openSUSE-SU-2022:10132-1: moderate: Security update for lighttpd
openSUSE Security Update: Security update for lighttpd
______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:10132-1
Rating: moderate
References: #1203358
Cross-References: CVE-2022-37797
CVSS scores:
CVE-2022-37797 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-37797 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Backports SLE-15-SP3
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for lighttpd fixes the following issues:
lighttpd was updated to 1.4.66:
* a number of bug fixes
* Fix HTTP/2 downloads >= 4GiB
* Fix SIGUSR1 graceful restart with TLS
* futher bug fixes
* CVE-2022-37797: null pointer dereference in mod_wstunnel, possibly a
remotely triggerable crash (boo#1203358)
* In an upcoming release the TLS modules will default to using stronger,
modern chiphers and will default to allow client preference in selecting
ciphers. ???CipherString??? =>
???EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384???, ???Options???
=> ???-ServerPreference???
old defaults: ???CipherString??? => ???HIGH???, ???Options??? =>
???ServerPreference???
* A number of TLS options are how deprecated and will be removed in a
future release: ??? ssl.honor-cipher-order ??? ssl.dh-file ???
ssl.ec-curve ??? ssl.disable-client-renegotiation ??? ssl.use-sslv2 ???
ssl.use-sslv3 The replacement option is ssl.openssl.ssl-conf-cmd, but
lighttpd defaults should be prefered
* A number of modules are now deprecated and will be removed in a future
release: mod_evasive, mod_secdownload, mod_uploadprogress, mod_usertrack
can be replaced by mod_magnet and a few lines of lua.
update to 1.4.65:
* WebSockets over HTTP/2
* RFC 8441 Bootstrapping WebSockets with HTTP/2
* HTTP/2 PRIORITY_UPDATE
* RFC 9218 Extensible Prioritization Scheme for HTTP
* prefix/suffix conditions in lighttpd.conf
* mod_webdav safe partial-PUT
* webdav.opts += (???partial-put-copy-modify??? => ???enable???)
* mod_accesslog option: accesslog.escaping = ???json???
* mod_deflate libdeflate build option
* speed up request body uploads via HTTP/2
* Behavior Changes
* change default server.max-keep-alive-requests = 1000 to adjust
* to increasing HTTP/2 usage and to web2/web3 application usage
* (prior default was 100)
* mod_status HTML now includes HTTP/2 control stream id 0 in the output
* which contains aggregate counts for the HTTP/2 connection
* (These lines can be identified with URL ???*???, part of ???PRI *???
preface)
* alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
* MIME type application/javascript is translated to text/javascript (RFC
9239)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2022-10132=1
- openSUSE Backports SLE-15-SP3:
zypper in -t patch openSUSE-2022-10132=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):
lighttpd-1.4.66-bp154.2.3.1
lighttpd-debuginfo-1.4.66-bp154.2.3.1
lighttpd-debugsource-1.4.66-bp154.2.3.1
lighttpd-mod_authn_gssapi-1.4.66-bp154.2.3.1
lighttpd-mod_authn_gssapi-debuginfo-1.4.66-bp154.2.3.1
lighttpd-mod_authn_ldap-1.4.66-bp154.2.3.1
lighttpd-mod_authn_ldap-debuginfo-1.4.66-bp154.2.3.1
lighttpd-mod_authn_pam-1.4.66-bp154.2.3.1
lighttpd-mod_authn_pam-debuginfo-1.4.66-bp154.2.3.1
lighttpd-mod_authn_sasl-1.4.66-bp154.2.3.1
lighttpd-mod_authn_sasl-debuginfo-1.4.66-bp154.2.3.1
lighttpd-mod_magnet-1.4.66-bp154.2.3.1
lighttpd-mod_magnet-debuginfo-1.4.66-bp154.2.3.1
lighttpd-mod_maxminddb-1.4.66-bp154.2.3.1
lighttpd-mod_maxminddb-debuginfo-1.4.66-bp154.2.3.1
lighttpd-mod_rrdtool-1.4.66-bp154.2.3.1
lighttpd-mod_rrdtool-debuginfo-1.4.66-bp154.2.3.1
lighttpd-mod_vhostdb_dbi-1.4.66-bp154.2.3.1
lighttpd-mod_vhostdb_dbi-debuginfo-1.4.66-bp154.2.3.1
lighttpd-mod_vhostdb_ldap-1.4.66-bp154.2.3.1
lighttpd-mod_vhostdb_ldap-debuginfo-1.4.66-bp154.2.3.1
lighttpd-mod_vhostdb_mysql-1.4.66-bp154.2.3.1
lighttpd-mod_vhostdb_mysql-debuginfo-1.4.66-bp154.2.3.1
lighttpd-mod_vhostdb_pgsql-1.4.66-bp154.2.3.1
lighttpd-mod_vhostdb_pgsql-debuginfo-1.4.66-bp154.2.3.1
lighttpd-mod_webdav-1.4.66-bp154.2.3.1
lighttpd-mod_webdav-debuginfo-1.4.66-bp154.2.3.1
- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):
lighttpd-1.4.66-bp153.2.9.1
lighttpd-mod_authn_gssapi-1.4.66-bp153.2.9.1
lighttpd-mod_authn_ldap-1.4.66-bp153.2.9.1
lighttpd-mod_authn_pam-1.4.66-bp153.2.9.1
lighttpd-mod_authn_sasl-1.4.66-bp153.2.9.1
lighttpd-mod_magnet-1.4.66-bp153.2.9.1
lighttpd-mod_maxminddb-1.4.66-bp153.2.9.1
lighttpd-mod_rrdtool-1.4.66-bp153.2.9.1
lighttpd-mod_vhostdb_dbi-1.4.66-bp153.2.9.1
lighttpd-mod_vhostdb_ldap-1.4.66-bp153.2.9.1
lighttpd-mod_vhostdb_mysql-1.4.66-bp153.2.9.1
lighttpd-mod_vhostdb_pgsql-1.4.66-bp153.2.9.1
lighttpd-mod_webdav-1.4.66-bp153.2.9.1
References:
https://www.suse.com/security/cve/CVE-2022-37797.html
https://bugzilla.suse.com/1203358
A lighttpd security update has been released for SUSE Linux Enterprise 15 SP3 and SP4.
