SLES11 SP2 and apache 2.2.24 (CRIME/BEAST attacks)



josefkarliak
06-Dec-2012, 12:45
Good afternoon,
In the SLES11 SP2 update repo there is quite an old version (2.2.12.x). Versions up to 2.2.24 (I think) are vulnerable to CRIME attacks. Is there some usable official repo which I could use? For the old PHP 5.2.xx I used a repo from the build service ...
Thanks and best regards
J.Karliak

malcolmlewis
06-Dec-2012, 14:10
On Thu 06 Dec 2012 11:54:03 AM CST, josefkarliak wrote:


Good afternoon,
in the SLES11 SP2 update repo is quite old version (2.2.12.x). This
version up to 2.2.24 (I think) are vulnerable to CRIME attacks. Is there
some usable official repo which I could use ? For old PHP 5.2.xx I used
repo from build service ...
Thanks and best regards
J.Karliak




Hi
Not necessarily security fixes are backported into the versions, you
need to check the changelogs and CVE references.

Again, check the changelogs from the Open Build Service versions as
well.

--
Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.2 (x86_64) Kernel 3.4.11-2.16-desktop
up 21:55, 3 users, load average: 0.23, 0.15, 0.10
CPU Intel i5 CPU M520@2.40GHz | Intel Arrandale GPU

dirkmueller
07-Dec-2012, 17:02
in the SLES11 SP2 update repo is quite old version (2.2.12.x). This version up to 2.2.24 (I think) are vulnerable to CRIME attacks. Is there some usable official repo which I could use ? For old PHP 5.2.xx I used repo from build service ...


The BEAST attack is actually fixed in openssl itself; you don't need to update apache2. For the CRIME vulnerability, there is currently no fix in apache2 itself; you can, however, disable (IIRC) the SSL caching, which is the only known workaround. For BEAST, see http://support.novell.com/security/cve/CVE-2011-3389.html
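
One way to do the changelog check suggested in this thread, as an added example that is not from any of the posters: a shell function that scans `rpm -q --changelog` output for a CVE ID and prints the header of each entry that mentions it. The function names, the package name in the usage comment and the sample changelog are assumptions constructed for illustration.

```shell
#!/bin/sh
# Live use (package name is an assumption; adjust to your system):
#   rpm -q --changelog openssl | cve_entries CVE-2011-3389

# cve_entries CVE-ID
# Reads `rpm -q --changelog` output on stdin and prints the header line
# ("* date author") of every entry whose body mentions the CVE, even when
# the ID sits on a continuation line. Matching is case-insensitive.
# Exit status: 0 if at least one entry matched, 1 otherwise.
cve_entries() {
    awk -v cve="$1" '
        /^\* / { header = $0; printed = 0; next }   # start of a new entry
        index(toupper($0), toupper(cve)) && !printed {
            print header                            # report each entry once
            printed = 1
            found = 1
        }
        END { exit !found }
    '
}

# Constructed sample changelog (not real package data).
sample_changelog() {
    cat <<'EOF'
* Mon Nov 05 2012 packager@example.com
- fix typo in init script

* Tue Feb 14 2012 packager@example.com
- security fix backported from upstream
  (CVE-2011-3389)

* Fri Jan 06 2012 packager@example.com
- update documentation
EOF
}

# Demo on the constructed sample: prints the Feb 14 entry header.
sample_changelog | cve_entries CVE-2011-3389
```

A non-zero exit status only means the changelog does not name the CVE; the vendor's CVE page, such as the one linked above for BEAST, remains the reference for which package versions carry the fix.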