
Re: Debian nginx gzip vulnerability



Seems to me you are referring to BREACH. There is no single update that will fix your web server for good; instead, you will have to implement one or more workarounds so that BREACH is no longer a feasible attack vector.

Possible mitigations are explained here: http://breachattack.com/
I've implemented an nginx rule that disables HTTP compression if there is no trusted "Referer" in the request header.

Joseph


On 10.06.2015 at 11:32, Alejandro Betancor wrote:

Hello friends.

I write to the list because I'm using Debian Wheezy as a web server with nginx 1.6.0. I updated my nginx to fix the problem with gzip compression, but I tested the server and in this package we still have the problem. I want to know in which version of nginx this vulnerability is fixed. The CVE is CVE-2013-3587.

Thanks and all the best.

Alejandro Betancor
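
A Referer-based rule of the kind described in the reply above could look like this in nginx. This is an added example, not the configuration used by the poster; the server names, certificate paths and backend address are placeholders.

```nginx
# Added example; this server block goes inside the http {} block.
# example.com, the certificate paths and 127.0.0.1:8080 are placeholders.
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    gzip on;                      # text/html is always in gzip_types
    gzip_types application/json text/plain;

    location / {
        # Trust only Referer values that match this server's own names.
        # "none" and "blocked" are left out on purpose, so a request with a
        # missing or stripped Referer is also treated as untrusted.
        valid_referers server_names;

        # $invalid_referer is "1" when the Referer is not in the list above.
        if ($invalid_referer) {
            gzip off;
        }

        proxy_pass http://127.0.0.1:8080;
    }
}
```

With this rule, direct visits and requests arriving from other sites are answered uncompressed, while requests made while navigating within the site keep gzip. To check it, compare the Content-Encoding response header for a request sent with a same-site Referer against one sent without a Referer.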

 

 

 


