[pkg-lighttpd] Bug#700399: Bug#700399: vulnerable to CRIME SSL attack (CVE-2012-4929)

Arno Töll arno at debian.org
Thu Feb 14 13:31:32 UTC 2013


Hi Thijs,

On 12.02.2013 16:08, Thijs Kinkhorst wrote:
> Do you agree on the approach? Barring any objections I'm planning to release 
> this as a DSA after the weekend.

I am by no means an expert with the SSL API, but I believe your patch to
disable SSL compression looks fine (although it diverges from upstream's
fix, as you noted). Yours looks pretty much like the fix we applied to
Apache.

Are you sure the negotiation patch has no side effects with respect to
SSL compression?


Moreover, I would suggest announcing your change in a NEWS entry for
stable updates. People might rely on the renegotiation feature in
multi-vhost SSL setups.

Otherwise I'm happy you provided a patch. The renegotiation fix should
also be in Wheezy.


[1]
http://redmine.lighttpd.net/projects/lighttpd/repository/entry/branches/lighttpd-1.4.x/src/network.c#L576

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
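The mechanism the SSL-compression patch discussed above defends against, as an added example that is not part of this thread or of lighttpd's code: a minimal compression oracle in the style of CRIME (CVE-2012-4929). The attacker controls part of the plaintext (here the request path) that is compressed together with a secret the browser appends (here a cookie), and reads the secret byte by byte from the compressed length alone. Everything in it is constructed: the request layout, the hypothetical cookie value, the hex alphabet, and the padding trick. It uses zlib's fixed-Huffman strategy (Z_FIXED) so that the cost model is exact and the demo is deterministic; TLS compression used zlib's default dynamic tables, where the same attack works with a noisier length signal.

```python
"""Compression-oracle demonstration in the style of CRIME (constructed example)."""
import zlib

# Constructed secret standing in for a session cookie the attacker cannot read.
SECRET_COOKIE = "sessionid=7f3a9c"      # hypothetical value, hex digits after '='
COOKIE_NAME = "sessionid="
HEX_ALPHABET = "0123456789abcdef"

# Padding bytes that appear nowhere else in the request. In DEFLATE's fixed
# Huffman table every byte value >= 144 costs 9 bits, so each padding byte
# shifts the bit alignment of the output by one bit.
PADDING_BYTES = bytes(range(0x90, 0x98))


def build_request(attacker_path: bytes, cookie: str) -> bytes:
    """Simulated plaintext entering the TLS record layer: attacker-chosen path,
    browser-added cookie header. Layout is constructed for this example."""
    return (b"GET /" + attacker_path + b" HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Cookie: " + cookie.encode() + b"\r\n\r\n")


def compressed_len(data: bytes) -> int:
    """Length of the zlib-compressed stream, fixed Huffman tables (assumption
    made for determinism; TLS used the default strategy)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, zlib.MAX_WBITS, 9, zlib.Z_FIXED)
    return len(comp.compress(data) + comp.flush())


def oracle_cost(guess: str, cookie: str, measure=compressed_len) -> int:
    """Sum the measured lengths over 8 padding offsets.

    Output length is byte-granular, but a correct guess extends the LZ77 match
    by one character and saves 7-8 bits; sweeping all eight bit alignments makes
    that saving visible in the sum no matter where the byte boundary falls.
    """
    total = 0
    for k in range(len(PADDING_BYTES)):
        path = guess.encode() + PADDING_BYTES[:k]
        total += measure(build_request(path, cookie))
    return total


def recover_secret(header_prefix: str, cookie: str,
                   alphabet: str = HEX_ALPHABET, max_len: int = 32,
                   measure=compressed_len) -> str:
    """Recover the cookie value that follows header_prefix, one byte at a time.

    header_prefix is the text the attacker knows precedes the secret
    (e.g. "Cookie: sessionid="). Stops when no single candidate is cheapest,
    i.e. the secret ended or the next byte is outside the alphabet.
    """
    known = ""
    for _ in range(max_len):
        costs = {c: oracle_cost(header_prefix + known + c, cookie, measure)
                 for c in alphabet}
        best = min(costs.values())
        winners = [c for c, cost in costs.items() if cost == best]
        if len(winners) != 1:
            break
        known += winners[0]
    return known


if __name__ == "__main__":
    prefix = "Cookie: " + COOKIE_NAME
    print("with compression   :", recover_secret(prefix, SECRET_COOKIE))
    # With compression disabled the length no longer depends on content,
    # so every guess costs the same and nothing is recovered.
    print("without compression:", repr(recover_secret(prefix, SECRET_COOKIE, measure=len)))
```

`recover_secret("Cookie: sessionid=", "sessionid=7f3a9c")` returns `"7f3a9c"`; passing `measure=len` (the situation after SSL compression is disabled, as the patch does) returns an empty string, because every candidate produces the same length and the oracle is gone. That content independence of the ciphertext length is the whole point of the fix.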
