openSUSE-SU-2022:10132-1

Security update for lighttpd (moderate)

2022-09-29 00:00:00
lists.opensuse.org

CVSS3 score: 7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

An update that fixes one vulnerability is now available.

Description:

This update for lighttpd fixes the following issues:

lighttpd was updated to 1.4.66:

  • a number of bug fixes
  • Fix HTTP/2 downloads >= 4GiB
  • Fix SIGUSR1 graceful restart with TLS
  • further bug fixes
  • CVE-2022-37797: null pointer dereference in mod_wstunnel, possibly a
    remotely triggerable crash (boo#1203358)
  • In an upcoming release the TLS modules will default to using stronger,
    modern ciphers and will default to allow client preference in selecting
    ciphers.
    new defaults: "CipherString" =>
    "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384", "Options" =>
    "-ServerPreference"
    old defaults: "CipherString" => "HIGH", "Options" =>
    "ServerPreference"
  • A number of TLS options are now deprecated and will be removed in a
    future release: ssl.honor-cipher-order, ssl.dh-file, ssl.ec-curve,
    ssl.disable-client-renegotiation, ssl.use-sslv2, ssl.use-sslv3.
    The replacement option is ssl.openssl.ssl-conf-cmd, but lighttpd
    defaults should be preferred.
  • A number of modules are now deprecated and will be removed in a future
    release: mod_evasive, mod_secdownload, mod_uploadprogress, mod_usertrack
    can be replaced by mod_magnet and a few lines of Lua.
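As an added example (not from the advisory, and not lighttpd's own shipped configuration), a lighttpd.conf TLS block showing the options deprecated in 1.4.66 next to their ssl.openssl.ssl-conf-cmd replacement. The certificate and DH-parameter paths are placeholders, and the MinProtocol and Curves values are an assumed site policy, not something the advisory states.

```conf
# Added example, not from the advisory or from lighttpd's shipped config:
# a lighttpd.conf TLS block migrated off the options deprecated in 1.4.66.
# Certificate and DH-parameter paths are placeholders.

server.modules += ( "mod_openssl" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/PLACEHOLDER.pem"

    # Before: options deprecated in 1.4.66, to be removed in a future release.
    # Left commented out so the file does not emit deprecation warnings.
    #ssl.honor-cipher-order           = "enable"
    #ssl.dh-file                      = "/etc/lighttpd/PLACEHOLDER-dhparam.pem"
    #ssl.ec-curve                     = "prime256v1"
    #ssl.disable-client-renegotiation = "enable"
    #ssl.use-sslv2                    = "disable"
    #ssl.use-sslv3                    = "disable"

    # Preferred: set nothing and take lighttpd's defaults, which the advisory
    # says will become CipherString EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384
    # with Options -ServerPreference (client cipher preference honoured).

    # Only where policy requires explicit settings: the replacement option
    # ssl.openssl.ssl-conf-cmd passes OpenSSL SSL_CONF commands. CipherString
    # and Options below mirror the upcoming defaults; MinProtocol and Curves
    # are an assumed policy, not something the advisory specifies.
    ssl.openssl.ssl-conf-cmd = (
        "MinProtocol"  => "TLSv1.2",
        "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384",
        "Options"      => "-ServerPreference",
        "Curves"       => "X25519:P-256"
    )
}
```

Syntax-check the edited file with `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` before reloading the service.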

update to 1.4.65:

  • WebSockets over HTTP/2
  • RFC 8441 Bootstrapping WebSockets with HTTP/2
  • HTTP/2 PRIORITY_UPDATE
  • RFC 9218 Extensible Prioritization Scheme for HTTP
  • prefix/suffix conditions in lighttpd.conf
  • mod_webdav safe partial-PUT
  • webdav.opts += ("partial-put-copy-modify" => "enable")
  • mod_accesslog option: accesslog.escaping = "json"
  • mod_deflate libdeflate build option
  • speed up request body uploads via HTTP/2

Behavior Changes:

  • change default server.max-keep-alive-requests = 1000 to adjust to
    increasing HTTP/2 usage and to web2/web3 application usage (prior
    default was 100)
  • mod_status HTML now includes HTTP/2 control stream id 0 in the output,
    which contains aggregate counts for the HTTP/2 connection (these lines
    can be identified with URL "*", part of the "PRI *" preface)
    alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
  • MIME type application/javascript is translated to text/javascript (RFC
    9239)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Backports SLE-15-SP4:

    zypper in -t patch openSUSE-2022-10132=1

  • openSUSE Backports SLE-15-SP3:

    zypper in -t patch openSUSE-2022-10132=1

OS                      Version  Architectures
openSUSE Backports SLE  15-SP4   aarch64 i586 ppc64le s390x x86_64
openSUSE Backports SLE  15-SP3   aarch64 i586 ppc64le s390x x86_64
