*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Tyler Hicks (tyhicks):

Upstream release 1.4.30 allows admins to mitigate the BEAST attack.
I've been unable to find anything in the lighttpd changelog regarding
this, and Qualys' ssldb tool indicates the server is still vulnerable.
The expected result is that the server would not be vulnerable to BEAST,
by preferring stream ciphers (RC4) over CBC mode ciphers.

Apologies in advance if this is a dupe.  I'm using Lucid/10.04 on a VPS.

Release announcement: http://www.lighttpd.net/2011/12/18/1-4-30-faster-than-santa-your-first-present-this-year

Upstream bug: http://redmine.lighttpd.net/issues/2364

Background info:
https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

Qualys ssldb tool: https://www.ssllabs.com/ssldb/index.html
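For reference, this is what the 1.4.30 mitigation the report asks for looks like in a lighttpd configuration. It is an added example, not part of the bug report and not taken from the lighttpd or Ubuntu packaging; the socket and pemfile path are placeholders. It relies on the `ssl.honor-cipher-order` directive introduced in 1.4.30, which is exactly what the 1.4.26 package in Lucid lacks.

```conf
# Added example (not from the bug report): lighttpd 1.4.30+ TLS block that
# applies the BEAST mitigation described above.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"   # placeholder path
    ssl.use-sslv2 = "disable"

    # Without this the client's preference order decides, so a browser that
    # lists a CBC suite first still negotiates CBC under TLS 1.0 no matter
    # what ssl.cipher-list says. Server-side ordering is the 1.4.30 addition.
    ssl.honor-cipher-order = "enable"

    # Stream cipher first, CBC suites only as a fallback. This is the 2011-era
    # mitigation the report refers to; RC4 has since been prohibited for TLS
    # (RFC 7465), so on a current server disable TLS 1.0 and prefer AEAD
    # suites instead of reordering toward RC4.
    ssl.cipher-list = "RC4-SHA:HIGH:!aNULL:!MD5"
}
```

To confirm the server-side order is being honored, `openssl s_client -connect host:443 -tls1` from a client that advertises CBC suites first should report the RC4 suite on its `Cipher` line rather than a CBC one.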

$ lsb_release -rd
Description:    Ubuntu 10.04.4 LTS
Release:        10.04

$ apt-cache policy lighttpd
lighttpd:
  Installed: 1.4.26-1.1ubuntu3.1
  Candidate: 1.4.26-1.1ubuntu3.1
  Version table:
 *** 1.4.26-1.1ubuntu3.1 0
        500 http://security.ubuntu.com/ubuntu/ lucid-security/universe Packages
        500 http://us.archive.ubuntu.com/ubuntu/ lucid-updates/universe Packages
        100 /var/lib/dpkg/status
     1.4.26-1.1ubuntu3 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/universe Packages

$ apt-cache policy openssl
openssl:
  Installed: 0.9.8k-7ubuntu8.8
  Candidate: 0.9.8k-7ubuntu8.8
  Version table:
 *** 0.9.8k-7ubuntu8.8 0
        500 http://security.ubuntu.com/ubuntu/ lucid-updates/main Packages
        500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
        100 /var/lib/dpkg/status
     0.9.8k-7ubuntu8 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages

** Affects: lighttpd (Ubuntu)
     Importance: Undecided
         Status: New

-- 
lighttpd vulnerable to BEAST attack
https://bugs.launchpad.net/bugs/942110
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs