===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4914
                         lighttpd security update
                              4 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           lighttpd
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-37797  

Original Bulletin: 
   https://www.debian.org/lts/security/2022/dla-3133

Comment: CVSS (Max):  7.5 CVE-2022-37797 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3133-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Helmut Grohne
October 03, 2022                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : lighttpd
Version        : 1.4.53-4+deb10u3
CVE ID         : CVE-2022-37797

An invalid HTTP request (websocket handshake) may cause a NULL
pointer dereference in the wstunnel module.

For Debian 10 buster, this problem has been fixed in version
1.4.53-4+deb10u3.

We recommend that you upgrade your lighttpd packages.

For the detailed security status of lighttpd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lighttpd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================