[pkg-lighttpd] [SECURITY] [DSA 2368-1] lighttpd security update

Vincent Bernat bernat at debian.org
Thu Dec 22 18:16:49 UTC 2011


OoO Shortly before the start of the afternoon of Thursday 22 December 2011, around
13:38, Arno Töll <debian at toell.net> said:

> I'm sorry you're right. I was indeed misleading as I just copied the
> NEWS entry I wrote for Unstable where things are slightly different. I
> admit I shouldn't have copied it for Stable and Unstable as it was, as
> things are not directly adaptable there.

OpenSSL in unstable does not support TLS 1.2 either. I think that the
solution is for a future OpenSSL version (maybe TLS 1.2 is supported in
1.1 but I am not sure).

> Regarding your comments I can see how I could have been more clear but I
> think the things you mentioned aren't that crucial it would justify a
> new DSA. I will however reformulate some parts for the next Unstable
> upload.

Yes, you are right. Your advice still works since without TLS 1.2 the
only mitigation available is to fall back to RC4 and that's what happens
with the provided configuration.
-- 
Vincent Bernat ☯ http://vincent.bernat.im

panic("Attempted to kill the idle task!");
	2.2.16 /usr/src/linux/kernel/exit.c