http_server:2.1.6 cpe:/a:apache:http_server:2.1.5 cpe:/a:apache:http_server:2.1.4 cpe:/a:apache:http_server:2.1.3 cpe:/a:apache:http_server:2.1.2 cpe:/a:apache:http_server:2.1.1 cpe:/a:apache:http_server:2.0.9 cpe:/a:apache:http_server:2.0.63 cpe:/a:apache:http_server:2.0.61 cpe:/a:apache:http_server:2.0.60 cpe:/a:apache:http_server:2.0.59 cpe:/a:apache:http_server:2.0.58 cpe:/a:apache:http_server:2.0.58::win32 cpe:/a:apache:http_server:2.0.57 cpe:/a:apache:http_server:2.0.56 cpe:/a:apache:http_server:2.0.55 cpe:/a:apache:http_server:2.0.54 cpe:/a:apache:http_server:2.0.53 cpe:/a:apache:http_server:2.0.52 cpe:/a:apache:http_server:2.0.51 cpe:/a:apache:http_server:2.0.50 cpe:/a:apache:http_server:2.0.49 cpe:/a:apache:http_server:2.0.48 cpe:/a:apache:http_server:2.0.47 cpe:/a:apache:http_server:2.0.46 cpe:/a:apache:http_server:2.0.46::win32 cpe:/a:apache:http_server:2.0.45 cpe:/a:apache:http_server:2.0.44 cpe:/a:apache:http_server:2.0.43 cpe:/a:apache:http_server:2.0.42 cpe:/a:apache:http_server:2.0.41 cpe:/a:apache:http_server:2.0.40 cpe:/a:apache:http_server:2.0.39 cpe:/a:apache:http_server:2.0.38 cpe:/a:apache:http_server:2.0.37 cpe:/a:apache:http_server:2.0.36 cpe:/a:apache:http_server:2.0.35 cpe:/a:apache:http_server:2.0.34:beta cpe:/a:apache:http_server:2.0.32 cpe:/a:apache:http_server:2.0.32:beta cpe:/a:apache:http_server:2.0.28 cpe:/a:apache:http_server:2.0.28:beta cpe:/a:apache:http_server:2.0 cpe:/a:apache:http_server:1.99 cpe:/a:apache:http_server:1.4.0 cpe:/a:apache:http_server:1.3.9 cpe:/a:apache:http_server:1.3.8 cpe:/a:apache:http_server:1.3.7::dev cpe:/a:apache:http_server:1.3.7 cpe:/a:apache:http_server:1.3.68 cpe:/a:apache:http_server:1.3.65 cpe:/a:apache:http_server:1.3.6 cpe:/a:apache:http_server:1.3.5 cpe:/a:apache:http_server:1.3.4 cpe:/a:apache:http_server:1.3.39 cpe:/a:apache:http_server:1.3.38 cpe:/a:apache:http_server:1.3.37 cpe:/a:apache:http_server:1.3.36 cpe:/a:apache:http_server:1.3.35 cpe:/a:apache:http_server:1.3.34 cpe:/a:apache:http_server:1.3.33 cpe:/a:apache:http_server:1.3.32 cpe:/a:apache:http_server:1.3.31 cpe:/a:apache:http_server:1.3.30 cpe:/a:apache:http_server:1.3.3 cpe:/a:apache:http_server:1.3.29 cpe:/a:apache:http_server:1.3.28 cpe:/a:apache:http_server:1.3.27 cpe:/a:apache:http_server:1.3.26 cpe:/a:apache:http_server:1.3.25 