[pkg-lighttpd] Bug#700399: vulnerable to CRIME SSL attack (CVE-2012-4929)
Thijs Kinkhorst
thijs at debian.org
Tue Feb 12 12:21:01 UTC 2013
Package: lighttpd
Version: 1.4.28-2+squeeze1
Severity: grave
Tags: security
Hi,

lighttpd in squeeze is vulnerable to the SSL attack CVE-2012-4929 dubbed
'CRIME'. The attack is related to SSL compression.

The popular solution to the attack is to disable SSL compression. This is
what Apache has done and also lighttpd upstream: the issue is addressed
in wheezy and above because lighttpd disables SSL compression at compile
time.

There's an upstream issue here: http://redmine.lighttpd.net/issues/2445.

I believe a good approach would be to follow what was done in later
releases and port the compile time check for SSL compression to the
version in squeeze.

Cheers,
Thijs
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (400, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
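The mitigation the report asks for, refusing to negotiate TLS compression on the server side, shown as an added example in Python. This is not lighttpd's code and not part of the original message. It assumes that the compile-time check referred to is a guard on OpenSSL's SSL_OP_NO_COMPRESSION macro (present only in OpenSSL builds new enough to allow turning compression off), and that Python's ssl.OP_NO_COMPRESSION is the same option bit. The "weak" context models the pre-fix state by clearing a bit that current Python sets by default; the live check at the end is an assumed helper for auditing a deployed host and performs a real network connection.

```python
import socket
import ssl
from typing import List, Optional


def weak_server_context() -> ssl.SSLContext:
    """Model the pre-fix state: a server context that still permits
    TLS compression. Recent CPython sets OP_NO_COMPRESSION by default,
    so the bit is cleared explicitly here (assumed to mirror a build
    without the compile-time check). Whether a handshake actually
    negotiates DEFLATE then depends on the linked OpenSSL having been
    built with compression support at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """The fixed state: compression refused regardless of library
    defaults, which is what disabling it at compile time achieves."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True if the context carries OP_NO_COMPRESSION, i.e. it will not
    offer or accept a TLS compression method during the handshake."""
    return bool(int(ctx.options) & int(ssl.OP_NO_COMPRESSION))


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return CRIME-related findings for a context (empty list = clean)."""
    findings: List[str] = []
    if not compression_disabled(ctx):
        findings.append(
            "TLS compression allowed (CVE-2012-4929, CRIME): "
            "set OP_NO_COMPRESSION on the server context"
        )
    return findings


def negotiated_compression(host: str, port: int = 443,
                           timeout: float = 5.0) -> Optional[str]:
    """Live check against a deployed server (assumed helper, not run in
    the test): offer compression from the client side so that a
    permissive server will take it, complete the handshake and report
    the method the peer agreed to. None means no compression, which is
    the result a patched server must give."""
    ctx = ssl.create_default_context()
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.compression()


if __name__ == "__main__":
    for name, ctx in (("weak", weak_server_context()),
                      ("hardened", hardened_server_context())):
        print(name, "->", audit_context(ctx) or "no findings")
```

The option-bit audit is what a review of server configuration or of a context-building function can check offline; `negotiated_compression()` is the confirmation step against the running host, and a server that still answers with anything other than None for the compression method has not been fixed, whatever its build flags claim.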