
Bug#691894: unblock: apache2/2.2.22-12



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package apache2.

This upload mitigates the impact of the so-called "CRIME" attacks on SSL. That's
primarily a browser issue and not a vulnerability in Apache's code. That said,
this patch disables SSL compression globally by default so that vulnerable
browsers can't be exploited while talking to a web server with this patch.

Please note that we are planning to upload the very same patch to s-p-u (the same patch,
just adapted to Squeeze's Apache version and in dpatch format). Do you agree with
our plans for that? Alternatively, we can discuss this in a separate bug if you prefer.

This is the patch:

diff --git a/debian/changelog b/debian/changelog
index 665b678..3d4d908 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+apache2 (2.2.22-12) unstable; urgency=low
+
+  * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is
+    "off". This mitigates impact of CRIME attacks. Fixes:
+    - "handling the CRIME attack" (Closes: #689936)
+    - "make it possible to disable ssl compression in apache2 mod_ssl"
+      (Closes: #674142)
+
+ -- Arno Töll <arno@debian.org>  Wed, 31 Oct 2012 00:23:59 +0100
+
 apache2 (2.2.22-11) unstable; urgency=low
 
   * Be more careful regarding link attacks when purging the cache disk
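
Review bot: the changelog introduces a new directive and flips its default to off, but nothing in this hunk points administrators at it; a NEWS.Debian entry (or a line in README.Debian) saying that SSL compression is now disabled by default and can be re-enabled with "SSLCompression on" would make the behaviour change visible at upgrade time. Also, the entry closes both #689936 and #674142 while the patch header below lists only #674142 in its Bug-Debian field; #689936 (the CRIME report) belongs there too.
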
diff --git a/debian/patches/disable-ssl-compression.patch b/debian/patches/disable-ssl-compression.patch
new file mode 100644
index 0000000..6878f68
--- /dev/null
+++ b/debian/patches/disable-ssl-compression.patch
@@ -0,0 +1,121 @@
+From: Bjoern Jacke <debianbugs@j3e.de>
+Subject: Allow mod_ssl to disable ssl compression
+
+Patch submitted upstream, merged into 2.2.24. This patch adds a "Compression
+on|off" directive to mod_ssl.
+
+Origin: upstream, https://issues.apache.org/bugzilla/attachment.cgi?id=28804
+Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142
+
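
Review bot: the description calls the new setting a "Compression on|off" directive, but the directive an administrator actually types is SSLCompression: it is registered via SSL_CMD_SRV(Compression, ...) next to HonorCipherOrder, whose handler is ssl_cmd_SSLHonorCipherOrder, and the handler added below is ssl_cmd_SSLCompression. Align the Subject and description with the changelog ("SSLCompression on|off") so nobody goes looking for a directive named Compression.
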
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -146,6 +146,9 @@
+                 "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+     SSL_CMD_SRV(HonorCipherOrder, FLAG,
+                 "Use the server's cipher ordering preference")
++    SSL_CMD_SRV(Compression, FLAG,
++                "Enable SSL level compression"
++                "(`on', `off')")
+     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+                 "Enable support for insecure renegotiation")
+     SSL_CMD_ALL(UserName, TAKE1,
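
Review bot: the two adjacent string literals in the help text, "Enable SSL level compression" and "(`on', `off')", have no separating space, so the concatenated message reads "Enable SSL level compression(`on', `off')" in the -L directive listing; add a trailing space to the first literal. Otherwise registering it as SSL_CMD_SRV with FLAG, like HonorCipherOrder and InsecureRenegotiation, is the right shape for a boolean per-server directive.
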
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -178,6 +178,9 @@
+ #ifdef HAVE_FIPS
+     sc->fips                   = UNSET;
+ #endif
++#ifndef OPENSSL_NO_COMP
++    sc->compression            = UNSET;
++#endif
+ 
+     modssl_ctx_init_proxy(sc, p);
+ 
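
Review bot: sc->compression is initialised here and merged in the next hunk, but the hunk that adds the `compression` member to SSLSrvConfigRec (the struct lives in ssl_private.h, and the member should sit under the same OPENSSL_NO_COMP guard so the two stay consistent) is not among the lines reproduced in this message; the full 121-line patch needs to be checked for that declaration. Initialising to UNSET rather than FALSE is correct: it leaves the "off" default to be applied in one place at SSL_CTX setup time, so a vhost that explicitly set the directive can still be told apart from an unconfigured one during merging.
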
+@@ -275,6 +278,9 @@
+ #ifdef HAVE_FIPS
+     cfgMergeBool(fips);
+ #endif
++#ifndef OPENSSL_NO_COMP
++    cfgMergeBool(compression);
++#endif
+ 
+     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
+ 
+@@ -708,6 +714,23 @@
+ 
+ }
+ 
++const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
++{
++#if !defined(OPENSSL_NO_COMP)
++    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++#ifndef SSL_OP_NO_COMPRESSION
++    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++    if (err)
++        return "This version of openssl does not support configuring "
++               "compression within <VirtualHost> sections.";
++#endif
++    sc->compression = flag ? TRUE : FALSE;
++    return NULL;
++#else
++    return "Setting Compression mode unsupported; not implemented by the SSL library";
++#endif
++}
++
+ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+ {
+ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
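
Review bot: on an OpenSSL built with OPENSSL_NO_COMP the #else branch rejects the directive with an error regardless of its argument, so a configuration containing "SSLCompression off" (the safe state, and the one this upload makes the default) fails to load on exactly the builds where compression cannot be negotiated anyway; returning NULL when `flag` is 0 and erroring only for "on" would avoid that. Two smaller points: the `err` returned by ap_check_cmd_context() is stored and then discarded in favour of a fixed message, so either return `err` or don't keep it; and this hunk guards with `#if !defined(OPENSSL_NO_COMP)` while the other hunks use `#ifndef OPENSSL_NO_COMP`, so pick one. Restricting the directive to the global context when SSL_OP_NO_COMPRESSION is unavailable matches the error text ("does not support configuring compression within <VirtualHost> sections") and is the right call.
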
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -532,6 +532,18 @@
+     }
+ #endif
+ 
++
++#ifndef OPENSSL_NO_COMP
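
Review bot: the ssl_engine_init.c hunk breaks off after `#ifndef OPENSSL_NO_COMP`, and the rest of the 121-line patch is not reproduced, so the part that matters most for the changelog's "default is off" claim, where an UNSET sc->compression is resolved to off and applied to the SSL_CTX, cannot be reviewed from this message; please attach or link the complete patch. The comments on the earlier hunks assume that the missing code turns UNSET into off rather than leaving compression enabled.
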

unblock apache2/2.2.22-12

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.5-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
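
Two checks a practitioner would run around this change, as an added example that is not part of this bug report or of the apache2 package: a config audit that reports the effective SSLCompression value globally and per <VirtualHost> (so a vhost that re-enables compression is caught), and a parser for the "Compression:" line that `openssl s_client` prints, for a live check such as `openssl s_client -connect host:443 </dev/null 2>/dev/null | python3 check.py`. Assumptions not stated by the patch: the global default is "off" as the changelog says; the s_client output format is the one in the constructed sample; and a client built on OpenSSL 1.1.0 or later does not offer compression unless started with `-comp`, so a "NONE" from such a client says nothing about the server. The config and s_client samples are constructed.

```python
"""Added example, not code from the bug report or from apache2/mod_ssl."""
import re
import sys

# Default applied by the Debian patch (assumption taken from the changelog).
DEFAULT_SSLCOMPRESSION = "off"

_VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
_VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)
_DIRECTIVE = re.compile(r"^SSLCompression\s+(on|off)$", re.IGNORECASE)


def audit_apache_config(text):
    """Return (global_setting, {vhost_address: effective_setting}, [vhosts on]).

    Directive name and on/off are matched case-insensitively, as Apache does;
    a <VirtualHost> without its own directive inherits the global value, which
    mirrors cfgMergeBool() in the patch.  Name-based vhosts sharing one
    address are collapsed under that address (limitation of this checker)."""
    global_setting = DEFAULT_SSLCOMPRESSION
    vhosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments start the line
            continue
        m = _VHOST_OPEN.match(line)
        if m:
            current = m.group(1).strip()
            vhosts.setdefault(current, None)
            continue
        if _VHOST_CLOSE.match(line):
            current = None
            continue
        m = _DIRECTIVE.match(line)
        if m:
            value = m.group(1).lower()
            if current is None:
                global_setting = value
            else:
                vhosts[current] = value
    effective = {name: (v if v is not None else global_setting)
                 for name, v in vhosts.items()}
    enabled = sorted(name for name, v in effective.items() if v == "on")
    return global_setting, effective, enabled


# Only the top-level "Compression:" line is wanted; the SSL-Session block
# prints an indented numeric form that would otherwise also match.
_SCLIENT_COMPRESSION = re.compile(r"^Compression:\s*(.+?)\s*$", re.MULTILINE)


def compression_from_s_client(output):
    """Return the 'Compression:' value printed by `openssl s_client`
    ("NONE" when nothing was negotiated), or None if the line is absent."""
    m = _SCLIENT_COMPRESSION.search(output)
    return m.group(1) if m else None


# Constructed sample config: global off, one vhost inheriting it, one vhost
# re-enabling compression (the CRIME-exposed code path).
SAMPLE_CONFIG = """\
# /etc/apache2/mods-available/ssl.conf (constructed)
SSLCompression off

<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName legacy.example.test
    SSLEngine on
    sslcompression On
</VirtualHost>
"""

# Constructed s_client excerpts in the format openssl s_client prints.
SAMPLE_SCLIENT_OFF = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
"""
SAMPLE_SCLIENT_ON = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
"""

if __name__ == "__main__":
    glob, per_vhost, bad = audit_apache_config(SAMPLE_CONFIG)
    print("global SSLCompression:", glob, "| vhosts with compression on:", bad)
    # Live check: pipe `openssl s_client ...` output into this script.
    if not sys.stdin.isatty():
        comp = compression_from_s_client(sys.stdin.read())
        print("negotiated compression:", comp)
        sys.exit(0 if comp == "NONE" else (2 if comp is None else 1))
```

The audit resolves inheritance after the whole file is read, so a global `SSLCompression` placed after the vhost blocks still applies to them, as it does in Apache. Exit status 1 from the live check means the server negotiated compression with this client; 2 means no "Compression:" line was found (usually a failed handshake), which is worth distinguishing from a clean "NONE".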
