!41 Update to 1.4.72

From: @lyn1001 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia

CVE-2022-22707.patch

@@ -1,90 +0,0 @@
-From 8c62a890e23f5853b1a562b03fe3e1bccc6e7664 Mon Sep 17 00:00:00 2001
-From: povcfe <povcfe@qq.com>
-Date: Wed, 5 Jan 2022 11:11:09 +0000
-Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
-
-(thx povcfe)
-
-(edited: gstrauss)
-
-There is a potential remote denial of service in lighttpd mod_extforward
-under specific, non-default and uncommon 32-bit lighttpd mod_extforward
-configurations.
-
-Under specific, non-default and uncommon lighttpd mod_extforward
-configurations, a remote attacker can trigger a 4-byte out-of-bounds
-write of value '-1' to the stack. This is not believed to be exploitable
-in any way beyond triggering a crash of the lighttpd server on systems
-where the lighttpd server has been built 32-bit and with compiler flags
-which enable a stack canary -- gcc/clang -fstack-protector-strong or
--fstack-protector-all, but bug not visible with only -fstack-protector.
-
-With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
-this bug has not been observed to cause adverse behavior, even with
-gcc/clang -fstack-protector-strong.
-
-For the bug to be reachable, the user must be using a non-default
-lighttpd configuration which enables mod_extforward and configures
-mod_extforward to accept and parse the "Forwarded" header from a trusted
-proxy. At this time, support for RFC7239 Forwarded is not common in CDN
-providers or popular web server reverse proxies. It bears repeating that
-for the user to desire to configure lighttpd mod_extforward to accept
-"Forwarded", the user must also be using a trusted proxy (in front of
-lighttpd) which understands and actively modifies the "Forwarded" header
-sent to lighttpd.
-
-lighttpd natively supports RFC7239 "Forwarded"
-hiawatha natively supports RFC7239 "Forwarded"
-
-nginx can be manually configured to add a "Forwarded" header
-https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
-
-A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
-in front of another 32-bit lighttpd will detect and reject a malicious
-"Forwarded" request header, thereby thwarting an attempt to trigger
-this bug in an upstream 32-bit lighttpd.
-
-The following servers currently do not natively support RFC7239 Forwarded:
-nginx
-apache2
-caddy
-node.js
-haproxy
-squid
-varnish-cache
-litespeed
-
-Given the general dearth of support for RFC7239 Forwarded in popular
-CDNs and web server reverse proxies, and given the prerequisites in
-lighttpd mod_extforward needed to reach this bug, the number of lighttpd
-servers vulnerable to this bug is estimated to be vanishingly small.
-Large systems using reverse proxies are likely running 64-bit lighttpd,
-which is not known to be adversely affected by this bug.
-
-In the future, it is desirable for more servers to implement RFC7239
-Forwarded.  lighttpd developers would like to thank povcfe for reporting
-this bug so that it can be fixed before more CDNs and web servers
-implement RFC7239 Forwarded.
-
-x-ref:
-  "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
-  https://redmine.lighttpd.net/issues/3134
-  (not yet written or published)
-  CVE-2022-22707
----
- src/mod_extforward.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/mod_extforward.c b/src/mod_extforward.c
-index 733231fd2..1a04befa6 100644
---- a/src/mod_extforward.c
-+++ b/src/mod_extforward.c
-@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
-         while (s[i] == ' ' || s[i] == '\t') ++i;
-         if (s[i] == ';') { ++i; continue; }
-         if (s[i] == ',') {
--            if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
-+            if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
-             offsets[++j] = -1; /*("offset" separating params from next proxy)*/
-             ++i;
-             continue;

