SUSE Package Hub - openSUSE-2022-10132

Update Info

openSUSE-2022-10132

Security update for lighttpd

Type: security

Severity: moderate

Issued: 2022-09-29

Description:

This update for lighttpd fixes the following issues:

lighttpd was updated to 1.4.66:

* a number of bug fixes
* Fix HTTP/2 downloads >= 4GiB
* Fix SIGUSR1 graceful restart with TLS
* futher bug fixes
* CVE-2022-37797: null pointer dereference in mod_wstunnel,
  possibly a remotely triggerable crash (boo#1203358)
* In an upcoming release the TLS modules will default to using
  stronger, modern chiphers and will default to allow client
  preference in selecting ciphers.
  “CipherString” => “EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384”,
  “Options” => “-ServerPreference”
  old defaults:
  “CipherString” => “HIGH”,
  “Options” => “ServerPreference”
* A number of TLS options are how deprecated and will be removed
  in a future release:
  – ssl.honor-cipher-order
  – ssl.dh-file
  – ssl.ec-curve
  – ssl.disable-client-renegotiation
  – ssl.use-sslv2
  – ssl.use-sslv3
  The replacement option is ssl.openssl.ssl-conf-cmd, but lighttpd
  defaults should be prefered
* A number of modules are now deprecated and will be removed in a
  future release: mod_evasive, mod_secdownload, mod_uploadprogress,
  mod_usertrack can be replaced by mod_magnet and a few lines of lua.

update to 1.4.65:

* WebSockets over HTTP/2
* RFC 8441 Bootstrapping WebSockets with HTTP/2
* HTTP/2 PRIORITY_UPDATE
* RFC 9218 Extensible Prioritization Scheme for HTTP
* prefix/suffix conditions in lighttpd.conf
* mod_webdav safe partial-PUT
* webdav.opts += (“partial-put-copy-modify” => “enable”)
* mod_accesslog option: accesslog.escaping = “json”
* mod_deflate libdeflate build option
* speed up request body uploads via HTTP/2
* Behavior Changes
* change default server.max-keep-alive-requests = 1000 to adjust
* to increasing HTTP/2 usage and to web2/web3 application usage
* (prior default was 100)
* mod_status HTML now includes HTTP/2 control stream id 0 in the output
* which contains aggregate counts for the HTTP/2 connection
* (These lines can be identified with URL ‘*’, part of “PRI *” preface)
* alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
* MIME type application/javascript is translated to text/javascript (RFC 9239)

References

CVE: CVE-2022-37797
Bugzilla: 1203358 VUL-0: CVE-2022-37797: lighttpd: null pointer dereference in mod_wstunnel

Packages

lighttpd-1.4.66-bp154.2.3.1