Package: lighttpd
Version: 1.4.28-2+squeeze1
Severity: grave
Tags: security

Hi,

lighttpd in squeeze is vulnerable to the SSL attack CVE-2012-4929 dubbed 'CRIME'. The attack is related to SSL compression. The popular solution to the attack is to disable SSL compression. This is what Apache has done and also lighttpd upstream: the issue is addressed in wheezy and above because lighttpd disables SSL compression at compile time.

There's an upstream issue here: http://redmine.lighttpd.net/issues/2445

I believe a good approach would be to follow what was done in later releases and port the compile time check for SSL compression to the version in squeeze.

Cheers,
Thijs

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (400, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

_______________________________________________
Secure-testing-team mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
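As an added example (not part of the bug report and not lighttpd's code), the same mitigation expressed with Python's standard ssl module: a server context that refuses TLS compression, the pre-fix state beside it for comparison, and a client-side check that reports what a live server actually negotiated. The host and port passed to the check are the caller's own; nothing here is taken from the report beyond the mitigation it describes.

```python
import socket
import ssl


def server_context(disable_compression: bool = True) -> ssl.SSLContext:
    """Build a server-side TLS context.

    disable_compression=True is the CRIME mitigation the report asks for:
    OP_NO_COMPRESSION is the runtime form of the SSL_OP_NO_COMPRESSION
    guard that lighttpd applies at compile time. False reproduces the
    pre-fix state, where the library is left free to negotiate DEFLATE
    (only possible if the underlying OpenSSL was built with compression).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if disable_compression:
        ctx.options |= ssl.OP_NO_COMPRESSION
    else:
        ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context can never negotiate TLS-level compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def negotiated_compression(host: str, port: int = 443, timeout: float = 5.0):
    """Connect to a server and return the compression method it negotiated.

    None means no compression was agreed, which is the wanted result.
    The client deliberately leaves compression enabled so that a server
    still offering it is caught; a default client context would refuse
    compression itself and hide the server's problem. If the local
    OpenSSL was built without zlib the client cannot offer compression at
    all, so None then proves nothing about the server.
    """
    client = ssl.create_default_context()
    client.options &= ~ssl.OP_NO_COMPRESSION
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with client.wrap_socket(raw, server_hostname=host) as tls:
            return tls.compression()
```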

