Le 2013-02-12 16:27, Thijs Kinkhorst a écrit :
Package: nginx
Version: 0.7.67-3
Severity: grave
Tags: security patch
Hi,
nginx in squeeze and wheezy is vulnerable to the SSL attack
CVE-2012-4929
dubbed 'CRIME'. The attack is related to SSL compression.
The popular solution to the attack is to disable SSL compression.
This is
what Apache has done and also what nginx upstream has done in 1.2.2.
Attached patch does that, works for us and we've verified that it
solves
the problem.
Upstream info is here:
http://forum.nginx.org/read.php?2,231067,231068
I'd gladly hear your view on this patch. Barring any objections I'm
planning
to release this as a DSA after the weekend, and also make an upload
to
wheezy.
Cheers,
Thijs
Hello Thijs.
Thanks for this report.
I think we have to include this patch in the nginx packages (stable and
unstable).
I don't actually know if you already prepared an upload, so I did it by
myself (and it was a great time to relearn how to use quilt).
The packages are here :
* Stable :
http://sources.davromaniak.eu/nginx/nginx_0.7.67-3+squeeze3.dsc
* Unstable : http://sources.davromaniak.eu/nginx/nginx_1.2.1-3.dsc
In case you already prepared an upload, just ignore the last lines ;).
When the 1.2.1 package will arrive on the unstable repo, I will
backport it to squeeze.
Thanks.
--
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]