Your message dated Wed, 28 Nov 2012 12:47:41 +0100
with message-id <50B5F9DD.70006@debian.org>
and subject line Re: Bug#689936: apache2: handling the CRIME attack
has caused the Debian Bug report #689936,
regarding apache2: handling the CRIME attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
689936: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689936
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apache2: handling the CRIME attack
- From: Christoph Anton Mitterer <calestyo@scientia.net>
- Date: Mon, 08 Oct 2012 02:51:40 +0200
- Message-id: <1349657500.6470.23.camel@fermat.scientia.net>

Source: root-system
Severity: important
Tags: security

Hi folks,

AFAICS, Debian’s Apache2.2 is still vulnerable to CRIME.

Well, AFAIK, CRIME is thought to be fixed on the browser sides, by them simply not using compression with TLS.
While this helps in many cases, IMHO it's not enough and I'd rather have a way to force the server to secure things (just as it is, AFAIK, done with the BEAST attack).

A feature to disable compression for mod_ssl has been backported to 2.2.x:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

Can we cherry-pick this? And perhaps enable it per default in mod_ssl's config.

Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature
--- End Message ---
--- Begin Message ---
- To: Henri Salo <henri@nerv.fi>, 689936-done@bugs.debian.org
- Subject: Re: Bug#689936: apache2: handling the CRIME attack
- From: Arno Töll <arno@debian.org>
- Date: Wed, 28 Nov 2012 12:47:41 +0100
- Message-id: <50B5F9DD.70006@debian.org>
- In-reply-to: <20121128090050.GC14011@kludge.henri.nerv.fi>
- References: <20121128090050.GC14011@kludge.henri.nerv.fi>

Hi,

On 28.11.2012 10:00, Henri Salo wrote:
> Can we get this #689936 issue fixed also in stable with DSA, thanks?

Please see #674142. Closing here.

--
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---