Package: nginx
Version: 0.7.67-3
Severity: grave
Tags: security patch

Hi,

nginx in squeeze and wheezy is vulnerable to the SSL attack CVE-2012-4929
dubbed 'CRIME'. The attack is related to SSL compression.

The popular solution to the attack is to disable SSL compression. This is
what Apache has done and also what nginx upstream has done in 1.2.2.
Attached patch does that, works for us and we've verified that it solves
the problem.

Upstream info is here: http://forum.nginx.org/read.php?2,231067,231068

I'd gladly hear your view on this patch. Barring any objections I'm planning
to release this as a DSA after the weekend, and also make an upload to
wheezy.


Cheers,
Thijs

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (400, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Index: nginx-0.7.67/src/event/ngx_event_openssl.c
===================================================================
--- nginx-0.7.67.orig/src/event/ngx_event_openssl.c	2010-06-07 13:55:20.000000000 +0200
+++ nginx-0.7.67/src/event/ngx_event_openssl.c	2013-02-12 16:02:39.238581000 +0100
@@ -108,6 +108,9 @@
 
     OpenSSL_add_all_algorithms();
 
+    /* Disable compression in older versions of OpenSSL (CVE-2012-4929) */
+    sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
+
     ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
 
     if (ngx_ssl_connection_index == -1) {
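
Review bot: The comment on the added call says it targets "older versions of OpenSSL", but the sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); line has no version or feature guard around it, so it runs against whatever OpenSSL the package is built with. Either reword the comment to say compression is disabled unconditionally, or wrap the call in a preprocessor guard so that code and comment agree. The result of SSL_COMP_get_compression_methods() is also passed straight into sk_SSL_COMP_zero() without being checked. Holding it in a local variable and testing it for NULL first would make the behaviour explicit when the library hands back no stack. Because the call sits in the one-time initialisation next to OpenSSL_add_all_algorithms(), the comment should also note that it disables compression for every SSL context the process creates afterwards, not for a single server block.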
