CVE-2022-22707.patch

@@ -0,0 +1,90 @@
+From 8c62a890e23f5853b1a562b03fe3e1bccc6e7664 Mon Sep 17 00:00:00 2001
+From: povcfe <povcfe@qq.com>
+Date: Wed, 5 Jan 2022 11:11:09 +0000
+Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
+
+(thx povcfe)
+
+(edited: gstrauss)
+
+There is a potential remote denial of service in lighttpd mod_extforward
+under specific, non-default and uncommon 32-bit lighttpd mod_extforward
+configurations.
+
+Under specific, non-default and uncommon lighttpd mod_extforward
+configurations, a remote attacker can trigger a 4-byte out-of-bounds
+write of value '-1' to the stack. This is not believed to be exploitable
+in any way beyond triggering a crash of the lighttpd server on systems
+where the lighttpd server has been built 32-bit and with compiler flags
+which enable a stack canary -- gcc/clang -fstack-protector-strong or
+-fstack-protector-all, but bug not visible with only -fstack-protector.
+
+With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
+this bug has not been observed to cause adverse behavior, even with
+gcc/clang -fstack-protector-strong.
+
+For the bug to be reachable, the user must be using a non-default
+lighttpd configuration which enables mod_extforward and configures
+mod_extforward to accept and parse the "Forwarded" header from a trusted
+proxy. At this time, support for RFC7239 Forwarded is not common in CDN
+providers or popular web server reverse proxies. It bears repeating that
+for the user to desire to configure lighttpd mod_extforward to accept
+"Forwarded", the user must also be using a trusted proxy (in front of
+lighttpd) which understands and actively modifies the "Forwarded" header
+sent to lighttpd.
+
+lighttpd natively supports RFC7239 "Forwarded"
+hiawatha natively supports RFC7239 "Forwarded"
+
+nginx can be manually configured to add a "Forwarded" header
+https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
+
+A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
+in front of another 32-bit lighttpd will detect and reject a malicious
+"Forwarded" request header, thereby thwarting an attempt to trigger
+this bug in an upstream 32-bit lighttpd.
+
+The following servers currently do not natively support RFC7239 Forwarded:
+nginx
+apache2
+caddy
+node.js
+haproxy
+squid
+varnish-cache
+litespeed
+
+Given the general dearth of support for RFC7239 Forwarded in popular
+CDNs and web server reverse proxies, and given the prerequisites in
+lighttpd mod_extforward needed to reach this bug, the number of lighttpd
+servers vulnerable to this bug is estimated to be vanishingly small.
+Large systems using reverse proxies are likely running 64-bit lighttpd,
+which is not known to be adversely affected by this bug.
+
+In the future, it is desirable for more servers to implement RFC7239
+Forwarded.  lighttpd developers would like to thank povcfe for reporting
+this bug so that it can be fixed before more CDNs and web servers
+implement RFC7239 Forwarded.
+
+x-ref:
+  "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
+  https://redmine.lighttpd.net/issues/3134
+  (not yet written or published)
+  CVE-2022-22707
+---
+ src/mod_extforward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mod_extforward.c b/src/mod_extforward.c
+index 733231fd2..1a04befa6 100644
+--- a/src/mod_extforward.c
++++ b/src/mod_extforward.c
+@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
+         while (s[i] == ' ' || s[i] == '\t') ++i;
+         if (s[i] == ';') { ++i; continue; }
+         if (s[i] == ',') {
+-            if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
++            if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
+             offsets[++j] = -1; /*("offset" separating params from next proxy)*/
+             ++i;
+             continue;

