openSUSE Security Update: Security update for lighttpd
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:0024-1
Rating:             important
References:         #1146452 #1181400 #1194376 
Cross-References:   CVE-2022-22707
CVSS scores:
                    CVE-2022-22707 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP3
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes
   is now available.

Description:

   This update for lighttpd fixes the following issues:

   lighttpd was updated to 1.4.64:

   * CVE-2022-22707: off-by-one stack overflow in the mod_extforward plugin
     (boo#1194376)
   * graceful restart/shutdown timeout changed from 0 (disabled) to 8
     seconds. configure an alternative with: server.feature-flags +=
     (???server.graceful-shutdown-timeout??? => 8)
   * deprecated modules (previously announced) have been removed:
     mod_authn_mysql, mod_mysql_vhost, mod_cml, mod_flv_streaming, mod_geoip,
     mod_trigger_b4_dl

   update to 1.4.63:

   * import xxHash v0.8.1
   * fix reqpool mem corruption in 1.4.62

   includes changes in 1.4.62:

   * [mod_alias] fix use-after-free bug
   * many developer visible bug fixes

   update to 1.4.61:

   * mod_dirlisting: sort "../" to top
   * fix HTTP/2 upload > 64k w/ max-request-size
   * code level and developer visible bug fixes

   update to 1.4.60:

   * HTTP/2 smoother and lower memory use (in general)
   * HTTP/2 tuning to better handle aggressive client initial requests
   * reduce memory footprint; workaround poor glibc behavior; jemalloc is
     better
   * mod_magnet lua performance improvements
   * mod_dirlisting performance improvements and new caching option
   * memory constraints for extreme edge cases in mod_dirlisting, mod_ssi,
     mod_webdav
   * connect(), write(), read() time limits on backends (separate from client
     timeouts)
   * lighttpd restarts if large discontinuity in time occurs (embedded
     systems)
   * RFC7233 Range support for all non-streaming responses, not
     only static files
   * connect() to backend now has default 8 second timeout (configurable)

   - Added hardening to systemd service(s) (boo#1181400).

   update to 1.4.59:

   * HTTP/2 enabled by default
   * mod_deflate zstd suppport
   * new mod_ajp13

   Update to 1.4.58:

