FS#33561 : [apache] CRIME attack vulnerability

FS#33561 - [apache] CRIME attack vulnerability

Attached to Project: Arch Linux
Opened by Noah (print) - Friday, 25 January 2013, 17:04 GMT
Last edited by Jan de Groot (JGC) - Monday, 18 March 2013, 14:04 GMT

Task Type	Bug Report
Category	Packages: Extra
Status	Closed
Assigned To	Jan de Groot (JGC)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	6 Arthur Darcet (Arthur) (2013-03-14) Pierre Buard (Gilrain) (2013-03-14) Geert Hendrickx (ghen) (2013-03-13) Adam Young (atyoung) (2013-01-31) Noah (print) (2013-01-30) David Zaragoza (mclaud2000) (2013-01-29)
Private	No

Details

Description:

Apache 2.2.23 is vulnerable to the so-called "CRIME" SSL attack. Mitigation info here: (http://opensourceandhackystuff.blogspot.com/2012/09/how-to-mitigate-crime-attack-in-apache.html)

Mitigation requires disabling SSL compression (SSLCompression no); however, that directive was not added to mod_ssl until 2.4.3

Additional info:
* package version(s)
* config and/or log files etc.

Steps to reproduce:

This task depends upon

Closed by Jan de Groot (JGC)
Monday, 18 March 2013, 14:04 GMT
Reason for closing: Fixed

Comment by Adam Young (atyoung) - Thursday, 31 January 2013, 07:15 GMT

Setting the environmental var with: export OPENSSL_NO_DEFAULT_ZLIB=1 mitigates this attack. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4929

Comment by Geert Hendrickx (ghen) - Friday, 08 March 2013, 21:02 GMT

The environment variable didn't work for me. Upgrading the package to 2.2.24 and setting the new (backported) SSLCompression off did.

Upgrading to 2.2.24 is as simple as setting the pkgvar and the checksums, all the patches still apply. Can this be considered?

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#33561 - [apache] CRIME attack vulnerability

Details

Loading...