fix-loading-mod_auth-after-dynamic-modules.patch

@@ -0,0 +1,62 @@
+From 492773a20f8a1deb1c94e25d40023970dd9608a1 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sun, 5 Dec 2021 07:50:17 -0500
+Subject: [PATCH] [core] fix trace issued for loading mod_auth (fixes #3121)
+
+Origin:https://github.com/lighttpd/lighttpd1.4/commit/492773a20f8a1deb1c94e25d40023970dd9608a1
+
+fix trace issued for loading mod_auth after dynamic modules
+
+x-ref:
+  "Curious message on startup with version 1.4.63"
+  https://redmine.lighttpd.net/boards/2/topics/10182
+  "mod_auth warning on startup"
+  https://redmine.lighttpd.net/issues/3121
+---
+ src/configfile.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/src/configfile.c b/src/configfile.c
+index 5760bb43..033f2c46 100644
+--- a/src/configfile.c
++++ b/src/configfile.c
+@@ -369,6 +369,7 @@ static void config_compat_module_load (server *srv) {
+     int contains_mod_auth      = 0;
+     int prepend_mod_auth       = 0;
+     int prepend_mod_vhostdb    = 0;
++    const char *dyn_name = NULL;
+ 
+     for (uint32_t i = 0; i < srv->srvconf.modules->used; ++i) {
+         buffer *m = &((data_string *)srv->srvconf.modules->data[i])->value;
+@@ -390,8 +391,15 @@ static void config_compat_module_load (server *srv) {
+         else if (buffer_eq_slen(m, CONST_STR_LEN("mod_wolfssl")))
+             append_mod_openssl = 0;
+         else if (0 == strncmp(m->ptr, "mod_auth", sizeof("mod_auth")-1)) {
+-            if (buffer_eq_slen(m, CONST_STR_LEN("mod_auth")))
+-                contains_mod_auth = 1;
++            if (buffer_eq_slen(m, CONST_STR_LEN("mod_auth"))) {
++                if (!contains_mod_auth) {
++                    contains_mod_auth = 1;
++                    if (dyn_name)
++                        log_error(srv->errh, __FILE__, __LINE__,
++                          "Warning: mod_auth should be listed in server.modules"
++                          " before dynamic backends such as %s", dyn_name);
++                }
++            }
+             else if (!contains_mod_auth)
+                 prepend_mod_auth = 1;
+ 
+@@ -422,11 +430,8 @@ static void config_compat_module_load (server *srv) {
+                                          sizeof("mod_sockproxy")-1)
+                  || 0 == strncmp(m->ptr, "mod_wstunnel",
+                                          sizeof("mod_wstunnel")-1)) {
+-            if (!contains_mod_auth) {
+-                log_error(srv->errh, __FILE__, __LINE__,
+-                  "Warning: mod_auth should be listed in server.modules before "
+-                  "dynamic backends such as %s", m->ptr);
+-            }
++            if (NULL == dyn_name)
++                dyn_name = m->ptr;
+         }
+     }
+ 

lighttpd-1.4.62-defaultconf.patch

@@ -7,7 +7,7 @@
 -var.server_root = "/srv/www"
 -var.state_dir   = "/run"
 +var.server_root = "/var/www"
-+var.state_dir   = "/run/lighttpd"
++var.state_dir   = "/var/run"
  var.home_dir    = "/var/lib/lighttpd"
  var.conf_dir    = "/etc/lighttpd"
  
@@ -20,14 +20,3 @@
  ##
  ##   # (recommended to accept only TLSv1.2 and TLSv1.3)
  ##   #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")  # default
---- doc/config/lighttpd.conf~	2022-07-28 10:49:14.928564535 -0500
-+++ doc/config/lighttpd.conf	2022-07-28 10:49:47.161444622 -0500
-@@ -118,7 +118,7 @@
- ##
- ## Document root
- ##
--server.document-root = server_root + "/htdocs"
-+server.document-root = server_root + "/lighttpd"
- 
- ##
- ## The value for the "Server:" response field.

lighttpd.init

@@ -0,0 +1,114 @@
+#!/bin/sh
+#
+# lighttpd     Lightning fast webserver with light system requirements
+#
+# chkconfig:   - 85 15
+# description: Secure, fast, compliant and very flexible web-server which has \
+#              been optimized for high-performance environments. It has a \
+#              very low memory footprint compared to other web servers and \
+#              takes care of cpu-load.
+
+### BEGIN INIT INFO
+# Provides: httpd
+# Required-Start: $local_fs $network
+# Required-Stop: $local_fs $network
+# Should-Start: $named
+# Should-Stop: $named
+# Default-Start: 
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: Lightning fast webserver with light system requirements
+# Description:       Secure, fast, compliant and very flexible web-server which
+#                    has been optimized for high-performance environments. It
+#                    has a very low memory footprint compared to other web
+#                    servers and takes care of cpu-load.
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+exec="/usr/sbin/lighttpd"
+prog="lighttpd"
+config="/etc/lighttpd/lighttpd.conf"
+
+[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
+
+lockfile=/var/lock/subsys/$prog
+
+start() {
+    [ -x $exec ] || exit 5
+    [ -f $config ] || exit 6
+    echo -n $"Starting $prog: "
+    daemon $exec -f $config
+    retval=$?
+    echo
+    [ $retval -eq 0 ] && touch $lockfile
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping $prog: "
+    killproc $prog
+    retval=$?
+    echo
+    [ $retval -eq 0 ] && rm -f $lockfile
+    return $retval
+}
+
+restart() {
+    stop
+    start
+}
+
+reload() {
+    echo -n $"Reloading $prog: "
+    killproc $prog -USR1
+    retval=$?
+    echo
+    return $retval
+}
+
+force_reload() {
+    restart
+}
+
+rh_status() {
+    status $prog
+}
+
+rh_status_q() {
+    rh_status &>/dev/null
+}
+
+
+case "$1" in
+    start)
+        rh_status_q && exit 0
+        $1
+        ;;
+    stop)
+        rh_status_q || exit 0
+        $1
+        ;;
+    restart)
+        $1
+        ;;
+    reload)
+        rh_status_q || exit 7
+        $1
+        ;;
+    force-reload)
+        force_reload
+        ;;
+    status)
+        rh_status
+        ;;
+    condrestart|try-restart)
+        rh_status_q || exit 0
+        restart
+        ;;
+    *)
+        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+        exit 2
+esac
+exit $?
+