   * [mod_wolfssl] use wolfSSL TLS version defines
   * [mod_wolfssl] compile with earlier wolfSSL vers
   * [core] prefer IPv6+IPv4 func vs IPv4-specific func
   * [core] reuse large mem chunks (fix mem usage) (fixes #3033)
   * [core] add comment for FastCGI mem use in hctx->rb (#3033)
   * [mod_proxy] fix sending of initial reqbody chunked
   * [multiple] fdevent_waitpid() wrapper
   * [core] sys-time.h - localtime_r,gmtime_r macros
   * [core] http_date.[ch] encapsulate HTTP-date parse
   * [core] specialized strptime() for HTTP date fmts
   * [multiple] employ http_date.h, sys-time.h
   * [core] http_date_timegm() (portable timegm())
   * buffer_append_path_len() to join paths
   * [core] inet_ntop_cache -> sock_addr_cache
   * [multiple] etag.[ch] -> http_etag.[ch]; better imp
   * [core] fix crash after specific err in config file
   * [core] fix bug in FastCGI uploads (#3033)
   * [core] http_response_match_if_range()
   * [mod_webdav] typedef off_t loff_t for FreeBSD
   * [multiple] chunkqueue_write_chunk()
   * [build] add GNUMAKEFLAGS=--no-print-directory
   * [core] fix bug in read retry found by coverity
   * [core] attempt to quiet some coverity warnings
   * [mod_webdav] compile fix for Mac OSX/11
   * [core] handle U+00A0 in config parser
   * [core] fix lighttpd -1 one-shot with pipes
   * [core] quiet start/shutdown trace in one-shot mode
   * [core] allow keep-alives in one-shot mode (#3042)
   * [mod_webdav] define _ATFILE_SOURCE if AT_FDCWD
   * [core] setsockopt IPV6_V6ONLY if server.v4mapped
   * [core] prefer inet_aton() over inet_addr()
   * [core] add missing mod_wolfssl to ssl compat list
   * [mod_openssl] remove ancient preprocessor logic
   * [core] SHA512_Init, SHA512_Update, SHA512_Final
   * [mod_wolfssl] add complex preproc logic for SNI
   * [core] wrap a macro value with parens
   * [core] fix handling chunked response from backend (fixes #3044)
   * [core] always set file.fd = -1 on FILE_CHUNK reset (fixes #3044)
   * [core] skip some trace if backend Upgrade (#3044)
   * [TLS] cert-staple.sh POSIX sh compat (fixes #3043)
   * [core] portability fix if st_mtime not defined
   * [mod_nss] portability fix
   * [core] warn if mod_authn_file needed in conf
   * [core] fix chunked decoding from backend (fixes #3044)
   * [core] reject excess data after chunked encoding (#3046)
   * [core] track chunked encoding state from backend (fixes #3046)
   * [core] li_restricted_strtoint64()
   * [core] track Content-Length from backend (fixes #3046)
   * [core] enhance config parsing debugging (#3047)
   * [core] reorder srv->config_context to match ndx (fixes #3047)
   * [mod_proxy] proxy.header = ("force-http10" => ...)
   * [mod_authn_ldap] fix crash (fixes #3048)
   * [mod_authn_ldap, mod_vhostdb_ldap] default cafile
   * [core] fix array_copy_array() sorted[]
   * [multiple] replace fall through comment with attr
   * [core] fix crash printing trace if backend is down
   * [core] fix decoding chunked from backend (fixes #3049)
   * [core] attempt to quiet some coverity warnings
   * [core] perf: request processing
   * [core] http_header_str_contains_token()
   * [mod_flv_streaming] parse query string w/o copying
   * [mod_evhost] use local array to split values
   * [core] remove srv->split_vals
   * [core] add User-Agent to http_header_e enum
   * [core] store struct server * in struct connection
   * [core] use func rc to indicate done reading header
   * [core] replace connection_set_state w/ assignment
   * [core] do not pass srv to http header parsing func
   * [core] cold buffer_string_prepare_append_resize()
   * [core] chunkqueue_compact_mem()
   * [core] connection_chunkqueue_compact()
   * [core] pass con around request, not srv and con
   * [core] reduce use of struct parse_header_state
   * [core] perf: HTTP header parsing using \n offsets
   * [core] no need to pass srv to connection_set_state
   * [core] perf: connection_read_header_more()
   * [core] perf: connection_read_header_hoff() hot
   * [core] inline connection_read_header()
   * [core] pass ptr to http_request_parse()
   * [core] more 'const' in request.c prototypes
   * [core] handle common case of alnum or - field-name
   * [mod_extforward] simplify code: use light_isxdigit
   * [core] perf: array.c performance enhancements
   * [core] mark some data_* funcs cold
   * [core] http_header.c internal inline funcs
   * [core] remove unused array_reset()
   * [core] prefer uint32_t to size_t in base.h
   * [core] uint32_t for struct buffer sizes
   * [core] remove unused members of struct server
   * [core] short-circuit path to clear request.headers
   * [core] array keys are non-empty in key-value list
   * [core] keep a->data[] sorted; remove a->sorted[]
   * [core] __attribute_returns_nonnull__
   * [core] differentiate array_get_* for ro and rw
   * [core] (const buffer *) in (struct burl_parts_t)
   * [core] (const buffer *) for con->server_name
   * [core] perf: initialize con->conf using memcpy()
   * [core] run config_setup_connection() fewer times
   * [core] isolate data_config.c, vector.c
   * [core] treat con->conditional_is_valid as bitfield
   * [core] http_header_hkey_get() over const array
   * [core] inline buffer as part of DATA_UNSET key
   * [core] inline buffer key for *_patch_connection()
   * [core] (data_unset *) from array_get_element_klen
   * [core] inline buffer as part of data_string value
   * [core] add const to callers of http_header_*_get()
   * [core] inline array as part of data_array value
   * [core] const char *op in data_config
   * [core] buffer string in data_config
   * [core] streamline config_check_cond()
   * [core] keep a->data[] sorted (REVERT)
   * [core] array a->sorted[] as ptrs rather than pos
   * [core] inline header and env arrays into con
   * [mod_accesslog] avoid alloc for parsing cookie val
   * [core] simpler config_check_cond()
   * [mod_redirect,mod_rewrite] store context_ndx
   * [core] const char *name in struct plugin
   * [core] srv->plugin_slots as compact list
   * [core] rearrange server_config, server members
   * [core] macros CONST_LEN_STR and CONST_STR_LEN
   * [core] struct plugin_data_base
   * [core] improve condition caching perf
   * [core] config_plugin_values_init() new interface
   * [mod_access] use config_plugin_values_init()
   * [core] (const buffer *) from strftime_cache_get()
   * [core] mv config_setup_connection to connections.c
   * [core] use (const char *) in config file parsing
   * [mod_staticfile] use config_plugin_values_init()
   * [mod_skeleton] use config_plugin_values_init()
   * [mod_setenv] use config_plugin_values_init()
   * [mod_alias] use config_plugin_values_init()
   * [mod_indexfile] use config_plugin_values_init()
   * [mod_expire] use config_plugin_values_init()
   * [mod_flv_streaming] use config_plugin_values_init()
   * [mod_magnet] use config_plugin_values_init()
   * [mod_usertrack] use config_plugin_values_init()
   * [mod_userdir] split policy from userdir path build
   * [mod_userdir] use config_plugin_values_init()
   * [mod_ssi] use config_plugin_values_init()
   * [mod_uploadprogress] use config_plugin_values_init()
   * [mod_status] use config_plugin_values_init()
   * [mod_cml] use config_plugin_values_init()
   * [mod_secdownload] use config_plugin_values_init()
   * [mod_geoip] use config_plugin_values_init()
   * [mod_evasive] use config_plugin_values_init()
   * [mod_trigger_b4_dl] use config_plugin_values_init()
   * [mod_accesslog] use config_plugin_values_init()
   * [mod_simple_vhost] use config_plugin_values_init()
   * [mod_evhost] use config_plugin_values_init()
   * [mod_vhostdb*] use config_plugin_values_init()
   * [mod_mysql_vhost] use config_plugin_values_init()
   * [mod_maxminddb] use config_plugin_values_init()
   * [mod_auth*] use config_plugin_values_init()
   * [mod_deflate] use config_plugin_values_init()
   * [mod_compress] use config_plugin_values_init()
   * [core] add xsendfile* check if xdocroot is NULL
   * [mod_cgi] use config_plugin_values_init()
   * [mod_dirlisting] use config_plugin_values_init()
   * [mod_extforward] use config_plugin_values_init()
   * [mod_webdav] use config_plugin_values_init()
   * [core] store addtl data in pcre_keyvalue_buffer
   * [mod_redirect] use config_plugin_values_init()
   * [mod_rewrite] use config_plugin_values_init()
   * [mod_rrdtool] use config_plugin_values_init()
   * [multiple] gw_backends config_plugin_values_init()
   * [core] config_get_config_cond_info()
   * [mod_openssl] use config_plugin_values_init()
   * [core] use config_plugin_values_init()
   * [core] collect more config logic into configfile.c
   * [core] config_plugin_values_init_block()
   * [core] gw_backend config_plugin_values_init_block
   * [core] remove old config_insert_values_*() funcs
   * [multiple] plugin.c handles common FREE_FUNC code
   * [core] run all trigger and sighup handlers
   * [mod_wstunnel] change DEBUG_LOG to use log_error()
   * [core] stat_cache_path_contains_symlink use errh
   * [core] isolate use of data_config, configfile.h
   * [core] split cond cache from cond matches
   * [mod_auth] inline arrays in http_auth_require_t
   * [core] array_init() arg for initial size
   * [core] gw_exts_clear_check_local()
   * [core] gw_backend less pointer chasing
   * [core] connection_handle_errdoc() separate func
   * [multiple] prefer (connection *) to (srv *)
   * [core] create http chunk header on the stack
   * [multiple] connection hooks no longer get (srv *)
   * [multiple] plugin_stats array
   * [core] read up-to fixed size chunk before fionread
   * [core] default chunk size 8k (was 4k)
   * [core] pass con around gw_backend instead of srv
   * [core] log_error_multiline_buffer()
   * [multiple] reduce direct use of srv->cur_ts
   * [multiple] extern log_epoch_secs
   * [multiple] reduce direct use of srv->errh
   * [multiple] stat_cache singleton
   * [mod_expire] parse config into structured data
   * [multiple] generic config array type checking
   * [multiple] rename r to rc rv rd wr to be different
   * [core] (minor) config_plugin_keys_t data packing
   * [core] inline buffer in log_error_st errh
   * [multiple] store srv->tmp_buf in tb var
   * [multiple] quiet clang compiler warnings
   * [core] http_status_set_error_close()
   * [core] http_request_host_policy w/ http_parseopts
   * [multiple] con->proto_default_port
   * [core] store log filename in (log_error_st *)
   * [core] separate log_error_open* funcs
   * [core] fdevent uses uint32_t instead of size_t
   * [mod_webdav] large buffer reuse
   * [mod_accesslog] flush file log buffer at 8k size
   * [core] include settings.h where used
   * [core] static buffers for mtime_cache
   * [core] convenience macros to check req methods
   * [core] support multiple error logs
   * [multiple] omit passing srv to fdevent_handler
   * [core] remove unused arg to fdevent_fcntl_set_nb*
   * [core] slightly simpify server_(over)load_check()
   * [core] isolate fdevent subsystem
   * [core] isolate stat_cache subsystem
   * [core] remove include base.h where unused
   * [core] restart dead piped loggers every 64 sec
   * [mod_webdav] use copy_file_range() if available
   * [core] perf: buffer copy and append
   * [core] copy some srv->srvconf into con->conf
   * [core] move keep_alive flag into request_st
   * [core] pass scheme port to http_request_parse()
   * [core] pass http_parseopts around request.c
   * [core] rename specific_config to request_config
   * [core] move request_st,request_config to request.h
   * [core] pass (request_st *) to request.c funcs
   * [core] remove unused request_st member 'request'
   * [core] rename content_length to reqbody_length
   * [core] t/test_request.c using (request_st *)
   * [core] (const connection *) in http_header_*_get()
   * [mod_accesslog] log_access_record() fmt log record
   * [core] move request start ts into (request_st *)
   * [core] move addtl request-specific struct members
   * [core] move addtl request-specific struct members
   * [core] move plugin_ctx into (request_st *)
   * [core] move addtl request-specific struct members
   * [core] move request state into (request_st *)
   * [core] store (plugin *) in p->data
   * [core] store subrequest_handler instead of mode
   * [multiple] copy small struct instead of memcpy()
   * [multiple] split con, request (very large change)
   * [core] r->uri.path always set, though might be ""
   * [core] C99 restrict on some base funcs
   * [core] dispatch handler in handle_request func
   * [core] http_request_parse_target()
   * [mod_magnet] modify r->target with "uri.path-raw"
   * [core] remove r->uri.path_raw; generate as needed
   * [core] http_response_comeback()
   * [core] http_response_config()
   * [tests] use buffer_eq_slen() for str comparison
   * [core] http_status_append() short-circuit 200 OK
   * [core] mark some chunk.c funcs as pure
   * [core] use uint32_t in http_header.[ch]
   * [core] perf: tighten some code in some hot paths
   * [core] parse header label before end of line
   * [mod_auth] "nonce_secret" option to validate nonce (fixes #2976)
   * [build] fix build on MacOS X Tiger
   * [doc] lighttpd.conf: lighttpd choose event-handler
   * [config] blank server.tag if whitespace-only
   * [mod_proxy] stream request using HTTP/1.1 chunked (fixes #3006)
   * [multiple] correct misspellings in comments
   * [multiple] fix some cc warnings in 32-bit, powerpc
   * [tests] fix skip count in mod-fastcgi w/o php-cgi
   * [multiple] ./configure --with-nettle to use Nettle
   * [core] skip excess close() when FD_CLOEXEC defined
   * [mod_cgi] remove redundant calls to set FD_CLOEXEC
   * [core] return EINVAL if stat_cache_get_entry w/o /
   * [mod_webdav] define PATH_MAX if not defined
   * [mod_accesslog] process backslash-escapes in fmt
   * [mod_openssl] disable cert vrfy if ALPN acme-tls/1
   * [core] add seed before openssl RAND_pseudo_bytes()
   * [mod_mbedtls] mbedTLS option for TLS
   * [core] prefer getxattr() instead of get_attr()
   * [multiple] use *(unsigned char *) with ctypes
   * [mod_openssl] do not log ECONNRESET unless debug
   * [mod_openssl] SSL_R_UNEXPECTED_EOF_WHILE_READING
   * [mod_gnutls] GnuTLS option for TLS (fixes #109)
   * [mod_openssl] rotate session ticket encryption key
   * [mod_openssl] set cert from callback in 1.0.2+ (fixes #2842)
   * [mod_openssl] set chains from callback in 1.0.2+ (#2842)
   * [core] RFC-strict parse of Content-Length
   * [build] point ./configure --help to support forum
   * [core] stricter parse of numerical digits
   * [multiple] add summaries to top of some modules
   * [core] sys-crypto-md.h w/ inline message digest fn
   * [mod_openssl] enable read-ahead, if set, after SNI
   * [mod_openssl] issue warning for deprecated options
   * [mod_openssl] use SSL_OP_NO_RENEGOTIATION if avail
   * [mod_openssl] use openssl feature define for ALPN
   * [mod_openssl] update default DH params
   * [core] SecureZeroMemory() on _WIN32
   * [core] safe memset calls memset() through volatile
   * [doc] update comments in doc/config/modules.conf
   * [core] more precise check for request stream flags
   * [mod_openssl] rotate session ticket encryption key
   * [mod_openssl] ssl.stek-file to specify encrypt key
   * [mod_mbedtls] ssl.stek-file to specify encrypt key
   * [mod_gnutls] ssl.stek-file to specify encrypt key
   * [mod_openssl] disable session cache; prefer ticket
   * [mod_openssl] compat with LibreSSL
   * [mod_openssl] compat with WolfSSL
   * [mod_openssl] set SSL_OP_PRIORITIZE_CHACHA
   * [mod_openssl] move SSL_CTX curve conf to new func
   * [mod_openssl] basic SSL_CONF_cmd for alt TLS libs
   * [mod_openssl] OCSP stapling (fixes #2469)
   * [TLS] cert-staple.sh - refresh OCSP responses (#2469)
   * [mod_openssl] compat with BoringSSL
   * [mod_gnutls] option to override GnuTLS priority
   * [mod_gnutls] OCSP stapling (#2469)
   * [mod_extforward] config warning for module order
   * [mod_webdav] store webdav.opts as bitflags
   * [mod_webdav] limit webdav_propfind_dir() recursion
   * [mod_webdav] unsafe-propfind-follow-symlink option
   * [mod_webdav] webdav.opts "propfind-depth-infinity"
   * [mod_openssl] detect certs marked OCSP Must-Staple
   * [mod_gnutls] detect certs marked OCSP Must-Staple
   * [mod_openssl] default to set MinProtocol TLSv1.2
   * [mod_nss] NSS option for TLS (fixes #1218)
   * [core] fdevent_load_file() shared code
   * [mod_openssl,mbedtls,gnutls,nss] fdevent_load_file
   * [core] error if s->socket_perms chmod() fails
   * [mod_openssl] prefer some WolfSSL native APIs
   * quiet clang analyzer scan-build warnings
   * [core] uint32_t is plenty large for path names
   * [mod_mysql_vhost] deprecated; use mod_vhostdb_mysql
   * [core] splaytree_djbhash() in splaytree.h (reuse)
   * [cmake] update deps for src/t/test_*
   * [cmake] update deps for src/t/test_*
   * [build] remove tests/mod-userdir.t from builds
   * [build] fix typo in src/Makefile.am EXTRA_DIST
   * [core] remove unused mbedtls_enabled flag
   * [core] store fd in srv->stdin_fd during setup
   * [multiple] address coverity warnings
   * [mod_webdav] fix theoretical NULL dereference
   * [mod_webdav] update rc for PROPFIND allprop
   * [mod_webdav] build fix: ifdef live_properties
   * [multiple] address coverity warnings
   * [meson] fix libmariadb dependency
   * [meson] add missing libmaxminddb section
   * [mod_auth,mod_vhostdb] add caching option (fixes #2805)
   * [mod_authn_ldap,mod_vhostdb_ldap] add timeout opt (#2805)
   * [mod_auth] accept "nonce-secret" & "nonce_secret"
   * [mod_openssl] fix build warnings on MacOS X
   * [core] Nettle assert()s if buffer len > digest sz
   * [mod_authn_dbi] authn backend employing DBI
   * [mod_authn_mysql,file] use crypt() to save stack
   * [mod_vhostdb_dbi] allow strings and ints in config
   * add ci-build.sh
   * move ci-build.sh to scripts
   * [build] build fixes for AIX
   * [mod_deflate] Brotli support
   * [build] bzip2 default to not-enabled in build
   * [mod_deflate] fix typo in config option
   * [mod_deflate] propagate errs from internal funcs
   * [mod_deflate] deflate.cache-dir compressed cache
   * [mod_deflate] mod_deflate subsumes mod_compress
   * [doc] mod_compress -> mod_deflate
   * [tests] mod_compress -> mod_deflate
   * [mod_compress] remove mod_compress
   * [build] add --with-brotli to CI build
   * [core] server.feature-flags extensible config
   * [core] con layer plugin_ctx separate from request
   * [multiple] con hooks store ctx in con->plugin_ctx
   * [core] separate funcs to reset (request_st *)
   * [multiple] rename connection_reset hook to request
   * [mod_nss] func renames for consistency
   * [core] detect and reject TLS connect to cleartext
   * [mod_deflate] quicker check for Content-Encoding
   * [mod_openssl] read secret data w/ BIO_new_mem_buf
   * [core] decode Transfer-Encoding: chunked from gw
   * [mod_fastcgi] decode Transfer-Encoding: chunked
   * [core] stricter parsing of POST chunked block hdr
   * [mod_proxy] send HTTP/1.1 requests to backends
   * [tests] test_base64.c clear buf vs reset
   * [core] http_header_remove_token()
   * [mod_webdav] fix inadvertent string truncation
   * [core] add some missing standard includes
   * [mod_extforward] attempt to quiet Coverity warning
   * [mod_authn_dbi,mod_authn_mysql] fix coverity issue
   * scons: fix check environment
   * Add avahi service file under doc/avahi/
   * [mod_webdav] fix fallback if linkat() fails
   * [mod_proxy] do not forward Expect: 100-continue
   * [core] chunkqueue_compact_mem() must upd cq->last
   * [core] dlsym for FAMNoExists() for compat w/ fam
   * [core] disperse settings.h to appropriate headers
   * [core] inline buffer_reset()
   * [mod_extforward] save proto per connection
   * [mod_extforward] skip after HANDLER_COMEBACK
   * [core] server.feature-flags to enable h2
   * [core] HTTP_VERSION_2
   * [multiple] allow TLS ALPN "h2" if "server.h2proto"
   * [mod_extforward] preserve changed addr for h2 con
   * [core] do not send Connection: close if h2
   * [core] lowercase response hdr field names for h2
   * [core] recognize status: 421 Misdirected Request
   * [core] parse h2 pseudo-headers
   * [core] request_headers_process()
   * [core] connection_state_machine_loop()
   * [core] reset connection counters per connection
   * [mod_accesslog,mod_rrdtool] HTTP/2 basic accounting
   * [core] connection_set_fdevent_interest()
   * [core] HTTP2-Settings
   * [core] adjust http_request_headers_process()
   * [core] http_header_parse_hoff()
   * [core] move http_request_headers_process()
   * [core] reqpool.[ch] for (request_st *)
   * [multiple] modules read reqbody via fn ptr
   * [multiple] isolate more con code in connections.c
   * [core] isolate more resp code in response.c
   * [core] h2.[ch] with stub funcs (incomplete)
   * [core] alternate between two joblists
   * [core] connection transition to HTTP/2; incomplete
   * [core] mark some error paths with attribute cold
   * [core] discard 100 102 103 responses from backend
   * [core] skip write throttle for 100 Continue
