[pkg-lighttpd] Bug#700399: Bug#700399: vulnerable to CRIME SSL attack (CVE-2012-4929)

Thijs Kinkhorst thijs at uvt.nl
Thu Feb 14 14:23:21 UTC 2013


On Thursday 14 February 2013 14:31:32, Arno Töll wrote:
> On 12.02.2013 16:08, Thijs Kinkhorst wrote:
> > Do you agree on the approach? Barring any objections I'm planning to
> > release this as a DSA after the weekend.
> 
> I am by no means an expert with the SSL API, but I believe your patch to
> disable SSL compression looks fine (although diverging from upstream's
> fix as you noted). Yours looks pretty much like the fix we applied to
> Apache.
> 
> Are you sure the negotiation patch has no side effects with respect to
> SSL compression?

I'm pretty sure, and our tests show that the new packages both disabled the 
renegotiation and compression.

> Moreover, I would suggest announcing your change in a NEWS entry for
> stable updates. People might rely on the renegotiation feature in multi
> vhost SSL setups.

Yes, I'll make a NEWS item based on the one in Apache then, and upload to 
security-master.

> Otherwise I'm happy you provided a patch. The renegotiation fix should
> also be in Wheezy.

Yes, agreed.


Cheers,
Thijs
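The two checks the thread relies on, as an added example that is not part of the original message or of the lighttpd package: a server TLS context built with compression turned off (the Python `ssl` equivalent of what the lighttpd patch does through OpenSSL's SSL_OP_NO_COMPRESSION), plus a parser that reads the `Compression:` line from an `openssl s_client` transcript so a deployed server can be verified after the update. The two transcripts are constructed samples, not captures from a real host.

```python
import re
import ssl
from typing import Optional


def hardened_server_context() -> ssl.SSLContext:
    """Server-side TLS context with TLS compression disabled (CRIME mitigation)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Client-initiated renegotiation can only be refused where the Python/OpenSSL
    # build exposes OP_NO_RENEGOTIATION; on older builds this is a no-op.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will refuse to negotiate TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


# Matches the "Compression: ..." summary line that openssl s_client prints
# after the handshake (the first such line in the transcript is used).
_COMPRESSION_RE = re.compile(r"^\s*Compression:\s*(.+?)\s*$", re.MULTILINE)


def compression_from_s_client(output: str) -> Optional[str]:
    """Return the value of the Compression line from an s_client transcript."""
    m = _COMPRESSION_RE.search(output)
    return m.group(1) if m else None


def server_negotiated_compression(output: str) -> bool:
    """True when the server accepted a compression method, i.e. is still exposed."""
    value = compression_from_s_client(output)
    if value is None:
        raise ValueError("no Compression line found in s_client output")
    return value.upper() != "NONE"


# Constructed sample transcripts (trimmed to the relevant handshake lines).
SAMPLE_FIXED = """Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
"""
SAMPLE_UNFIXED = """Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
"""
```

Against a live host the transcript comes from `openssl s_client -connect host:443` fed into `server_negotiated_compression`.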