Debian DSA-3253-1 : pound - security update (POODLE)

Medium Nessus Plugin ID 83306

Synopsis

The remote Debian host is missing a security-related update.

Description

Pound, a HTTP reverse proxy and load balancer, had several issues related to vulnerabilities in the Secure Sockets Layer (SSL) protocol.

For Debian 7 (wheezy) this update adds a missing part to make it actually possible to disable client-initiated renegotiation and disables it by default (CVE-2009-3555 ). TLS compression is disabled (CVE-2012-4929 ), although this is normally already disabled by the OpenSSL system library. Finally it adds the ability to disable the SSLv3 protocol (CVE-2014-3566 ) entirely via the new 'DisableSSLv3' configuration directive, although it will not disabled by default in this update. Additionally a non-security sensitive issue in redirect encoding is addressed.

For Debian 8 (jessie) these issues have been fixed prior to the release, with the exception of client-initiated renegotiation (CVE-2009-3555 ). This update addresses that issue for jessie.

Solution

Upgrade the pound packages.

For the oldstable distribution (wheezy), these problems have been fixed in version 2.6-2+deb7u1.

For the stable distribution (jessie), these problems have been fixed in version 2.6-6+deb8u1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723731

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727197

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765539

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765649

https://security-tracker.debian.org/tracker/CVE-2009-3555

https://security-tracker.debian.org/tracker/CVE-2012-4929

https://security-tracker.debian.org/tracker/CVE-2014-3566

https://security-tracker.debian.org/tracker/CVE-2009-3555

https://packages.debian.org/source/wheezy/pound

https://packages.debian.org/source/jessie/pound

https://www.debian.org/security/2015/dsa-3253

Plugin Details

Severity: Medium

ID: 83306

File Name: debian_DSA-3253.nasl

Version: 2.13

Type: local

Agent: unix

Published: 2015/05/11

Updated: 2018/11/10

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 6.8

Temporal Score: 6.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:pound, cpe:/o:debian:debian_linux:7.0, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/05/07

Reference Information

CVE: CVE-2009-3555, CVE-2012-4929, CVE-2014-3566

BID: 36935, 55704, 70574

DSA: 3253

CWE: 310