[pkg-lighttpd] r564 - in lighttpd/tags: . 1.4.28-2+squeeze1/debian 1.4.28-2+squeeze1/debian/conf-available 1.4.28-2+squeeze1/debian/patches

Arno Töll atoell-guest at alioth.debian.org
Sun Dec 18 21:50:28 UTC 2011


Author: atoell-guest
Date: 2011-12-18 21:50:28 +0000 (Sun, 18 Dec 2011)
New Revision: 564

Added:
   lighttpd/tags/1.4.28-2+squeeze1/
   lighttpd/tags/1.4.28-2+squeeze1/debian/patches/fix-CVE-2011-4362.patch
   lighttpd/tags/1.4.28-2+squeeze1/debian/patches/ssl-mitigate-beast.patch
Modified:
   lighttpd/tags/1.4.28-2+squeeze1/debian/NEWS
   lighttpd/tags/1.4.28-2+squeeze1/debian/changelog
   lighttpd/tags/1.4.28-2+squeeze1/debian/conf-available/10-ssl.conf
   lighttpd/tags/1.4.28-2+squeeze1/debian/patches/series
Log:
backport security fixes to Squeeze to assist the security team

Modified: lighttpd/tags/1.4.28-2+squeeze1/debian/NEWS
===================================================================
--- lighttpd/tags/1.4.28-2/debian/NEWS	2011-12-18 20:55:43 UTC (rev 562)
+++ lighttpd/tags/1.4.28-2+squeeze1/debian/NEWS	2011-12-18 21:50:28 UTC (rev 564)
@@ -1,3 +1,24 @@
+lighttpd (1.4.28-2+squeeze1) stable-security; urgency=high
+
+  This releases includes an option to force Lighttpd to honor the cipher order
+  in ssl.cipher-list. This mitigates the effects of a SSL CBC attack commonly
+  referred to as "BEAST attack". See [1] and CVE-2011-3389 for more details.
+
+  To minimze the risk of this attack it is recommended either to disable all CBC
+  ciphers (beware: this will break older clients), or pursue clients to use safe
+  ciphers where possible at least. To do so, set
+
+  ssl.ciphers =  "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+  ssl.honor-cipher-order = "enable"
+
+  in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL enabled
+  host you configured. If you did not change this file previously, this upgrade
+  will update it automatically.
+
+  [1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
+
+ -- Arno Töll <debian at toell.net>  Sun, 18 Dec 2011 21:20:12 +0100
+
 lighttpd (1.4.23-1) unstable; urgency=low
 
   spawn-fcgi is now separate package. Please install "spawn-fcgi" package if 

Modified: lighttpd/tags/1.4.28-2+squeeze1/debian/changelog
===================================================================
--- lighttpd/tags/1.4.28-2/debian/changelog	2011-12-18 20:55:43 UTC (rev 562)
+++ lighttpd/tags/1.4.28-2+squeeze1/debian/changelog	2011-12-18 21:50:28 UTC (rev 564)
@@ -1,3 +1,14 @@
+lighttpd (1.4.28-2+squeeze1) stable-security; urgency=high
+
+  * Backport security issues from 1.4.30:
+    + Fix integer overflow (CVE-2011-4362)
+    + Fix attack vector as disclosed by the SSL BEAST attack (related:
+      CVE-2011-3389). Note: If you are upgrading from an older version you need
+      to change your configuration to mitigate effects of the attack. See the
+      corresponding NEWS file for details.
+
+ -- Arno Töll <debian at toell.net>  Sun, 18 Dec 2011 20:37:18 +0100
+
 lighttpd (1.4.28-2) unstable; urgency=medium
 
   [ Olaf van der Spek ]

Modified: lighttpd/tags/1.4.28-2+squeeze1/debian/conf-available/10-ssl.conf
===================================================================
--- lighttpd/tags/1.4.28-2/debian/conf-available/10-ssl.conf	2011-12-18 20:55:43 UTC (rev 562)
+++ lighttpd/tags/1.4.28-2+squeeze1/debian/conf-available/10-ssl.conf	2011-12-18 21:50:28 UTC (rev 564)
@@ -3,4 +3,7 @@
 $SERVER["socket"] == "0.0.0.0:443" {
 	ssl.engine  = "enable"
 	ssl.pemfile = "/etc/lighttpd/server.pem"
+
+	ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+	ssl.honor-cipher-order = "enable"
 }
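Review bot: The NEWS entry in this same commit tells administrators to set `ssl.ciphers = "..."`, but the directive actually added here is `ssl.cipher-list`, the key that configfile.c matches (visible in the BEAST patch below), so anyone who follows NEWS to hand-edit a previously modified 10-ssl.conf will not get the mitigation; change the NEWS line to `ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"` so both agree. The string also excludes `!AESGCM`, although GCM suites are not CBC and are not what this BEAST mitigation targets, so that exclusion deserves either a justification or removal. Since preferring RC4 ahead of the CBC suites is the deliberate trade-off being deployed, add a comment above the cipher line, e.g. `# RC4 is preferred ahead of CBC suites to mitigate BEAST (CVE-2011-3389); revisit once TLS 1.1+ clients are common`, so the next maintainer knows why a stream cipher leads the list.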

Added: lighttpd/tags/1.4.28-2+squeeze1/debian/patches/fix-CVE-2011-4362.patch
===================================================================
--- lighttpd/tags/1.4.28-2+squeeze1/debian/patches/fix-CVE-2011-4362.patch	                        (rev 0)
+++ lighttpd/tags/1.4.28-2+squeeze1/debian/patches/fix-CVE-2011-4362.patch	2011-12-18 21:50:28 UTC (rev 564)
@@ -0,0 +1,37 @@
+--- a/src/http_auth.c
++++ b/src/http_auth.c
+@@ -89,7 +89,7 @@
+ 	ch = in[0];
+ 	/* run through the whole string, converting as we go */
+ 	for (i = 0; i < in_len; i++) {
+-		ch = in[i];
++		ch = (unsigned char) in[i];
+ 
+ 		if (ch == '\0') break;
+ 
+--- a/tests/mod-auth.t
++++ b/tests/mod-auth.t
+@@ -8,7 +8,7 @@
+ 
+ use strict;
+ use IO::Socket;
+-use Test::More tests => 14;
++use Test::More tests => 15;
+ use LightyTest;
+ 
+ my $tf = LightyTest->new();
+@@ -25,6 +25,14 @@
+ 
+ $t->{REQUEST}  = ( <<EOF
+ GET /server-status HTTP/1.0
++Authorization: Basic \x80mFuOmphb
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
++ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token');
++
++$t->{REQUEST}  = ( <<EOF
++GET /server-status HTTP/1.0
+ Authorization: Basic amFuOmphb
+ EOF
+  );

Modified: lighttpd/tags/1.4.28-2+squeeze1/debian/patches/series
===================================================================
--- lighttpd/tags/1.4.28-2/debian/patches/series	2011-12-18 20:55:43 UTC (rev 562)
+++ lighttpd/tags/1.4.28-2+squeeze1/debian/patches/series	2011-12-18 21:50:28 UTC (rev 564)
@@ -1,2 +1,4 @@
 silence-errors.diff
+fix-CVE-2011-4362.patch
+ssl-mitigate-beast.patch
 debian-changes-1.4.28-2

Added: lighttpd/tags/1.4.28-2+squeeze1/debian/patches/ssl-mitigate-beast.patch
===================================================================
--- lighttpd/tags/1.4.28-2+squeeze1/debian/patches/ssl-mitigate-beast.patch	                        (rev 0)
+++ lighttpd/tags/1.4.28-2+squeeze1/debian/patches/ssl-mitigate-beast.patch	2011-12-18 21:50:28 UTC (rev 564)
@@ -0,0 +1,67 @@
+--- a/src/base.h
++++ b/src/base.h
+@@ -275,6 +275,7 @@
+ 	buffer *ssl_pemfile;
+ 	buffer *ssl_ca_file;
+ 	buffer *ssl_cipher_list;
++	unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
+ 	unsigned short ssl_use_sslv2;
+ 	unsigned short ssl_verifyclient;
+ 	unsigned short ssl_verifyclient_enforce;
+--- a/src/configfile.c
++++ b/src/configfile.c
+@@ -102,6 +102,7 @@
+ 		{ "ssl.verifyclient.exportcert", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },     /* 60 */
+ 
+ 		{ "server.set-v6only",           NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 61 */
++		{ "ssl.honor-cipher-order",      NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER},      /* 62 */
+ 
+ 		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+ 		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+@@ -171,6 +172,7 @@
+ 		s->max_write_idle = 360;
+ 		s->use_xattr     = 0;
+ 		s->is_ssl        = 0;
++		s->ssl_honor_cipher_order = 1;
+ 		s->ssl_use_sslv2 = 0;
+ 		s->use_ipv6      = 0;
+ 		s->set_v6only    = 1;
+@@ -246,6 +248,7 @@
+ 		cv[58].destination = &(s->ssl_verifyclient_depth);
+ 		cv[59].destination = s->ssl_verifyclient_username;
+ 		cv[60].destination = &(s->ssl_verifyclient_export_cert);
++		cv[62].destination = &(s->ssl_honor_cipher_order);
+ 
+ 		srv->config_storage[i] = s;
+ 
+@@ -324,6 +327,7 @@
+ #endif
+ 	PATCH(ssl_ca_file);
+ 	PATCH(ssl_cipher_list);
++	PATCH(ssl_honor_cipher_order);
+ 	PATCH(ssl_use_sslv2);
+ 	PATCH(etag_use_inode);
+ 	PATCH(etag_use_mtime);
+@@ -388,6 +392,8 @@
+ #endif
+ 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
+ 				PATCH(ssl_ca_file);
++			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
++				PATCH(ssl_honor_cipher_order);
+ 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
+ 				PATCH(ssl_use_sslv2);
+ 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) {
+--- a/src/network.c
++++ b/src/network.c
+@@ -552,6 +552,11 @@
+ 						ERR_error_string(ERR_get_error(), NULL));
+ 				return -1;
+ 			}
++
++			if (s->ssl_honor_cipher_order) {
++				SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
++			}
++
+ 		}
+ 
+ 		if (!buffer_is_empty(s->ssl_ca_file)) {
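Review bot: The `SSL_OP_CIPHER_SERVER_PREFERENCE` call in the network.c hunk sits before a `}` that closes an enclosing block whose opening line is outside the hunk; from the preceding error path (`ERR_error_string` … `return -1;`) it appears to be the branch that applies `ssl.cipher-list`, which would mean a host that enables `ssl.honor-cipher-order` (or relies on the default of 1 set in configfile.c) but configures no cipher list never gets server preference. If so, move the three new lines `if (s->ssl_honor_cipher_order) { SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); }` after that closing brace so the option is applied on its own. The default `s->ssl_honor_cipher_order = 1;` in the configfile.c hunk would also change behaviour for existing SSL hosts that already set a cipher list, and neither the NEWS entry nor the changelog says the option is on by default; state that in NEWS. Like the other new patch, this one has no DEP-3 header; add `Description: add ssl.honor-cipher-order (SSL_OP_CIPHER_SERVER_PREFERENCE) to mitigate BEAST, CVE-2011-3389` and `Origin: backport, lighttpd 1.4.30 <upstream revision: placeholder>` above the first `---` line.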



