[Bug 1068854] [NEW] Support option to disable TLS compression to protect against CRIME attack
Reed Loden
reed at reedloden.com
Fri Oct 19 21:06:38 UTC 2012
Public bug reported:
Upstream Apache recently committed a change to be in Apache 2.2.24 (not
yet released) that would allow for disabling TLS compression to protect
against the CRIME attack. As it's probably going to be a while before
2.2.24 is released, it would be great to backport this patch as a
one-off SRU to at least precise (LTS) and quantal until the new release.
There's also been some mention that supporting TLS compression is
possibly causing some people's PCI compliance tests to fail, so having
this option would be extremely useful to help pass their compliance
tests (plus just protecting against CRIME and CRIME-like attacks).
More info:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689936
https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html
** Affects: apache2
Importance: Unknown
Status: Unknown
** Affects: apache2 (Ubuntu)
Importance: Undecided
Status: New
** Affects: apache2 (Debian)
Importance: Unknown
Status: Unknown
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4929
** Bug watch added: Debian Bug tracker #674142
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142
** Also affects: apache2 (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142
Importance: Unknown
Status: Unknown
** Bug watch added: Apache Software Foundation Bugzilla #53219
http://issues.apache.org/bugzilla/show_bug.cgi?id=53219
** Also affects: apache2 via
http://issues.apache.org/bugzilla/show_bug.cgi?id=53219
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1068854
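An added example, not part of the bug report or of Apache's code: a small audit that reports the TLS compression setting in effect for each SSL-enabled virtual host once the requested option is available. It assumes the directive is named `SSLCompression`, as in upstream mod_ssl (the report itself does not name it), and that a virtual host inherits the server-level value unless it sets its own; the configuration text is constructed sample input.

```python
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
SSLCompression off
<VirtualHost *:443>
    ServerName a.example
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
    SSLEngine on
    SSLCompression on
</VirtualHost>
<VirtualHost *:80>
    ServerName c.example
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^\s*(SSLCompression|SSLEngine|ServerName)\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)

def audit_tls_compression(conf_text):
    """Return [(vhost, setting)] for SSL-enabled vhosts.

    setting is 'on', 'off', or 'unset' (no explicit directive in scope, so
    the result depends on the httpd build's default and must be verified).
    """
    server, vhosts, current = {}, [], None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):        # whole-line comment
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"addr": opened.group(1).strip()}
            vhosts.append(current)
        elif VHOST_CLOSE.match(line):
            current = None
        else:
            found = DIRECTIVE.match(line)
            if found:                            # record in the active scope
                scope = server if current is None else current
                scope[found.group(1).lower()] = found.group(2).lower()
    return [(vh.get("servername", vh["addr"]),
             vh.get("sslcompression", server.get("sslcompression", "unset")))
            for vh in vhosts
            if vh.get("sslengine", server.get("sslengine")) == "on"]

if __name__ == "__main__":
    for name, setting in audit_tls_compression(SAMPLE_CONF):
        print(f"{name}: SSLCompression {setting}")
```

Any virtual host reported as `on` or `unset` is the one to review against the CRIME exposure described in the report.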