SUSE-SU-2017:0728-1

Description of the patch:

This update for lighttpd fixes the following issues:

Security issues fixed:

• CVE-2016-1000212: don't allow requests to set the HTTP_PROXY variable. As *CGI apps might pick it up and use it for outgoing requests (bsc#990847).
• CVE-2015-3200: log injection via malformed base64 string in Authentication header (bsc#932286).

Bugfixes:

• added su directive to logrotate file as the directory is owned by lighttpd. (bsc#981347)
• fix out of bounds read in mod_scgi (debian#857255)