[Bug 1403283] [NEW] [Security] BREACH vulnerability is not mitigated in default configuration
Thomas Ward
teward at trekweb.org
Wed Dec 17 02:32:31 UTC 2014
*** This bug is a security vulnerability ***
Public security bug reported:
The BREACH vulnerability (http://breachattack.com/) is not mitigated in
the default nginx.conf configuration file.
Details on the BREACH vulnerability are available at the link above.
HTTP-level compression served over a TLS connection is vulnerable to the
same attack as CRIME, but without the TLS-level compression.
In Vivid, and likely the older variants of Ubuntu, this is easily
mitigated by changing `gzip on;` in the nginx.conf file to `gzip off;`
which disables `gzip` compression except where overridden later by
sites' configurations.
This impacts Ubuntu, the PPAs, and Debian as well. (I will likely
upstream this to Debian tomorrow, but will add the Nginx tracker here on
Launchpad for the PPAs)
** Affects: nginx
Importance: Undecided
Status: New
** Affects: nginx (Ubuntu)
Importance: Undecided
Status: New
** Also affects: nginx
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1403283
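As an added illustration (not part of the bug report or of the nginx package), a small Python check that reads a sample nginx.conf plus site snippets and reports which TLS server blocks would end up with gzip effectively enabled, before and after the `gzip off;` change described above. The configuration text and hostnames are constructed, and the parser is deliberately simplified: it assumes one `gzip` directive per context and server blocks without nested `location{}` blocks.

```python
import re

# Constructed sample of the default nginx.conf the report describes:
# gzip is enabled in the http{} context and inherited by every site.
MAIN_CONF = """
http {
    gzip on;
    include /etc/nginx/sites-enabled/*;
}
"""

# Constructed site snippets (hypothetical hostnames). A block is exposed to
# BREACH-style attacks when it listens with ssl and gzip is effectively on.
SITE_CONFS = [
    "server { listen 443 ssl; server_name a.example; }",
    "server { listen 443 ssl; server_name b.example; gzip off; }",
    "server { listen 80; server_name c.example; gzip on; }",
]

GZIP_RE = re.compile(r"\bgzip\s+(on|off)\s*;")


def http_gzip_default(main_conf):
    """gzip value in the http{} context; nginx's built-in default is off."""
    m = GZIP_RE.search(main_conf)
    return m.group(1) if m else "off"


def tls_servers_with_gzip(main_conf, site_confs):
    """Return server_names that serve TLS and end up with gzip on.

    Simplified parser: one gzip directive per context, no nested blocks.
    """
    inherited = http_gzip_default(main_conf)
    exposed = []
    for conf in site_confs:
        for body in re.findall(r"server\s*\{(.*?)\}", conf, re.S):
            name = re.search(r"\bserver_name\s+([^;]+);", body)
            own = GZIP_RE.search(body)
            effective = own.group(1) if own else inherited  # per-site override wins
            uses_tls = re.search(r"\blisten\b[^;]*\bssl\b", body) is not None
            if uses_tls and effective == "on":
                exposed.append(name.group(1).strip() if name else "<unnamed>")
    return exposed


# The mitigation from the report: flip the global default to off, so only
# sites that explicitly re-enable gzip keep HTTP compression.
FIXED_MAIN_CONF = MAIN_CONF.replace("gzip on;", "gzip off;")
```

With the sample input, `tls_servers_with_gzip(MAIN_CONF, SITE_CONFS)` reports `a.example` and the same call with `FIXED_MAIN_CONF` reports nothing.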