   * [core] adjust (disabled) debug code
   * [core] update comment
   * [core] link in ls-hpack (EXPERIMENTAL)
   * [core] HTTP/2 HPACK using LiteSpeed ls-hpack
   * [core] h2_send_headers() specialized for resp hdrs
   * [core] http_request_parse_header() specialized
   * [core] comment possible future ls-hpack optimize
   * [mod_status] separate funcs to print request table
   * [mod_status] adjust to print HTTP/2 requests
   * [core] redirect to dir using relative-path
   * [core] ignore empty field-name from backends
   * [mod_auth] fix crash if auth.require misconfigured (fixes #3023)
   * [core] fix 1-char trunc of default server.tag
   * [core] request_acquire(), request_release()
   * [core] keep pool of (request_st *) for HTTP/2
   * [mod_status] dedicated funcs for r->state labels
   * [core] move connections_get_state to connections.c
   * [core] fix crash on master after graceful restart
   * [core] defer optimization to read small files
   * [core] do not require '\0' term for k,v hdr parse
   * [scripts] cert-staple.sh enhancements
   * [core] document algorithm used in lighttpd etag
   * [core] ls-hpack optimizations
   * [core] fix crash on master if blank line request
   * [core] use djbhash in gw_backend to choose host
   * [core] rename md5.[ch] to algo_md5.[ch]
   * [core] move djbhash(), dekhash() to algo_md.h
   * [core] rename splaytree.[ch] to algo_splaytree.[ch]
   * [core] import xxHash v0.8.0
   * [build] modify build, includes for xxHash v0.8.0
   * [build] remove ls-hpack/deps
   * [core] xxhash no inline hints; let compiler choose
   * [mod_dirlisting] fix config parsing crash
   * [mod_openssl] clarify trace w/ deprecated options
   * [doc] refresh doc/config/*/*
   * [core] code size: disable XXH64(), XXH3()
   * [doc] update README and INSTALL
   * [core] combine Cookie request headers with ';'
   * [core] log stream id with debug.log-state-handling
   * [core] set r->state in h2.c
   * [mod_ssi] update chunk after shell output redirect
   * [mod_webdav] preserve bytes_out when chunks merged
   * [multiple] inline chunkqueue_length()
   * [core] cold h2_log_response_header*() funcs
   * [core] update HTTP status codes list from IANA
   * [mod_wolfssl] standalone module
   * [core] Content-Length in http_response_send_file()
   * [core] adjust response header prep for common case
   * [core] light_isupper(), light_islower()
   * [core] tst,set,clr macros for r->{rqst,resp}_htags
   * [core] separate http_header_e from _htags bitmask
   * [core] http_header_hkey_get_lc() for HTTP/2
   * [core] array.[ch] using uint32_t instead of size_t
   * [core] extend (data_string *) to store header id
   * [multiple] extend enum http_header_e list
   * [core] http_header_e <=> lshpack_static_hdr_idx
   * [core] skip ls-hpack decode work unused by lighttpd
   * [TLS] error if inherit empty TLS cfg from globals
   * [core] connection_check_expect_100()
   * [core] support multiple 1xx responses from backend
   * [core] reload c after chunkqueue_compact_mem()
   * [core] relay 1xx from backend over HTTP/2
   * [core] relay 1xx from backend over HTTP/1.1
   * [core] chunkqueue_{peek,read}_data(), squash
   * [multiple] TLS modules use chunkqueue_peek_data()
   * [mod_magnet] magnet.attract-response-start-to
   * [multiple] code reuse chunkqueue_peek_data()
   * [core] reuse r->start_hp.tv_sec for r->start_ts
   * [core] config_plugin_value_tobool() accept "0","1"
   * [core] graceful and immediate restart option
   * [mod_ssi] init status var before waitpid()
   * [core] graceful shutdown timeout option
   * [core] lighttpd -1 supports pipes (e.g. netcat)
   * [core] perf adjustments to avoid load miss
   * [multiple] use sock_addr_get_family in more places
   * [multiple] inline chunkqueue where always alloc'd
   * [core] propagate state after writing
   * [core] server_run_con_queue()
   * [core] defer handling FDEVENT_HUP and FDEVENT_ERR
   * [core] handle unexpected EOF reading FILE_CHUNK
   * [core] short-circuit connection_write_throttle()
   * [core] walk queue in connection_write_chunkqueue()
   * [core] connection_joblist global
   * [core] be more precise checking streaming flags
   * [core] fdevent_load_file_bytes()
   * [TLS] use fdevent_load_file_bytes() for STEK file
   * [core] allow symlinks under /dev for rand devices
   * [multiple] use light_btst() for hdr existence chk
   * [mod_deflate] fix potential NULL deref in err case
   * [core] save errno around close() if fstat() fails
   * [mod_ssi] use stat_cache_open_rdonly_fstat()
   * [core] fdevent_dup_cloexec()
   * [core] dup FILE_CHUNK fd when splitting FILE_CHUNK
   * [core] stat_cache_path_isdir()
   * [multiple] use stat_cache_path_isdir()
   * [mod_mbedtls] quiet CLOSE_NOTIFY after conn reset
   * [mod_gnutls] quiet CLOSE_NOTIFY after conn reset
   * [core] limit num ranges in Range requests
   * [core] remove unused r->content_length
   * [core] http_response_parse_range() const file sz
   * [core] pass open fd to http_response_parse_range
   * [core] stat_cache_get_entry_open()
   * [core,mod_deflate] leverage cache of open fd
   * [doc] comment out config disabling Range for .pdf
   * [core] coalesce nearby ranges in Range requests
   * [mod_fastcgi] decode chunked is cold code path
   * [core] fix chunkqueue_compact_mem w/ partial chunk
