openSUSE Security Update: Security update for lighttpd
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10132-1
Rating:             moderate
References:         #1203358 
Cross-References:   CVE-2022-37797
CVSS scores:
                    CVE-2022-37797 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-37797 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP3
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for lighttpd fixes the following issues:

   lighttpd was updated to 1.4.66:

   * a number of bug fixes
   * Fix HTTP/2 downloads >= 4GiB
   * Fix SIGUSR1 graceful restart with TLS
   * further bug fixes
   * CVE-2022-37797: null pointer dereference in mod_wstunnel, possibly a
     remotely triggerable crash (boo#1203358)
   * In an upcoming release the TLS modules will default to using stronger,
     modern ciphers and will default to allow client preference in selecting
     ciphers. "CipherString" =>
     "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384", "Options" =>
     "-ServerPreference"
     old defaults: "CipherString" => "HIGH", "Options" => "ServerPreference"
   * A number of TLS options are now deprecated and will be removed in a
     future release: ssl.honor-cipher-order, ssl.dh-file, ssl.ec-curve,
     ssl.disable-client-renegotiation, ssl.use-sslv2, ssl.use-sslv3.
     The replacement option is ssl.openssl.ssl-conf-cmd, but lighttpd
     defaults should be preferred.
   * A number of modules are now deprecated and will be removed in a future
     release: mod_evasive, mod_secdownload, mod_uploadprogress, mod_usertrack
     can be replaced by mod_magnet and a few lines of lua.
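   As an added example (not taken from this advisory or from the lighttpd
   project), the fragment below shows a lighttpd.conf TLS block that drops the
   directives deprecated in 1.4.66 in favour of ssl.openssl.ssl-conf-cmd, using
   the upcoming default CipherString/Options values quoted in the changelog. The
   socket, certificate path and DH parameter path are placeholders, and
   MinProtocol, Curves and DHParameters are standard OpenSSL SSL_CONF command
   names, not values from the advisory.

```conf
# Added example: migrating a lighttpd TLS block off the deprecated options.
# Paths and the listening socket are placeholders.

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/example.pem"      # placeholder path

    # --- deprecated in 1.4.66 and scheduled for removal (shown disabled) ---
    # ssl.honor-cipher-order           = "enable"
    # ssl.dh-file                      = "/etc/lighttpd/dh4096.pem"
    # ssl.ec-curve                     = "prime256v1"
    # ssl.disable-client-renegotiation = "enable"
    # ssl.use-sslv2                    = "disable"
    # ssl.use-sslv3                    = "disable"

    # --- replacement: hand the settings to the TLS library directly ---
    # Omitting this directive entirely takes lighttpd's own defaults, which
    # the changelog says should be preferred. Note the leading "-": the new
    # default "-ServerPreference" lets the client choose, whereas the old
    # default "ServerPreference" (and ssl.honor-cipher-order) did not.
    ssl.openssl.ssl-conf-cmd = (
        "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384",
        "Options"      => "-ServerPreference",
        # OpenSSL SSL_CONF equivalents of the removed directives (assumed
        # mapping, not from the advisory):
        "MinProtocol"  => "TLSv1.2",                      # ssl.use-sslv2/sslv3
        "Curves"       => "X25519:prime256v1",            # ssl.ec-curve
        "DHParameters" => "/etc/lighttpd/dh4096.pem"      # ssl.dh-file (placeholder)
    )
}
```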

   update to 1.4.65:

   * WebSockets over HTTP/2
   * RFC 8441 Bootstrapping WebSockets with HTTP/2
   * HTTP/2 PRIORITY_UPDATE
   * RFC 9218 Extensible Prioritization Scheme for HTTP
   * prefix/suffix conditions in lighttpd.conf
   * mod_webdav safe partial-PUT
   * webdav.opts += ("partial-put-copy-modify" => "enable")
   * mod_accesslog option: accesslog.escaping = "json"
   * mod_deflate libdeflate build option
   * speed up request body uploads via HTTP/2
   * Behavior Changes
   * change default server.max-keep-alive-requests = 1000 to adjust to
     increasing HTTP/2 usage and to web2/web3 application usage (prior
     default was 100)
   * mod_status HTML now includes HTTP/2 control stream id 0 in the output,
     which contains aggregate counts for the HTTP/2 connection (these lines
     can be identified with URL "*", part of the "PRI *" preface)
   * alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
   * MIME type application/javascript is translated to text/javascript (RFC
     9239)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2022-10132=1

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-10132=1



Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

      lighttpd-1.4.66-bp154.2.3.1
      lighttpd-debuginfo-1.4.66-bp154.2.3.1
      lighttpd-debugsource-1.4.66-bp154.2.3.1
      lighttpd-mod_authn_gssapi-1.4.66-bp154.2.3.1
      lighttpd-mod_authn_gssapi-debuginfo-1.4.66-bp154.2.3.1
      lighttpd-mod_authn_ldap-1.4.66-bp154.2.3.1
      lighttpd-mod_authn_ldap-debuginfo-1.4.66-bp154.2.3.1
      lighttpd-mod_authn_pam-1.4.66-bp154.2.3.1
      lighttpd-mod_authn_pam-debuginfo-1.4.66-bp154.2.3.1
      lighttpd-mod_authn_sasl-1.4.66-bp154.2.3.1
      lighttpd-mod_authn_sasl-debuginfo-1.4.66-bp154.2.3.1
      lighttpd-mod_magnet-1.4.66-bp154.2.3.1
      lighttpd-mod_magnet-debuginfo-1.4.66-bp154.2.3.1
      lighttpd-mod_maxminddb-1.4.66-bp154.2.3.1
      lighttpd-mod_maxminddb-debuginfo-1.4.66-bp154.2.3.1
      lighttpd-mod_rrdtool-1.4.66-bp154.2.3.1
      lighttpd-mod_rrdtool-debuginfo-1.4.66-bp154.2.3.1
      lighttpd-mod_vhostdb_dbi-1.4.66-bp154.2.3.1
      lighttpd-mod_vhostdb_dbi-debuginfo-1.4.66-bp154.2.3.1
      lighttpd-mod_vhostdb_ldap-1.4.66-bp154.2.3.1
      lighttpd-mod_vhostdb_ldap-debuginfo-1.4.66-bp154.2.3.1
      lighttpd-mod_vhostdb_mysql-1.4.66-bp154.2.3.1
      lighttpd-mod_vhostdb_mysql-debuginfo-1.4.66-bp154.2.3.1
      lighttpd-mod_vhostdb_pgsql-1.4.66-bp154.2.3.1
      lighttpd-mod_vhostdb_pgsql-debuginfo-1.4.66-bp154.2.3.1
      lighttpd-mod_webdav-1.4.66-bp154.2.3.1
      lighttpd-mod_webdav-debuginfo-1.4.66-bp154.2.3.1

   - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

      lighttpd-1.4.66-bp153.2.9.1
      lighttpd-mod_authn_gssapi-1.4.66-bp153.2.9.1
      lighttpd-mod_authn_ldap-1.4.66-bp153.2.9.1
      lighttpd-mod_authn_pam-1.4.66-bp153.2.9.1
      lighttpd-mod_authn_sasl-1.4.66-bp153.2.9.1
      lighttpd-mod_magnet-1.4.66-bp153.2.9.1
      lighttpd-mod_maxminddb-1.4.66-bp153.2.9.1
      lighttpd-mod_rrdtool-1.4.66-bp153.2.9.1
      lighttpd-mod_vhostdb_dbi-1.4.66-bp153.2.9.1
      lighttpd-mod_vhostdb_ldap-1.4.66-bp153.2.9.1
      lighttpd-mod_vhostdb_mysql-1.4.66-bp153.2.9.1
      lighttpd-mod_vhostdb_pgsql-1.4.66-bp153.2.9.1
      lighttpd-mod_webdav-1.4.66-bp153.2.9.1


References:

   https://www.suse.com/security/cve/CVE-2022-37797.html
   https://bugzilla.suse.com/1203358

openSUSE: 2022:10132-1 moderate: lighttpd

September 29, 2022