This is the story:
> > -----Original Message-----
> > From: Joe Gooch [mailto:[email protected]]
> > Sent: Monday, April 29, 2013 7:40 AM
> > To: '[email protected]'
> > Cc: 'Lubomir Rintel'
> > Subject: RE: [Pound Mailing List] PCI-DSS Compliance with Pound
> >
> > My suggestion to anyone who needs PCI-DSS compliance is to run my branch here:
> > https://github.com/goochjj/pound/tree/stage_for_upstream/v2.7b
> >
> > Zip here:
> > https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7b.zip
> >
> > This is based on 2.7b, and includes a bunch of patches that I
> > usually include in pound, to do things like SNI, CertDir includes,
> > IncludeDir, PCRE redirects, etc.
> >
> > If you don't feel comfortable running a 2.7 branch, or don't want to
> > include those patches, I've rolled a new branch:
> > https://github.com/goochjj/pound/tree/pcidss/v2.6
> > Zip here: https://github.com/goochjj/pound/archive/pcidss/v2.6.zip
> >
> > Which includes only the XSRF, SSLv2, SSL compression and cipher
> > enhancements against a 2.6 baseline.

2.7’s release cycle is still in progress. Robert would be the one to comment on any release date for that.

I would recommend the Debian maintainers apply everything in the pcidss branch as I’ve put everything critical in that branch, properly backported to 2.6.

(cc: Martin)

Joe

From: Stefan Eriksson [mailto:[email protected]]
Sent: Thursday, November 14, 2013 2:26 AM
To: [email protected]
Subject: Re: [Pound Mailing List] Disabling SSL Compression option in Stable Release

Hi, thanks for the info.

It's not in Debian 7 wheezy yet. Do you have the official merged patch so I can point that patch to Debian maintainers? They are using 2.6 but should be OK to backport if the patch is for 2.7.

Thanks!

2013-11-13 13:58, Joe Gooch wrote:

I’m not sure what news you’re looking for. It’s been patched since 10/05/2012. Could you be more specific?

Joe

From: Stefan Eriksson [mailto:[email protected]]
Sent: Wednesday, November 13, 2013 6:11 AM
To: [email protected]
Subject: [Pound Mailing List] Disabling SSL Compression option in Stable Release

> > You can use my stage for 2.7b branch if that's easier, which already has
> > the CRIME patch applied for openssl pre 1.0 and 1.0+.
> > https://github.com/goochjj/pound/tree/stage_for_upstream/v2.7b
> > Or you can borrow the patch from the last commit to that branch.
> > Joe
>
> Hi Chris,
>
> This isn't working for me, but thanks for the suggestions!
>
> I think Joe, I will check out your git code and compile that. Sounds
> like a good way forward!
>
> Many thanks all,
> James.

Any news about this? It's a pretty serious issue; https://www.ssllabs.com/ is reporting about this CRIME issue.

Many thanks
Stefan
