File _patchinfo of Package patchinfo.17655

<patchinfo incident="17655">
  <issue tracker="cve" id="2022-37797"/>
  <issue tracker="bnc" id="1203358">VUL-0: CVE-2022-37797: lighttpd: null pointer dereference in mod_wstunnel</issue>
  <packager>AndreasStieger</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for lighttpd</summary>
  <description>This update for lighttpd fixes the following issues:

lighttpd was updated to 1.4.66:

* a number of bug fixes
* Fix HTTP/2 downloads &gt;= 4GiB
* Fix SIGUSR1 graceful restart with TLS
* further bug fixes
* CVE-2022-37797: null pointer dereference in mod_wstunnel,
  possibly a remotely triggerable crash (boo#1203358)
* In an upcoming release the TLS modules will default to using
  stronger, modern ciphers and will default to allowing client
  preference in selecting ciphers.
  new defaults:
  "CipherString" =&gt; "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384",
  "Options" =&gt; "-ServerPreference"
  old defaults:
  "CipherString" =&gt; "HIGH",
  "Options" =&gt; "ServerPreference"
* A number of TLS options are now deprecated and will be removed
  in a future release:
  &#8211; ssl.honor-cipher-order
  &#8211; ssl.dh-file
  &#8211; ssl.ec-curve
  &#8211; ssl.disable-client-renegotiation
  &#8211; ssl.use-sslv2
  &#8211; ssl.use-sslv3
  The replacement option is ssl.openssl.ssl-conf-cmd, but the lighttpd
  defaults should be preferred
* A number of modules are now deprecated and will be removed in a
  future release: mod_evasive, mod_secdownload, mod_uploadprogress and
  mod_usertrack; each can be replaced by mod_magnet and a few lines of Lua.
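As an added illustration (not part of the lighttpd changelog or of this update), the following lighttpd.conf TLS block shows how to stop relying on the deprecated options and express the same settings through ssl.openssl.ssl-conf-cmd. The CipherString and Options values are the upcoming defaults quoted above; the certificate, key and DH parameter paths are placeholders; MinProtocol, Curves and DHParameters are standard OpenSSL SSL_CONF_cmd command names, and the mapping from each deprecated lighttpd option to one of them is an assumption made here, not something the changelog states.

```conf
# Deprecated in 1.4.66 and scheduled for removal; do not add these to new configs:
#   ssl.honor-cipher-order           = "enable"     -> "Options" =&gt; "ServerPreference"
#   ssl.dh-file                      = "<path>"     -> "DHParameters"
#   ssl.ec-curve                     = "<curve>"    -> "Curves"
#   ssl.use-sslv2 / ssl.use-sslv3    = "disable"    -> "MinProtocol"
#   ssl.disable-client-renegotiation = "enable"     -> no replacement needed (renegotiation is not enabled)
# (the mapping on the right is an assumption, not taken from the changelog)

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/example.pem"   # placeholder path
    ssl.privkey = "/etc/lighttpd/certs/example.key"   # placeholder path

    # Replacement for the deprecated options: hand OpenSSL SSL_CONF_cmd settings
    # straight through. Omitting this block entirely keeps lighttpd's own
    # defaults, which the changelog recommends.
    ssl.openssl.ssl-conf-cmd = (
        # upcoming lighttpd defaults (quoted from the changelog above);
        # "-ServerPreference" lets the client's cipher order win
        "CipherString" =&gt; "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384",
        "Options"      =&gt; "-ServerPreference",
        # assumed equivalents for the deprecated options
        "MinProtocol"  =&gt; "TLSv1.2",
        "Curves"       =&gt; "X25519:prime256v1",
        "DHParameters" =&gt; "/etc/lighttpd/dhparam.pem"   # placeholder path
    )
}
```

After editing, `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` parses the file and reports any option lighttpd no longer accepts, which is the check to run before the deprecated options are removed in a later release.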

update to 1.4.65:

* WebSockets over HTTP/2
* RFC 8441 Bootstrapping WebSockets with HTTP/2
* HTTP/2 PRIORITY_UPDATE
* RFC 9218 Extensible Prioritization Scheme for HTTP
* prefix/suffix conditions in lighttpd.conf
* mod_webdav safe partial-PUT
* webdav.opts += ("partial-put-copy-modify" =&gt; "enable")
* mod_accesslog option: accesslog.escaping = "json"
* mod_deflate libdeflate build option
* speed up request body uploads via HTTP/2
* Behavior Changes
  &#8211; change default server.max-keep-alive-requests = 1000 to adjust
    to increasing HTTP/2 usage and to web2/web3 application usage
    (prior default was 100)
  &#8211; mod_status HTML now includes HTTP/2 control stream id 0 in the output,
    which contains aggregate counts for the HTTP/2 connection
    (these lines can be identified with URL &#8216;*&#8217;, part of the &#8220;PRI *&#8221; preface)
    alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
* MIME type application/javascript is translated to text/javascript (RFC 9239)
</description>
</patchinfo>