
Bug 490432 (CVE-2013-4508)

Summary: <www-servers/lighttpd-1.4.34 : vulnerable cipher suites with SNI (CVE-2013-4508)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: hwoarang, wired
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-11-04 20:54:36 UTC
From ${URL} :

Nathan Bishop reported that lighttpd uses vulnerable cipher suites when SNI is used:

    # per-host certificate: lighttpd builds a separate SSL_CTX for this SNI host
    $HTTP["Host"] == "" {
        ssl.pemfile = "/etc/ssl/certs/"
    }
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/ssl/certs/default.pem"
        # applies to the default SSL_CTX only, not to the SNI host above
        ssl.cipher-list = "HIGH"
    }

This config uses the "DEFAULT" cipher list for "", which
includes export ciphers.

More details are available at:

Please note that the patch is not final yet, and can't be found in SVN.

We're still discussing:
* whether other options should work in SNI context (we could
  add all to all SSL_CTX instances)
* whether to set a default ssl.cipher-list, and which string to pick

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
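The pattern above (an SNI host block with its own ssl.pemfile but no ssl.cipher-list, so the separate SSL_CTX falls back to OpenSSL's DEFAULT list) can be checked for in a config before upgrading. The following is an added example, not code from the bug report or from lighttpd; the sample config and the hostnames in it are constructed, and the parser only handles the simple block form shown in the report.

```python
import re

# Added example (not from the bug report or lighttpd): a linter for the config
# shape this bug describes.  In lighttpd < 1.4.34 a $HTTP["Host"] block with its
# own ssl.pemfile gets a separate SSL_CTX; ssl.cipher-list set elsewhere is not
# applied to it, so OpenSSL's DEFAULT list (export ciphers included) is used.

BLOCK_OPEN = re.compile(r'^\s*\$(HTTP|SERVER)\["(\w+)"\]\s*==\s*"([^"]*)"\s*\{')
ASSIGN = re.compile(r'^\s*([\w.-]+)\s*=\s*"([^"]*)"')

def parse_blocks(config_text):
    """(kind, key, value, options) per top-level conditional block; options of
    nested blocks fold into the enclosing block, 'else' chains are not handled."""
    blocks, depth = [], 0
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0]          # drop comments
        m = BLOCK_OPEN.match(line)
        if m:
            if depth == 0:
                blocks.append((m.group(1), m.group(2), m.group(3), {}))
            depth += 1
        elif line.strip() == '}':
            depth = max(depth - 1, 0)
        elif depth > 0:
            m = ASSIGN.match(line)
            if m:
                blocks[-1][3][m.group(1)] = m.group(2)
    return blocks

def sni_hosts_without_cipher_list(config_text):
    """Hosts whose $HTTP["Host"] block sets ssl.pemfile but not ssl.cipher-list."""
    return [value for kind, key, value, opts in parse_blocks(config_text)
            if kind == 'HTTP' and key == 'Host'
            and 'ssl.pemfile' in opts and 'ssl.cipher-list' not in opts]

# Constructed sample: first host block mirrors the report, second is fixed.
SAMPLE = '''
$HTTP["Host"] == "www.example.org" {
    ssl.pemfile = "/etc/ssl/certs/www.example.org.pem"
}
$HTTP["Host"] == "secure.example.org" {
    ssl.pemfile = "/etc/ssl/certs/secure.example.org.pem"
    ssl.cipher-list = "HIGH:!aNULL:!MD5"
}
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/ssl/certs/default.pem"
    ssl.cipher-list = "HIGH"
}
'''
```

Running `sni_hosts_without_cipher_list(SAMPLE)` reports only `www.example.org`; the fix for affected versions is to repeat ssl.cipher-list inside every such host block (or upgrade to 1.4.34).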
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 21:36:51 UTC
CVE-2013-4508 (
  lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers,
  which makes it easier for remote attackers to hijack sessions by inserting
  packets into the client-server data stream or obtain sensitive information
  by sniffing the network.
Comment 2 Sergey Popov gentoo-dev 2014-06-13 20:36:12 UTC
Added to existing GLSA draft
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-06-13 20:44:13 UTC
This issue was resolved and addressed in
 GLSA 201406-10 at
by GLSA coordinator Sergey Popov (pinkbyte).