openSUSE-SU-2022:10132-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2022:10132-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2022:10132-1
Published
2022-09-29T09:54:26Z
Modified
2022-09-29T09:54:26Z
Summary
Security update for lighttpd
Details

This update for lighttpd fixes the following issues:

lighttpd was updated to 1.4.66:

  • a number of bug fixes
  • Fix HTTP/2 downloads >= 4GiB
  • Fix SIGUSR1 graceful restart with TLS
  • further bug fixes
  • CVE-2022-37797: null pointer dereference in mod_wstunnel, possibly a remotely triggerable crash (boo#1203358)
  • In an upcoming release the TLS modules will default to stronger, modern ciphers and will default to allowing client preference when selecting ciphers:
      "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384", "Options" => "-ServerPreference"
    (old defaults: "CipherString" => "HIGH", "Options" => "ServerPreference")
  • A number of TLS options are now deprecated and will be removed in a future release:
      – ssl.honor-cipher-order
      – ssl.dh-file
      – ssl.ec-curve
      – ssl.disable-client-renegotiation
      – ssl.use-sslv2
      – ssl.use-sslv3
    The replacement option is ssl.openssl.ssl-conf-cmd, but the lighttpd defaults should be preferred.
  • A number of modules are now deprecated and will be removed in a future release: mod_evasive, mod_secdownload, mod_uploadprogress and mod_usertrack can be replaced by mod_magnet and a few lines of Lua.
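To make the TLS deprecation concrete, here is an added lighttpd.conf fragment (written for this page; it is not part of the advisory or of the lighttpd project) that shows a configuration using the knobs listed above next to one that drops them and expresses the one deliberate deviation through ssl.openssl.ssl-conf-cmd. The certificate and parameter file paths, the curve name and the TLSv1.2 floor are assumptions; the CipherString and Options values are the upcoming defaults quoted in the advisory.

```conf
# Before: every option in this block is deprecated by 1.4.66 and will be
# removed in a later release.  Paths are assumed for illustration.
ssl.engine                       = "enable"
ssl.pemfile                      = "/etc/lighttpd/server.pem"
ssl.honor-cipher-order           = "enable"                    # deprecated
ssl.dh-file                      = "/etc/lighttpd/dhparam.pem" # deprecated
ssl.ec-curve                     = "prime256v1"                # deprecated
ssl.use-sslv2                    = "disable"                   # deprecated
ssl.use-sslv3                    = "disable"                   # deprecated
ssl.disable-client-renegotiation = "enable"                    # deprecated

# After: keep only the certificate, let lighttpd's defaults pick ciphers,
# curves and renegotiation behaviour, and state any deviation as OpenSSL
# SSL_CONF commands.  "MinProtocol" takes over from ssl.use-sslv2/sslv3;
# "Curves" and "DHParameters" would take over from ssl.ec-curve and
# ssl.dh-file if a deployment really needs to pin them.
ssl.engine  = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"
ssl.openssl.ssl-conf-cmd = (
    "MinProtocol"  => "TLSv1.2",
    # Opt in to the announced future defaults now rather than waiting for
    # the release that flips them: modern AEAD suites, client order honoured.
    "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384",
    "Options"      => "-ServerPreference"
)
```

After editing, `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` parses the file without starting the server, so deprecation warnings for any knob left behind show up before the next restart.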

Update to 1.4.65:

  • WebSockets over HTTP/2 (RFC 8441, Bootstrapping WebSockets with HTTP/2)
  • HTTP/2 PRIORITY_UPDATE (RFC 9218, Extensible Prioritization Scheme for HTTP)
  • prefix/suffix conditions in lighttpd.conf
  • mod_webdav safe partial-PUT: webdav.opts += ("partial-put-copy-modify" => "enable")
  • mod_accesslog option: accesslog.escaping = "json"
  • mod_deflate libdeflate build option
  • speed up request body uploads via HTTP/2
  • Behavior changes:
      – change default server.max-keep-alive-requests = 1000 (prior default was 100) to adjust to increasing HTTP/2 usage and to web2/web3 application usage
      – mod_status HTML now includes HTTP/2 control stream id 0 in the output, which contains aggregate counts for the HTTP/2 connection (these lines can be identified with URL '*', part of the "PRI *" preface); alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
      – MIME type application/javascript is translated to text/javascript (RFC 9239)

Affected packages

SUSE:Package Hub 15 SP3 / lighttpd

Package

Name
lighttpd
Purl
pkg:rpm/suse/lighttpd&distro=SUSE%20Package%20Hub%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.4.66-bp154.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "lighttpd-mod_vhostdb_mysql": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_vhostdb_dbi": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_maxminddb": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_vhostdb_ldap": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_gssapi": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_pam": "1.4.66-bp154.2.3.1",
            "lighttpd": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_ldap": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_magnet": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_rrdtool": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_vhostdb_pgsql": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_webdav": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_sasl": "1.4.66-bp154.2.3.1"
        }
    ]
}

SUSE:Package Hub 15 SP4 / lighttpd

Package

Name
lighttpd
Purl
pkg:rpm/suse/lighttpd&distro=SUSE%20Package%20Hub%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.4.66-bp154.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "lighttpd-mod_vhostdb_mysql": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_vhostdb_dbi": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_maxminddb": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_vhostdb_ldap": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_gssapi": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_pam": "1.4.66-bp154.2.3.1",
            "lighttpd": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_ldap": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_magnet": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_rrdtool": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_vhostdb_pgsql": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_webdav": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_sasl": "1.4.66-bp154.2.3.1"
        }
    ]
}

openSUSE:Leap 15.3 / lighttpd

Package

Name
lighttpd
Purl
pkg:rpm/opensuse/lighttpd&distro=openSUSE%20Leap%2015.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.4.66-bp154.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "lighttpd-mod_vhostdb_mysql": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_vhostdb_dbi": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_maxminddb": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_vhostdb_ldap": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_gssapi": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_pam": "1.4.66-bp154.2.3.1",
            "lighttpd": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_ldap": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_magnet": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_rrdtool": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_vhostdb_pgsql": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_webdav": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_sasl": "1.4.66-bp154.2.3.1"
        }
    ]
}

openSUSE:Leap 15.4 / lighttpd

Package

Name
lighttpd
Purl
pkg:rpm/opensuse/lighttpd&distro=openSUSE%20Leap%2015.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.4.66-bp154.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "lighttpd-mod_vhostdb_mysql": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_vhostdb_dbi": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_maxminddb": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_vhostdb_ldap": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_gssapi": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_pam": "1.4.66-bp154.2.3.1",
            "lighttpd": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_ldap": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_magnet": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_rrdtool": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_vhostdb_pgsql": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_webdav": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_authn_sasl": "1.4.66-bp154.2.3.1"
        }
    ]
}
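The affected-package entries above carry everything needed to decide whether a host is still exposed: an ECOSYSTEM range whose "fixed" event is the patched build, and an ecosystem_specific.binaries map naming each sub-package that must reach that build. The following added script (written for this page; it is not part of OSV, SUSE or lighttpd tooling) evaluates such a record against an installed package set. It embeds a reduced excerpt of the record built from the page's own data, a constructed inventory labelled as such, and a version comparison that follows rpm's segment rules but deliberately omits the tilde/caret special cases; the rpm_inventory helper assumes rpm is on PATH and is only for use on a real host.

```python
"""Decide which installed lighttpd binaries are still inside an OSV affected
range.  Added example for the openSUSE-SU-2022:10132-1 page, not SUSE or OSV
code.  Assumes SUSE records spell fixed versions as VERSION-RELEASE."""
import re
import subprocess

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")  # rpm compares alnum runs, skips separators


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp, minus the ~ and ^ rules."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)            # numeric runs compare as integers
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric run beats an alphabetic one
        elif x != y:
            return -1 if x < y else 1          # both alphabetic: plain string order
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1      # more segments wins


def parse_evr(evr: str):
    """Split "[EPOCH:]VERSION[-RELEASE]"; epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def in_range(evr: str, events: list) -> bool:
    """Walk a sorted OSV ECOSYSTEM event list; "introduced": "0" means all earlier builds."""
    affected = False
    for ev in events:
        if "introduced" in ev:
            intro = ev["introduced"]
            affected = intro == "0" or evr_cmp(intro, evr) <= 0
        elif "fixed" in ev and affected and evr_cmp(ev["fixed"], evr) <= 0:
            affected = False
    return affected


def vulnerable_binaries(record: dict, ecosystem: str, installed: dict) -> list:
    """Names from installed ({binary: EVR}) still affected for one ecosystem string."""
    hits = set()
    for aff in record["affected"]:
        if aff["package"]["ecosystem"] != ecosystem:
            continue
        names = {aff["package"]["name"]}
        for bmap in aff.get("ecosystem_specific", {}).get("binaries", []):
            names.update(bmap)                 # sub-packages that must reach the fix
        for rng in aff.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            for name in sorted(names.intersection(installed)):
                if in_range(installed[name], rng["events"]):
                    hits.add(name)
    return sorted(hits)


def rpm_inventory(pattern: str = "lighttpd*") -> dict:
    """Installed EVRs from the host rpm database (assumes rpm on PATH; not used below)."""
    out = subprocess.run(["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n", pattern],
                         capture_output=True, text=True, check=True).stdout
    return dict(line.split(" ", 1) for line in out.splitlines() if line)


def _entry(ecosystem: str, purl: str) -> dict:
    return {
        "package": {"ecosystem": ecosystem, "name": "lighttpd", "purl": purl},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "1.4.66-bp154.2.3.1"}]}],
        "ecosystem_specific": {"binaries": [{
            "lighttpd": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_webdav": "1.4.66-bp154.2.3.1",
            "lighttpd-mod_magnet": "1.4.66-bp154.2.3.1"}]},
    }


# Excerpt of the page's record: two of the four ecosystems, three of the binaries.
OSV_RECORD = {
    "id": "openSUSE-SU-2022:10132-1",
    "summary": "Security update for lighttpd",
    "affected": [
        _entry("openSUSE:Leap 15.4", "pkg:rpm/opensuse/lighttpd&distro=openSUSE%20Leap%2015.4"),
        _entry("SUSE:Package Hub 15 SP4", "pkg:rpm/suse/lighttpd&distro=SUSE%20Package%20Hub%2015%20SP4"),
    ],
}

# Constructed inventory: two stale sub-packages, one already at the fixed build.
INSTALLED = {
    "lighttpd": "1.4.64-bp154.1.1",
    "lighttpd-mod_webdav": "1.4.64-bp154.1.1",
    "lighttpd-mod_magnet": "1.4.66-bp154.2.3.1",
}

if __name__ == "__main__":
    print(vulnerable_binaries(OSV_RECORD, "openSUSE:Leap 15.4", INSTALLED))
```

On a real Leap or Package Hub host, replace INSTALLED with rpm_inventory() and feed the full JSON from the Import Source URL above; every name the function returns is a sub-package still below 1.4.66-bp154.2.3.1 and needs `zypper patch` (or `zypper in -t patch openSUSE-SLE-15.4-2022-10132`, which is the usual form of these patch names, stated here as an assumption rather than read from the page).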