[Bug 1178090] [NEW] Existing header not overwritten when using the 'always' condition with Header set

2013-05-08 Thread Reed Loden
Public bug reported:

I have an application that sets some headers, but I also have Apache
setting them as well to handle some special cases. I'm using the
mod_headers syntax of 'Header always set X-Foo bar'. I specifically
use the 'always' condition table, as I want to include these headers on
non-2xx responses (such as 301, 302). However, if I use 'always'
(instead of the default 'onsuccess' condition table), the headers are
duplicated, which goes against what the 'set' action is supposed to do
(overwrite any existing header).

STR:
* Have some app served by Apache set 'X-Foo: bar'
* Add 'Header always set X-Foo bar' to Apache config
* Notice duplicate headers
* Remove the 'always' condition, and everything will be fine (only one header)

Package: apache2 2.2.14-5ubuntu8.10
Distribution: Ubuntu 10.04.4 LTS

** Affects: apache2 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1178090

Title:
  Existing header not overwritten when using the 'always' condition with
  Header set

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1178090/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
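
A check for the duplication described in the report above, added here as an example and not part of the original message. The helper name `dup_headers` is hypothetical and the sample response is constructed; the function reads a raw response head and lists repeated header names per status code.

```shell
#!/bin/sh
# Added example (not from the bug report): report response headers that
# appear more than once. Input is a raw response head on stdin, such as
# the output of `curl -sI` or `curl -sIL` (one block per redirect hop).
dup_headers() {
    tr -d '\r' | awk '
        function flush(   n) {
            for (n in count)
                if (count[n] > 1 && n != "set-cookie")  # cookies may repeat
                    print status, n, count[n]
            split("", count)                 # portable way to clear the array
        }
        /^HTTP\// { flush(); status = $2; next }  # status line: new block
        {
            i = index($0, ":")
            if (i < 2) next                  # blank or malformed line
            count[tolower(substr($0, 1, i - 1))]++  # names are case-insensitive
        }
        END { flush() }
    ' | sort
}

# Constructed sample: a 301 where the application and Apache both emitted
# X-Foo, followed by the 200 it redirects to with a single X-Foo.
sample_response() {
    printf 'HTTP/1.1 301 Moved Permanently\r\n'
    printf 'Location: /new\r\nX-Foo: bar\r\nx-foo: bar\r\n\r\n'
    printf 'HTTP/1.1 200 OK\r\nX-Foo: bar\r\nSet-Cookie: a=1\r\nSet-Cookie: b=2\r\n\r\n'
}

sample_response | dup_headers    # prints: 301 x-foo 2
```

Running it against both a 2xx and a redirect response, with and without the 'always' condition in the configuration, shows which combination produces the duplicate.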


[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack

2012-11-08 Thread Reed Loden
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2687

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1068854



[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack

2012-11-02 Thread Reed Loden
Virendra, as far as I know, this isn't in any released Apache version.

** Changed in: apache2 (Ubuntu)
   Status: Fix Released => Confirmed



[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack

2012-10-31 Thread Reed Loden
Debian just released apache2 v2.2.22-12 to address this issue.



[Bug 1068854] [NEW] Support option to disable TLS compression to protect against CRIME attack

2012-10-19 Thread Reed Loden
Public bug reported:

Upstream Apache recently committed a change to be in Apache 2.2.24 (not
yet released) that would allow for disabling TLS compression to protect
against the CRIME attack. As it's probably going to be a while before
2.2.24 is released, it would be great to backport this patch as a one-
off SRU to at least precise (LTS) and quantal until the new release.
There's also been some mention that supporting TLS compression is
possibly causing some people's PCI compliance tests to fail, so having
this option would be extremely useful to help pass their compliance
tests (plus just protecting against CRIME and CRIME-like attacks).

More info:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689936
https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html

** Affects: apache2
 Importance: Unknown
 Status: Unknown

** Affects: apache2 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: apache2 (Debian)
 Importance: Unknown
 Status: Unknown

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4929

** Bug watch added: Debian Bug tracker #674142
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142

** Also affects: apache2 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142
   Importance: Unknown
   Status: Unknown

** Bug watch added: Apache Software Foundation Bugzilla #53219
   http://issues.apache.org/bugzilla/show_bug.cgi?id=53219

** Also affects: apache2 via
   http://issues.apache.org/bugzilla/show_bug.cgi?id=53219
   Importance: Unknown
   Status: Unknown



[Bug 1068854] Re: Support option to disable TLS compression to protect against CRIME attack

2012-10-19 Thread Reed Loden
Note that Red Hat already supports a workaround [0] that allows for
disabling zlib at the OpenSSL layer, which prevents TLS compression
working in Apache. As far as I am aware, no such option exists for
Ubuntu, leaving users vulnerable until a new package is available.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=857051#c5

** Bug watch added: Red Hat Bugzilla #857051
   https://bugzilla.redhat.com/show_bug.cgi?id=857051



[Bug 943502] Re: whois doesn't properly query .hr/.sx/.pe TLDs and incorrect format for whois.arin.net

2012-03-05 Thread Reed Loden
whois 5.0.15 was just released with fixes for two other TLDs (including
.pe, which wasn't correctly fixed in 5.0.14). Would be nice to pick
those fixes up as well.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to whois in Ubuntu.
https://bugs.launchpad.net/bugs/943502
