CVE-2012-4929

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
apache2	13.10 saucy	Fixed 2.2.22-6ubuntu3
	13.04 raring	Fixed 2.2.22-6ubuntu3
	12.10 quantal	Fixed 2.2.22-6ubuntu2.1
	12.04 LTS precise	Fixed 2.2.22-1ubuntu1.2
	11.10 oneiric	Fixed 2.2.20-1ubuntu1.3
	11.04 natty	Ignored
	10.04 LTS lucid	Fixed 2.2.14-5ubuntu8.10
	8.04 LTS hardy	Fixed 2.2.8-1ubuntu0.24
chromium-browser	13.10 saucy	Not affected
	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Fixed 23.0.1271.97-0ubuntu0.12.04.1
	11.10 oneiric	Fixed 23.0.1271.97-0ubuntu0.11.10.1
	11.04 natty	Ignored
	10.04 LTS lucid	Fixed 23.0.1271.97-0ubuntu0.10.04.1
	8.04 LTS hardy	Not in release
nss	13.10 saucy	Not affected
	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	11.10 oneiric	Not affected
	11.04 natty	Not affected
	10.04 LTS lucid	Not affected
	8.04 LTS hardy	Ignored
openssl	13.10 saucy	Fixed 1.0.1e-2ubuntu1.1
	13.04 raring	Fixed 1.0.1c-4ubuntu8.1
	12.10 quantal	Fixed 1.0.1c-3ubuntu2.5
	12.04 LTS precise	Fixed 1.0.1-4ubuntu5.10
	11.10 oneiric	Ignored
	11.04 natty	Ignored
	10.04 LTS lucid	Fixed 0.9.8k-7ubuntu8.15
	8.04 LTS hardy	Ignored
openssl098	13.10 saucy	Ignored
	13.04 raring	Ignored
	12.10 quantal	Ignored
	12.04 LTS precise	Ignored
	11.10 oneiric	Ignored
	11.04 natty	Not in release
	10.04 LTS lucid	Not in release
	8.04 LTS hardy	Not in release
qt4-x11	13.10 saucy	Fixed 4:4.8.3+dfsg-0ubuntu3
	13.04 raring	Fixed 4:4.8.3+dfsg-0ubuntu3
	12.10 quantal	Fixed 4:4.8.3+dfsg-0ubuntu3
	12.04 LTS precise	Fixed 4:4.8.1-0ubuntu4.3
	11.10 oneiric	Fixed 4:4.7.4-0ubuntu8.2
	11.04 natty	Ignored
	10.04 LTS lucid	Fixed 4:4.6.2-0ubuntu5.5
	8.04 LTS hardy	Ignored

Notes

jdstrand

Fedora/RedHat has a patch to check for OPENSSL_NO_DEFAULT_ZLIB that can be used to mitigate this flaw. See RedHat bug #857051 No patch for upstream OpenSSL. This may be considered a flaw in the applications using OpenSSL and not OpenSSL itself.

mdeslaur

adding apache2, we should backport the SSLCompression option. in trunk and 2.4, sslcompression defaults to off with a second commit. Second commit to default to off isn't in 2.2 yet. redhat disabled zlib compression by default in openssl: https://rhn.redhat.com/errata/RHSA-2013-0587.html

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
apache2	Upstream: http://svn.apache.org/viewvc?view=revision&revision=1345319 Upstream: http://svn.apache.org/viewvc?view=revision&revision=1348656 Upstream: http://svn.apache.org/viewvc?view=revision&revision=1400700 Upstream: http://svn.apache.org/viewvc?view=revision&revision=1369585 Upstream: http://svn.apache.org/viewvc?view=revision&revision=1400962 Upstream: http://svn.apache.org/viewvc?view=revision&revision=1395231 Vendor: http://patch-tracker.debian.org/patch/series/view/apache2/2.2.22-12/disable-ssl-compression.patch
chromium-browser	Upstream: https://chromiumcodereview.appspot.com/10825183
openssl	Vendor: http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2 Vendor: http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1e-env-zlib.patch
qt4-x11	Upstream: 3488f1d Upstream: d41dc3e Upstream: 5ea896f

References

Related Ubuntu Security Notices (USN)

USN-1898-1
OpenSSL vulnerability
4 July 2013

USN-1628-1
Qt vulnerability
8 November 2012

USN-1627-1
Apache HTTP Server vulnerabilities
8 November 2012

Status

Notes

Patch details

References

Related Ubuntu Security Notices (USN)

Other references