Lighttpd是德国软件开发者Jan Kneschke所研发的一款开源的Web服务器,它的主要特点是仅需少量的内存及CPU资源即可达到同类网页服务器的性能。lighttpd 1.4.34之前的版本中存在安全漏洞,该漏洞源于程序配置服务器名字指示(Server Name Indication,SNI)时,使用默认的SSL密码。远程攻击者可利用该漏洞通过向客户服务器数据流中插入数据包劫持会话,或通过嗅探网络获取敏感 信息。
January 20, 2014
Important changes
There have been some important security fixes pending (which you should already have gotton through your favorite distribution); I am sorry for the delayed release (we probably should communicate security bugs on our page and mailing lists too for those who are not following oss-security).
We updated the “standard” ssl cipher string recommendation to ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"; see below for the detailed reasons.
Regression warning
The fix for lighttpd SA-2013-01 (CVE-2013-4508, “Using possibly vulnerable cipher suites with SNI”) includes a regression:
Each SSL_CTX also gets loaded with all values for ssl.ca-file from all blocks in the config.
This means that your ssl.ca-files must not contain cyclic chains and should use unique subject names.
See Debian Bug – #729555 for more details.
Security fixes
下载地址:
http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.34.tar.bz2