An update that fixes one vulnerability is now available.
Description:
This update for lighttpd fixes the following issues:
lighttpd was updated to 1.4.66:
- a number of bug fixes
- Fix HTTP/2 downloads >= 4GiB
- Fix SIGUSR1 graceful restart with TLS
- further bug fixes
- CVE-2022-37797: null pointer dereference in mod_wstunnel, possibly a
remotely triggerable crash (boo#1203358)
- In an upcoming release the TLS modules will default to stronger, modern
  ciphers and will default to allowing client preference when selecting
  ciphers.
  new defaults: "CipherString" =>
  "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384", "Options" =>
  "-ServerPreference"
  old defaults: "CipherString" => "HIGH", "Options" =>
  "ServerPreference"
- A number of TLS options are now deprecated and will be removed in a
  future release: ssl.honor-cipher-order, ssl.dh-file, ssl.ec-curve,
  ssl.disable-client-renegotiation, ssl.use-sslv2, ssl.use-sslv3.
  The replacement option is ssl.openssl.ssl-conf-cmd, but the lighttpd
  defaults should be preferred.
- A number of modules are now deprecated and will be removed in a future
release: mod_evasive, mod_secdownload, mod_uploadprogress, mod_usertrack
can be replaced by mod_magnet and a few lines of lua.
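As an added illustration (this is not configuration from the advisory or from the lighttpd project), the following lighttpd.conf fragment shows the deprecated TLS options next to the ssl.openssl.ssl-conf-cmd replacement, using the upcoming default cipher string and client-preference setting quoted above. The certificate and key paths, the port and the MinProtocol line are assumptions chosen for the example; the commands passed through ssl.openssl.ssl-conf-cmd are OpenSSL SSL_CONF commands.

```lighttpd
# Added example, not from the advisory or the lighttpd project.
# Paths and the MinProtocol choice are assumptions for illustration.
server.modules += ( "mod_openssl" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/example.test.pem"   # assumed path
    ssl.privkey = "/etc/lighttpd/ssl/example.test.key"   # assumed path

    # Deprecated in 1.4.66 and scheduled for removal; do not add these
    # to new configurations (shown commented out for comparison only):
    #   ssl.honor-cipher-order           = "enable"
    #   ssl.dh-file                      = "/etc/lighttpd/ssl/dhparam.pem"
    #   ssl.ec-curve                     = "prime256v1"
    #   ssl.disable-client-renegotiation = "enable"
    #   ssl.use-sslv2                    = "disable"
    #   ssl.use-sslv3                    = "disable"

    # Replacement: pass OpenSSL SSL_CONF commands through lighttpd.
    # CipherString and Options below are the upcoming lighttpd defaults
    # quoted in the advisory. Leaving this block out entirely keeps the
    # built-in defaults, which the advisory recommends over hand-tuning.
    # Mapping from the deprecated options:
    #   ssl.honor-cipher-order -> "Options" => "ServerPreference" / "-ServerPreference"
    #   ssl.dh-file            -> "DHParameters" => "<file>"
    #   ssl.ec-curve           -> "Curves"       => "<curve list>"
    #   ssl.use-sslv2/sslv3    -> "MinProtocol"  => "TLSv1.2" (assumed value)
    ssl.openssl.ssl-conf-cmd = (
        "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384",
        "Options"      => "-ServerPreference",
        "MinProtocol"  => "TLSv1.2"
    )
}
```

After editing, run lighttpd's syntax check (lighttpd -tt -f /etc/lighttpd/lighttpd.conf) before the graceful restart, since an unknown or misspelled ssl-conf-cmd key is only reported when the configuration is parsed.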
update to 1.4.65:
- WebSockets over HTTP/2
- RFC 8441 Bootstrapping WebSockets with HTTP/2
- HTTP/2 PRIORITY_UPDATE
- RFC 9218 Extensible Prioritization Scheme for HTTP
- prefix/suffix conditions in lighttpd.conf
- mod_webdav safe partial-PUT
- webdav.opts += ("partial-put-copy-modify" => "enable")
- mod_accesslog option: accesslog.escaping = "json"
- mod_deflate libdeflate build option
- speed up request body uploads via HTTP/2
- Behavior changes:
  - The default server.max-keep-alive-requests is now 1000 (the prior
    default was 100), to accommodate increasing HTTP/2 usage and
    web2/web3 application usage.
  - mod_status HTML output now includes HTTP/2 control stream id 0, which
    carries aggregate counts for the HTTP/2 connection. These lines can be
    identified by the URL "*", part of the "PRI *" preface.
    Alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
- MIME type application/javascript is translated to text/javascript (RFC
9239)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
  zypper in -t patch openSUSE-2022-10132=1
- openSUSE Backports SLE-15-SP3:
  zypper in -t patch openSUSE-2022-10132=1