Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2012-4929

Published: 15 September 2012

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Notes

AuthorNote
jdstrand
Fedora/RedHat has a patch to check for OPENSSL_NO_DEFAULT_ZLIB that
can be used to mitigate this flaw. See RedHat bug #857051
No patch for upstream OpenSSL. This may be considered a flaw in the
applications using OpenSSL and not OpenSSL itself.
mdeslaur
adding apache2, we should backport the SSLCompression option.
in trunk and 2.4, sslcompression defaults to off with a second
commit. Second commit to default to off isn't in 2.2 yet.
redhat disabled zlib compression by default in openssl:
https://rhn.redhat.com/errata/RHSA-2013-0587.html

Priority

Medium

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian
hardy
Released (2.2.8-1ubuntu0.24)
lucid
Released (2.2.14-5ubuntu8.10)
natty Ignored
(end of life)
oneiric
Released (2.2.20-1ubuntu1.3)
precise
Released (2.2.22-1ubuntu1.2)
quantal
Released (2.2.22-6ubuntu2.1)
raring
Released (2.2.22-6ubuntu3)
saucy
Released (2.2.22-6ubuntu3)
upstream
Released (2.2.22-12)
Patches:
upstream: http://svn.apache.org/viewvc?view=revision&revision=1345319 (trunk)
upstream: http://svn.apache.org/viewvc?view=revision&revision=1348656 (trunk)
upstream: http://svn.apache.org/viewvc?view=revision&revision=1400700 (trunk)
upstream: http://svn.apache.org/viewvc?view=revision&revision=1369585 (2.4)
upstream: http://svn.apache.org/viewvc?view=revision&revision=1400962 (2.4)
upstream: http://svn.apache.org/viewvc?view=revision&revision=1395231 (2.2)
vendor: http://patch-tracker.debian.org/patch/series/view/apache2/2.2.22-12/disable-ssl-compression.patch






chromium-browser
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid
Released (23.0.1271.97-0ubuntu0.10.04.1)
natty Ignored
(end of life)
oneiric
Released (23.0.1271.97-0ubuntu0.11.10.1)
precise
Released (23.0.1271.97-0ubuntu0.12.04.1)
quantal Not vulnerable
(22.0.1229.94~r161065-0ubuntu1)
raring Not vulnerable
(22.0.1229.94~r161065-0ubuntu1)
saucy Not vulnerable
(22.0.1229.94~r161065-0ubuntu1)
upstream Pending
(22)
Patches:







upstream: https://chromiumcodereview.appspot.com/10825183





nss
Launchpad, Ubuntu, Debian
hardy Ignored
(end of life)
lucid Not vulnerable
(code-not-compiled)
natty Not vulnerable
(code-not-compiled)
oneiric Not vulnerable
(code-not-compiled)
precise Not vulnerable
(code-not-compiled)
quantal Not vulnerable
(code-not-compiled)
raring Not vulnerable
(code-not-compiled)
saucy Not vulnerable
(code-not-compiled)
upstream Needs triage

openssl
Launchpad, Ubuntu, Debian
hardy Ignored
(end of life)
lucid
Released (0.9.8k-7ubuntu8.15)
natty Ignored
(end of life)
oneiric Ignored
(end of life)
precise
Released (1.0.1-4ubuntu5.10)
quantal
Released (1.0.1c-3ubuntu2.5)
raring
Released (1.0.1c-4ubuntu8.1)
saucy
Released (1.0.1e-2ubuntu1.1)
upstream Needs triage

Patches:








vendor: http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2
vendor: http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1e-env-zlib.patch (updated)



openssl098
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

natty Does not exist

oneiric Ignored
(end of life)
precise Ignored

quantal Ignored

raring Ignored

saucy Ignored

upstream Needs triage

qt4-x11
Launchpad, Ubuntu, Debian
hardy Ignored
(end of life)
lucid
Released (4:4.6.2-0ubuntu5.5)
natty Ignored
(end of life)
oneiric
Released (4:4.7.4-0ubuntu8.2)
precise
Released (4:4.8.1-0ubuntu4.3)
quantal
Released (4:4.8.3+dfsg-0ubuntu3)
raring
Released (4:4.8.3+dfsg-0ubuntu3)
saucy
Released (4:4.8.3+dfsg-0ubuntu3)
upstream
Released (4.8.4, 5.0.0)
Patches:










upstream: http://qt.gitorious.org/qt/qt/commit/3488f1db96dbf70bb0486d3013d86252ebf433e0
upstream: http://qt.gitorious.org/qt/qt/commit/d41dc3e101a694dec98d7bbb582d428d209e5401
upstream: http://qt.gitorious.org/qt/qtbase/commit/5ea896fbc63593f424a7dfbb11387599c0025c74

References

Bugs