CVE-2011-3389

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

• sun-java6 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=645881) [lenny] - sun-java6 (Non-free not supported) [squeeze] - sun-java6 (Non-free not supported)
• openjdk-6 6b23~pre11-1
• openjdk-7 7~b147-2.0-1
• iceweasel (Vulnerable code not present) http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
• chromium-browser 15.0.874.106~r107270-1 [squeeze] - chromium-browser
• lighttpd 1.4.30-1 strictly speaking this is no lighttpd issue, but lighttpd adds a workaround
• curl 7.24.0-1 http://curl.haxx.se/docs/adv_20120124B.html
• python2.6 2.6.8-0.1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684511) [squeeze] - python2.6 (Minor issue)
• python2.7 2.7.3~rc1-1
• python3.1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678998) [squeeze] - python3.1 (Minor issue)
• python3.2 3.2.3~rc1-1 http://bugs.python.org/issue13885 python3.1 is fixed starting 3.1.5
• cyassl
• gnutls26 (unimportant)
• gnutls28 (unimportant) No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported since 2.0.0
• haskell-tls (unimportant) No mitigation for haskell-tls, it is recommended to use TLS 1.1, which is supported since 0.2
• matrixssl (low) [squeeze] - matrixssl (Minor issue) [wheezy] - matrixssl (Minor issue) matrixssl fix this upstream in 3.2.2
• bouncycastle 1.49+dfsg-1 [squeeze] - bouncycastle (Minor issue) [wheezy] - bouncycastle (Minor issue) No mitigation for bouncycastle, it is recommended to use TLS 1.1, which is supported since 1.4.9
• nss 3.13.1.with.ckbi.1.88-1 https://bugzilla.mozilla.org/show_bug.cgi?id=665814 https://hg.mozilla.org/projects/nss/rev/7f7446fcc7ab
• polarssl (unimportant) No mitigation for polarssl, it is recommended to use TLS 1.1, which is supported in all releases
• tlslite [wheezy] - tlslite (Minor issue)
• pound 2.6-2 Pound 2.6-2 added an anti_beast.patch to mitigate BEAST attacks.
• erlang 1:15.b-dfsg-1 [squeeze] - erlang (Minor issue)
• asterisk 1:13.7.2dfsg-1 [jessie] - asterisk 1:11.13.1dfsg-2+deb8u1 [wheezy] - asterisk (Minor issue) [squeeze] - asterisk (Not supported in Squeeze LTS) http://downloads.digium.com/pub/security/AST-2016-001.html https://issues.asterisk.org/jira/browse/ASTERISK-24972 patch for 11 (jessie): https://code.asterisk.org/code/changelog/asterisk?cs=f233bcd81d85626ce5bdd27b05bc95d131faf3e4 all versions vulnerable, backport required for wheezy