lighttpd.service

@@ -3,12 +3,10 @@ Description=Lightning Fast Webserver With Light System Requirements
 After=syslog.target network.target
 
 [Service]
-PIDFile=/run/lighttpd.pid
+PIDFile=/var/run/lighttpd.pid
 EnvironmentFile=-/etc/sysconfig/lighttpd
-ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
 ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
 ExecReload=/bin/kill -USR1 $MAINPID
-Restart=on-failure
 
 [Install]
 WantedBy=multi-user.target

lighttpd.spec

@@ -1,68 +1,58 @@
 %define webroot /var/www/lighttpd
+%global _hardened_build 1
 %define confswitch() %{expand:%%{?with_%{1}:--with-%{1}}%%{!?with_%{1}:--without-%{1}}}
-%bcond_without attr
-%bcond_with    pcre
-%bcond_without pcre2
-%bcond_without nettle
-%bcond_with    unwind
-%bcond_without lua
-%bcond_without brotli
-%bcond_with    bzip2
-%bcond_without zlib
-%bcond_without zstd
-%bcond_without maxminddb
-%bcond_without dbi
-%bcond_without ldap
 %bcond_without mysql
-%bcond_without pgsql
+%bcond_without ldap
+%bcond_without attr
+%bcond_without openssl
+%bcond_without kerberos5
+%bcond_without pcre
+%bcond_with    fam
+%bcond_without lua
 %bcond_without krb5
 %bcond_without pam
-%bcond_without sasl
+%bcond_with    webdavprops
-%bcond_without gnutls
+%bcond_with    webdavlocks
-%bcond_with    mbedtls
+%bcond_without gdbm
-%bcond_without nss
+%bcond_with    memcache
-%bcond_without openssl
-%bcond_without webdavprops
-%bcond_without webdavlocks
 %bcond_without tmpfiles
+%bcond_without systemd
 Summary:             Lightning fast webserver with light system requirements
 Name:                lighttpd
-Version:             1.4.72
+Version:             1.4.63
-Release:             1
+Release:             4
 License:             BSD-3-Clause and OML and GPLv3 and GPLv2
 URL:                 https://github.com/lighttpd/lighttpd1.4
-Source0:             http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.xz
+Source0:             http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.gz
 Source1:             lighttpd.logrotate
 Source2:             php.d-lighttpd.ini
-Source3:             lighttpd.service
+Source3:             lighttpd.init
-Patch0:              lighttpd-1.4.65-defaultconf.patch
+Source4:             lighttpd.service
-Requires:            %{name}-filesystem system-logos
+Patch0:              lighttpd-1.4.62-defaultconf.patch
+Patch1:              make-setrlimit-warn-not-fatal.patch
+Patch2:              fix-loading-mod_auth-after-dynamic-modules.patch
+Patch3:              CVE-2022-22707.patch
+Requires:            %{name}-filesystem
+%if %{with systemd}
 Requires(post):      systemd
 Requires(preun):     systemd
 Requires(postun):    systemd
 BuildRequires:       systemd
-Requires(post):      %{name}-mod_deflate
+%else
-Requires(post):      %{name}-mod_webdav
+Requires(post):      /sbin/chkconfig
-%{?with_ldap:Requires(post): %{name}-mod_authn_ldap}
+Requires(preun):     /sbin/service, /sbin/chkconfig
-%{?with_ldap:Requires(post): %{name}-mod_vhostdb_ldap}
+Requires(postun):    /sbin/service
-%{?with_lua:Requires(post): %{name}-mod_magnet}
+%endif
-%{?with_openssl:Requires(post): %{name}-mod_openssl}
 Provides:            webserver
 BuildRequires:       openssl-devel, pcre-devel, bzip2-devel, zlib-devel, autoconf, automake, libtool
-BuildRequires:       /usr/bin/awk, libattr-devel, m4, pkg-config
+BuildRequires:       /usr/bin/awk, libattr-devel
-%{?with_pcre:BuildRequires: pcre-devel}
+%{?with_ldap:BuildRequires: openldap-devel}
-%{?with_pcre2:BuildRequires: pcre2-devel}
+%{?with_fam:BuildRequires: gamin-devel}
-%{?with_nettle:BuildRequires: nettle-devel}
+%{?with_webdavprops:BuildRequires: libxml2-devel}
-%{?with_unwind:BuildRequires: libunwind-devel}
+%{?with_webdavlocks:BuildRequires: sqlite-devel}
-
+%{?with_gdbm:BuildRequires: gdbm-devel}
-Provides: %{name}-mod_authn_mysql = %{version}-%{release}
+%{?with_memcache:BuildRequires: memcached-devel}
-Obsoletes: %{name}-mod_authn_mysql <= 1.4.63-1
+%{?with_lua:BuildRequires: lua-devel}
- 
-Provides: %{name}-mod_mysql_vhost = %{version}-%{release}
-Obsoletes: %{name}-mod_mysql_vhost <= 1.4.63-1
-
-Provides: %{name}-mod_geoip = %{version}-%{release}
-Obsoletes: %{name}-mod_geoip <= 1.4.63-1
 
