Your message dated Sun, 26 Jan 2014 18:33:47 +0000
with message-id <[email protected]>
and subject line Bug#727197: fixed in pound 2.6-3
has caused the Debian Bug report #727197,
regarding pound: TLS compression is insecure (CRIME attack) and can't be
disabled
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
727197: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727197
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pound
Version: 2.5-1
Severity: important
Tags: patch
Pound 2.5 has TLS compression enabled and that makes possible a practical attack
known as CRIME [1].
There's a simple patch to disable TLS compression. Please see included patch.
1:
https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
-- System Information:
Debian Release: 6.0.7
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-54-generic (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages pound depends on:
ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
ii libssl0.9.8 0.9.8o-4squeeze14 SSL shared libraries
pound recommends no packages.
pound suggests no packages.
[disable-tls-compression.patch follows]
Disables TLS compression in OpenSSL < 1.0.0
From:
https://github.com/goochjj/pound/commit/a0c52c542ca9620a96750f9877b26bf4c84aef1b
--- pound.c.orig 2013-10-23 10:38:10.679311801 +0100
+++ pound.c 2013-10-23 10:42:08.771321671 +0100
@@ -188,6 +188,21 @@
CRYPTO_set_locking_callback(l_lock);
init_timer();
+ /* disable TLS compression for OpenSSL < 1.0.0 */
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+ {
+ int i,n;
+ STACK_OF(SSL_COMP) *ssl_comp_methods;
+
+ ssl_comp_methods = SSL_COMP_get_compression_methods();
+ n = sk_SSL_COMP_num(ssl_comp_methods);
+
+ for(i=n-1; i>=0; i--) {
+ sk_SSL_COMP_delete(ssl_comp_methods, i);
+ }
+ }
+#endif
+
/* prepare regular expressions */
if(regcomp(&HEADER, "^([a-z0-9!#$%&'*+.^_`|~-]+):[ \t]*(.*)[ \t]*$",
REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&CHUNK_HEAD, "^([0-9a-f]+).*$", REG_ICASE | REG_NEWLINE |
REG_EXTENDED)
--- End Message ---
--- Begin Message ---
Source: pound
Source-Version: 2.6-3
We believe that the bug you reported is fixed in the latest version of
pound, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Brett Parker <[email protected]> (supplier of updated pound package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 26 Jan 2014 12:40:27 +0000
Source: pound
Binary: pound
Architecture: source amd64
Version: 2.6-3
Distribution: unstable
Urgency: low
Maintainer: Brett Parker <[email protected]>
Changed-By: Brett Parker <[email protected]>
Description:
pound - reverse proxy, load balancer and HTTPS front-end for Web servers
Closes: 723731 727197
Changes:
pound (2.6-3) unstable; urgency=low
.
* New maintainer: Brett Parker <[email protected]>
* Update xss_redirect_patch
- Allow = character in urls (Closes: #723731)
* Add patch from Joe Gooch <[email protected]> for CRIME vulnerability
- tls_compression_disable.patch (Closes: #727197)
Checksums-Sha1:
0a0a1bc008377e03884d57a3975d314f577d56d4 1706 pound_2.6-3.dsc
426a1109195d29fed4847810ddc6a6eb1f981a03 11292 pound_2.6-3.debian.tar.xz
541d21d31a99e3e4bc4f993c204ae9a5b6f48cff 102032 pound_2.6-3_amd64.deb
Checksums-Sha256:
44302168e60fb489dc37f3128a1116a7f3785c0f76bcf412917701f0eb2c9adc 1706
pound_2.6-3.dsc
70d1b551206af4f089c037f55a3478495622f0f24417da88cde4107f79c72d55 11292
pound_2.6-3.debian.tar.xz
8f3823343b690b5148dcef2e94710ac418a16622084fe574ba4d668c2cff7b97 102032
pound_2.6-3_amd64.deb
Files:
3e8e72458e6e509b670232f41a8ef229 1706 net extra pound_2.6-3.dsc
1848b652c2ab645b2fd6e4c2bbe93f95 11292 net extra pound_2.6-3.debian.tar.xz
5ae52c0025eb316891dc9ec25c8a994e 102032 net extra pound_2.6-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJS5VP4AAoJELSic+t+oim9FMkP/1VyO4tnDjIci+vUExiMXn5I
/kc3hNExwMPajIpwgfY6kTmDBtNvQn111o7kljsufnyEUYhF0usaK1DP4P7pv2tV
AzyRkfQD9WcCy4z2BWXdtQ0pJk/6/7seWLJLF/QQz5UNA7GSSF1O5vHDePBhzrtg
0xDD0hQGJTE2xWOimTHDislBlBFmF3/epMcahz43NKMti/TvljA0csnvd8X0QR16
9Pt+Jjrlp7XdeijW4flLn4dJXaY9O51ptO//WFxeartgQ9N3jG8x9gnlatSSonqL
wdGwnImmnwXCMl6fAfvGnkzAMk6Vi0LBlvhmdt28ykCBiY2HFXbXQ9K1317uqCx+
WCdo7XseMaKtdcSkm16ruoALdNQUfyLQlhNWbjTQj9MtYTvEHyYfLKsSwp0+6NLH
+fCsZkmIHhotTnQu9ywJSwcVsueQ4k3LhoBmtTl/+dX6O6eDZ+/YnREwA6KwEy8P
SYUZ7VviVKVpBOpFUkYYkK3OgSYCQ/ZXa63iVnql5r99g3sEF5ijp8wHRLunHdGv
+M87+IxOSWv9rt+hdlscHxU/JqNIkYXo4y086CsHyYLFoSAHHm84iNr+ExAyn/bA
9gQR0gsk30h+bdWAewBDhxl1w3odl7RWNuVlZra4Wa4ZI17X+Lw5lYrwl2hGmmLB
r0EPTphPZaL8cpIdMf8/
=f275
-----END PGP SIGNATURE-----
--- End Message ---