fix-loading-mod_auth-after-dynamic-modules.patch

@@ -1,62 +0,0 @@
-From 492773a20f8a1deb1c94e25d40023970dd9608a1 Mon Sep 17 00:00:00 2001
-From: Glenn Strauss <gstrauss@gluelogic.com>
-Date: Sun, 5 Dec 2021 07:50:17 -0500
-Subject: [PATCH] [core] fix trace issued for loading mod_auth (fixes #3121)
-
-Origin:https://github.com/lighttpd/lighttpd1.4/commit/492773a20f8a1deb1c94e25d40023970dd9608a1
-
-fix trace issued for loading mod_auth after dynamic modules
-
-x-ref:
-  "Curious message on startup with version 1.4.63"
-  https://redmine.lighttpd.net/boards/2/topics/10182
-  "mod_auth warning on startup"
-  https://redmine.lighttpd.net/issues/3121
----
- src/configfile.c | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/src/configfile.c b/src/configfile.c
-index 5760bb43..033f2c46 100644
---- a/src/configfile.c
-+++ b/src/configfile.c
-@@ -369,6 +369,7 @@ static void config_compat_module_load (server *srv) {
-     int contains_mod_auth      = 0;
-     int prepend_mod_auth       = 0;
-     int prepend_mod_vhostdb    = 0;
-+    const char *dyn_name = NULL;
- 
-     for (uint32_t i = 0; i < srv->srvconf.modules->used; ++i) {
-         buffer *m = &((data_string *)srv->srvconf.modules->data[i])->value;
-@@ -390,8 +391,15 @@ static void config_compat_module_load (server *srv) {
-         else if (buffer_eq_slen(m, CONST_STR_LEN("mod_wolfssl")))
-             append_mod_openssl = 0;
-         else if (0 == strncmp(m->ptr, "mod_auth", sizeof("mod_auth")-1)) {
--            if (buffer_eq_slen(m, CONST_STR_LEN("mod_auth")))
--                contains_mod_auth = 1;
-+            if (buffer_eq_slen(m, CONST_STR_LEN("mod_auth"))) {
-+                if (!contains_mod_auth) {
-+                    contains_mod_auth = 1;
-+                    if (dyn_name)
-+                        log_error(srv->errh, __FILE__, __LINE__,
-+                          "Warning: mod_auth should be listed in server.modules"
-+                          " before dynamic backends such as %s", dyn_name);
-+                }
-+            }
-             else if (!contains_mod_auth)
-                 prepend_mod_auth = 1;
- 
-@@ -422,11 +430,8 @@ static void config_compat_module_load (server *srv) {
-                                          sizeof("mod_sockproxy")-1)
-                  || 0 == strncmp(m->ptr, "mod_wstunnel",
-                                          sizeof("mod_wstunnel")-1)) {
--            if (!contains_mod_auth) {
--                log_error(srv->errh, __FILE__, __LINE__,
--                  "Warning: mod_auth should be listed in server.modules before "
--                  "dynamic backends such as %s", m->ptr);
--            }
-+            if (NULL == dyn_name)
-+                dyn_name = m->ptr;
-         }
-     }
- 

lighttpd-1.4.65-defaultconf.patch

@@ -7,7 +7,7 @@
 -var.server_root = "/srv/www"
 -var.state_dir   = "/run"
 +var.server_root = "/var/www"
-+var.state_dir   = "/var/run"
++var.state_dir   = "/run/lighttpd"
  var.home_dir    = "/var/lib/lighttpd"
  var.conf_dir    = "/etc/lighttpd"
  
@@ -20,3 +20,14 @@
  ##
  ##   # (recommended to accept only TLSv1.2 and TLSv1.3)
  ##   #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")  # default
+--- doc/config/lighttpd.conf~	2022-07-28 10:49:14.928564535 -0500
++++ doc/config/lighttpd.conf	2022-07-28 10:49:47.161444622 -0500
+@@ -118,7 +118,7 @@
+ ##
+ ## Document root
+ ##
+-server.document-root = server_root + "/htdocs"
++server.document-root = server_root + "/lighttpd"
+ 
+ ##
+ ## The value for the "Server:" response field.

lighttpd.init

@@ -1,114 +0,0 @@
-#!/bin/sh
-#
-# lighttpd     Lightning fast webserver with light system requirements
-#
-# chkconfig:   - 85 15
-# description: Secure, fast, compliant and very flexible web-server which has \
-#              been optimized for high-performance environments. It has a \
-#              very low memory footprint compared to other web servers and \
-#              takes care of cpu-load.
-
-### BEGIN INIT INFO
-# Provides: httpd
-# Required-Start: $local_fs $network
-# Required-Stop: $local_fs $network
-# Should-Start: $named
-# Should-Stop: $named
-# Default-Start: 
-# Default-Stop: 0 1 2 3 4 5 6
-# Short-Description: Lightning fast webserver with light system requirements
-# Description:       Secure, fast, compliant and very flexible web-server which
-#                    has been optimized for high-performance environments. It
-#                    has a very low memory footprint compared to other web
-#                    servers and takes care of cpu-load.
-### END INIT INFO
-
-# Source function library.
-. /etc/rc.d/init.d/functions
-
-exec="/usr/sbin/lighttpd"
-prog="lighttpd"
-config="/etc/lighttpd/lighttpd.conf"
-
-[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
-
-lockfile=/var/lock/subsys/$prog
-
-start() {
-    [ -x $exec ] || exit 5
-    [ -f $config ] || exit 6
-    echo -n $"Starting $prog: "
-    daemon $exec -f $config
-    retval=$?
-    echo
-    [ $retval -eq 0 ] && touch $lockfile
-    return $retval
-}
-
-stop() {
-    echo -n $"Stopping $prog: "
-    killproc $prog
-    retval=$?
-    echo
-    [ $retval -eq 0 ] && rm -f $lockfile
-    return $retval
-}
-
-restart() {
-    stop
-    start
-}
-
-reload() {
-    echo -n $"Reloading $prog: "
-    killproc $prog -USR1
-    retval=$?
-    echo
-    return $retval
-}
-
-force_reload() {
-    restart
-}
-
-rh_status() {
-    status $prog
-}
-
-rh_status_q() {
-    rh_status &>/dev/null
-}
-
-
-case "$1" in
-    start)
-        rh_status_q && exit 0
-        $1
-        ;;
-    stop)
-        rh_status_q || exit 0
-        $1
-        ;;
-    restart)
-        $1
-        ;;
-    reload)
-        rh_status_q || exit 7
-        $1
-        ;;
-    force-reload)
-        force_reload
-        ;;
-    status)
-        rh_status
-        ;;
-    condrestart|try-restart)
-        rh_status_q || exit 0
-        restart
-        ;;
-    *)
-        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
-        exit 2
-esac
-exit $?
-

