Your message dated Tue, 24 Oct 2023 05:51:13 -0400
with message-id <ZTeTkTw7fs2BU0ZQ@xps13>
and subject line Re: Bug#1054465: Separate HTTP/2 into conf-available
has caused the Debian Bug report #1054465,
regarding Separate HTTP/2 into conf-available
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
1054465: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054465
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lighttpd
Version: 1.4.69-1

Dear maintainer,

With the recent discovery of the HTTP/2 Rapid Reset vulnerability (CVE-2023-44487) I took a closer look at the web services I host on lighttpd and came to the conclusion that the increased complexity of HTTP/2 provides no benefit to these trivially simple pages. So I decided that I'd rather disable HTTP/2.

Unfortunately integrating this into my configuration management was more difficult than I had hoped for, since it required patching of the /etc/lighttpd/lighttpd.conf file.

Please consider splitting the HTTP/2 configuration into a separate conf-available file to make it easier to enable/disable the configuration (lighttpd-(en|dis)able-mod).

Thank you.

Kind regards,
Dennis
--- End Message ---
--- Begin Message ---
On Tue, Oct 24, 2023 at 10:04:54AM +0200, Dennis Camera wrote:
> Package: lighttpd
> Version: 1.4.69-1
>
> Dear maintainer,
>
> With the recent discovery of the HTTP/2 Rapid Reset vulnerability
> (CVE-2023-44487) I took a closer look at the web services I host on
> lighttpd and came to the conclusion that the increased complexity of
> HTTP/2 provides no benefit to these trivially simple pages.

For the HTTP/2 rapid reset attack variants I tested, lighttpd is not vulnerable to HTTP/2 rapid reset attacks any more than other types of denial of service (DoS) attacks, and in numerous variants, HTTP/2 rapid reset attack is not effective against lighttpd at all.

> So I decided that I'd rather disable HTTP/2.
> Unfortunately integrating this into my configuration management was
> more difficult than I had hoped for, since it required patching of the
> /etc/lighttpd/lighttpd.conf file.

You are mistaken. To disable HTTP/2 in lighttpd, all you need is

  server.feature-flags := ("server.h2proto" => "disable")

in a file in conf-enabled, e.g. /etc/lighttpd/conf-enabled/no_h2.conf

Note the := syntax to overwrite the value of the entire list.
https://wiki.lighttpd.net/Docs_Configuration

> Please consider splitting the HTTP/2 configuration into a separate
> conf-available file to make it easier to enable/disable the
> configuration (lighttpd-(en|dis)able-mod).

I do not think something so trivial needs a separate lighty-enable target, though you could easily make one yourself by putting the above in /etc/lighttpd/conf-available/01-no_h2.conf, and then using

  lighty-enable-mod no_h2

Cheers, Glenn
--- End Message ---
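The disable-HTTP/2 procedure from the reply above, written up as an added example for configuration management (it is not part of the bug report, of either message, or of the Debian lighttpd package): it drops the server.feature-flags := (...) snippet into conf-available, enables it, and then audits conf-enabled for the directive, which is the check a configuration-management run would want before trusting that HTTP/2 is really off. Assumptions not stated in the thread: that lighty-enable-mod works by symlinking conf-available entries into conf-enabled (the script reproduces that by hand when pointed at a scratch directory via LIGHTTPD_DIR, so it can be dry-run without root), and that lighttpd's -tt -f configuration syntax check is available. The snippet name no_h2 and the 01- prefix are taken from the reply.

```shell
#!/bin/sh
# Added example (not from the Debian bug report): disable HTTP/2 in Debian's
# lighttpd via a conf-available snippet, enable it, and audit the result.
# LIGHTTPD_DIR is overridable so the whole thing can be dry-run in a scratch
# directory; the snippet name and 01- prefix follow the maintainer's reply.

LIGHTTPD_DIR="${LIGHTTPD_DIR:-/etc/lighttpd}"
SNIPPET_NAME="no_h2"

# Write the conf-available snippet. The := operator replaces the whole
# server.feature-flags list rather than merging a new entry into it.
write_no_h2_snippet() {
    dir="$1"
    mkdir -p "$dir/conf-available" "$dir/conf-enabled"
    cat > "$dir/conf-available/01-${SNIPPET_NAME}.conf" <<'EOF'
# Disable HTTP/2. ':=' overwrites the entire server.feature-flags list.
server.feature-flags := ("server.h2proto" => "disable")
EOF
}

# Enable the snippet. Uses lighty-enable-mod when operating on the real
# /etc/lighttpd and the tool exists; otherwise creates the equivalent
# symlink by hand (assumption: lighty-enable-mod symlinks conf-available
# entries into conf-enabled, which is what is reproduced here).
enable_no_h2_snippet() {
    dir="$1"
    if [ "$dir" = /etc/lighttpd ] && command -v lighty-enable-mod >/dev/null 2>&1; then
        lighty-enable-mod "$SNIPPET_NAME"
    else
        ln -sf "../conf-available/01-${SNIPPET_NAME}.conf" \
               "$dir/conf-enabled/01-${SNIPPET_NAME}.conf"
    fi
}

# Audit: does any *enabled* snippet disable h2 using the whole-list operator?
# Returns 0 when HTTP/2 is disabled, non-zero otherwise (including when
# conf-enabled is empty or absent; -s silences the missing-file error).
h2_disabled() {
    dir="$1"
    grep -Eqs 'server\.feature-flags[[:space:]]*:=.*"server\.h2proto"[[:space:]]*=>[[:space:]]*"disable"' \
        "$dir"/conf-enabled/*.conf
}

# Syntax-check the full configuration when lighttpd itself is installed
# (assumption: lighttpd -tt -f <conf> is available on the host).
check_config() {
    dir="$1"
    if command -v lighttpd >/dev/null 2>&1 && [ -f "$dir/lighttpd.conf" ]; then
        lighttpd -tt -f "$dir/lighttpd.conf"
    fi
}

# Usage: LIGHTTPD_DIR=/etc/lighttpd sh disable_h2.sh apply   (root for /etc)
if [ "${1:-}" = "apply" ]; then
    write_no_h2_snippet "$LIGHTTPD_DIR"
    enable_no_h2_snippet "$LIGHTTPD_DIR"
    check_config "$LIGHTTPD_DIR"
    h2_disabled "$LIGHTTPD_DIR" && echo "HTTP/2 disabled in $LIGHTTPD_DIR"
fi
```

Running the script with apply against a scratch LIGHTTPD_DIR shows the file layout it produces before touching /etc; the h2_disabled check deliberately looks only under conf-enabled, so a snippet that was written but never enabled still reports HTTP/2 as on.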

