lighttpd (1.4.31-4) unstable; urgency=high

  The default Debian configuration file for PHP invoked from FastCGI was
  vulnerable to local symlink attacks and race conditions when an attacker
  manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3)
  before the web server started. Possibly the web server could have been
  tricked to use a forged PHP.

  The problem lies in the configuration, thus this update will fix the problem
  only if you did not modify the file /etc/lighttpd/conf-available/15-fastcgi-php.conf
   If you did, dpkg will not overwrite your changes. Please make sure to set

        "socket" => "/var/run/lighttpd/php.socket"

  yourself in that case.

 -- Arno Töll <arno@debian.org>  Thu, 14 Mar 2013 01:57:42 +0100

lighttpd (1.4.30-1) unstable; urgency=medium

  This releases includes an option to force Lighttpd to honor the cipher order
  in ssl.cipher-list. This mitigates the effects of a SSL CBC attack commonly
  referred to as "BEAST attack". See [1] and CVE-2011-3389 for more details.

  To minimze the risk of this attack it is recommended either to disable all CBC
  ciphers (beware: this will break reasonably old clients or those who support
  CBC ciphers only), or pursue clients to use safe ciphers where possible at
  least. To do so, set

  ssl.cipher-list =  "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
  ssl.honor-cipher-order = "enable"

  in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL enabled
  host you configured. If you did not change this file previously, this upgrade
  will update it automatically.

  [1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html

 -- Arno Töll <debian@toell.net>  Sun, 18 Dec 2011 20:26:50 +0100

lighttpd (1.4.23-1) unstable; urgency=low

  spawn-fcgi is now separate package. Please install "spawn-fcgi" package if 
  you need it.

 -- Krzysztof Krzyżaniak (eloy) <eloy@debian.org>  Thu, 09 Jul 2009 15:53:14 +0200