[Pkg-nginx-maintainers] Bug#921550: nginx: Default nginx.conf leaves sites vulnerable to BREACH (and does not warn about it)
Gabriel Corona
gabriel.corona at enst-bretagne.fr
Wed Feb 6 18:16:43 GMT 2019
Source: nginx
Version: 1.10.3-1+deb9u2
Severity: important
Tags: security
Hi,
The default nginx.conf includes 'gzip on' which opens up the
applications (by default) to BREACH.
This deviates from the default upstream configuration (and the nginx
default).
A previous bug (#773332) was filed about this and was closed in 2015
because a warning had been added in the configuration example. I do
not find this warning anymore.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
More information about the Pkg-nginx-maintainers
mailing list