ALT-PU-2014-1074-1
Closed vulnerabilities
Published: 2013-11-08
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2013-4508
lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
- http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
- http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
- JVN#37417423
- JVN#37417423
- openSUSE-SU-2014:0072
- openSUSE-SU-2014:0072
- HPSBGN03191
- HPSBGN03191
- [oss-security] 20131104 Re: CVE Request: lighttpd using vulnerable cipher suites with SNI
- [oss-security] 20131104 Re: CVE Request: lighttpd using vulnerable cipher suites with SNI
- http://redmine.lighttpd.net/issues/2525
- http://redmine.lighttpd.net/issues/2525
- http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913/diff/
- http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913/diff/
- DSA-2795
- DSA-2795