Oval Definition: oval:org.opensuse.security:def:438
Revision Date: 2022-09-29  Version: 1
Title: Security update for lighttpd (Moderate)
Description:
This update for lighttpd fixes the following issues:

lighttpd was updated to 1.4.66:

* a number of bug fixes
* Fix HTTP/2 downloads >= 4GiB
* Fix SIGUSR1 graceful restart with TLS
* further bug fixes
* CVE-2022-37797: null pointer dereference in mod_wstunnel, possibly a remotely triggerable crash (boo#1203358)
* In an upcoming release the TLS modules will default to using stronger, modern ciphers and will default to allowing client preference when selecting ciphers.
  new defaults:
  "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384",
  "Options" => "-ServerPreference"
  old defaults:
  "CipherString" => "HIGH",
  "Options" => "ServerPreference"
* A number of TLS options are now deprecated and will be removed in a future release:
– ssl.honor-cipher-order
– ssl.dh-file
– ssl.ec-curve
– ssl.disable-client-renegotiation
– ssl.use-sslv2
– ssl.use-sslv3
  The replacement option is ssl.openssl.ssl-conf-cmd, but the lighttpd defaults should be preferred.
* A number of modules are now deprecated and will be removed in a future release: mod_evasive, mod_secdownload, mod_uploadprogress, mod_usertrack. They can be replaced by mod_magnet and a few lines of Lua.

update to 1.4.65:

* WebSockets over HTTP/2
* RFC 8441 Bootstrapping WebSockets with HTTP/2
* HTTP/2 PRIORITY_UPDATE
* RFC 9218 Extensible Prioritization Scheme for HTTP
* prefix/suffix conditions in lighttpd.conf
* mod_webdav safe partial-PUT
* webdav.opts += ("partial-put-copy-modify" => "enable")
* mod_accesslog option: accesslog.escaping = "json"
* mod_deflate libdeflate build option
* speed up request body uploads via HTTP/2
* Behavior Changes
  – change default server.max-keep-alive-requests = 1000 to adjust to increasing HTTP/2 usage and to web2/web3 application usage (prior default was 100)
  – mod_status HTML now includes HTTP/2 control stream id 0 in the output, which contains aggregate counts for the HTTP/2 connection (these lines can be identified by URL '*', part of the "PRI *" preface); alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
  – MIME type application/javascript is translated to text/javascript (RFC 9239)
Family: unix  Class: patch
Status:
Reference(s): 1203358
CVE-2013-6369
CVE-2022-37797
openSUSE-SU-2022:10132-1
Platform(s):openSUSE 12.3 Update
openSUSE 13.1
openSUSE Leap 15.4
SUSE Linux Enterprise Desktop 12 SP1
SUSE Linux Enterprise Desktop 15 SP1
SUSE Linux Enterprise for SAP 12
SUSE Linux Enterprise High Availability 12
SUSE Linux Enterprise High Performance Computing 15 SP1
SUSE Linux Enterprise Live Patching 12
SUSE Linux Enterprise Module for Basesystem 15 SP1
SUSE Linux Enterprise Module for CAP 15
SUSE Linux Enterprise Module for CAP 15 SP1
SUSE Linux Enterprise Module for Containers 15
SUSE Linux Enterprise Module for Development Tools 15
SUSE Linux Enterprise Module for Legacy Software 12
SUSE Linux Enterprise Module for Public Cloud 12
SUSE Linux Enterprise Server 15 SP1
SUSE Linux Enterprise Server for SAP Applications 15 SP1
SUSE Linux Enterprise Software Development Kit 12
SUSE Linux Enterprise Storage 6
SUSE Manager Proxy 4.0
SUSE Manager Server 4.0
Product(s):
Definition Synopsis
  • openSUSE Leap 15.4 is installed
  • AND Package Information
  • lighttpd-1.4.66-bp154.2.3.1 is installed
  • OR lighttpd-mod_authn_gssapi-1.4.66-bp154.2.3.1 is installed
  • OR lighttpd-mod_authn_ldap-1.4.66-bp154.2.3.1 is installed
  • OR lighttpd-mod_authn_pam-1.4.66-bp154.2.3.1 is installed
  • OR lighttpd-mod_authn_sasl-1.4.66-bp154.2.3.1 is installed
  • OR lighttpd-mod_magnet-1.4.66-bp154.2.3.1 is installed
  • OR lighttpd-mod_maxminddb-1.4.66-bp154.2.3.1 is installed
  • OR lighttpd-mod_rrdtool-1.4.66-bp154.2.3.1 is installed
  • OR lighttpd-mod_vhostdb_dbi-1.4.66-bp154.2.3.1 is installed
  • OR lighttpd-mod_vhostdb_ldap-1.4.66-bp154.2.3.1 is installed
  • OR lighttpd-mod_vhostdb_mysql-1.4.66-bp154.2.3.1 is installed
  • OR lighttpd-mod_vhostdb_pgsql-1.4.66-bp154.2.3.1 is installed
  • OR lighttpd-mod_webdav-1.4.66-bp154.2.3.1 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Desktop 12 SP1 is installed
  • AND Package Information
  • pam-1.1.8-14 is installed
  • OR pam-32bit-1.1.8-14 is installed
  • OR pam-doc-1.1.8-14 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Module for Basesystem 15 SP1 is installed
  • AND Package Information
  • libjbig-devel-2.1-1.31 is installed
  • OR libjbig2-2.1-1.31 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Module for Basesystem 15 SP1 is installed
  • AND Package Information
  • libjbig-devel-2.1-1 is installed
  • OR libjbig2-2.1-1 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Module for CAP 15 is installed
  • AND cf-cli-6.43.0-3.3 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Module for CAP 15 SP1 is installed
  • AND cf-cli-6.43.0-3.3 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Module for Containers 15 is installed
  • AND Package Information
  • containerd-1.2.5-5.13 is installed
  • OR docker-18.09.6_ce-6.17 is installed
  • OR docker-bash-completion-18.09.6_ce-6.17 is installed
  • OR docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12 is installed
  • OR docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18 is installed
  • OR golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12 is installed
  • Definition Synopsis
  • SUSE Linux Enterprise Module for Development Tools 15 is installed
  • AND perl-Tk-devel-804.034-1 is installed