lighttpd (1.4.28-2+squeeze1.3) stable-security; urgency=high

  The default Debian configuration file for PHP invoked from FastCGI was
  vulnerable to local symlink attacks and race conditions when an attacker
  manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3)
  before the web server started. Possibly the web server could have been
  tricked into using a forged PHP.

  The problem lies in the configuration, thus this update will fix the
  problem only if you did not modify the file
  /etc/lighttpd/conf-available/15-fastcgi-php.conf
  If you did, dpkg will not overwrite your changes. Please make sure to set

    "socket" => "/var/run/lighttpd/php.socket"

  yourself in that case.

 -- Arno Töll  Thu, 14 Mar 2013 01:57:42 +0100

lighttpd (1.4.28-2+squeeze1.1) stable-security; urgency=high

  To fix a security vulnerability in the design of the SSL/TLS protocol
  (CVE-2009-3555), the protocol had to be extended (RFC 5746). By default,
  session renegotiation is no longer supported with old clients that do not
  implement this extension. This breaks certain configurations with client
  certificate authentication.

  If you still need to support old clients, you may restore the old
  (insecure) behaviour by adding the configuration option

    ssl.disable-client-renegotiation = "disable"

  to /etc/lighttpd/lighttpd.conf.

 -- Thijs Kinkhorst  Thu, 14 Feb 2013 19:42:19 +0100

lighttpd (1.4.28-2+squeeze1) stable-security; urgency=high

  This release includes an option to force Lighttpd to honor the cipher
  order in ssl.cipher-list. This mitigates the effects of a SSL CBC attack
  commonly referred to as "BEAST attack". See [1] and CVE-2011-3389 for more
  details.

  To minimize the risk of this attack it is recommended either to disable
  all CBC ciphers (beware: this will break older clients), or to persuade
  clients to use safe ciphers where possible at least.

  To do so, set

    ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"

  in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL
  enabled host you configured. If you did not change this file previously,
  this upgrade will update it automatically.

  [1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html

 -- Arno Töll  Sun, 18 Dec 2011 21:20:12 +0100

lighttpd (1.4.23-1) unstable; urgency=low

  spawn-fcgi is now a separate package. Please install the "spawn-fcgi"
  package if you need it.

 -- Krzysztof Krzyżaniak (eloy)  Thu, 09 Jul 2009 15:53:14 +0200

lighttpd (1.4.19-1) unstable; urgency=low

  Lighttpd must load mod_auth first, else some other modules may not work
  properly (See #419176). For this reason, mod_status configuration has been
  moved out from lighttpd.conf and put in conf-available/10-status.conf.

  Also the files 10-auth.conf are automatically renamed by the lighttpd
  package (provided that a sane environment is met) into 05-auth.conf, and
  symlinks (if they exist) are also updated properly. This is done to ensure
  that auth.conf is loaded first.

  If during your lighttpd upgrade you read:

    Not touching .../10-auth.conf because .../05-auth.conf exists !!!
    Please read /usr/share/doc/lighttpd/NEWS.Debian

  then you probably have both 10-auth.conf and 05-auth.conf, which is a bad
  situation that you should fix.

 -- Pierre Habouzit  Sun, 16 Mar 2008 10:56:22 +0100
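The three stable-security entries above (1.4.28-2+squeeze1.3, 1.4.28-2+squeeze1.1 and 1.4.28-2+squeeze1) each leave a setting that only a locally modified configuration can get wrong: the FastCGI socket path, the client-renegotiation override and ssl.honor-cipher-order. The POSIX shell audit below is an added example, not part of the lighttpd package or of this NEWS file: it extracts those values from the config snippets and reports the weak ones. The function names, the sample snippets written by write_weak_configs and write_fixed_configs, and the choice of ssl.cipher-list as the cipher-list directive are assumptions made for illustration.

```shell
#!/bin/sh
# Audit the lighttpd settings this NEWS file asks administrators to check.
# Added example, not part of the lighttpd package; function names and the
# sample snippets below are assumptions for illustration only.

# Print the value of a lighttpd option written as   key = "value"   or as
# "key" => "value"  (the hash syntax used in fastcgi.server). Comment lines
# do not match and the last assignment wins, as in lighttpd itself.
lighttpd_value() {
    key=$1; file=$2
    sed -n 's/^[[:space:]]*"\{0,1\}'"$key"'"\{0,1\}[[:space:]]*=>\{0,1\}[[:space:]]*"\([^"]*\)".*/\1/p' "$file" | tail -n 1
}

# audit_lighttpd FASTCGI_SNIPPET SSL_SNIPPET MAIN_CONF
# Prints one line per finding; returns 0 only when nothing was found.
audit_lighttpd() {
    fastcgi=$1; ssl=$2; main=$3
    n=0
    sock=$(lighttpd_value socket "$fastcgi")
    case "$sock" in
        /var/run/lighttpd/*|/run/lighttpd/*) ;;   # directory owned by the server, not world-writable
        *) echo "FAIL $fastcgi: socket is '$sock', expected /var/run/lighttpd/php.socket (symlink race, 1.4.28-2+squeeze1.3)"
           n=$((n + 1)) ;;
    esac
    if [ "$(lighttpd_value ssl.honor-cipher-order "$ssl")" != enable ]; then
        echo "FAIL $ssl: ssl.honor-cipher-order is not \"enable\" (BEAST mitigation, 1.4.28-2+squeeze1)"
        n=$((n + 1))
    fi
    if [ "$(lighttpd_value ssl.disable-client-renegotiation "$main")" = disable ]; then
        echo "WARN $main: insecure renegotiation re-enabled for old clients (CVE-2009-3555, 1.4.28-2+squeeze1.1)"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample snippets (not copied from any real system) in a directory
# given as $1: the weak set mirrors a pre-upgrade, locally modified config.
write_weak_configs() {
    cat > "$1/15-fastcgi-php.conf" <<'EOF'
fastcgi.server += ( ".php" =>
    ((
        "bin-path" => "/usr/bin/php-cgi",
        "socket" => "/tmp/php.socket",
        "max-procs" => 1,
    ))
)
EOF
    cat > "$1/10-ssl.conf" <<'EOF'
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
}
EOF
    cat > "$1/lighttpd.conf" <<'EOF'
server.document-root = "/var/www"
ssl.disable-client-renegotiation = "disable"
EOF
}

# The fixed set applies the settings recommended in the entries above.
write_fixed_configs() {
    cat > "$1/15-fastcgi-php.conf" <<'EOF'
fastcgi.server += ( ".php" =>
    ((
        "bin-path" => "/usr/bin/php-cgi",
        "socket" => "/var/run/lighttpd/php.socket",
        "max-procs" => 1,
    ))
)
EOF
    cat > "$1/10-ssl.conf" <<'EOF'
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"
}
EOF
    cat > "$1/lighttpd.conf" <<'EOF'
server.document-root = "/var/www"
EOF
}

# Stand-alone demo: audit the weak snippets (three findings) and the fixed ones (none).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/weak" "$demo_dir/fixed"
write_weak_configs "$demo_dir/weak"
write_fixed_configs "$demo_dir/fixed"
for v in weak fixed; do
    echo "== $v =="
    audit_lighttpd "$demo_dir/$v/15-fastcgi-php.conf" "$demo_dir/$v/10-ssl.conf" "$demo_dir/$v/lighttpd.conf" || true
done
rm -rf "$demo_dir"
```

On a real host, point audit_lighttpd at /etc/lighttpd/conf-enabled/15-fastcgi-php.conf, /etc/lighttpd/conf-enabled/10-ssl.conf and /etc/lighttpd/lighttpd.conf; the socket check only accepts paths under /var/run/lighttpd or /run/lighttpd because that directory is created for the server and is not world-writable, which is what removes the /tmp symlink race.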