[pkg-lighttpd] r560 - in lighttpd/trunk/debian: . conf-available

Arno Töll atoell-guest at alioth.debian.org
Sun Dec 18 19:28:17 UTC 2011


Author: atoell-guest
Date: 2011-12-18 19:28:17 +0000 (Sun, 18 Dec 2011)
New Revision: 560

Modified:
   lighttpd/trunk/debian/NEWS
   lighttpd/trunk/debian/changelog
   lighttpd/trunk/debian/conf-available/10-ssl.conf
Log:
Update NEWS file to point users to proper workarounds

Modified: lighttpd/trunk/debian/NEWS
===================================================================
--- lighttpd/trunk/debian/NEWS	2011-12-18 18:33:13 UTC (rev 559)
+++ lighttpd/trunk/debian/NEWS	2011-12-18 19:28:17 UTC (rev 560)
@@ -1,3 +1,24 @@
+lighttpd (1.4.30-1) unstable; urgency=medium
+
+  This releases includes an option to force Lighttpd to honor the cipher order
+  in ssl.cipher-list. This mitigates the effects of a SSL CBC attack commonly
+  referred to as "BEAST attack". See [1] and CVE-2011-3389 for more details.
+
+  To minimze the risk of this attack it is recommended either to disable all CBC
+  ciphers (beware: this will break older clients), or pursue clients to use safe
+  ciphers where possible at least. To do so, set
+
+  ssl.ciphers =  "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+  ssl.honor-cipher-order = "enable"
+
+  in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL enabled
+  host you configured. If you did not change this file previously, this upgrade
+  will update it automatically.
+
+  [1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
+
+ -- Arno Töll <debian at toell.net>  Sun, 18 Dec 2011 20:26:50 +0100
+
 lighttpd (1.4.23-1) unstable; urgency=low
 
   spawn-fcgi is now separate package. Please install "spawn-fcgi" package if 
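Review bot: the directive name is inconsistent inside this NEWS entry: the first paragraph says the new option honors the cipher order in `ssl.cipher-list`, but the snippet users are told to paste sets `ssl.ciphers`. Only one of these can be the real directive, and an admin who copies the snippet with the wrong name ends up with no cipher restriction (and `ssl.honor-cipher-order` with nothing to order), so make the snippet match the paragraph (or vice versa) after checking the name against lighttpd's configuration documentation. Also fix the typos before release: "This releases includes" should read "This release includes", "minimze" should be "minimize", "pursue clients" should be "persuade clients", and "a SSL CBC attack" reads better as "an SSL CBC attack".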

Modified: lighttpd/trunk/debian/changelog
===================================================================
--- lighttpd/trunk/debian/changelog	2011-12-18 18:33:13 UTC (rev 559)
+++ lighttpd/trunk/debian/changelog	2011-12-18 19:28:17 UTC (rev 560)
@@ -1,6 +1,12 @@
-lighttpd (1.4.30-1) UNRELEASED; urgency=low
+lighttpd (1.4.30-1) UNRELEASED; urgency=medium
 
   * New upstream release
+    + Fix integer overflow (CVE-2011-4362)
+    + Fix attack vector as disclosed by the SSL BEAST attack (related:
+      CVE-2011-3389). Note: If you are upgrading from an older version you need
+      to change your configuration to mitigate effects of the attack. See the
+      corresponding NEWS file for details.
+    + Count SSL renegotiations to prevent client renegotiations
   * Adapt to dpkg 1.16.1 API changes regarding build flags. This enables
     hardening build flags. This means, lighttpd is now being built with
     -fstack-protector and other security related build flags.
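Review bot: the bullet "Count SSL renegotiations to prevent client renegotiations" is too terse for a changelog entry that changes runtime behaviour: state which directive controls it and whether client-initiated renegotiation is now refused by default, since admins read this to decide whether clients that renegotiate will break after the upgrade. The BEAST bullet also says upgraders "need to change your configuration", while the NEWS entry in this same revision says 10-ssl.conf is rewritten automatically when it was not modified locally; align the two, for example "need to check your configuration", so they do not contradict each other.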
@@ -12,7 +18,7 @@
     not simply remove all files in /etc/lighttpd as other packages or the user
     himself might have left configuration files back (Closes: #642494)
 
- -- Arno Töll <debian at toell.net>  Sun, 18 Dec 2011 19:32:51 +0100
+ -- Arno Töll <debian at toell.net>  Sun, 18 Dec 2011 20:11:10 +0100
 
 lighttpd (1.4.29-1) unstable; urgency=low
 

Modified: lighttpd/trunk/debian/conf-available/10-ssl.conf
===================================================================
--- lighttpd/trunk/debian/conf-available/10-ssl.conf	2011-12-18 18:33:13 UTC (rev 559)
+++ lighttpd/trunk/debian/conf-available/10-ssl.conf	2011-12-18 19:28:17 UTC (rev 560)
@@ -3,4 +3,7 @@
 $SERVER["socket"] == "0.0.0.0:443" {
 	ssl.engine  = "enable"
 	ssl.pemfile = "/etc/lighttpd/server.pem"
+
+	ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+	ssl.honor-cipher-order = "enable"
 }
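Review bot: `ssl.ciphers` does not match the `ssl.cipher-list` name used in the NEWS text of this same revision; if this is not the directive lighttpd actually reads, the cipher restriction is ineffective and `ssl.honor-cipher-order = "enable"` orders nothing, so verify the exact name and test that the server starts and negotiates a suite from this list before uploading. Since this file is a shipped conffile that the NEWS says is replaced on upgrade when unmodified, a short comment above the two settings pointing at the NEWS entry and CVE-2011-3389 would tell admins why the list is ordered this way and why `!EDH` and `!AESGCM` are excluded, so they do not "fix" it back.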



