The CRIME attack on SSL depends on the TLS compression feature. Its authors recommend that current installations simply disable TLS compression, as most browsers don't support it anyway:
However, apache 2.2 does not yet have an option to disable TLS compression. This will come in apache 2.2.24, but for now I'd suggest applying the patch from upstream's bug tracker:
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a
2.2.24 is still not released yet. Would it be bad to have a 2.2.23-r1 with the same ebuild as 2.2.23 plus the patch in Comment #1?
Can someone finally release Apache 2.2.23-r1 with this patch, or has Gentoo Linux completely died and everyone ignores security?
Nah. All we need is a version bump, 2.2.24 got released yesterday.
Cool, but is it good to wait for the new version? All other Linux distros create their own patch and release a new version...
And one more thing: the new Apache release is from 2013-02-25 and it's still not in portage...
+*apache-tools-2.2.24 (28 Feb 2013)
+ 28 Feb 2013; Tony Vroon <email@example.com> +apache-tools-2.2.24.ebuild:
+ Version bump as required for =www-servers/apache-2.2.24; for security bug
+ #438680 filed by Hanno Boeck.
+*apache-2.2.24 (28 Feb 2013)
+ 28 Feb 2013; Tony Vroon <firstname.lastname@example.org> +apache-2.2.24.ebuild:
+ Upstream security fix adds "SSLCompression" parameter to disable flawed
+ compression support and thus protect against the CRIME attack. For security
+ bug #438680 filed by Hanno Boeck.
Arches, please test & mark stable:
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Users, you need to set "SSLCompression off" in any VirtualHost that declares "SSLEngine on" in order to fully secure your installation. A tester is available here: https://www.ssllabs.com/ssltest/
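As an added illustration of the check described in the comment above (not code from the bug report or from the Apache project), the script below walks an httpd configuration and reports every VirtualHost that declares "SSLEngine on" without "SSLCompression off". The sample configuration, host names and the rule that a global "SSLCompression off" is inherited by vhosts that do not override it are constructed assumptions for this example; the ssllabs.com tester mentioned above remains the authoritative external check.

```python
import re

# Constructed sample httpd.conf (not a real server's config): one vhost that
# disables compression, one that forgot to, and one plain-HTTP vhost.
SAMPLE_CONF = """\
Listen 443
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
    SSLCompression off
</VirtualHost>
<VirtualHost *:443>
    ServerName exposed.example.test
    SSLEngine on
    # SSLCompression is left at its default here
</VirtualHost>
<VirtualHost *:80>
    ServerName plain.example.test
</VirtualHost>
"""

# Matches a whole <VirtualHost ...> ... </VirtualHost> block (case-insensitive,
# spanning lines) and captures its body.
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)
# Matches the three directives we care about at the start of a line, so
# commented-out lines ("# SSLCompression ...") are ignored.
DIRECTIVE_RE = re.compile(r"^\s*(SSLEngine|SSLCompression|ServerName)\s+(\S+)",
                          re.IGNORECASE | re.MULTILINE)


def _directives(text):
    """Collect {directive: value} from a config fragment; the last occurrence wins."""
    return {m.group(1).lower(): m.group(2) for m in DIRECTIVE_RE.finditer(text)}


def find_vhosts_with_compression(conf):
    """Return the ServerName of every TLS vhost where compression is not off.

    A vhost is reported when it has 'SSLEngine on' and neither the vhost itself
    nor the global server context sets 'SSLCompression off'. Vhosts without a
    ServerName are reported as '<unnamed>'.
    """
    # Assumption for this example: a global SSLCompression setting is inherited
    # by vhosts that do not set the directive themselves.
    global_text = VHOST_RE.sub("", conf)
    global_off = _directives(global_text).get("sslcompression", "").lower() == "off"

    findings = []
    for block in VHOST_RE.finditer(conf):
        d = _directives(block.group(1))
        if d.get("sslengine", "").lower() != "on":
            continue  # not a TLS vhost, nothing to check
        local = d.get("sslcompression")
        if local is not None and local.lower() == "off":
            continue  # explicitly hardened in the vhost
        if local is None and global_off:
            continue  # covered by the global setting
        findings.append(d.get("servername", "<unnamed>"))
    return findings


if __name__ == "__main__":
    for name in find_vhosts_with_compression(SAMPLE_CONF):
        print("TLS vhost without 'SSLCompression off':", name)
```

Run it against a real config by reading the file (and any Include'd files) into a string and passing that to find_vhosts_with_compression; an empty result means every TLS vhost has compression disabled under the rule above.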
GLSA vote: yes.
YES too, added to existing request.
This issue was resolved and addressed in
GLSA 201309-12 at http://security.gentoo.org/glsa/glsa-201309-12.xml
by GLSA coordinator Sean Amoss (ackle).