[pkg-lighttpd] r566 - in lighttpd/tags: . 1.4.19-5+lenny3/debian 1.4.19-5+lenny3/debian/conf-available 1.4.19-5+lenny3/debian/patches

Arno Töll atoell-guest at alioth.debian.org
Sun Dec 18 23:03:08 UTC 2011


Author: atoell-guest
Date: 2011-12-18 23:03:08 +0000 (Sun, 18 Dec 2011)
New Revision: 566

Added:
   lighttpd/tags/1.4.19-5+lenny3/
   lighttpd/tags/1.4.19-5+lenny3/debian/patches/fix-CVE-2011-4362.patch
   lighttpd/tags/1.4.19-5+lenny3/debian/patches/ssl-mitigate-beast.patch
Modified:
   lighttpd/tags/1.4.19-5+lenny3/debian/NEWS
   lighttpd/tags/1.4.19-5+lenny3/debian/changelog
   lighttpd/tags/1.4.19-5+lenny3/debian/conf-available/10-ssl.conf
   lighttpd/tags/1.4.19-5+lenny3/debian/patches/series
Log:
backport security fixes to Squeeze to assist the security team

Modified: lighttpd/tags/1.4.19-5+lenny3/debian/NEWS
===================================================================
--- lighttpd/tags/1.4.19-5+lenny2/debian/NEWS	2011-12-18 22:14:21 UTC (rev 565)
+++ lighttpd/tags/1.4.19-5+lenny3/debian/NEWS	2011-12-18 23:03:08 UTC (rev 566)
@@ -1,3 +1,24 @@
+lighttpd (1.4.19-5+lenny3) oldstable-security; urgency=high
+
+  This releases includes an option to force Lighttpd to honor the cipher order
+  in ssl.cipher-list. This mitigates the effects of a SSL CBC attack commonly
+  referred to as "BEAST attack". See [1] and CVE-2011-3389 for more details.
+
+  To minimze the risk of this attack it is recommended either to disable all CBC
+  ciphers (beware: this will break older clients), or pursue clients to use safe
+  ciphers where possible at least. To do so, set
+
+  ssl.ciphers =  "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+  ssl.honor-cipher-order = "enable"
+
+  in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL enabled
+  host you configured. If you did not change this file previously, this upgrade
+  will update it automatically.
+
+  [1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
+
+ -- Arno Töll <debian at toell.net>  Sun, 18 Dec 2011 23:32:16 +0100
+
 lighttpd (1.4.19-1) unstable; urgency=low
 
   Lighttpd must load mod_auth first, else some other modules may not work

Modified: lighttpd/tags/1.4.19-5+lenny3/debian/changelog
===================================================================
--- lighttpd/tags/1.4.19-5+lenny2/debian/changelog	2011-12-18 22:14:21 UTC (rev 565)
+++ lighttpd/tags/1.4.19-5+lenny3/debian/changelog	2011-12-18 23:03:08 UTC (rev 566)
@@ -1,3 +1,14 @@
+lighttpd (1.4.19-5+lenny3) oldstable-security; urgency=high
+
+  * Backport security issues from 1.4.30:
+    + Fix integer overflow (CVE-2011-4362)
+    + Fix attack vector as disclosed by the SSL BEAST attack (related:
+      CVE-2011-3389). Note: If you are upgrading from an older version you need
+      to change your configuration to mitigate effects of the attack. See the
+      corresponding NEWS file for details.
+
+ -- Arno Töll <debian at toell.net>  Sun, 18 Dec 2011 23:41:49 +0100
+
 lighttpd (1.4.19-5+lenny2) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team.

Modified: lighttpd/tags/1.4.19-5+lenny3/debian/conf-available/10-ssl.conf
===================================================================
--- lighttpd/tags/1.4.19-5+lenny2/debian/conf-available/10-ssl.conf	2011-12-18 22:14:21 UTC (rev 565)
+++ lighttpd/tags/1.4.19-5+lenny3/debian/conf-available/10-ssl.conf	2011-12-18 23:03:08 UTC (rev 566)
@@ -7,4 +7,7 @@
 $SERVER["socket"] == "0.0.0.0:443" {
                   ssl.engine                  = "enable"
                   ssl.pemfile                 = "/etc/lighttpd/server.pem"
+
+                  ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
+                  ssl.honor-cipher-order = "enable"
 }
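Review bot: The directive set here, `ssl.cipher-list`, is the key that configfile.c matches on, but the NEWS hunk in this same commit tells administrators to set `ssl.ciphers = "..."`; anyone following that text verbatim gets no cipher preference at all, so NEWS should read `ssl.cipher-list = "..."`. The first two suites in the list, `ECDHE-RSA-AES256-SHA384` and `AES256-SHA256`, are TLS 1.2 suites, so on an OpenSSL without TLS 1.2 support (likely for this release, though not confirmable from this page) the effective first preference is `RC4`, which is worth stating next to the list for whoever revisits it. Because `ssl.honor-cipher-order` only does anything once the ssl-mitigate-beast patch is in the binary, a comment above these two lines such as `# server-preferred order; needs ssl.honor-cipher-order support (1.4.19-5+lenny3 and later)` would save the next reader a search.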

Added: lighttpd/tags/1.4.19-5+lenny3/debian/patches/fix-CVE-2011-4362.patch
===================================================================
--- lighttpd/tags/1.4.19-5+lenny3/debian/patches/fix-CVE-2011-4362.patch	                        (rev 0)
+++ lighttpd/tags/1.4.19-5+lenny3/debian/patches/fix-CVE-2011-4362.patch	2011-12-18 23:03:08 UTC (rev 566)
@@ -0,0 +1,37 @@
+--- a/src/http_auth.c
++++ b/src/http_auth.c
+@@ -90,7 +90,7 @@
+ 	ch = in[0];
+ 	/* run through the whole string, converting as we go */
+ 	for (i = 0; i < in_len; i++) {
+-		ch = in[i];
++		ch = (unsigned char) in[i];
+ 
+ 		if (ch == '\0') break;
+ 
+--- a/tests/mod-auth.t
++++ b/tests/mod-auth.t
+@@ -8,7 +8,7 @@
+ 
+ use strict;
+ use IO::Socket;
+-use Test::More tests => 14;
++use Test::More tests => 15;
+ use LightyTest;
+ 
+ my $tf = LightyTest->new();
+@@ -25,6 +25,14 @@
+ 
+ $t->{REQUEST}  = ( <<EOF
+ GET /server-status HTTP/1.0
++Authorization: Basic \x80mFuOmphb
++EOF
++ );
++$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
++ok($tf->handle_http($t) == 0, 'Basic-Auth: Invalid base64 Auth-token');
++
++$t->{REQUEST}  = ( <<EOF
++GET /server-status HTTP/1.0
+ Authorization: Basic amFuOmphb
+ EOF
+  );
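Review bot: The cast on the new line `ch = (unsigned char) in[i];` keeps `ch` non-negative before it is used as a table index, but the assignment `ch = in[0];` just above the loop is left as a plain `char` read; it is overwritten on the first iteration, so it is dead rather than dangerous, and it would be clearer to drop it or to make the function read through `const unsigned char *` so that no individual site needs a cast. The reverse-table lookup that this cast protects is outside the hunk, as are the start and end of the enclosing function, so the fix is complete only if no other site in that function indexes with an unconverted byte. The added mod-auth.t case sends a high-bit first byte (`\x80`) and expects 401, which pins the regression; a second token with a high-bit byte at a later position would also exercise iterations past `i == 0`.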

Modified: lighttpd/tags/1.4.19-5+lenny3/debian/patches/series
===================================================================
--- lighttpd/tags/1.4.19-5+lenny2/debian/patches/series	2011-12-18 22:14:21 UTC (rev 565)
+++ lighttpd/tags/1.4.19-5+lenny3/debian/patches/series	2011-12-18 23:03:08 UTC (rev 566)
@@ -7,3 +7,5 @@
 lighttpd-1.4.x_userdir_lowercase.patch -p0
 lighttpd-1.4.x_rewrite_redirect_decode_url.patch -p0
 ssl-retval-fix.patch
+fix-CVE-2011-4362.patch
+ssl-mitigate-beast.patch

Added: lighttpd/tags/1.4.19-5+lenny3/debian/patches/ssl-mitigate-beast.patch
===================================================================
--- lighttpd/tags/1.4.19-5+lenny3/debian/patches/ssl-mitigate-beast.patch	                        (rev 0)
+++ lighttpd/tags/1.4.19-5+lenny3/debian/patches/ssl-mitigate-beast.patch	2011-12-18 23:03:08 UTC (rev 566)
@@ -0,0 +1,67 @@
+--- a/src/base.h
++++ b/src/base.h
+@@ -265,6 +265,7 @@
+ 	buffer *ssl_pemfile;
+ 	buffer *ssl_ca_file;
+ 	buffer *ssl_cipher_list;
++	unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
+ 	unsigned short ssl_use_sslv2;
+ 
+ 	unsigned short use_ipv6;
+--- a/src/configfile.c
++++ b/src/configfile.c
+@@ -92,6 +92,7 @@
+ 		{ "etag.use-inode",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 48 */
+ 		{ "etag.use-mtime",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 49 */
+ 		{ "etag.use-size",             NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 50 */
++		{ "ssl.honor-cipher-order",      NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER},/* 51 */
+ 		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+ 		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+ 		{ "server.virtual-root",         "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
+@@ -157,6 +158,7 @@
+ 		s->max_write_idle = 360;
+ 		s->use_xattr     = 0;
+ 		s->is_ssl        = 0;
++		s->ssl_honor_cipher_order = 1;
+ 		s->ssl_use_sslv2 = 1;
+ 		s->use_ipv6      = 0;
+ #ifdef HAVE_LSTAT
+@@ -214,6 +216,7 @@
+ 		cv[48].destination = &(s->etag_use_inode);
+ 		cv[49].destination = &(s->etag_use_mtime);
+ 		cv[50].destination = &(s->etag_use_size);
++		cv[51].destination = &(s->ssl_honor_cipher_order);
+ 
+ 		srv->config_storage[i] = s;
+ 
+@@ -287,6 +290,7 @@
+ 	PATCH(ssl_pemfile);
+ 	PATCH(ssl_ca_file);
+ 	PATCH(ssl_cipher_list);
++	PATCH(ssl_honor_cipher_order);
+ 	PATCH(ssl_use_sslv2);
+ 	PATCH(etag_use_inode);
+ 	PATCH(etag_use_mtime);
+@@ -345,6 +349,8 @@
+ 				PATCH(ssl_pemfile);
+ 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
+ 				PATCH(ssl_ca_file);
++			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
++				PATCH(ssl_honor_cipher_order);
+ 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
+ 				PATCH(ssl_use_sslv2);
+ 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) {
+--- a/src/network.c
++++ b/src/network.c
+@@ -359,6 +359,11 @@
+ 						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
+ 				return -1;
+ 			}
++
++			if (s->ssl_honor_cipher_order) {
++				SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
++			}
++
+ 		}
+ 
+ 		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
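Review bot: The new `if (s->ssl_honor_cipher_order)` block in the network.c hunk is inserted before the closing brace at two tabs, i.e. inside the enclosing block whose error path names `s->ssl_ca_file`; that block appears to be the `ssl.ca-file` one, which would make `SSL_OP_CIPHER_SERVER_PREFERENCE` take effect only on hosts that set `ssl.ca-file`, and the shipped 10-ssl.conf sets none, so the preference this upload exists to enforce would be a no-op in the default configuration. Move the three lines after that closing brace so they run for every SSL context: `}` followed by `if (s->ssl_honor_cipher_order) { SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); }` ahead of the `SSL_CTX_use_certificate_file` call. The enclosing function starts and ends outside the hunk, so confirm the placement against the full file before re-rolling the patch, and check a socket block without `ssl.ca-file` negotiates the server's first-listed suite.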



