[pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update
bernat at debian.org
Thu Dec 22 18:16:49 UTC 2011
OoO Shortly before the beginning of the afternoon of Thursday, December 22, 2011, around
13:38, Arno Töll <debian at toell.net> said:
> I'm sorry you're right. I was indeed misleading as I just copied the
> NEWS entry I wrote for Unstable where things are slightly different. I
> admit I shouldn't have copied it for Stable and Unstable as it was, as
> things are not directly adaptable there.
OpenSSL in unstable does not support TLS 1.2 either. I think that the
solution is for a future OpenSSL version (maybe TLS 1.2 is supported in
1.1 but I am not sure).
> Regarding your comments I can see how I could have been more clear but I
> think the things you mentioned aren't that crucial it would justify a
> new DSA. I will however reformulate some parts for the next Unstable
Yes, you are right. Your advice still works since without TLS 1.2 the
only mitigation available is to fall back to RC4 and that's what happens
with the provided configuration.
Vincent Bernat ☯ http://vincent.bernat.im
panic("Attempted to kill the idle task!");