openSUSE-SU-2022:0024-1

See a problem?

Import Source

https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2022:0024-1.json

JSON Data

https://api.osv.dev/v1/vulns/openSUSE-SU-2022:0024-1

Upstream

CVE-2022-22707

Related

CVE-2022-22707

Published

2022-02-02T12:46:24Z

Modified

2025-05-07T18:13:45.704405Z

Summary

Security update for lighttpd

Details

This update for lighttpd fixes the following issues:

lighttpd was updated to 1.4.64:

CVE-2022-22707: off-by-one stack overflow in the mod_extforward plugin (boo#1194376)
graceful restart/shutdown timeout changed from 0 (disabled) to 8 seconds. configure an alternative with: server.feature-flags += (“server.graceful-shutdown-timeout” => 8)
deprecated modules (previously announced) have been removed: modauthnmysql, modmysqlvhost, modcml, modflvstreaming, modgeoip, modtriggerb4_dl

update to 1.4.63:

import xxHash v0.8.1
fix reqpool mem corruption in 1.4.62

includes changes in 1.4.62:

[mod_alias] fix use-after-free bug
many developer visible bug fixes

update to 1.4.61:

mod_dirlisting: sort '../' to top
fix HTTP/2 upload > 64k w/ max-request-size
code level and developer visible bug fixes

update to 1.4.60:

HTTP/2 smoother and lower memory use (in general)
HTTP/2 tuning to better handle aggressive client initial requests
reduce memory footprint; workaround poor glibc behavior; jemalloc is better
mod_magnet lua performance improvements
mod_dirlisting performance improvements and new caching option
memory constraints for extreme edge cases in moddirlisting, modssi, mod_webdav
connect(), write(), read() time limits on backends (separate from client timeouts)
lighttpd restarts if large discontinuity in time occurs (embedded systems)
RFC7233 Range support for all non-streaming responses, not only static files
connect() to backend now has default 8 second timeout (configurable)
Added hardening to systemd service(s) (boo#1181400).

update to 1.4.59:

HTTP/2 enabled by default
mod_deflate zstd suppport
new mod_ajp13

Update to 1.4.58:

