Release Info¶

• Version: 1.4.61
• Previous version: 1.4.60
• Branch: 1.4
• Status: stable
• Release Purpose: bug fixes
• Release manager: gstrauss
• Released date: 2021-10-28

Important changes from 1.4.60¶

bugfixes

Downloads¶

• https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.61.tar.gz
  • GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.61.tar.gz.asc
  • SHA256: 7697a4eb517ff7e438b148552c4ddbcc4c3fe79d8b79c3200441edc58787abb0
• https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.61.tar.xz
  • GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.61.tar.xz.asc
  • SHA256: 43f0d63d04a1b7c5b8aab07e0612e44ccad0afc0614bab784c5b019872363432
• SHA256 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.61.sha256sum

Future Scheduled Behavior Changes (estimated early 2022)¶

• graceful restart/shutdown default timeout will change from
  0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)
  configure an alternative with:
  server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
• lighttpd (optional) dependencies on libev and on FAM are deprecated.
  lighttpd event loop and file monitoring use native OS interfaces
  except on obscure platforms. FAM and gamin appear to be abandoned.
  Package maintainers on Linux and *BSD:
  please remove --with-libev and --with-fam from package builds
  lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.
  lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.

https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated

• mod_compress is DEPRECATED; use mod_deflate
  mod_compress has been subsumed by mod_deflate
  Note: mod_compress config options may be removed in a future release
• mod_geoip is DEPRECATED; use mod_maxminddb
  Note: mod_geoip will be removed from a future lighttpd release
• mod_authn_mysql is DEPRECATED; use mod_authn_dbi
  Note: mod_authn_mysql will be removed from a future lighttpd release
• mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql
  Note: mod_mysql_vhost will be removed from a future lighttpd release
• mod_cml is DEPRECATED; use mod_magnet
  Note: mod_cml will be removed from a future lighttpd release
• mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))
  (Note: can be replaced with a few lines of lua code and mod_magnet)
  (sample script flv-streaming.lua is posted at
  https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )
  Adobe Flash is deprecated and support has been removed from modern clients

Changes from 1.4.60¶

• [core] define __BEGIN_DECLS, __END_DECLS if needed
• [core] Y2038: error log high-precision timestamps
• [multiple] attribute_nonnull now takes params
• [core] bounds check while url-decoding
• [mod_magnet] prefer lua_newuserdatauv() w/ lua 5.4
• [core] earlier macOS need define for errno_t (fixes #3107)
• [tests] force POSIX::WNOHANG autovivification (fixes #3110)
• [mod_dirlisting] sort "../" to top (fixes #3109)
• [tests] force Fcntl::F_SETFD() autovivification (#3110)
• [core] avoid repeated typedef for fdlog_st
• [doc] update INSTALL
• [mod_extforward] keep remote IP thru request reset
• [core] fix HTTP/2 upload > 64k w/ max-request-size (fixes #3108)
• [mod_auth] fix Basic auth passwd cache (fixes #3112)
• [mod_ajp13,mod_fastcgi] comment: no response body
• [mod_webdav] ignore PROPFIND Depth for files
• [core] add comment to ck_memeq_const_time()
• [core] accept up to 5 digit port num in host cond
• [core] expose chunkqueue_remove_empty_chunks()
• [core] short-circuit if response body recv w/ hdrs (fixes #3111)
• [core] resched HTTP/2 streams w/ pending data (#3111)
• [core] separate func for gw_authorizer_ok()
• [core] make ck_memeq_const_time() more generic (#3112)
• [mod_auth] revert adjustment to auth passwd cache (#3112)
• [core] thwart h2c smuggling when Upgrade enabled
• [core] separate funcs to check for valid chars
• [core] thwart h2 request tunnelling
• [core] clear shared log buffer after writes
• [mod_nss] quiet trace for PR_END_OF_FILE_ERROR
• [core] allow debug.log-state-handling in condition
• [core] combine more dup header processing code
• [mod_ajp13,mod_fastcgi] check resp w/ content len
• [mod_proxy] Length Req if proxy forcing HTTP/1.0
• [core] restart dead proc on connect error if local
• [mod_ajp13,mod_fastcgi] recv_parse smaller funcs
• [multiple] warn deprecated mods slated for removal
• [core] remove redundant checks in same context
• [core] tighten chunkqueue_steal* code; better asm
• [build] check for preadv(), pwritev()
• [core] pwritev w/ chunkqueue_steal_with_tempfiles
• [core] tighten chunkqueue_mark_written; better asm
• [doc] uncomment mod_auth load in conf.d/auth.conf
• [core] tighten chunkqueue_small_resp_optim()
• [core] chunkqueue_small_resp_optim if resp < 16k
• [mod_auth] clear crypt() output if len >= 13
• [multiple] add assert after malloc in two spots
• [core] add HTTP/2 check resp finished w/ empty cq (#3111)
• [core] chunkqueue_small_resp_optim() comment

External references¶

• https://www.lighttpd.net/2021/10/28/1.4.61