lighttpd (1.4.30-1) unstable; urgency=medium

  This releases includes an option to force Lighttpd to honor the cipher order
  in ssl.cipher-list. This mitigates the effects of a SSL CBC attack commonly
  referred to as "BEAST attack". See [1] and CVE-2011-3389 for more details.

  To minimze the risk of this attack it is recommended either to disable all CBC
  ciphers (beware: this will break older clients), or pursue clients to use safe
  ciphers where possible at least. To do so, set

  ssl.cipher-list =  "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
  ssl.honor-cipher-order = "enable"

  in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL enabled
  host you configured. If you did not change this file previously, this upgrade
  will update it automatically.

  [1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html

 -- Arno Töll <debian@toell.net>  Sun, 18 Dec 2011 20:26:50 +0100

lighttpd (1.4.23-1) unstable; urgency=low

  spawn-fcgi is now separate package. Please install "spawn-fcgi" package if 
  you need it.

 -- Krzysztof Krzyżaniak (eloy) <eloy@debian.org>  Thu, 09 Jul 2009 15:53:14 +0200