 %description
 Secure, fast, compliant and very flexible web-server which has been optimized
@@ -75,205 +65,37 @@ problems.
 %package fastcgi
 Summary:             FastCGI module and spawning helper for lighttpd and PHP configuration
 Requires:            %{name} = %{version}-%{release} spawn-fcgi
-%description fastcgi 
+%description fastcgi
 This package contains the spawn-fcgi helper for lighttpd's automatic spawning
 of local FastCGI programs. Included is also a PHP .ini file to change a few
 defaults needed for correct FastCGI behavior.
 
-%if %{with dbi}
+%package mod_mysql_vhost
-%package mod_authn_dbi
+Summary:             Virtual host module for lighttpd that uses a MySQL database
-Summary:             Authentication module for lighttpd that uses DBI
 Requires:            %{name} = %{version}-%{release}
-%{?with_dbi:BuildRequires: libdbi-devel}
+BuildRequires:       mariadb-connector-c-devel
-%{?with_dbi:Suggests: libdbi-dbd-mysql}
+%description mod_mysql_vhost
-%{?with_dbi:Suggests: libdbi-dbd-pgsql}
+Virtual host module for lighttpd that uses a MySQL database.
-%{?with_dbi:Suggests: libdbi-dbd-sqlite}
 
-%description mod_authn_dbi
+%package mod_authn_mysql
-Authentication module for lighttpd that uses DBI
+Summary:             Authentication module for lighttpd that uses a MySQL database
-%endif
+Requires:            %{name} = %{version}-%{release}
+BuildRequires:       mariadb-connector-c-devel
+%description mod_authn_mysql
+Authentication module for lighttpd that uses a MySQL database.
 
-%if %{with krb5}
 %package mod_authn_gssapi
 Summary:             Authentication module for lighttpd that uses GSSAPI
 Requires:            %{name} = %{version}-%{release}
-%{?with_krb5:BuildRequires: krb5-devel}
-
 %description mod_authn_gssapi
 Authentication module for lighttpd that uses GSSAPI
-%endif
 
