lighttpd (1.4.28-2+squeeze1.1) stable-security; urgency=high

  To fix a security vulnerability in the design of the SSL/TLS protocol
  (CVE-2009-3555), the protocol had to be extended (RFC 5746). By default,
  session renegotiation is no longer supported with old clients that do not
  implement this extension. This breaks certain configurations with client
  certificate authentication. If you still need to support old clients, you
  may restore the old (insecure) behaviour by adding the configuration option

    ssl.disable-client-renegotiation = "disable"

  to /etc/lighttpd/lighttpd.conf.

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 14 Feb 2013 19:42:19 +0100

lighttpd (1.4.28-2+squeeze1) stable-security; urgency=high

  This release includes an option to force Lighttpd to honor the cipher order
  in ssl.cipher-list. This mitigates the effects of an SSL CBC attack commonly
  referred to as "BEAST attack". See [1] and CVE-2011-3389 for more details.

  To minimize the risk of this attack it is recommended either to disable all CBC
  ciphers (beware: this will break older clients), or pursue clients to use safe
  ciphers where possible at least. To do so, set

    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"

  in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL enabled
  host you configured. If you did not change this file previously, this upgrade
  will update it automatically.

  [1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html

 -- Arno Töll <debian@toell.net>  Sun, 18 Dec 2011 21:20:12 +0100

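
The two entries above both turn on a handful of SSL directives in the Debian config fragments, so here is an added example, not part of this NEWS file or of the lighttpd package: a POSIX sh audit that reads a fragment such as conf-available/10-ssl.conf and flags ssl.disable-client-renegotiation = "disable" (which re-allows renegotiation with clients lacking the RFC 5746 extension) as well as a missing ssl.honor-cipher-order = "enable" or ssl.cipher-list. The directive names are the ones the entries use; the function names, the assumption that each directive sits on one line, and the two sample fragments are constructed for the example. The cipher string in the hardened sample is the list the 2011 entry recommends; RC4 has since been prohibited for TLS (RFC 7465), so a current deployment would drop it from that list.

```shell
#!/bin/sh
# Added example, not part of the lighttpd package: audit a lighttpd SSL config
# fragment for the renegotiation and cipher-order settings described in the
# NEWS entries above. Assumes each directive sits on a single line.

# Print the value of directive $2 in file $1 (last occurrence wins), with the
# surrounding quotes removed; prints nothing if the directive is unset.
lighttpd_get() {
    pattern=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${pattern}[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# Report findings for fragment $1: one finding per line on stdout,
# exit status 0 when nothing was flagged, 1 otherwise.
audit_lighttpd_ssl() {
    conf=$1
    findings=0

    # The directive name is negative: the value "disable" switches the
    # CVE-2009-3555 protection off and re-allows pre-RFC 5746 renegotiation.
    if [ "$(lighttpd_get "$conf" ssl.disable-client-renegotiation)" = "disable" ]; then
        echo "insecure: ssl.disable-client-renegotiation = \"disable\" re-allows legacy renegotiation (CVE-2009-3555)"
        findings=1
    fi

    # Without honor-cipher-order the client's preference decides, so the
    # server-side ordering meant to mitigate BEAST (CVE-2011-3389) has no effect.
    if [ "$(lighttpd_get "$conf" ssl.honor-cipher-order)" != "enable" ]; then
        echo "weak: ssl.honor-cipher-order is not \"enable\"; the client chooses the cipher suite"
        findings=1
    fi

    # Honoring the order only helps when there is an explicit, ordered list.
    if [ -z "$(lighttpd_get "$conf" ssl.cipher-list)" ]; then
        echo "weak: ssl.cipher-list is unset; the OpenSSL default list applies"
        findings=1
    fi

    return $findings
}

# Constructed sample fragments (not real Debian defaults) for the demo.
sample_config() {
    case $1 in
    insecure)
        printf '%s\n' \
            'ssl.engine = "enable"' \
            '# re-allows renegotiation for clients without the RFC 5746 extension' \
            'ssl.disable-client-renegotiation = "disable"' \
            'ssl.cipher-list = "HIGH:!aNULL"' ;;
    hardened)
        printf '%s\n' \
            'ssl.engine = "enable"' \
            'ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"' \
            'ssl.honor-cipher-order = "enable"' ;;
    esac
}

# Run both samples through the audit and show the findings.
demo() {
    for variant in insecure hardened; do
        f=$(mktemp)
        sample_config "$variant" > "$f"
        echo "== $variant sample =="
        if audit_lighttpd_ssl "$f"; then echo "no findings"; fi
        rm -f "$f"
    done
}

# Audit the fragment named on the command line, or run the demo when none is given.
if [ $# -gt 0 ]; then audit_lighttpd_ssl "$1"; exit $?; else demo; fi
```

Run it as `sh audit-ssl.sh /etc/lighttpd/conf-available/10-ssl.conf` to check a live fragment; the exit status makes it usable from a configuration test in CI or a monitoring check.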
lighttpd (1.4.23-1) unstable; urgency=low

  spawn-fcgi is now a separate package. Please install the "spawn-fcgi" package
  if you need it.

 -- Krzysztof Krzyżaniak (eloy) <eloy@debian.org>  Thu, 09 Jul 2009 15:53:14 +0200

lighttpd (1.4.19-1) unstable; urgency=low

  Lighttpd must load mod_auth first, else some other modules may not work
  properly (see #419176). For this reason, mod_status configuration has been
  moved out of lighttpd.conf and put in conf-available/10-status.conf.

  Also, the file 10-auth.conf is automatically renamed by the lighttpd
  package (provided that a sane environment is met) to 05-auth.conf, and
  symlinks (if they exist) are also updated properly.

  This is done to ensure that auth.conf is loaded first. If during your
  lighttpd upgrade you read:

    Not touching .../10-auth.conf because .../05-auth.conf exists !!!
    Please read /usr/share/doc/lighttpd/NEWS.Debian

  then you probably have both 10-auth.conf and 05-auth.conf, which is a bad
  situation that you should fix.

 -- Pierre Habouzit <madcoder@debian.org>  Sun, 16 Mar 2008 10:56:22 +0100

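
The rename described in the 1.4.19-1 entry above, as an added example that is not the lighttpd package's own maintainer script: a POSIX sh function that moves conf-available/10-auth.conf to 05-auth.conf, repoints any conf-enabled symlink that referenced the old name, and refuses with the same message the entry quotes when both files already exist, so an administrator can replay the step on a scratch copy of the tree before touching /etc/lighttpd. The layout (conf-available/ holding fragments, conf-enabled/ holding relative symlinks) is assumed to match Debian's; the function name and the scratch tree in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not the lighttpd package's maintainer script: replays the
# 10-auth.conf -> 05-auth.conf rename from the 1.4.19-1 entry against a conf
# tree laid out like Debian's /etc/lighttpd (conf-available/ holds the
# fragments, conf-enabled/ holds relative symlinks to them). The tree root is
# a parameter so the logic can be exercised on a scratch copy first.

rename_auth_conf() {
    root=$1
    avail=$root/conf-available
    enabled=$root/conf-enabled
    old=$avail/10-auth.conf
    new=$avail/05-auth.conf

    # Already renamed (or never installed): nothing to do.
    [ -e "$old" ] || return 0

    # Both files present is the "bad situation" the entry warns about: refuse
    # with the message the package prints and leave the decision to the admin.
    if [ -e "$new" ]; then
        echo "Not touching $old because $new exists !!!" >&2
        return 1
    fi

    mv "$old" "$new" || return 1

    # Repoint any conf-enabled symlink that referenced the old name, so the
    # auth fragment still loads, now sorted ahead of the 10-*.conf fragments.
    for link in "$enabled"/*; do
        [ -L "$link" ] || continue
        case $(readlink "$link") in
        *10-auth.conf)
            rm -f "$link"
            ln -s ../conf-available/05-auth.conf "$enabled/05-auth.conf" ;;
        esac
    done
    return 0
}

# Constructed scratch tree for the demo (not a real /etc/lighttpd).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/conf-available" "$root/conf-enabled"
    echo 'server.modules += ( "mod_auth" )' > "$root/conf-available/10-auth.conf"
    ln -s ../conf-available/10-auth.conf "$root/conf-enabled/10-auth.conf"
    rename_auth_conf "$root" && ls -l "$root/conf-available" "$root/conf-enabled"
    rm -rf "$root"
}

# Rename inside the tree named on the command line, or run the demo when none is given.
if [ $# -gt 0 ]; then rename_auth_conf "$1"; exit $?; else demo; fi
```

Running it with no argument builds a throwaway tree, performs the rename and lists the result; `sh rename-auth.sh /etc/lighttpd` applies it for real, and a non-zero exit status signals the both-files-present state the entry tells you to resolve by hand.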