SLES SP3 and Apache CRIME exploit



dennisdcs
08-Apr-2014, 17:12
Is there any fix for it? SLES is using an old version of Apache (2.2.12) and I really don't want to start having to compile things to get a fixed version.

jmozdzen
08-Apr-2014, 17:42
Hi dennisdcs,

> Is there any fix for it? SLES is using an old version of Apache (2.2.12) and I really don't want to start having to compile things to get a fixed version.

generally speaking, SLES is very often using old versions that are patched individually to cover bugs. This is a stability measure - you still get the old behaviour, minus the bugs. But as the version numbers aren't updated (so as not to confuse people into thinking that the code is based on a newer available version), it is not obvious which patches are included.

See i.e. https://forums.suse.com/showthread.php?2859-SLES11SP-and-never-version-of-Apache&p=15014#post15014 for details on the CRIME fix for SLES.

Regards,
Jens

ab
08-Apr-2014, 17:44
This has come up before.

https://forums.suse.com/archive/index.php/t-2105.html

If you have done some testing and found your system still vulnerable,
please post the tests done and system details to have it reproduced.

--
Good luck.

malcolmlewis
08-Apr-2014, 17:51
On Tue 08 Apr 2014 04:14:02 PM CDT, dennisdcs wrote:

> Is there any fix for it? SLES is using an old version of Apache
> (2.2.12) and I really don't want to start having to compile things to
> get a fixed version.

Hi
Have you checked the apache2 changelog? Security fixes are backported,
so the version of a package can be irrelevant.

AFAIK the code to fix is openssl;


rpm -qa --changelog |grep CVE-2012-4929

https://bugzilla.novell.com/show_bug.cgi?id=779952

--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE 13.1 (Bottle) (x86_64) GNOME 3.10.1 Kernel 3.11.10-7-desktop

dennisdcs
08-Apr-2014, 18:33
Thanks for the replies. Apparently one of the patches fixed the issue.
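
The replies above make the point that on SLES the package version does not show which fixes are included, and that the package changelog does. The following is an added example, not part of any post in this thread: it takes the changelog check suggested above and reports, per package, which changelog entry mentions a given CVE. The function names, the script usage line and the sample changelog text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find the changelog entries of a
# package that mention a CVE, since the version number alone does not
# show which backported fixes are present.

# changelog_entries_for_cve CVE
# Reads `rpm -q --changelog PKG` text on stdin. Prints the header line
# ("* <date> <author>") of each entry that mentions CVE, then the
# matching lines of that entry.
changelog_entries_for_cve() {
    awk -v cve="$1" '
        /^\* / { header = $0; shown = 0; next }   # a new entry starts
        {
            p = index($0, cve)
            # ignore longer ids that only begin with the one asked for
            if (p && substr($0, p + length(cve), 1) !~ /^[0-9]$/) {
                if (!shown) { print header; shown = 1 }
                print
            }
        }
    '
}

# Constructed sample in the layout rpm prints; not a real changelog.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 2001 packager@example.com
- constructed entry: fix for CVE-2012-4929 (placeholder text)
* Sun Dec 31 2000 packager@example.com
- constructed entry: unrelated change
EOF
}

# Usage (hypothetical script name): sh check_cve.sh CVE-2012-4929 openssl apache2
if [ "$#" -ge 2 ]; then
    cve=$1; shift
    for pkg in "$@"; do
        echo "== $pkg"
        rpm -q --changelog "$pkg" | changelog_entries_for_cve "$cve"
    done
fi
```

A package that prints no entry under its name has no changelog line naming that CVE, which is the case where the testing asked for earlier in the thread is needed.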