cpe:/a:apache:http_server:1.3.24 cpe:/a:apache:http_server:1.3.23 cpe:/a:apache:http_server:1.3.22 cpe:/a:apache:http_server:1.3.20 cpe:/a:apache:http_server:1.3.2 cpe:/a:apache:http_server:1.3.19 cpe:/a:apache:http_server:1.3.18 cpe:/a:apache:http_server:1.3.17 cpe:/a:apache:http_server:1.3.16 cpe:/a:apache:http_server:1.3.15 cpe:/a:apache:http_server:1.3.14 cpe:/a:apache:http_server:1.3.13 cpe:/a:apache:http_server:1.3.12 cpe:/a:apache:http_server:1.3.11 cpe:/a:apache:http_server:1.3.1.1 cpe:/a:apache:http_server:1.3.0 cpe:/a:apache:http_server:1.3 cpe:/a:apache:http_server:1.2.6 cpe:/a:apache:http_server:1.2.5 cpe:/a:apache:http_server:1.2.4 cpe:/a:apache:http_server:1.2 cpe:/a:apache:http_server:1.1.1 cpe:/a:apache:http_server:1.0.5 cpe:/a:apache:http_server:1.0.3 cpe:/a:apache:http_server:1.0.2 cpe:/a:apache:http_server:1.0 cpe:/a:apache:http_server:0.8.14 cpe:/a:apache:http_server:0.8.11	115
Application	Gnu Gnutls cpe:/a:gnu:gnutls:2.8.1 cpe:/a:gnu:gnutls:2.8.0 cpe:/a:gnu:gnutls:2.7.4 cpe:/a:gnu:gnutls:2.6.6 cpe:/a:gnu:gnutls:2.6.5 cpe:/a:gnu:gnutls:2.6.4 cpe:/a:gnu:gnutls:2.6.3 cpe:/a:gnu:gnutls:2.6.2 cpe:/a:gnu:gnutls:2.6.1 cpe:/a:gnu:gnutls:2.6.0 cpe:/a:gnu:gnutls:2.5.0 cpe:/a:gnu:gnutls:2.4.2 cpe:/a:gnu:gnutls:2.4.1 cpe:/a:gnu:gnutls:2.4.0 cpe:/a:gnu:gnutls:2.3.9 cpe:/a:gnu:gnutls:2.3.8 cpe:/a:gnu:gnutls:2.3.7 cpe:/a:gnu:gnutls:2.3.6 cpe:/a:gnu:gnutls:2.3.5 cpe:/a:gnu:gnutls:2.3.4 cpe:/a:gnu:gnutls:2.3.3 cpe:/a:gnu:gnutls:2.3.2 cpe:/a:gnu:gnutls:2.3.11 cpe:/a:gnu:gnutls:2.3.10 cpe:/a:gnu:gnutls:2.3.1 cpe:/a:gnu:gnutls:2.3.0 cpe:/a:gnu:gnutls:2.2.5 cpe:/a:gnu:gnutls:2.2.4 cpe:/a:gnu:gnutls:2.2.3 cpe:/a:gnu:gnutls:2.2.2 cpe:/a:gnu:gnutls:2.2.1 cpe:/a:gnu:gnutls:2.2.0 cpe:/a:gnu:gnutls:2.1.8 cpe:/a:gnu:gnutls:2.1.7 cpe:/a:gnu:gnutls:2.1.6 cpe:/a:gnu:gnutls:2.1.5 cpe:/a:gnu:gnutls:2.1.4 cpe:/a:gnu:gnutls:2.1.3 cpe:/a:gnu:gnutls:2.1.2 cpe:/a:gnu:gnutls:2.1.1 cpe:/a:gnu:gnutls:2.1.0 cpe:/a:gnu:gnutls:2.0.4 cpe:/a:gnu:gnutls:2.0.3 cpe:/a:gnu:gnutls:2.0.2 cpe:/a:gnu:gnutls:2.0.1 cpe:/a:gnu:gnutls:2.0.0 cpe:/a:gnu:gnutls:1.7.9 cpe:/a:gnu:gnutls:1.7.8 cpe:/a:gnu:gnutls:1.7.7 cpe:/a:gnu:gnutls:1.7.6 cpe:/a:gnu:gnutls:1.7.5 cpe:/a:gnu:gnutls:1.7.4 cpe:/a:gnu:gnutls:1.7.3 cpe:/a:gnu:gnutls:1.7.2 cpe:/a:gnu:gnutls:1.7.19 cpe:/a:gnu:gnutls:1.7.18 cpe:/a:gnu:gnutls:1.7.17 