lighttpd.service

@@ -3,10 +3,12 @@ Description=Lightning Fast Webserver With Light System Requirements
 After=syslog.target network.target
 
 [Service]
-PIDFile=/var/run/lighttpd.pid
+PIDFile=/run/lighttpd.pid
 EnvironmentFile=-/etc/sysconfig/lighttpd
+ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
 ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
 ExecReload=/bin/kill -USR1 $MAINPID
+Restart=on-failure
 
 [Install]
 WantedBy=multi-user.target

lighttpd.spec

@@ -1,58 +1,68 @@
 %define webroot /var/www/lighttpd
-%global _hardened_build 1
 %define confswitch() %{expand:%%{?with_%{1}:--with-%{1}}%%{!?with_%{1}:--without-%{1}}}
-%bcond_without mysql
-%bcond_without ldap
 %bcond_without attr
-%bcond_without openssl
+%bcond_with    pcre
-%bcond_without kerberos5
+%bcond_without pcre2
-%bcond_without pcre
+%bcond_without nettle
-%bcond_with    fam
+%bcond_with    unwind
 %bcond_without lua
+%bcond_without brotli
+%bcond_with    bzip2
+%bcond_without zlib
+%bcond_without zstd
+%bcond_without maxminddb
+%bcond_without dbi
+%bcond_without ldap
+%bcond_without mysql
+%bcond_without pgsql
 %bcond_without krb5
 %bcond_without pam
-%bcond_with    webdavprops
+%bcond_without sasl
-%bcond_with    webdavlocks
+%bcond_without gnutls
-%bcond_without gdbm
+%bcond_with    mbedtls
-%bcond_with    memcache
+%bcond_without nss
+%bcond_without openssl
+%bcond_without webdavprops
+%bcond_without webdavlocks
 %bcond_without tmpfiles
-%bcond_without systemd
 Summary:             Lightning fast webserver with light system requirements
 Name:                lighttpd
-Version:             1.4.63
+Version:             1.4.72
-Release:             4
+Release:             1
 License:             BSD-3-Clause and OML and GPLv3 and GPLv2
 URL:                 https://github.com/lighttpd/lighttpd1.4
-Source0:             http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.gz
+Source0:             http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.xz
 Source1:             lighttpd.logrotate
 Source2:             php.d-lighttpd.ini
-Source3:             lighttpd.init
+Source3:             lighttpd.service
-Source4:             lighttpd.service
+Patch0:              lighttpd-1.4.65-defaultconf.patch
-Patch0:              lighttpd-1.4.62-defaultconf.patch
+Requires:            %{name}-filesystem system-logos
-Patch1:              make-setrlimit-warn-not-fatal.patch
-Patch2:              fix-loading-mod_auth-after-dynamic-modules.patch
-Patch3:              CVE-2022-22707.patch
-Requires:            %{name}-filesystem
-%if %{with systemd}
 Requires(post):      systemd
 Requires(preun):     systemd
 Requires(postun):    systemd
 BuildRequires:       systemd
-%else
+Requires(post):      %{name}-mod_deflate
-Requires(post):      /sbin/chkconfig
+Requires(post):      %{name}-mod_webdav
-Requires(preun):     /sbin/service, /sbin/chkconfig
+%{?with_ldap:Requires(post): %{name}-mod_authn_ldap}
-Requires(postun):    /sbin/service
+%{?with_ldap:Requires(post): %{name}-mod_vhostdb_ldap}
-%endif
+%{?with_lua:Requires(post): %{name}-mod_magnet}
+%{?with_openssl:Requires(post): %{name}-mod_openssl}
 Provides:            webserver
 BuildRequires:       openssl-devel, pcre-devel, bzip2-devel, zlib-devel, autoconf, automake, libtool
-BuildRequires:       /usr/bin/awk, libattr-devel
+BuildRequires:       /usr/bin/awk, libattr-devel, m4, pkg-config
-%{?with_ldap:BuildRequires: openldap-devel}
+%{?with_pcre:BuildRequires: pcre-devel}
-%{?with_fam:BuildRequires: gamin-devel}
+%{?with_pcre2:BuildRequires: pcre2-devel}
-%{?with_webdavprops:BuildRequires: libxml2-devel}
+%{?with_nettle:BuildRequires: nettle-devel}
-%{?with_webdavlocks:BuildRequires: sqlite-devel}
+%{?with_unwind:BuildRequires: libunwind-devel}
-%{?with_gdbm:BuildRequires: gdbm-devel}
+
-%{?with_memcache:BuildRequires: memcached-devel}
+Provides: %{name}-mod_authn_mysql = %{version}-%{release}
-%{?with_lua:BuildRequires: lua-devel}
+Obsoletes: %{name}-mod_authn_mysql <= 1.4.63-1
+ 
+Provides: %{name}-mod_mysql_vhost = %{version}-%{release}
+Obsoletes: %{name}-mod_mysql_vhost <= 1.4.63-1
+
+Provides: %{name}-mod_geoip = %{version}-%{release}
+Obsoletes: %{name}-mod_geoip <= 1.4.63-1
 
