Comment 5 for bug 2058045

gstrauss (gstrauss) wrote (last edit):

I am a lighttpd developer and have prepared patches for Ubuntu updates/backports.

lighttpd 1.4.76 is the current stable lighttpd release and is the best available version of lighttpd.

Added in lighttpd 1.4.76:
  * Detect VU#421644 HTTP/2 CONTINUATION Flood
  * Avoid CVE-2024-3094 xz supply chain attack

Noble should upgrade lighttpd 1.4.74 to lighttpd 1.4.76

The Mantic Minotaur should upgrade lighttpd 1.4.69 to lighttpd 1.4.76 and needs a single patch for behavior compatibility to revert the upgrade to stronger TLS defaults (revert lighttpd commit 87b3a9cab8d964330aef12db9f78aae66eaf0968). While I consider incremental improvement of secure defaults something that should be backported for best security practices, I understand that Ubuntu policy differs.
0001-Revert-TLS-default-to-stronger-ciphers-w-PFS-and-AEA.patch

The Jammy Jellyfish should upgrade lighttpd 1.4.63 to lighttpd 1.4.76 and needs a few patches for behavior compatibility -- again to downgrade stronger lighttpd TLS defaults to weaker defaults in lighttpd 1.4.63 -- and to restore deprecated TLS directives, and to restore deprecated modules.
0001-Revert-TLS-default-to-stronger-ciphers-w-PFS-and-AEA.patch
0002-Revert-TLS-simplify-TLS-config-remove-deprecated-opt.patch
0003-Revert-TLS-upgrade-default-cipher-list-to-stronger-s.patch
0004-Revert-multiple-remove-deprecated-modules.patch
0005-Revert-multiple-remove-long-deprecated-modules.patch

lighttpd 1.4.73 contains detection for HTTP/2 Rapid Reset attacks, which The Mantic Minotaur and The Jammy Jellyfish ought to have in security and/or updates.