Your message dated Sun, 17 Feb 2013 12:47:23 +0000
with message-id <e1u73en-0000fw...@franck.debian.org>
and subject line Bug#700426: fixed in nginx 0.7.67-3+squeeze3
has caused the Debian Bug report #700426,
regarding vulnerable to CRIME SSL attack (CVE-2012-4929)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
700426: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700426
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nginx
Version: 0.7.67-3
Severity: grave
Tags: security patch
Hi,
nginx in squeeze and wheezy is vulnerable to the SSL attack CVE-2012-4929
dubbed 'CRIME'. The attack is related to SSL compression.
The popular solution to the attack is to disable SSL compression. This is
what Apache has done and also what nginx upstream has done in 1.2.2.
The attached patch does that, works for us, and we've verified that it solves
the problem.
Upstream info is here: http://forum.nginx.org/read.php?2,231067,231068
I'd gladly hear your view on this patch. Barring any objections I'm planning
to release this as a DSA after the weekend, and also make an upload to
wheezy.
Cheers,
Thijs
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (400, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Index: nginx-0.7.67/src/event/ngx_event_openssl.c
===================================================================
--- nginx-0.7.67.orig/src/event/ngx_event_openssl.c 2010-06-07 13:55:20.000000000 +0200
+++ nginx-0.7.67/src/event/ngx_event_openssl.c 2013-02-12 16:02:39.238581000 +0100
@@ -108,6 +108,9 @@
OpenSSL_add_all_algorithms();
+ /* Disable compression in older versions of OpenSSL (CVE-2012-4929) */
+ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
+
ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
if (ngx_ssl_connection_index == -1) {
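Review bot: the comment says the call is for "older versions of OpenSSL", but the call to sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()) is unconditional, so it also runs against OpenSSL builds (1.0.0 and later) that provide the dedicated SSL_OP_NO_COMPRESSION context option. Either guard it with `#ifndef SSL_OP_NO_COMPRESSION` and set SSL_OP_NO_COMPRESSION on each SSL_CTX in the `#else` branch, or reword the comment: emptying the process-wide compression-method stack right after OpenSSL_add_all_algorithms() and before any SSL_CTX is created does disable compression on every OpenSSL version, which is the behaviour the report relies on, and the comment should say so rather than imply a version restriction that the code does not enforce.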
--- End Message ---
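After deploying a fix like the one in the report above, the server-side result is worth verifying from a client. The following probe is an added example, not part of the bug report or of nginx; the host name is a placeholder, and it relies only on the Python standard library. Its main point is a caveat: a modern client disables compression itself, so the probe has to clear OP_NO_COMPRESSION before the negotiated method says anything about the server.

```python
"""Probe whether a TLS server still negotiates compression (CVE-2012-4929 /
CRIME check). Added example; not code from the Debian report or from nginx."""
import socket
import ssl
from typing import Optional


def probe_context() -> ssl.SSLContext:
    """Build a client context that actually *offers* compression.

    Python's SSLContext sets OP_NO_COMPRESSION by default, so a naive probe
    reports "no compression" for every server, fixed or not. Clearing the bit
    makes the negotiated result reflect the server's configuration.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate validation is irrelevant here; only the negotiated
    # compression method is examined.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


def offers_compression(ctx: ssl.SSLContext) -> bool:
    """True if a client using ctx would advertise compression methods."""
    return not (ctx.options & ssl.OP_NO_COMPRESSION)


def default_context_offers_compression() -> bool:
    """Shows the caveat: the stdlib default context never offers compression."""
    return offers_compression(ssl.create_default_context())


def classify(negotiated: Optional[str]) -> str:
    """Map SSLSocket.compression() (None or a method name) to a verdict."""
    if negotiated is None:
        return "compression disabled (CRIME mitigation in effect)"
    return f"compression negotiated: {negotiated} (vulnerable configuration)"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port and report what the server negotiated.

    If the client-side OpenSSL was built without zlib, it cannot offer
    compression at all and the result is inconclusive rather than "fixed".
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with probe_context().wrap_socket(sock, server_hostname=host) as tls:
            return classify(tls.compression())


if __name__ == "__main__":
    print(probe("nginx.example.invalid"))  # placeholder host, replace to use
```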
--- Begin Message ---
Source: nginx
Source-Version: 0.7.67-3+squeeze3
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Cyril Lavier <cyril.lav...@davromaniak.eu> (supplier of updated nginx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Wed, 13 Feb 2013 14:32:44 +0100
Source: nginx
Binary: nginx nginx-dbg
Architecture: source amd64
Version: 0.7.67-3+squeeze3
Distribution: stable-security
Urgency: high
Maintainer: Jose Parrella <bure...@debian.org>
Changed-By: Cyril Lavier <cyril.lav...@davromaniak.eu>
Description:
nginx - small, but very powerful and efficient web server and mail proxy
nginx-dbg - Debugging symbols for nginx
Closes: 700426
Changes:
nginx (0.7.67-3+squeeze3) stable-security; urgency=high
.
* debian/patches/CVE-2012-4929.diff:
+ Fixes the vulnerability to CRIME SSL attack. See CVE-2012-4929 for more
details. (Closes: #700426)
--- End Message ---