Debian has issued an advisory on September 28: https://www.debian.org/security/2022/dsa-5243 The issues are fixed upstream in 1.4.67.
CC: (none) => nicolas.salgueroStatus comment: (none) => Fixed upstream in 1.4.67
Suggested advisory: ======================== The updated packages fix security vulnerabilities: In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition. (CVE-2022-37797) A resource leak in mod_fastcgi and mod_scgi could lead to a denial of service after a large number of bad HTTP requests. (CVE-2022-41556) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37797 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41556 https://www.debian.org/security/2022/dsa-5243 ======================== Updated packages in core/updates_testing: ======================== lighttpd-mod_webdav-1.4.59-1.2.mga8 lighttpd-mod_cml-1.4.59-1.2.mga8 lighttpd-mod_mysql_vhost-1.4.59-1.2.mga8 lighttpd-mod_auth-1.4.59-1.2.mga8 lighttpd-mod_authn_ldap-1.4.59-1.2.mga8 lighttpd-mod_magnet-1.4.59-1.2.mga8 lighttpd-mod_uploadprogress-1.4.59-1.2.mga8 lighttpd-mod_geoip-1.4.59-1.2.mga8 lighttpd-mod_authn_file-1.4.59-1.2.mga8 lighttpd-mod_ajp13-1.4.59-1.2.mga8 lighttpd-mod_authn_mysql-1.4.59-1.2.mga8 lighttpd-mod_trigger_b4_dl-1.4.59-1.2.mga8 lighttpd-mod_deflate-1.4.59-1.2.mga8 lighttpd-1.4.59-1.2.mga8 from SRPM: lighttpd-1.4.59-1.2.mga8.src.rpm
Status: NEW => ASSIGNEDCVE: (none) => CVE-2022-37797, CVE-2022-41556Status comment: Fixed upstream in 1.4.67 => (none)Assignee: smelror => qa-bugs
Tested in a mga8-64 Plasma VirtualBox guest. Installed current versions of the above packages, then... # systemctl start lighttpd # systemctl status lighttpd ● lighttpd.service - Lightning Fast Webserver With Light System Requirements Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; disabled; vendor preset: disabled) Active: active (running) since Wed 2022-10-12 19:34:09 EDT; 18s ago Process: 11176 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS) Main PID: 11177 (lighttpd-angel) Tasks: 2 (limit: 4695) Memory: 924.0K CPU: 18ms CGroup: /system.slice/lighttpd.service ├─11177 /usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf └─11178 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf Oct 12 19:34:09 localhost systemd[1]: Starting Lightning Fast Webserver With Light System Requirements... Oct 12 19:34:09 localhost lighttpd[11176]: Syntax OK Oct 12 19:34:09 localhost systemd[1]: Started Lightning Fast Webserver With Light System Requirements. Oct 12 19:34:09 localhost lighttpd-angel[11178]: 2022-10-12 19:34:09: network.c.221) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty ad> ~ Stopped lighttpd service. Used qarepo to download and update the above packages, with no installation issues, then... # systemctl start lighttpd # systemctl status lighttpd ● lighttpd.service - Lightning Fast Webserver With Light System Requirements Loaded: loaded (/usr/lib/systemd/system/lighttpd.service; disabled; vendor preset: disabled) Active: active (running) since Wed 2022-10-12 19:43:45 EDT; 34s ago Process: 23209 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS) Main PID: 23210 (lighttpd-angel) Tasks: 2 (limit: 4695) Memory: 912.0K CPU: 19ms CGroup: /system.slice/lighttpd.service ├─23210 /usr/sbin/lighttpd-angel -D -f /etc/lighttpd/lighttpd.conf └─23211 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf Oct 12 19:43:45 localhost systemd[1]: Starting Lightning Fast Webserver With Light System Requirements... Oct 12 19:43:45 localhost lighttpd[23209]: Syntax OK Oct 12 19:43:45 localhost systemd[1]: Started Lightning Fast Webserver With Light System Requirements. Oct 12 19:43:45 localhost lighttpd-angel[23211]: 2022-10-12 19:43:45: network.c.221) warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty ad> No differences that I see, other than timestamps. Looks OK to me. Validating. Advisory in Comment 1.
Whiteboard: (none) => MGA8-64-OKCC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0369.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED