Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 490432 (CVE-2013-4508)

Summary: <www-servers/lighttpd-1.4.34 : vulnerable cipher suites with SNI (CVE-2013-4508)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: hwoarang, wired
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/11/04/5
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-11-04 20:54:36 UTC
From ${URL} :

Nathan Bishop <me@nbishop.name> reported
(http://redmine.lighttpd.net/issues/2525) that lighttpd uses vulnerable
cipher suites when SNI is used:

    $HTTP["Host"] == "example.com" {
        ssl.pemfile = "/etc/ssl/certs/example.com.pem"
    }
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/ssl/certs/default.pem"
        ssl.cipher-list = "HIGH"
    }

This config uses the "DEFAULT" cipher list for "example.com", which
includes export ciphers.

More details are available at:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt

Please note that the patch is not final yet, and can't be found in SVN.

We're still discussing:
* whether other options should work in SNI context (we could
  add all ssl.ca-files to all SSL_CTX instances)
* whether to set a default ssl.cipher-list, and which string to pick



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 21:36:51 UTC
CVE-2013-4508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4508):
  lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers,
  which makes it easier for remote attackers to hijack sessions by inserting
  packets into the client-server data stream or obtain sensitive information
  by sniffing the network.
Comment 2 Sergey Popov gentoo-dev 2014-06-13 20:36:12 UTC
Added to existing GLSA draft
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-06-13 20:44:13 UTC
This issue was resolved and addressed in
 GLSA 201406-10 at http://security.gentoo.org/glsa/glsa-201406-10.xml
by GLSA coordinator Sergey Popov (pinkbyte).