Le 2013-02-12 16:27, Thijs Kinkhorst a écrit :
Package: nginx
Version: 0.7.67-3
Severity: grave
Tags: security patch

Hi,

nginx in squeeze and wheezy is vulnerable to the SSL attack CVE-2012-4929
dubbed 'CRIME'. The attack is related to SSL compression.

The popular solution to the attack is to disable SSL compression. This is
what Apache has done and also what nginx upstream has done in 1.2.2.
Attached patch does that, works for us and we've verified that it solves
the problem.

Upstream info is here: http://forum.nginx.org/read.php?2,231067,231068

I'd gladly hear your view on this patch. Barring any objections I'm planning to release this as a DSA after the weekend, and also make an upload to
wheezy.


Cheers,
Thijs


Hello Thijs.

Thanks for this report.

I think we have to include this patch in the nginx packages (stable and unstable).

I don't actually know if you already prepared an upload, so I did it by myself (and it was a great time to relearn how to use quilt).

The packages are here :
* Stable : http://sources.davromaniak.eu/nginx/nginx_0.7.67-3+squeeze3.dsc
* Unstable : http://sources.davromaniak.eu/nginx/nginx_1.2.1-3.dsc

In case you already prepared an upload, just ignore the last lines ;).

When the 1.2.1 package will arrive on the unstable repo, I will backport it to squeeze.

Thanks.
--
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to