Thread: openSUSE 12.2 apache TLS / CRIME

  1. #11

    Re: openSUSE 12.2 apache TLS / CRIME

    On 2013-03-29 15:26, tsu2 wrote:
    >
    > CRIME and BEAST patch should be available soon, seems patch was contrib
    > upstream 3/3/2013


    So it took them a full year to correct a security problem? :-O

    And the hack to disable the vulnerable feature apparently does not work
    in openSUSE.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

  2. #12

    Re: openSUSE 12.2 apache TLS / CRIME

    Originally Posted by robin_listas:
    On 2013-03-29 15:26, tsu2 wrote:

    And the hack to disable the vulnerable feature apparently does not work
    in openSUSE.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

    The hack doesn't work because there is no software hook; it doesn't exist in the module for Apache 2.2. So, it appears someone noticed and implemented a hook in 2.4, which has become immediately useful.

    That's the problem with hacks... You can't just send commands willy nilly, something somewhere has to accept and understand the command.

    The article I referenced also describes the near non-existent support for SSL/TLS compression anyway (at least for everyone who updates their software), so the actual number of people who might be compromised is fairly small. So, the bottom line is that, like everything else, when a problem is no longer rated "critical" it's anyone's guess when and if the problem is addressed.

    TSU
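
A check for whether a server still negotiates TLS compression, the feature CRIME depends on, added here as an example that is not part of the original thread. The function names and the sample outputs are constructed for illustration; a client built without compression support always reports NONE, so the live check is only meaningful with an openssl build that offers compression.

```shell
#!/bin/sh
# Added example: classify the TLS compression state reported in
# `openssl s_client` output read from stdin.
# Prints one of: disabled | enabled:<method> | unknown
tls_compression_state() {
    awk '
        # s_client reports the negotiated method as "Compression: <value>"
        /^[ \t]*Compression:/ {
            sub(/^[ \t]*Compression:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            value = $0
            found = 1
            exit
        }
        END {
            if (!found)               print "unknown"
            else if (value == "NONE") print "disabled"
            else                      print "enabled:" value
        }
    '
}

# Live check against host:port (hypothetical helper, not called here).
check_host() {
    openssl s_client -connect "$1" -servername "${1%%:*}" \
        </dev/null 2>/dev/null | tls_compression_state
}

# Constructed sample outputs, not captured from a real server.
sample_compressing='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression'

sample_fixed='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE'

sample_failed='connect: Connection refused'

for s in "$sample_compressing" "$sample_fixed" "$sample_failed"; do
    printf '%s\n' "$s" | tls_compression_state
done
```

A result of `unknown` means the handshake did not complete, so it says nothing about the server's setting.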
