lighttpd vulnerable to BEAST attack

Bug #942110 reported by SapphirePaw on 2012-02-27
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lighttpd (Ubuntu)

Bug Description

Upstream release 1.4.30 allows admins to mitigate the BEAST attack. I've been unable to find anything in the lighttpd changelog regarding this, and qualys' ssldb tool indicates the server is still vulnerable. The expected result is that the server would not be vulnerable to BEAST, by preferring stream ciphers (RC4) over CBC mode ciphers.

Apologies in advance if this is a dupe. I'm using Lucid/10.04 on a VPS.

Release announcement:

Upstream bug:

Background info:

Qualys ssldb tool:

$ lsb_release -rd
Description: Ubuntu 10.04.4 LTS
Release: 10.04

$ apt-cache policy lighttpd
  Installed: 1.4.26-1.1ubuntu3.1
  Candidate: 1.4.26-1.1ubuntu3.1
  Version table:
 *** 1.4.26-1.1ubuntu3.1 0
        500 lucid-security/universe Packages
        500 lucid-updates/universe Packages
        100 /var/lib/dpkg/status
     1.4.26-1.1ubuntu3 0
        500 lucid/universe Packages

$ apt-cache policy openssl
  Installed: 0.9.8k-7ubuntu8.8
  Candidate: 0.9.8k-7ubuntu8.8
  Version table:
 *** 0.9.8k-7ubuntu8.8 0
        500 lucid-updates/main Packages
        500 lucid-security/main Packages
        100 /var/lib/dpkg/status
     0.9.8k-7ubuntu8 0
        500 lucid/main Packages

Tyler Hicks (tyhicks) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information:

visibility: private → public
visibility: private → public
Tyler Hicks (tyhicks) wrote :

Marking confirmed, based on the upstream release notes.

Changed in lighttpd (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers