
pound: TLS compression is insecure (CRIME attack) and can't be disabled



Hi, this is still an issue with Pound:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727197

I'm now using the stable wheezy version:
Package: pound
Version: 2.6-2

And hosting an SSL-cert with pound results in:

This server does not mitigate the CRIME attack. Grade capped to B.

when testing with:

https://www.ssllabs.com/ssltest/

There is a fix listed in the bug report and also in the repo below for both openssl 0.9.8 and openssl 1.0.0:

> > My suggestion to anyone who needs PCI-DSS compliance is to run my
> > branch here:
> > https://github.com/goochjj/pound/tree/stage_for_upstream/v2.7b
> >
> > Zip here:
> > https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7b.zip
> >
> > This is based on 2.7b, and includes a bunch of patches that I
> > usually include in pound, to do things like SNI, CertDir includes,
> > IncludeDir, PCRE redirects, etc.
> >
> >
> > If you don't feel comfortable running a 2.7 branch, or don't want to
> > include those patches, I've rolled a new branch:
> > https://github.com/goochjj/pound/tree/pcidss/v2.6
> > Zip here: https://github.com/goochjj/pound/archive/pcidss/v2.6.zip
> >
> > Which includes only the XSRF, SSLv2, SSL compression and cipher
> > enhancements against a 2.6 baseline.


I feel this has to get priority to backport as it's a vulnerability.

Thanks
Stefan
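The condition the ssllabs report flags is simply that the server is willing to negotiate a TLS compression method. As an added example, not part of this mail or of Pound's code, here is a minimal Python check that offers DEFLATE in a TLS 1.0 ClientHello and reads which compression method the ServerHello selects; the host name and the constructed sample ServerHello are assumptions for offline use.

```python
import socket
import struct

NULL_COMPRESSION = 0x00
DEFLATE = 0x01  # TLS compression method id for DEFLATE (RFC 3749)

def build_client_hello(compression_methods=(DEFLATE, NULL_COMPRESSION)):
    """Minimal TLS 1.0 ClientHello record that offers the given compression methods.
    Servers that require TLS 1.2 or later will answer with an Alert instead."""
    ciphers = struct.pack("!HHH", 0x002F, 0x0035, 0x000A)  # AES128-SHA, AES256-SHA, 3DES-SHA
    comp = bytes(compression_methods)
    body = (b"\x03\x01" + b"\x00" * 32          # version, client random (zeros: demo only)
            + b"\x00"                           # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + bytes([len(comp)]) + comp)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def server_hello_compression(data):
    """Return the compression method id chosen in a ServerHello record, or None
    when `data` is not a complete single-record ServerHello (e.g. an Alert)."""
    if len(data) < 5 or data[0] != 0x16:            # not a Handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                # not a ServerHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    # version(2) random(32) session_id_len(1) session_id cipher_suite(2) compression(1)
    if len(body) < 35:
        return None
    idx = 35 + body[34] + 2
    return body[idx] if idx < len(body) else None

def build_server_hello(compression, cipher=0x002F):
    """Constructed sample ServerHello record (offline test data, not captured traffic)."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack("!H", cipher) + bytes([compression])
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def accepts_tls_compression(host, port=443, timeout=5.0):
    """True when the server selects DEFLATE, i.e. CRIME is not mitigated for this handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = sock.recv(16384)
    return server_hello_compression(data) == DEFLATE

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    print("compression accepted:", accepts_tls_compression(host))
```

A server patched as described in the bug report answers with compression method 0x00 (null); the fixed branches above do the same by refusing to advertise DEFLATE at all.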