nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)
Hi,
The version of nginx currently in squeeze-backports (1.2.1-2.2~bpo60+1)
seems to have SSL compression enabled and is vulnerable to the CRIME
attack (CVE-2012-4929 - see [1]). The same version in wheezy is *not*
vulnerable because it links against libssl1.0.0 which has SSL
compression disabled by default. The backport however links against
libssl0.9.8 and has SSL compression enabled by default, and thus the
patch attached in [1] must be applied.
Regards,
Apollon
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700426
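The post's check is "does the server still negotiate TLS-level compression?" and its fix is "refuse compression on the OpenSSL side". The following script is an added example, not part of the mail or of the Debian patch it refers to: it parses a ServerHello record (as captured from a handshake with the nginx in question) and reports the negotiated compression method, and it shows the OpenSSL option that the referenced patch turns on, set here through Python's ssl module as a client-side equivalent. The ServerHello bytes are constructed inline for demonstration; the parser assumes a single record carrying one ServerHello and ignores any trailing extensions.

```python
import ssl
import struct

# IANA-registered TLS compression method identifiers (RFC 3749, RFC 3943).
COMPRESSION_NAMES = {0x00: "null", 0x01: "DEFLATE", 0x40: "LZS"}


def parse_server_hello(record: bytes):
    """Parse one TLS record carrying a ServerHello.

    Returns (protocol_version, cipher_suite, compression_method).
    Layout: 5-byte record header, 4-byte handshake header, then
    version(2) random(32) session_id_len(1) session_id cipher(2) compression(1).
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or len(body) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[0:2])[0]
    session_id_len = body[34]
    pos = 35 + session_id_len  # start of the cipher suite field
    if len(body) < pos + 3:
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    compression = body[pos + 2]
    return version, cipher_suite, compression


def negotiates_compression(record: bytes) -> bool:
    """True when the server picked anything other than the null method,
    i.e. the CRIME precondition (compressed TLS plaintext) is present."""
    return parse_server_hello(record)[2] != 0x00


def compression_name(method: int) -> str:
    return COMPRESSION_NAMES.get(method, "unknown(0x%02x)" % method)


def build_server_hello(compression: int, cipher_suite: int = 0x002F) -> bytes:
    """Constructed sample: a TLS 1.0 ServerHello with no extensions,
    empty session id, the given cipher suite (default AES128-SHA) and
    compression method. Used here only as test input."""
    body = (b"\x03\x01" + bytes(range(32)) + b"\x00"
            + struct.pack("!H", cipher_suite) + bytes([compression]))
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def hardened_client_context() -> ssl.SSLContext:
    """Client-side counterpart of the server fix: set SSL_OP_NO_COMPRESSION
    so this endpoint never offers or accepts TLS compression."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    for method in (0x00, 0x01):
        rec = build_server_hello(method)
        version, suite, comp = parse_server_hello(rec)
        print("version=0x%04x suite=0x%04x compression=%s vulnerable=%s"
              % (version, suite, compression_name(comp), negotiates_compression(rec)))
    print("client context refuses compression:",
          compression_disabled(hardened_client_context()))
```

On a live host the same check is done by feeding `parse_server_hello` the first record the server sends back after a ClientHello; a non-null method means the libssl0.9.8 default described in the mail is still in effect and the patch from [1] has not been applied.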