 %description
 Secure, fast, compliant and very flexible web-server which has been optimized
@@ -70,32 +80,200 @@ This package contains the spawn-fcgi helper for lighttpd's automatic spawning
 of local FastCGI programs. Included is also a PHP .ini file to change a few
 defaults needed for correct FastCGI behavior.
 
-%package mod_mysql_vhost
+%if %{with dbi}
-Summary:             Virtual host module for lighttpd that uses a MySQL database
+%package mod_authn_dbi
+Summary:             Authentication module for lighttpd that uses DBI
 Requires:            %{name} = %{version}-%{release}
-BuildRequires:       mariadb-connector-c-devel
+%{?with_dbi:BuildRequires: libdbi-devel}
-%description mod_mysql_vhost
+%{?with_dbi:Suggests: libdbi-dbd-mysql}
-Virtual host module for lighttpd that uses a MySQL database.
+%{?with_dbi:Suggests: libdbi-dbd-pgsql}
+%{?with_dbi:Suggests: libdbi-dbd-sqlite}
 
-%package mod_authn_mysql
+%description mod_authn_dbi
-Summary:             Authentication module for lighttpd that uses a MySQL database
+Authentication module for lighttpd that uses DBI
-Requires:            %{name} = %{version}-%{release}
+%endif
-BuildRequires:       mariadb-connector-c-devel
-%description mod_authn_mysql
-Authentication module for lighttpd that uses a MySQL database.
 
+%if %{with krb5}
 %package mod_authn_gssapi
 Summary:             Authentication module for lighttpd that uses GSSAPI
 Requires:            %{name} = %{version}-%{release}
+%{?with_krb5:BuildRequires: krb5-devel}
+
 %description mod_authn_gssapi
 Authentication module for lighttpd that uses GSSAPI
+%endif
 
