Bug 560854 (CVE-2013-3587)

Summary: <www-servers/nginx-1.10.1: the default config is vulnerable to BREACH (CVE-2013-3587)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Default Configs
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: bugs, dev-zero, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-09-19 16:20:33 UTC
The default nginx config provides HTTP compression.

gzip on should be turned off.

Tested with: https://github.com/drwetter/testssl.sh
Comment 1 Johan Bergström 2015-09-20 23:48:34 UTC
Yep, it should indeed be off (default config has it commented out).
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2016-02-06 14:00:05 UTC
This is fixed in 1.9.10-r1. We'll move this to the stable tree once 1.10 is released.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-06-17 18:30:48 UTC
This issue was resolved and addressed in
 GLSA 201606-06 at https://security.gentoo.org/glsa/201606-06
by GLSA coordinator Kristian Fiskerstrand (K_F).
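
Added example (not part of the bug report or of the Gentoo/nginx code): a small auditor that reports every TLS-enabled server or location block in which gzip is effectively on, following nginx's inheritance from enclosing blocks. The sample config is constructed; the parser assumes no quoted strings containing '#', ';' or braces, does not follow include files, and detects TLS only through the ssl parameter of listen.

```python
import re

# Constructed sample config (not the Gentoo default file itself).
SAMPLE = """
http {
    gzip on;   # inherited by every server block below
    server { listen 443 ssl; server_name a.example;
             location /static/ { gzip off; } }
    server { listen 443 ssl; server_name b.example; gzip off; }
    server { listen 80; server_name c.example; }
}
"""

def tokenize(text):
    # Drop '#' comments, then split into words and the '{', '}', ';' tokens.
    # Assumption: no quoted strings containing '#', ';' or braces.
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))

def audit(text):
    """Return (server_name, block) pairs where gzip is effectively on under TLS."""
    root = {"name": "main", "gzip": None, "parent": None, "tls": False, "sname": ""}
    cur, words, frames = root, [], []
    for tok in tokenize(text):
        if tok == "{":
            cur = dict(root, name=" ".join(words), parent=cur)
            frames.append(cur)
            words = []
        elif tok == "}":
            cur, words = cur["parent"], []
        elif tok == ";":
            if words[:1] == ["gzip"] and len(words) == 2:
                cur["gzip"] = words[1] == "on"
            elif words[:1] == ["listen"] and "ssl" in words[1:]:
                cur["tls"] = True
            elif words[:1] == ["server_name"] and len(words) > 1:
                cur["sname"] = words[1]
            words = []
        else:
            words.append(tok)
    findings = []
    for frame in frames:
        gzip, node = None, frame
        while node is not None and gzip is None:  # nearest block that sets gzip
            gzip, node = node["gzip"], node["parent"]
        server = frame
        while server is not None and server["name"] != "server":
            server = server["parent"]
        if gzip and server is not None and server["tls"]:  # unset means off
            findings.append((server["sname"], frame["name"]))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only a.example is reported: b.example overrides the inherited setting, the /static/ location turns it off locally, and c.example does not listen with TLS.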