Mark:

Hi, does anybody know if a security patch was backported to allow disabling SSL/TLS compression?  

I recently set up my first TKL phpbb appliance and ran a nessus scan on it. It reported that a TLS CRIME vulnerability was found. The solution is to 'upgrade to 2.2.4' but it doesn't look like there is a Debian distribution for that version. 2.4 seems to be the next release. Any thoughts or suggestions would be welcome.

https://discussions.nessus.org/thread/5546

https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

According to the Debian bug report, it is backported to the source but I'm wondering if it made it into the TKL appliance.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142

The output of my apt-cache policy apache2:
apache2:
  Installed: 2.2.22-13
  Candidate: 2.2.22-13
  Version table:
 *** 2.2.22-13 0
        500 http://cdn.debian.net/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status

Best,

Mark

Mark:

Hi,

before I go ahead and spin up a new replacement appliance TKL 13.0 for the 12.x I currently have running, I thought I would ask... what version of apache2 does TKL 13.0 come with? If it is 2.2.4 or newer, it will resolve my initial question/post.

Thanks a lot,

Mark

Jeremy Davis:

Firstly, if there is security-patched software (from Debian) on your TKL appliance it will auto update (auto updates run nightly).

Secondly you already have a later version than 2.2.4... Your apt-cache policy states that you have 2.2.22! (A full 18 releases newer!)

BTW it looks like you already have the Wheezy version of Apache on your v12.1 server... I would still definitely recommend spinning up a new server though...

PS sorry for slow reply.
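As an added example (not from the thread, TurnKey or Debian), a small Python check that reads the apt-cache policy output quoted above and compares the installed Debian version against a required version using a simplified dpkg-style ordering, so that 2.2.22-13 correctly sorts after 2.2.4 rather than being compared as text. It assumes the same apt-cache policy output format and only compares version numbers; whether a Debian package carries a backported security fix is tracked by its Debian revision and changelog, not by the upstream version alone.

```python
# Added example: parse apt-cache policy output and compare Debian versions.
import re

# Constructed sample: the apt-cache policy output quoted in the thread.
APT_CACHE_POLICY = """\
apache2:
  Installed: 2.2.22-13
  Candidate: 2.2.22-13
  Version table:
 *** 2.2.22-13 0
        500 http://cdn.debian.net/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status
"""


def installed_version(policy_text):
    """Return the 'Installed:' field, or None if the package is not installed."""
    m = re.search(r"^\s*Installed:\s*(\S+)", policy_text, re.M)
    if m is None or m.group(1) == "(none)":
        return None
    return m.group(1)


def split_debian_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_part(a, b):
    """Simplified dpkg ordering (no '~' handling): digit runs compare
    numerically, other runs lexically; a longer string with equal prefix wins."""
    ca, cb = re.findall(r"\d+|\D+", a), re.findall(r"\d+|\D+", b)
    for x, y in zip(ca, cb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x != y:
            return (x > y) - (x < y)
    return (len(ca) > len(cb)) - (len(ca) < len(cb))


def compare_debian_versions(a, b):
    """Return -1, 0 or 1 comparing two Debian package version strings."""
    ea, ua, ra = split_debian_version(a)
    eb, ub, rb = split_debian_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return compare_part(ua, ub) or compare_part(ra, rb)


def meets_minimum(policy_text, required):
    """True if the installed version from apt-cache policy is >= required."""
    installed = installed_version(policy_text)
    return installed is not None and compare_debian_versions(installed, required) >= 0
```

Running `meets_minimum(APT_CACHE_POLICY, "2.2.4")` returns True for the quoted output, while the same check against "2.2.24" returns False.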
