[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-07-04 Thread Launchpad Bug Tracker
This bug was fixed in the package openssl - 1.0.1-4ubuntu5.10

---
openssl (1.0.1-4ubuntu5.10) precise-security; urgency=low

  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch:

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-07-04 Thread Launchpad Bug Tracker
This bug was fixed in the package openssl - 0.9.8k-7ubuntu8.15

---
openssl (0.9.8k-7ubuntu8.15) lucid-security; urgency=low

  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch:

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-07-04 Thread Launchpad Bug Tracker
This bug was fixed in the package openssl - 1.0.1c-3ubuntu2.5

---
openssl (1.0.1c-3ubuntu2.5) quantal-security; urgency=low

  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch:

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-07-04 Thread Launchpad Bug Tracker
This bug was fixed in the package openssl - 1.0.1c-4ubuntu8.1

---
openssl (1.0.1c-4ubuntu8.1) raring-security; urgency=low

  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch:

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-07-04 Thread Jamie Strandboge
** Tags removed: verification-needed
** Tags added: verification-done

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1187195

Title: OpenSSL site-wide compression disable tracking bug

To manage

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-06-18 Thread Theodotos Andreou
Guys I have also failed the PCI test on my SSL enabled postfix and dovecot. I run TestSSLServer and it says: CRIME status: vulnerable I am using Ubuntu 12.04.2 LTS (precise) 64 bit and my openssl version is 1.0.1-4ubuntu5.9. Is this backported to precise? What is the easiest way to be

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-06-18 Thread Simon Déziel
@Theodotos, there is a package on its way for Precise (http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.0.1-4ubuntu5.10/changelog). You can deploy it now by enabling the precise-proposed repo but it should hit the regular repos soonish as it was published on June 3rd.

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-06-18 Thread Theodotos Andreou
OK I enabled the proposed repo and now I got the updated version:

# aptitude show openssl | grep -i version
Version: 1.0.1-4ubuntu5.10

But running TestSSLServer against my dovecot pop3s (port 995) I still get that the system is vulnerable to CRIME. Compression is supposed to be disabled by

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-06-18 Thread Theodotos Andreou
False alarm. I updated openssl but not libssl. Works now. Thanks Simon!

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-06-18 Thread Seth Arnold
Theodotos, thanks for the feedback. Please also let us know if you need to set the environment variable for any services, I'd really like to know if there are any services that require compression.

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-06-10 Thread Jamie Strandboge
** Also affects: openssl (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: openssl (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: openssl (Ubuntu Saucy)
   Importance: Undecided
   Status: New

** Also affects: openssl (Ubuntu Quantal)

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-06-10 Thread Seth Arnold
Pocket copied openssl to proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

** Tags added: verification-needed

** Changed in: openssl (Ubuntu Saucy)
   Status: New =

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-06-10 Thread Seth Arnold
To test this modification, I extended the Ubuntu Security Team's QRT testcase for OpenSSL to run through the entire test suite twice -- once with compression enabled, once with compression disabled, and verify that compression has been enabled or disabled where appropriate. These modifications can

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-06-10 Thread Seth Arnold
To ubuntu-sru: if this passes the verification process, please ping the security team (sarnold). Thanks!

[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

2013-06-10 Thread Launchpad Bug Tracker
This bug was fixed in the package openssl - 1.0.1e-2ubuntu1.1

---
openssl (1.0.1e-2ubuntu1.1) saucy-security; urgency=low

  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch: