Test ID: 1.3.6.1.4.1.25623.1.0.833002
Category: SuSE Local Security Checks
Title: openSUSE: Security Advisory for lighttpd (openSUSE-SU-2022:10132-1)
Summary: The remote host is missing an update for the 'lighttpd' package(s) announced via the openSUSE-SU-2022:10132-1 advisory.

Description:
The remote host is missing an update for the 'lighttpd' package(s) announced via the openSUSE-SU-2022:10132-1 advisory.

Vulnerability Insight:
This update for lighttpd fixes the following issues:

lighttpd was updated to 1.4.66:

* a number of bug fixes

* Fix HTTP/2 downloads >= 4GiB

* Fix SIGUSR1 graceful restart with TLS

* further bug fixes

* CVE-2022-37797: null pointer dereference in mod_wstunnel, possibly a remotely triggerable crash (boo#1203358)

* In an upcoming release the TLS modules will default to using stronger, modern ciphers and will default to allowing client preference in selecting ciphers.
  New defaults: CipherString = EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384, Options = -ServerPreference
  Old defaults: CipherString = HIGH, Options = ServerPreference

* A number of TLS options are now deprecated and will be removed in a future release: ssl.honor-cipher-order, ssl.dh-file, ssl.ec-curve, ssl.disable-client-renegotiation, ssl.use-sslv2, ssl.use-sslv3. The replacement option is ssl.openssl.ssl-conf-cmd, but the lighttpd defaults should be preferred.

* A number of modules are now deprecated and will be removed in a future release: mod_evasive, mod_secdownload, mod_uploadprogress, mod_usertrack. They can be replaced by mod_magnet and a few lines of Lua.

lighttpd was updated to 1.4.65:

* WebSockets over HTTP/2

* RFC 8441 Bootstrapping WebSockets with HTTP/2

* HTTP/2 PRIORITY_UPDATE

* RFC 9218 Extensible Prioritization Scheme for HTTP

* prefix/suffix conditions in lighttpd.conf

* mod_webdav safe partial-PUT: webdav.opts += ("partial-put-copy-modify" => "enable")

* mod_accesslog option: accesslog.escaping = json

* mod_deflate libdeflate build option

* speed up request body uploads via HTTP/2

* Behavior Changes:

  * change default server.max-keep-alive-requests = 1000 to adjust to increasing HTTP/2 usage and to web2/web3 application usage (prior default was 100)

  * mod_status HTML now includes HTTP/2 control stream id 0 in the output, which contains aggregate counts for the HTTP/2 connection

Affected Software/OS:
'lighttpd' package(s) on openSUSE Backports SLE-15-SP4.

Solution:
Please install the updated package(s).

CVSS Score:
7.8

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2022-37797
Debian Security Information: DSA-5243
https://www.debian.org/security/2022/dsa-5243
https://security.gentoo.org/glsa/202210-12
https://redmine.lighttpd.net/issues/3165
https://lists.debian.org/debian-lts-announce/2022/10/msg00002.html

Copyright: Copyright (C) 2024 Greenbone AG
