Debian Bug report logs - #700426
vulnerable to CRIME SSL attack (CVE-2012-4929)


Package: nginx; Maintainer for nginx is Kartik Mistry <kartik@debian.org>; Source for nginx is src:nginx.

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Tue, 12 Feb 2013 15:30:01 UTC

Severity: grave

Tags: patch, security

Found in version nginx/0.7.67-3

Fixed in versions nginx/1.2.1-2.2, nginx/0.7.67-3+squeeze3

Done: Cyril Lavier <cyril.lavier@davromaniak.eu>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#700426; Package nginx. (Tue, 12 Feb 2013 15:30:04 GMT)

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kartik Mistry <kartik@debian.org>. (Tue, 12 Feb 2013 15:30:04 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vulnerable to CRIME SSL attack (CVE-2012-4929)
Date: Tue, 12 Feb 2013 16:27:09 +0100
Package: nginx
Version: 0.7.67-3
Severity: grave
Tags: security patch

Hi,

nginx in squeeze and wheezy is vulnerable to the SSL attack CVE-2012-4929
dubbed 'CRIME'. The attack is related to SSL compression.

The popular solution to the attack is to disable SSL compression. This is
what Apache has done and also what nginx upstream has done in 1.2.2.
Attached patch does that, works for us and we've verified that it solves
the problem.

Upstream info is here: http://forum.nginx.org/read.php?2,231067,231068

I'd gladly hear your view on this patch. Barring any objections I'm planning
to release this as a DSA after the weekend, and also make an upload to
wheezy.


Cheers,
Thijs

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (400, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
[CVE-2012-4929.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#700426; Package nginx. (Wed, 13 Feb 2013 14:09:03 GMT)

Acknowledgement sent to Cyril LAVIER <cyril.lavier@davromaniak.eu>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 13 Feb 2013 14:09:03 GMT)

Message #10 received at 700426@bugs.debian.org (full text, mbox):

From: Cyril LAVIER <cyril.lavier@davromaniak.eu>
To: Thijs Kinkhorst <thijs@debian.org>, <700426@bugs.debian.org>
Subject: Re: Bug#700426: vulnerable to CRIME SSL attack (CVE-2012-4929)
Date: Wed, 13 Feb 2013 14:55:46 +0100
On 2013-02-12 16:27, Thijs Kinkhorst wrote:
> Package: nginx
> Version: 0.7.67-3
> Severity: grave
> Tags: security patch
>
> Hi,
>
> nginx in squeeze and wheezy is vulnerable to the SSL attack 
> CVE-2012-4929
> dubbed 'CRIME'. The attack is related to SSL compression.
>
> The popular solution to the attack is to disable SSL compression. 
> This is
> what Apache has done and also what nginx upstream has done in 1.2.2.
> Attached patch does that, works for us and we've verified that it 
> solves
> the problem.
>
> Upstream info is here: 
> http://forum.nginx.org/read.php?2,231067,231068
>
> I'd gladly hear your view on this patch. Barring any objections I'm 
> planning
> to release this as a DSA after the weekend, and also make an upload 
> to
> wheezy.
>
>
> Cheers,
> Thijs
>

Hello Thijs.

Thanks for this report.

I think we have to include this patch in the nginx packages (stable and 
unstable).

I don't actually know if you already prepared an upload, so I did it by 
myself (and it was a great time to relearn how to use quilt).

The packages are here:
* Stable: http://sources.davromaniak.eu/nginx/nginx_0.7.67-3+squeeze3.dsc
* Unstable: http://sources.davromaniak.eu/nginx/nginx_1.2.1-3.dsc

In case you already prepared an upload, just ignore the last lines ;).

When the 1.2.1 package arrives in the unstable repo, I will 
backport it to squeeze.

Thanks.
-- 
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu



Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#700426; Package nginx. (Wed, 13 Feb 2013 14:39:05 GMT)

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 13 Feb 2013 14:39:05 GMT)

Message #15 received at 700426@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Cyril LAVIER" <cyril.lavier@davromaniak.eu>
Cc: 700426@bugs.debian.org
Subject: Re: Bug#700426: vulnerable to CRIME SSL attack (CVE-2012-4929)
Date: Wed, 13 Feb 2013 15:36:56 +0100
Hi Cyril,

On Wed, February 13, 2013 14:55, Cyril LAVIER wrote:
> Thanks for this report.
>
> I think we have to include this patch in the nginx packages (stable and
> unstable).
>
> I don't actually know if you already prepared an upload, so I did it by
> myself (and it was a great time to relearn how to use quilt).
>
> The packages are here :
> * Stable :
> http://sources.davromaniak.eu/nginx/nginx_0.7.67-3+squeeze3.dsc
> * Unstable : http://sources.davromaniak.eu/nginx/nginx_1.2.1-3.dsc
>
> In case you already prepared an upload, just ignore the last lines ;).
>
> When the 1.2.1 package will arrive on the unstable repo, I will
> backport it to squeeze.

Thanks!

Unstable however is already fixed, according to my information, in 1.2.2.
See http://forum.nginx.org/read.php?2,231067,231068

So it does need to be fixed in wheezy, which has 1.2.1, and in stable
indeed. Your package for stable looks good. I'll upload that to security
master so it can get built.

Can you take care of the process of updating wheezy? I think you need to
solicit input from the release team before you can upload to
testing-proposed-updates.


Cheers,
Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#700426; Package nginx. (Wed, 13 Feb 2013 14:45:03 GMT)

Acknowledgement sent to Cyril LAVIER <cyril.lavier@davromaniak.eu>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 13 Feb 2013 14:45:03 GMT)

Message #20 received at 700426@bugs.debian.org (full text, mbox):

From: Cyril LAVIER <cyril.lavier@davromaniak.eu>
To: Thijs Kinkhorst <thijs@debian.org>, <700426@bugs.debian.org>
Subject: Re: Bug#700426: vulnerable to CRIME SSL attack (CVE-2012-4929)
Date: Wed, 13 Feb 2013 15:42:28 +0100
On 2013-02-13 15:36, Thijs Kinkhorst wrote:
> Hi Cyril,
>
> On Wed, February 13, 2013 14:55, Cyril LAVIER wrote:
>> Thanks for this report.
>>
>> I think we have to include this patch in the nginx packages (stable 
>> and
>> unstable).
>>
>> I don't actually know if you already prepared an upload, so I did it 
>> by
>> myself (and it was a great time to relearn how to use quilt).
>>
>> The packages are here :
>> * Stable :
>> http://sources.davromaniak.eu/nginx/nginx_0.7.67-3+squeeze3.dsc
>> * Unstable : http://sources.davromaniak.eu/nginx/nginx_1.2.1-3.dsc
>>
>> In case you already prepared an upload, just ignore the last lines 
>> ;).
>>
>> When the 1.2.1 package arrives in the unstable repo, I will
>> backport it to squeeze.
>
> Thanks!
>
> Unstable however is already fixed, according to my information, in 
> 1.2.2.
> See http://forum.nginx.org/read.php?2,231067,231068
>
> So it does need to be fixed in wheezy, which has 1.2.1, and in stable
> indeed. Your package for stable looks good. I'll upload that to 
> security
> master so it can get built.
>
> Can you take care of the process of updating wheezy? I think you need 
> to
> solicit input from the release team before you can upload to
> testing-proposed-updates.
>
>
> Cheers,
> Thijs

Actually, when I typed "Unstable :" or "unstable", I meant "Testing :" 
or "testing". I don't know why I mistyped a big part of this mail :(.

So the nginx_1.2.1-3.dsc source package is for testing (wheezy).

Sorry for this mistake.

Thanks.

-- 
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu



Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#700426; Package nginx. (Wed, 13 Feb 2013 14:54:03 GMT)

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 13 Feb 2013 14:54:03 GMT)

Message #25 received at 700426@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Cyril LAVIER" <cyril.lavier@davromaniak.eu>
Cc: 700426@bugs.debian.org
Subject: Re: Bug#700426: vulnerable to CRIME SSL attack (CVE-2012-4929)
Date: Wed, 13 Feb 2013 15:51:42 +0100
On Wed, February 13, 2013 15:42, Cyril LAVIER wrote:
> On 2013-02-13 15:36, Thijs Kinkhorst wrote:
>> Hi Cyril,
>>
>> On Wed, February 13, 2013 14:55, Cyril LAVIER wrote:
>>> Thanks for this report.
>>>
>>> I think we have to include this patch in the nginx packages (stable
>>> and
>>> unstable).
>>>
>>> I don't actually know if you already prepared an upload, so I did it
>>> by
>>> myself (and it was a great time to relearn how to use quilt).
>>>
>>> The packages are here :
>>> * Stable :
>>> http://sources.davromaniak.eu/nginx/nginx_0.7.67-3+squeeze3.dsc
>>> * Unstable : http://sources.davromaniak.eu/nginx/nginx_1.2.1-3.dsc
>>>
>>> In case you already prepared an upload, just ignore the last lines
>>> ;).
>>>
>>> When the 1.2.1 package arrives in the unstable repo, I will
>>> backport it to squeeze.
>>
>> Thanks!
>>
>> Unstable however is already fixed, according to my information, in
>> 1.2.2.
>> See http://forum.nginx.org/read.php?2,231067,231068
>>
>> So it does need to be fixed in wheezy, which has 1.2.1, and in stable
>> indeed. Your package for stable looks good. I'll upload that to
>> security
>> master so it can get built.
>>
>> Can you take care of the process of updating wheezy? I think you need
>> to
>> solicit input from the release team before you can upload to
>> testing-proposed-updates.
>>
>>
>> Cheers,
>> Thijs
>
> Actually, when I typed "Unstable :" or "unstable", I meant "Testing :"
> or "testing". I don't know why I mistyped a big part of this mail :(.
>
> So the nginx_1.2.1-3.dsc source package is for testing (wheezy).
>
> Sorry for this mistake.

Right, I see that now: I skipped it because of the label ;-)

OK, I took a closer look at the version in wheezy and no action is
necessary. Code is already present in the version in wheezy that disables
the compression for openssl>=1.0.0+ (using SSL_OP_NO_COMPRESSION), which
is the version we have in wheezy. The additional code is only needed when
running with openssl 0.9.

So for wheezy and unstable we're done.

What's left is indeed squeeze, as discussed above, I'll handle that with
your package.

And the version of nginx in backports: because it has been backported to
squeeze, meaning openssl 0.9, it doesn't have the fix, so the patch does
need to be added there.


Cheers,
Thijs
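The first report above says the fix is to disable SSL compression, and the last message explains that nginx does so through OpenSSL's SSL_OP_NO_COMPRESSION on OpenSSL 1.0.0 and later (with extra code needed for 0.9). Neither message shows how to confirm that a deployed server no longer negotiates compression. The script below is an added example, not part of this bug report, the attached patch or the nginx package: it reads the handshake summary that `openssl s_client` prints and reports whether a compression method was negotiated, which is the precondition CRIME needs. The function names, the `S_CLIENT_OPTS` variable and the two transcripts are constructed for illustration; `openssl s_client`, its `Compression:` output line and its `-comp` option are real.

```shell
#!/bin/sh
# Added example, not part of Debian bug #700426 or the nginx package.
# Checks whether a TLS server still negotiates TLS-level compression,
# the precondition for CRIME (CVE-2012-4929). "openssl s_client" prints a
# handshake summary containing a "Compression: <method>" line; anything
# other than NONE means the server accepted a compression method.
#
# Usage: sh crime_check.sh HOST [PORT]      (live check, needs the openssl CLI)

# Print the compression method from an s_client transcript read on stdin.
# Prints nothing when the transcript has no handshake summary (for example
# when the connection failed before the handshake completed).
tls_compression_status() {
    sed -n 's/^Compression: *//p' | head -n 1
}

# Classify the transcript on stdin.
# Returns 0 when compression is disabled (NONE), 1 when a method was
# negotiated (vulnerable), 2 when no handshake summary was found.
crime_check() {
    status=$(tls_compression_status)
    case "$status" in
        "")   return 2 ;;
        NONE) return 0 ;;
        *)    return 1 ;;
    esac
}

# Human-readable verdict for a crime_check return code.
verdict() {
    case "$1" in
        0) echo "compression disabled (CRIME mitigated)" ;;
        1) echo "compression negotiated (vulnerable to CRIME)" ;;
        *) echo "no handshake summary (connection or handshake failed)" ;;
    esac
}

# Live check against HOST[:PORT]. OpenSSL 1.1.0 and later clients do not
# offer compression unless asked, so set S_CLIENT_OPTS=-comp where the
# installed s_client supports that option; otherwise a modern client makes
# the server's answer trivially NONE and the check proves nothing.
crime_check_host() {
    host=$1
    port=${2:-443}
    # S_CLIENT_OPTS is deliberately unquoted so it can carry several words.
    openssl s_client ${S_CLIENT_OPTS:-} -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | crime_check
}

# Constructed, abbreviated s_client transcripts (not captured from a real
# server) used to exercise the parser offline.
SAMPLE_VULNERABLE='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1'

SAMPLE_FIXED='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1'

# When invoked with a host name, run the live check and print the verdict.
if [ "$#" -ge 1 ]; then
    rc=0; crime_check_host "$1" "${2:-443}" || rc=$?
    echo "$1:${2:-443}: $(verdict "$rc")"
fi
```

The return code of `crime_check` distinguishes "compression disabled" from "no handshake at all", because a refused connection or a failed handshake also produces no `Compression:` line and must not be read as a pass. The parser can be fed a saved transcript (`crime_check < transcript.txt`) as well as a live `s_client` run.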




Marked as fixed in versions nginx/1.2.1-2.2. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Wed, 13 Feb 2013 15:03:02 GMT)

Reply sent to Cyril Lavier <cyril.lavier@davromaniak.eu>:
You have taken responsibility. (Sun, 17 Feb 2013 12:51:05 GMT)

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sun, 17 Feb 2013 12:51:06 GMT)

Message #32 received at 700426-close@bugs.debian.org (full text, mbox):

From: Cyril Lavier <cyril.lavier@davromaniak.eu>
To: 700426-close@bugs.debian.org
Subject: Bug#700426: fixed in nginx 0.7.67-3+squeeze3
Date: Sun, 17 Feb 2013 12:47:23 +0000
Source: nginx
Source-Version: 0.7.67-3+squeeze3

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700426@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Lavier <cyril.lavier@davromaniak.eu> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 13 Feb 2013 14:32:44 +0100
Source: nginx
Binary: nginx nginx-dbg
Architecture: source amd64
Version: 0.7.67-3+squeeze3
Distribution: stable-security
Urgency: high
Maintainer: Jose Parrella <bureado@debian.org>
Changed-By: Cyril Lavier <cyril.lavier@davromaniak.eu>
Description: 
 nginx      - small, but very powerful and efficient web server and mail proxy
 nginx-dbg  - Debugging symbols for nginx
Closes: 700426
Changes: 
 nginx (0.7.67-3+squeeze3) stable-security; urgency=high
 .
   * debian/patches/CVE-2012-4929.diff:
     + Fixes the vulnerability to CRIME SSL attack. See: CVE-2012-4929 for more
       details. (Closes: #700426).
Checksums-Sha1: 
 14e7c9c5e82a6598572307e07ebfeef77b130b27 1737 nginx_0.7.67-3+squeeze3.dsc
 f19099cc1485f3d9ed739f523c1bcc8a396a12f1 26858 nginx_0.7.67-3+squeeze3.debian.tar.gz
 75e0f15b6f765f759b1a08f31c834a05733c491d 325372 nginx_0.7.67-3+squeeze3_amd64.deb
 ef73b84284ee471f92b0d08f5956bbd900c6da42 1924886 nginx-dbg_0.7.67-3+squeeze3_amd64.deb
Checksums-Sha256: 
 1508403fdcb89fbf53f68a5a5c24a994a9ac5846ebbd1e51788baa67df020a85 1737 nginx_0.7.67-3+squeeze3.dsc
 1bd980e0e045d22f5e36fc175b3ad78d23def92d19b31dfaa3260023c65c872c 26858 nginx_0.7.67-3+squeeze3.debian.tar.gz
 c1b6b7661d1f60547443d7e4c0887845947fb4f65547acab6fe994350ed0e86f 325372 nginx_0.7.67-3+squeeze3_amd64.deb
 b19de4c1875740a3fa1c8cb5b697fd8df572bead7cea802d77c5510815e22dfe 1924886 nginx-dbg_0.7.67-3+squeeze3_amd64.deb
Files: 
 f9ca9f114c9cec23ac8ec99ce0fea133 1737 httpd optional nginx_0.7.67-3+squeeze3.dsc
 da3470797ea22cf0e8f79c9b32058a94 26858 httpd optional nginx_0.7.67-3+squeeze3.debian.tar.gz
 d484c1655313f44bece15a0c7bd64a95 325372 httpd optional nginx_0.7.67-3+squeeze3_amd64.deb
 e537d160f98d4965d8ec2438a77784f5 1924886 debug extra nginx-dbg_0.7.67-3+squeeze3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJRG7jIAAoJEFb2GnlAHawEmb4H/3ZVf9LJn7GFfI4rgL+xJMCa
XYRUIzxUzYyPLaFnZ5WsmenlccRYAKJK9ml69f/p7Wgc6Uym7lBxjeTZgCgicnfp
sDDkvVIguPcTPoVkHMTH9ddGMWT7nOMBeYgG7mfYiW87qwDMyEy4cW4FSTtENZGZ
EyF1NBAKe7+WxFfb1Ns1+5tFYOQFVWHA12tKkboTcyT95ZvJfqG5FLtubdT8nkwj
7upEO0AKuNe5uvMq60JJRL1n9bWN7lRB3Va5VEVNc+lPLwUipPQOYyNm2HUSkTBq
nMDe64K5KxBDzjU8x73Oyw7kq0liEQBQVp5GazyWcltLmFLru4iUtdqytvja0U4=
=BWt1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Mar 2013 07:26:11 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 03:55:17 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.