[mod_wolfssl] use wolfSSL TLS version defines
[mod_wolfssl] compile with earlier wolfSSL vers
[core] prefer IPv6+IPv4 func vs IPv4-specific func
[core] reuse large mem chunks (fix mem usage) (fixes #3033)
[core] add comment for FastCGI mem use in hctx->rb (#3033)
[mod_proxy] fix sending of initial reqbody chunked
[multiple] fdevent_waitpid() wrapper
[core] sys-time.h - localtimer,gmtimer macros
[core] http_date.[ch] encapsulate HTTP-date parse
[core] specialized strptime() for HTTP date fmts
[multiple] employ http_date.h, sys-time.h
[core] httpdatetimegm() (portable timegm())
bufferappendpath_len() to join paths
[core] inetntopcache -> sockaddrcache
[multiple] etag.[ch] -> http_etag.[ch]; better imp
[core] fix crash after specific err in config file
[core] fix bug in FastCGI uploads (#3033)
[core] httpresponsematchifrange()
[modwebdav] typedef offt loff_t for FreeBSD
[multiple] chunkqueuewritechunk()
[build] add GNUMAKEFLAGS=--no-print-directory
[core] fix bug in read retry found by coverity
[core] attempt to quiet some coverity warnings
[mod_webdav] compile fix for Mac OSX/11
[core] handle U+00A0 in config parser
[core] fix lighttpd -1 one-shot with pipes
[core] quiet start/shutdown trace in one-shot mode
[core] allow keep-alives in one-shot mode (#3042)
[modwebdav] define _ATFILESOURCE if AT_FDCWD
[core] setsockopt IPV6_V6ONLY if server.v4mapped
[core] prefer inetaton() over inetaddr()
[core] add missing mod_wolfssl to ssl compat list
[mod_openssl] remove ancient preprocessor logic
[core] SHA512Init, SHA512Update, SHA512_Final
[mod_wolfssl] add complex preproc logic for SNI
[core] wrap a macro value with parens
[core] fix handling chunked response from backend (fixes #3044)
[core] always set file.fd = -1 on FILE_CHUNK reset (fixes #3044)
[core] skip some trace if backend Upgrade (#3044)
[TLS] cert-staple.sh POSIX sh compat (fixes #3043)
[core] portability fix if st_mtime not defined
[mod_nss] portability fix
[core] warn if modauthnfile needed in conf
[core] fix chunked decoding from backend (fixes #3044)
[core] reject excess data after chunked encoding (#3046)
[core] track chunked encoding state from backend (fixes #3046)
[core] lirestrictedstrtoint64()
[core] track Content-Length from backend (fixes #3046)
[core] enhance config parsing debugging (#3047)
[core] reorder srv->config_context to match ndx (fixes #3047)
[mod_proxy] proxy.header = ('force-http10' => ...)
[modauthnldap] fix crash (fixes #3048)
[modauthnldap, modvhostdbldap] default cafile
[core] fix arraycopyarray() sorted[]
[multiple] replace fall through comment with attr
[core] fix crash printing trace if backend is down
[core] fix decoding chunked from backend (fixes #3049)
[core] attempt to quiet some coverity warnings
[core] perf: request processing
[core] httpheaderstrcontainstoken()
[modflvstreaming] parse query string w/o copying
[mod_evhost] use local array to split values
[core] remove srv->split_vals
[core] add User-Agent to httpheadere enum
[core] store struct server * in struct connection
[core] use func rc to indicate done reading header
[core] replace connectionsetstate w/ assignment
[core] do not pass srv to http header parsing func
[core] cold bufferstringprepareappendresize()
[core] chunkqueuecompactmem()
[core] connectionchunkqueuecompact()
[core] pass con around request, not srv and con
[core] reduce use of struct parseheaderstate
[core] perf: HTTP header parsing using \n offsets
[core] no need to pass srv to connectionsetstate
[core] perf: connectionreadheader_more()
[core] perf: connectionreadheader_hoff() hot
[core] inline connectionreadheader()
[core] pass ptr to httprequestparse()
[core] more 'const' in request.c prototypes
[core] handle common case of alnum or - field-name
[modextforward] simplify code: use lightisxdigit
[core] perf: array.c performance enhancements
[core] mark some data_* funcs cold
[core] http_header.c internal inline funcs
[core] remove unused array_reset()
[core] prefer uint32t to sizet in base.h
[core] uint32_t for struct buffer sizes
[core] remove unused members of struct server
[core] short-circuit path to clear request.headers
[core] array keys are non-empty in key-value list
[core] keep a->data[] sorted; remove a->sorted[]
[core] attributereturnsnonnull
[core] differentiate arrayget* for ro and rw
[core] (const buffer *) in (struct burlpartst)
[core] (const buffer *) for con->server_name
[core] perf: initialize con->conf using memcpy()
[core] run configsetupconnection() fewer times
[core] isolate data_config.c, vector.c
[core] treat con->conditionalisvalid as bitfield
[core] httpheaderhkey_get() over const array
[core] inline buffer as part of DATA_UNSET key
[core] inline buffer key for *patchconnection()
[core] (dataunset *) from arraygetelementklen
[core] inline buffer as part of data_string value
[core] add const to callers of httpheader*_get()
[core] inline array as part of data_array value
[core] const char *op in data_config
[core] buffer string in data_config
[core] streamline configcheckcond()
[core] keep a->data[] sorted (REVERT)
[core] array a->sorted[] as ptrs rather than pos
[core] inline header and env arrays into con
[mod_accesslog] avoid alloc for parsing cookie val
[core] simpler configcheckcond()
[modredirect,modrewrite] store context_ndx
[core] const char *name in struct plugin
[core] srv->plugin_slots as compact list
[core] rearrange server_config, server members
[core] macros CONSTLENSTR and CONSTSTRLEN
[core] struct plugindatabase
[core] improve condition caching perf
[core] configpluginvalues_init() new interface
[modaccess] use configpluginvaluesinit()
[core] (const buffer *) from strftimecacheget()
[core] mv configsetupconnection to connections.c
[core] use (const char *) in config file parsing
[modstaticfile] use configpluginvaluesinit()
[modskeleton] use configpluginvaluesinit()
[modsetenv] use configpluginvaluesinit()
[modalias] use configpluginvaluesinit()
[modindexfile] use configpluginvaluesinit()
[modexpire] use configpluginvaluesinit()
[modflvstreaming] use configpluginvalues_init()
[modmagnet] use configpluginvaluesinit()
[modusertrack] use configpluginvaluesinit()
[mod_userdir] split policy from userdir path build
[moduserdir] use configpluginvaluesinit()
[modssi] use configpluginvaluesinit()
[moduploadprogress] use configpluginvaluesinit()
[modstatus] use configpluginvaluesinit()
[modcml] use configpluginvaluesinit()
[modsecdownload] use configpluginvaluesinit()
[modgeoip] use configpluginvaluesinit()
[modevasive] use configpluginvaluesinit()
[modtriggerb4dl] use configpluginvaluesinit()
[modaccesslog] use configpluginvaluesinit()
[modsimplevhost] use configpluginvalues_init()
[modevhost] use configpluginvaluesinit()
[modvhostdb*] use configpluginvaluesinit()
[modmysqlvhost] use configpluginvalues_init()
[modmaxminddb] use configpluginvaluesinit()
[modauth*] use configpluginvaluesinit()
[moddeflate] use configpluginvaluesinit()
[modcompress] use configpluginvaluesinit()
[core] add xsendfile* check if xdocroot is NULL
[modcgi] use configpluginvaluesinit()
[moddirlisting] use configpluginvaluesinit()
[modextforward] use configpluginvaluesinit()
[modwebdav] use configpluginvaluesinit()
[core] store addtl data in pcrekeyvaluebuffer
[modredirect] use configpluginvaluesinit()
[modrewrite] use configpluginvaluesinit()
[modrrdtool] use configpluginvaluesinit()
[multiple] gwbackends configpluginvaluesinit()
[core] configgetconfigcondinfo()
[modopenssl] use configpluginvaluesinit()
[core] use configpluginvalues_init()
[core] collect more config logic into configfile.c
[core] configpluginvaluesinitblock()
[core] gwbackend configpluginvaluesinit_block
[core] remove old configinsertvalues_*() funcs
[multiple] plugin.c handles common FREE_FUNC code
[core] run all trigger and sighup handlers
[modwstunnel] change DEBUGLOG to use log_error()
[core] statcachepathcontainssymlink use errh
[core] isolate use of data_config, configfile.h
[core] split cond cache from cond matches
[modauth] inline arrays in httpauthrequiret
[core] array_init() arg for initial size
[core] gwextsclearchecklocal()
[core] gw_backend less pointer chasing
[core] connectionhandleerrdoc() separate func
[multiple] prefer (connection *) to (srv *)
[core] create http chunk header on the stack
[multiple] connection hooks no longer get (srv *)
[multiple] plugin_stats array
[core] read up-to fixed size chunk before fionread
[core] default chunk size 8k (was 4k)
[core] pass con around gw_backend instead of srv
[core] logerrormultiline_buffer()
[multiple] reduce direct use of srv->cur_ts
[multiple] extern logepochsecs
[multiple] reduce direct use of srv->errh
[multiple] stat_cache singleton
[mod_expire] parse config into structured data
[multiple] generic config array type checking
[multiple] rename r to rc rv rd wr to be different
[core] (minor) configpluginkeys_t data packing
[core] inline buffer in logerrorst errh
[multiple] store srv->tmp_buf in tb var
[multiple] quiet clang compiler warnings
[core] httpstatusseterrorclose()
[core] httprequesthostpolicy w/ httpparseopts
[multiple] con->protodefaultport
[core] store log filename in (logerrorst *)
[core] separate logerroropen* funcs
[core] fdevent uses uint32t instead of sizet
[mod_webdav] large buffer reuse
[mod_accesslog] flush file log buffer at 8k size
[core] include settings.h where used
[core] static buffers for mtime_cache
[core] convenience macros to check req methods
[core] support multiple error logs
[multiple] omit passing srv to fdevent_handler
[core] remove unused arg to fdeventfcntlset_nb*
[core] slightly simpify server(over)loadcheck()
[core] isolate fdevent subsystem
[core] isolate stat_cache subsystem
[core] remove include base.h where unused
[core] restart dead piped loggers every 64 sec
[modwebdav] use copyfile_range() if available
[core] perf: buffer copy and append
[core] copy some srv->srvconf into con->conf
[core] move keepalive flag into requestst
[core] pass scheme port to httprequestparse()
[core] pass http_parseopts around request.c
[core] rename specificconfig to requestconfig
[core] move requestst,requestconfig to request.h
[core] pass (request_st *) to request.c funcs
[core] remove unused request_st member 'request'
[core] rename contentlength to reqbodylength
[core] t/testrequest.c using (requestst *)
[core] (const connection ) in http_header__get()
[modaccesslog] logaccess_record() fmt log record
[core] move request start ts into (request_st *)
[core] move addtl request-specific struct members
[core] move addtl request-specific struct members
[core] move pluginctx into (requestst *)
[core] move addtl request-specific struct members
[core] move request state into (request_st *)
[core] store (plugin *) in p->data
[core] store subrequest_handler instead of mode
[multiple] copy small struct instead of memcpy()
[multiple] split con, request (very large change)
[core] r->uri.path always set, though might be ''
[core] C99 restrict on some base funcs
[core] dispatch handler in handle_request func
[core] httprequestparse_target()
[mod_magnet] modify r->target with 'uri.path-raw'
[core] remove r->uri.path_raw; generate as needed
[core] httpresponsecomeback()
[core] httpresponseconfig()
[tests] use buffereqslen() for str comparison
[core] httpstatusappend() short-circuit 200 OK
[core] mark some chunk.c funcs as pure
[core] use uint32t in httpheader.[ch]
[core] perf: tighten some code in some hot paths
[core] parse header label before end of line
[modauth] 'noncesecret' option to validate nonce (fixes #2976)
[build] fix build on MacOS X Tiger
[doc] lighttpd.conf: lighttpd choose event-handler
[config] blank server.tag if whitespace-only
[mod_proxy] stream request using HTTP/1.1 chunked (fixes #3006)
[multiple] correct misspellings in comments
[multiple] fix some cc warnings in 32-bit, powerpc
[tests] fix skip count in mod-fastcgi w/o php-cgi
[multiple] ./configure --with-nettle to use Nettle
[core] skip excess close() when FD_CLOEXEC defined
[modcgi] remove redundant calls to set FDCLOEXEC
[core] return EINVAL if statcacheget_entry w/o /
[modwebdav] define PATHMAX if not defined
[mod_accesslog] process backslash-escapes in fmt
[mod_openssl] disable cert vrfy if ALPN acme-tls/1
[core] add seed before openssl RANDpseudobytes()
[mod_mbedtls] mbedTLS option for TLS
[core] prefer getxattr() instead of get_attr()
[multiple] use *(unsigned char *) with ctypes
[mod_openssl] do not log ECONNRESET unless debug
[modopenssl] SSLRUNEXPECTEDEOFWHILEREADING
[mod_gnutls] GnuTLS option for TLS (fixes #109)
[mod_openssl] rotate session ticket encryption key
[mod_openssl] set cert from callback in 1.0.2+ (fixes #2842)
[mod_openssl] set chains from callback in 1.0.2+ (#2842)
[core] RFC-strict parse of Content-Length
[build] point ./configure --help to support forum
[core] stricter parse of numerical digits
[multiple] add summaries to top of some modules
[core] sys-crypto-md.h w/ inline message digest fn
[mod_openssl] enable read-ahead, if set, after SNI
[mod_openssl] issue warning for deprecated options
[modopenssl] use SSLOPNORENEGOTIATION if avail
[mod_openssl] use openssl feature define for ALPN
[mod_openssl] update default DH params
[core] SecureZeroMemory() on _WIN32
[core] safe memset calls memset() through volatile
[doc] update comments in doc/config/modules.conf
[core] more precise check for request stream flags
[mod_openssl] rotate session ticket encryption key
[mod_openssl] ssl.stek-file to specify encrypt key
[mod_mbedtls] ssl.stek-file to specify encrypt key
[mod_gnutls] ssl.stek-file to specify encrypt key
[mod_openssl] disable session cache; prefer ticket
[mod_openssl] compat with LibreSSL
[mod_openssl] compat with WolfSSL
[modopenssl] set SSLOPPRIORITIZECHACHA
[modopenssl] move SSLCTX curve conf to new func
[modopenssl] basic SSLCONF_cmd for alt TLS libs
[mod_openssl] OCSP stapling (fixes #2469)
[TLS] cert-staple.sh - refresh OCSP responses (#2469)
[mod_openssl] compat with BoringSSL
[mod_gnutls] option to override GnuTLS priority
[mod_gnutls] OCSP stapling (#2469)
[mod_extforward] config warning for module order
[mod_webdav] store webdav.opts as bitflags
