Date: Mon, 04 Nov 2013 13:17:48 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: lighttpd using vulnerable cipher suites with SNI

On 11/04/2013 10:16 AM, Stefan Bühler wrote:
> Hi,
> 
> I'd like to request a CVE id for the following bug:
> 
> Nathan Bishop <me@...shop.name> reported 
> (http://redmine.lighttpd.net/issues/2525) that lighttpd uses
> vulnerable cipher suites when SNI is used:
> 
> $HTTP["Host"] == "example.com" {
>   # no ssl.cipher-list here: this SNI context gets the "DEFAULT" list
>   ssl.pemfile = "/etc/ssl/certs/example.com.pem"
> }
> $SERVER["socket"] == ":443" {
>   ssl.engine = "enable"
>   ssl.pemfile = "/etc/ssl/certs/default.pem"
>   ssl.cipher-list = "HIGH"
> }
> 
> This config uses the "DEFAULT" cipher list for "example.com",
> which includes export ciphers.
> 
> More details are available at: 
> http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
>
>  Please note that the patch is not final yet, and can't be found in
> SVN.
> 
> We're still discussing:
> * whether other options should work in SNI context (we could add all
>   ssl.ca-files to all SSL_CTX instances)
> * whether to set a default ssl.cipher-list, and which string to pick
> 
> regards, Stefan
> 

Please use CVE-2013-4508 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
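As an added illustration (not part of the original message, and not lighttpd's own code): the report quoted above comes down to a $HTTP["Host"] block that sets ssl.pemfile, which gives that SNI host its own SSL_CTX, while ssl.cipher-list was only applied to the $SERVER["socket"] context, so the SNI context ran with OpenSSL's DEFAULT list. The script below is a small config audit that flags exactly that shape: a $HTTP["Host"] block with ssl.pemfile and no ssl.cipher-list of its own. It parses only the subset of lighttpd's syntax used in the report (conditional block openers, `}` closers, `name = "value"` lines). Both embedded configurations are constructed samples; the hardened one assumes that an ssl.cipher-list given in the host block is honoured, which is what the patch under discussion is meant to guarantee, so on an unpatched build the check only confirms intent, not behaviour.

```python
import re

# Constructed samples, not taken from the report: the configuration shape
# described in the thread, and a variant that also sets ssl.cipher-list in
# the SNI host block so that block no longer falls back to "DEFAULT".
VULNERABLE_CONF = '''
$HTTP["Host"] == "example.com" {
  ssl.pemfile = "/etc/ssl/certs/example.com.pem"
}
$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = "/etc/ssl/certs/default.pem"
  ssl.cipher-list = "HIGH"
}
'''

HARDENED_CONF = '''
$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = "/etc/ssl/certs/default.pem"
  ssl.cipher-list = "HIGH"
}
# Assumption: lighttpd honours ssl.cipher-list given in the SNI context,
# which is what the patch under discussion is meant to guarantee.
$HTTP["Host"] == "example.com" {
  ssl.pemfile = "/etc/ssl/certs/example.com.pem"
  ssl.cipher-list = "HIGH"
}
'''

# Subset of lighttpd's syntax handled here: `$VAR["field"] op "value" {`
# block openers, `}` closers and `name = "value"` assignments.
COND_RE = re.compile(r'^\$(\w+)\["([^"]+)"\]\s*(==|!=|=~|!~)\s*"([^"]*)"\s*\{$')
ASSIGN_RE = re.compile(r'^([\w.\-]+)\s*=\s*"([^"]*)"$')


def parse_blocks(text):
    """Return a list of (path, settings) for every block in the config.

    path is a tuple of condition strings, outermost first (empty for the
    global context); settings maps an option to the value assigned
    directly in that block. Inherited values are deliberately not
    merged in: the point is to see what each SNI context sets itself.
    """
    stack = [((), {})]
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            blocks.append(stack.pop())
            continue
        m = COND_RE.match(line)
        if m:
            cond = f'${m.group(1)}["{m.group(2)}"] {m.group(3)} "{m.group(4)}"'
            stack.append((stack[-1][0] + (cond,), {}))
            continue
        m = ASSIGN_RE.match(line)
        if m:
            stack[-1][1][m.group(1)] = m.group(2)
            continue
        raise ValueError(f"unsupported line: {line}")
    if len(stack) != 1:
        raise ValueError("unclosed block")
    blocks.append(stack[0])
    return blocks


def find_sni_blocks_without_cipher_list(text):
    """Flag $HTTP["Host"] blocks that set ssl.pemfile (and therefore get
    their own SSL_CTX for SNI) but set no ssl.cipher-list of their own."""
    findings = []
    for path, settings in parse_blocks(text):
        if not path or not path[-1].startswith('$HTTP["Host"]'):
            continue
        if 'ssl.pemfile' in settings and 'ssl.cipher-list' not in settings:
            findings.append(path[-1])
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        bad = find_sni_blocks_without_cipher_list(conf)
        print(f"{name}: {bad if bad else 'every SNI block sets ssl.cipher-list'}")
```

Whatever the config says, the authoritative check is the negotiated result: connect with `openssl s_client -servername example.com -connect host:443` once with an export-only or otherwise weak `-cipher` string and once without, and confirm that the SNI host refuses the weak handshake just as the default context does.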
