blob: 33cb310c962767d817447b97fc7ed4ad64f12373 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
lighttpd (1.4.30-1) unstable; urgency=medium
This releases includes an option to force Lighttpd to honor the cipher order
in ssl.cipher-list. This mitigates the effects of a SSL CBC attack commonly
referred to as "BEAST attack". See [1] and CVE-2011-3389 for more details.
To minimze the risk of this attack it is recommended either to disable all CBC
ciphers (beware: this will break reasonably old clients or those who support
CBC ciphers only), or pursue clients to use safe ciphers where possible at
least. To do so, set
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.honor-cipher-order = "enable"
in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL enabled
host you configured. If you did not change this file previously, this upgrade
will update it automatically.
[1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
-- Arno Töll <debian@toell.net> Sun, 18 Dec 2011 20:26:50 +0100
lighttpd (1.4.23-1) unstable; urgency=low
spawn-fcgi is now separate package. Please install "spawn-fcgi" package if
you need it.
-- Krzysztof Krzyżaniak (eloy) <eloy@debian.org> Thu, 09 Jul 2009 15:53:14 +0200
|