nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)

To: debian-backports@lists.debian.org
Subject: nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)
From: Apollon Oikonomopoulos <apollon@skroutz.gr>
Date: Mon, 25 Feb 2013 12:11:10 +0200
Message-id: <[🔎] 20130225101109.GE20345@apollon.skroutz.gr>

Hi,

The version of nginx currently in squeeze-backports (1.2.1-2.2~bpo60+1) 
seems to have SSL compression enabled and is vulnerable to the CRIME 
attack (CVE-2012-4929 - see[1]). The same version in wheezy is *not* 
vulnerable because it links against libssl1.0.0 which has SSL 
compression disabled by default. The backport however links against 
libssl0.9.8 and has SSL compression enabled by default, and thus the 
patch attached in [1] must be applied.

Regards,
Apollon

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700426

Reply to:

Follow-Ups:
- Re: nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)
  - From: Cyril LAVIER <cyril.lavier@davromaniak.eu>

Prev by Date: debsums backport
Next by Date: Re: nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)
Previous by thread: debsums backport
Next by thread: Re: nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)
Index(es):
- Date
- Thread