[modwebdav] limit webdavpropfind_dir() recursion
[mod_webdav] unsafe-propfind-follow-symlink option
[mod_webdav] webdav.opts 'propfind-depth-infinity'
[mod_openssl] detect certs marked OCSP Must-Staple
[mod_gnutls] detect certs marked OCSP Must-Staple
[mod_openssl] default to set MinProtocol TLSv1.2
[mod_nss] NSS option for TLS (fixes #1218)
[core] fdeventloadfile() shared code
[modopenssl,mbedtls,gnutls,nss] fdeventload_file
[core] error if s->socket_perms chmod() fails
[mod_openssl] prefer some WolfSSL native APIs
quiet clang analyzer scan-build warnings
[core] uint32_t is plenty large for path names
[modmysqlvhost] deprecated; use modvhostdbmysql
[core] splaytree_djbhash() in splaytree.h (reuse)
[cmake] update deps for src/t/test_*
[cmake] update deps for src/t/test_*
[build] remove tests/mod-userdir.t from builds
[build] fix typo in src/Makefile.am EXTRA_DIST
[core] remove unused mbedtls_enabled flag
[core] store fd in srv->stdin_fd during setup
[multiple] address coverity warnings
[mod_webdav] fix theoretical NULL dereference
[mod_webdav] update rc for PROPFIND allprop
[modwebdav] build fix: ifdef liveproperties
[multiple] address coverity warnings
[meson] fix libmariadb dependency
[meson] add missing libmaxminddb section
[modauth,modvhostdb] add caching option (fixes #2805)
[modauthnldap,modvhostdbldap] add timeout opt (#2805)
[modauth] accept 'nonce-secret' & 'noncesecret'
[mod_openssl] fix build warnings on MacOS X
[core] Nettle assert()s if buffer len > digest sz
[modauthndbi] authn backend employing DBI
[modauthnmysql,file] use crypt() to save stack
[modvhostdbdbi] allow strings and ints in config
add ci-build.sh
move ci-build.sh to scripts
[build] build fixes for AIX
[mod_deflate] Brotli support
[build] bzip2 default to not-enabled in build
[mod_deflate] fix typo in config option
[mod_deflate] propagate errs from internal funcs
[mod_deflate] deflate.cache-dir compressed cache
[moddeflate] moddeflate subsumes mod_compress
[doc] modcompress -> moddeflate
[tests] modcompress -> moddeflate
[modcompress] remove modcompress
[build] add --with-brotli to CI build
[core] server.feature-flags extensible config
[core] con layer plugin_ctx separate from request
[multiple] con hooks store ctx in con->plugin_ctx
[core] separate funcs to reset (request_st *)
[multiple] rename connection_reset hook to request
[mod_nss] func renames for consistency
[core] detect and reject TLS connect to cleartext
[mod_deflate] quicker check for Content-Encoding
[modopenssl] read secret data w/ BIOnewmembuf
[core] decode Transfer-Encoding: chunked from gw
[mod_fastcgi] decode Transfer-Encoding: chunked
[core] stricter parsing of POST chunked block hdr
[mod_proxy] send HTTP/1.1 requests to backends
[tests] test_base64.c clear buf vs reset
[core] httpheaderremove_token()
[mod_webdav] fix inadvertent string truncation
[core] add some missing standard includes
[mod_extforward] attempt to quiet Coverity warning
[modauthndbi,modauthnmysql] fix coverity issue
scons: fix check environment
Add avahi service file under doc/avahi/
[mod_webdav] fix fallback if linkat() fails
[mod_proxy] do not forward Expect: 100-continue
[core] chunkqueuecompactmem() must upd cq->last
[core] dlsym for FAMNoExists() for compat w/ fam
[core] disperse settings.h to appropriate headers
[core] inline buffer_reset()
[mod_extforward] save proto per connection
[modextforward] skip after HANDLERCOMEBACK
[core] server.feature-flags to enable h2
[core] HTTPVERSION2
[multiple] allow TLS ALPN 'h2' if 'server.h2proto'
[mod_extforward] preserve changed addr for h2 con
[core] do not send Connection: close if h2
[core] lowercase response hdr field names for h2
[core] recognize status: 421 Misdirected Request
[core] parse h2 pseudo-headers
[core] requestheadersprocess()
[core] connectionstatemachine_loop()
[core] reset connection counters per connection
[modaccesslog,modrrdtool] HTTP/2 basic accounting
[core] connectionsetfdevent_interest()
[core] HTTP2-Settings
[core] adjust httprequestheaders_process()
[core] httpheaderparse_hoff()
[core] move httprequestheaders_process()
[core] reqpool.[ch] for (request_st *)
[multiple] modules read reqbody via fn ptr
[multiple] isolate more con code in connections.c
[core] isolate more resp code in response.c
[core] h2.[ch] with stub funcs (incomplete)
[core] alternate between two joblists
[core] connection transition to HTTP/2; incomplete
[core] mark some error paths with attribute cold
[core] discard 100 102 103 responses from backend
[core] skip write throttle for 100 Continue
[core] adjust (disabled) debug code
[core] update comment
[core] link in ls-hpack (EXPERIMENTAL)
[core] HTTP/2 HPACK using LiteSpeed ls-hpack
[core] h2sendheaders() specialized for resp hdrs
