OpenSSL site-wide compression disable tracking bug
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openssl (Ubuntu) | Fix Released | Undecided | Unassigned | |
Lucid | Fix Released | Undecided | Unassigned | |
Precise | Fix Released | Undecided | Unassigned | |
Quantal | Fix Released | Undecided | Unassigned | |
Raring | Fix Released | Undecided | Unassigned | |
Saucy | Fix Released | Undecided | Unassigned | |
Bug Description
This bug is a tracking bug for OpenSSL patches that introduce a new environment variable OPENSSL_
Many applications, such as Apache Webserver, Qt's wrappers, and others, provide controls that can be used to configure if compression is required, allowed, or forbidden.
This bug tracks an update to include a patch from Fedora, http://
I do not know if the compression-related SSL attacks even make sense for SMTP, but some PCI-DSS auditors are flagging Postfix configurations with this flaw. It is safer to turn off compression everywhere it is not necessary.
tags: added: verification-done; removed: verification-needed
Pocket copied openssl to proposed.
Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.
Thank you in advance!