summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/NEWS15
-rw-r--r--debian/changelog18
-rw-r--r--debian/gbp.conf3
-rw-r--r--debian/patches/series2
-rw-r--r--debian/patches/ssl-crime.patch20
-rw-r--r--debian/patches/ssl-reneg.patch182
6 files changed, 237 insertions, 3 deletions
diff --git a/debian/NEWS b/debian/NEWS
index c31c290..6c456f6 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,18 @@
+lighttpd (1.4.28-2+squeeze1.1) stable-security; urgency=high
+
+ To fix a security vulnerability in the design of the SSL/TLS protocol
+ (CVE-2009-3555), the protocol had to be extended (RFC 5746). By default,
+ session renegotiation is no longer supported with old clients that do not
+ implement this extension. This breaks certain configurations with client
+ certificate authentication. If you still need to support old clients, you
+ may restore the old (insecure) behaviour by adding the configuration option
+
+ ssl.disable-client-renegotiation = "disable"
+
+ to /etc/lighttpd/lighttpd.conf.
+
+ -- Thijs Kinkhorst <thijs@debian.org> Thu, 14 Feb 2013 19:42:19 +0100
+
lighttpd (1.4.28-2+squeeze1) stable-security; urgency=high
This releases includes an option to force Lighttpd to honor the cipher order
diff --git a/debian/changelog b/debian/changelog
index bfa16d1..3a96b61 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+lighttpd (1.4.28-2+squeeze1.2) stable-security; urgency=high
+
+ * Fix numbering issue with the newly added configuration option.
+ Thanks Wessel Dankers.
+
+ -- Thijs Kinkhorst <thijs@debian.org> Sat, 16 Feb 2013 19:13:19 +0100
+
+lighttpd (1.4.28-2+squeeze1.1) stable-security; urgency=high
+
+ * Non-maintainer upload by the security team.
+ * Backport upstream fixes for SSL attacks:
+ + Disable client triggered renegotiation by default (CVE-2009-3555).
+ Can be re-enabled with ssl.disable-client-renegotiation = "disable".
+ + Disable SSL compression at build time (CVE-2012-4929, 'CRIME').
+ (closes: #700399)
+
+ -- Thijs Kinkhorst <thijs@debian.org> Tue, 12 Feb 2013 13:56:53 +0100
+
lighttpd (1.4.28-2+squeeze1) stable-security; urgency=high
* Backport security issues from 1.4.30:
diff --git a/debian/gbp.conf b/debian/gbp.conf
deleted file mode 100644
index 75eed04..0000000
--- a/debian/gbp.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[DEFAULT]
-pristine-tar=true
-debian-branch=squeeze
diff --git a/debian/patches/series b/debian/patches/series
index 8441374..3beaef4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@ silence-errors.diff
fix-CVE-2011-4362.patch
ssl-mitigate-beast.patch
debian-changes-1.4.28-2
+ssl-reneg.patch
+ssl-crime.patch
diff --git a/debian/patches/ssl-crime.patch b/debian/patches/ssl-crime.patch
new file mode 100644
index 0000000..49b4728
--- /dev/null
+++ b/debian/patches/ssl-crime.patch
@@ -0,0 +1,20 @@
+Description: Disable SSL compression.
+ Mitigates the SSL CRIME (CVE-2012-4929) attacks.
+ Upstream patch uses option only present in wheezy openssl, so
+ this code is needed to actually disable compression in squeeze.
+Forwarded: not-needed
+Bug-Debian: http://bugs.debian.org/700399
+
+diff -Nur lighttpd-1.4.28/src/network.c lighttpd-1.4.28.new/src/network.c
+--- lighttpd-1.4.28/src/network.c 2013-02-12 15:20:23.000000000 +0100
++++ lighttpd-1.4.28.new/src/network.c 2013-02-12 15:19:51.954559635 +0100
+@@ -566,6 +566,9 @@
+ }
+ }
+
++ /* Debian: disable ssl compression to mitigate CRIME attack. */
++ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
++
+ if (!buffer_is_empty(s->ssl_cipher_list)) {
+ /* Disable support for low encryption ciphers */
+ if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
diff --git a/debian/patches/ssl-reneg.patch b/debian/patches/ssl-reneg.patch
new file mode 100644
index 0000000..a967943
--- /dev/null
+++ b/debian/patches/ssl-reneg.patch
@@ -0,0 +1,182 @@
+Description: Disable SSL renegotiation.
+ Mitigates the SSL renegotiation (CVE-2009-3555) attacks.
+ Introduces a new configuration option: ssl.disable-client-renegotiation,
+ default true. Upstream also included code to disable SSL compression
+ in the same commit. This does not work on the openssl in squeeze but
+ doesn't hurt.
