[pkg-lighttpd] r564 - in lighttpd/tags: . 1.4.28-2+squeeze1/debian 1.4.28-2+squeeze1/debian/conf-available 1.4.28-2+squeeze1/debian/patches
Arno Töll
atoell-guest at alioth.debian.org
Sun Dec 18 21:50:28 UTC 2011
Author: atoell-guest
Date: 2011-12-18 21:50:28 +0000 (Sun, 18 Dec 2011)
New Revision: 564
Added:
lighttpd/tags/1.4.28-2+squeeze1/
lighttpd/tags/1.4.28-2+squeeze1/debian/patches/fix-CVE-2011-4362.patch
lighttpd/tags/1.4.28-2+squeeze1/debian/patches/ssl-mitigate-beast.patch
Modified:
lighttpd/tags/1.4.28-2+squeeze1/debian/NEWS
lighttpd/tags/1.4.28-2+squeeze1/debian/changelog
lighttpd/tags/1.4.28-2+squeeze1/debian/conf-available/10-ssl.conf
lighttpd/tags/1.4.28-2+squeeze1/debian/patches/series
Log:
backport security fixes to Squeeze to assist the security team
Modified: lighttpd/tags/1.4.28-2+squeeze1/debian/NEWS
===================================================================
--- lighttpd/tags/1.4.28-2/debian/NEWS 2011-12-18 20:55:43 UTC (rev 562)
+++ lighttpd/tags/1.4.28-2+squeeze1/debian/NEWS 2011-12-18 21:50:28 UTC (rev 564)
@@ -1,3 +1,24 @@
+lighttpd (1.4.28-2+squeeze1) stable-security; urgency=high
+
+ This releases includes an option to force Lighttpd to honor the cipher order
+ in ssl.cipher-list. This mitigates the effects of a SSL CBC attack commonly
+ referred to as "BEAST attack". See [1] and CVE-2011-3389 for more details.
+
+ To minimze the risk of this attack it is recommended either to disable all CBC
+ ciphers (beware: this will break older clients), or pursue clients to use safe
+ ciphers where possible at least. To do so, set
+
+ ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+ ssl.honor-cipher-order = "enable"
+
+ in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL enabled
+ host you configured. If you did not change this file previously, this upgrade
+ will update it automatically.
+
+ [1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
+
+ -- Arno Töll <debian at toell.net> Sun, 18 Dec 2011 21:20:12 +0100
+
lighttpd (1.4.23-1) unstable; urgency=low
spawn-fcgi is now separate package. Please install "spawn-fcgi" package if
Modified: lighttpd/tags/1.4.28-2+squeeze1/debian/changelog
===================================================================
--- lighttpd/tags/1.4.28-2/debian/changelog 2011-12-18 20:55:43 UTC (rev 562)
+++ lighttpd/tags/1.4.28-2+squeeze1/debian/changelog 2011-12-18 21:50:28 UTC (rev 564)
@@ -1,3 +1,14 @@
+lighttpd (1.4.28-2+squeeze1) stable-security; urgency=high
+
+ * Backport security issues from 1.4.30:
+ + Fix integer overflow (CVE-2011-4362)
+ + Fix attack vector as disclosed by the SSL BEAST attack (related:
+ CVE-2011-3389). Note: If you are upgrading from an older version you need
+ to change your configuration to mitigate effects of the attack. See the
+ corresponding NEWS file for details.
+
+ -- Arno Töll <debian at toell.net> Sun, 18 Dec 2011 20:37:18 +0100
+
lighttpd (1.4.28-2) unstable; urgency=medium
[ Olaf van der Spek ]
Modified: lighttpd/tags/1.4.28-2+squeeze1/debian/conf-available/10-ssl.conf
===================================================================
--- lighttpd/tags/1.4.28-2/debian/conf-available/10-ssl.conf 2011-12-18 20:55:43 UTC (rev 562)
+++ lighttpd/tags/1.4.28-2+squeeze1/debian/conf-available/10-ssl.conf 2011-12-18 21:50:28 UTC (rev 564)
@@ -3,4 +3,7 @@
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"
+
+ ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+ ssl.honor-cipher-order = "enable"
}
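Review bot: The option name set here, `ssl.cipher-list`, does not match the one the NEWS entry in this same revision tells administrators to add, `ssl.ciphers = "..."`, and no `ssl.ciphers` key appears in the configfile.c table added by ssl-mitigate-beast.patch, so a user following NEWS on a hand-edited configuration would end up with a key lighttpd does not know while keeping the default cipher list and no BEAST mitigation. The NEWS line should read `ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"` to match this file. A one-line comment above the two new settings would also help the reader who meets them without the NEWS context, e.g. `# Prefer non-CBC suites first and let the server's order win (BEAST / CVE-2011-3389 mitigation; see debian/NEWS)`. Note that `ssl.honor-cipher-order` only exists once ssl-mitigate-beast.patch is applied, so this file and the patch series must ship together, which they do in this upload.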
Added: lighttpd/tags/1.4.28-2+squeeze1/debian/patches/fix-CVE-2011-4362.patch
===================================================================
--- lighttpd/tags/1.4.28-2+squeeze1/debian/patches/fix-CVE-2011-4362.patch (rev 0)
+++ lighttpd/tags/1.4.28-2+squeeze1/debian/patches/fix-CVE-2011-4362.patch 2011-12-18 21:50:28 UTC (rev 564)
@@ -0,0 +1,37 @@
+--- a/src/http_auth.c
++++ b/src/http_auth.c
+@@ -89,7 +89,7 @@
+ ch = in[0];
+ /* run through the whole string, converting as we go */
+ for (i = 0; i < in_len; i++) {
+- ch = in[i];
++ ch = (unsigned char) in[i];
+
+ if (ch == '\0') break;
+
+--- a/tests/mod-auth.t
++++ b/tests/mod-auth.t
+@@ -8,7 +8,7 @@
+
+ use strict;
+ use IO::Socket;
+-use Test::More tests => 14;
++use Test::More tests => 15;
+ use LightyTest;
+
+ my $tf = LightyTest->new();
+@@ -25,6 +25,14 @@
+
+ $t->{REQUEST} = ( <<EOF
+ GET /server-status HTTP/1.0
++Authorization: Basic \x80mFuOmphb
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
++ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token');
++
++$t->{REQUEST} = ( <<EOF
++GET /server-status HTTP/1.0
+ Authorization: Basic amFuOmphb
+ EOF
+ );
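Review bot: In the http_auth.c hunk the cast is added only to the loop assignment, while the identical pre-loop assignment `ch = in[0];` two lines above it stays unconverted; the loop's first iteration overwrites it when in_len > 0, but the declaration of ch and any use after the loop are outside the hunk, so either apply the same cast, `ch = (unsigned char) in[0];`, or drop the dead assignment so the two lines cannot drift apart. The fix also relies on ch being wider than char (an int, presumably); if ch were declared `char`, the cast would be undone on assignment and the negative value that CVE-2011-4362 is about would still reach the table lookup on signed-char platforms, which is worth confirming against the declaration above the hunk. The added mod-auth.t case with the `\x80` byte is a good regression test and expects a 401, which is the rejection path the decoder should take for an invalid token.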
Modified: lighttpd/tags/1.4.28-2+squeeze1/debian/patches/series
===================================================================
--- lighttpd/tags/1.4.28-2/debian/patches/series 2011-12-18 20:55:43 UTC (rev 562)
+++ lighttpd/tags/1.4.28-2+squeeze1/debian/patches/series 2011-12-18 21:50:28 UTC (rev 564)
@@ -1,2 +1,4 @@
silence-errors.diff
+fix-CVE-2011-4362.patch
+ssl-mitigate-beast.patch
debian-changes-1.4.28-2
Added: lighttpd/tags/1.4.28-2+squeeze1/debian/patches/ssl-mitigate-beast.patch
===================================================================
--- lighttpd/tags/1.4.28-2+squeeze1/debian/patches/ssl-mitigate-beast.patch (rev 0)
+++ lighttpd/tags/1.4.28-2+squeeze1/debian/patches/ssl-mitigate-beast.patch 2011-12-18 21:50:28 UTC (rev 564)
@@ -0,0 +1,67 @@
+--- a/src/base.h
++++ b/src/base.h
+@@ -275,6 +275,7 @@
+ buffer *ssl_pemfile;
+ buffer *ssl_ca_file;
+ buffer *ssl_cipher_list;
++ unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
+ unsigned short ssl_use_sslv2;
+ unsigned short ssl_verifyclient;
+ unsigned short ssl_verifyclient_enforce;
+--- a/src/configfile.c
++++ b/src/configfile.c
+@@ -102,6 +102,7 @@
+ { "ssl.verifyclient.exportcert", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 60 */
+
+ { "server.set-v6only", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 61 */
++ { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER}, /* 62 */
+
+ { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+ { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+@@ -171,6 +172,7 @@
+ s->max_write_idle = 360;
+ s->use_xattr = 0;
+ s->is_ssl = 0;
++ s->ssl_honor_cipher_order = 1;
+ s->ssl_use_sslv2 = 0;
+ s->use_ipv6 = 0;
+ s->set_v6only = 1;
+@@ -246,6 +248,7 @@
+ cv[58].destination = &(s->ssl_verifyclient_depth);
+ cv[59].destination = s->ssl_verifyclient_username;
+ cv[60].destination = &(s->ssl_verifyclient_export_cert);
++ cv[62].destination = &(s->ssl_honor_cipher_order);
+
+ srv->config_storage[i] = s;
+
+@@ -324,6 +327,7 @@
+ #endif
+ PATCH(ssl_ca_file);
+ PATCH(ssl_cipher_list);
++ PATCH(ssl_honor_cipher_order);
+ PATCH(ssl_use_sslv2);
+ PATCH(etag_use_inode);
+ PATCH(etag_use_mtime);
+@@ -388,6 +392,8 @@
+ #endif
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
+ PATCH(ssl_ca_file);
++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
++ PATCH(ssl_honor_cipher_order);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
+ PATCH(ssl_use_sslv2);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) {
+--- a/src/network.c
++++ b/src/network.c
+@@ -552,6 +552,11 @@
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
+ }
++
++ if (s->ssl_honor_cipher_order) {
++ SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
++ }
++
+ }
+
+ if (!buffer_is_empty(s->ssl_ca_file)) {
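Review bot: In the network.c hunk the new `if (s->ssl_honor_cipher_order)` block sits inside the brace that, from the preceding SSL_CTX_set_cipher_list error return, appears to close the ssl.cipher-list branch (the enclosing block starts outside the hunk), so SSL_OP_CIPHER_SERVER_PREFERENCE is only set when an explicit cipher list is configured; with the option defaulting to 1 in configfile.c but no ssl.cipher-list, the client still picks the suite. If that coupling is intended, a comment such as `/* server-preferred order is only applied together with an explicit ssl.cipher-list */` on the new block would save the next reader the search; otherwise move the three lines after that closing brace so the default list is covered too. The rest of the patch is consistent: the config table entry is numbered 62 and `cv[62].destination` points at the new field, and the two PATCH sites mirror the neighbouring ssl_use_sslv2 handling.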