Vulnerable against "CRIME" attack

Bug #1057578 reported by Felix Geyer
Affects            Status         Importance   Assigned to    Milestone
qt4-x11 (Ubuntu)   Fix Released   Undecided    Felix Geyer
  Lucid            Fix Released   Undecided    Seth Arnold
  Natty            Won't Fix      Undecided    Seth Arnold
  Oneiric          Fix Released   Undecided    Seth Arnold
  Precise          Fix Released   Undecided    Seth Arnold
  Quantal          Fix Released   Undecided    Felix Geyer

Bug Description

Qt(WebKit) is vulnerable against the "CRIME" attack.

Patches for Qt 4.8 and <= 4.7 have been released:
http://permalink.gmane.org/gmane.comp.lib.qt.devel/6729

Felix Geyer (debfx)
Changed in qt4-x11 (Ubuntu Quantal):
assignee: nobody → Felix Geyer (debfx)
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.8.3+dfsg-0ubuntu3

---------------
qt4-x11 (4:4.8.3+dfsg-0ubuntu3) quantal-proposed; urgency=low

  [ Iain Lane ]
  * On armel and armhf, build with -gstabs instead of -g in an effort to get
    the link step for QtWebkit to complete before timed out by the builders.

  [ Felix Geyer ]
  * Disabling SSL/TLS compression to mitigate the "CRIME" attack. (LP: #1057578)
    - Add disable-SSL-compression-by-default.patch
 -- Iain Lane <email address hidden> Tue, 02 Oct 2012 10:36:17 +0100

Changed in qt4-x11 (Ubuntu Quantal):
status: In Progress → Fix Released
Changed in qt4-x11 (Ubuntu Precise):
assignee: nobody → Seth Arnold (seth-arnold)
status: New → In Progress
Changed in qt4-x11 (Ubuntu Oneiric):
assignee: nobody → Seth Arnold (seth-arnold)
status: New → In Progress
Changed in qt4-x11 (Ubuntu Natty):
assignee: nobody → Seth Arnold (seth-arnold)
Changed in qt4-x11 (Ubuntu Lucid):
assignee: nobody → Seth Arnold (seth-arnold)
Changed in qt4-x11 (Ubuntu Natty):
status: New → In Progress
Changed in qt4-x11 (Ubuntu Lucid):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.6.2-0ubuntu5.5

---------------
qt4-x11 (4:4.6.2-0ubuntu5.5) lucid-security; urgency=low

  * SECURITY UPDATE: fix for SSL compression "CRIME" attack
    - debian/patches/CVE-2012-4929.patch: Disable SSL compression by default
    - CVE-2012-4929
    - LP: #1057578
 -- Seth Arnold <email address hidden> Mon, 22 Oct 2012 10:44:46 -0700

Changed in qt4-x11 (Ubuntu Lucid):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.7.4-0ubuntu8.2

---------------
qt4-x11 (4:4.7.4-0ubuntu8.2) oneiric-security; urgency=low

  * SECURITY UPDATE: fix for SSL compression "CRIME" attack
    - debian/patches/CVE-2012-4929.patch: Disable SSL compression by default
    - CVE-2012-4929
    - LP: #1057578
 -- Seth Arnold <email address hidden> Mon, 22 Oct 2012 10:52:08 -0700

Changed in qt4-x11 (Ubuntu Oneiric):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qt4-x11 - 4:4.8.1-0ubuntu4.3

---------------
qt4-x11 (4:4.8.1-0ubuntu4.3) precise-security; urgency=low

  * SECURITY UPDATE: fix for SSL compression "CRIME" attack
    - debian/patches/CVE-2012-4929.patch: Disable SSL compression by default
    - CVE-2012-4929
    - LP: #1057578
 -- Seth Arnold <email address hidden> Mon, 22 Oct 2012 10:54:05 -0700

Changed in qt4-x11 (Ubuntu Precise):
status: In Progress → Fix Released
Changed in qt4-x11 (Ubuntu Natty):
status: In Progress → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
