Re: nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)

To: <debian-backports@lists.debian.org>
Subject: Re: nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)
From: Cyril LAVIER <cyril.lavier@davromaniak.eu>
Date: Mon, 25 Feb 2013 11:56:45 +0100
Message-id: <[🔎] 8f427922ff490186a8a8b6b750890a52@davromaniak.eu>
In-reply-to: <[🔎] 20130225101109.GE20345@apollon.skroutz.gr>
References: <[🔎] 20130225101109.GE20345@apollon.skroutz.gr>

Le 2013-02-25 11:11, Apollon Oikonomopoulos a écrit :

Hi,

The version of nginx currently in squeeze-backports(1.2.1-2.2~bpo60+1)

seems to have SSL compression enabled and is vulnerable to the CRIME
attack (CVE-2012-4929 - see[1]). The same version in wheezy is *not*
vulnerable because it links against libssl1.0.0 which has SSL
compression disabled by default. The backport however links against
libssl0.9.8 and has SSL compression enabled by default, and thus the
patch attached in [1] must be applied.

Regards,
Apollon

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700426


Hello Apollon.

I'm going to perform this backport in the next days (maybe tonight),but I haven't had enough time.

By the way, how do I need to call this version ?, 1.2.1-2.2~bpo+60+1.1?


Thanks.

--
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu

Reply to:

Follow-Ups:
- Re: nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)
  - From: Kartik Mistry <kartik.mistry@gmail.com>

References:
- nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)
  - From: Apollon Oikonomopoulos <apollon@skroutz.gr>

Prev by Date: nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)
Next by Date: Re: nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)
Previous by thread: nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)
Next by thread: Re: nginx 1.2.1-2.2~bpo+60.1 and CVE-2012-4929 (CRIME attack)
Index(es):
- Date
- Thread