[Bug 1068854] [NEW] Support option to disable TLS compression to protect against CRIME attack

Reed Loden reed at reedloden.com
Fri Oct 19 21:06:38 UTC 2012 

Public bug reported:

Upstream Apache recently committed a change to be in Apache 2.2.24 (not
yet released) that would allow for disabling TLS compression to protect
against the CRIME attack. As it's probably going to be a way before
2.2.24 is released, it would be great to backport this patch as a one-
off SRU to at least precise (LTS) and quantal until the new release.
There's also been some mention that supporting TLS compression is
possibly causing some people's PCI compliance tests to fail, so having
this option would be extremely useful to help pass their compliance
tests (plus just protecting against CRIME and CRIME-like attacks).

More info:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689936
https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html

** Affects: apache2
     Importance: Unknown
         Status: Unknown

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: apache2 (Debian)
     Importance: Unknown
         Status: Unknown

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-4929

** Bug watch added: Debian Bug tracker #674142
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142

** Also affects: apache2 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142
   Importance: Unknown
       Status: Unknown

** Bug watch added: Apache Software Foundation Bugzilla #53219
   http://issues.apache.org/bugzilla/show_bug.cgi?id=53219

** Also affects: apache2 via
   http://issues.apache.org/bugzilla/show_bug.cgi?id=53219
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1068854

Title:
  Support option to disable TLS compression to protect against CRIME
  attack

To manage notifications about this bug go to:
https://bugs.launchpad.net/apache2/+bug/1068854/+subscriptions

More information about the Ubuntu-server-bugs mailing list