openSUSE-SU-2022:10132-1

Опубликовано: 29 сент. 2022

Источник: suse-cvrf

Описание

Security update for lighttpd

This update for lighttpd fixes the following issues:

lighttpd was updated to 1.4.66:

a number of bug fixes
Fix HTTP/2 downloads >= 4GiB
Fix SIGUSR1 graceful restart with TLS
futher bug fixes
CVE-2022-37797: null pointer dereference in mod_wstunnel, possibly a remotely triggerable crash (boo#1203358)
In an upcoming release the TLS modules will default to using stronger, modern chiphers and will default to allow client preference in selecting ciphers. “CipherString” => “EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384”, “Options” => “-ServerPreference” old defaults: “CipherString” => “HIGH”, “Options” => “ServerPreference”
A number of TLS options are how deprecated and will be removed in a future release: – ssl.honor-cipher-order – ssl.dh-file – ssl.ec-curve – ssl.disable-client-renegotiation – ssl.use-sslv2 – ssl.use-sslv3 The replacement option is ssl.openssl.ssl-conf-cmd, but lighttpd defaults should be prefered
A number of modules are now deprecated and will be removed in a future release: mod_evasive, mod_secdownload, mod_uploadprogress, mod_usertrack can be replaced by mod_magnet and a few lines of lua.

update to 1.4.65:

WebSockets over HTTP/2
RFC 8441 Bootstrapping WebSockets with HTTP/2
HTTP/2 PRIORITY_UPDATE
RFC 9218 Extensible Prioritization Scheme for HTTP
prefix/suffix conditions in lighttpd.conf
mod_webdav safe partial-PUT
webdav.opts += (“partial-put-copy-modify” => “enable”)
mod_accesslog option: accesslog.escaping = “json”
mod_deflate libdeflate build option
speed up request body uploads via HTTP/2
Behavior Changes
change default server.max-keep-alive-requests = 1000 to adjust
to increasing HTTP/2 usage and to web2/web3 application usage
(prior default was 100)
mod_status HTML now includes HTTP/2 control stream id 0 in the output
which contains aggregate counts for the HTTP/2 connection
(These lines can be identified with URL ‘*’, part of “PRI *” preface)
alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
MIME type application/javascript is translated to text/javascript (RFC 9239)

Список пакетов

SUSE Package Hub 15 SP3

lighttpd-1.4.66-bp154.2.3.1

lighttpd-mod_authn_gssapi-1.4.66-bp154.2.3.1

lighttpd-mod_authn_ldap-1.4.66-bp154.2.3.1

lighttpd-mod_authn_pam-1.4.66-bp154.2.3.1

lighttpd-mod_authn_sasl-1.4.66-bp154.2.3.1

lighttpd-mod_magnet-1.4.66-bp154.2.3.1

lighttpd-mod_maxminddb-1.4.66-bp154.2.3.1

lighttpd-mod_rrdtool-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_dbi-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_ldap-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_mysql-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_pgsql-1.4.66-bp154.2.3.1

lighttpd-mod_webdav-1.4.66-bp154.2.3.1

SUSE Package Hub 15 SP4

lighttpd-1.4.66-bp154.2.3.1

lighttpd-mod_authn_gssapi-1.4.66-bp154.2.3.1

lighttpd-mod_authn_ldap-1.4.66-bp154.2.3.1

lighttpd-mod_authn_pam-1.4.66-bp154.2.3.1

lighttpd-mod_authn_sasl-1.4.66-bp154.2.3.1

lighttpd-mod_magnet-1.4.66-bp154.2.3.1

lighttpd-mod_maxminddb-1.4.66-bp154.2.3.1

lighttpd-mod_rrdtool-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_dbi-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_ldap-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_mysql-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_pgsql-1.4.66-bp154.2.3.1

lighttpd-mod_webdav-1.4.66-bp154.2.3.1

openSUSE Leap 15.3

lighttpd-1.4.66-bp154.2.3.1

lighttpd-mod_authn_gssapi-1.4.66-bp154.2.3.1

lighttpd-mod_authn_ldap-1.4.66-bp154.2.3.1

lighttpd-mod_authn_pam-1.4.66-bp154.2.3.1

lighttpd-mod_authn_sasl-1.4.66-bp154.2.3.1

lighttpd-mod_magnet-1.4.66-bp154.2.3.1

lighttpd-mod_maxminddb-1.4.66-bp154.2.3.1

lighttpd-mod_rrdtool-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_dbi-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_ldap-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_mysql-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_pgsql-1.4.66-bp154.2.3.1

lighttpd-mod_webdav-1.4.66-bp154.2.3.1

openSUSE Leap 15.4

lighttpd-1.4.66-bp154.2.3.1

lighttpd-mod_authn_gssapi-1.4.66-bp154.2.3.1

lighttpd-mod_authn_ldap-1.4.66-bp154.2.3.1

lighttpd-mod_authn_pam-1.4.66-bp154.2.3.1

lighttpd-mod_authn_sasl-1.4.66-bp154.2.3.1

lighttpd-mod_magnet-1.4.66-bp154.2.3.1

lighttpd-mod_maxminddb-1.4.66-bp154.2.3.1

lighttpd-mod_rrdtool-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_dbi-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_ldap-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_mysql-1.4.66-bp154.2.3.1

lighttpd-mod_vhostdb_pgsql-1.4.66-bp154.2.3.1

lighttpd-mod_webdav-1.4.66-bp154.2.3.1

Ссылки

https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ATUOJQDWIRALBMVI5GOSOGPZP5AWVAZF/
E-Mail link for openSUSE-SU-2022:10132-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1203358
SUSE Bug 1203358
https://www.suse.com/security/cve/CVE-2022-37797/
SUSE CVE CVE-2022-37797 page

Описание

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.

Затронутые продукты

SUSE Package Hub 15 SP3:lighttpd-1.4.66-bp154.2.3.1

SUSE Package Hub 15 SP3:lighttpd-mod_authn_gssapi-1.4.66-bp154.2.3.1

SUSE Package Hub 15 SP3:lighttpd-mod_authn_ldap-1.4.66-bp154.2.3.1

SUSE Package Hub 15 SP3:lighttpd-mod_authn_pam-1.4.66-bp154.2.3.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-37797.html
CVE-2022-37797
https://bugzilla.suse.com/1203358
SUSE Bug 1203358

openSUSE-SU-2022:10132-1

Описание

Список пакетов

SUSE Package Hub 15 SP3

SUSE Package Hub 15 SP4

openSUSE Leap 15.3

openSUSE Leap 15.4

Ссылки

Уязвимость: CVE-2022-37797

Описание

Затронутые продукты

Ссылки