CVE-2012-4929

Name	CVE-2012-4929
Description	The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google C ...
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-0008-1, DLA-400-1, DSA-2579-1, DSA-2626-1, DSA-2627-1, DSA-3253-1
Debian Bugs	689936, 700399, 700426, 727197, 728055

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
apache2 (PTS)	bullseye	2.4.62-1~deb11u1	fixed
	bullseye (security)	2.4.66-1~deb11u1	fixed
	bookworm	2.4.66-1~deb12u1	fixed
	bookworm (security)	2.4.62-1~deb12u2	fixed
	trixie	2.4.66-1~deb13u2	fixed
	forky, sid	2.4.66-8	fixed
lighttpd (PTS)	bullseye (security), bullseye	1.4.59-1+deb11u2	fixed
	bookworm	1.4.69-1	fixed
	trixie	1.4.79-2	fixed
	forky, sid	1.4.82-2	fixed
nginx (PTS)	bullseye	1.18.0-6.1+deb11u3	fixed
	bullseye (security)	1.18.0-6.1+deb11u5	fixed
	bookworm	1.22.1-9+deb12u3	fixed
	bookworm (security)	1.22.1-9+deb12u4	fixed
	trixie (security), trixie	1.26.3-3+deb13u2	fixed
	forky, sid	1.30.0-2	fixed
openssl (PTS)	bullseye	1.1.1w-0+deb11u1	fixed
	bullseye (security)	1.1.1w-0+deb11u5	fixed
	bookworm	3.0.18-1~deb12u1	fixed
	bookworm (security)	3.0.19-1~deb12u2	fixed
	trixie	3.5.5-1~deb13u1	fixed
	trixie (security)	3.5.5-1~deb13u2	fixed
	forky, sid	3.6.2-1	fixed
pound (PTS)	bullseye	3.0-2	fixed
	trixie	4.16-3	fixed
	forky, sid	4.22-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
apache2	source	squeeze	2.2.16-6+squeeze10		DSA-2579-1
apache2	source	(unstable)	2.2.22-12			689936
chromium-browser	source	squeeze	(unfixed)	end-of-life
chromium-browser	source	(unstable)	22.0.1229.94~r161065-1
iceweasel	source	(unstable)	(not affected)
lighttpd	source	squeeze	1.4.28-2+squeeze1.2		DSA-2626-1
lighttpd	source	(unstable)	1.4.30-1			700399
nginx	source	squeeze	0.7.67-3+squeeze3		DSA-2627-1
nginx	source	(unstable)	1.2.1-2.2			700426
openssl	source	squeeze	0.9.8o-4squeeze16
openssl	source	wheezy	1.0.1e-2+deb7u11
openssl	source	(unstable)	1.0.1e-5	low		728055
pound	source	squeeze	2.6-1+deb6u1		DLA-400-1
pound	source	wheezy	2.6-2+deb7u1		DSA-3253-1
pound	source	jessie	2.6-6+deb8u1		DSA-3253-1
pound	source	(unstable)	2.6-3			727197
qt4-x11	source	(unstable)	4:4.8.2+dfsg-3

Notes

- iceweasel <not-affected> (Firefox ESV not use TLS/SSL compression)
Chromium fix: https://chromiumcodereview.appspot.com/10825183/
[squeeze] - qt4-x11 <no-dsa> (Minor issue)
openssl redhat announcement https://rhn.redhat.com/errata/RHSA-2013-0587.html
openssl disables compression by default since dc5744cb78da6f2bcafeeefe22c604a51b52dfc5