!28 [sync] PR-27: Update to 1.4.56 and fix CVE-2022-37797

From: @openeuler-sync-bot 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw

CVE-2022-37797.patch

@@ -0,0 +1,31 @@
+From a8f7ea10802f6363146e11e2552177bc1e5a6e12 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Tue, 13 Sep 2022 05:51:02 +0000
+Subject: [PATCH] [mod_wstunnel] fix crash with bad hybivers (fixes #3165)
+
+x-ref:
+  "mod_wstunnel null pointer dereference"
+  https://redmine.lighttpd.net/issues/3165
+---
+ src/mod_wstunnel.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
+index 6d17d4d..97b89f0 100644
+--- a/src/mod_wstunnel.c
++++ b/src/mod_wstunnel.c
+@@ -483,7 +483,10 @@ static handler_t wstunnel_handler_setup (request_st * const r, plugin_data * con
+     hctx->errh = r->conf.errh;/*(for mod_wstunnel-specific DEBUG_* macros)*/
+     hctx->conf = p->conf; /*(copies struct)*/
+     hybivers = wstunnel_check_request(r, hctx);
+-    if (hybivers < 0) return HANDLER_FINISHED;
++    if (hybivers < 0) {
++        r->handler_module = NULL;
++        return HANDLER_FINISHED;
++    }
+     hctx->hybivers = hybivers;
+     if (0 == hybivers) {
+         DEBUG_LOG_INFO("WebSocket Version = %s", "hybi-00");
+-- 
+2.33.0
+

lighttpd-1.4.56-defaultconf.patch

@@ -1,25 +1,3 @@
---- doc/config/lighttpd.conf~	2014-03-12 11:40:36.000000000 -0500
-+++ doc/config/lighttpd.conf	2014-07-07 08:22:46.934838985 -0500
-@@ -417,7 +417,7 @@
- ##     # Check your cipher list with: openssl ciphers -v '...' (use single quotes as your shell won't like ! in double quotes)
- ##     #
- ##     # If you know you have RSA keys (standard), you can use:
--##     ssl.cipher-list             = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"
-+##     ssl.cipher-list             = "PROFILE=SYSTEM"
- ##     # The more generic version (without the restriction to RSA keys) is
- ##     # ssl.cipher-list           = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK"
- ##     #
---- doc/config/lighttpd.conf~	2016-03-01 10:14:50.000000000 -0500
-+++ doc/config/lighttpd.conf	2016-03-01 10:17:59.194568947 -0500
-@@ -14,7 +14,7 @@
- ## chroot example aswell.
- ##
- var.log_root    = "/var/log/lighttpd"
--var.server_root = "/srv/www"
-+var.server_root = "/var/www"
- var.state_dir   = "/var/run"
- var.home_dir    = "/var/lib/lighttpd"
- var.conf_dir    = "/etc/lighttpd"
 --- doc/config/lighttpd.conf.orig	2016-07-19 09:09:39.000000000 -0500
 +++ doc/config/lighttpd.conf	2016-07-19 09:25:40.282577966 -0500
 @@ -204,7 +204,9 @@
@@ -55,3 +33,36 @@
  
  ##
  #######################################################################
+--- doc/config/lighttpd.conf~	2020-04-27 10:48:12.000000000 -0500
++++ doc/config/lighttpd.conf	2020-04-27 10:55:12.145316446 -0500
+@@ -90,7 +90,7 @@
+ ##
+ ## Use IPv6?
+ ##
+-server.use-ipv6 = "enable"
++#server.use-ipv6 = "enable"
+ 
+ ##
+ ## bind to a specific IP
+--- doc/config/lighttpd.conf~	2020-10-26 14:23:23.000000000 -0500
++++ doc/config/lighttpd.conf	2020-10-26 14:27:55.577840608 -0500
+@@ -14,8 +14,8 @@
+ ## chroot example aswell.
+ ##
+ var.log_root    = "/var/log/lighttpd"
+-var.server_root = "/srv/www"
+-var.state_dir   = "/run"
++var.server_root = "/var/www"
++var.state_dir   = "/run/lighttpd"
+ var.home_dir    = "/var/lib/lighttpd"
+ var.conf_dir    = "/etc/lighttpd"
+ 
+@@ -438,7 +438,7 @@
+ ##
+ ##     # Check your cipher list with: openssl ciphers -v '...'
+ ##     # (use single quotes as your shell won't like ! in double quotes)
+-##     #ssl.cipher-list             = "HIGH"   # default
++##     #ssl.cipher-list             = "PROFILE=SYSTEM"
+ ##
+ ##     # (recommended to accept only TLSv1.2 and TLSv1.3)
+ ##     #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")

lighttpd.spec

@@ -19,17 +19,18 @@
 %bcond_without systemd
 Summary:             Lightning fast webserver with light system requirements
 Name:                lighttpd
-Version:             1.4.53
+Version:             1.4.56
-Release:             2
+Release:             1
 License:             BSD-3-Clause and OML and GPLv3 and GPLv2
 URL:                 https://github.com/lighttpd/lighttpd1.4
-Source0:             https://github.com/lighttpd/lighttpd1.4/archive/lighttpd-1.4.53.tar.gz
+Source0:             http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.gz
 Source1:             lighttpd.logrotate
 Source2:             php.d-lighttpd.ini
 Source3:             lighttpd.init
 Source4:             lighttpd.service
-Patch0:              lighttpd-1.4.45-defaultconf.patch
+Patch0:              lighttpd-1.4.56-defaultconf.patch
 Patch1:              CVE-2022-22707.patch
+Patch2:              CVE-2022-37797.patch
 Requires:            %{name}-filesystem
 %if %{with systemd}
 Requires(post):      systemd
@@ -105,9 +106,10 @@ for the lighttpd server including the correct permissions
 for the directories.
 
 %prep
-%setup -q -n lighttpd1.4-%{name}-%{version}
+%setup -q
 %patch0 -p0 -b .defaultconf
 %patch1 -p1
+%patch2 -p1
 
 %build
 autoreconf -if
@@ -254,6 +256,9 @@ fi
 %attr(0700, lighttpd, lighttpd) %dir %{webroot}/
 
 %changelog
+* Wed Sep 21 2022 yaoxin <yaoxin30@h-partners.com> - 1.4.56-1
+- Update to 1.4.56 and fix CVE-2022-37797
+
 * Fri Jan 14 2022 yaoxin <yaoxin30@huawei.com> - 1.4.53-2
 - Fix CVE-2022-22707