Source: nginx
Version: 1.6.2-5
Severity: grave
Tags: security

Originally filed by myself downstream in Ubuntu at https://bugs.launchpad.net/nginx/+bug/1403283
Originally identified in 1.6.2-5, but it likely affects other versions as well, if `gzip on;` is defined in the default configs. (Severity set as 'grave' per the lowest severity identified on the tags documentation page for setting tags on bugs. Please change this if you feel this is incorrect, as I thought it should be 'important' instead of 'grave'.)

------

The BREACH vulnerability (http://breachattack.com/) is not mitigated in the default nginx.conf configuration file. Details on the BREACH vulnerability are available at the link above. HTTP-level compression served over a TLS connection is vulnerable to the same attack as CRIME, but without the TLS-level compression.

This is easily mitigated by changing `gzip on;` in the nginx.conf file to `gzip off;`, which disables `gzip` compression except where overridden later by sites' configurations.
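As an added illustration (not part of the bug report or the Debian package), a minimal nginx.conf showing the suggested default applied: gzip disabled in the http context and re-enabled only for a static-assets location, so dynamic responses that may echo request data or carry per-session tokens are served uncompressed. The server_name, certificate paths, backend address and document root are assumed placeholders.

```nginx
# Added example, not the Debian-shipped nginx.conf. Loadable with
# `nginx -t -c <path>` once the placeholder paths exist.
events {
    worker_connections 1024;
}

http {
    # Default for every server and location: no HTTP-level compression.
    # This is the change the report asks for in the shipped nginx.conf.
    gzip off;

    server {
        listen 443 ssl;
        server_name example.invalid;                 # assumed placeholder host
        ssl_certificate     /etc/ssl/example.pem;    # assumed paths
        ssl_certificate_key /etc/ssl/example.key;

        # Dynamic content inherits `gzip off;`, so a response that reflects
        # a query parameter alongside a secret (e.g. a CSRF token) is not
        # compressed over TLS and is out of scope for BREACH.
        location / {
            proxy_pass http://127.0.0.1:8080;        # assumed backend
        }

        # Static, user-independent files contain no per-user secrets next to
        # request-controlled bytes, so compression can be re-enabled here.
        location /static/ {
            root /var/www/example;                   # assumed document root
            gzip on;
            gzip_types text/css application/javascript image/svg+xml;
        }
    }
}
```

Site configurations included from conf.d/ or sites-enabled/ can still set `gzip on;` per location in the same way, which is the override path the report refers to.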