Hi, Can this not be protected against the same way other OpenSSL based webservers (Apache + nginx) protect against it by adding:
export OPENSSL_NO_DEFAULT_ZLIB=1 to your init script? Chris -----Original Message----- From: James Bensley [mailto:[email protected]] Sent: 13 December 2012 17:46 To: [email protected] Subject: Re: [Pound Mailing List] Disabling SSL Compression option in Stable Release Howdy all, I'm curious about this too. I would like to protect against it. So far I have only found this one reference to it on line, if I implement this single line of code and recompile Pound (running version 2.7a) which this work for me? http://comments.gmane.org/gmane.comp.web.pound.general/6858 Many thanks, James. On 23 October 2012 20:06, Root Kev <[email protected]> wrote: > Is there any eta on when this might be included in a stable release, > as the CRIME attack vulnerability has come up in our latest network > audit. Since pound needs to be deployed to quite a few of our > production servers, we would prefer not to have to manually patch it on each > machine. > > Thanks! > > Kevin -- To unsubscribe send an email with subject unsubscribe to [email protected]. Please contact [email protected] for questions. ________________________________ NOTICE AND DISCLAIMER This e-mail (including any attachments) is intended for the above-named person(s). If you are not the intended recipient, notify the sender immediately, delete this email from your system and do not disclose or use for any purpose. We may monitor all incoming and outgoing emails in line with current legislation. We have taken steps to ensure that this email and attachments are free from any virus, but it remains your responsibility to ensure that viruses do not adversely affect you -- To unsubscribe send an email with subject unsubscribe to [email protected]. Please contact [email protected] for questions.