-%if %{with ldap}
-%package mod_authn_ldap
-Summary:             Authentication module for lighttpd that uses LDAP
-Requires:            %{name} = %{version}-%{release}
-%{?with_ldap:BuildRequires: openldap-devel}
-
-%description mod_authn_ldap
-Authentication module for lighttpd that uses LDAP
-%endif
-
-%if %{with pam}
 %package mod_authn_pam
 Summary:             Authentication module for lighttpd that uses PAM
 Requires:            %{name} = %{version}-%{release}
-%{?with_pam:BuildRequires: pam-devel}
+BuildRequires:       pam-devel
-
 %description mod_authn_pam
 Authentication module for lighttpd that uses PAM.
-%endif
-
-
-%if %{with sasl}
-%package mod_authn_sasl
-Summary:             Authentication module for lighttpd that uses SASL
-Requires:            %{name} = %{version}-%{release}
-%{?with_sasl:BuildRequires: cyrus-sasl-devel}
-
-%description mod_authn_sasl
-Authentication module for lighttpd that uses SASL.
-%endif
-
-
-%package mod_deflate
-Summary:             Compression module for lighttpd
-Requires:            %{name} = %{version}-%{release}
-%{?with_zlib:BuildRequires: zlib-devel}
-%{?with_zstd:BuildRequires: libzstd-devel}
-%{?with_bzip2:BuildRequires: bzip2-devel}
-%{?with_brotli:BuildRequires: brotli-devel}
-
-%description mod_deflate
-Compression module for lighttpd.
-
-
-%if %{with gnutls}
-%package mod_gnutls
-Summary:             TLS module for lighttpd that uses GnuTLS
-Requires:            %{name} = %{version}-%{release}
-%{?with_gnutls:BuildRequires: gnutls-devel}
-
-%description mod_gnutls
-TLS module for lighttpd that uses GnuTLS.
-%endif
-
-
-%if %{with lua}
-%package mod_magnet
-Summary:             Lua module for lighttpd
-Requires:            %{name} = %{version}-%{release}
-%{?with_lua:BuildRequires: lua-devel}
-
-%description mod_magnet
-Lua module for lighttpd.
-%endif
-
-
-%if %{with maxminddb}
-%package mod_maxminddb
-Summary:             GeoIP2 module for lighttpd to use for location lookups
-Requires:            %{name} = %{version}-%{release}
-%{?with_maxminddb:BuildRequires: libmaxminddb-devel}
-%{?with_maxminddb:Recommends: GeoIP-GeoLite-data}
-%{?with_maxminddb:Recommends: GeoIP-GeoLite-data-extra}
-%{?with_maxminddb:Suggests: geoipupdate}
-%{?with_maxminddb:Suggests: geoipupdate-cron}
-
-%description mod_maxminddb
-GeoIP2 module for lighttpd to use for location lookups.
-%endif
-
-
-%if %{with mbedtls}
-%package mod_mbedtls
-Summary:             TLS module for lighttpd that uses mbedTLS
-Requires:            %{name} = %{version}-%{release}
-%{?with_mbedtls:BuildRequires: mbedtls-devel}
-
-%description mod_mbedtls
-TLS module for lighttpd that uses mbedTLS.
-%endif
-
-
-%if %{with nss}
-%package mod_nss
-Summary:             TLS module for lighttpd that uses NSS
-Requires:            %{name} = %{version}-%{release}
-%{?with_nss:BuildRequires: nss-devel}
-
-%description mod_nss
-TLS module for lighttpd that uses NSS.
-%endif
-
-
-%if %{with openssl}
-%package mod_openssl
-Summary:             TLS module for lighttpd that uses OpenSSL
-Requires:            %{name} = %{version}-%{release}
-%{?with_openssl:BuildRequires: openssl-devel}
-
-%description mod_openssl
-TLS module for lighttpd that uses OpenSSL.
-%endif
-
-
-%if %{with dbi}
-%package mod_vhostdb_dbi
-Summary:             Virtual host module for lighttpd that uses DBI
-Requires:            %{name} = %{version}-%{release}
-%{?with_dbi:BuildRequires: libdbi-devel}
-%{?with_dbi:Suggests: libdbi-dbd-mysql}
-%{?with_dbi:Suggests: libdbi-dbd-pgsql}
-%{?with_dbi:Suggests: libdbi-dbd-sqlite}
-
-%description mod_vhostdb_dbi
-Virtual host module for lighttpd that uses DBI.
-%endif
-
-
-%if %{with ldap}
-%package mod_vhostdb_ldap
-Summary:             Virtual host module for lighttpd that uses LDAP
-Requires:            %{name} = %{version}-%{release}
-%{?with_ldap:BuildRequires: openldap-devel}
-
-%description mod_vhostdb_ldap
-Virtual host module for lighttpd that uses LDAP.
-%endif
-
-
-%if %{with mysql}
-%package mod_vhostdb_mysql
-Summary:               Virtual host module for lighttpd that uses MySQL
-Requires:              %{name} = %{version}-%{release}
-%{?with_mysql:BuildRequires: mariadb-connector-c-devel}
-
-%description mod_vhostdb_mysql
-Virtual host module for lighttpd that uses MySQL.
-%endif
-
-
-%if %{with pgsql}
-%package mod_vhostdb_pgsql
-Summary:             Virtual host module for lighttpd that uses PostgreSQL
-Requires:            %{name} = %{version}-%{release}
-%{?with_pgsql:BuildRequires: libpq-devel}
-
-%description mod_vhostdb_pgsql
-Virtual host module for lighttpd that uses PostgreSQL.
-%endif
-
-
-%package mod_webdav
-Summary:             WebDAV module for lighttpd
-Requires:            %{name} = %{version}-%{release}
-%{?with_webdavprops:BuildRequires: libxml2-devel}
-%{?with_webdavprops:BuildRequires: sqlite-devel}
-%{?with_webdavlocks:BuildRequires: libuuid-devel}
-%{?with_webdavlocks:BuildRequires: sqlite-devel}
-
-%description mod_webdav
-WebDAV module for lighttpd.
 
