Release Info

  • Version: 1.4.30
  • Previous version: 1.4.29
  • Branch: 1.4
  • Status: stable
  • Release Purpose: bug fixes
  • Release manager: stbuehler
  • Released date: 2011-12-18

"Faster than santa, your first present this year!"

And lighttpd 1.4 is still alive :)

This release is especially important for SSL users: by setting

ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

you can mitigate BEAST attacks.
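A check for the setting above, as an added example that is not part of the release notes or of lighttpd: it reads a lighttpd config and reports why the mitigation would not take effect. The cipher order only helps if the server's order is honored, so it also looks for ssl.honor-cipher-order, which is assumed to be the name of the "honor server cipher order" option in the changelog below. The sample configs, the pemfile path and the TLS 1.2 naming heuristic are constructed for illustration.

```python
import re

# Constructed sample configs (not from the release notes); the path is a placeholder.
ORDER_NOT_HONORED = '''
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/path/to/server.pem"
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
}
'''
# Assumption: ssl.honor-cipher-order is the option behind the changelog entry
# "[ssl] add option to honor server cipher order".
MITIGATED = ORDER_NOT_HONORED.replace("}", '    ssl.honor-cipher-order = "enable"\n}')
WRONG_ORDER = MITIGATED.replace("RC4-SHA:RC4:HIGH", "HIGH:RC4-SHA:RC4")


def setting(conf, key):
    """Return the last quoted value assigned to key, ignoring commented-out lines."""
    hits = re.findall(r'^[ \t]*' + re.escape(key) + r'[ \t]*=[ \t]*"([^"]*)"', conf, re.M)
    return hits[-1] if hits else None


def tls12_only(token):
    # Heuristic: OpenSSL names of suites introduced with TLS 1.2 end in
    # SHA256/SHA384 or contain GCM; a TLS 1.0 client cannot negotiate them.
    return token.endswith(("SHA256", "SHA384")) or "GCM" in token


def beast_findings(conf):
    """List the reasons a config does not apply the mitigation described above."""
    ciphers = setting(conf, "ssl.cipher-list")
    if ciphers is None:
        return ["ssl.cipher-list is not set"]
    findings = []
    # Entries starting with "!", "-" or "+" edit the list; the rest set preference order.
    prefs = [t for t in ciphers.split(":") if t and t[0] not in "!-+"]
    usable_by_tls10 = [t for t in prefs if not tls12_only(t)]
    if not usable_by_tls10 or not usable_by_tls10[0].startswith("RC4"):
        findings.append("first entry a TLS 1.0 client can use is not RC4")
    if setting(conf, "ssl.honor-cipher-order") != "enable":
        findings.append("ssl.honor-cipher-order is not enabled, so the client's order decides")
    return findings


if __name__ == "__main__":
    for name, conf in [("order not honored", ORDER_NOT_HONORED),
                       ("mitigated", MITIGATED), ("wrong order", WRONG_ORDER)]:
        print(name, "->", beast_findings(conf) or "ok")
```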

Important changes from 1.4.29

  • [mod_auth] Fix signedness error in http_auth (CVE-2011-4362)
  • ssl: disable client initiated renegotiations
  • ssl: support mitigating BEAST attack
  • fix connection stalls


Changes from 1.4.29

  • Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331)
  • Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems.
  • [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled
  • Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file
  • Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341)
  • Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351)
  • [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
  • [ssl] count renegotiations to prevent client renegotiations
  • [ssl] add option to honor server cipher order (fixes #2364, BEAST attack)
  • [core] accept dots in ipv6 addresses in host header (fixes #2359)
  • [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb)
  • [libev/cgi] fix waitpid ECHILD errors in cgi with libev (fixes #2324)

Updated by stbuehler almost 12 years ago · 3 revisions