cpe:/a:gnu:gnutls:1.7.16 cpe:/a:gnu:gnutls:1.7.15 cpe:/a:gnu:gnutls:1.7.14 cpe:/a:gnu:gnutls:1.7.13 cpe:/a:gnu:gnutls:1.7.12 cpe:/a:gnu:gnutls:1.7.11 cpe:/a:gnu:gnutls:1.7.10 cpe:/a:gnu:gnutls:1.7.1 cpe:/a:gnu:gnutls:1.7.0 cpe:/a:gnu:gnutls:1.6.3 cpe:/a:gnu:gnutls:1.6.2 cpe:/a:gnu:gnutls:1.6.1 cpe:/a:gnu:gnutls:1.6.0 cpe:/a:gnu:gnutls:1.5.5 cpe:/a:gnu:gnutls:1.5.4 cpe:/a:gnu:gnutls:1.5.3 cpe:/a:gnu:gnutls:1.5.2 cpe:/a:gnu:gnutls:1.5.1 cpe:/a:gnu:gnutls:1.5.0 cpe:/a:gnu:gnutls:1.4.5 cpe:/a:gnu:gnutls:1.4.4 cpe:/a:gnu:gnutls:1.4.3 cpe:/a:gnu:gnutls:1.4.2 cpe:/a:gnu:gnutls:1.4.1 cpe:/a:gnu:gnutls:1.4.0 cpe:/a:gnu:gnutls:1.3.5 cpe:/a:gnu:gnutls:1.3.4 cpe:/a:gnu:gnutls:1.3.3 cpe:/a:gnu:gnutls:1.3.2 cpe:/a:gnu:gnutls:1.3.1 cpe:/a:gnu:gnutls:1.3.0 cpe:/a:gnu:gnutls:1.2.9 cpe:/a:gnu:gnutls:1.2.8.1a1 cpe:/a:gnu:gnutls:1.2.8 cpe:/a:gnu:gnutls:1.2.7 cpe:/a:gnu:gnutls:1.2.6 cpe:/a:gnu:gnutls:1.2.5 cpe:/a:gnu:gnutls:1.2.4 cpe:/a:gnu:gnutls:1.2.3 cpe:/a:gnu:gnutls:1.2.2 cpe:/a:gnu:gnutls:1.2.11 cpe:/a:gnu:gnutls:1.2.10 cpe:/a:gnu:gnutls:1.2.1 cpe:/a:gnu:gnutls:1.2.0 cpe:/a:gnu:gnutls:1.1.23 cpe:/a:gnu:gnutls:1.1.22 cpe:/a:gnu:gnutls:1.1.21 cpe:/a:gnu:gnutls:1.1.20 cpe:/a:gnu:gnutls:1.1.19 cpe:/a:gnu:gnutls:1.1.18 cpe:/a:gnu:gnutls:1.1.17 cpe:/a:gnu:gnutls:1.1.16 cpe:/a:gnu:gnutls:1.1.15 cpe:/a:gnu:gnutls:1.1.14 cpe:/a:gnu:gnutls:1.1.13 cpe:/a:gnu:gnutls:1.0.25 cpe:/a:gnu:gnutls:1.0.24 cpe:/a:gnu:gnutls:1.0.23 cpe:/a:gnu:gnutls:1.0.22 cpe:/a:gnu:gnutls:1.0.21 cpe:/a:gnu:gnutls:1.0.20 cpe:/a:gnu:gnutls:1.0.19 cpe:/a:gnu:gnutls:1.0.18 cpe:/a:gnu:gnutls:1.0.17 cpe:/a:gnu:gnutls:1.0.16	122
Application	Microsoft Iis cpe:/a:microsoft:iis:7.0	1
Application	Mozilla Firefox cpe:/a:mozilla:firefox	1
Application	Mozilla Nss cpe:/a:mozilla:nss:3.9.5 cpe:/a:mozilla:nss:3.9 cpe:/a:mozilla:nss:3.8 cpe:/a:mozilla:nss:3.7.7 cpe:/a:mozilla:nss:3.7.5 cpe:/a:mozilla:nss:3.7.3 cpe:/a:mozilla:nss:3.7.2 cpe:/a:mozilla:nss:3.7.1 cpe:/a:mozilla:nss:3.7 cpe:/a:mozilla:nss:3.6.1 cpe:/a:mozilla:nss:3.6 cpe:/a:mozilla:nss:3.5 cpe:/a:mozilla:nss:3.4.3 cpe:/a:mozilla:nss:3.4.2 cpe:/a:mozilla:nss:3.4.1 cpe:/a:mozilla:nss:3.4 cpe:/a:mozilla:nss:3.3.2 cpe:/a:mozilla:nss:3.3.1 cpe:/a:mozilla:nss:3.3 cpe:/a:mozilla:nss:3.2.1 cpe:/a:mozilla:nss:3.2 cpe:/a:mozilla:nss:3.12.2 cpe:/a:mozilla:nss:3.12.1 cpe:/a:mozilla:nss:3.12 cpe:/a:mozilla:nss:3.11.8 cpe:/a:mozilla:nss:3.11.7 cpe:/a:mozilla:nss:3.11.4 cpe:/a:mozilla:nss:3.11.2 cpe:/a:mozilla:nss:3.10 cpe:/a:mozilla:nss:3.0	30