 %package filesystem
 Summary:             The basic directory layout for lighttpd
@@ -287,45 +109,42 @@ for the directories.
 %prep
 %setup -q
 %patch0 -p0 -b .defaultconf
+%patch1 -p1 -b .setrlimit
+%patch2 -p1 -b .fixtrace
+%patch3 -p1
 
 %build
 autoreconf -if
 %configure \
     --libdir='%{_libdir}/lighttpd' \
-    %{confswitch pcre} \
-    %{confswitch pcre2} \
-    %{confswitch nettle} \
-    %{confswitch attr} \
     %{confswitch mysql} \
-    %{confswitch pgsql} \
-    %{confswitch dbi} \
-    %{confswitch krb5} \
-    %{confswitch ldap} \
     %{confswitch pam} \
-    %{confswitch sasl} \
+    %{confswitch ldap} \
-    %{confswitch gnutls} \
+    %{confswitch attr} \
-    %{confswitch mbedtls} \
-    %{confswitch nss} \
     %{confswitch openssl} \
+    %{confswitch pcre} \
+    %{confswitch fam} \
     %{?with_webdavprops:--with-webdav-props} \
     %{?with_webdavlocks:--with-webdav-locks} \
-    %{?with_lua:--with-lua=lua} \
+    %{confswitch gdbm} \
-    %{confswitch zlib} \
+    %{confswitch memcached} \
-    %{confswitch zstd} \
+    %{confswitch lua} \
-    %{confswitch bzip2} \
+    %{confswitch krb5}
-    %{confswitch brotli} \
+make %{?_smp_mflags}
-    %{confswitch maxminddb} \
-    %{confswitch unwind}
-%make_build
 
 %install
-%make_install
+make install DESTDIR=%{buildroot}
 install -D -p -m 0644 %{SOURCE1} \
     %{buildroot}%{_sysconfdir}/logrotate.d/lighttpd
 install -D -p -m 0644 %{SOURCE2} \
     %{buildroot}%{_sysconfdir}/php.d/lighttpd.ini
-install -D -p -m 0644 %{SOURCE3} \
+%if %{with systemd}
+install -D -p -m 0644 %{SOURCE4} \
     %{buildroot}%{_unitdir}/lighttpd.service
+%else
+install -D -p -m 0755 %{SOURCE3} \
+    %{buildroot}%{_sysconfdir}/rc.d/init.d/lighttpd
+%endif
 mkdir -p %{buildroot}%{webroot}
 rm -rf config
 cp -a doc/config config
@@ -336,25 +155,40 @@ cp -a config/*.conf config/*.d %{buildroot}%{_sysconfdir}/lighttpd/
 mkdir -p %{buildroot}%{_var}/log/lighttpd
 mkdir -p %{buildroot}%{_var}/run/lighttpd
 %if %{with tmpfiles}
-mkdir -p %{buildroot}/usr/lib/tmpfiles.d
+mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
-echo 'D /run/lighttpd 0750 lighttpd lighttpd -' > \
+echo 'D /var/run/lighttpd 0750 lighttpd lighttpd -' > \
-    %{buildroot}/usr/lib/tmpfiles.d/lighttpd.conf
+    %{buildroot}%{_sysconfdir}/tmpfiles.d/lighttpd.conf
 %endif
-mkdir -p %{buildroot}%{_var}/lib/lighttpd/
 
 %pre filesystem
 /usr/sbin/useradd -s /sbin/nologin -M -r -d %{webroot} \
     -c 'lighttpd web server' lighttpd &>/dev/null || :
 
 %post
+%if %{with systemd}
 %systemd_post lighttpd.service
+%else
+/sbin/chkconfig --add lighttpd
+%endif
 
 %preun
+%if %{with systemd}
 %systemd_preun lighttpd.service
+%else
+if [ $1 -eq 0 ]; then
+    /sbin/service lighttpd stop &>/dev/null || :
+    /sbin/chkconfig --del lighttpd
+fi
+%endif
 
 %postun
+%if %{with systemd}
 %systemd_postun_with_restart lighttpd.service
-
+%else
+if [ $1 -ge 1 ]; then
+    /sbin/service lighttpd condrestart &>/dev/null || :
+fi
+%endif
 
