diff --git a/CVE-2022-22707.patch b/CVE-2022-22707.patch
index 9c5bbc89458c4aec58248316ed8d851cda3439a7..c1bc180e61c5a3b74c55760c4c13423020e0f20e 100644
--- a/CVE-2022-22707.patch
+++ b/CVE-2022-22707.patch
@@ -79,7 +79,7 @@ diff --git a/src/mod_extforward.c b/src/mod_extforward.c
 index 733231fd2..1a04befa6 100644
 --- a/src/mod_extforward.c
 +++ b/src/mod_extforward.c
-@@ -673,7 +673,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
+@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
 while (s[i] == ' ' || s[i] == '\t') ++i;
 if (s[i] == ';') { ++i; continue; }
 if (s[i] == ',') {
diff --git a/CVE-2022-37797.patch b/CVE-2022-37797.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d5cc1975f1356800215e38da3090a8162747ca59
--- /dev/null
+++ b/CVE-2022-37797.patch
@@ -0,0 +1,31 @@
+From a8f7ea10802f6363146e11e2552177bc1e5a6e12 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss
+Date: Tue, 13 Sep 2022 05:51:02 +0000
+Subject: [PATCH] [mod_wstunnel] fix crash with bad hybivers (fixes #3165)
+
+x-ref:
+ "mod_wstunnel null pointer dereference"
+ https://redmine.lighttpd.net/issues/3165
+---
+ src/mod_wstunnel.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
+index 6d17d4d..97b89f0 100644
+--- a/src/mod_wstunnel.c
++++ b/src/mod_wstunnel.c
+@@ -483,7 +483,10 @@ static handler_t wstunnel_handler_setup (request_st * const r, plugin_data * con
+ hctx->errh = r->conf.errh;/*(for mod_wstunnel-specific DEBUG_* macros)*/
+ hctx->conf = p->conf; /*(copies struct)*/
+ hybivers = wstunnel_check_request(r, hctx);
+- if (hybivers < 0) return HANDLER_FINISHED;
++ if (hybivers < 0) {
++ r->handler_module = NULL;
++ return HANDLER_FINISHED;
++ }
+ hctx->hybivers = hybivers;
+ if (0 == hybivers) {
+ DEBUG_LOG_INFO("WebSocket Version = %s", "hybi-00");
+--
+2.33.0
+
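Review bot: The new CVE-2022-37797.patch has no `Origin:` line under its Subject, while the two other patch files added in this change (fix-loading-mod_auth-after-dynamic-modules.patch and make-setrlimit-warn-not-fatal.patch) record the upstream commit URL there, so the one backport that is a security fix is the one without a provenance pointer. The `From a8f7ea10802f…` header already supplies the upstream id; add `Origin:https://github.com/lighttpd/lighttpd1.4/commit/a8f7ea10802f6363146e11e2552177bc1e5a6e12` in the same position the other two use so the backport can be checked against upstream. In the inner hunk the new branch clears `r->handler_module` before returning HANDLER_FINISHED, presumably so the request is not routed back into mod_wstunnel with the partly set-up hctx; a one-line note to that effect in the patch header would spare the next rebaser from re-deriving why the plain `return` was not enough. wstunnel_handler_setup continues past the hunk.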
diff --git a/fix-loading-mod_auth-after-dynamic-modules.patch b/fix-loading-mod_auth-after-dynamic-modules.patch
new file mode 100644
index 0000000000000000000000000000000000000000..06cee0df6fbbd1882a04c90d33a4c3ff2ed81a2b
--- /dev/null
+++ b/fix-loading-mod_auth-after-dynamic-modules.patch
@@ -0,0 +1,62 @@
+From 492773a20f8a1deb1c94e25d40023970dd9608a1 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss
+Date: Sun, 5 Dec 2021 07:50:17 -0500
+Subject: [PATCH] [core] fix trace issued for loading mod_auth (fixes #3121)
+
+Origin:https://github.com/lighttpd/lighttpd1.4/commit/492773a20f8a1deb1c94e25d40023970dd9608a1
+
+fix trace issued for loading mod_auth after dynamic modules
+
+x-ref:
+ "Curious message on startup with version 1.4.63"
+ https://redmine.lighttpd.net/boards/2/topics/10182
+ "mod_auth warning on startup"
+ https://redmine.lighttpd.net/issues/3121
+---
+ src/configfile.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/src/configfile.c b/src/configfile.c
+index 5760bb43..033f2c46 100644
+--- a/src/configfile.c
++++ b/src/configfile.c
+@@ -369,6 +369,7 @@ static void config_compat_module_load (server *srv) {
+ int contains_mod_auth = 0;
+ int prepend_mod_auth = 0;
+ int prepend_mod_vhostdb = 0;
++ const char *dyn_name = NULL;
+
+ for (uint32_t i = 0; i < srv->srvconf.modules->used; ++i) {
+ buffer *m = &((data_string *)srv->srvconf.modules->data[i])->value;
+@@ -390,8 +391,15 @@ static void config_compat_module_load (server *srv) {
+ else if (buffer_eq_slen(m, CONST_STR_LEN("mod_wolfssl")))
+ append_mod_openssl = 0;
+ else if (0 == strncmp(m->ptr, "mod_auth", sizeof("mod_auth")-1)) {
+- if (buffer_eq_slen(m, CONST_STR_LEN("mod_auth")))
+- contains_mod_auth = 1;
++ if (buffer_eq_slen(m, CONST_STR_LEN("mod_auth"))) {
++ if (!contains_mod_auth) {
++ contains_mod_auth = 1;
++ if (dyn_name)
++ log_error(srv->errh, __FILE__, __LINE__,
++ "Warning: mod_auth should be listed in server.modules"
++ " before dynamic backends such as %s", dyn_name);
++ }
++ }
+ else if (!contains_mod_auth)
+ prepend_mod_auth = 1;
+
+@@ -422,11 +430,8 @@ static void config_compat_module_load (server *srv) {
+ sizeof("mod_sockproxy")-1)
+ || 0 == strncmp(m->ptr, "mod_wstunnel",
+ sizeof("mod_wstunnel")-1)) {
+- if (!contains_mod_auth) {
+- log_error(srv->errh, __FILE__, __LINE__,
+- "Warning: mod_auth should be listed in server.modules before "
+- "dynamic backends such as %s", m->ptr);
+- }
++ if (NULL == dyn_name)
++ dyn_name = m->ptr;
+ }
+ }
+
diff --git a/lighttpd-1.4.45-defaultconf.patch b/lighttpd-1.4.45-defaultconf.patch
deleted file mode 100644
index 97d48ad836f782736c6a5a587c5db9dc944c698d..0000000000000000000000000000000000000000
--- a/lighttpd-1.4.45-defaultconf.patch
+++ /dev/null
@@ -1,57 +0,0 @@
---- doc/config/lighttpd.conf~ 2014-03-12 11:40:36.000000000 -0500
-+++ doc/config/lighttpd.conf 2014-07-07 08:22:46.934838985 -0500
-@@ -417,7 +417,7 @@
- ## # Check your cipher list with: openssl ciphers -v '...' (use single quotes as your shell won't like ! in double quotes)
- ## #
- ## # If you know you have RSA keys (standard), you can use:
--## ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"
-+## ssl.cipher-list = "PROFILE=SYSTEM"
- ## # The more generic version (without the restriction to RSA keys) is
- ## # ssl.cipher-list = "HIGH !aNULL !3DES +kEDH +kRSA !kSRP !kPSK"
- ## #
---- doc/config/lighttpd.conf~ 2016-03-01 10:14:50.000000000 -0500
-+++ doc/config/lighttpd.conf 2016-03-01 10:17:59.194568947 -0500
-@@ -14,7 +14,7 @@
- ## chroot example aswell.
- ##
- var.log_root = "/var/log/lighttpd"
--var.server_root = "/srv/www"
-+var.server_root = "/var/www"
- var.state_dir = "/var/run"
- var.home_dir = "/var/lib/lighttpd"
- var.conf_dir = "/etc/lighttpd"
---- doc/config/lighttpd.conf.orig 2016-07-19 09:09:39.000000000 -0500
-+++ doc/config/lighttpd.conf 2016-07-19 09:25:40.282577966 -0500
-@@ -204,7 +204,9 @@
- ## By default lighttpd would not change the operation system default.
- ## But setting it to 2048 is a better default for busy servers.
- ##
--server.max-fds = 2048
-+## With SELinux enabled, this is denied by default and needs to be allowed
-+## by running the following once : setsebool -P httpd_setrlimit on
-+#server.max-fds = 2048
-
- ##
- ## listen-backlog is the size of the listen() backlog queue requested when
---- doc/config/lighttpd.conf~ 2016-08-05 08:24:07.000000000 -0500
-+++ doc/config/lighttpd.conf 2016-08-05 08:26:43.914683962 -0500
-@@ -112,7 +112,7 @@
- ##
- ## Document root
- ##
--server.document-root = server_root + "/htdocs"
-+server.document-root = server_root + "/lighttpd"
-
- ##
- ## The value for the "Server:" response field.
---- doc/config/lighttpd.conf~ 2016-06-28 12:32:10.000000000 -0500
-+++ doc/config/lighttpd.conf 2016-06-28 12:41:50.478761160 -0500
-@@ -67,7 +67,7 @@
- ## conf.d/fastcgi.conf
- ## conf.d/scgi.conf
- ##
--var.socket_dir = home_dir + "/sockets"
-+var.socket_dir = state_dir + "/sockets"
-
- ##
- #######################################################################
diff --git a/lighttpd-1.4.53.tar.gz b/lighttpd-1.4.53.tar.gz
deleted file mode 100644
index cbe7e36cf8572a92386ea3aac362bd5859f5e99e..0000000000000000000000000000000000000000
Binary files a/lighttpd-1.4.53.tar.gz and /dev/null differ
diff --git a/lighttpd-1.4.62-defaultconf.patch b/lighttpd-1.4.62-defaultconf.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9139242d029c6660e48f49ffcfcae7ba7a24a01e
--- /dev/null
+++ b/lighttpd-1.4.62-defaultconf.patch
@@ -0,0 +1,22 @@
+--- doc/config/lighttpd.conf~ 2021-12-02 09:34:06.450352761 -0600
++++ doc/config/lighttpd.conf 2021-12-02 09:36:04.345770602 -0600
+@@ -14,8 +14,8 @@
+ ## chroot example as well.
+ ##
+ var.log_root = "/var/log/lighttpd"
+-var.server_root = "/srv/www"
+-var.state_dir = "/run"
++var.server_root = "/var/www"
++var.state_dir = "/var/run"
+ var.home_dir = "/var/lib/lighttpd"
+ var.conf_dir = "/etc/lighttpd"
+
+@@ -436,7 +436,7 @@
+ ## # Check your cipher list with: openssl ciphers -v '...'
+ ## # (use single quotes with: openssl ciphers -v '...'
+ ## # as your shell won't like ! in double quotes)
+-## #ssl.cipher-list = "HIGH" # default
++## #ssl.cipher-list = "PROFILE=SYSTEM"
+ ##
+ ## # (recommended to accept only TLSv1.2 and TLSv1.3)
+ ## #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # default
diff --git a/lighttpd-1.4.63.tar.gz b/lighttpd-1.4.63.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..4bcde1aba12ef1e889a09bf44850679c6638f9a3
Binary files /dev/null and b/lighttpd-1.4.63.tar.gz differ
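Review bot: The new lighttpd-1.4.62-defaultconf.patch carries only the server_root/state_dir and cipher-list hunks, so the `server.document-root = server_root + "/lighttpd"` and `var.socket_dir = state_dir + "/sockets"` overrides that the deleted lighttpd-1.4.45-defaultconf.patch applied are gone and the shipped lighttpd.conf falls back to upstream's `server_root + "/htdocs"` and `home_dir + "/sockets"`. If `%{webroot}` in the spec still packages /var/www/lighttpd (its value is not visible here), a fresh install's default host serves a directory the package never creates, and sockets move from the runtime dir to /var/lib/lighttpd; either restore those two hunks in the new patch or call the path changes out in the changelog entry. In the second hunk, replacing `## #ssl.cipher-list = "HIGH" # default` with `## #ssl.cipher-list = "PROFILE=SYSTEM"` drops the `# default` marker from a commented-out example, which invites the reading that PROFILE=SYSTEM is lighttpd's built-in default when the removed line shows it is "HIGH". Writing it as `## #ssl.cipher-list = "PROFILE=SYSTEM" # distro suggestion; built-in default is "HIGH"` keeps that honest for the admin who uncomments it.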
diff --git a/lighttpd.init b/lighttpd.init index e489fdc6e03a00c4781bc6696b36eb74a257ecaf..56fd3da01dfbb5a56edd6e9c8548fab011ebecd4 100644 --- a/lighttpd.init +++ b/lighttpd.init @@ -61,7 +61,7 @@ restart() { reload() { echo -n $"Reloading $prog: " - killproc $prog -HUP + killproc $prog -USR1 retval=$? echo return $retval diff --git a/lighttpd.logrotate b/lighttpd.logrotate index 8ab2dc1c6f8be0c3310ff9e199898075078b993e..28bb9018c70965b4e7318dc5a3c64553228b7222 100644 --- a/lighttpd.logrotate +++ b/lighttpd.logrotate @@ -1,3 +1,10 @@ + +# Warning: Using logrotate together with `max-workers` Lighty option is +# a pretty complicated thing: +# https://redmine.lighttpd.net/projects/1/wiki/Docs_ModAccesslog +# If you use max-workers, you probably want cronolog, which in turn means +# you shouldn't be using logrotate at all. + /var/log/lighttpd/*log { missingok notifempty diff --git a/lighttpd.service b/lighttpd.service index 1f6fa467f1f99bfb15010be7a7db61b565fd18b3..3e563cd59134b3eb3e3e02b8552a04e97338d976 100644 --- a/lighttpd.service +++ b/lighttpd.service @@ -6,6 +6,7 @@ After=syslog.target network.target PIDFile=/var/run/lighttpd.pid EnvironmentFile=-/etc/sysconfig/lighttpd ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf +ExecReload=/bin/kill -USR1 $MAINPID [Install] WantedBy=multi-user.target diff --git a/lighttpd.spec b/lighttpd.spec index 65afeed7035c5ebc90159e5c2b465c8fc2998717..fc95933ff2b5dd84878fa7454a8e34a6ccd8858b 100644 --- a/lighttpd.spec +++ b/lighttpd.spec @@ -7,7 +7,7 @@ %bcond_without openssl %bcond_without kerberos5 %bcond_without pcre -%bcond_without fam +%bcond_with fam %bcond_without lua %bcond_without krb5 %bcond_without pam 
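Review bot: The `reload()` action in lighttpd.init now sends `-USR1` instead of `-HUP`, and the unit's new `ExecReload=/bin/kill -USR1 $MAINPID` matches it, but neither file says what the signal does; in lighttpd 1.4 SIGHUP re-opens the log files while SIGUSR1 requests a graceful restart in recent 1.4.x releases (older ones treated it as a graceful shutdown), so this is a behavior change for anyone who scripted `service lighttpd reload` or a logrotate postrotate around HUP. Please confirm against the shipped lighttpd.conf that a bare SIGUSR1 on 1.4.63 restarts rather than exits the daemon under systemd, and add a comment such as `# SIGUSR1 = graceful restart; SIGHUP only re-opens logs` above the killproc line and the ExecReload line. The `%bcond_with fam` flip in the spec and the new logrotate warning text need no change. The surrounding init-script functions and unit sections continue outside these hunks.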
@@ -19,17 +19,20 @@ %bcond_without systemd Summary: Lightning fast webserver with light system requirements Name: lighttpd -Version: 1.4.53 -Release: 2 +Version: 1.4.63 +Release: 1 License: BSD-3-Clause and OML and GPLv3 and GPLv2 URL: https://github.com/lighttpd/lighttpd1.4 -Source0: https://github.com/lighttpd/lighttpd1.4/archive/lighttpd-1.4.53.tar.gz +Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.gz Source1: lighttpd.logrotate Source2: php.d-lighttpd.ini Source3: lighttpd.init Source4: lighttpd.service -Patch0: lighttpd-1.4.45-defaultconf.patch -Patch1: CVE-2022-22707.patch +Patch0: lighttpd-1.4.62-defaultconf.patch +Patch1: make-setrlimit-warn-not-fatal.patch +Patch2: fix-loading-mod_auth-after-dynamic-modules.patch +Patch3: CVE-2022-22707.patch +Patch4: CVE-2022-37797.patch Requires: %{name}-filesystem %if %{with systemd} Requires(post): systemd @@ -105,9 +108,12 @@ for the lighttpd server including the correct permissions for the directories. %prep -%setup -q -n lighttpd1.4-%{name}-%{version} +%setup -q %patch0 -p0 -b .defaultconf -%patch1 -p1 +%patch1 -p1 -b .setrlimit +%patch2 -p1 -b .fixtrace +%patch3 -p1 +%patch4 -p1 %build autoreconf -if @@ -254,6 +260,9 @@ fi %attr(0700, lighttpd, lighttpd) %dir %{webroot}/ %changelog +* Mon Sep 19 2022 mayp - 1.4.63-1 +- Update to 1.4.63 + * Fri Jan 14 2022 yaoxin - 1.4.53-2 - Fix CVE-2022-22707 diff --git a/make-setrlimit-warn-not-fatal.patch b/make-setrlimit-warn-not-fatal.patch new file mode 100644 index 0000000000000000000000000000000000000000..5fde870862fd81d77586169c5e4e2e2c8cbb096c --- /dev/null +++ b/make-setrlimit-warn-not-fatal.patch 
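Review bot: `Source0` now points at `http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.gz` over plain HTTP, and nothing in the spec verifies the tarball against a digest or the upstream signature, so the only integrity anchor for the new lighttpd-1.4.63.tar.gz is the blob committed alongside it. Switch the URL to `https://download.lighttpd.net/…` (the host appears to serve TLS, to be confirmed) and, if upstream publishes a .sha256sum or .asc for the release, record it as an additional Source so the fetch can be checked at update time. The changelog entry `Update to 1.4.63` also omits that this update introduces Patch4 for CVE-2022-37797, which the previous entry's `Fix CVE-2022-22707` style suggests should be named.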
@@ -0,0 +1,29 @@
+From 5a257fab511225bbfa56b4f1a8b2bb7085f96478 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss
+Date: Wed, 8 Dec 2021 18:42:31 -0500
+Subject: [PATCH] [core] make setrlimit() warn, not fatal
+
+Origin:https://github.com/lighttpd/lighttpd1.4/commit/5a257fab511225bbfa56b4f1a8b2bb7085f96478
+
+(thx limb)
+
+make setrlimit() issue warning on error, not fatal,
+and add suggesting to configure SELinux permissions
+---
+ src/server.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/server.c b/src/server.c
+index f2ff7b73..beca364a 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -1357,7 +1357,8 @@ static int server_main_setup (server * const srv, int argc, char **argv) {
+
+ if (0 != setrlimit(RLIMIT_NOFILE, &rlim)) {
+ log_perror(srv->errh, __FILE__, __LINE__, "setrlimit()");
+- return -1;
++ log_error(srv->errh, __FILE__, __LINE__, "setrlimit() may need root to run once: setsebool -P httpd_setrlimit on");
++ use_rlimit = 0;
+ }
+ }
+