Note that Red Hat already supports a workaround [0] that allows for disabling zlib at the OpenSSL layer, which prevents TLS compression working in Apache. As far as I am aware, no such option exists for Ubuntu, leaving users vulnerable until a new package is available.
[0] https://bugzilla.redhat.com/show_bug.cgi?id=857051#c5

** Bug watch added: Red Hat Bugzilla #857051
   https://bugzilla.redhat.com/show_bug.cgi?id=857051

--
https://bugs.launchpad.net/bugs/1068854

Title:
  Support option to disable TLS compression to protect against CRIME attack
