lighttpd vulnerable to BEAST attack
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| lighttpd (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
Upstream release 1.4.30 allows admins to mitigate the BEAST attack. I've been unable to find anything in the lighttpd changelog regarding this, and Qualys' ssldb tool indicates the server is still vulnerable. The expected result is that the server would not be vulnerable to BEAST, by preferring stream ciphers (RC4) over CBC mode ciphers.
Apologies in advance if this is a dupe. I'm using Lucid/10.04 on a VPS.
Release announcement: http://
Upstream bug: http://
Background info: https:/
Qualys ssldb tool: https:/
```text
$ lsb_release -rd
Description: Ubuntu 10.04.4 LTS
Release: 10.04
$ apt-cache policy lighttpd
lighttpd:
Installed: 1.4.26-1.1ubuntu3.1
Candidate: 1.4.26-1.1ubuntu3.1
Version table:
*** 1.4.26-1.1ubuntu3.1 0
500 http://
500 http://
100 /var/lib/
1.
500 http://
$ apt-cache policy openssl
openssl:
Installed: 0.9.8k-7ubuntu8.8
Candidate: 0.9.8k-7ubuntu8.8
Version table:
*** 0.9.8k-7ubuntu8.8 0
500 http://
500 http://
100 /var/lib/
0.
500 http://
```
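For readers who want to see what the 1.4.30 mitigation the reporter refers to looks like in practice, the following lighttpd configuration fragment is an added example (it is not part of the bug report or of the Ubuntu package). It assumes the `ssl.honor-cipher-order` directive introduced in lighttpd 1.4.30 and the pre-existing `ssl.cipher-list` directive; the certificate path and the cipher string are placeholders, not values from this page.

```conf
# Added example: lighttpd 1.4.30+ HTTPS listener whose cipher preference
# takes precedence over the client's, which is what closes the BEAST
# exposure described in the report (a TLS 1.0 client negotiating a
# CBC-mode cipher even though the server offers a stream cipher).
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"   # placeholder path

    # Assumed directive, added in 1.4.30: when enabled, the first cipher in
    # ssl.cipher-list that the client also supports is selected, instead of
    # the first entry in the client's own list.
    ssl.honor-cipher-order = "enable"

    # 2012-era ordering: RC4 stream ciphers ahead of the AES-CBC suites, so
    # a TLS 1.0 client is steered away from CBC mode (placeholder list).
    ssl.cipher-list = "RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!LOW"

    # SSLv2 has no place on a server expected to pass an SSL Labs scan.
    ssl.use-sslv2 = "disable"
}
```

Two checks a practitioner should make against this. First, the directive only helps if the lighttpd binary actually knows it; on the 1.4.26 package shown in the report an unknown directive is a configuration error, so confirm `lighttpd -v` reports 1.4.30 or later before relying on it. Second, preferring RC4 was the accepted BEAST mitigation in 2012, but RC4 has since been shown to be weak and RFC 7465 prohibits it in TLS, so on any current deployment the correct fix is to disable TLS 1.0 and prefer TLS 1.2+ AEAD suites rather than to reorder CBC behind RC4.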
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures