[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug

Launchpad Bug Tracker 1187195 at bugs.launchpad.net
Thu Jul 4 12:18:24 UTC 2013 

This bug was fixed in the package openssl - 1.0.1c-3ubuntu2.5

---------------
openssl (1.0.1c-3ubuntu2.5) quantal-security; urgency=low

  * SECURITY UPDATE: Disable compression to avoid CRIME systemwide
    (LP: #1187195)
    - CVE-2012-4929
    - debian/patches/openssl-1.0.1e-env-zlib.patch: disable default use of
      zlib to compress SSL/TLS unless the environment variable
      OPENSSL_DEFAULT_ZLIB is set in the environment during library
      initialization.
    - Introduced to assist with programs not yet updated to provide their own
      controls on compression, such as Postfix
    - http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch
 -- Seth Arnold <seth.arnold at canonical.com>   Mon, 03 Jun 2013 18:13:33 -0700

** Changed in: openssl (Ubuntu Raring)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1187195

Title:
  OpenSSL site-wide compression disable tracking bug

Status in “openssl” package in Ubuntu:
  Fix Released
Status in “openssl” source package in Lucid:
  Fix Released
Status in “openssl” source package in Precise:
  Fix Released
Status in “openssl” source package in Quantal:
  Fix Released
Status in “openssl” source package in Raring:
  Fix Released
Status in “openssl” source package in Saucy:
  Fix Released

Bug description:
  This bug is a tracking bug for OpenSSL patches that introduce a new
  environment variable OPENSSL_DEFAULT_ZLIB that is necessary for re-
  enabling compression on a per-application basis.

  Many applications, such as Apache Webserver, Qt's wrappers, and
  others, provide controls that can be used to configure if compression
  is required, allowed, or forbidden.

  This bug tracks an update to include a patch from Fedora,
  http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-
  env-zlib.patch , that will disable OpenSSL's automatic compression for
  all programs that do not have the OPENSSL_DEFAULT_ZLIB environment
  variable defined. (Value does not matter.) This is necessary because
  some programs, e.g. Postfix, do not have controls exposed to disable
  compression.

  I do not know if the compression-related SSL attacks even make sense
  for SMTP, but some PCI-DSS auditors are flagging Postfix
  configurations with this flaw. It is safer to turn off compression
  everywhere it is not necessary.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1187195/+subscriptions

More information about the foundations-bugs mailing list