Debian Bug report logs - #689936
apache2: handling the CRIME attack


Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>;

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 8 Oct 2012 00:54:01 UTC

Severity: important

Tags: security

Found in version apache2/2.2.16-6+squeeze8

Fixed in version apache2/2.2.22-12

Done: Stefan Fritsch <sf@sfritsch.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#689936; Package src:root-system. (Mon, 08 Oct 2012 00:54:03 GMT)

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
New Bug report received and forwarded. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Mon, 08 Oct 2012 00:54:03 GMT)

Message #5 received at submit@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2: handling the CRIME attack
Date: Mon, 08 Oct 2012 02:51:40 +0200
Source: root-system
Severity: important
Tags: security

Hi folks,


AFAICS, Debian’s Apache2.2 is still vulnerable to CRIME.

Well, AFAIK, CRIME is thought to be fixed on the browser sides, by them
simply not using compression with TLS.
While this helps in many cases, IMHO it's not enough and I'd rather have
a way to force the server to secure things (just as it is, AFAIK, done
with the BEAST attack).


A feature to disable compression for mod_ssl has been backported to
2.2.x:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

Can we cherry-pick this?


And perhaps enable it per default in mod_ssl's config.


Cheers,
Chris.

Bug reassigned from package 'src:root-system' to 'src:apache2'. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Mon, 08 Oct 2012 05:48:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#689936; Package src:apache2. (Fri, 19 Oct 2012 18:33:05 GMT)

Acknowledgement sent to ipso@snappymail.ca:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Fri, 19 Oct 2012 18:33:05 GMT)

Message #12 received at 689936@bugs.debian.org:

From: Mike <ipso@snappymail.ca>
To: 689936@bugs.debian.org
Subject: apache2: handling the CRIME attack
Date: Fri, 19 Oct 2012 11:18:25 -0700
Currently Debian stable systems are failing PCI compliance scans due to
not being able to disable SSL compression and are therefore vulnerable to
CRIME attacks.

So it would be really nice to get this patch applied.

-- 
Mike
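Both requests above, Chris's that the server side refuse TLS compression and Mike's that PCI scans stop flagging it, come down to one observable: whether the ServerHello selects a compression method other than null. The following is an added example, not code from this bug report or from the apache2 package: it parses a captured TLS ServerHello record and reports the negotiated compression method, which is the check a compliance scanner performs; the sample records are constructed inline for offline use.

```python
"""Check a TLS ServerHello for negotiated compression (the CRIME indicator).

Added example, not part of the Debian bug report or of apache2/mod_ssl.
A non-null compression method in the ServerHello means the server still
compresses TLS records; with "SSLCompression off" it should always be 0x00.
"""
import struct

NULL_COMPRESSION = 0x00
DEFLATE = 0x01  # compression method id from RFC 3749


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return the selected parameters."""
    if len(record) < 5 or record[0] != 0x16:  # ContentType handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:  # HandshakeType server_hello
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:  # version(2) + random(32) + session_id length(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]
    off = 35 + sid_len  # cipher_suite(2) and compression_method(1) follow the session id
    if len(hello) < off + 3:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hello[off:off + 2])[0]
    return {"version": version, "cipher_suite": cipher, "compression": hello[off + 2]}


def compression_negotiated(record: bytes) -> bool:
    """True when the server selected anything other than null compression."""
    return parse_server_hello(record)["compression"] != NULL_COMPRESSION


def build_server_hello(compression: int, session_id: bytes = b"") -> bytes:
    """Constructed sample: TLS 1.0 ServerHello selecting AES128-SHA (0x002F)."""
    hello = struct.pack("!H", 0x0301) + bytes(32) + bytes([len(session_id)]) + session_id
    hello += struct.pack("!H", 0x002F) + bytes([compression])
    hs = bytes([0x02]) + len(hello).to_bytes(3, "big") + hello
    return bytes([0x16]) + struct.pack("!H", 0x0301) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for name, comp in (("null", NULL_COMPRESSION), ("DEFLATE", DEFLATE)):
        rec = build_server_hello(comp, session_id=b"\x11" * 8)
        print(f"{name}: compression negotiated -> {compression_negotiated(rec)}")
```

A live check feeds the first record returned by the server after a ClientHello that offers DEFLATE; a server with compression disabled answers with method 0x00.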




Added tag(s) pending. Request was from Arno Töll <arno@debian.org> to control@bugs.debian.org. (Sat, 20 Oct 2012 01:21:05 GMT)

Reply sent to Arno Töll <arno@debian.org>:
You have taken responsibility. (Tue, 30 Oct 2012 23:51:05 GMT)

Notification sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Bug acknowledged by developer. (Tue, 30 Oct 2012 23:51:05 GMT)

Message #19 received at 689936-close@bugs.debian.org:

From: Arno Töll <arno@debian.org>
To: 689936-close@bugs.debian.org
Subject: Bug#689936: fixed in apache2 2.2.22-12
Date: Tue, 30 Oct 2012 23:47:45 +0000
Source: apache2
Source-Version: 2.2.22-12

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689936@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arno Töll <arno@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 31 Oct 2012 00:23:59 +0100
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-mpm-itk apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-dbg
Architecture: source amd64 all
Version: 2.2.22-12
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Arno Töll <arno@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-itk - multiuser MPM for Apache 2.2
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 674142 689936
Changes: 
 apache2 (2.2.22-12) unstable; urgency=low
 .
   * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is
     "off". This mitigates impact of CRIME attacks. Fixes:
     - "handling the CRIME attack" (Closes: #689936)
     - "make it possible to disable ssl compression in apache2 mod_ssl"
       (Closes: #674142)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#689936; Package src:apache2. (Wed, 28 Nov 2012 09:03:02 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Wed, 28 Nov 2012 09:03:03 GMT)

Message #24 received at 689936@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 689936@bugs.debian.org
Cc: debian-apache@lists.debian.org, calestyo@scientia.net, Mike <ipso@snappymail.ca>, Arno Töll <arno@debian.org>
Subject: apache2: handling the CRIME attack
Date: Wed, 28 Nov 2012 11:00:50 +0200
Hello,

Can we get this #689936 issue fixed also in stable with DSA, thanks?

- Henri Salo



Bug reopened. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Wed, 28 Nov 2012 09:06:03 GMT)

No longer marked as fixed in versions apache2/2.2.22-12. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Wed, 28 Nov 2012 09:06:04 GMT)

Marked as found in versions apache2/2.2.16-6+squeeze8. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Wed, 28 Nov 2012 09:06:04 GMT)

Marked as fixed in versions apache2/2.2.22-12. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Wed, 28 Nov 2012 09:12:06 GMT)

Reply sent to Arno Töll <arno@debian.org>:
You have taken responsibility. (Wed, 28 Nov 2012 11:51:12 GMT)

Notification sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Bug acknowledged by developer. (Wed, 28 Nov 2012 11:51:12 GMT)

Message #37 received at 689936-done@bugs.debian.org:

From: Arno Töll <arno@debian.org>
To: Henri Salo <henri@nerv.fi>, 689936-done@bugs.debian.org
Subject: Re: Bug#689936: apache2: handling the CRIME attack
Date: Wed, 28 Nov 2012 12:47:41 +0100
Hi,

On 28.11.2012 10:00, Henri Salo wrote:
> Can we get this #689936 issue fixed also in stable with DSA, thanks?

Please see #674142. Closing here.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D


Reply sent to Stefan Fritsch <sf@sfritsch.de>:
You have taken responsibility. (Fri, 30 Nov 2012 13:27:09 GMT)

Notification sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Bug acknowledged by developer. (Fri, 30 Nov 2012 13:27:09 GMT)

Message #42 received at 689936-done@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 689936-done@bugs.debian.org, 674142-done@bugs.debian.org
Subject: fixed in squeeze in DSA 2579-1
Date: Fri, 30 Nov 2012 14:25:50 +0100
version: apache2/2.2.16-6+squeeze10

fixed in squeeze in DSA 2579-1



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 29 Dec 2012 07:26:08 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 15:56:42 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.