Mark's picture

Hi, does anybody know if a security patch was backported to allow disabling SSL/TLS compression?  

I recently set up my first TKL phpBB appliance and ran a Nessus scan on it. It returned a TLS CRIME vulnerability found. The solution is to 'upgrade to 2.2.4' but it doesn't look like there is a Debian distribution for that version. 2.4 seems to be the next release. Any thoughts or suggestions would be welcome.

According to the Debian bug report, it is backported to the source but I'm wondering if it made it into the TKL appliance.

The output of my: apt-cache policy apache2
  Installed: 2.2.22-13
  Candidate: 2.2.22-13
  Version table:
 *** 2.2.22-13 0
        500 wheezy/main amd64 Packages
        100 /var/lib/dpkg/status



Mark's picture


Before I go ahead and spin up a new replacement appliance TKL 13.0 for the 12.x I currently have running, I thought I would ask... what version of apache2 does TKL 13.0 come with? If it is 2.2.4 or newer, it will resolve my initial question/post.

Thanks a lot,


Jeremy Davis's picture

Firstly, if there is security-patched software (from Debian) on your TKL appliance it will auto update (auto updates run nightly).

Secondly, you already have a later version than 2.2.4... Your apt-cache policy states that you have 2.2.22! (A full 18 releases newer!)

BTW it looks like you already have the Wheezy version of Apache on your v12.1 server... I would still definitely recommend spinning up a new server though...

PS sorry for slow reply.
