I am a lighttpd developer and have prepared patches for Ubuntu updates/backports.
lighttpd 1.4.76 is the current stable lighttpd release and is the best available version of lighttpd.
Added in lighttpd 1.4.76:
* Detect VU#421644 HTTP/2 CONTINUATION Flood
* Avoid CVE-2024-3094 xz supply chain attack
Noble should upgrade lighttpd 1.4.74 to lighttpd 1.4.76.
The Mantic Minotaur should upgrade lighttpd 1.4.69 to lighttpd 1.4.76 and needs a single patch for behavior compatibility to revert the upgrade to stronger TLS defaults (revert lighttpd commit 87b3a9cab8d964330aef12db9f78aae66eaf0968). While I consider incremental improvement of secure defaults something that should be backported for best security practices, I understand that Ubuntu policy differs.
0001-Revert-TLS-default-to-stronger-ciphers-w-PFS-and-AEA.patch
The Jammy Jellyfish should upgrade lighttpd 1.4.63 to lighttpd 1.4.76 and needs a few patches for behavior compatibility -- again to downgrade stronger lighttpd TLS defaults to weaker defaults in lighttpd 1.4.63 -- and to restore deprecated TLS directives, and to restore deprecated modules.
0001-Revert-TLS-default-to-stronger-ciphers-w-PFS-and-AEA.patch
0002-Revert-TLS-simplify-TLS-config-remove-deprecated-opt.patch
0003-Revert-TLS-upgrade-default-cipher-list-to-stronger-s.patch
0004-Revert-multiple-remove-deprecated-modules.patch
0005-Revert-multiple-remove-long-deprecated-modules.patch
lighttpd 1.4.73 contains detection for HTTP/2 Rapid Reset attacks, which The Mantic Minotaur and The Jammy Jellyfish ought to have in security and/or updates.