[Bug 1187195] Re: OpenSSL site-wide compression disable tracking bug
Theodotos Andreou
1187195 at bugs.launchpad.net
Tue Jun 18 21:11:48 UTC 2013
OKI enabled the proposed repo and now I got the updated version:
# aptitude show openssl | grep -i version
Version: 1.0.1-4ubuntu5.10
But running TestSSLServer against my dovecot pop3s (port 995) I still
get that the system is vulnerable to CRIME.
Compression is supposed to be disabled by default and only enabled when
you use the OPENSSL_DEFAULT_ZLIB environment variable right?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1187195
Title:
OpenSSL site-wide compression disable tracking bug
Status in “openssl” package in Ubuntu:
Fix Released
Status in “openssl” source package in Lucid:
Fix Committed
Status in “openssl” source package in Precise:
Fix Committed
Status in “openssl” source package in Quantal:
Fix Committed
Status in “openssl” source package in Raring:
Fix Committed
Status in “openssl” source package in Saucy:
Fix Released
Bug description:
This bug is a tracking bug for OpenSSL patches that introduce a new
environment variable OPENSSL_DEFAULT_ZLIB that is necessary for re-
enabling compression on a per-application basis.
Many applications, such as Apache Webserver, Qt's wrappers, and
others, provide controls that can be used to configure if compression
is required, allowed, or forbidden.
This bug tracks an update to include a patch from Fedora,
http://pkgs.fedoraproject.org/cgit/openssl.git/plain/openssl-1.0.1e-
env-zlib.patch , that will disable OpenSSL's automatic compression for
all programs that do not have the OPENSSL_DEFAULT_ZLIB environment
variable defined. (Value does not matter.) This is necessary because
some programs, e.g. Postfix, do not have controls exposed to disable
compression.
I do not know if the compression-related SSL attacks even make sense
for SMTP, but some PCI-DSS auditors are flagging Postfix
configurations with this flaw. It is safer to turn off compression
everywhere it is not necessary.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1187195/+subscriptions
More information about the foundations-bugs
mailing list