[core] httprequestparse_header() specialized
[core] comment possible future ls-hpack optimize
[mod_status] separate funcs to print request table
[mod_status] adjust to print HTTP/2 requests
[core] redirect to dir using relative-path
[core] ignore empty field-name from backends
[mod_auth] fix crash if auth.require misconfigured (fixes #3023)
[core] fix 1-char trunc of default server.tag
[core] requestacquire(), requestrelease()
[core] keep pool of (request_st *) for HTTP/2
[mod_status] dedicated funcs for r->state labels
[core] move connectionsgetstate to connections.c
[core] fix crash on master after graceful restart
[core] defer optimization to read small files
[core] do not require '\0' term for k,v hdr parse
[scripts] cert-staple.sh enhancements
[core] document algorithm used in lighttpd etag
[core] ls-hpack optimizations
[core] fix crash on master if blank line request
[core] use djbhash in gw_backend to choose host
[core] rename md5.[ch] to algo_md5.[ch]
[core] move djbhash(), dekhash() to algo_md.h
[core] rename splaytree.[ch] to algo_splaytree.[ch]
[core] import xxHash v0.8.0
[build] modify build, includes for xxHash v0.8.0
[build] remove ls-hpack/deps
[core] xxhash no inline hints; let compiler choose
[mod_dirlisting] fix config parsing crash
[mod_openssl] clarify trace w/ deprecated options
[doc] refresh doc/config//
[core] code size: disable XXH64(), XXH3()
[doc] update README and INSTALL
[core] combine Cookie request headers with ';'
[core] log stream id with debug.log-state-handling
[core] set r->state in h2.c
[mod_ssi] update chunk after shell output redirect
[modwebdav] preserve bytesout when chunks merged
[multiple] inline chunkqueue_length()
[core] cold h2logresponse_header*() funcs
[core] update HTTP status codes list from IANA
[mod_wolfssl] standalone module
[core] Content-Length in httpresponsesend_file()
[core] adjust response header prep for common case
[core] lightisupper(), lightislower()
[core] tst,set,clr macros for r->{rqst,resp}_htags
[core] separate httpheadere from _htags bitmask
[core] httpheaderhkeygetlc() for HTTP/2
[core] array.[ch] using uint32t instead of sizet
[core] extend (data_string *) to store header id
[multiple] extend enum httpheadere list
[core] httpheadere <=> lshpackstatichdr_idx
[core] skip ls-hpack decode work unused by lighttpd
[TLS] error if inherit empty TLS cfg from globals
[core] connectioncheckexpect_100()
[core] support multiple 1xx responses from backend
[core] reload c after chunkqueuecompactmem()
[core] relay 1xx from backend over HTTP/2
[core] relay 1xx from backend over HTTP/1.1
[core] chunkqueue{peek,read}data(), squash
[multiple] TLS modules use chunkqueuepeekdata()
[mod_magnet] magnet.attract-response-start-to
[multiple] code reuse chunkqueuepeekdata()
[core] reuse r->starthp.tvsec for r->start_ts
[core] configpluginvalue_tobool() accept '0','1'
[core] graceful and immediate restart option
[mod_ssi] init status var before waitpid()
[core] graceful shutdown timeout option
[core] lighttpd -1 supports pipes (e.g. netcat)
[core] perf adjustments to avoid load miss
[multiple] use sockaddrget_family in more places
[multiple] inline chunkqueue where always alloc'd
[core] propagate state after writing
[core] serverruncon_queue()
[core] defer handling FDEVENTHUP and FDEVENTERR
[core] handle unexpected EOF reading FILE_CHUNK
[core] short-circuit connectionwritethrottle()
[core] walk queue in connectionwritechunkqueue()
[core] connection_joblist global
[core] be more precise checking streaming flags
[core] fdeventloadfile_bytes()
[TLS] use fdeventloadfile_bytes() for STEK file
[core] allow symlinks under /dev for rand devices
[multiple] use light_btst() for hdr existence chk
[mod_deflate] fix potential NULL deref in err case
[core] save errno around close() if fstat() fails
[modssi] use statcacheopenrdonly_fstat()
[core] fdeventdupcloexec()
[core] dup FILECHUNK fd when splitting FILECHUNK
[core] statcachepath_isdir()
[multiple] use statcachepath_isdir()
[modmbedtls] quiet CLOSENOTIFY after conn reset
[modgnutls] quiet CLOSENOTIFY after conn reset
[core] limit num ranges in Range requests
[core] remove unused r->content_length
[core] httpresponseparse_range() const file sz
[core] pass open fd to httpresponseparse_range
[core] statcachegetentryopen()
[core,mod_deflate] leverage cache of open fd
[doc] comment out config disabling Range for .pdf
[core] coalesce nearby ranges in Range requests
[mod_fastcgi] decode chunked is cold code path
[core] fix chunkqueuecompactmem w/ partial chunk
[core] alloc optim reading file, sending chunked
[core] reuse chunkqueuecompactmem*()
[mod_cgi] use splice() to send input to CGI
[multiple] ignore openssl 3.0.0 deprecation warns
