Source: nginx
Version: 1.10.3-1+deb9u2
Severity: important
Tags: security

Hi,

The default nginx.conf includes 'gzip on', which opens up the applications (by default) to BREACH. This deviates from the default upstream configuration (and the nginx default). A previous bug (#773332) was filed about this and was closed in 2015 because a warning had been added in the configuration example. I do not find this warning anymore.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
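The following configuration contrasts the global setting the report describes with a scoped form that keeps compression for static assets while leaving dynamic HTML (where secrets such as CSRF tokens share a response with attacker-influenced input) uncompressed. It is an added example, not the Debian package's nginx.conf; the path /var/www/static is assumed.

```nginx
# Weak form (the shipped default described in the report): gzip enabled for
# the whole http block. nginx always compresses text/html when gzip is on,
# so every dynamic page is a BREACH candidate.
http {
    gzip on;
}

# Mitigated form: compression disabled at http scope and re-enabled only in
# a location that serves static files, which carry no per-user secrets.
http {
    gzip off;

    server {
        listen 80;

        # Dynamic application responses inherit gzip off from http {}.
        location / {
            proxy_pass http://127.0.0.1:8080;
        }

        # Static assets (assumed path): safe to compress, so enable gzip here
        # and list the asset types; text/html is still compressed here if
        # served, so keep only non-secret files under this prefix.
        location /static/ {
            alias /var/www/static/;
            gzip on;
            gzip_types text/css application/javascript image/svg+xml;
        }
    }
}
```

After editing, run `nginx -T` to dump the effective configuration and confirm that `gzip on` appears only inside the static location.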