diff --git a/CVE-2022-22707.patch b/CVE-2022-22707.patch
deleted file mode 100644
index 9c5bbc89458c4aec58248316ed8d851cda3439a7..0000000000000000000000000000000000000000
--- a/CVE-2022-22707.patch
+++ /dev/null
@@ -1,90 +0,0 @@ -From 8c62a890e23f5853b1a562b03fe3e1bccc6e7664 Mon Sep 17 00:00:00 2001 -From: povcfe -Date: Wed, 5 Jan 2022 11:11:09 +0000 -Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134) - -(thx povcfe) - -(edited: gstrauss) - -There is a potential remote denial of service in lighttpd mod_extforward -under specific, non-default and uncommon 32-bit lighttpd mod_extforward -configurations. - -Under specific, non-default and uncommon lighttpd mod_extforward -configurations, a remote attacker can trigger a 4-byte out-of-bounds -write of value '-1' to the stack. This is not believed to be exploitable -in any way beyond triggering a crash of the lighttpd server on systems -where the lighttpd server has been built 32-bit and with compiler flags -which enable a stack canary -- gcc/clang -fstack-protector-strong or --fstack-protector-all, but bug not visible with only -fstack-protector. - -With standard lighttpd builds using -O2 optimization on 64-bit x86_64, -this bug has not been observed to cause adverse behavior, even with -gcc/clang -fstack-protector-strong. - -For the bug to be reachable, the user must be using a non-default -lighttpd configuration which enables mod_extforward and configures -mod_extforward to accept and parse the "Forwarded" header from a trusted -proxy. At this time, support for RFC7239 Forwarded is not common in CDN -providers or popular web server reverse proxies. It bears repeating that -for the user to desire to configure lighttpd mod_extforward to accept -"Forwarded", the user must also be using a trusted proxy (in front of -lighttpd) which understands and actively modifies the "Forwarded" header -sent to lighttpd. 
- -lighttpd natively supports RFC7239 "Forwarded" -hiawatha natively supports RFC7239 "Forwarded" - -nginx can be manually configured to add a "Forwarded" header -https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ - -A 64-bit build of lighttpd on x86_64 (not known to be affected by bug) -in front of another 32-bit lighttpd will detect and reject a malicious -"Forwarded" request header, thereby thwarting an attempt to trigger -this bug in an upstream 32-bit lighttpd. - -The following servers currently do not natively support RFC7239 Forwarded: -nginx -apache2 -caddy -node.js -haproxy -squid -varnish-cache -litespeed - -Given the general dearth of support for RFC7239 Forwarded in popular -CDNs and web server reverse proxies, and given the prerequisites in -lighttpd mod_extforward needed to reach this bug, the number of lighttpd -servers vulnerable to this bug is estimated to be vanishingly small. -Large systems using reverse proxies are likely running 64-bit lighttpd, -which is not known to be adversely affected by this bug. - -In the future, it is desirable for more servers to implement RFC7239 -Forwarded. lighttpd developers would like to thank povcfe for reporting -this bug so that it can be fixed before more CDNs and web servers -implement RFC7239 Forwarded. 
- -x-ref: - "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1" - https://redmine.lighttpd.net/issues/3134 - (not yet written or published) - CVE-2022-22707 ---- - src/mod_extforward.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/mod_extforward.c b/src/mod_extforward.c -index 733231fd2..1a04befa6 100644 ---- a/src/mod_extforward.c -+++ b/src/mod_extforward.c -@@ -673,7 +673,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c - while (s[i] == ' ' || s[i] == '\t') ++i; - if (s[i] == ';') { ++i; continue; } - if (s[i] == ',') { -- if (j >= (int)(sizeof(offsets)/sizeof(int))) break; -+ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break; - offsets[++j] = -1; /*("offset" separating params from next proxy)*/ - ++i; - continue; diff --git a/CVE-2022-37797.patch b/CVE-2022-37797.patch deleted file mode 100644 index d5cc1975f1356800215e38da3090a8162747ca59..0000000000000000000000000000000000000000 --- a/CVE-2022-37797.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From a8f7ea10802f6363146e11e2552177bc1e5a6e12 Mon Sep 17 00:00:00 2001
-From: Glenn Strauss
-Date: Tue, 13 Sep 2022 05:51:02 +0000
-Subject: [PATCH] [mod_wstunnel] fix crash with bad hybivers (fixes #3165)
-
-x-ref:
- "mod_wstunnel null pointer dereference"
- https://redmine.lighttpd.net/issues/3165
----
- src/mod_wstunnel.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
-index 6d17d4d..97b89f0 100644
---- a/src/mod_wstunnel.c
-+++ b/src/mod_wstunnel.c
-@@ -483,7 +483,10 @@ static handler_t wstunnel_handler_setup (request_st * const r, plugin_data * con
- hctx->errh = r->conf.errh;/*(for mod_wstunnel-specific DEBUG_* macros)*/
- hctx->conf = p->conf; /*(copies struct)*/
- hybivers = wstunnel_check_request(r, hctx);
-- if (hybivers < 0) return HANDLER_FINISHED;
-+ if (hybivers < 0) {
-+ r->handler_module = NULL;
-+ return HANDLER_FINISHED;
-+ }
- hctx->hybivers = hybivers;
- if (0 == hybivers) {
- DEBUG_LOG_INFO("WebSocket Version = %s", "hybi-00");
---
-2.33.0
-
diff --git a/lighttpd-1.4.56-defaultconf.patch b/lighttpd-1.4.56-defaultconf.patch
deleted file mode 100644
index 1b3eaf03b32f5cafccaf495156ee36d1b0800d32..0000000000000000000000000000000000000000
--- a/lighttpd-1.4.56-defaultconf.patch
+++ /dev/null
@@ -1,68 +0,0 @@ ---- doc/config/lighttpd.conf.orig 2016-07-19 09:09:39.000000000 -0500 -+++ doc/config/lighttpd.conf 2016-07-19 09:25:40.282577966 -0500 -@@ -204,7 +204,9 @@ - ## By default lighttpd would not change the operation system default. - ## But setting it to 2048 is a better default for busy servers. - ## --server.max-fds = 2048 -+## With SELinux enabled, this is denied by default and needs to be allowed -+## by running the following once : setsebool -P httpd_setrlimit on -+#server.max-fds = 2048 - - ## - ## listen-backlog is the size of the listen() backlog queue requested when ---- doc/config/lighttpd.conf~ 2016-08-05 08:24:07.000000000 -0500 -+++ doc/config/lighttpd.conf 2016-08-05 08:26:43.914683962 -0500 -@@ -112,7 +112,7 @@ - ## - ## Document root - ## --server.document-root = server_root + "/htdocs" -+server.document-root = server_root + "/lighttpd" - - ## - ## The value for the "Server:" response field. ---- doc/config/lighttpd.conf~ 2016-06-28 12:32:10.000000000 -0500 -+++ doc/config/lighttpd.conf 2016-06-28 12:41:50.478761160 -0500 -@@ -67,7 +67,7 @@ - ## conf.d/fastcgi.conf - ## conf.d/scgi.conf - ## --var.socket_dir = home_dir + "/sockets" -+var.socket_dir = state_dir + "/sockets" - - ## - ####################################################################### ---- doc/config/lighttpd.conf~ 2020-04-27 10:48:12.000000000 -0500 -+++ doc/config/lighttpd.conf 2020-04-27 10:55:12.145316446 -0500 -@@ -90,7 +90,7 @@ - ## - ## Use IPv6? - ## --server.use-ipv6 = "enable" -+#server.use-ipv6 = "enable" - - ## - ## bind to a specific IP ---- doc/config/lighttpd.conf~ 2020-10-26 14:23:23.000000000 -0500 -+++ doc/config/lighttpd.conf 2020-10-26 14:27:55.577840608 -0500 -@@ -14,8 +14,8 @@ - ## chroot example aswell. 
- ## - var.log_root = "/var/log/lighttpd" --var.server_root = "/srv/www" --var.state_dir = "/run" -+var.server_root = "/var/www" -+var.state_dir = "/var/run" - var.home_dir = "/var/lib/lighttpd" - var.conf_dir = "/etc/lighttpd" - -@@ -438,7 +438,7 @@ - ## - ## # Check your cipher list with: openssl ciphers -v '...' - ## # (use single quotes as your shell won't like ! in double quotes) --## #ssl.cipher-list = "HIGH" # default -+## #ssl.cipher-list = "PROFILE=SYSTEM" - ## - ## # (recommended to accept only TLSv1.2 and TLSv1.3) - ## #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") diff --git a/lighttpd-1.4.56.tar.gz b/lighttpd-1.4.56.tar.gz deleted file mode 100644 index 0c893e19f7f8d688d6f1633938bda7849a7d4a90..0000000000000000000000000000000000000000 Binary files a/lighttpd-1.4.56.tar.gz and /dev/null differ diff --git a/lighttpd-1.4.65-defaultconf.patch b/lighttpd-1.4.65-defaultconf.patch new file mode 100644 index 0000000000000000000000000000000000000000..5981e3974ba31a2c50194e4cdf9a1b88b64198a5 --- /dev/null +++ b/lighttpd-1.4.65-defaultconf.patch 
@@ -0,0 +1,33 @@
+--- doc/config/lighttpd.conf~ 2021-12-02 09:34:06.450352761 -0600
++++ doc/config/lighttpd.conf 2021-12-02 09:36:04.345770602 -0600
+@@ -14,8 +14,8 @@
+ ## chroot example as well.
+ ##
+ var.log_root = "/var/log/lighttpd"
+-var.server_root = "/srv/www"
+-var.state_dir = "/run"
++var.server_root = "/var/www"
++var.state_dir = "/var/run"
+ var.home_dir = "/var/lib/lighttpd"
+ var.conf_dir = "/etc/lighttpd"
+
+@@ -436,7 +436,7 @@
+ ## # Check your cipher list with: openssl ciphers -v '...'
+ ## # (use single quotes with: openssl ciphers -v '...'
+ ## # as your shell won't like ! in double quotes)
+-## #ssl.cipher-list = "HIGH" # default
++## #ssl.cipher-list = "PROFILE=SYSTEM"
+ ##
+ ## # (recommended to accept only TLSv1.2 and TLSv1.3)
+ ## #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # default
+--- doc/config/lighttpd.conf~ 2022-07-28 10:49:14.928564535 -0500
++++ doc/config/lighttpd.conf 2022-07-28 10:49:47.161444622 -0500
+@@ -118,7 +118,7 @@
+ ##
+ ## Document root
+ ##
+-server.document-root = server_root + "/htdocs"
++server.document-root = server_root + "/lighttpd"
+
+ ##
+ ## The value for the "Server:" response field.
diff --git a/lighttpd-1.4.67.tar.xz b/lighttpd-1.4.67.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..014642aea1771074e8a0e7a1976a70c537cef9b5
Binary files /dev/null and b/lighttpd-1.4.67.tar.xz differ
diff --git a/lighttpd.spec b/lighttpd.spec
index 51b6b047564ff44ab94787c686cb6291d63eb058..86cb41a2e92f95cd0da0ec59a64e93f212d908f6 100644
--- a/lighttpd.spec
+++ b/lighttpd.spec
@@ -7,7 +7,7 @@
 %bcond_without openssl
 %bcond_without kerberos5
 %bcond_without pcre
-%bcond_without fam
+%bcond_with fam
 %bcond_without lua
 %bcond_without krb5
 %bcond_without pam
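Review bot: In the new file's `@@ -436,7 +436,7 @@` hunk, `++## #ssl.cipher-list = "PROFILE=SYSTEM"` swaps one commented-out example for another (still `## #`), so the shipped default does not actually opt lighttpd into the distribution crypto policy; the removed line itself records that lighttpd's built-in `"HIGH"` list is what applies while `ssl.cipher-list` stays unset. If the goal is to follow system-wide policy, an uncommented `ssl.cipher-list = "PROFILE=SYSTEM"` belongs in the TLS config snippet the package really ships, and this comment should say that rather than look like it took effect, e.g. `## # To follow the system crypto policy, set: ssl.cipher-list = "PROFILE=SYSTEM"`. `PROFILE=SYSTEM` is OpenSSL cipher-string syntax, which matches the `%bcond_without openssl` build in this spec but would be rejected by other TLS backends — worth a word in the comment if any other backend can be enabled. The file is also named `lighttpd-1.4.65-defaultconf.patch` while being applied to 1.4.67; harmless, but confusing on the next bump.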
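Review bot: `+%bcond_with fam` in the `@@ -7,7 +7,7 @@` hunk turns the FAM stat-cache backend from on-by-default to off-by-default, but nothing in the commit says why, and the changelog entry at the end of this diff only mentions the version bump and CVE-2022-41556. If the reason is that upstream 1.4.67 no longer offers FAM support (the usual cause for such a flip — I have not verified it here), the bcond and any matching `with_fam` conditionals elsewhere in the spec (not in this hunk) should be removed outright instead of left as an opt-in that cannot work. Otherwise add a changelog line such as `- disable FAM stat-cache support by default` so the behaviour change is discoverable.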
@@ -19,18 +19,16 @@ %bcond_without systemd Summary: Lightning fast webserver with light system requirements Name: lighttpd -Version: 1.4.56 -Release: 2 +Version: 1.4.67 +Release: 1 License: BSD-3-Clause and OML and GPLv3 and GPLv2 URL: https://github.com/lighttpd/lighttpd1.4 -Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.gz +Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.xz Source1: lighttpd.logrotate Source2: php.d-lighttpd.ini Source3: lighttpd.init Source4: lighttpd.service -Patch0: lighttpd-1.4.56-defaultconf.patch -Patch1: CVE-2022-22707.patch -Patch2: CVE-2022-37797.patch +Patch0: lighttpd-1.4.65-defaultconf.patch Requires: %{name}-filesystem %if %{with systemd} Requires(post): systemd @@ -53,6 +51,12 @@ BuildRequires: /usr/bin/awk, libattr-devel %{?with_memcache:BuildRequires: memcached-devel} %{?with_lua:BuildRequires: lua-devel} +Provides: %{name}-mod_authn_mysql = %{version}-%{release} +Obsoletes: %{name}-mod_authn_mysql <= 1.4.63-1 + +Provides: %{name}-mod_mysql_vhost = %{version}-%{release} +Obsoletes: %{name}-mod_mysql_vhost <= 1.4.63-1 + %description Secure, fast, compliant and very flexible web-server which has been optimized for high-performance environments. It has a very low memory footprint compared @@ -108,8 +112,6 @@ for the directories. %prep %setup -q %patch0 -p0 -b .defaultconf -%patch1 -p1 -%patch2 -p1 %build autoreconf -if @@ -195,7 +197,6 @@ fi %config(noreplace) %{_sysconfdir}/lighttpd/*.conf %config(noreplace) %{_sysconfdir}/lighttpd/conf.d/*.conf %exclude %{_sysconfdir}/lighttpd/conf.d/fastcgi.conf -%exclude %{_sysconfdir}/lighttpd/conf.d/mysql_vhost.conf %config %{_sysconfdir}/lighttpd/conf.d/mod.template %config %{_sysconfdir}/lighttpd/vhosts.d/vhosts.template %config(noreplace) %{_sysconfdir}/logrotate.d/lighttpd 
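Review bot: `+Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.xz` in the `@@ -19,18 +19,16 @@` hunk still fetches the release over plain HTTP, so the only thing tying the tarball to upstream is the binary copy committed next to this spec; change it to `https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.xz` so re-downloads are at least transport-authenticated. Upstream also publishes a detached signature per release tarball, as far as I know; adding it as another `SourceN` and verifying it in `%prep` would make the provenance check explicit rather than implicit. The same hunk drops `Patch1: CVE-2022-22707.patch` and `Patch2: CVE-2022-37797.patch` on the premise that 1.4.67 already carries both fixes (the removed 37797 patch is dated September 2022 and authored upstream, so this looks right), but the changelog only names CVE-2022-41556; a line like `- drop CVE-2022-22707 and CVE-2022-37797 patches, included upstream` would record it.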
@@ -212,8 +213,6 @@ fi %{_libdir}/lighttpd/ %exclude %{_libdir}/lighttpd/*.la %exclude %{_libdir}/lighttpd/mod_fastcgi.so -%exclude %{_libdir}/lighttpd/mod_mysql_vhost.so -%exclude %{_libdir}/lighttpd/mod_authn_mysql.so %exclude %{_libdir}/lighttpd/mod_authn_gssapi.so %{_mandir}/man8/lighttpd*8* @@ -225,14 +224,10 @@ fi %{_libdir}/lighttpd/mod_fastcgi.so %files mod_mysql_vhost -%doc doc/outdated/mysqlvhost.txt -%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/mysql_vhost.conf %dir %{_libdir}/lighttpd/ -%{_libdir}/lighttpd/mod_mysql_vhost.so %files mod_authn_mysql %dir %{_libdir}/lighttpd/ -%{_libdir}/lighttpd/mod_authn_mysql.so %files mod_authn_gssapi %dir %{_libdir}/lighttpd/ @@ -256,6 +251,9 @@ fi %attr(0700, lighttpd, lighttpd) %dir %{webroot}/ %changelog +* Wed Oct 12 2022 liangqifeng - 1.4.67-1 +- update to 1.4.67 to fix CVE-2022-41556 + * Fri Sep 30 2022 yaoxin - 1.4.56-2 - Fix excuting systemctl start lighttpd.service error
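Review bot: After the `@@ -225,14 +224,10 @@` hunk, `%files mod_mysql_vhost` and `%files mod_authn_mysql` each contain nothing but `%dir %{_libdir}/lighttpd/`, so the build still produces two subpackages with no payload, while the main package now declares `Provides: %{name}-mod_mysql_vhost` and `Provides: %{name}-mod_authn_mysql` for those same names (hunk `@@ -53,6 +51,12 @@` earlier in this diff). Having an empty subpackage and a main-package Provides/Obsoletes for the same name leaves the upgrade path from an installed `lighttpd-mod_mysql_vhost-1.4.56-2` ambiguous between the two, and ships directory-only packages that nobody needs. If the `%package mod_mysql_vhost` / `%package mod_authn_mysql` stanzas (outside this diff) are still present, delete them together with these two `%files` sections and keep only the Provides/Obsoletes on the main package.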