enterprise-support team mailing list archive
Message #02209
[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack
This bug was fixed in the package apache2 - 2.2.8-1ubuntu0.24
---------------
apache2 (2.2.8-1ubuntu0.24) hardy-security; urgency=low

  * SECURITY UPDATE: XSS vulnerability in mod_negotiation
    - debian/patches/224_CVE-2012-2687.dpatch: escape filenames in
      modules/mappers/mod_negotiation.c.
    - CVE-2012-2687
  * SECURITY UPDATE: CRIME attack ssl attack (LP: #1068854)
    - debian/patches/225_CVE-2012-4929.dpatch: backport SSLCompression
      on|off directive. Defaults to off as enabling compression enables the
      CRIME attack.
    - CVE-2012-4929

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx> Tue, 06 Nov 2012 15:01:07 -0500
** Changed in: apache2 (Ubuntu)
Status: Confirmed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2687
https://bugs.launchpad.net/bugs/1068854
Title:
Support option to disable TLS compression to protect against CRIME
attack