Debian DSA-3253-1 : pound - security update (POODLE)

low Nessus Plugin ID 83306


The remote Debian host is missing a security-related update.


Pound, an HTTP reverse proxy and load balancer, had several issues related to vulnerabilities in the Secure Sockets Layer (SSL) protocol.

For Debian 7 (wheezy), this update adds a missing part to make it actually possible to disable client-initiated renegotiation, and disables it by default (CVE-2009-3555). TLS compression is disabled (CVE-2012-4929), although this is normally already disabled by the OpenSSL system library. Finally, it adds the ability to disable the SSLv3 protocol (CVE-2014-3566) entirely via the new 'DisableSSLv3' configuration directive, although SSLv3 will not be disabled by default in this update. Additionally, a non-security-sensitive issue in redirect encoding is addressed.

For Debian 8 (jessie), these issues have been fixed prior to the release, with the exception of client-initiated renegotiation (CVE-2009-3555). This update addresses that issue for jessie.


Upgrade the pound packages.

For the oldstable distribution (wheezy), these problems have been fixed in version 2.6-2+deb7u1.

For the stable distribution (jessie), these problems have been fixed in version 2.6-6+deb8u1.

Plugin Details

Severity: Low

ID: 83306

File Name: debian_DSA-3253.nasl

Version: 2.16

Type: local

Agent: unix

Published: 5/11/2015

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent

Risk Information


Risk Factor: Medium

Score: 5.9


Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

Temporal Vector: E:POC/RL:OF/RC:C


Risk Factor: Low

Base Score: 3.4

Temporal Score: 3.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:pound, cpe:/o:debian:debian_linux:7.0, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/7/2015

Vulnerability Publication Date: 11/9/2009

Reference Information

CVE: CVE-2009-3555, CVE-2012-4929, CVE-2014-3566

BID: 36935, 55704, 70574

DSA: 3253

CWE: 310