Updated Versions of NSS and NSPR, Resolving SSL/TLS Vulnerability CVE-2009-3555 (Sun Java System Web Server 6.1 SP13 Release Notes)

Sun Java System Web Server 6.1 SP12/SP13 Release Notes

Previous: Release Notes Revision History
Next: HTTP Response-Splitting and XSS Vulnerability Resolved

Updated Versions of NSS and NSPR, Resolving SSL/TLS Vulnerability CVE-2009-3555

Web Server 6.1 SP12 included NSS 3.12.5, which provided relief, but not resolution, for the SSL/TLS renegotiation vulnerability CVE-2009-3555. Additionally, Web Server 6.1 SP12 disabled all use of SSL/TLS renegotiation in order to protect Web Server from attack. If either the client or Web Server attempted to trigger renegotiation on an existing SSL/TLS session, the connection would fail.

Web Server 6.1 SP13 includes NSS 3.12.7, which provides safe SSL/TLS renegotiation and so provides resolution of CVE-2009-3555. As a result, Web Server 6.1 SP13 re-enables use of SSL/TLS renegotiation. For more information about Web Server 6.1 SP13 support of NSS and NSPR, see NSS and NSPR Support.

Previous: Release Notes Revision History
Next: HTTP Response-Splitting and XSS Vulnerability Resolved