Ubuntu

lighttpd vulnerable to BEAST attack

Reported by SapphirePaw on 2012-02-27
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lighttpd (Ubuntu)
Medium
Unassigned

Bug Description

Upstream release 1.4.30 allows admins to mitigate the BEAST attack. I've been unable to find anything in the lighttpd changelog regarding this, and qualys' ssldb tool indicates the server is still vulnerable. The expected result is that the server would not be vulnerable to BEAST, by preferring stream ciphers (RC4) over CBC mode ciphers.

Apologies in advance if this is a dupe. I'm using Lucid/10.04 on a VPS.

Release announcement: http://www.lighttpd.net/2011/12/18/1-4-30-faster-than-santa-your-first-present-this-year

Upstream bug: http://redmine.lighttpd.net/issues/2364

Background info: https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

Qualys ssldb tool: https://www.ssllabs.com/ssldb/index.html

$ lsb_release -rd
Description: Ubuntu 10.04.4 LTS
Release: 10.04

$ apt-cache policy lighttpd
lighttpd:
  Installed: 1.4.26-1.1ubuntu3.1
  Candidate: 1.4.26-1.1ubuntu3.1
  Version table:
 *** 1.4.26-1.1ubuntu3.1 0
        500 http://security.ubuntu.com/ubuntu/ lucid-security/universe Packages
        500 http://us.archive.ubuntu.com/ubuntu/ lucid-updates/universe Packages
        100 /var/lib/dpkg/status
     1.4.26-1.1ubuntu3 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/universe Packages

$ apt-cache policy openssl
openssl:
  Installed: 0.9.8k-7ubuntu8.8
  Candidate: 0.9.8k-7ubuntu8.8
  Version table:
 *** 0.9.8k-7ubuntu8.8 0
        500 http://security.ubuntu.com/ubuntu/ lucid-updates/main Packages
        500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
        100 /var/lib/dpkg/status
     0.9.8k-7ubuntu8 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages

Tyler Hicks (tyhicks) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
visibility: private → public
Tyler Hicks (tyhicks) wrote :

Marking confirmed, based on the upstream release notes.

Changed in lighttpd (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers