[pkg-lighttpd] Bug#700399: vulnerable to CRIME SSL attack (CVE-2012-4929)
Thijs Kinkhorst
thijs at uvt.nl
Tue Feb 12 15:08:56 UTC 2013
tags 700399 +patch
thanks
Hi,
Attached is a proposed update for squeeze-security to address this issue.
Upstream's patch for client side renegotiation also fixed the SSL compression
issue in the same commit. The SSL compression fix however only works with
openssl >= 1. Therefore, I had to backport another fix (the same one as used
by Apache) to this version in a second patch. I didn't think it was worthwhile
to remove upstream's fix from the renegotiation patch as it's a no-op on
squeeze.
I have not backported the commit that updates the example configuration file
to add an example for the renegotiation option, as this would introduce a
config file prompt in stable.
I've built the package and we're currently running this on our test
environment. It works fine. Also, all compliance tests are now green again.
Built packages for amd64 are available at
https://lissers.uvt.nl/~thijs/lighttpd/
Do you agree on the approach? Barring any objections I'm planning to release
this as a DSA after the weekend.
Cheers,
Thijs
--
Thijs Kinkhorst <thijs at uvt.nl> – LIS Unix
Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres > Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 700399.diff
Type: text/x-patch
Size: 9117 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-lighttpd-maintainers/attachments/20130212/22208fc6/attachment.bin>
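A verification step for the compression half of this update, added here as an example and not part of the bug report or the attached 700399.diff: after deploying the fixed package, confirm from the outside that the server no longer negotiates TLS compression (the precondition CRIME relies on). The script parses the `SSL-Session` block that `openssl s_client` prints; the host and port arguments and the sample output in the test are constructed, and the `-comp` flag is an assumption about the installed `s_client` (OpenSSL 1.1.0 and later no longer offer compression unless asked to).

```shell
#!/bin/sh
# Added example (not from the bug report or its attached patch): check that a
# TLS endpoint refuses compression after the CVE-2012-4929 fix is installed.

# tls_compression_state: reads `openssl s_client` output on stdin and prints
#   disabled           - server agreed on no compression (Compression: NONE)
#   enabled:<method>   - server negotiated a compression method
#   unknown            - no session block found (connection failed, bad option)
tls_compression_state() {
    comp=$(sed -n 's/^[[:space:]]*Compression: *//p' | head -n 1)
    case "$comp" in
        "")    echo unknown ;;
        NONE)  echo disabled ;;
        *)     echo "enabled:$comp" ;;
    esac
}

# audit_tls_compression HOST [PORT]: connect once, offering compression, and
# report what the server negotiated. `-comp` is assumed to be accepted by the
# local s_client; with an older OpenSSL that rejects it, the result is "unknown".
audit_tls_compression() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -comp </dev/null 2>/dev/null \
        | tls_compression_state
}

# Run as a script: ./tls-comp-check.sh www.example.org 443   (hostname constructed)
if [ -n "${1:-}" ]; then
    audit_tls_compression "$@"
fi
```

A result of `disabled` is what the backported fix should produce on squeeze; `enabled:zlib compression` means the server still accepts compression and the fix is not in effect for that listener. An `unknown` result says nothing about the server: check first that the connection succeeded and that your `openssl` accepts `-comp`.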