   * [core] alloc optim reading file, sending chunked
   * [core] reuse chunkqueue_compact_mem*()
   * [mod_cgi] use splice() to send input to CGI
   * [multiple] ignore openssl 3.0.0 deprecation warns
   * [mod_openssl] migrate ticket cb to openssl 3.0.0
   * [mod_openssl] construct OSSL_PARAM on stack
   * [mod_openssl] merge ssl_tlsext_ticket_key_cb impls
   * [multiple] openssl 3.0.0 digest interface migrate
   * [tests] detect multiple SSL/TLS/crypto providers
   * [core] sys-crypto-md.h consistent interfaces
   * [wolfssl] wolfSSL_CTX_set_mode differs from others
   * [multiple] use NSS crypto if no other crypto avail
   * [multiple] stat_cache_path_stat() for struct st
   * [TLS] ignore empty "CipherString" in ssl-conf-cmd
   * [multiple] remove chunk file.start member
   * [core] modify use of getrlimit() to not be fatal
   * [mod_webdav] add missing update to cq accounting
   * [mod_webdav] update defaults after worker_init
   * [mod_openssl] use newer openssl 3.0.0 func
   * [core] config_plugin_value_to_int32()
   * [core] minimize pause during graceful restart
   * [mod_deflate] use large mmap chunks to compress
   * [core] stat_cache_entry reference counting
   * [core] FILE_CHUNK can hold stat_cache_entry ref
   * [core] http_chunk_append_file_ref_range()
   * [multiple] use http_chunk_append_file_ref()
   * [core] always lseek() with shared fd
   * [core] silence coverity warnings (false positives)
   * [core] silence coverity warnings in ls-hpack
   * [core] silence coverity warnings (another try)
   * [core] fix fd sharing when splitting file chunk
   * [mod_mbedtls] quiet unused variable warning
   * [core] use inline funcs in sys-crypto-md.h
   * [core] add missing declaration for NSS rand
   * [core] init NSS lib for basic crypto algorithms
   * [doc] change mod_compress refs to mod_deflate
   * [doc] replace bzip2 refs with brotli
   * [build] remove svnversion from versionstamp rule
   * [doc] /var/run -> /run
   * [multiple] test for nss includes
   * [mod_nss] more nss includes fixes
   * [mod_webdav] define _NETBSD_SOURCE on NetBSD
   * [core] silence coverity warnings (another try)
   * [mod_mbedtls] newer mbedTLS vers support TLSv1.3
   * [mod_accesslog] update defaults after cycling log
   * [multiple] add some missing config cleanup
   * [core] fix (startup) mem leaks in configparser.y
   * [core] STAILQ_* -> SIMPLEQ_* on OpenBSD
   * [mod_wolfssl] use more wolfssl/options.h defines
   * [mod_wolfssl] cripple SNI if not built OPENSSL_ALL
   * [mod_wolfssl] need to build --enable-alpn for ALPN
   * [mod_secdownload] fix compile w/ NSS on FreeBSD
   * [mod_mbedtls] wrap addtl code in preproc defines
   * [TLS] server.feature-flags "ssl.session-cache"
   * [core] workaround fragile code in wolfssl types.h
   * [core] move misplaced error trace to match option
   * [core] adjust wolfssl workaround for another case
   * [multiple] consistent order for crypto lib select
   * [multiple] include mbedtls/config.h after select
   * [multiple] include wolfssl/options.h after select
   * [core] set NSS_VER_INCLUDE after crypto lib select
   * [core] use system xxhash lib if available
   * [doc] refresh doc/config/conf.d/mime.conf
   * [meson] add matching -I for lua lib version
   * [build] prepend search for lua version 5.4
   * [core] use inotify in stat_cache.[ch] on Linux
   * [build] detect inotify header 
   * [mod_nss] update session ticket NSS devel comment
   * [core] set last_used on rd/wr from backend (fixes #3029)
   * [core] cold func for gw_recv_response error case
   * [core] use kqueue() instead of FAM/gamin on *BSD
   * [core] no graceful-restart-bg on OpenBSD, NetBSD
   * [mod_openssl] add LIBRESSL_VERSION_NUMBER checks
   * [core] use struct kevent on stack in stat_cache
   * [core] stat_cache preprocessor paranoia
   * [mod_openssl] adjust LIBRESSL_VERSION_NUMBER check
   * [mod_maxminddb] fix config validation typo
   * [tests] allow LIGHTTPD_EXE_PATH override
   * [multiple] handle NULL val as empty in *_env_add (fixes #3030)
   * [core] accept "HTTP/2.0", "HTTP/3.0" from backends (fixes #3031)
   * [build] check for xxhash in more ways
   * [core] accept "HTTP/2.0", "HTTP/3.0" from backends (#3031)
   * [core] http_response_buffer_append_authority()
   * [core] define SHA*_DIGEST_LENGTH macros if missing
   * [doc] update optional pkg dependencies in INSTALL
   * [mod_alias] validate given order, not sorted order
   * [core] filter out duplicate modules
   * [mod_cgi] fix crash if initial write to CGI fails
   * [mod_cgi] ensure tmp file open() before splice()
   * [multiple] add back-pressure gw data pump (fixes #3033)
   * [core] fix bug when HTTP/2 frames span chunks
   * [multiple] more forgiving config str to boolean (fixes #3036)
   * [core] check for __builtin_expect() availability
   * [core] quiet more request parse errs unless debug
   * [core] consolidate chunk size checks
   * [mod_flv_streaming] use stat_cache_get_entry_open
   * [mod_webdav] pass full path to webdav_unlinkat()
   * [mod_webdav] fallbacks if _ATFILE_SOURCE not avail
   * [mod_fastcgi] move src/fastcgi.h into src/compat/
   * [mod_status] add additional HTML-encoding
   * [core] server.v4mapped option
   * [mod_webdav] workaround for gvfs dir redir bug