+Forwarded: not-needed
+Origin: upstream, r2808 r2809 r2812
+Bug-Debian: http://bugs.debian.org/700399
+
+Index: b/src/network.c
+===================================================================
+--- a/src/network.c 2013-02-16 19:18:04.438541647 +0100
++++ b/src/network.c 2013-02-16 19:18:07.278507389 +0100
+@@ -27,6 +27,19 @@
+ # include <openssl/rand.h>
+ #endif
+
++#ifdef USE_OPENSSL
++static void ssl_info_callback(const SSL *ssl, int where, int ret) {
++ UNUSED(ret);
++
++ if (0 != (where & SSL_CB_HANDSHAKE_START)) {
++ connection *con = SSL_get_app_data(ssl);
++ ++con->renegotiations;
++ } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
++ ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
++ }
++}
++#endif
++
+ static handler_t network_server_handle_fdevent(server *srv, void *context, int revents) {
+ server_socket *srv_socket = (server_socket *)context;
+ connection *con;
+@@ -504,6 +517,11 @@
+ /* load SSL certificates */
+ for (i = 0; i < srv->config_context->used; i++) {
+ specific_config *s = srv->config_storage[i];
++#ifndef SSL_OP_NO_COMPRESSION
++# define SSL_OP_NO_COMPRESSION 0
++#endif
++ long ssloptions =
++ SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_COMPRESSION;
+
+ if (buffer_is_empty(s->ssl_pemfile)) continue;
+
+@@ -536,6 +554,9 @@
+ return -1;
+ }
+
++ SSL_CTX_set_options(s->ssl_ctx, ssloptions);
++ SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
++
+ if (!s->ssl_use_sslv2) {
+ /* disable SSLv2 */
+ if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {
+Index: b/src/base.h
+===================================================================
+--- a/src/base.h 2013-02-16 19:18:04.426502421 +0100
++++ b/src/base.h 2013-02-16 19:18:04.466500766 +0100
+@@ -282,6 +282,7 @@
+ unsigned short ssl_verifyclient_depth;
+ buffer *ssl_verifyclient_username;
+ unsigned short ssl_verifyclient_export_cert;
++ unsigned short ssl_disable_client_renegotiation;
+
+ unsigned short use_ipv6, set_v6only; /* set_v6only is only a temporary option */
+ unsigned short defer_accept;
+@@ -435,6 +436,7 @@
+ # ifndef OPENSSL_NO_TLSEXT
+ buffer *tlsext_server_name;
+ # endif
++ unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */
+ #endif
+ /* etag handling */
+ etag_flags_t etag_flags;
+Index: b/src/network_openssl.c
+===================================================================
+--- a/src/network_openssl.c 2013-02-16 19:17:56.758505345 +0100
++++ b/src/network_openssl.c 2013-02-16 19:18:04.486539910 +0100
+@@ -87,7 +87,14 @@
+ */
+
+ ERR_clear_error();
+- if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
++ r = SSL_write(ssl, offset, toSend);
++
++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++ return -1;
++ }
++
++ if (r <= 0) {
+ unsigned long err;
+
+ switch ((ssl_r = SSL_get_error(ssl, r))) {
+@@ -190,7 +197,14 @@
+ close(ifd);
+
+ ERR_clear_error();
+- if ((r = SSL_write(ssl, s, toSend)) <= 0) {
++ r = SSL_write(ssl, s, toSend);
++
++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++ return -1;
++ }
++
++ if (r <= 0) {
+ unsigned long err;
+
+ switch ((ssl_r = SSL_get_error(ssl, r))) {
+Index: b/src/connections.c
+===================================================================
+--- a/src/connections.c 2013-02-16 19:18:04.402514856 +0100
++++ b/src/connections.c 2013-02-16 19:18:04.490538415 +0100
+@@ -223,6 +223,12 @@
+
+ len = SSL_read(con->ssl, b->ptr + read_offset, toread);
+
++ if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
++ connection_set_state(srv, con, CON_STATE_ERROR);
++ log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client");
++ return -1;
++ }
++
+ if (len > 0) {
+ if (b->used > 0) b->used--;
+ b->used += len;
+@@ -1352,6 +1358,7 @@
+ return NULL;
+ }
+
++ con->renegotiations = 0;
+ #ifndef OPENSSL_NO_TLSEXT
+ SSL_set_app_data(con->ssl, con);
+ #endif
+Index: b/src/configfile.c
+===================================================================
+--- a/src/configfile.c 2013-02-16 19:18:04.430500920 +0100
++++ b/src/configfile.c 2013-02-16 19:18:04.494546359 +0100
+@@ -103,6 +103,7 @@
+
+ { "server.set-v6only", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 61 */
+ { "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER}, /* 62 */
++ { "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 63 */
+
+ { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+ { "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+@@ -195,6 +196,7 @@
+ s->ssl_verifyclient_username = buffer_init();
+ s->ssl_verifyclient_depth = 9;
+ s->ssl_verifyclient_export_cert = 0;
++ s->ssl_disable_client_renegotiation = 1;
+
+ cv[2].destination = s->errorfile_prefix;
+
+@@ -249,6 +251,7 @@
+ cv[59].destination = s->ssl_verifyclient_username;
+ cv[60].destination = &(s->ssl_verifyclient_export_cert);
+ cv[62].destination = &(s->ssl_honor_cipher_order);
++ cv[63].destination = &(s->ssl_disable_client_renegotiation);
+
+ srv->config_storage[i] = s;
+
+@@ -338,6 +341,7 @@
+ PATCH(ssl_verifyclient_depth);
+ PATCH(ssl_verifyclient_username);
+ PATCH(ssl_verifyclient_export_cert);
++ PATCH(ssl_disable_client_renegotiation);
+
+ return 0;
+ }
+@@ -442,6 +446,8 @@
+ PATCH(ssl_verifyclient_username);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.exportcert"))) {
+ PATCH(ssl_verifyclient_export_cert);
++ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.disable-client-renegotiation"))) {
++ PATCH(ssl_disable_client_renegotiation);
+ }
+ }
+ }