CVE-2012-4929
Published: 15 September 2012
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
Notes
Author | Note |
---|---|
jdstrand | Fedora/RedHat has a patch to check for OPENSSL_NO_DEFAULT_ZLIB that can be used to mitigate this flaw. See RedHat bug #857051. No patch for upstream OpenSSL. This may be considered a flaw in the applications using OpenSSL and not OpenSSL itself. |
mdeslaur | Adding apache2; we should backport the SSLCompression option. In trunk and 2.4, SSLCompression defaults to off with a second commit. Second commit to default to off isn't in 2.2 yet. RedHat disabled zlib compression by default in openssl: https://rhn.redhat.com/errata/RHSA-2013-0587.html |
Priority
Status
Package | Release | Status |
---|---|---|
apache2 | hardy | Released (2.2.8-1ubuntu0.24) |
apache2 | lucid | Released (2.2.14-5ubuntu8.10) |
apache2 | natty | Ignored (end of life) |
apache2 | oneiric | Released (2.2.20-1ubuntu1.3) |
apache2 | precise | Released (2.2.22-1ubuntu1.2) |
apache2 | quantal | Released (2.2.22-6ubuntu2.1) |
apache2 | raring | Released (2.2.22-6ubuntu3) |
apache2 | saucy | Released (2.2.22-6ubuntu3) |
apache2 | upstream | Released (2.2.22-12) |
chromium-browser | hardy | Does not exist |
chromium-browser | lucid | Released (23.0.1271.97-0ubuntu0.10.04.1) |
chromium-browser | natty | Ignored (end of life) |
chromium-browser | oneiric | Released (23.0.1271.97-0ubuntu0.11.10.1) |
chromium-browser | precise | Released (23.0.1271.97-0ubuntu0.12.04.1) |
chromium-browser | quantal | Not vulnerable (22.0.1229.94~r161065-0ubuntu1) |
chromium-browser | raring | Not vulnerable (22.0.1229.94~r161065-0ubuntu1) |
chromium-browser | saucy | Not vulnerable (22.0.1229.94~r161065-0ubuntu1) |
chromium-browser | upstream | Pending (22) |
nss | hardy | Ignored (end of life) |
nss | lucid | Not vulnerable (code-not-compiled) |
nss | natty | Not vulnerable (code-not-compiled) |
nss | oneiric | Not vulnerable (code-not-compiled) |
nss | precise | Not vulnerable (code-not-compiled) |
nss | quantal | Not vulnerable (code-not-compiled) |
nss | raring | Not vulnerable (code-not-compiled) |
nss | saucy | Not vulnerable (code-not-compiled) |
nss | upstream | Needs triage |
openssl | hardy | Ignored (end of life) |
openssl | lucid | Released (0.9.8k-7ubuntu8.15) |
openssl | natty | Ignored (end of life) |
openssl | oneiric | Ignored (end of life) |
openssl | precise | Released (1.0.1-4ubuntu5.10) |
openssl | quantal | Released (1.0.1c-3ubuntu2.5) |
openssl | raring | Released (1.0.1c-4ubuntu8.1) |
openssl | saucy | Released (1.0.1e-2ubuntu1.1) |
openssl | upstream | Needs triage |
openssl098 | hardy | Does not exist |
openssl098 | lucid | Does not exist |
openssl098 | natty | Does not exist |
openssl098 | oneiric | Ignored (end of life) |
openssl098 | precise | Ignored |
openssl098 | quantal | Ignored |
openssl098 | raring | Ignored |
openssl098 | saucy | Ignored |
openssl098 | upstream | Needs triage |
qt4-x11 | hardy | Ignored (end of life) |
qt4-x11 | lucid | Released (4:4.6.2-0ubuntu5.5) |
qt4-x11 | natty | Ignored (end of life) |
qt4-x11 | oneiric | Released (4:4.7.4-0ubuntu8.2) |
qt4-x11 | precise | Released (4:4.8.1-0ubuntu4.3) |
qt4-x11 | quantal | Released (4:4.8.3+dfsg-0ubuntu3) |
qt4-x11 | raring | Released (4:4.8.3+dfsg-0ubuntu3) |
qt4-x11 | saucy | Released (4:4.8.3+dfsg-0ubuntu3) |
qt4-x11 | upstream | Released (4.8.4, 5.0.0) |
Patches
- apache2, upstream: http://svn.apache.org/viewvc?view=revision&revision=1345319 (trunk)
- apache2, upstream: http://svn.apache.org/viewvc?view=revision&revision=1348656 (trunk)
- apache2, upstream: http://svn.apache.org/viewvc?view=revision&revision=1400700 (trunk)
- apache2, upstream: http://svn.apache.org/viewvc?view=revision&revision=1369585 (2.4)
- apache2, upstream: http://svn.apache.org/viewvc?view=revision&revision=1400962 (2.4)
- apache2, upstream: http://svn.apache.org/viewvc?view=revision&revision=1395231 (2.2)
- apache2, vendor: http://patch-tracker.debian.org/patch/series/view/apache2/2.2.22-12/disable-ssl-compression.patch
- chromium-browser, upstream: https://chromiumcodereview.appspot.com/10825183
- openssl, vendor: http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2
- openssl, vendor: http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1e-env-zlib.patch (updated)
- qt4-x11, upstream: http://qt.gitorious.org/qt/qt/commit/3488f1db96dbf70bb0486d3013d86252ebf433e0
- qt4-x11, upstream: http://qt.gitorious.org/qt/qt/commit/d41dc3e101a694dec98d7bbb582d428d209e5401
- qt4-x11, upstream: http://qt.gitorious.org/qt/qtbase/commit/5ea896fbc63593f424a7dfbb11387599c0025c74
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929
- https://threatpost.com/en_us/blogs/demo-crime-tls-attack-091212
- https://gist.github.com/3696912
- https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
- https://chromiumcodereview.appspot.com/10825183
- https://bugzilla.redhat.com/show_bug.cgi?id=857051
- http://www.theregister.co.uk/2012/09/14/crime_tls_attack/
- http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
- http://www.ekoparty.org/2012/thai-duong.php
- http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512
- http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312
- http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor
- http://news.ycombinator.com/item?id=4510829
- http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html
- http://code.google.com/p/chromium/issues/detail?id=139744
- http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
- http://permalink.gmane.org/gmane.comp.lib.qt.devel/6729
- https://ubuntu.com/security/notices/USN-1627-1
- https://ubuntu.com/security/notices/USN-1628-1
- https://ubuntu.com/security/notices/USN-1898-1
- NVD
- Launchpad
- Debian
Bugs
- https://bugzilla.redhat.com/show_bug.cgi?id=857051
- https://bugzilla.novell.com/show_bug.cgi?id=779952
- https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 (apache2)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142 (apache2)
- https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1068854 (apache2)