[Pkg-openssl-devel] Bug#728055: Bug#728055: openssl: CVE-2012-4929
Kurt Roeckx
kurt at roeckx.be
Fri Nov 1 13:42:42 UTC 2013
On Sun, Oct 27, 2013 at 06:25:49PM -0400, Michael Gilbert wrote:
> package: openssl
> severity: important
> version: 0.9.8o-1
> tag: security
>
> Hi,
>
> This is the CVE for the CRIME issue. Redhat and Ubuntu have corrected
> this in openssl by disabling zlib compression by default. Please see:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4929
I'm not sure what to do with this. As far as I understand this,
this is only a problem if the client side can somehow automate an
attack.
There are basicly 4 places that can fix this:
- The library the client program is using
- The client program itself
- The library the server is using
- The server itself
But there is also a problem of using compression not at the SSL
level but at the HTTP level (BREACH) which can only be fixed in
the client and server, not in the libraries. So at least the
client and server need to get changed anyway.
You can of course use SSL without HTTP, but I think it's a lot
harder in those cases to get the a client to automate many
connection attempts.
So I'm wondering if I should just disable compression support
completly or not. Redhat seems to make it conditional on
an evironment variable. I have to wonder if there is still
a good use case for having compression support at the SSL
level. If applications think it's safe to have compression
support they can do it at the application layer.
Kurt
More information about the Pkg-openssl-devel
mailing list