Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package apache2. This upload mitigates impact of the so-called "CRIME" attacks to SSL. That's primarily a browser issue and not a vulnerability in Apache's code. Having said that, this patch disables SSL compression globally by default so that vulnerable browsers can't be exploited while talking to a web server with this patch.

Please note, we are planning to upload the very same patch to s-p-u (same patch, just adapted to Squeeze's Apache version and in dpatch format). Do you agree with our plans with that? Alternatively we can discuss this in a separate bug if you prefer.

This is the patch:

diff --git a/debian/changelog b/debian/changelog index 665b678..3d4d908 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +apache2 (2.2.22-12) unstable; urgency=low + + * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is + "off". This mitigates impact of CRIME attacks. Fixes: + - "handling the CRIME attack" (Closes: #689936) + - "make it possible to disable ssl compression in apache2 mod_ssl" + (Closes: #674142) + + -- Arno Töll <[email protected]> Wed, 31 Oct 2012 00:23:59 +0100 + apache2 (2.2.22-11) unstable; urgency=low * Be more careful regarding link attacks when purging the cache disk diff --git a/debian/patches/disable-ssl-compression.patch b/debian/patches/disable-ssl-compression.patch new file mode 100644 index 0000000..6878f68 --- /dev/null +++ b/debian/patches/disable-ssl-compression.patch 
@@ -0,0 +1,121 @@ +From: Bjoern Jacke <[email protected]> +Subject: Allow mod_ssl to disable ssl compression + +Patch submitted upstream, merged into 2.2.24. This patch adds a "Compression +on|off" directive to mod_ssl. + +Origin: upstream, https://issues.apache.org/bugzilla/attachment.cgi?id=28804 +Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142 + +--- a/modules/ssl/mod_ssl.c ++++ b/modules/ssl/mod_ssl.c +@@ -146,6 +146,9 @@ + "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)") + SSL_CMD_SRV(HonorCipherOrder, FLAG, + "Use the server's cipher ordering preference") ++ SSL_CMD_SRV(Compression, FLAG, ++ "Enable SSL level compression" ++ "(`on', `off')") + SSL_CMD_SRV(InsecureRenegotiation, FLAG, + "Enable support for insecure renegotiation") + SSL_CMD_ALL(UserName, TAKE1, +--- a/modules/ssl/ssl_engine_config.c ++++ b/modules/ssl/ssl_engine_config.c +@@ -178,6 +178,9 @@ + #ifdef HAVE_FIPS + sc->fips = UNSET; + #endif ++#ifndef OPENSSL_NO_COMP ++ sc->compression = UNSET; ++#endif + + modssl_ctx_init_proxy(sc, p); + +@@ -275,6 +278,9 @@ + #ifdef HAVE_FIPS + cfgMergeBool(fips); + #endif ++#ifndef OPENSSL_NO_COMP ++ cfgMergeBool(compression); ++#endif + + modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy); + +@@ -708,6 +714,23 @@ + + } + ++const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag) ++{ ++#if !defined(OPENSSL_NO_COMP) ++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); ++#ifndef SSL_OP_NO_COMPRESSION ++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); ++ if (err) ++ return "This version of openssl does not support configuring " ++ "compression within <VirtualHost> sections."; ++#endif ++ sc->compression = flag ? 
TRUE : FALSE; ++ return NULL; ++#else ++ return "Setting Compression mode unsupported; not implemented by the SSL library"; ++#endif ++} ++ + const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag) + { + #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -532,6 +532,18 @@ + } + #endif + ++ ++#ifndef OPENSSL_NO_COMP
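Review bot: in the mod_ssl.c hunk the two help-string literals are concatenated with no separator, so the directive help reads "Enable SSL level compression(`on', `off')"; add a trailing space to the first literal, e.g. `"Enable SSL level compression "`. The DEP-3 header above the hunk also describes the new directive as "Compression on|off", but SSL_CMD_SRV registers it as SSLCompression (the name the changelog entry uses), so the header text should say SSLCompression.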
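Review bot: the two ssl_engine_config.c hunks only initialise `sc->compression = UNSET` and merge it with `cfgMergeBool(compression)`, so nothing in them yields the "off" default the changelog entry promises; the UNSET-means-off decision must happen where the SSL_CTX is configured. No hunk for the header that declares SSLSrvConfigRec (ssl_private.h) and its new `compression` member appears in the visible part of the patch either, so please confirm the remaining lines of the 121-line patch cover both before the unblock.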
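Review bot: in the ssl_cmd_SSLCompression hunk the guard is `#if !defined(OPENSSL_NO_COMP)` while every other hunk uses `#ifndef OPENSSL_NO_COMP`; pick one form. In the `#ifndef SSL_OP_NO_COMPRESSION` branch the directive is registered via SSL_CMD_SRV as valid inside <VirtualHost> but then rejected at runtime with the "does not support configuring compression within <VirtualHost> sections" message on older OpenSSL; the help text in mod_ssl.c should mention the global-only restriction so users do not only discover it from the error, and the `err` string returned by ap_check_cmd_context() is discarded in favour of the fixed message, which is fine but could be appended for context.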
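Review bot: the ssl_engine_init.c hunk (`@@ -532,6 +532,18 @@`) adds an empty `++` line directly after an existing blank context line, leaving a double blank line before `#ifndef OPENSSL_NO_COMP`; drop one. This hunk is also cut off in the message right after `++#ifndef OPENSSL_NO_COMP`, and since it is the place where the new setting has to take effect (the other hunks only parse and merge it), the remaining lines are the ones that need review for the "off by default" claim.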
unblock apache2/2.2.22-12

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.5-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

