TITLE: HP Tru64 UNIX - SSRT090249 : Vulnerability in SSL/TLS Protocol Renegotiation

Copyright (c) Hewlett-Packard Company 2009. All rights reserved.

PRODUCT: HP Internet Express for Tru64 UNIX

SOURCE: Hewlett-Packard Company

ECO INFORMATION:

   ECO Name:                  T64V51B-IX691-APACHE2213-SSRT178-20091209.tar.gz
   ECO Kit Approximate Size:  44.8 MB
   Kit Applies To:            HP Internet Express for Tru64 UNIX 6.9

ECO KIT CHECKSUMS:

   /usr/bin/sum results:    44419 45895
   /usr/bin/cksum results:  2389323405 46995856
   MD5 results:             1ee8876763bcab5c004f4d14cda78cd8
   SHA1 results:            c595c0a86902af63050d9cac02d2f7f4960e291d

   Verify the downloaded kit against these values before extracting it.
   The MD5 and SHA1 digests are the values to rely on; sum and cksum only
   detect accidental corruption, not a substituted file.

ECO KIT SUMMARY:

   A setld-based patch kit exists for HP Internet Express for Tru64 UNIX 6.9
   (IX) that contains a solution to the following problem:

   The issue stems from TLS renegotiation requests. It allows an attacker who
   is on the same network as the victim, positioned between the client and the
   server, to inject plaintext data into the TLS/SSL protocol stream from the
   client to the server and have that data processed in the authentication
   context of the client: the server treats the attacker's bytes as the start
   of the client's own request, so for HTTPS the attacker's request is
   executed with the client's cookies or other credentials. This can lead to
   various attacks.

SPECIAL INSTALLATION INSTRUCTIONS:

   The kit "T64V51B-IX691-APACHE2213-SSRT178-20091209.tar.gz", when
   extracted, contains the following:

      - IX691-APACHE1.3-SSRT.tar.gz  (Installable Kit)
      - apache_1.3.41.tar.Z          (sources)

   Installing the kit:

      1. gunzip T64V51B-IX691-APACHE2213-SSRT178-20091209.tar.gz
      2. tar xvf T64V51B-IX691-APACHE2213-SSRT178-20091209.tar
      3. gunzip IX691-APACHE1.3-SSRT.tar.gz
      4. tar xvf IX691-APACHE1.3-SSRT.tar
      5. cd apache-1.3_kit
      6. ls -R

         IAE.image  IAEAPCH691  INSTCTRL  instctrl

         ./instctrl:
         IAE.image  IAE691.comp  IAEAPCH691.ctrl  IAEAPCH691.inv  IAEAPCH691.scp

      7. setld -l .

   After installation, confirm with "setld -i" that the subset is listed as
   installed, and restart the web server so that the patched binaries are the
   ones in service.

SUPERSEDE INFORMATION:

   Please note that the IX Apache (2.2) ERP delivered with this EA contains
   the subset IAEHTTPD691. This IAEHTTPD691 supersedes the IAEHTTPD691 subset
   delivered with SSRT167 (T64V51B-IX691-APACHE229-SSRT167-20090626.tar.gz).

KNOWN PROBLEMS WITH THE PATCH KIT:

   None.
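The checksum verification that the ECO KIT CHECKSUMS section calls for, as an added example that is not part of the HP advisory or the kit. It recomputes the POSIX cksum value (CRC-32 with polynomial 0x04C11DB7, length folded in, final complement, as specified for /usr/bin/cksum) and the MD5 and SHA1 digests, and reports which published values do not match. The /usr/bin/sum value is deliberately not reproduced, because that utility's algorithm and block size differ between BSD-style and System V-style implementations. The expected values are copied from the advisory; the sample byte strings in the test are constructed and the kit file itself is not embedded.

```python
"""Verify an HP ECO kit against the checksums published in its advisory.

Added example, not HP's code. Run as:  python verify_kit.py <kit file>
"""
import hashlib
import sys

# Values copied from the advisory's ECO KIT CHECKSUMS section.
ADVISORY_KIT = "T64V51B-IX691-APACHE2213-SSRT178-20091209.tar.gz"
ADVISORY_EXPECTED = {
    "cksum": (2389323405, 46995856),          # /usr/bin/cksum: CRC and byte count
    "md5": "1ee8876763bcab5c004f4d14cda78cd8",
    "sha1": "c595c0a86902af63050d9cac02d2f7f4960e291d",
}

# CRC-32 table for the POSIX cksum variant: non-reflected, polynomial 0x04C11DB7.
_CRC_TABLE = []
for _i in range(256):
    _c = _i << 24
    for _ in range(8):
        _c = ((_c << 1) ^ 0x04C11DB7) if _c & 0x80000000 else (_c << 1)
    _CRC_TABLE.append(_c & 0xFFFFFFFF)


def posix_cksum(data: bytes):
    """Return (crc, length) exactly as /usr/bin/cksum prints them."""
    crc = 0
    for b in data:
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _CRC_TABLE[((crc >> 24) ^ b) & 0xFF]
    n = len(data)
    while n:  # the byte length is fed into the CRC, least significant byte first
        crc = ((crc << 8) & 0xFFFFFFFF) ^ _CRC_TABLE[((crc >> 24) ^ (n & 0xFF)) & 0xFF]
        n >>= 8
    return (~crc) & 0xFFFFFFFF, len(data)


def kit_digests(data: bytes) -> dict:
    """All three values the advisory publishes, computed over the same bytes."""
    return {
        "cksum": posix_cksum(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def verify_kit(data: bytes, expected: dict) -> list:
    """Return the names of the checks that FAILED; an empty list means the kit matches."""
    got = kit_digests(data)
    return [name for name, want in expected.items() if got.get(name) != want]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else ADVISORY_KIT
    with open(path, "rb") as fh:
        failed = verify_kit(fh.read(), ADVISORY_EXPECTED)
    print("OK: all published checksums match" if not failed
          else "MISMATCH in: " + ", ".join(failed))
    sys.exit(1 if failed else 0)
```

The pure-Python CRC loop is slow on a 45 MB kit (tens of seconds); on the target host `/usr/bin/cksum` is the faster path, and the MD5/SHA1 mismatch is the one that should stop an installation.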
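The injection described in the ECO KIT SUMMARY, as an added example that is not part of the HP advisory or the patch kit. Nothing here speaks TLS; it models only the byte stream an HTTPS server's request parser receives once the attacker's plaintext (sent over the attacker's own session before renegotiation) and the victim's request (sent over the renegotiated session) are joined into one stream, and contrasts that with a server that refuses the renegotiation so the two streams never meet. The hostname, paths and cookie value are constructed for the example.

```python
"""Renegotiation prefix injection as seen by the server's HTTP parser.

Added example, not HP's code and not a network tool.
"""

# Attacker-supplied plaintext. The final header line is deliberately left
# unterminated so that whatever follows it is absorbed as that header's value.
ATTACKER_PREFIX = (
    b"GET /account/delete HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"X-Ignore: "
)

# The victim's genuine request, carrying the victim's session cookie.
CLIENT_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Cookie: session=victim-secret-token\r\n"
    b"\r\n"
)


def parse_request(stream: bytes):
    """Minimal HTTP/1.1 request-head parser: (method, target, {header: value})."""
    head, _, _body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), target.decode(), headers


def server_view(segments, allow_renegotiation: bool):
    """Requests the server acts on, given the bytes each party sent.

    With renegotiation allowed, the segments become one stream and the first
    request the server executes is the attacker's line carrying the victim's
    headers. With it refused, each party's bytes stay in their own session, and
    the attacker's head never gets its terminating blank line, so it is never
    executed (represented here as None).
    """
    if allow_renegotiation:
        return [parse_request(b"".join(segments))]
    return [parse_request(s) if b"\r\n\r\n" in s else None for s in segments]


def renegotiation_splice_demo() -> dict:
    """Summarise what the vulnerable server executes for the two constructed streams."""
    _method, target, headers = server_view([ATTACKER_PREFIX, CLIENT_REQUEST], True)[0]
    return {
        "target": target,                       # attacker's path
        "cookie": headers.get("cookie"),        # victim's credential
        "swallowed": headers.get("x-ignore"),   # victim's own request line, neutralised
    }


if __name__ == "__main__":
    print("renegotiation allowed:", renegotiation_splice_demo())
    print("renegotiation refused:", server_view([ATTACKER_PREFIX, CLIENT_REQUEST], False))
```

The attacker never learns the cookie; the damage is that the server performs the attacker's chosen action on the victim's behalf, which is why the fix is on the server side rather than in the client.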
[R] UNIX is a registered trademark in the United States and other countries licensed exclusively through X/Open Company Limited. Copyright Hewlett-Packard Company 2009. All Rights reserved. This software is proprietary to and embodies the confidential technology of Hewlett-Packard Company. Possession, use, or copying of this software and media is authorized only pursuant to a valid written license from Hewlett-Packard or an authorized sublicensor. This ECO has not been through an exhaustive field test process. Due to the experimental stage of this ECO/workaround, Hewlett-Packard makes no representations regarding its use or performance. The customer shall have the sole responsibility for adequate protection and back-up data used in conjunction with this ECO/workaround.