CVE-2012-4929

Priority
Description
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google
Chrome, Qt, and other products, can encrypt compressed data without
properly obfuscating the length of the unencrypted data, which allows
man-in-the-middle attackers to obtain plaintext HTTP headers by observing
length differences during a series of guesses in which a string in an HTTP
request potentially matches an unknown string in an HTTP header, aka a
"CRIME" attack.
Notes
jdstrandFedora/RedHat has a patch to check for OPENSSL_NO_DEFAULT_ZLIB that
can be used to mitigate this flaw. See RedHat bug #857051
No patch for upstream OpenSSL. This may be considered a flaw in the
applications using OpenSSL and not OpenSSL itself.
mdeslauradding apache2, we should backport the SSLCompression option.
in trunk and 2.4, sslcompression defaults to off with a second
commit. Second commit to default to off isn't in 2.2 yet.
redhat disabled zlib compression by default in openssl:
https://rhn.redhat.com/errata/RHSA-2013-0587.html
Package
Upstream:pending (22)
Patches:
Upstream:https://chromiumcodereview.appspot.com/10825183
Package
Source: nss (LP Ubuntu Debian)
Upstream:needs-triage
Package
Upstream:needs-triage
More Information

Updated: 2019-12-05 21:00:45 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)