Package: lighttpd
Version: 1.4.69-1

Dear maintainer,

With the recent discovery of the HTTP/2 Rapid Reset vulnerability (CVE-2023-44487) I took a closer look at the web services I host on lighttpd and came to the conclusion that the increased complexity of HTTP/2 provides no benefit to these trivially simple pages. So I decided that I'd rather disable HTTP/2.

Unfortunately integrating this into my configuration management was more difficult than I had hoped for, since it required patching of the /etc/lighttpd/lighttpd.conf file.

Please consider splitting the HTTP/2 configuration into a separate conf-available file to make it easier to enable/disable the configuration (lighttpd-(en|dis)able-mod).

Thank you.

Kind regards,
Dennis