This update for lighttpd fixes the following issues:
Security issues fixed:
- CVE-2016-1000212: don't allow requests to set the HTTP_PROXY variable. As *CGI apps might pick it
up and use it for outgoing requests (bsc#990847).
- CVE-2015-3200: log injection via malformed base64 string in Authentication header (bsc#932286).
Bugfixes:
- added su directive to logrotate file as the directory is owned by lighttpd. (bsc#981347)
- fix out of bounds read in mod_scgi (debian#857255)