[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
Seth Arnold
1187195 at bugs.launchpad.net
Mon Jun 10 18:00:56 UTC 2013
To test this modification, I extended the Ubuntu Security Team's QRT
testcase for OpenSSL to run through the entire test suite twice -- once
with compression enabled, once with compression disabled, and verify
that compression has been enabled or disabled where appropriate. These
modifications can be found here:
http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/revision/1931
Because the 10.04 LTS Python test suite will exit when the test suite is
over I special-cased that distribution to run only the tests with
compression enabled. I don't foresee this being a problem, and the
modification to run the other set of tests would be readily visible for
future updates.
I ran this test suite on all five currently supported distributions:
10.04 LTS, 12.04 LTS, 12.10, 13.04, and Saucy, on KVM VMs running both
i386 and AMD64.
Thus, I'd like testing from the larger community to determine if this is
suitable for the distribution. Cases when users will need to manually
enable compression for compatibility reasons are likely low, as Fedora
has shipped with this modification for several months.
I want to know which services do not work 'out of the box' before
shipping this update to the larger Ubuntu community.
Thanks.
https://bugs.launchpad.net/bugs/1187195
Title:
OpenSSL site-wide compression disable tracking bug
Status in “openssl” package in Ubuntu: Fix Committed
Status in “openssl” source package in Lucid: Fix Committed
Status in “openssl” source package in Precise: Fix Committed
Status in “openssl” source package in Quantal: Fix Committed
Status in “openssl” source package in Raring: Fix Committed
Status in “openssl” source package in Saucy: Fix Committed
Bug description:
This bug is a tracking bug for OpenSSL patches that introduce a new
environment variable OPENSSL_DEFAULT_ZLIB that is necessary for
re-enabling compression on a per-application basis.
Many applications, such as Apache Webserver, Qt's wrappers, and
others, provide controls that can be used to configure if compression
is required, allowed, or forbidden.
This bug tracks an update to include a patch from Fedora,
http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-env-zlib.patch,
that will disable OpenSSL's automatic compression for
all programs that do not have the OPENSSL_DEFAULT_ZLIB environment
variable defined. (Value does not matter.) This is necessary because
some programs, e.g. Postfix, do not have controls exposed to disable
compression.
I do not know if the compression-related SSL attacks even make sense
for SMTP, but some PCI-DSS auditors are flagging Postfix
configurations with this flaw. It is safer to turn off compression
everywhere it is not necessary.
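The check below is an added example, not code from the bug report or from the QRT test case mentioned in the message. It exercises the behaviour the description explains: it starts a local OpenSSL test server, connects once with OPENSSL_DEFAULT_ZLIB unset and once with it set, and reports the compression method that s_client says was negotiated. It assumes the openssl command-line tool is installed and that TCP ports 14433 and 14434 on localhost are free.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the QRT test case it mentions.
# Starts a throwaway OpenSSL test server, connects once with
# OPENSSL_DEFAULT_ZLIB unset and once with it set, and reports the
# "Compression:" value that s_client prints for each handshake.
# Assumes the openssl CLI is installed and TCP ports 14433/14434 are free.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate, constructed here for the test only.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Start a server on port $1 in the current environment, connect once, print
# the compression method reported by s_client, then stop the server.
negotiated_compression() {
    port=$1
    openssl s_server -accept "$port" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -quiet >/dev/null 2>&1 &
    pid=$!
    result=""
    for i in 1 2 3 4 5 6 7 8 9 10; do   # retry until the listener is up
        out=$(printf 'Q\n' | openssl s_client -connect "localhost:$port" 2>/dev/null) || true
        result=$(printf '%s\n' "$out" | sed -n 's/^Compression: *//p' | head -n 1)
        [ -n "$result" ] && break
        sleep 1
    done
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "${result:-UNKNOWN}"
}

# Server and client both run inside a subshell so the variable only affects
# that one check; the patch gates on the variable's presence, not its value.
compression_without_env() { ( unset OPENSSL_DEFAULT_ZLIB; negotiated_compression 14433 ); }
compression_with_env()    { ( export OPENSSL_DEFAULT_ZLIB=1; negotiated_compression 14434 ); }

printf 'OPENSSL_DEFAULT_ZLIB unset: %s\n' "$(compression_without_env)"
printf 'OPENSSL_DEFAULT_ZLIB set:   %s\n' "$(compression_with_env)"
```

With the patched package the first run must report NONE and only the second can report zlib compression; on an OpenSSL build without zlib support both runs report NONE.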