I am a lighttpd developer and have prepared patches for Ubuntu updates/backports.
lighttpd 1.4.76 is the current stable lighttpd release and is the best available version of lighttpd.

Added in lighttpd 1.4.76:
* Detect VU#421644 HTTP/2 CONTINUATION Flood
* Avoid CVE-2024-3094 xz supply chain attack

Noble should upgrade lighttpd 1.4.74 to lighttpd 1.4.76.

The Mantic Minotaur should upgrade lighttpd 1.4.69 to lighttpd 1.4.76 and needs a single patch for behavior compatibility to revert the upgrade to stronger TLS defaults (revert lighttpd commit 87b3a9cab8d964330aef12db9f78aae66eaf0968). While I consider incremental improvement of secure defaults something that should be backported for best security practices, I understand that Ubuntu policy differs.

0001-Revert-TLS-default-to-stronger-ciphers-w-PFS-and-AEA.patch

The Jammy Jellyfish should upgrade lighttpd 1.4.63 to lighttpd 1.4.76 and needs a few patches for behavior compatibility -- again to downgrade stronger lighttpd TLS defaults to weaker defaults in lighttpd 1.4.63 -- and to restore deprecated TLS directives, and to restore deprecated modules.

0001-Revert-TLS-default-to-stronger-ciphers-w-PFS-and-AEA.patch
0002-Revert-TLS-simplify-TLS-config-remove-deprecated-opt.patch
0003-Revert-TLS-upgrade-default-cipher-list-to-stronger-s.patch
0004-Revert-multiple-remove-deprecated-modules.patch

lighttpd 1.4.73 contains detection for HTTP/2 Rapid Reset attacks, which The Mantic Minotaur and The Jammy Jellyfish ought to have in security and/or updates.

** Patch added: "0001-Revert-TLS-default-to-stronger-ciphers-w-PFS-and-AEA.patch"
   https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/2058045/+attachment/5764999/+files/0001-Revert-TLS-default-to-stronger-ciphers-w-PFS-and-AEA.patch

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2058045

Title: please upgrade: lighttpd 1.4.76