Application	Openssl Openssl cpe:/a:openssl:openssl:1.0::openvms cpe:/a:openssl:openssl:0.9.8k cpe:/a:openssl:openssl:0.9.8j cpe:/a:openssl:openssl:0.9.8i cpe:/a:openssl:openssl:0.9.8h cpe:/a:openssl:openssl:0.9.8g cpe:/a:openssl:openssl:0.9.8f cpe:/a:openssl:openssl:0.9.8e cpe:/a:openssl:openssl:0.9.8d cpe:/a:openssl:openssl:0.9.8c cpe:/a:openssl:openssl:0.9.8b cpe:/a:openssl:openssl:0.9.8a cpe:/a:openssl:openssl:0.9.8 cpe:/a:openssl:openssl:0.9.7m cpe:/a:openssl:openssl:0.9.7l cpe:/a:openssl:openssl:0.9.7k cpe:/a:openssl:openssl:0.9.7j cpe:/a:openssl:openssl:0.9.7i cpe:/a:openssl:openssl:0.9.7h cpe:/a:openssl:openssl:0.9.7g cpe:/a:openssl:openssl:0.9.7f cpe:/a:openssl:openssl:0.9.7e cpe:/a:openssl:openssl:0.9.7d cpe:/a:openssl:openssl:0.9.7c cpe:/a:openssl:openssl:0.9.7b cpe:/a:openssl:openssl:0.9.7a cpe:/a:openssl:openssl:0.9.7 cpe:/a:openssl:openssl:0.9.7:beta5 cpe:/a:openssl:openssl:0.9.7:beta1 cpe:/a:openssl:openssl:0.9.7:beta4 cpe:/a:openssl:openssl:0.9.7:beta2 cpe:/a:openssl:openssl:0.9.7:beta3 cpe:/a:openssl:openssl:0.9.7:beta6 cpe:/a:openssl:openssl:0.9.6m cpe:/a:openssl:openssl:0.9.6l cpe:/a:openssl:openssl:0.9.6k cpe:/a:openssl:openssl:0.9.6j cpe:/a:openssl:openssl:0.9.6i cpe:/a:openssl:openssl:0.9.6h cpe:/a:openssl:openssl:0.9.6g cpe:/a:openssl:openssl:0.9.6f cpe:/a:openssl:openssl:0.9.6e cpe:/a:openssl:openssl:0.9.6d cpe:/a:openssl:openssl:0.9.6c cpe:/a:openssl:openssl:0.9.6b cpe:/a:openssl:openssl:0.9.6a:beta3 cpe:/a:openssl:openssl:0.9.6a:beta1 cpe:/a:openssl:openssl:0.9.6a cpe:/a:openssl:openssl:0.9.6a:beta2 cpe:/a:openssl:openssl:0.9.6:beta2 cpe:/a:openssl:openssl:0.9.6:beta1 cpe:/a:openssl:openssl:0.9.6 cpe:/a:openssl:openssl:0.9.6:beta3 cpe:/a:openssl:openssl:0.9.5a:beta1 cpe:/a:openssl:openssl:0.9.5a:beta2 cpe:/a:openssl:openssl:0.9.5a cpe:/a:openssl:openssl:0.9.5:beta2 cpe:/a:openssl:openssl:0.9.5:beta1 cpe:/a:openssl:openssl:0.9.5 cpe:/a:openssl:openssl:0.9.4 cpe:/a:openssl:openssl:0.9.3a cpe:/a:openssl:openssl:0.9.3 cpe:/a:openssl:openssl:0.9.2b cpe:/a:openssl:openssl:0.9.1c	64

ExploitDB Exploits

id	Description
2009-12-21	TLS Renegotiation Vulnerability PoC Exploit

Open Source Vulnerability Database (OSVDB)