 %files
 %license COPYING
@@ -362,177 +196,68 @@ mkdir -p %{buildroot}%{_var}/lib/lighttpd/
 %doc config/ doc/scripts/rrdtool-graph.sh
 %config(noreplace) %{_sysconfdir}/lighttpd/*.conf
 %config(noreplace) %{_sysconfdir}/lighttpd/conf.d/*.conf
-%exclude %{_sysconfdir}/lighttpd/conf.d/deflate.conf
 %exclude %{_sysconfdir}/lighttpd/conf.d/fastcgi.conf
-%exclude %{_sysconfdir}/lighttpd/conf.d/magnet.conf
+%exclude %{_sysconfdir}/lighttpd/conf.d/mysql_vhost.conf
-%exclude %{_sysconfdir}/lighttpd/conf.d/webdav.conf
 %config %{_sysconfdir}/lighttpd/conf.d/mod.template
 %config %{_sysconfdir}/lighttpd/vhosts.d/vhosts.template
 %config(noreplace) %{_sysconfdir}/logrotate.d/lighttpd
+%if %{with systemd}
 %{_unitdir}/lighttpd.service
+%else
+%{_sysconfdir}/rc.d/init.d/lighttpd
+%endif
 %if %{with tmpfiles}
-%config(noreplace) /usr/lib/tmpfiles.d/lighttpd.conf
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/lighttpd.conf
 %endif
 %{_sbindir}/lighttpd
 %{_sbindir}/lighttpd-angel
 %{_libdir}/lighttpd/
-%exclude %{_libdir}/lighttpd/mod_authn_dbi.so
+%exclude %{_libdir}/lighttpd/*.la
+%exclude %{_libdir}/lighttpd/mod_fastcgi.so
+%exclude %{_libdir}/lighttpd/mod_mysql_vhost.so
+%exclude %{_libdir}/lighttpd/mod_authn_mysql.so
 %exclude %{_libdir}/lighttpd/mod_authn_gssapi.so
-%exclude %{_libdir}/lighttpd/mod_authn_ldap.so
-%exclude %{_libdir}/lighttpd/mod_authn_pam.so
-%exclude %{_libdir}/lighttpd/mod_authn_sasl.so
-%exclude %{_libdir}/lighttpd/mod_deflate.so
-%exclude %{_libdir}/lighttpd/mod_gnutls.so
-%exclude %{_libdir}/lighttpd/mod_magnet.so
-%exclude %{_libdir}/lighttpd/mod_maxminddb.so
-%exclude %{_libdir}/lighttpd/mod_openssl.so
-%exclude %{_libdir}/lighttpd/mod_nss.so
-%exclude %{_libdir}/lighttpd/mod_vhostdb_dbi.so
-%exclude %{_libdir}/lighttpd/mod_vhostdb_ldap.so
-%exclude %{_libdir}/lighttpd/mod_vhostdb_mysql.so
-%exclude %{_libdir}/lighttpd/mod_vhostdb_pgsql.so
 %{_mandir}/man8/lighttpd*8*
 
 %files fastcgi
 %doc doc/outdated/fastcgi*.txt doc/scripts/spawn-php.sh
 %config(noreplace) %{_sysconfdir}/php.d/lighttpd.ini
 %config(noreplace) %{_sysconfdir}/lighttpd/conf.d/fastcgi.conf
-
-%if %{with dbi}
-%files mod_authn_dbi
 %dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_authn_dbi.so
+%{_libdir}/lighttpd/mod_fastcgi.so
-%endif
+
+%files mod_mysql_vhost
+%doc doc/outdated/mysqlvhost.txt
+%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/mysql_vhost.conf
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_mysql_vhost.so
+
+%files mod_authn_mysql
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_authn_mysql.so
 
-%if %{with krb5}
 %files mod_authn_gssapi
 %dir %{_libdir}/lighttpd/
 %{_libdir}/lighttpd/mod_authn_gssapi.so
-%endif
 
