[HEADS UP]: CVE-2012-4929 (CRIME)
wxs at FreeBSD.org
Thu Oct 25 13:22:18 UTC 2012

I think there is nothing FreeBSD can do about this besides making sure
our users are aware of it. The situation in which this is a problem is
specific but one you should consider if you are using TLS with

TLS 1.2 and earlier are vulnerable to an attack commonly known as CRIME.
The attack involves TLS sessions using compression where an attacker is
able to inject known plaintext into the stream. Through a series of
guesses and measuring the length of the encrypted text an attacker is
able to determine the plaintext.

The recommended workaround for now is to disable compression on servers
where this may have an impact. As this is a flaw in a protocol and no
one specific implementation please consult the documentation for any
affected services to determine how to turn off TLS compression.

More information is available at:
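The following is an added worked example; it is not code from the original post, from wxs or from FreeBSD. It models the length oracle the post describes: a browser-like victim that puts an attacker-chosen path and its secret cookie into one request, a compressor in front of a length-preserving cipher, and an attacker who sees only record lengths and guesses the cookie one character at a time. The compressor is a deliberately simplified LZ77 model standing in for the LZ77 stage of DEFLATE (Huffman coding is omitted); the request layout, the host bank.example, the cookie name sessionid, the secret value and the hex alphabet are all constructed for this example.

```python
"""Length-oracle model of CRIME (CVE-2012-4929) against a compressed TLS session.

Added illustration, not code from the original post or from FreeBSD. The
compressor is a deliberately simplified LZ77 stage (literal = 1 byte,
back-reference = 3 bytes, minimum match 3, greedy longest match). It stands in
for the LZ77 stage of DEFLATE and omits Huffman coding, which in real DEFLATE
rounds the one-byte difference away some of the time. The request layout,
host name, cookie name, secret value and hex alphabet are all constructed.
"""

MIN_MATCH = 3      # shortest repeat the model encodes as a back-reference
MATCH_COST = 3     # bytes the model emits for one (offset, length) pair
LITERAL_COST = 1   # bytes the model emits for one literal byte

SECRET_COOKIE = "9f4c2b7e0d3a"   # constructed secret; no repeated 2-grams
HEX = "0123456789abcdef"          # the attacker knows the cookie is hex


def lz77_length(data: bytes) -> int:
    """Size in bytes the toy LZ77 compressor would emit for `data`."""
    n, pos, out = len(data), 0, 0
    while pos < n:
        best = 0
        for start in range(pos):          # greedy: longest earlier occurrence
            length = 0
            while (pos + length < n
                   and data[start + length] == data[pos + length]):
                length += 1               # overlapping matches are allowed
            best = max(best, length)
        if best >= MIN_MATCH:
            out += MATCH_COST
            pos += best
        else:
            out += LITERAL_COST
            pos += 1
    return out


def victim_request(path: str, secret: str = SECRET_COOKIE) -> bytes:
    """The browser fetches an attacker-chosen path and attaches the secret
    cookie it holds for the site (constructed traffic)."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: bank.example\r\n"
            f"Cookie: sessionid={secret}\r\n\r\n").encode()


def make_oracle(compression_enabled: bool):
    """What a network attacker sees for each request it provokes: the record
    length on the wire. Encryption is taken to be length-preserving, so the
    length of the (compressed) plaintext leaks directly."""
    def observe(path: str) -> int:
        plaintext = victim_request(path)
        return lz77_length(plaintext) if compression_enabled else len(plaintext)
    return observe


def recover_secret(observe, alphabet: str = HEX, max_len: int = 64) -> str:
    """Recover the cookie one character at a time.

    The path repeats 'sessionid=' plus the characters already known plus one
    guess. Only the correct guess extends the back-reference into the real
    cookie, so that request compresses one byte shorter. The loop stops when
    no guess is uniquely shortest: either the cookie is complete or the
    channel does not leak at all (compression disabled).
    """
    known = ""
    while len(known) < max_len:
        lengths = {c: observe(f"/?sessionid={known}{c}") for c in alphabet}
        shortest = min(lengths.values())
        winners = [c for c, n in lengths.items() if n == shortest]
        if len(winners) != 1:
            break
        known += winners[0]
    return known


if __name__ == "__main__":
    leaked = recover_secret(make_oracle(compression_enabled=True))
    print("with compression    :", repr(leaked), leaked == SECRET_COOKIE)
    blocked = recover_secret(make_oracle(compression_enabled=False))
    print("compression disabled:", repr(blocked))
```

Run it as a script. With compression on, the loop recovers the whole cookie at sixteen requests per character; with compression off every guess yields the same length and the loop stops immediately, which is exactly what disabling TLS compression buys. Against real DEFLATE the single-byte saving is sometimes absorbed by Huffman bit packing, so practical CRIME tooling varies padding to force the difference onto a byte boundary; the mitigation is unchanged. In OpenSSL-based services the knob is the SSL_OP_NO_COMPRESSION option or whatever configuration directive the service maps onto it.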