+%if %{with ldap}
+%package mod_authn_ldap
+Summary:             Authentication module for lighttpd that uses LDAP
+Requires:            %{name} = %{version}-%{release}
+%{?with_ldap:BuildRequires: openldap-devel}
+
+%description mod_authn_ldap
+Authentication module for lighttpd that uses LDAP
+%endif
+
+%if %{with pam}
 %package mod_authn_pam
 Summary:             Authentication module for lighttpd that uses PAM
 Requires:            %{name} = %{version}-%{release}
-BuildRequires:       pam-devel
+%{?with_pam:BuildRequires: pam-devel}
+
 %description mod_authn_pam
 Authentication module for lighttpd that uses PAM.
+%endif
+
+
+%if %{with sasl}
+%package mod_authn_sasl
+Summary:             Authentication module for lighttpd that uses SASL
+Requires:            %{name} = %{version}-%{release}
+%{?with_sasl:BuildRequires: cyrus-sasl-devel}
+
+%description mod_authn_sasl
+Authentication module for lighttpd that uses SASL.
+%endif
+
+
+%package mod_deflate
+Summary:             Compression module for lighttpd
+Requires:            %{name} = %{version}-%{release}
+%{?with_zlib:BuildRequires: zlib-devel}
+%{?with_zstd:BuildRequires: libzstd-devel}
+%{?with_bzip2:BuildRequires: bzip2-devel}
+%{?with_brotli:BuildRequires: brotli-devel}
+
+%description mod_deflate
+Compression module for lighttpd.
+
+
+%if %{with gnutls}
+%package mod_gnutls
+Summary:             TLS module for lighttpd that uses GnuTLS
+Requires:            %{name} = %{version}-%{release}
+%{?with_gnutls:BuildRequires: gnutls-devel}
+
+%description mod_gnutls
+TLS module for lighttpd that uses GnuTLS.
+%endif
+
+
+%if %{with lua}
+%package mod_magnet
+Summary:             Lua module for lighttpd
+Requires:            %{name} = %{version}-%{release}
+%{?with_lua:BuildRequires: lua-devel}
+
+%description mod_magnet
+Lua module for lighttpd.
+%endif
+
+
+%if %{with maxminddb}
+%package mod_maxminddb
+Summary:             GeoIP2 module for lighttpd to use for location lookups
+Requires:            %{name} = %{version}-%{release}
+%{?with_maxminddb:BuildRequires: libmaxminddb-devel}
+%{?with_maxminddb:Recommends: GeoIP-GeoLite-data}
+%{?with_maxminddb:Recommends: GeoIP-GeoLite-data-extra}
+%{?with_maxminddb:Suggests: geoipupdate}
+%{?with_maxminddb:Suggests: geoipupdate-cron}
+
+%description mod_maxminddb
+GeoIP2 module for lighttpd to use for location lookups.
+%endif
+
+
+%if %{with mbedtls}
+%package mod_mbedtls
+Summary:             TLS module for lighttpd that uses mbedTLS
+Requires:            %{name} = %{version}-%{release}
+%{?with_mbedtls:BuildRequires: mbedtls-devel}
+
+%description mod_mbedtls
+TLS module for lighttpd that uses mbedTLS.
+%endif
+
+
+%if %{with nss}
+%package mod_nss
+Summary:             TLS module for lighttpd that uses NSS
+Requires:            %{name} = %{version}-%{release}
+%{?with_nss:BuildRequires: nss-devel}
+
+%description mod_nss
+TLS module for lighttpd that uses NSS.
+%endif
+
+
+%if %{with openssl}
+%package mod_openssl
+Summary:             TLS module for lighttpd that uses OpenSSL
+Requires:            %{name} = %{version}-%{release}
+%{?with_openssl:BuildRequires: openssl-devel}
+
+%description mod_openssl
+TLS module for lighttpd that uses OpenSSL.
+%endif
+
+
+%if %{with dbi}
+%package mod_vhostdb_dbi
+Summary:             Virtual host module for lighttpd that uses DBI
+Requires:            %{name} = %{version}-%{release}
+%{?with_dbi:BuildRequires: libdbi-devel}
+%{?with_dbi:Suggests: libdbi-dbd-mysql}
+%{?with_dbi:Suggests: libdbi-dbd-pgsql}
+%{?with_dbi:Suggests: libdbi-dbd-sqlite}
+
+%description mod_vhostdb_dbi
+Virtual host module for lighttpd that uses DBI.
+%endif
+
+
+%if %{with ldap}
+%package mod_vhostdb_ldap
+Summary:             Virtual host module for lighttpd that uses LDAP
+Requires:            %{name} = %{version}-%{release}
+%{?with_ldap:BuildRequires: openldap-devel}
+
+%description mod_vhostdb_ldap
+Virtual host module for lighttpd that uses LDAP.
+%endif
+
+
+%if %{with mysql}
+%package mod_vhostdb_mysql
+Summary:               Virtual host module for lighttpd that uses MySQL
+Requires:              %{name} = %{version}-%{release}
+%{?with_mysql:BuildRequires: mariadb-connector-c-devel}
+
+%description mod_vhostdb_mysql
+Virtual host module for lighttpd that uses MySQL.
+%endif
+
+
+%if %{with pgsql}
+%package mod_vhostdb_pgsql
+Summary:             Virtual host module for lighttpd that uses PostgreSQL
+Requires:            %{name} = %{version}-%{release}
+%{?with_pgsql:BuildRequires: libpq-devel}
+
+%description mod_vhostdb_pgsql
+Virtual host module for lighttpd that uses PostgreSQL.
+%endif
+
+
+%package mod_webdav
+Summary:             WebDAV module for lighttpd
+Requires:            %{name} = %{version}-%{release}
+%{?with_webdavprops:BuildRequires: libxml2-devel}
+%{?with_webdavprops:BuildRequires: sqlite-devel}
+%{?with_webdavlocks:BuildRequires: libuuid-devel}
+%{?with_webdavlocks:BuildRequires: sqlite-devel}
+
+%description mod_webdav
+WebDAV module for lighttpd.
 
