diff -Nru lighttpd-1.4.55/debian/changelog lighttpd-1.4.55/debian/changelog
--- lighttpd-1.4.55/debian/changelog 2020-02-26 13:44:09.000000000 +0000
+++ lighttpd-1.4.55/debian/changelog 2023-02-17 02:09:14.000000000 +0000
@@ -1,3 +1,22 @@
+lighttpd (1.4.55-1ubuntu1.20.04.2) focal-security; urgency=medium
+
+ * SECURITY UPDATE: Out-of-bounds Write
+ - debian/patches/CVE-2022-22707.patch: mod_extforward_Forwarded function
+ of the mod_extforward plugin has a stack-based buffer overflow.
+ (LP: #1994989)
+ - CVE-2022-22707
+
+ -- Jack Fewx Thu, 16 Feb 2023 20:09:14 -0600
+
+lighttpd (1.4.55-1ubuntu1.20.04.1) focal; urgency=medium
+
+ * d/control: Depend on libgamin to fix missing symbol errors (LP: #1453463)
+ * d/test/control: introduce regression test for libgamin/libfam
+ * d/test/libfam-libgamin-conflict-regression: check for libgamin/libfam
+ conflict regressions
+
+ -- Athos Ribeiro Mon, 14 Jun 2021 18:34:03 -0300
+
 lighttpd (1.4.55-1ubuntu1) focal; urgency=low
 
 * Merge from Debian unstable. Remaining changes:
diff -Nru lighttpd-1.4.55/debian/control lighttpd-1.4.55/debian/control
--- lighttpd-1.4.55/debian/control 2020-02-24 21:21:49.000000000 +0000
+++ lighttpd-1.4.55/debian/control 2021-06-14 21:34:03.000000000 +0000
@@ -1,7 +1,8 @@
 Source: lighttpd
 Section: httpd
 Priority: optional
-Maintainer: Debian lighttpd maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian lighttpd maintainers
 Uploaders: Helmut Grohne , Glenn Strauss , Stefan Bühler
 Homepage: https://www.lighttpd.net/
 Build-Depends:
@@ -13,11 +14,11 @@
 libbz2-dev,
 libattr1-dev,
 libpcre3-dev,
- libgamin-dev,
 default-libmysqlclient-dev | libmysqlclient-dev,
 libdbi-dev,
 libldap2-dev,
 libfcgi-dev,
+ libgamin-dev,
 libgdbm-dev,
 libgeoip-dev,
 liblua5.1-0-dev,
@@ -50,6 +51,7 @@
 ${shlibs:Depends},
 mime-support,
 lsb-base (>= 3.0-6),
+ libgamin0,
 Recommends:
 spawn-fcgi,
 perl:any,
diff -Nru lighttpd-1.4.55/debian/patches/CVE-2022-22707.patch lighttpd-1.4.55/debian/patches/CVE-2022-22707.patch
--- lighttpd-1.4.55/debian/patches/CVE-2022-22707.patch 1970-01-01 00:00:00.000000000 +0000
+++ lighttpd-1.4.55/debian/patches/CVE-2022-22707.patch 2023-02-17 02:09:14.000000000 +0000
@@ -0,0 +1,28 @@
+Description: Security backport of CVE-2022-22707
+ From: povcfe
+ Date: Wed, 5 Jan 2022 11:11:09 +0000
+ Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
+
+ There is a potential remote denial of service in lighttpd mod_extforward
+ under specific, non-default and uncommon 32-bit lighttpd mod_extforward
+ configurations.
+
+Origin: upstream, https://github.com/lighttpd/lighttpd1.4/commit/8c62a890e23f5853b1a562b03fe3e1bccc6e7664
+Bug: https://redmine.lighttpd.net/issues/3134
+Bug: https://nvd.nist.gov/vuln/detail/CVE-2022-22707
+
+Reviewed-by: Jack Fewx
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1994989
+
+---
+--- lighttpd-1.4.55.orig/src/mod_extforward.c
++++ lighttpd-1.4.55/src/mod_extforward.c
+@@ -673,7 +673,7 @@ static handler_t mod_extforward_Forwarde
+ while (s[i] == ' ' || s[i] == '\t') ++i;
+ if (s[i] == ';') { ++i; continue; }
+ if (s[i] == ',') {
+- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
++ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
+ offsets[++j] = -1; /*("offset" separating params from next proxy)*/
+ ++i;
+ continue;
diff -Nru lighttpd-1.4.55/debian/patches/series lighttpd-1.4.55/debian/patches/series
--- lighttpd-1.4.55/debian/patches/series 2020-02-26 13:43:59.000000000 +0000
+++ lighttpd-1.4.55/debian/patches/series 2023-02-17 02:09:14.000000000 +0000
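Review bot: The explicit `libgamin0` added beside `${shlibs:Depends}` carries no in-file reason, and a later cleanup could drop it as a duplicate of what shlibs already generates. The changelog and the new autopkgtest say it is there because the fam dependency can otherwise be satisfied by libfam, which lacks symbols the package needs; a comment line above the entry, e.g. `# libgamin0 pinned explicitly: libfam0 also satisfies the fam dependency but lacks needed symbols (LP: #1453463)`, keeps that reason next to the dependency (debian/control accepts `#` comment lines). That the shlibs-generated dependency actually admits libfam0 as an alternative is inferred from the changelog, not visible in this hunk.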
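Review bot: The backported check `if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;` is correct but carries no explanation of the `-1`, which exists only because the next line writes `offsets[++j]` — pre-incrementing past the old bound was the out-of-bounds write. A reader of the distro patch has to re-derive this; a comment on the changed line such as `/* reserve one slot: the ++j on the next line must stay within offsets */` would keep the reasoning with the check, though since this is a verbatim upstream backport it belongs in an upstream follow-up rather than in the distro patch. The enclosing `mod_extforward_Forwarded` starts and ends outside this hunk, so whether any other `offsets[++j]` write in that function needs the same one-slot reservation cannot be confirmed here; comparing the backport against the full upstream commit named in the Origin line would settle it.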
@@ -1,3 +1,4 @@
 var-run-929203.patch
 build-dev-package.patch
 add-lighttpd.pc-configure.patch
+CVE-2022-22707.patch
diff -Nru lighttpd-1.4.55/debian/tests/control lighttpd-1.4.55/debian/tests/control
--- lighttpd-1.4.55/debian/tests/control 2020-02-24 21:21:50.000000000 +0000
+++ lighttpd-1.4.55/debian/tests/control 2021-06-14 21:34:03.000000000 +0000
@@ -8,3 +8,6 @@
 Tests: serve-static-file
 Depends: lighttpd, curl
 Restrictions: allow-stderr
+
+Tests: libfam-libgamin-conflict-regression
+Restrictions: needs-root
diff -Nru lighttpd-1.4.55/debian/tests/libfam-libgamin-conflict-regression lighttpd-1.4.55/debian/tests/libfam-libgamin-conflict-regression
--- lighttpd-1.4.55/debian/tests/libfam-libgamin-conflict-regression 1970-01-01 00:00:00.000000000 +0000
+++ lighttpd-1.4.55/debian/tests/libfam-libgamin-conflict-regression 2021-06-14 21:34:03.000000000 +0000
@@ -0,0 +1,19 @@
+#!/bin/sh
+# This test checks for regressions on lighttpd fam dependencies,
+# which could either be satisfied by libgamin or libfam, whereas the latter
+# does not provide all the needed symbols for the package to work properly
+# https://bugs.launchpad.net/ubuntu/+source/lighttpd/+bug/1453463
+
+test_dep_regression() {
+ apt-get purge -y libfam0 libgamin0 lighttpd
+ apt-get install -y $1
+ apt-get install -y lighttpd
+ if ! /usr/sbin/lighttpd -v; then
+ echo "Err: possible libfam-libgamin conflict regression"
+ exit 1
+ fi
+}
+
+apt-get update
+test_dep_regression libfam0
+test_dep_regression libgamin0
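Review bot: None of the apt-get calls in `test_dep_regression` are checked, so if `apt-get install -y $1` fails (the requested package being uninstallable, say) the function still installs lighttpd with whatever the resolver picks and the check passes vacuously for that variant. Adding `set -e` as the second line of the script makes any failing apt-get abort the test, and the `if ! /usr/sbin/lighttpd -v; then` condition keeps working under errexit because the condition of an `if` is exempt; quoting the argument as `apt-get install -y "$1"` is the matching style fix. With `set -e` the `apt-get update` at the bottom also becomes fatal, which is what a regression test wants.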