[mod_openssl] migrate ticket cb to openssl 3.0.0
[modopenssl] construct OSSLPARAM on stack
[modopenssl] merge ssltlsextticketkey_cb impls
[multiple] openssl 3.0.0 digest interface migrate
[tests] detect multiple SSL/TLS/crypto providers
[core] sys-crypto-md.h consistent interfaces
[wolfssl] wolfSSLCTXset_mode differs from others
[multiple] use NSS crypto if no other crypto avail
[multiple] statcachepath_stat() for struct st
[TLS] ignore empty 'CipherString' in ssl-conf-cmd
[multiple] remove chunk file.start member
[core] modify use of getrlimit() to not be fatal
[mod_webdav] add missing update to cq accounting
[modwebdav] update defaults after workerinit
[mod_openssl] use newer openssl 3.0.0 func
[core] configpluginvaluetoint32()
[core] minimize pause during graceful restart
[mod_deflate] use large mmap chunks to compress
[core] statcacheentry reference counting
[core] FILECHUNK can hold statcache_entry ref
[core] httpchunkappendfileref_range()
[multiple] use httpchunkappendfileref()
[core] always lseek() with shared fd
[core] silence coverity warnings (false positives)
[core] silence coverity warnings in ls-hpack
[core] silence coverity warnings (another try)
[core] fix fd sharing when splitting file chunk
[mod_mbedtls] quiet unused variable warning
[core] use inline funcs in sys-crypto-md.h
[core] add missing declaration for NSS rand
[core] init NSS lib for basic crypto algorithms
[doc] change modcompress refs to moddeflate
[doc] replace bzip2 refs with brotli
[build] remove svnversion from versionstamp rule
[doc] /var/run -> /run
[multiple] test for nss includes
[mod_nss] more nss includes fixes
[modwebdav] define _NETBSDSOURCE on NetBSD
[core] silence coverity warnings (another try)
[mod_mbedtls] newer mbedTLS vers support TLSv1.3
[mod_accesslog] update defaults after cycling log
[multiple] add some missing config cleanup
[core] fix (startup) mem leaks in configparser.y
[core] STAILQ* -> SIMPLEQ* on OpenBSD
[mod_wolfssl] use more wolfssl/options.h defines
[modwolfssl] cripple SNI if not built OPENSSLALL
[mod_wolfssl] need to build --enable-alpn for ALPN
[mod_secdownload] fix compile w/ NSS on FreeBSD
[mod_mbedtls] wrap addtl code in preproc defines
[TLS] server.feature-flags 'ssl.session-cache'
[core] workaround fragile code in wolfssl types.h
[core] move misplaced error trace to match option
[core] adjust wolfssl workaround for another case
[multiple] consistent order for crypto lib select
[multiple] include mbedtls/config.h after select
[multiple] include wolfssl/options.h after select
[core] set NSSVERINCLUDE after crypto lib select
[core] use system xxhash lib if available
[doc] refresh doc/config/conf.d/mime.conf
[meson] add matching -I for lua lib version
[build] prepend search for lua version 5.4
[core] use inotify in stat_cache.[ch] on Linux
[build] detect inotify header <sys/inotify.h>
[mod_nss] update session ticket NSS devel comment
[core] set last_used on rd/wr from backend (fixes #3029)
[core] cold func for gwrecvresponse error case
[core] use kqueue() instead of FAM/gamin on *BSD
[core] no graceful-restart-bg on OpenBSD, NetBSD
[modopenssl] add LIBRESSLVERSION_NUMBER checks
[core] use struct kevent on stack in stat_cache
[core] stat_cache preprocessor paranoia
[modopenssl] adjust LIBRESSLVERSION_NUMBER check
[mod_maxminddb] fix config validation typo
[tests] allow LIGHTTPDEXEPATH override
[multiple] handle NULL val as empty in *envadd (fixes #3030)
[core] accept 'HTTP/2.0', 'HTTP/3.0' from backends (fixes #3031)
[build] check for xxhash in more ways
[core] accept 'HTTP/2.0', 'HTTP/3.0' from backends (#3031)
[core] httpresponsebufferappendauthority()
[core] define SHA*DIGESTLENGTH macros if missing
[doc] update optional pkg dependencies in INSTALL
[mod_alias] validate given order, not sorted order
[core] filter out duplicate modules
[mod_cgi] fix crash if initial write to CGI fails
[mod_cgi] ensure tmp file open() before splice()
[multiple] add back-pressure gw data pump (fixes #3033)
[core] fix bug when HTTP/2 frames span chunks
[multiple] more forgiving config str to boolean (fixes #3036)
[core] check for _builtinexpect() availability
[core] quiet more request parse errs unless debug
[core] consolidate chunk size checks
[modflvstreaming] use statcachegetentryopen
[modwebdav] pass full path to webdavunlinkat()
[modwebdav] fallbacks if _ATFILESOURCE not avail
[mod_fastcgi] move src/fastcgi.h into src/compat/
[mod_status] add additional HTML-encoding
[core] server.v4mapped option
[mod_webdav] workaround for gvfs dir redir bug
Remove SuSEfirewall2 service files, SuSEfirewall2 does not exist anymore
Changed /etc/logrotate.d/lighttpd from init.d to systemd fix boo#1146452.