   - Remove SuSEfirewall2 service files, SuSEfirewall2 does not exist anymore

   - Changed /etc/logrotate.d/lighttpd from init.d to systemd fix boo#1146452.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-24=1



Package List:

   - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

      lighttpd-1.4.64-bp153.2.3.1
      lighttpd-mod_authn_gssapi-1.4.64-bp153.2.3.1
      lighttpd-mod_authn_ldap-1.4.64-bp153.2.3.1
      lighttpd-mod_authn_pam-1.4.64-bp153.2.3.1
      lighttpd-mod_authn_sasl-1.4.64-bp153.2.3.1
      lighttpd-mod_magnet-1.4.64-bp153.2.3.1
      lighttpd-mod_maxminddb-1.4.64-bp153.2.3.1
      lighttpd-mod_rrdtool-1.4.64-bp153.2.3.1
      lighttpd-mod_vhostdb_dbi-1.4.64-bp153.2.3.1
      lighttpd-mod_vhostdb_ldap-1.4.64-bp153.2.3.1
      lighttpd-mod_vhostdb_mysql-1.4.64-bp153.2.3.1
      lighttpd-mod_vhostdb_pgsql-1.4.64-bp153.2.3.1
      lighttpd-mod_webdav-1.4.64-bp153.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2022-22707.html
   https://bugzilla.suse.com/1146452
   https://bugzilla.suse.com/1181400
   https://bugzilla.suse.com/1194376