[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack
This bug was fixed in the package apache2 - 2.2.8-1ubuntu0.24

---
apache2 (2.2.8-1ubuntu0.24) hardy-security; urgency=low

  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/224_CVE-2012-2687.dpatch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
    - debian/patches/225_CVE-2012-4929.dpatch: backport SSLCompression
      on|off directive. Defaults to off as enabling compression enables
      the CRIME attack.
    - CVE-2012-4929

 -- Marc Deslauriers marc.deslauri...@ubuntu.com  Tue, 06 Nov 2012 15:01:07 -0500

** Changed in: apache2 (Ubuntu)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2687

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1068854

Title:
  Support option to disable TLS compression to protect against CRIME attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/apache2/+bug/1068854/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2687
[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack
** Changed in: apache2 (Ubuntu)
       Status: Confirmed => Fix Released
[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack
Virendra, as far as I know, this isn't in any released Apache version.

** Changed in: apache2 (Ubuntu)
       Status: Fix Released => Confirmed
[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack
** Changed in: apache2 (Debian)
       Status: Confirmed => Fix Released
[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack
Debian just released apache2 v2.2.22-12 to address this issue.
[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack
** Also affects: apache2 (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=857051
   Importance: Unknown
       Status: Unknown
[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack
** Changed in: apache2 (Debian)
       Status: Unknown => Confirmed
[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack
** Information type changed from Public to Public Security
[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack
Note that Red Hat already supports a workaround [0] that allows for disabling zlib at the OpenSSL layer, which prevents TLS compression working in Apache. As far as I am aware, no such option exists for Ubuntu, leaving users vulnerable until a new package is available.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=857051#c5

** Bug watch added: Red Hat Bugzilla #857051
   https://bugzilla.redhat.com/show_bug.cgi?id=857051