[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
This bug was fixed in the package openssl - 1.0.1-4ubuntu5.10

---
openssl (1.0.1-4ubuntu5.10) precise-security; urgency=low

  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide
    (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
      zlib to compress SSL/TLS unless the environment variable
      OPENSSL_DEFAULT_ZLIB is set in the environment during library
      initialization.
    - Introduced to assist with programs not yet updated to provide their
      own controls on compression, such as Postfix
    - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch

 -- Seth Arnold seth.arn...@canonical.com  Mon, 03 Jun 2013 18:13:18 -0700

** Changed in: openssl (Ubuntu Precise)
       Status: Fix Committed => Fix Released

** Changed in: openssl (Ubuntu Lucid)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1187195

Title:
  OpenSSL site-wide compression disable tracking bug

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1187195/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
This bug was fixed in the package openssl - 0.9.8k-7ubuntu8.15

---
openssl (0.9.8k-7ubuntu8.15) lucid-security; urgency=low

  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide
    (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
      zlib to compress SSL/TLS unless the environment variable
      OPENSSL_DEFAULT_ZLIB is set in the environment during library
      initialization.
    - Introduced to assist with programs not yet updated to provide their
      own controls on compression, such as Postfix
    - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch

 -- Seth Arnold seth.arn...@canonical.com  Mon, 03 Jun 2013 20:37:34 -0700

** Changed in: openssl (Ubuntu Quantal)
       Status: Fix Committed => Fix Released
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
This bug was fixed in the package openssl - 1.0.1c-3ubuntu2.5

---
openssl (1.0.1c-3ubuntu2.5) quantal-security; urgency=low

  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide
    (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
      zlib to compress SSL/TLS unless the environment variable
      OPENSSL_DEFAULT_ZLIB is set in the environment during library
      initialization.
    - Introduced to assist with programs not yet updated to provide their
      own controls on compression, such as Postfix
    - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch

 -- Seth Arnold seth.arn...@canonical.com  Mon, 03 Jun 2013 18:13:33 -0700

** Changed in: openssl (Ubuntu Raring)
       Status: Fix Committed => Fix Released
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
This bug was fixed in the package openssl - 1.0.1c-4ubuntu8.1

---
openssl (1.0.1c-4ubuntu8.1) raring-security; urgency=low

  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide
    (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
      zlib to compress SSL/TLS unless the environment variable
      OPENSSL_DEFAULT_ZLIB is set in the environment during library
      initialization.
    - Introduced to assist with programs not yet updated to provide their
      own controls on compression, such as Postfix
    - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch

 -- Seth Arnold seth.arn...@canonical.com  Mon, 03 Jun 2013 18:13:47 -0700
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
** Tags removed: verification-needed
** Tags added: verification-done
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
Guys, I have also failed the PCI test on my SSL-enabled postfix and dovecot. I run TestSSLServer and it says:

CRIME status: vulnerable

I am using Ubuntu 12.04.2 LTS (precise) 64 bit and my openssl version is 1.0.1-4ubuntu5.9. Is this backported to precise? What is the easiest way to be protected against it? Does the OPENSSL_DEFAULT_ZLIB env variable work on my version?
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
@Theodotos, there is a package on its way for Precise (http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.0.1-4ubuntu5.10/changelog). You can deploy it now by enabling the precise-proposed repo, but it should hit the regular repos soonish as it was published on June 3rd.
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
OK, I enabled the proposed repo and now I got the updated version:

# aptitude show openssl | grep -i version
Version: 1.0.1-4ubuntu5.10

But running TestSSLServer against my dovecot pop3s (port 995) I still get that the system is vulnerable to CRIME. Compression is supposed to be disabled by default and only enabled when you use the OPENSSL_DEFAULT_ZLIB environment variable, right?
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
False alarm. I updated openssl but not libssl. Works now. Thanks Simon!
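The "updated openssl but not libssl" trap in the message above is easy to hit: the openssl package is only the command-line tool, while the fix that matters to postfix and dovecot lives in the shared-library package they load. The script below is an added example (not code from this bug report or from Ubuntu) that compares the installed versions of both packages against the fixed versions listed in this thread's changelog entries, using a reimplementation of dpkg's version-ordering rules so that "5.9" correctly sorts below "5.10". The library package name libssl1.0.0 is an assumption, and the dpkg-query output at the bottom is a constructed sample.

```python
# Added example: check that both the openssl tool and the libssl library
# package carry the CRIME fix. Fixed versions are the ones listed in this
# bug's changelog entries; the library package name "libssl1.0.0" is an
# assumption, and the dpkg-query sample at the bottom is constructed.

FIXED_VERSIONS = {
    "lucid": "0.9.8k-7ubuntu8.15",
    "precise": "1.0.1-4ubuntu5.10",
    "quantal": "1.0.1c-3ubuntu2.5",
    "raring": "1.0.1c-4ubuntu8.1",
    "saucy": "1.0.1e-2ubuntu1.1",
}

def _order(c):
    # character weight used by dpkg's verrevcmp(): '~' < end < letters < other
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _verrevcmp(a, b):
    # compare one version fragment (upstream or revision) the way dpkg does:
    # alternate non-digit runs (char by char) and digit runs (numerically)
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1    # a has more digits left, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # "epoch:upstream-revision" -> (epoch, upstream, revision)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision

def compare_versions(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def parse_dpkg_query(output):
    """Parse lines of: dpkg-query -W -f='${Package} ${Version}\\n'"""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed

def check_crime_fix(installed, release, packages=("openssl", "libssl1.0.0")):
    """Map each package to 'fixed', 'vulnerable' or 'not installed'."""
    fixed = FIXED_VERSIONS[release]
    report = {}
    for pkg in packages:
        version = installed.get(pkg)
        if version is None:
            report[pkg] = "not installed"
        elif compare_versions(version, fixed) >= 0:
            report[pkg] = "fixed"
        else:
            report[pkg] = "vulnerable"
    return report

# Constructed sample: the state Theodotos hit, tool updated but library not.
SAMPLE_HALF_UPDATED = "openssl 1.0.1-4ubuntu5.10\nlibssl1.0.0 1.0.1-4ubuntu5.9\n"

if __name__ == "__main__":
    import sys
    out = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HALF_UPDATED
    for pkg, state in check_crime_fix(parse_dpkg_query(out), "precise").items():
        print(pkg, state)
```

Run with no input to see the constructed sample flagged, or pipe the real package state in: dpkg-query -W -f='${Package} ${Version}\n' openssl libssl1.0.0 | python3 check_crime_fix.py. Even once the library package is at the fixed version, a daemon that was started before the upgrade still has the old libssl mapped in memory, so the services also have to be restarted before a scanner such as TestSSLServer will report the change.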
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
Theodotos, thanks for the feedback. Please also let us know if you need to set the environment variable for any services, I'd really like to know if there are any services that require compression.
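Because the patch keys on OPENSSL_DEFAULT_ZLIB being present in the process environment when libssl initialises, the question asked above (which services have compression re-enabled?) can be answered on a running system by inspecting each service's /proc/<pid>/environ. The following is an added example, not code from this bug report or from the openssl package; the process table at the bottom is constructed, and the assumption that the patch tests presence of the variable rather than any particular value is taken from the changelog wording "is set in the environment".

```python
# Added example: find processes that were started with OPENSSL_DEFAULT_ZLIB in
# their environment, i.e. services for which the site-wide compression
# disable has been overridden. The sample process table is constructed.
import os

VARIABLE = "OPENSSL_DEFAULT_ZLIB"

def parse_environ(blob):
    """Decode the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env = {}
    for record in blob.split(b"\0"):
        if not record:
            continue                      # trailing NUL or empty record
        key, _, value = record.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def compression_reenabled(env):
    # The patch checks whether the variable is set at library initialisation;
    # treating any value as "set" is an assumption based on the changelog text.
    return VARIABLE in env

def audit(processes):
    """processes maps pid -> (command name, raw environ bytes).
    Returns pid -> command for every process that gets compression back."""
    flagged = {}
    for pid, (comm, blob) in processes.items():
        if compression_reenabled(parse_environ(blob)):
            flagged[pid] = comm
    return flagged

def read_proc():
    """Collect (comm, environ) for every readable process in /proc.
    Other users' environ files are only readable as root."""
    processes = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open("/proc/%s/comm" % entry) as f:
                comm = f.read().strip()
            with open("/proc/%s/environ" % entry, "rb") as f:
                blob = f.read()
        except OSError:
            continue                      # process exited or not ours
        processes[int(entry)] = (comm, blob)
    return processes

# Constructed sample: a mail daemon started with the variable, others without.
SAMPLE_PROCESSES = {
    1234: ("smtpd", b"PATH=/usr/sbin:/usr/bin\0OPENSSL_DEFAULT_ZLIB=1\0"),
    2345: ("apache2", b"PATH=/usr/sbin:/usr/bin\0LANG=C\0"),
    3456: ("dovecot", b""),
}

if __name__ == "__main__":
    procs = read_proc() if os.path.isdir("/proc") else SAMPLE_PROCESSES
    for pid, comm in sorted(audit(procs).items()):
        print("pid %d (%s) has %s set: TLS compression re-enabled" % (pid, comm, VARIABLE))
```

One caveat when reading the results: /proc/<pid>/environ shows the environment the process was started with, so a service that sets the variable itself after startup will not be flagged, and a service whose init script exports it will be. Since the patch is a stopgap for programs without their own compression controls, the longer-term fix for a flagged service is for the application to manage compression itself (OpenSSL provides the SSL_OP_NO_COMPRESSION option for that) rather than relying on the environment.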
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
** Also affects: openssl (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Also affects: openssl (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: openssl (Ubuntu Saucy)
   Importance: Undecided
       Status: New

** Also affects: openssl (Ubuntu Quantal)
   Importance: Undecided
       Status: New

** Also affects: openssl (Ubuntu Raring)
   Importance: Undecided
       Status: New
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
Pocket copied openssl to proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

** Tags added: verification-needed

** Changed in: openssl (Ubuntu Saucy)
       Status: New => Fix Committed

** Changed in: openssl (Ubuntu Raring)
       Status: New => Fix Committed

** Changed in: openssl (Ubuntu Quantal)
       Status: New => Fix Committed

** Changed in: openssl (Ubuntu Precise)
       Status: New => Fix Committed

** Changed in: openssl (Ubuntu Lucid)
       Status: New => Fix Committed
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
To test this modification, I extended the Ubuntu Security Team's QRT testcase for OpenSSL to run through the entire test suite twice -- once with compression enabled, once with compression disabled, and verify that compression has been enabled or disabled where appropriate. These modifications can be found here:
http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/revision/1931

Because the 10.04 LTS Python test suite will exit when the test suite is over, I special-cased that distribution to run only the tests with compression enabled. I don't foresee this being a problem, and the modification to run the other set of tests would be readily visible for future updates.

I ran this test suite on all five currently supported distributions: 10.04 LTS, 12.04 LTS, 12.10, 13.04, and Saucy, on KVM VMs running both i386 and AMD64.

Thus, I'd like testing from the larger community to determine if this is suitable for the distribution. Cases when users will need to manually enable compression for compatibility reasons are likely low, as Fedora has shipped with this modification for several months. I want to know which services do not work 'out of the box' before shipping this update to the larger Ubuntu community.

Thanks.
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
To ubuntu-sru: if this passes the verification process, please ping the security team (sarnold). Thanks!
[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
This bug was fixed in the package openssl - 1.0.1e-2ubuntu1.1

---
openssl (1.0.1e-2ubuntu1.1) saucy-security; urgency=low

  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide
    (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
      zlib to compress SSL/TLS unless the environment variable
      OPENSSL_DEFAULT_ZLIB is set in the environment during library
      initialization.
    - Introduced to assist with programs not yet updated to provide their
      own controls on compression, such as Postfix
    - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch

 -- Seth Arnold seth.arn...@canonical.com  Mon, 03 Jun 2013 18:14:05 -0700

** Changed in: openssl (Ubuntu Saucy)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4929