Update lighttpd to latest version to include all security fixes

luke_nukem
Posts: 12
Joined: Wed Oct 24, 2018 6:08 am

Post by luke_nukem »

The version of lighttpd used for the ADM web UI is 1.4.29; this version was released July 03, 2011.

That's 7 years out of date....

Current version is 1.4.51, and there is a large swath of fixes between these versions.

Please keep things updated, especially if there is a chance these may be front-facing towards external ports.
huffie
Posts: 38
Joined: Wed Jan 29, 2014 5:10 pm

Re: Update lighttpd to latest version to include all security fixes

Post by huffie »

luke_nukem first reported this back in 2018... and now, in 2021 (current version 1.4.58), the installed version is still lighttpd/1.4.29-devel-190 (ssl) (Nov 17 2020 01:25:48).

I'd just like to understand: since Asustor is not actively updating lighttpd, is it possible for us to compile our own and replace the installed version?
father.mande
Posts: 1817
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: Update lighttpd to latest version to include all security fixes

Post by father.mande »

Hi,

lighttpd ... is used for the admin web server only ... so Asustor, I presume, assumes that security (due to the usage of compiled CGI) is not needed at the same level as an "open to the world" web server (but I don't have the answer).

It is not easy to replace the integrated lighttpd server (some things are rebuilt at NAS boot) ... and why do it, if Asustor assumes that security is checked for this specific usage?

If you want to use lighttpd for your own purposes ... compile it yourself as proposed, or use the Entware APKG (2500+ packages) and install lighttpd version 1.4.55.4 ... in this case ALL is under your control.

```
[/volume1/.@root] # opkg list | grep lighttpd | cut -f 1-10 -d " "
lighttpd - 1.4.55-4 - A flexible and lightweight web server
lighttpd-mod-access - 1.4.55-4 - Access restrictions module
lighttpd-mod-accesslog - 1.4.55-4 - Access logging module
lighttpd-mod-alias - 1.4.55-4 - Directory alias module
lighttpd-mod-auth - 1.4.55-4 - Authentication module
lighttpd-mod-authn_file - 1.4.55-4 - File-based authentication module
lighttpd-mod-authn_ldap - 1.4.55-4 - LDAP-based authentication module
lighttpd-mod-authn_mysql - 1.4.55-4 - Mysql-based authentication module
lighttpd-mod-cgi - 1.4.55-4 - CGI module
lighttpd-mod-cml - 1.4.55-4 - Cache Meta Language module
lighttpd-mod-compress - 1.4.55-4 - Compress output module
lighttpd-mod-deflate - 1.4.55-4 - Compress dynamic output module
lighttpd-mod-evasive - 1.4.55-4 - Evasive module
lighttpd-mod-evhost - 1.4.55-4 - Enhanced Virtual-Hosting module
lighttpd-mod-expire - 1.4.55-4 - Expire module
lighttpd-mod-extforward - 1.4.55-4 - Extract client module
lighttpd-mod-fastcgi - 1.4.55-4 - FastCGI module
lighttpd-mod-flv_streaming - 1.4.55-4 - FLV streaming module
lighttpd-mod-magnet - 1.4.55-4 - Magnet module
lighttpd-mod-mysql_vhost - 1.4.55-4 - Mysql virtual hosting module
lighttpd-mod-proxy - 1.4.55-4 - Proxy module
lighttpd-mod-redirect - 1.4.55-4 - URL redirection module
lighttpd-mod-rewrite - 1.4.55-4 - URL rewriting module
lighttpd-mod-rrdtool - 1.4.55-4 - RRDtool module
lighttpd-mod-scgi - 1.4.55-4 - SCGI module
lighttpd-mod-secdownload - 1.4.55-4 - Secure and fast download module
lighttpd-mod-setenv - 1.4.55-4 - Environment variable setting module
lighttpd-mod-simple_vhost - 1.4.55-4 - Simple virtual hosting module
lighttpd-mod-ssi - 1.4.55-4 - SSI module
lighttpd-mod-status - 1.4.55-4 - Server status display module
lighttpd-mod-trigger_b4_dl - 1.4.55-4 - Trigger before download module
lighttpd-mod-userdir - 1.4.55-4 - User directory module
lighttpd-mod-usertrack - 1.4.55-4 - User tracking module
lighttpd-mod-webdav - 1.4.55-4 - WebDAV module
lighttpd-mod-wstunnel - 1.4.55-4 - Websocket tunneling module
rtorrent-easy-install - 0.2-5 - This pakage helps to configure rtorrent
```
Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
huffie
Posts: 38
Joined: Wed Jan 29, 2014 5:10 pm

Re: Update lighttpd to latest version to include all security fixes

Post by huffie »

Thanks Philippe for the advice and suggestion; however, now I'm a bit confused. If I run lighttpd -v I see

```
lighttpd/1.4.29-devel-190 (ssl) - a light and fast webserver
Build-Date: Nov 17 2020 01:25:48
```
But when I do what you suggested (assuming it is to see which mods have been configured/set), I see a different version reported:

```
root # opkg list | grep lighttpd | cut -f 1-10 -d " "
lighttpd - 1.4.48-2 - A flexible and lightweight web server
lighttpd-mod-access - 1.4.48-2 - Access restrictions module
lighttpd-mod-accesslog - 1.4.48-2 - Access logging module
lighttpd-mod-alias - 1.4.48-2 - Directory alias module
lighttpd-mod-auth - 1.4.48-2 - Authentication module
lighttpd-mod-authn_file - 1.4.48-2 - File-based authentication module
lighttpd-mod-authn_ldap - 1.4.48-2 - LDAP-based authentication module
lighttpd-mod-authn_mysql - 1.4.48-2 - Mysql-based authentication module
lighttpd-mod-cgi - 1.4.48-2 - CGI module
lighttpd-mod-cml - 1.4.48-2 - Cache Meta Language module
lighttpd-mod-compress - 1.4.48-2 - Compress output module
lighttpd-mod-deflate - 1.4.48-2 - Compress dynamic output module
lighttpd-mod-evasive - 1.4.48-2 - Evasive module
lighttpd-mod-evhost - 1.4.48-2 - Enhanced Virtual-Hosting module
lighttpd-mod-expire - 1.4.48-2 - Expire module
lighttpd-mod-extforward - 1.4.48-2 - Extract client module
lighttpd-mod-fastcgi - 1.4.48-2 - FastCGI module
lighttpd-mod-flv_streaming - 1.4.48-2 - FLV streaming module
lighttpd-mod-magnet - 1.4.48-2 - Magnet module
lighttpd-mod-mysql_vhost - 1.4.48-2 - Mysql virtual hosting module
lighttpd-mod-proxy - 1.4.48-2 - Proxy module
lighttpd-mod-redirect - 1.4.48-2 - URL redirection module
lighttpd-mod-rewrite - 1.4.48-2 - URL rewriting module
lighttpd-mod-rrdtool - 1.4.48-2 - RRDtool module
lighttpd-mod-scgi - 1.4.48-2 - SCGI module
lighttpd-mod-secdownload - 1.4.48-2 - Secure and fast download module
lighttpd-mod-setenv - 1.4.48-2 - Environment variable setting module
lighttpd-mod-simple_vhost - 1.4.48-2 - Simple virtual hosting module
lighttpd-mod-ssi - 1.4.48-2 - SSI module
lighttpd-mod-status - 1.4.48-2 - Server status display module
lighttpd-mod-trigger_b4_dl - 1.4.48-2 - Trigger before download module
lighttpd-mod-userdir - 1.4.48-2 - User directory module
lighttpd-mod-usertrack - 1.4.48-2 - User tracking module
lighttpd-mod-webdav - 1.4.48-2 - WebDAV module
rtorrent-easy-install - 0.2-3 - This pakage helps to configure rtorrent
```
So is my system running version 1.4.48 or 1.4.29?
father.mande
Posts: 1817
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: Update lighttpd to latest version to include all security fixes

Post by father.mande »

Hi,

You get 1.4.29 when you run the default /usr/sbin/lighttpd -v ...
When you install lighttpd from Entware ... everything is under /opt, because a lot of libraries are updated (libc, for example, is 2.27 while libc on the NAS is 2.22)
... so it's not for REPLACING NAS software but for adding the same software in parallel, with an updated version in a lot of cases.

It's what I wrote:
... replacing the NAS lighttpd, or assuming security for it ... is Asustor's responsibility
... using lighttpd for your own application with an updated version is possible with Entware, but don't change the lighttpd included by Asustor

I have not tested it, and don't know if it's possible to stop the Asustor lighttpd, replace the original exec ... by a link to the new httpd, then restart ... but in any case (if it's possible) all will be lost at the next reboot.

Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
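A check for the situation Philippe describes, added here as an example and not code from the thread or from Asustor/Entware: it parses the banner printed by `lighttpd -v`, compares the version against a chosen minimum, and reports each candidate binary, so the NAS-supplied /usr/sbin/lighttpd and a parallel Entware install can be told apart. The /opt/sbin/lighttpd path and the sample banners are assumptions.

```shell
#!/bin/sh
# Added example: tell the NAS-supplied lighttpd from an Entware one by
# parsing the `lighttpd -v` banner and comparing versions.
# The /opt/sbin/lighttpd path is an assumption about where Entware puts it.

# Extract the numeric version from a banner such as
# "lighttpd/1.4.29-devel-190 (ssl) - a light and fast webserver".
# Build suffixes like "-devel-190" are dropped so only "1.4.29" remains.
lighttpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^lighttpd/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 when dotted version $1 is strictly older than $2, else 1.
# Compares component by component so 1.4.9 sorts before 1.4.10.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# Classify one banner against a minimum version: prints OLD or OK.
classify_banner() {
    ver=$(lighttpd_version_from_banner "$1")
    if [ -z "$ver" ]; then echo "UNKNOWN"; return 2; fi
    if version_lt "$ver" "$2"; then echo "OLD $ver"; return 1; fi
    echo "OK $ver"; return 0
}

# Walk the candidate binaries on a NAS and report each one found.
# 1.4.51 is the release luke_nukem cites as current at the time.
MIN="1.4.51"
for bin in /usr/sbin/lighttpd /opt/sbin/lighttpd; do
    [ -x "$bin" ] || continue          # skip paths that do not exist here
    banner=$("$bin" -v 2>&1 | head -n 1)
    result=$(classify_banner "$banner" "$MIN") || true
    echo "$bin: $result (minimum $MIN)"
done
```

On the thread's NAS the first path reports `OLD 1.4.29` while the Entware binary, if installed, reports its own newer version, which is the parallel-install situation described above.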
huffie
Posts: 38
Joined: Wed Jan 29, 2014 5:10 pm

Re: Update lighttpd to latest version to include all security fixes

Post by huffie »

Hi Philippe,
Once again thanks for your advice; now I understand what you mean.