OESA-2022-1491

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1491
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2022-1491.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2022-1491
Upstream
Published
2022-01-22T11:03:28Z
Modified
2025-08-12T05:12:28.594176Z
Summary
lighttpd security update
Details

Secure, fast, compliant and very flexible web-server which has been optimized for high-performance environments. It has a very low memory footprint compared to other webservers and takes care of cpu-load. Its advanced feature-set (FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make it the perfect webserver-software for every server that is suffering load problems.

Security Fix(es):

In lighttpd 1.4.46 through 1.4.63, the modextforwardForwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes representing -1), as demonstrated by remote denial of service (daemon crash) in a non-default configuration. The non-default configuration requires handling of the Forwarded header in a somewhat unusual manner. Also, a 32-bit system is much more likely to be affected than a 64-bit system.(CVE-2022-22707)

Database specific 
{
    "severity": "Medium"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / lighttpd

Package

Name
lighttpd
Purl
pkg:rpm/openEuler/lighttpd&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.53-2.oe1

Ecosystem specific 

{
    "noarch": [
        "lighttpd-filesystem-1.4.53-2.oe1.noarch.rpm"
    ],
    "src": [
        "lighttpd-1.4.53-2.oe1.src.rpm"
    ],
    "aarch64": [
        "lighttpd-mod_authn_mysql-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-fastcgi-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-mod_authn_gssapi-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-mod_authn_pam-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-mod_mysql_vhost-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-debuginfo-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-debugsource-1.4.53-2.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "lighttpd-debuginfo-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-mod_authn_gssapi-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-debugsource-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-mod_authn_mysql-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-mod_mysql_vhost-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-mod_authn_pam-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-fastcgi-1.4.53-2.oe1.x86_64.rpm"
    ]
}

openEuler:20.03-LTS-SP2 / lighttpd

Package

Name
lighttpd
Purl
pkg:rpm/openEuler/lighttpd&distro=openEuler-20.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.53-2.oe1

Ecosystem specific 

{
    "noarch": [
        "lighttpd-filesystem-1.4.53-2.oe1.noarch.rpm"
    ],
    "src": [
        "lighttpd-1.4.53-2.oe1.src.rpm"
    ],
    "aarch64": [
        "lighttpd-debugsource-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-fastcgi-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-mod_mysql_vhost-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-mod_authn_pam-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-mod_authn_gssapi-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-debuginfo-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-mod_authn_mysql-1.4.53-2.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "lighttpd-mod_authn_gssapi-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-mod_mysql_vhost-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-debuginfo-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-mod_authn_mysql-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-mod_authn_pam-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-fastcgi-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-debugsource-1.4.53-2.oe1.x86_64.rpm"
    ]
}

openEuler:20.03-LTS-SP3 / lighttpd

Package

Name
lighttpd
Purl
pkg:rpm/openEuler/lighttpd&distro=openEuler-20.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.53-2.oe1

Ecosystem specific 

{
    "noarch": [
        "lighttpd-filesystem-1.4.53-2.oe1.noarch.rpm"
    ],
    "src": [
        "lighttpd-1.4.53-2.oe1.src.rpm"
    ],
    "aarch64": [
        "lighttpd-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-debuginfo-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-mod_authn_mysql-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-mod_authn_pam-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-mod_mysql_vhost-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-fastcgi-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-mod_authn_gssapi-1.4.53-2.oe1.aarch64.rpm",
        "lighttpd-debugsource-1.4.53-2.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "lighttpd-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-debugsource-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-mod_authn_mysql-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-fastcgi-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-mod_authn_gssapi-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-mod_authn_pam-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-debuginfo-1.4.53-2.oe1.x86_64.rpm",
        "lighttpd-mod_mysql_vhost-1.4.53-2.oe1.x86_64.rpm"
    ]
}