I see that you’ve only apache 2.2.12 in the updates, but this version doesn’t solve the TLS CRIME attack (disabling SSL compression). When will it be released? At least apache 2.2.24 …
Thanks and best regards
Going strictly on version numbers of packages to look for fixes is not
reliable because many fixes are backported so that the enterprise product
line keeps stability (by avoiding unnecessary new features which are less
stable than the older code that has been baking longer) while still
getting current fixes (by being backported by engineering). Typically you
can see these backported fixes by viewing the changelog of a package:
From an RPM released back in April (apache2-2.2.12-1.38.2.x86_64) I see
the following in the changelog indicating this has been fixed since January:
- Mon Jan 14 2013 email@example.com
- ignore case when checking against SNI server names. [bnc#798733]
- better cleanup of busy count after recovering from failure
- new sysconfig variable APACHE_DISABLE_SSL_COMPRESSION; if set to
on, OPENSSL_NO_DEFAULT_ZLIB will be inherited to the apache
process; openssl will then transparently disable compression.
This change affects start script and sysconfig fillup template.
Default is on, SSL compression disabled. Please see mod_deflate for
compressed transfer at http layer. [bnc#782956]
- backend timeouts should not affect the entire worker. [bnc#788121]
- httpd-2.2.x-envvars.diff obsoletes httpd-2.0.54-envvars.dif:
Fix for low profile bug CVE-2012-0883 about improper LD_LIBRARY_PATH
- Escape filename for the case that uploads are allowed with untrusted
user’s control over filenames and mod_negotiation enabled on the
same directory. CVE-2012-2687 [bnc#777260]
- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff reworked to
reflect the upstream changes. This will prevent the “Invalid URI in
request OPTIONS *” messages in the error log. [bnc#722545]
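As an added example (not part of this thread or of any SUSE tooling), here is a small Python script that does what the post above recommends: instead of trusting the version number, it parses the output of `rpm -q --changelog` and looks up when a given CVE id or bnc# bug was mentioned. The sample changelog inside the script is constructed, modelled on the apache2 entry quoted above, with illustrative dates and an example.com author; the `package_fixes` function needs a real rpm binary and is not exercised offline. Note that the CRIME fix in this changelog is referenced only as bnc#782956, not by its CVE, so searching for both kinds of identifier matters.

```python
import re
import subprocess

# rpm changelog entries start with "* Mon Jan 14 2013 <author>";
# the lines that follow belong to that entry until the next "*" header.
ENTRY_RE = re.compile(r"^\* (\w{3} \w{3} +\d{1,2} \d{4}) (.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
BNC_RE = re.compile(r"bnc#\d+")  # SUSE bugzilla references, as used in the changelog above


def parse_rpm_changelog(text):
    """Split rpm changelog text into (date, author, body) tuples, newest first."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), [])
            entries.append(current)
        elif current is not None:
            current[2].append(line)
    return [(date, author, "\n".join(body)) for date, author, body in entries]


def fix_references(text):
    """Map every CVE id and bnc# reference to the newest changelog date that mentions it."""
    refs = {}
    for date, _author, body in parse_rpm_changelog(text):
        for ref in CVE_RE.findall(body) + BNC_RE.findall(body):
            refs.setdefault(ref, date)
    return refs


def package_fixes(package, *references):
    """Query the installed package's changelog (needs rpm; not used by the offline check)."""
    out = subprocess.run(["rpm", "-q", "--changelog", package],
                         check=True, capture_output=True, text=True).stdout
    refs = fix_references(out)
    return {ref: refs.get(ref) for ref in references}


# Constructed sample modelled on the apache2 changelog quoted above; the second
# entry date, the author address and the exact wording are illustrative only.
SAMPLE_CHANGELOG = """\
* Mon Jan 14 2013 maintainer@example.com
- ignore case when checking against SNI server names. [bnc#798733]
- new sysconfig variable APACHE_DISABLE_SSL_COMPRESSION; if set to
  on, OPENSSL_NO_DEFAULT_ZLIB will be inherited to the apache
  process; openssl will then transparently disable compression.
  Default is on, SSL compression disabled. [bnc#782956]
- httpd-2.2.x-envvars.diff obsoletes httpd-2.0.54-envvars.dif:
  Fix for low profile bug CVE-2012-0883 about improper LD_LIBRARY_PATH
- Escape filename for the case that uploads are allowed with untrusted
  user's control over filenames and mod_negotiation enabled on the
  same directory. CVE-2012-2687 [bnc#777260]
* Thu Oct 18 2012 maintainer@example.com
- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff reworked to
  reflect the upstream changes. [bnc#722545]
"""

if __name__ == "__main__":
    import sys
    refs = fix_references(SAMPLE_CHANGELOG)
    for ref in sys.argv[1:] or ["CVE-2012-2687", "bnc#782956", "CVE-2012-4929"]:
        print(ref, "->", refs.get(ref, "not mentioned"))
```

On a real system you would call `package_fixes("apache2", "bnc#782956", "CVE-2012-4929")` and, since the openssl side of the fix lives in a different package, repeat the query for `openssl`.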
Really? Well, it doesn’t seem to be fixed yet on my SuSe system.
java -jar TestSSLServer.jar myserver.domain.com 443
Supported versions: SSLv3 TLSv1.0
Deflate compression: YES
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
166ad0fcba920e0394a69a04df32067262adde4e: EMAILADDRESSfirstname.lastname@example.org, CN=thedomain.com, OU=Internet Server, O=Removed company, L=Miami, ST=Florida, C=US
Minimal encryption strength: strong encryption (96-bit or more)
Achievable encryption strength: strong encryption (96-bit or more)
BEAST status: protected
CRIME status: vulnerable
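For anyone who wants to reproduce the "Deflate compression" line without the Java tool, here is an added Python example (not from this thread and not TestSSLServer's code) that performs the check TestSSLServer is reporting: it sends a TLS 1.0 ClientHello offering the DEFLATE compression method ahead of null and reads back which CompressionMethod the server selected in its ServerHello. A server whose openssl honours OPENSSL_NO_DEFAULT_ZLIB should answer with null (0) even though DEFLATE was offered. The `make_server_hello` helper builds a constructed ServerHello so the parser can be exercised offline; the cipher suite list and the fixed random bytes are assumptions that any server of that era would accept.

```python
import socket
import struct
import sys

# TLS CompressionMethod values (RFC 3749 registers DEFLATE as 1)
COMPRESSION_NULL = 0x00
COMPRESSION_DEFLATE = 0x01
TLS1_0 = b"\x03\x01"


def build_client_hello(compression_methods=(COMPRESSION_DEFLATE, COMPRESSION_NULL)):
    """TLS 1.0 ClientHello that offers DEFLATE before null, with no extensions."""
    client_random = b"\x11" * 32          # a constant is fine for a probe
    session_id = b"\x00"                  # empty session id
    suites = [0x002f, 0x0035, 0x000a, 0x0005, 0x0004]   # AES128/256-SHA, 3DES, RC4-SHA/MD5
    cipher_suites = b"".join(struct.pack("!H", s) for s in suites)
    body = (TLS1_0 + client_random + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression_methods)]) + bytes(compression_methods))
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + TLS1_0 + struct.pack("!H", len(handshake)) + handshake


def server_hello_compression(record):
    """Return the CompressionMethod the server selected, or None if `record`
    is not a handshake record carrying a ServerHello (e.g. an alert)."""
    if len(record) < 5 or record[0] != 0x16:          # ContentType handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                  # HandshakeType server_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # version(2) random(32) session_id_length(1) session_id cipher_suite(2) compression_method(1)
    if len(body) < 35:
        return None
    sid_len = body[34]
    off = 35 + sid_len + 2
    if len(body) <= off:
        return None
    return body[off]


def make_server_hello(compression, session_id=b"", cipher_suite=0x002f):
    """Constructed ServerHello record for offline testing (not captured from a real server)."""
    body = (TLS1_0 + b"\x22" * 32 + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher_suite) + bytes([compression]))
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + TLS1_0 + struct.pack("!H", len(handshake)) + handshake


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello and return the compression method the server picked."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        # read until the first record (header + payload) is complete
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return server_hello_compression(data)


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    method = probe(host, port)
    if method is None:
        print("no ServerHello (server may have refused the TLS 1.0 handshake)")
    elif method == COMPRESSION_DEFLATE:
        print("Deflate compression: YES - CRIME status: vulnerable")
    else:
        print("Deflate compression: NO (compression method %d)" % method)
```

Run it as `python probe.py myserver.domain.com 443`. A server that no longer accepts a TLS 1.0 ClientHello will answer with an alert rather than a ServerHello, which the script reports as "no ServerHello"; TLS-level compression does not exist at all in TLS 1.3, so this check is only meaningful against servers still speaking SSLv3 through TLS 1.2.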
That isn’t a version of apache supplied on SLE SP3?
Repository: SLE11-SDK-SP3-Pool Name: apache2 Version: 2.2.12-1.38.2
Yours is a later version?
The openssl changelog refers to the following bug bnc#779952 in which it
Fri 08 Mar 2013 06:00:00 AM CST - Fix bug[ bnc#779952] CVE-2012-4929: avoid the openssl CRIME attack Modify patch file: compression_methods_switch.patch
What version of SLE and openssl are you running?
Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.3 (x86_64) Kernel 3.7.10-1.16-desktop
up 14:20, 3 users, load average: 0.05, 0.15, 0.15
CPU AMD E2email@example.comGHz | GPU Radeon HD 7340
On 08/08/2013 03:18, malcolmlewis wrote:
> That isn’t a version of apache supplied on SLE SP3?
> What version of SLE and openssl are you running?
Checking various SUSE-related update repositories I have access to I
think star2root is using openSUSE 11.4 and not SUSE Linux Enterprise
Server or Desktop (SLES/SLED).
If that is the case then a) different rules apply since openSUSE is not
the same as SUSE Linux Enterprise, and b) star2root should start a new
thread in the openSUSE Forums (I suggest
SUSE Knowledge Partner