[pkg-lighttpd] Proposing a change for Lighttpd (CVE-2011-4362 and other)

Arno Töll debian at toell.net
Mon Dec 19 00:42:09 UTC 2011



Hello,

I'm proposing the attached diffs for (old-)stable-security. They fix the
following issues for stable and oldstable:

* http://redmine.lighttpd.net/issues/2370 (CVE-2011-4362)

An integer overflow was discovered in the base64 decoder Lighttpd uses
internally. This potentially allows out-of-bounds reads which might lead
to a denial-of-service (DoS) attack.

* http://redmine.lighttpd.net/issues/2364 (related: CVE-2011-3389)

When using CBC ciphers on an SSL-enabled virtual host to communicate with
certain clients, a so-called BEAST attack allows man-in-the-middle
attackers to obtain plaintext HTTP headers via a blockwise
chosen-boundary attack (BCBA) on an HTTPS session. To work around the
problem it is suggested to disable CBC ciphers entirely - this may,
however, break some (older) clients. To mitigate the impact it is
recommended to prefer secure SSL ciphers.

To do so, site administrators may set

ssl.cipher-list =
"ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

in their SSL enabled virtual hosts. This is possible without any further
upgrade. Moreover, lighttpd should be instructed to prefer non-CBC
ciphers over CBC ciphers. To do so, the site administrator should set

ssl.honor-cipher-order = "enable"

as well. This option is available in lighttpd 1.4.30 and later and was
backported to the Debian versions of Lighttpd in Squeeze and Lenny.
Note, upstream commit 2810 does not fix the issue all alone. It is
needed to enable the suggested workaround to limit the impact by
changing the configuration. I wrote a NEWS file giving instructions to
the site administrator and updated the configuration files accordingly.

For Unstable the problem has been fixed by preparing a new upstream
release (1.4.30) which fixes both problems. I am no Debian developer
yet, hence I can not upload the new upstream release to Unstable.
Krzysztof, would you take care of that? Alternatively, someone from the
security team might possibly take care of it?

All changes can also be found in our SVN repository:

* the new upstream release [1]
* the fix for Lenny [2]
* the fix for Squeeze [3]

Also note, all issues are public already so no confidentiality is needed
anymore. Furthermore I invite all my co-maintainers to test my proposed
fixes and give feedback.

[1] http://anonscm.debian.org/viewvc/pkg-lighttpd/lighttpd/trunk/
[2] http://anonscm.debian.org/viewvc/pkg-lighttpd/lighttpd/tags/1.4.19-5%2Blenny3/
[3] http://anonscm.debian.org/viewvc/pkg-lighttpd/lighttpd/tags/1.4.28-2%2Bsqueeze1/
-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lighttpd_1.4.19+lenny3.diff
Type: text/x-patch
Size: 7627 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-lighttpd-maintainers/attachments/20111219/5ca49529/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lighttpd_1.4.28+squeeze1.diff
Type: text/x-patch
Size: 7190 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-lighttpd-maintainers/attachments/20111219/5ca49529/attachment-0003.bin>
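As an added example, which is neither lighttpd's own decoder nor the code in the attached Debian diffs: a base64 decoder written so that the class of bug described for CVE-2011-4362 (an out-of-bounds read in the decoder) cannot occur. One common way such a read arises is indexing a reverse lookup table with a plain `char`, which is signed on many platforms, so a byte with the high bit set becomes a negative index. Here the table has an entry for every one of the 256 byte values and is always indexed with an `unsigned char`, so such bytes are rejected as invalid input instead; the output length is also checked against the caller's buffer. The function names, the strict padding rule, and the constructed inputs in the demo are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define B64_INVALID 0xFF

/* Fill a 256-entry reverse table: every possible byte value has an entry,
 * so an unsigned char index can never read outside the table. */
static void b64_build_table(unsigned char table[256]) {
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    memset(table, B64_INVALID, 256);
    for (size_t i = 0; i < 64; i++)
        table[(unsigned char)alphabet[i]] = (unsigned char)i;
}

/* Decode in[0..in_len) into out (capacity out_cap).
 * Returns the number of bytes written, or -1 if the input is not valid,
 * canonically padded base64 or the output buffer is too small. */
long b64_decode(const char *in, size_t in_len, unsigned char *out, size_t out_cap) {
    unsigned char table[256];
    unsigned int acc = 0;   /* bit accumulator, never more than 14 bits live */
    int bits = 0;
    size_t produced = 0, pad = 0;

    b64_build_table(table);

    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];  /* cast: index is never negative */
        if (c == '=') { pad++; continue; }
        if (pad) return -1;                      /* data after padding */
        unsigned char v = table[c];
        if (v == B64_INVALID) return -1;         /* byte outside the alphabet */
        acc = ((acc << 6) | v) & 0xFFFFu;        /* keep only the live bits */
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (produced >= out_cap) return -1;  /* caller's buffer is full */
            out[produced++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    /* Canonical base64: length is a multiple of 4 and at most two '=' */
    if (pad > 2 || (in_len % 4) != 0) return -1;
    return (long)produced;
}

/* Demo helper: decode a NUL-terminated string and compare with `expected`;
 * returns 1 on an exact match, 0 otherwise. */
int b64_decodes_to(const char *in, const char *expected) {
    unsigned char buf[64];
    long n = b64_decode(in, strlen(in), buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

/* Demo helper: 1 if the decoder rejects the input (returns -1). */
int b64_is_rejected(const char *in, size_t in_len) {
    unsigned char buf[64];
    return b64_decode(in, in_len, buf, sizeof buf) == -1;
}

int main(void) {
    /* Constructed inputs: a valid Basic-auth style credential, and the same
     * data with a high-bit byte appended, which must be rejected. */
    printf("user:pass decodes: %d\n", b64_decodes_to("dXNlcjpwYXNz", "user:pass"));
    printf("high-bit byte rejected: %d\n", b64_is_rejected("dXNl\xff", 5));
    return 0;
}
```

The `& 0xFFFFu` mask keeps the accumulator bounded regardless of input length, and the `produced >= out_cap` check turns a too-small output buffer into an error rather than a write past its end; both are the kind of bound a reviewer should look for in any hand-written decoder that parses attacker-supplied headers.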