id	Description
77832	Parallels Plesk Panel Billing System TLS Renegotiation Handshakes MiTM Plaint...
75622	Blue Coat Director TLS Renegotiation Handshakes MiTM Plaintext Data Injection
74335	Hitachi Web Server TLS Renegotiation Handshakes MiTM Plaintext Data Injection
71961	Oracle Fusion Middleware Oracle WebLogic Server TLS Renegotiation Handshakes ...
71951	Oracle Multiple Products Oracle Security Service TLS Renegotiation Handshakes...
70620	mGuard TLS Renegotiation Handshakes MiTM Plaintext Data Injection
70055	Oracle Supply Chain Transportation Management TLS Renegotiation Handshakes Mi...
69561	IBM WebSphere MQ Internet Pass-Thru TLS Renegotiation Handshake MiTM Plaintex...
69032	Oracle Java SE / Java for Business TLS Renegotiation Handshake MiTM Plaintext...
67029	HP Threat Management Services zl Module TLS Renegotiation Handshakes MiTM Pla...
66315	HP Insight Manager TLS Renegotiation Handshakes MiTM Plaintext Data Injection
65202	OpenOffice.org (OOo) TLS Renegotiation Handshakes MiTM Plaintext Data Injection
64725	HP System Management Homepage (SMH) TLS Renegotiation Handshakes MiTM Plainte...
64499	ArubaOS HTTPS WebUI Admin Interface TLS Renegotiation Handshakes MiTM Plainte...
64040	IBM DB2 TLS Renegotiation Handshakes MiTM Plaintext Data Injection
62877	SSH Tectia Audit Player TLS Renegotiation Handshakes MiTM Plaintext Data Inje...
62536	Blue Coat Products TLS Renegotiation Handshakes MiTM Plaintext Data Injection
62273	Opera TLS Renegotiation Handshakes MiTM Plaintext Data Injection
62210	Aruba Mobility Controller TLS Renegotiation Handshakes MiTM Plaintext Data In...
62135	Network Security Services (NSS) TLS Renegotiation Handshakes MiTM Plaintext D...
62064	IBM Java TLS Renegotiation Handshakes MiTM Plaintext Data Injection
61929	IBM WebSphere Application Server TLS Renegotiation Handshakes MiTM Plaintext ...
61785	Avaya Products Multiple Product TLS Renegotiation Handshakes MiTM Plaintext D...
61784	Sun Java System Multiple Product TLS Renegotiation Handshakes MiTM Plaintext ...
61718	IBM WebSphere DataPower TLS Renegotiation Handshakes MiTM Plaintext Data Inje...
61234	IBM SDK for Java TLS Renegotiation Handshakes MiTM Plaintext Data Injection
60521	Ingate Firewall/SIParator SSL / TLS Renegotiation Handshakes MiTM Plaintext D...
60366	Cisco Multiple Devices TLS Renegotiation Handshakes MiTM Plaintext Data Injec...
59974	MatrixSSL TLS Renegotiation Handshakes MiTM Plaintext Data Injection
59973	Citrix Secure Gateway TLS Renegotiation Handshakes MiTM Plaintext Data Injection
59972	GnuTLS TLS Renegotiation Handshakes MiTM Plaintext Data Injection
59971	OpenSSL TLS Renegotiation Handshakes MiTM Plaintext Data Injection
59970	Mozilla Network Security Services (NSS) SSL / TLS Renegotiation Handshakes Mi...
59969	Apache HTTP Server mod_ssl SSL / TLS Renegotiation Handshakes MiTM Plaintext ...
59968	Microsoft Multiple Products SSL / TLS Renegotiation Handshakes MiTM Plaintext...
56752	Network Security Services (NSS) Library X.509 Certificate MD2 Hash Collision ...