1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 2626-1] lighttpd security update

    From Thijs Kinkhorst@1:229/2 to All on Sun Feb 17 12:20:02 2013
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-2626-1 [email protected] http://www.debian.org/security/ Thijs Kinkhorst February 17, 2013 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : lighttpd
    Vulnerability : several issues
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2009-3555 CVE-2012-4929
    Debian Bug : 700399

    Several vulnerabilities were discovered in the TLS/SSL protocol. This
    update addresses these protocol vulnerabilities in lighttpd.

    CVE-2009-3555

    Marsh Ray, Steve Dispensa, and Martin Rex discovered that the TLS
    and SSLv3 protocols do not properly associate renegotiation
    handshakes with an existing connection, which allows man-in-the-middle
    attackers to insert data into HTTPS sessions. This issue is solved
    in lighttpd by disabling client initiated renegotiation by default.

    Those users that do actually need such renegotiations, can reenable
    them via the new 'ssl.disable-client-renegotiation' parameter.

    CVE-2012-4929

    Juliano Rizzo and Thai Duong discovered a weakness in the TLS/SSL
    protocol when using compression. This side channel attack, dubbed
    'CRIME', allows eavesdroppers to gather information to recover the
    original plaintext in the protocol. This update disables compression.

    For the stable distribution (squeeze), these problems have been fixed in version 1.4.28-2+squeeze1.2.

    For the testing distribution (wheezy), and the unstable distribution (sid) these problems have been fixed in version 1.4.30-1.

    We recommend that you upgrade your lighttpd packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.12 (GNU/Linux)

    iQEcBAEBAgAGBQJRILsuAAoJEFb2GnlAHawE8p0IAJPU6W8ZVjchba6XRJUOUGOR GMeqbCEXkAo8f8+WUyWk5c+z7UxX4MuxZgE1542BKrX9mCYj2rbGUpbAUwCEaw+g Rv8bPDy3LNENrZDYB4NEJOS3z7OW47QEO9s25i+ronkB9Tdp05jKMAlmozvlqBFg WbwL1uX8HYNzeMV5GJVHtSnz83pbqxD4Y945hQPvAmZNOQMkm02y2wpesMWa4/xU N9lPCuDeQdRCocMqJGx3eNIV92JA9/Cigzp8w67GjgFXprUAJpdHjfCKYGc+Ygjf I+URlmoV8I4BWJx77OLMXrZZOfLTw2MYeLUnQIDTwk1yAIMfvcrc5mLQuJxoK68=
    =ZX99
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)