Your submission was sent successfully! Close

CVE-2012-4929

Published: 15 September 2012

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Priority

Medium

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian
Upstream
Released (2.2.22-12)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1345319 (trunk)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1348656 (trunk)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1400700 (trunk)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1369585 (2.4)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1400962 (2.4)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1395231 (2.2)
Vendor: http://patch-tracker.debian.org/patch/series/view/apache2/2.2.22-12/disable-ssl-compression.patch
chromium-browser
Launchpad, Ubuntu, Debian
Upstream Pending
(22)
Patches:
Upstream: https://chromiumcodereview.appspot.com/10825183
nss
Launchpad, Ubuntu, Debian
Upstream Needs triage

openssl
Launchpad, Ubuntu, Debian
Upstream Needs triage

Patches:
Vendor: http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2
Vendor: http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1e-env-zlib.patch (updated)
openssl098
Launchpad, Ubuntu, Debian
Upstream Needs triage

qt4-x11
Launchpad, Ubuntu, Debian
Upstream
Released (4.8.4, 5.0.0)
Patches:
Upstream: http://qt.gitorious.org/qt/qt/commit/3488f1db96dbf70bb0486d3013d86252ebf433e0
Upstream: http://qt.gitorious.org/qt/qt/commit/d41dc3e101a694dec98d7bbb582d428d209e5401
Upstream: http://qt.gitorious.org/qt/qtbase/commit/5ea896fbc63593f424a7dfbb11387599c0025c74

Notes

AuthorNote
jdstrand
Fedora/RedHat has a patch to check for OPENSSL_NO_DEFAULT_ZLIB that
can be used to mitigate this flaw. See RedHat bug #857051
No patch for upstream OpenSSL. This may be considered a flaw in the
applications using OpenSSL and not OpenSSL itself.
mdeslaur
adding apache2, we should backport the SSLCompression option.
in trunk and 2.4, sslcompression defaults to off with a second
commit. Second commit to default to off isn't in 2.2 yet.
redhat disabled zlib compression by default in openssl:
https://rhn.redhat.com/errata/RHSA-2013-0587.html

References

Bugs