CVE-2012-4929

Name	CVE-2012-4929
Description	The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-0008-1, DLA-400-1, DSA-2579-1, DSA-2626-1, DSA-2627-1, DSA-3253-1
Debian Bugs	689936, 700399, 700426, 727197, 728055

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
apache2 (PTS)	jessie, jessie (lts)	2.4.10-10+deb8u29	fixed
	stretch (security)	2.4.25-3+deb9u13	fixed
	stretch (lts), stretch	2.4.25-3+deb9u19	fixed
	buster, buster (lts)	2.4.59-1~deb10u4	fixed
	buster (security)	2.4.59-1~deb10u1	fixed
	bullseye	2.4.62-1~deb11u1	fixed
	bullseye (security)	2.4.62-1~deb11u2	fixed
	bookworm (security), bookworm	2.4.62-1~deb12u2	fixed
	sid, trixie	2.4.62-3	fixed
chromium-browser (PTS)	jessie, jessie (lts)	57.0.2987.98-1~deb8u1	fixed
	stretch (security), stretch (lts), stretch	71.0.3578.80-1~deb9u1	fixed
lighttpd (PTS)	jessie, jessie (lts)	1.4.35-4+deb8u1	fixed
	stretch (security), stretch (lts), stretch	1.4.45-1+deb9u1	fixed
	buster (security), buster, buster (lts)	1.4.53-4+deb10u3	fixed
	bullseye (security), bullseye	1.4.59-1+deb11u2	fixed
	bookworm	1.4.69-1	fixed
	sid, trixie	1.4.76-1	fixed
nginx (PTS)	jessie, jessie (lts)	1.6.2-5+deb8u10	fixed
	stretch (security)	1.10.3-1+deb9u7	fixed
	stretch (lts), stretch	1.10.3-1+deb9u8	fixed
	buster (security), buster, buster (lts)	1.14.2-2+deb10u5	fixed
	bullseye (security), bullseye	1.18.0-6.1+deb11u3	fixed
	bookworm	1.22.1-9	fixed
	sid, trixie	1.26.0-3	fixed
openssl (PTS)	jessie, jessie (lts)	1.0.1t-1+deb8u21	fixed
	stretch (security)	1.1.0l-1~deb9u6	fixed
	stretch (lts), stretch	1.1.0l-1~deb9u9	fixed
	buster (security), buster, buster (lts)	1.1.1n-0+deb10u6	fixed
	bullseye	1.1.1w-0+deb11u1	fixed
	bullseye (security)	1.1.1w-0+deb11u2	fixed
	bookworm	3.0.15-1~deb12u1	fixed
	bookworm (security)	3.0.14-1~deb12u2	fixed
	sid, trixie	3.3.2-2	fixed
pound (PTS)	jessie, jessie (lts)	2.6-6+deb8u3	fixed
	stretch	2.7-1.3+deb9u1	fixed
	bullseye	3.0-2	fixed
	sid, trixie	4.15-1	fixed
qt4-x11 (PTS)	jessie, jessie (lts)	4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u5	fixed
	stretch (security)	4:4.8.7+dfsg-11+deb9u3	fixed
	stretch (lts), stretch	4:4.8.7+dfsg-11+deb9u4	fixed
	buster (security), buster, buster (lts)	4:4.8.7+dfsg-18+deb10u2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
apache2	source	squeeze	2.2.16-6+squeeze10		DSA-2579-1
apache2	source	(unstable)	2.2.22-12			689936
chromium-browser	source	squeeze	(unfixed)	end-of-life
chromium-browser	source	(unstable)	22.0.1229.94~r161065-1
iceweasel	source	(unstable)	(not affected)
lighttpd	source	squeeze	1.4.28-2+squeeze1.2		DSA-2626-1
lighttpd	source	(unstable)	1.4.30-1			700399
nginx	source	squeeze	0.7.67-3+squeeze3		DSA-2627-1
nginx	source	(unstable)	1.2.1-2.2			700426
openssl	source	squeeze	0.9.8o-4squeeze16
openssl	source	wheezy	1.0.1e-2+deb7u11
openssl	source	(unstable)	1.0.1e-5	low		728055
pound	source	squeeze	2.6-1+deb6u1		DLA-400-1
pound	source	wheezy	2.6-2+deb7u1		DSA-3253-1
pound	source	jessie	2.6-6+deb8u1		DSA-3253-1
pound	source	(unstable)	2.6-3			727197
qt4-x11	source	(unstable)	4:4.8.2+dfsg-3

Notes

- iceweasel <not-affected> (Firefox ESV not use TLS/SSL compression)
Chromium fix: https://chromiumcodereview.appspot.com/10825183/
[squeeze] - qt4-x11 <no-dsa> (Minor issue)
openssl redhat announcement https://rhn.redhat.com/errata/RHSA-2013-0587.html
openssl disables compression by default since dc5744cb78da6f2bcafeeefe22c604a51b52dfc5