Bug 560854 (CVE-2013-3587) - <www-servers/nginx-1.10.1: the default config is vulnerable to BREACH (CVE-2013-3587)
Alias: CVE-2013-3587
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A4 [glsa]
Reported: 2015-09-19 16:20 UTC by Agostino Sarubbo
Modified: 2016-06-17 18:30 UTC

Description Agostino Sarubbo gentoo-dev 2015-09-19 16:20:33 UTC
The default nginx config provides HTTP compression.

gzip on should be turned off.

Tested with:
Comment 1 Johan Bergström 2015-09-20 23:48:34 UTC
Yep, it should indeed be off (default config has it commented out).
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2016-02-06 14:00:05 UTC
This is fixed in 1.9.10-r1. We'll move this to the stable tree once 1.10 is released.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-06-17 18:30:48 UTC
This issue was resolved and addressed in
 GLSA 201606-06 at
by GLSA coordinator Kristian Fiskerstrand (K_F).