Your message dated Sun, 17 Feb 2013 12:47:27 +0000
with message-id <e1u73er-0000ht...@franck.debian.org>
and subject line Bug#700399: fixed in lighttpd 1.4.28-2+squeeze1.1
has caused the Debian Bug report #700399,
regarding vulnerable to CRIME SSL attack (CVE-2012-4929)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700399: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700399
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lighttpd
Version: 1.4.28-2+squeeze1
Severity: grave
Tags: security

Hi,

lighttpd in squeeze is vulnerable to the SSL attack CVE-2012-4929 dubbed
'CRIME'. The attack is related to SSL compression.

The popular solution to the attack is to disable SSL compression. This is
what Apache has done and also lighttpd upstream: the issue is addressed
in wheezy and above because lighttpd disables SSL compression at compile
time.

There's an upstream issue here http://redmine.lighttpd.net/issues/2445.

I believe a good approach would be to follow what was done in later
releases and port the compile-time check for SSL compression to the
version in squeeze.


Cheers,
Thijs


-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (400, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

--- End Message ---
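A defender-side check for the mitigation described above, added here and not part of the bug report or of lighttpd: it offers compression in the ClientHello (Python's default context would refuse it and report a false negative) and reports whether the server actually negotiated it. The helper names are this example's own.

```python
"""Check a TLS endpoint for negotiated compression (CVE-2012-4929, CRIME).

Added example, not code from the bug report or lighttpd.  Assumes a Python 3
ssl module linked against an OpenSSL that can still offer compression.
"""
import socket
import ssl

def probe_context() -> ssl.SSLContext:
    """Client context that OFFERS compression so a server that still enables
    it will negotiate it.  Python sets OP_NO_COMPRESSION on every context by
    default, which would hide the problem (a false 'not exposed')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # auditing compression, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    if ctx.options & ssl.OP_NO_COMPRESSION:
        ctx.options = ctx.options & ~int(ssl.OP_NO_COMPRESSION)
    return ctx

def hardened_context() -> ssl.SSLContext:
    """Server-side equivalent of the Debian fix: refuse compression always."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx

def refuses_compression(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)

def crime_exposed(compression) -> bool:
    """Verdict from SSLSocket.compression(): None means nothing negotiated;
    a method name such as 'zlib compression' means the session is exposed."""
    return compression is not None

def audit(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with the endpoint and report what was actually negotiated."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with probe_context().wrap_socket(raw, server_hostname=host) as tls:
            comp = tls.compression()
            return {"host": host, "version": tls.version(),
                    "cipher": tls.cipher()[0], "compression": comp,
                    "crime_exposed": crime_exposed(comp)}

if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A `None` result is only conclusive if the local OpenSSL can still offer compression (most current builds cannot, and TLS 1.3 has no compression at all); cross-check with the `Compression:` line of `openssl s_client` output.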
--- Begin Message ---
Source: lighttpd
Source-Version: 1.4.28-2+squeeze1.1

We believe that the bug you reported is fixed in the latest version of
lighttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated lighttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Tue, 12 Feb 2013 13:56:53 +0100
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source amd64 all
Version: 1.4.28-2+squeeze1.1
Distribution: stable-security
Urgency: high
Maintainer: Debian lighttpd maintainers <pkg-lighttpd-maintain...@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description: 
 lighttpd   - A fast webserver with minimal memory footprint
 lighttpd-doc - Documentation for lighttpd
 lighttpd-mod-cml - Cache meta language module for lighttpd
 lighttpd-mod-magnet - Control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - Anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Closes: 700399
Changes: 
 lighttpd (1.4.28-2+squeeze1.1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Backport upstream fixes for SSL attacks:
     + Disable client triggered renegotiation by default (CVE-2009-3555).
       Can be re-enabled with ssl.disable-client-renegotiation = "disable".
     + Disable SSL compression at build time (CVE-2012-4929, 'CRIME').
     (closes: #700399)


--- End Message ---