Pound, a HTTP reverse proxy and load balancer, had several issues related to vulnerabilities in the Secure Sockets Layer (SSL) protocol. For Debian 7 (wheezy) this update adds a missing part to make it actually possible to disable client-initiated renegotiation and disables it by default (CVE-2009-3555). TLS compression is disabled (CVE-2012-4929), although this is normally already disabled by the OpenSSL system library. Finally it adds the ability to disable the SSLv3 protocol (CVE-2014-3566) entirely via the new DisableSSLv3 configuration directive, although it will not disabled by default in this update. Additionally a non-security sensitive issue in redirect encoding is addressed. For Debian 8 (jessie) these issues have been fixed prior to the release, with the exception of client-initiated renegotiation (CVE-2009-3555). This update addresses that issue for jessie. For the oldstable distribution (wheezy), these problems have been fixed in version 2.6-2+deb7u1. For the stable distribution (jessie), these problems have been fixed in version 2.6-6+deb8u1. For the unstable distribution (sid), these problems have been fixed in version 2.6-6.1. We recommend that you upgrade your pound packages.
Pound, a HTTP reverse proxy and load balancer, had several issues related to vulnerabilities in the Secure Sockets Layer (SSL) protocol.
For Debian 7 (wheezy) this update adds a missing part to make it actually
possible to disable client-initiated renegotiation and disables it by default
(CVE-2009-3555).
TLS compression is disabled (CVE-2012-4929),
although this is normally already disabled by the OpenSSL system library.
Finally it adds the ability to disable the SSLv3 protocol (CVE-2014-3566)
entirely via the new DisableSSLv3
configuration directive, although it
will not disabled by default in this update. Additionally a non-security
sensitive issue in redirect encoding is
addressed.
For Debian 8 (jessie) these issues have been fixed prior to the release, with the exception of client-initiated renegotiation (CVE-2009-3555). This update addresses that issue for jessie.
For the oldstable distribution (wheezy), these problems have been fixed in version 2.6-2+deb7u1.
For the stable distribution (jessie), these problems have been fixed in version 2.6-6+deb8u1.
For the unstable distribution (sid), these problems have been fixed in version 2.6-6.1.
We recommend that you upgrade your pound packages.