Your message dated Tue, 30 Oct 2012 23:47:45 +0000
with message-id <E1TTLX7-0000Qq-94@franck.debian.org>
and subject line Bug#689936: fixed in apache2 2.2.22-12
has caused the Debian Bug report #689936,
regarding apache2: handling the CRIME attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
689936: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689936
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apache2: handling the CRIME attack
- From: Christoph Anton Mitterer <calestyo@scientia.net>
- Date: Mon, 08 Oct 2012 02:51:40 +0200
- Message-id: <1349657500.6470.23.camel@fermat.scientia.net>
Source: root-system
Severity: important
Tags: security

Hi folks,

AFAICS, Debian's Apache2.2 is still vulnerable to CRIME.

Well, AFAIK, CRIME is thought to be fixed on the browser sides, by them
simply not using compression with TLS. While this helps in many cases,
IMHO it's not enough and I'd rather have a way to force the server to
secure things (just as it is, AFAIK, done with the BEAST attack).

A feature to disable compression for mod_ssl has been backported to 2.2.x:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

Can we cherry-pick this? And perhaps enable it per default in mod_ssl's
config.

Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature
--- End Message ---
--- Begin Message ---
- To: 689936-close@bugs.debian.org
- Subject: Bug#689936: fixed in apache2 2.2.22-12
- From: Arno Töll <arno@debian.org>
- Date: Tue, 30 Oct 2012 23:47:45 +0000
- Message-id: <E1TTLX7-0000Qq-94@franck.debian.org>
Source: apache2
Source-Version: 2.2.22-12

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 689936@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arno Töll <arno@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 31 Oct 2012 00:23:59 +0100
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source amd64 all
Version: 2.2.22-12
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Arno Töll <arno@debian.org>
Description:
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-itk - multiuser MPM for Apache 2.2
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 674142 689936
Changes:
 apache2 (2.2.22-12) unstable; urgency=low
 .
   * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default
     is "off". This mitigates impact of CRIME attacks. Fixes:
     - "handling the CRIME attack" (Closes: #689936)
     - "make it possible to disable ssl compression in apache2 mod_ssl"
       (Closes: #674142)
--- End Message ---
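As an added example (not code from this bug thread or from the apache2 package), a small POSIX shell helper covering both sides of the fix discussed above: a static check that the mod_ssl configuration carries an active "SSLCompression off" line, and a live check that parses the SSL-Session summary printed by openssl s_client and reports whether the server negotiated TLS compression, the precondition CRIME relies on. The "-comp" flag and the summary layout are assumed from OpenSSL's s_client; the sample summaries below are constructed.

```shell
#!/bin/sh
# Added example (not from the Debian bug thread): helpers to confirm that a
# mod_ssl host really has TLS compression disabled (SSLCompression off).

# Constructed samples of the SSL-Session summary that `openssl s_client` prints.
SAMPLE_COMPRESSED='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Compression: zlib compression
    Expansion: zlib compression'
SAMPLE_PLAIN='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Compression: NONE
    Expansion: NONE'

# Parse s_client output ($1). Exit status: 0 = compression negotiated (the
# CRIME precondition), 1 = "Compression: NONE", 2 = no Compression line seen.
tls_compression_negotiated() {
    comp=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Compression:[[:space:]]*//p' | head -n 1)
    case "$comp" in
        "")   return 2 ;;
        NONE) return 1 ;;
        *)    return 0 ;;
    esac
}

# Static check: does the Apache config file ($1) contain an active (not
# commented-out) "SSLCompression off" directive? Exit 0 if yes, 1 if not.
config_disables_compression() {
    grep -Eiq '^[[:space:]]*SSLCompression[[:space:]]+off[[:space:]]*$' "$1"
}

# Live check (needs network and the openssl CLI). "-comp" makes the client
# offer compression: OpenSSL >= 1.1.0 no longer offers it by default, so
# without it "Compression: NONE" proves nothing about the server (assumed flag).
check_host() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" -comp </dev/null 2>/dev/null)
    tls_compression_negotiated "$out" && rc=0 || rc=$?
    case "$rc" in
        0) echo "$1: TLS compression ENABLED - set 'SSLCompression off' in mod_ssl"; return 1 ;;
        1) echo "$1: TLS compression not negotiated"; return 0 ;;
        *) echo "$1: no SSL-Session summary (connection failed?)"; return 2 ;;
    esac
}
```

Source the file and run check_host against a host name, or config_disables_compression against the mod_ssl configuration file.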