[Secure-testing-team] Bug#700426: vulnerable to CRIME SSL attack (CVE-2012-4929)

Thijs Kinkhorst thijs at debian.org
Tue Feb 12 15:27:09 UTC 2013


Package: nginx
Version: 0.7.67-3
Severity: grave
Tags: security patch

Hi,

nginx in squeeze and wheezy is vulnerable to the SSL attack CVE-2012-4929
dubbed 'CRIME'. The attack is related to SSL compression.

The popular solution to the attack is to disable SSL compression. This is
what Apache has done and also what nginx upstream has done in 1.2.2.
Attached patch does that, works for us and we've verified that it solves
the problem.

Upstream info is here: http://forum.nginx.org/read.php?2,231067,231068

I'd gladly hear your view on this patch. Barring any objections I'm planning
to release this as a DSA after the weekend, and also make an upload to
wheezy.


Cheers,
Thijs

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (400, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2012-4929.diff
Type: text/x-diff
Size: 611 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20130212/d18c9f70/attachment.diff>
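One way to check a server for negotiated TLS compression before and after such a fix, as an added example (not part of the original message or of the attached patch). The function name, the sample transcripts and the host name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output by negotiated TLS compression.
# Returns 0 = none negotiated, 1 = compression negotiated, 2 = no handshake summary.
check_tls_compression() {
    # Reads s_client output on stdin; inspects every "Compression:" line.
    awk '
        /^[ \t]*Compression:/ {
            seen = 1
            sub(/^[ \t]*Compression:[ \t]*/, "")
            if ($0 != "NONE") { bad = 1; method = $0 }
        }
        END {
            if (!seen) { print "unknown: no Compression line in input"; exit 2 }
            if (bad)   { print "FAIL: TLS compression negotiated (" method ")"; exit 1 }
            print "ok: TLS compression not negotiated"
        }'
}

# Constructed samples of the relevant s_client summary lines (not captured output).
SAMPLE_PATCHED='Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE'

SAMPLE_UNPATCHED='Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Compression: 1 (zlib compression)'

# Live use (host name is an assumption):
#   openssl s_client -connect www.example.org:443 </dev/null 2>/dev/null \
#       | check_tls_compression
# Caveat: "NONE" is only meaningful if the client itself offers compression.
# An openssl binary built without zlib, or a newer one run without -comp,
# reports NONE against any server, patched or not.
```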