 %package filesystem
 Summary:             The basic directory layout for lighttpd
@@ -109,42 +287,45 @@ for the directories.
 %prep
 %setup -q
 %patch0 -p0 -b .defaultconf
-%patch1 -p1 -b .setrlimit
-%patch2 -p1 -b .fixtrace
-%patch3 -p1
 
 %build
 autoreconf -if
 %configure \
     --libdir='%{_libdir}/lighttpd' \
-    %{confswitch mysql} \
-    %{confswitch pam} \
-    %{confswitch ldap} \
-    %{confswitch attr} \
-    %{confswitch openssl} \
     %{confswitch pcre} \
-    %{confswitch fam} \
+    %{confswitch pcre2} \
+    %{confswitch nettle} \
+    %{confswitch attr} \
+    %{confswitch mysql} \
+    %{confswitch pgsql} \
+    %{confswitch dbi} \
+    %{confswitch krb5} \
+    %{confswitch ldap} \
+    %{confswitch pam} \
+    %{confswitch sasl} \
+    %{confswitch gnutls} \
+    %{confswitch mbedtls} \
+    %{confswitch nss} \
+    %{confswitch openssl} \
     %{?with_webdavprops:--with-webdav-props} \
     %{?with_webdavlocks:--with-webdav-locks} \
-    %{confswitch gdbm} \
+    %{?with_lua:--with-lua=lua} \
-    %{confswitch memcached} \
+    %{confswitch zlib} \
-    %{confswitch lua} \
+    %{confswitch zstd} \
-    %{confswitch krb5}
+    %{confswitch bzip2} \
-make %{?_smp_mflags}
+    %{confswitch brotli} \
+    %{confswitch maxminddb} \
+    %{confswitch unwind}
+%make_build
 
 %install
-make install DESTDIR=%{buildroot}
+%make_install
 install -D -p -m 0644 %{SOURCE1} \
     %{buildroot}%{_sysconfdir}/logrotate.d/lighttpd
 install -D -p -m 0644 %{SOURCE2} \
     %{buildroot}%{_sysconfdir}/php.d/lighttpd.ini
-%if %{with systemd}
+install -D -p -m 0644 %{SOURCE3} \
-install -D -p -m 0644 %{SOURCE4} \
     %{buildroot}%{_unitdir}/lighttpd.service
-%else
-install -D -p -m 0755 %{SOURCE3} \
-    %{buildroot}%{_sysconfdir}/rc.d/init.d/lighttpd
-%endif
 mkdir -p %{buildroot}%{webroot}
 rm -rf config
 cp -a doc/config config
@@ -155,40 +336,25 @@ cp -a config/*.conf config/*.d %{buildroot}%{_sysconfdir}/lighttpd/
 mkdir -p %{buildroot}%{_var}/log/lighttpd
 mkdir -p %{buildroot}%{_var}/run/lighttpd
 %if %{with tmpfiles}
-mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
+mkdir -p %{buildroot}/usr/lib/tmpfiles.d
-echo 'D /var/run/lighttpd 0750 lighttpd lighttpd -' > \
+echo 'D /run/lighttpd 0750 lighttpd lighttpd -' > \
-    %{buildroot}%{_sysconfdir}/tmpfiles.d/lighttpd.conf
+    %{buildroot}/usr/lib/tmpfiles.d/lighttpd.conf
 %endif
+mkdir -p %{buildroot}%{_var}/lib/lighttpd/
 
 %pre filesystem
 /usr/sbin/useradd -s /sbin/nologin -M -r -d %{webroot} \
     -c 'lighttpd web server' lighttpd &>/dev/null || :
 
 %post
-%if %{with systemd}
 %systemd_post lighttpd.service
-%else
-/sbin/chkconfig --add lighttpd
-%endif
 
 %preun
-%if %{with systemd}
 %systemd_preun lighttpd.service
-%else
-if [ $1 -eq 0 ]; then
-    /sbin/service lighttpd stop &>/dev/null || :
-    /sbin/chkconfig --del lighttpd
-fi
-%endif
 
 %postun
-%if %{with systemd}
 %systemd_postun_with_restart lighttpd.service
-%else
+
-if [ $1 -ge 1 ]; then
-    /sbin/service lighttpd condrestart &>/dev/null || :
-fi
-%endif
 
