SLES11SP and newer version of Apache



chosinek
12-Jun-2013, 08:54
Good morning,
I see that you only have Apache 2.2.12 in the updates, but this version doesn't solve the TLS CRIME attack (disabling SSL compression). When will it be released? At least Apache 2.2.24 ...
Thanks and best regards
J.Karliak.

ab
12-Jun-2013, 12:15
Going strictly on version numbers of packages to look for fixes is not
reliable because many fixes are backported so that the enterprise product
line keeps stability (by avoiding unnecessary new features which are less
stable than the older code that has been baking longer) while still
getting current fixes (by being backported by engineering). Typically you
can see these backported fixes by viewing the changelog of a package:

Code:
---------
rpm -q --changelog packageNameHere
---------

From an RPM released back in April (apache2-2.2.12-1.38.2.x86_64) I see
the following in the changelog indicating this has been fixed since January:

Code:
---------
* Mon Jan 14 2013 draht@suse.de
- ignore case when checking against SNI server names. [bnc#798733]
httpd-2.2.x-SNI_ignorecase-bnc798733.diff
- better cleanup of busy count after recovering from failure
[bnc#789828] httpd-2.2.x-bnc789828-mod_balancer.diff
- new sysconfig variable APACHE_DISABLE_SSL_COMPRESSION; if set to
on, OPENSSL_NO_DEFAULT_ZLIB will be inherited to the apache
process; openssl will then transparently disable compression.
This change affects start script and sysconfig fillup template.
Default is on, SSL compression disabled. Please see mod_deflate for
compressed transfer at http layer. [bnc#782956]
- httpd-2.2.x-bnc788121-CVE-2012-4557-mod_proxy_ajp_timeout.diff:
backend timeouts should not affect the entire worker. [bnc#788121]
- httpd-2.2.x-envvars.diff obsoletes httpd-2.0.54-envvars.dif:
Fix for low profile bug CVE-2012-0883 about improper LD_LIBRARY_PATH
handling. [bnc#757710]
- httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff
Escape filename for the case that uploads are allowed with untrusted
user's control over filenames and mod_negotiation enabled on the
same directory. CVE-2012-2687 [bnc#777260]
- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff reworked to
reflect the upstream changes. This will prevent the "Invalid URI in
request OPTIONS *" messages in the error log. [bnc#722545]
---------


Good luck.

star2root
08-Aug-2013, 02:38
Really? Well, it doesn't seem to be fixed yet on my SuSe system. :(

apache2-2.2.17-4.13.1.i586

in /etc/sysconfig/apache2
APACHE_DISABLE_SSL_COMPRESSION="on"

# java -jar TestSSLServer.jar myserver.domain.com 443
Supported versions: SSLv3 TLSv1.0
Deflate compression: YES
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
SSLv3
RSA_WITH_RC4_128_SHA
RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
(TLSv1.0: idem)
----------------------
Server certificate(s):
166ad0fcba920e0394a69a04df32067262adde4e: EMAILADDRESS=removed@thedomain.com, CN=thedomain.com, OU=Internet Server, O=Removed company, L=Miami, ST=Florida, C=US
----------------------
Minimal encryption strength: strong encryption (96-bit or more)
Achievable encryption strength: strong encryption (96-bit or more)
BEAST status: protected
CRIME status: vulnerable
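The two posts above make two separate points: ab's, that a backported fix shows up in the package changelog rather than in the version number, and star2root's, that the sysconfig setting alone does not prove the running server stopped offering DEFLATE. The script below is an added example, not code from the thread or from SUSE, that checks all of that from the server side. It assumes the `/etc/sysconfig/apache2` path and the `APACHE_DISABLE_SSL_COMPRESSION` / `OPENSSL_NO_DEFAULT_ZLIB` behaviour quoted from the changelog above, assumes the apache2 worker process names `httpd2-prefork` and `httpd2-worker`, and parses the TestSSLServer report format shown in star2root's post.

```sh
#!/bin/sh
# Added example (not from the thread): is TLS compression really off on a
# SLES 11 apache2 host?  Checks the sysconfig file, the live process
# environment, the installed package changelog and a saved scanner report.
#
# Assumptions (labelled): sysconfig path /etc/sysconfig/apache2; the start
# script exports OPENSSL_NO_DEFAULT_ZLIB into the httpd environment when
# APACHE_DISABLE_SSL_COMPRESSION is on (as the quoted changelog says); the
# process names httpd2-prefork / httpd2-worker; TestSSLServer report lines.

# 1. What does the sysconfig file say?  Prints on / off / unset.
#    Accepts quoted or unquoted values, ignores trailing comments, and lets
#    the last assignment win, as the shell that sources the file would.
sysconfig_ssl_compression_setting() {
    file="${1:-/etc/sysconfig/apache2}"
    val=$(sed -n 's/^[[:space:]]*APACHE_DISABLE_SSL_COMPRESSION=[[:space:]]*"\{0,1\}\([^"#]*\)"\{0,1\}.*/\1/p' "$file" \
          | tail -n 1 | tr -d '[:space:]')
    case "$val" in
        on|ON|yes|YES|1) echo on ;;
        off|OFF|no|NO|0) echo off ;;
        *)               echo unset ;;
    esac
}

# 2. Did the running server actually inherit the variable?  The sysconfig
#    value only takes effect through the start script, so a server that was
#    never restarted still offers compression.  Reads /proc/PID/environ
#    (root needed).  Returns 0 if any worker has the variable.
httpd_env_has_no_default_zlib() {
    found=1
    for pid in $(pgrep -x httpd2-prefork 2>/dev/null; pgrep -x httpd2-worker 2>/dev/null); do
        if tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null \
           | grep -q '^OPENSSL_NO_DEFAULT_ZLIB='; then
            found=0
        fi
    done
    return $found
}

# 3. Parse a saved scanner report in the TestSSLServer format quoted in the
#    thread and report whether the server offered DEFLATE: yes / no / unknown.
scanner_report_compression() {
    line=$(grep -i '^Deflate compression:' "$1" | head -n 1)
    case "$line" in
        "")             echo unknown ;;
        *[Yy][Ee][Ss]*) echo yes ;;
        *)              echo no ;;
    esac
}

# 4. Backports: look for a bug id or CVE in the installed package's
#    changelog instead of trusting the upstream version number.
#    Returns 0 if the pattern appears.
package_changelog_mentions() {
    rpm -q --changelog "$1" 2>/dev/null | grep -q -- "$2"
}

# Run every check when invoked with --check [report.txt]; sourcing the file
# only defines the functions.
if [ "${1:-}" = "--check" ]; then
    echo "sysconfig APACHE_DISABLE_SSL_COMPRESSION: $(sysconfig_ssl_compression_setting)"
    if httpd_env_has_no_default_zlib; then
        echo "running httpd: OPENSSL_NO_DEFAULT_ZLIB present"
    else
        echo "running httpd: OPENSSL_NO_DEFAULT_ZLIB missing (not running, not restarted, or not root)"
    fi
    if package_changelog_mentions apache2 'bnc#782956'; then
        echo "apache2 changelog: backported fix bnc#782956 listed"
    else
        echo "apache2 changelog: bnc#782956 not listed"
    fi
    if [ -n "${2:-}" ]; then
        echo "scanner report: DEFLATE offered = $(scanner_report_compression "$2")"
    fi
fi
```

Run it as root with `sh check_ssl_compression.sh --check report.txt` after saving a TestSSLServer run to `report.txt`. The point of check 2 is the gap star2root hit: the file can say `on` while the workers still run with the old environment until the start script is run again. A probe with `openssl s_client` only shows server-side compression if the client itself offers it, which is why a scanner such as TestSSLServer is the more reliable external check.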

malcolmlewis
08-Aug-2013, 03:18
On Thu 08 Aug 2013 01:44:01 AM CDT, star2root wrote:

> Really? Well, it doesn't seem to be fixed yet on my SuSe system. :(
>
> apache2-2.2.17-4.13.1.i586
>
> in /etc/sysconfig/apache2
> APACHE_DISABLE_SSL_COMPRESSION="on"
>
> # java -jar TestSSLServer.jar myserver.domain.com 443
> Supported versions: SSLv3 TLSv1.0
> Deflate compression: YES
> Supported cipher suites (ORDER IS NOT SIGNIFICANT):
> SSLv3
> RSA_WITH_RC4_128_SHA
> RSA_WITH_3DES_EDE_CBC_SHA
> RSA_WITH_AES_128_CBC_SHA
> RSA_WITH_AES_256_CBC_SHA
> RSA_WITH_CAMELLIA_128_CBC_SHA
> RSA_WITH_CAMELLIA_256_CBC_SHA
> (TLSv1.0: idem)
> ----------------------
> Server certificate(s):
> 166ad0fcba920e0394a69a04df32067262adde4e:
> EMAILADDRESS=removed@thedomain.com, CN=thedomain.com, OU=Internet
> Server, O=Removed company, L=Miami, ST=Florida, C=US
> ----------------------
> Minimal encryption strength: strong encryption (96-bit or more)
> Achievable encryption strength: strong encryption (96-bit or more)
> BEAST status: protected
> *CRIME status: vulnerable*

Hi
That isn't a version of apache supplied on SLE SP3?


Repository: SLE11-SDK-SP3-Pool
Name: apache2
Version: 2.2.12-1.38.2

Yours is a later version?

The openssl changelog refers to the following bug, bnc#779952, in which it
was fixed:
https://bugzilla.novell.com/show_bug.cgi?id=779952
http://support.novell.com/security/cve/CVE-2012-4929.html


Fri 08 Mar 2013 06:00:00 AM CST

- Fix bug[ bnc#779952] CVE-2012-4929: avoid the openssl CRIME attack
Modify patch file: compression_methods_switch.patch

What version of SLE and openssl are you running?

--
Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 12.3 (x86_64) Kernel 3.7.10-1.16-desktop
up 14:20, 3 users, load average: 0.05, 0.15, 0.15
CPU AMD E2-1800@1.70GHz | GPU Radeon HD 7340

smflood
08-Aug-2013, 16:28
On 08/08/2013 03:18, malcolmlewis wrote:

> That isn't a version of apache supplied on SLE SP3?

...snip..

> What version of SLE and openssl are you running?

Checking various SUSE-related update repositories I have access to I
think star2root is using openSUSE 11.4 and not SUSE Linux Enterprise
Server or Desktop (SLES/SLED).

If that is the case then a) different rules apply since openSUSE is not
the same as SUSE Linux Enterprise, and b) star2root should start a new
thread in the openSUSE Forums (I suggest
https://forums.opensuse.org/english/get-technical-help-here/network-internet/
).

HTH.
--
Simon
SUSE Knowledge Partner