lighttpd (1.4.28-2+squeeze1.3) stable-security; urgency=high
The default Debian configuration file for PHP invoked from FastCGI was
vulnerable to local symlink attacks and race conditions when an attacker
manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3)
before the web server starts. The web server could possibly have been
tricked into using a forged PHP.
The problem lies in the configuration, thus this update will fix the problem
only if you did not modify the file /etc/lighttpd/conf-available/15-fastcgi-php.conf.
If you did, dpkg will not overwrite your changes. In that case, please make
sure to set
"socket" => "/var/run/lighttpd/php.socket"
yourself.
-- Arno Töll <arno@debian.org>  Thu, 14 Mar 2013 01:57:42 +0100

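As an added check that is not part of the Debian package or of this NEWS entry, the following POSIX shell script audits a lighttpd FastCGI configuration file for PHP socket paths placed in shared or world-writable directories (the old default /tmp/php.socket) and reports the corrected location as safe. The two sample configuration files are constructed inline for demonstration.

```shell
#!/bin/sh
# Added example, not part of the Debian lighttpd package: audit a lighttpd
# FastCGI config for PHP socket paths in directories shared with other
# local users (the pre-update default /tmp/php.socket).

# Print every value of "socket" => "..." found in the given config file.
list_socket_paths() {
    sed -n 's/.*"socket"[[:space:]]*=>[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Return 0 (true) if the directory holding the socket is shared with other
# local users: a well-known shared temp prefix, or an existing directory
# whose mode grants write access to "other" (9th char of ls -ld output).
socket_dir_is_shared() {
    dir=$(dirname "$1")
    case "$dir" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) return 0 ;;
    esac
    if [ -d "$dir" ] && [ "$(ls -ld "$dir" | cut -c9)" = "w" ]; then
        return 0
    fi
    return 1
}

# Audit one config file: one line per socket path, return 1 if any is unsafe.
# (Paths containing whitespace are not expected in this config.)
audit_fastcgi_conf() {
    status=0
    for sock in $(list_socket_paths "$1"); do
        if socket_dir_is_shared "$sock"; then
            echo "UNSAFE $sock (shared directory: symlink/race exposure)"
            status=1
        else
            echo "ok     $sock"
        fi
    done
    return $status
}

# Constructed sample configs: the old default and the corrected setting.
OLD_CONF=$(mktemp); NEW_CONF=$(mktemp)
printf '%s\n' 'fastcgi.server = ( ".php" => ((' \
    '  "bin-path" => "/usr/bin/php-cgi",' \
    '  "socket" => "/tmp/php.socket"' ')))' > "$OLD_CONF"
printf '%s\n' 'fastcgi.server = ( ".php" => ((' \
    '  "bin-path" => "/usr/bin/php-cgi",' \
    '  "socket" => "/var/run/lighttpd/php.socket"' ')))' > "$NEW_CONF"

audit_fastcgi_conf "$OLD_CONF" || echo "-> set the socket in 15-fastcgi-php.conf"
audit_fastcgi_conf "$NEW_CONF"
rm -f "$OLD_CONF" "$NEW_CONF"
```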
lighttpd (1.4.28-2+squeeze1.1) stable-security; urgency=high
To fix a security vulnerability in the design of the SSL/TLS protocol
(CVE-2009-3555), the protocol had to be extended (RFC 5746). By default,
session renegotiation is no longer supported with old clients that do not
implement this extension. This breaks certain configurations with client
certificate authentication. If you still need to support old clients, you
may restore the old (insecure) behaviour by adding the configuration option
ssl.disable-client-renegotiation = "disable"
to /etc/lighttpd/lighttpd.conf.
-- Thijs Kinkhorst <thijs@debian.org>  Thu, 14 Feb 2013 19:42:19 +0100