Revision 1 (stbuehler, 2011-12-18 17:23) → Revision 2/3 (stbuehler, 2011-12-20 01:29)

h1. Release Info 

 * Version: 1.4.30 
 * Previous version: [[Release-1.4.29|1.4.29]] 
 * Branch: 1.4 
 * Status: stable 
 * Release Purpose: bug fixes 
 * Release manager: stbuehler 
 * Released date: 2011-12-18 

 "Faster than santa, your first present this year!" 

 And lighttpd 1.4 is still alive :) 

 This release is especially important for SSL users: by setting 

 <pre>ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"</pre> 

 you can mitigate BEAST attacks. 
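
The SSL settings this release introduces, combined in one fragment. This is an added example, not configuration published by the lighttpd project. The socket, the PEM path and the choice to set @ssl.honor-cipher-order@ and @ssl.disable-client-renegotiation@ explicitly are assumptions; the cipher list is the one given above.

```conf
# Added example: HTTPS socket using the SSL options introduced in 1.4.30.
# The port and the PEM path are placeholders (assumptions), not from the release notes.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/example.org.pem"   # placeholder path

    # Cipher list from the release notes. The two leading suites are
    # TLS 1.2-only; after them the RC4 suites are listed ahead of the
    # remaining HIGH (CBC) suites, because BEAST targets CBC ciphers in TLS 1.0.
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

    # The ordering above only has an effect if the server's preference is
    # used instead of the client's, so it is set explicitly here.
    ssl.honor-cipher-order = "enable"

    # Refuse client-initiated renegotiations (set explicitly here).
    ssl.disable-client-renegotiation = "enable"
}
```

RC4 has since been prohibited for TLS by RFC 7465, so this list reflects the 2011 mitigation rather than a current cipher recommendation.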

 h1. Important changes from 1.4.29 

 * [mod_auth] Fix signedness error in http_auth (CVE-2011-4362) 
 * ssl: disable client initiated renegotiations 
 * ssl: support mitigating BEAST attack 
 * fix connection stalls 

 h1. Downloads 

 * http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz 
 ** GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz.asc 
 ** SHA256: 59ae55b0ec427c328fa74d683e00eb1bc99bcc20cd184177875e9b6865de2b8b 
 * http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2 
 ** GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2.asc 
 ** SHA256: 0d795597e4666dbf6ffe44b4a42f388ddb44736ddfab0b1ac091e5bb35212c2d 
 * http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz 
 ** GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz.asc 
 ** SHA256: c237692366935b19ef8a6a600b2f3c9b259a9c3107271594c081a45902bd9c9b 
 * SHA256 checksums: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.sha256sum 

 h1. Changes from 1.4.29 

 * Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331) 
 * Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems. 
 * [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled 
 * Add static-file.disable-pathinfo option to prevent handling of urls like .../secret.php/image.jpg as static file 
 * Don't overwrite 401 (auth required) with 501 (unknown method) (fixes #2341) 
 * Fix mod_status bug: always showed "0/0" in the "Read" column for uploads (fixes #2351) 
 * [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362) 
 * [ssl] count renegotiations to prevent client renegotiations 
 * [ssl] add option to honor server cipher order (fixes #2364, BEAST attack) 
 * [core] accept dots in ipv6 addresses in host header (fixes #2359) 
 * [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb) 
 * [libev/cgi] fix waitpid ECHILD errors in cgi with libev (fixes #2324) 

 h1. External references 

 * http://www.lighttpd.net/2011/12/18/1-4-30-faster-than-santa-your-first-present-this-year