 %files
 %license COPYING
@@ -196,68 +362,177 @@ fi
 %doc config/ doc/scripts/rrdtool-graph.sh
 %config(noreplace) %{_sysconfdir}/lighttpd/*.conf
 %config(noreplace) %{_sysconfdir}/lighttpd/conf.d/*.conf
+%exclude %{_sysconfdir}/lighttpd/conf.d/deflate.conf
 %exclude %{_sysconfdir}/lighttpd/conf.d/fastcgi.conf
-%exclude %{_sysconfdir}/lighttpd/conf.d/mysql_vhost.conf
+%exclude %{_sysconfdir}/lighttpd/conf.d/magnet.conf
+%exclude %{_sysconfdir}/lighttpd/conf.d/webdav.conf
 %config %{_sysconfdir}/lighttpd/conf.d/mod.template
 %config %{_sysconfdir}/lighttpd/vhosts.d/vhosts.template
 %config(noreplace) %{_sysconfdir}/logrotate.d/lighttpd
-%if %{with systemd}
 %{_unitdir}/lighttpd.service
-%else
-%{_sysconfdir}/rc.d/init.d/lighttpd
-%endif
 %if %{with tmpfiles}
-%config(noreplace) %{_sysconfdir}/tmpfiles.d/lighttpd.conf
+%config(noreplace) /usr/lib/tmpfiles.d/lighttpd.conf
 %endif
 %{_sbindir}/lighttpd
 %{_sbindir}/lighttpd-angel
 %{_libdir}/lighttpd/
-%exclude %{_libdir}/lighttpd/*.la
+%exclude %{_libdir}/lighttpd/mod_authn_dbi.so
-%exclude %{_libdir}/lighttpd/mod_fastcgi.so
-%exclude %{_libdir}/lighttpd/mod_mysql_vhost.so
-%exclude %{_libdir}/lighttpd/mod_authn_mysql.so
 %exclude %{_libdir}/lighttpd/mod_authn_gssapi.so
+%exclude %{_libdir}/lighttpd/mod_authn_ldap.so
+%exclude %{_libdir}/lighttpd/mod_authn_pam.so
+%exclude %{_libdir}/lighttpd/mod_authn_sasl.so
+%exclude %{_libdir}/lighttpd/mod_deflate.so
+%exclude %{_libdir}/lighttpd/mod_gnutls.so
+%exclude %{_libdir}/lighttpd/mod_magnet.so
+%exclude %{_libdir}/lighttpd/mod_maxminddb.so
+%exclude %{_libdir}/lighttpd/mod_openssl.so
+%exclude %{_libdir}/lighttpd/mod_nss.so
+%exclude %{_libdir}/lighttpd/mod_vhostdb_dbi.so
+%exclude %{_libdir}/lighttpd/mod_vhostdb_ldap.so
+%exclude %{_libdir}/lighttpd/mod_vhostdb_mysql.so
+%exclude %{_libdir}/lighttpd/mod_vhostdb_pgsql.so
 %{_mandir}/man8/lighttpd*8*
 
 %files fastcgi
 %doc doc/outdated/fastcgi*.txt doc/scripts/spawn-php.sh
 %config(noreplace) %{_sysconfdir}/php.d/lighttpd.ini
 %config(noreplace) %{_sysconfdir}/lighttpd/conf.d/fastcgi.conf
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_fastcgi.so
 
-%files mod_mysql_vhost
+%if %{with dbi}
-%doc doc/outdated/mysqlvhost.txt
+%files mod_authn_dbi
-%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/mysql_vhost.conf
 %dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_mysql_vhost.so
+%{_libdir}/lighttpd/mod_authn_dbi.so
-
+%endif
-%files mod_authn_mysql
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_authn_mysql.so
 
+%if %{with krb5}
 %files mod_authn_gssapi
 %dir %{_libdir}/lighttpd/
 %{_libdir}/lighttpd/mod_authn_gssapi.so
+%endif
 
+%if %{with ldap}
+%files mod_authn_ldap
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_authn_ldap.so
+%endif
+
+%if %{with pam}
 %files mod_authn_pam
 %dir %{_libdir}/lighttpd/
 %{_libdir}/lighttpd/mod_authn_pam.so
+%endif
+
+%if %{with sasl}
+%files mod_authn_sasl
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_authn_sasl.so
+%endif
+
+%files mod_deflate
+%doc doc/outdated/compress.txt
+%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/deflate.conf
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_deflate.so
+
+%if %{with gnutls}
+%files mod_gnutls
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_gnutls.so
+%endif
+
+%if %{with lua}
+%files mod_magnet
+%doc doc/outdated/magnet.txt
+%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/magnet.conf
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_magnet.so
+%endif
+
+%if %{with maxminddb}
+%files mod_maxminddb
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_maxminddb.so
+%endif
+
+%if %{with mbedtls}
+%files mod_mbedtls
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_mbedtls.so
+%endif
+
+%if %{with nss}
+%files mod_nss
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_nss.so
+%endif
+
+%if %{with openssl}
+%files mod_openssl
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_openssl.so
+%endif
+
+%if %{with dbi}
+%files mod_vhostdb_dbi
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_vhostdb_dbi.so
+%endif
+
+%if %{with ldap}
+%files mod_vhostdb_ldap
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_vhostdb_ldap.so
+%endif
+
+%if %{with mysql}
+%files mod_vhostdb_mysql
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_vhostdb_mysql.so
+%endif
+
+%if %{with pgsql}
+%files mod_vhostdb_pgsql
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_vhostdb_pgsql.so
+%endif
+
+%files mod_webdav
+%doc doc/outdated/webdav.txt
+%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/webdav.conf
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_webdav.so
 
 %files filesystem
 %dir %{_sysconfdir}/lighttpd/
 %dir %{_sysconfdir}/lighttpd/conf.d/
 %dir %{_sysconfdir}/lighttpd/vhosts.d/
 %dir %{_var}/run/lighttpd/
+%dir %{_var}/lib/lighttpd/
 %if %{with tmpfiles}
 %ghost %attr(0750, lighttpd, lighttpd) %{_var}/run/lighttpd/
 %else
 %attr(0750, lighttpd, lighttpd) %{_var}/run/lighttpd/
 %endif
+%attr(0750, lighttpd, lighttpd) %{_var}/lib/lighttpd/
 %attr(0750, lighttpd, lighttpd) %{_var}/log/lighttpd/
 %attr(0700, lighttpd, lighttpd) %dir %{webroot}/
 
 %changelog
+* Fri Oct 27 2023 liyanan <liyanan61@h-parners.com> - 1.4.72-1
+- Update to 1.4.72
+
+* Mon May 29 2023 Jia Chao <jiachao2130@126.com> - 1.4.67-3
+- Remove unsupport BuildRequires: gamin-devel, this pkg is dropped.
+
+* Thu Feb 02 2023 xu_ping <xuping33@h-partners.com> - 1.4.67-2
+- Add buildrequires krb5-devel to fix check configure error
+
+* Wed Oct 12 2022 liangqifeng <liangqifeng@ncti-gba.cn> - 1.4.67-1
+- update to 1.4.67 to fix CVE-2022-41556
+
+* Tue Sep 13 2022 cenhuilin <cenhuilin@kylinos.cn> - 1.4.63-5
+- Fix CVE-2022-37797
+
 * Fri Mar 11 2022 baizhonggui <baizhonggui@huawei.com> - 1.4.63-4
 - Modify var.state_dir path from /etc/lighttpd/lighttpd.conf in lighttpd-1.4.62-defaultconf.patch
 
@@ -278,3 +553,4 @@ fi
 
 * Fri Jan 8 2021 chengzihan <chengzihan2@huawei.com> - 1.4.53-1
 - Package init
+

make-setrlimit-warn-not-fatal.patch

@@ -1,29 +0,0 @@
-From 5a257fab511225bbfa56b4f1a8b2bb7085f96478 Mon Sep 17 00:00:00 2001
-From: Glenn Strauss <gstrauss@gluelogic.com>
-Date: Wed, 8 Dec 2021 18:42:31 -0500
-Subject: [PATCH] [core] make setrlimit() warn, not fatal
-
-Origin:https://github.com/lighttpd/lighttpd1.4/commit/5a257fab511225bbfa56b4f1a8b2bb7085f96478
-
-(thx limb)
-
-make setrlimit() issue warning on error, not fatal,
-and add suggesting to configure SELinux permissions
----
- src/server.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/server.c b/src/server.c
-index f2ff7b73..beca364a 100644
---- a/src/server.c
-+++ b/src/server.c
-@@ -1357,7 +1357,8 @@ static int server_main_setup (server * const srv, int argc, char **argv) {
- 
- 			if (0 != setrlimit(RLIMIT_NOFILE, &rlim)) {
- 				log_perror(srv->errh, __FILE__, __LINE__, "setrlimit()");
--				return -1;
-+				log_error(srv->errh, __FILE__, __LINE__, "setrlimit() may need root to run once: setsebool -P httpd_setrlimit on");
-+				use_rlimit = 0;
- 			}
- 		}
-