References

Affected packages

SUSE:Package Hub 15 SP3 / lighttpd

Package

Name: lighttpd
Purl: pkg:rpm/suse/lighttpd&distro=SUSE%20Package%20Hub%2015%20SP3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.64-bp153.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "lighttpd-mod_authn_sasl": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_maxminddb": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_vhostdb_ldap": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_webdav": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_authn_gssapi": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_authn_pam": "1.4.64-bp153.2.3.1",
            "lighttpd": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_vhostdb_mysql": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_rrdtool": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_vhostdb_dbi": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_magnet": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_authn_ldap": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_vhostdb_pgsql": "1.4.64-bp153.2.3.1"
        }
    ]
}

openSUSE:Leap 15.3 / lighttpd

Package

Name: lighttpd
Purl: pkg:rpm/opensuse/lighttpd&distro=openSUSE%20Leap%2015.3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.64-bp153.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "lighttpd-mod_authn_sasl": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_maxminddb": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_vhostdb_ldap": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_webdav": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_authn_gssapi": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_authn_pam": "1.4.64-bp153.2.3.1",
            "lighttpd": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_vhostdb_mysql": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_rrdtool": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_vhostdb_dbi": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_magnet": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_authn_ldap": "1.4.64-bp153.2.3.1",
            "lighttpd-mod_vhostdb_pgsql": "1.4.64-bp153.2.3.1"
        }
    ]
}