Your message dated
with message-id
and subject line Closing resolved/obsolete bug reports
has caused the Debian Bug report #919320,
regarding nginx-extras: Would you please consider replacing Gzip module with
Brotli for compression?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
919320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919320
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nginx-extras
Version: 1.14.2-2
Severity: wishlist
Hello nginx maintainers,
At the moment, the nginx-extras package includes the gzip module as one of the optional
http modules. However, it seems Gzip compression is vulnerable to the BREACH [1]
attack, and the vulnerability researchers' recommendation is to disable Gzip
compression. There are also discussions on Stack Exchange [2].
Instead of disabling compression over TLS/SSL completely, Google seems to be
using a different compression scheme, Brotli [3]. Would you consider replacing
the nginx Gzip module with Brotli?
Thanks,
Abi,
---
[1] http://breachattack.com/#mitigations
[2] https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack
[3] https://github.com/google/ngx_brotli
--- End Message ---
--- Begin Message ---
This issue appears to be resolved, so I'm closing this bug report.
Please reopen it if the problem persists.
Best regards,
Jan
--- End Message ---