FS#33561 - [apache] CRIME attack vulnerability
Attached to Project: Arch Linux
Opened by Noah (print) - Friday, 25 January 2013, 17:04 GMT
Last edited by Jan de Groot (JGC) - Monday, 18 March 2013, 14:04 GMT
Details
Description:
Apache 2.2.23 is vulnerable to the so-called "CRIME" SSL attack. Mitigation info here: (http://opensourceandhackystuff.blogspot.com/2012/09/how-to-mitigate-crime-attack-in-apache.html)

Mitigation requires disabling SSL compression (SSLCompression no); however, that directive was not added to mod_ssl until 2.4.3.

Additional info:
* package version(s)
* config and/or log files etc.

Steps to reproduce:
Upgrading to 2.2.24 is as simple as setting the pkgvar and the checksums; all the patches still apply. Can this be considered?
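
The following is an added example, not part of the original report or of the Arch package: a Python check that, given an httpd version and a configuration text, reports whether TLS compression can be, and is, explicitly switched off, which is the mitigation the description and the upgrade comment both turn on. The 2.2.24 threshold for the 2.2 branch and the on/off argument syntax are assumptions taken from the mod_ssl documentation rather than from this report; the function names and the sample configuration are constructed.

```python
import re

# Matches an active (uncommented) directive; httpd directive names are case-insensitive.
DIRECTIVE = re.compile(r"^\s*SSLCompression\s+(\S+)", re.IGNORECASE)

# Constructed sample configuration, not taken from the report.
SAMPLE_CONF = """\
Listen 443
<VirtualHost *:443>
    SSLEngine on
    # SSLCompression on
    SSLCompression off
</VirtualHost>
"""


def directive_supported(version):
    """Return True if this httpd release understands SSLCompression.

    2.4.3 is the release named in the report. 2.2.24 for the 2.2 branch
    is an assumption taken from the mod_ssl documentation.
    """
    v = tuple(int(part) for part in version.split("."))
    if v[:2] == (2, 2):
        return v >= (2, 2, 24)
    return v >= (2, 4, 3)


def audit(version, conf_text):
    """Classify a config as unsupported, unset, invalid, enabled or disabled."""
    if not directive_supported(version):
        # Older mod_ssl has no such directive, so compression cannot be
        # switched off from the configuration at all.
        return "unsupported"
    values = []
    for line in conf_text.splitlines():
        match = DIRECTIVE.match(line)
        if match:
            values.append(match.group(1).lower())
    if not values:
        return "unset"      # relies on the release's default
    if any(v not in ("on", "off") for v in values):
        return "invalid"    # the directive takes only on or off
    # A single "on" anywhere (e.g. one vhost) leaves compression reachable.
    return "enabled" if "on" in values else "disabled"


if __name__ == "__main__":
    for ver in ("2.2.23", "2.2.24", "2.4.3"):
        print(ver, audit(ver, SAMPLE_CONF))
```

A result of "unset" means no explicit directive was found, so the outcome depends on the default of the installed release and of the OpenSSL build behind it.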