Test ID:	1.3.6.1.4.1.25623.1.0.702627
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DSA-2627-1)
Summary:	The remote host is missing an update for the Debian 'nginx' package(s) announced via the DSA-2627-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'nginx' package(s) announced via the DSA-2627-1 advisory. Vulnerability Insight: Juliano Rizzo and Thai Duong discovered a weakness in the TLS/SSL protocol when using compression. This side channel attack, dubbed CRIME, allows eavesdroppers to gather information to recover the original plaintext in the protocol. This update to nginx disables SSL compression. For the stable distribution (squeeze), this problem has been fixed in version 0.7.67-3+squeeze3. For the testing distribution (wheezy), and unstable distribution (sid), this problem has been fixed in version 1.1.16-1. We recommend that you upgrade your nginx packages. Affected Software/OS: 'nginx' package(s) on Debian 6. Solution: Please install the updated package(s). CVSS Score: 2.6 CVSS Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2012-4929 http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html BugTraq ID: 55704 http://www.securityfocus.com/bid/55704 Debian Security Information: DSA-2579 (Google Search) http://www.debian.org/security/2012/dsa-2579 Debian Security Information: DSA-2627 (Google Search) http://www.debian.org/security/2013/dsa-2627 Debian Security Information: DSA-3253 (Google Search) http://www.debian.org/security/2015/dsa-3253 http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html HPdes Security Advisory: HPSBUX02866 http://marc.info/?l=bugtraq&m=136612293908376&w=2 HPdes Security Advisory: SSRT101139 http://jvn.jp/en/jp/JVN65273415/index.html http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000129.html http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/ http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html http://news.ycombinator.com/item?id=4510829 http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312 http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512 http://www.ekoparty.org/2012/thai-duong.php http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091 http://www.theregister.co.uk/2012/09/14/crime_tls_attack/ https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls https://gist.github.com/3696912 https://github.com/mpgn/CRIME-poc https://threatpost.com/en_us/blogs/demo-crime-tls-attack-091212 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18920 RedHat Security Advisories: RHSA-2013:0587 http://rhn.redhat.com/errata/RHSA-2013-0587.html SuSE Security Announcement: openSUSE-SU-2012:1420 (Google Search) http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html SuSE Security Announcement: openSUSE-SU-2013:0143 (Google Search) http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.html SuSE Security Announcement: openSUSE-SU-2013:0157 (Google Search) http://lists.opensuse.org/opensuse-updates/2013-01/msg00048.html http://www.ubuntu.com/usn/USN-1627-1 http://www.ubuntu.com/usn/USN-1628-1 http://www.ubuntu.com/usn/USN-1898-1
Copyright	Copyright (C) 2013 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.