Security update for lighttpd SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:10140-1 Final 1 1 2022-10-03T12:02:08Z current 2022-10-03T12:02:08Z 2022-10-03T12:02:08Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for lighttpd This update for lighttpd fixes the following issues: lighttpd was updated to 1.4.67: * Update comment about TCP_INFO on OpenBSD * [mod_ajp13] fix crash with bad response headers (fixes #3170) * [core] handle RDHUP when collecting chunked body CVE-2022-41556 (boo#1203872) * [core] tweak streaming request body to backends * [core] handle ENOSPC with pwritev() (#3171) * [core] manually calculate off_t max (fixes #3171) * [autoconf] force large file support (#3171) * [multiple] quiet coverity warnings using casts * [meson] add license keyword to project declaration The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2022-10140 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T6C6UOQL3XPIYN6MAYXR6H6PCUA7Q4N4/ E-Mail link for openSUSE-SU-2022:10140-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1203872 SUSE Bug 1203872 https://www.suse.com/security/cve/CVE-2022-41556/ SUSE CVE CVE-2022-41556 page SUSE Package Hub 15 SP3 SUSE Package Hub 15 SP4 openSUSE Leap 15.3 openSUSE Leap 15.4 lighttpd-1.4.67-bp154.2.6.1 lighttpd-mod_authn_gssapi-1.4.67-bp154.2.6.1 lighttpd-mod_authn_ldap-1.4.67-bp154.2.6.1 lighttpd-mod_authn_pam-1.4.67-bp154.2.6.1 lighttpd-mod_authn_sasl-1.4.67-bp154.2.6.1 lighttpd-mod_magnet-1.4.67-bp154.2.6.1 lighttpd-mod_maxminddb-1.4.67-bp154.2.6.1 lighttpd-mod_rrdtool-1.4.67-bp154.2.6.1 lighttpd-mod_vhostdb_dbi-1.4.67-bp154.2.6.1 lighttpd-mod_vhostdb_ldap-1.4.67-bp154.2.6.1 lighttpd-mod_vhostdb_mysql-1.4.67-bp154.2.6.1 lighttpd-mod_vhostdb_pgsql-1.4.67-bp154.2.6.1 lighttpd-mod_webdav-1.4.67-bp154.2.6.1 lighttpd-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-mod_authn_gssapi-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-mod_authn_ldap-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-mod_authn_pam-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-mod_authn_sasl-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-mod_magnet-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-mod_maxminddb-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-mod_rrdtool-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-mod_vhostdb_dbi-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-mod_vhostdb_ldap-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-mod_vhostdb_mysql-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-mod_vhostdb_pgsql-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-mod_webdav-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP3 lighttpd-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-mod_authn_gssapi-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-mod_authn_ldap-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-mod_authn_pam-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-mod_authn_sasl-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-mod_magnet-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-mod_maxminddb-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-mod_rrdtool-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-mod_vhostdb_dbi-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-mod_vhostdb_ldap-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-mod_vhostdb_mysql-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-mod_vhostdb_pgsql-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-mod_webdav-1.4.67-bp154.2.6.1 as a component of SUSE Package Hub 15 SP4 lighttpd-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-mod_authn_gssapi-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-mod_authn_ldap-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-mod_authn_pam-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-mod_authn_sasl-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-mod_magnet-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-mod_maxminddb-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-mod_rrdtool-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-mod_vhostdb_dbi-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-mod_vhostdb_ldap-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-mod_vhostdb_mysql-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-mod_vhostdb_pgsql-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-mod_webdav-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.3 lighttpd-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 lighttpd-mod_authn_gssapi-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 lighttpd-mod_authn_ldap-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 lighttpd-mod_authn_pam-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 lighttpd-mod_authn_sasl-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 lighttpd-mod_magnet-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 lighttpd-mod_maxminddb-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 lighttpd-mod_rrdtool-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 lighttpd-mod_vhostdb_dbi-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 lighttpd-mod_vhostdb_ldap-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 lighttpd-mod_vhostdb_mysql-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 lighttpd-mod_vhostdb_pgsql-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 lighttpd-mod_webdav-1.4.67-bp154.2.6.1 as a component of openSUSE Leap 15.4 A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67. CVE-2022-41556 SUSE Package Hub 15 SP3:lighttpd-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP3:lighttpd-mod_authn_gssapi-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP3:lighttpd-mod_authn_ldap-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP3:lighttpd-mod_authn_pam-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP3:lighttpd-mod_authn_sasl-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP3:lighttpd-mod_magnet-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP3:lighttpd-mod_maxminddb-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP3:lighttpd-mod_rrdtool-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP3:lighttpd-mod_vhostdb_dbi-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP3:lighttpd-mod_vhostdb_ldap-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP3:lighttpd-mod_vhostdb_mysql-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP3:lighttpd-mod_vhostdb_pgsql-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP3:lighttpd-mod_webdav-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-mod_authn_gssapi-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-mod_authn_ldap-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-mod_authn_pam-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-mod_authn_sasl-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-mod_magnet-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-mod_maxminddb-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-mod_rrdtool-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-mod_vhostdb_dbi-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-mod_vhostdb_ldap-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-mod_vhostdb_mysql-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-mod_vhostdb_pgsql-1.4.67-bp154.2.6.1 SUSE Package Hub 15 SP4:lighttpd-mod_webdav-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-mod_authn_gssapi-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-mod_authn_ldap-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-mod_authn_pam-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-mod_authn_sasl-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-mod_magnet-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-mod_maxminddb-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-mod_rrdtool-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-mod_vhostdb_dbi-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-mod_vhostdb_ldap-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-mod_vhostdb_mysql-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-mod_vhostdb_pgsql-1.4.67-bp154.2.6.1 openSUSE Leap 15.3:lighttpd-mod_webdav-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-mod_authn_gssapi-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-mod_authn_ldap-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-mod_authn_pam-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-mod_authn_sasl-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-mod_magnet-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-mod_maxminddb-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-mod_rrdtool-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-mod_vhostdb_dbi-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-mod_vhostdb_ldap-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-mod_vhostdb_mysql-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-mod_vhostdb_pgsql-1.4.67-bp154.2.6.1 openSUSE Leap 15.4:lighttpd-mod_webdav-1.4.67-bp154.2.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T6C6UOQL3XPIYN6MAYXR6H6PCUA7Q4N4/ https://www.suse.com/security/cve/CVE-2022-41556.html CVE-2022-41556 https://bugzilla.suse.com/1203872 SUSE Bug 1203872