-%if %{with ldap}
-%files mod_authn_ldap
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_authn_ldap.so
-%endif
-
-%if %{with pam}
 %files mod_authn_pam
 %dir %{_libdir}/lighttpd/
 %{_libdir}/lighttpd/mod_authn_pam.so
-%endif
-
-%if %{with sasl}
-%files mod_authn_sasl
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_authn_sasl.so
-%endif
-
-%files mod_deflate
-%doc doc/outdated/compress.txt
-%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/deflate.conf
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_deflate.so
-
-%if %{with gnutls}
-%files mod_gnutls
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_gnutls.so
-%endif
-
-%if %{with lua}
-%files mod_magnet
-%doc doc/outdated/magnet.txt
-%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/magnet.conf
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_magnet.so
-%endif
-
-%if %{with maxminddb}
-%files mod_maxminddb
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_maxminddb.so
-%endif
-
-%if %{with mbedtls}
-%files mod_mbedtls
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_mbedtls.so
-%endif
-
-%if %{with nss}
-%files mod_nss
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_nss.so
-%endif
-
-%if %{with openssl}
-%files mod_openssl
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_openssl.so
-%endif
-
-%if %{with dbi}
-%files mod_vhostdb_dbi
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_vhostdb_dbi.so
-%endif
-
-%if %{with ldap}
-%files mod_vhostdb_ldap
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_vhostdb_ldap.so
-%endif
-
-%if %{with mysql}
-%files mod_vhostdb_mysql
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_vhostdb_mysql.so
-%endif
-
-%if %{with pgsql}
-%files mod_vhostdb_pgsql
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_vhostdb_pgsql.so
-%endif
-
-%files mod_webdav
-%doc doc/outdated/webdav.txt
-%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/webdav.conf
-%dir %{_libdir}/lighttpd/
-%{_libdir}/lighttpd/mod_webdav.so
 
 %files filesystem
 %dir %{_sysconfdir}/lighttpd/
 %dir %{_sysconfdir}/lighttpd/conf.d/
 %dir %{_sysconfdir}/lighttpd/vhosts.d/
 %dir %{_var}/run/lighttpd/
-%dir %{_var}/lib/lighttpd/
 %if %{with tmpfiles}
 %ghost %attr(0750, lighttpd, lighttpd) %{_var}/run/lighttpd/
 %else
 %attr(0750, lighttpd, lighttpd) %{_var}/run/lighttpd/
 %endif
-%attr(0750, lighttpd, lighttpd) %{_var}/lib/lighttpd/
 %attr(0750, lighttpd, lighttpd) %{_var}/log/lighttpd/
 %attr(0700, lighttpd, lighttpd) %dir %{webroot}/
 
 %changelog
-* Fri Oct 27 2023 liyanan <liyanan61@h-parners.com> - 1.4.72-1
-- Update to 1.4.72
-
-* Mon May 29 2023 Jia Chao <jiachao2130@126.com> - 1.4.67-3
-- Remove unsupport BuildRequires: gamin-devel, this pkg is dropped.
-
-* Thu Feb 02 2023 xu_ping <xuping33@h-partners.com> - 1.4.67-2
-- Add buildrequires krb5-devel to fix check configure error
-
-* Wed Oct 12 2022 liangqifeng <liangqifeng@ncti-gba.cn> - 1.4.67-1
-- update to 1.4.67 to fix CVE-2022-41556
-
-* Tue Sep 13 2022 cenhuilin <cenhuilin@kylinos.cn> - 1.4.63-5
-- Fix CVE-2022-37797
-
 * Fri Mar 11 2022 baizhonggui <baizhonggui@huawei.com> - 1.4.63-4
 - Modify var.state_dir path from /etc/lighttpd/lighttpd.conf in lighttpd-1.4.62-defaultconf.patch
 
@@ -553,4 +278,3 @@ mkdir -p %{buildroot}%{_var}/lib/lighttpd/
 
 * Fri Jan 8 2021 chengzihan <chengzihan2@huawei.com> - 1.4.53-1
 - Package init
-

make-setrlimit-warn-not-fatal.patch

@@ -0,0 +1,29 @@
+From 5a257fab511225bbfa56b4f1a8b2bb7085f96478 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Wed, 8 Dec 2021 18:42:31 -0500
+Subject: [PATCH] [core] make setrlimit() warn, not fatal
+
+Origin:https://github.com/lighttpd/lighttpd1.4/commit/5a257fab511225bbfa56b4f1a8b2bb7085f96478
+
+(thx limb)
+
+make setrlimit() issue warning on error, not fatal,
+and add suggesting to configure SELinux permissions
+---
+ src/server.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/server.c b/src/server.c
+index f2ff7b73..beca364a 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -1357,7 +1357,8 @@ static int server_main_setup (server * const srv, int argc, char **argv) {
+ 
+ 			if (0 != setrlimit(RLIMIT_NOFILE, &rlim)) {
+ 				log_perror(srv->errh, __FILE__, __LINE__, "setrlimit()");
+-				return -1;
++				log_error(srv->errh, __FILE__, __LINE__, "setrlimit() may need root to run once: setsebool -P httpd_setrlimit on");
++				use_rlimit = 0;
+ 			}
+ 		}
+