Actions
Release Info¶
- Version: 1.4.66
- Previous version: 1.4.65
- Branch: 1.4
- Status: stable
- Release Purpose: bug fixes
- Release manager: gstrauss
- Released date: 2022-08-07
Important changes from 1.4.65¶
bugfixes
Future Scheduled Behavior Changes¶
- TLS modules will default to using stronger, modern ciphers and
will default to allow client preference in selecting ciphers.
Allowing client preference in selecting ciphers is safe to do along
with restrictions to use modern ciphers supporting PFS, and is
better for mobile users without AES hardware acceleration.
Legacy ciphers can still be configured in lighttpd.conf using
`ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by
the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
new defaults:
"CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384",
"Options" => "-ServerPreference"
old defaults:
"CipherString" => "HIGH",
"Options" => "ServerPreference"
- Deprecated TLS options will be removed.
- ssl.honor-cipher-order
- ssl.dh-file
- ssl.ec-curve
- ssl.disable-client-renegotiation
- ssl.use-sslv2
- ssl.use-sslv3
See https://wiki.lighttpd.net/Docs_SSL for replacements with
`ssl.openssl.ssl-conf-cmd`, but prefer lighttpd defaults instead.
- Continue gradual deprecation of "mini-application" lighttpd modules
for which mod_magnet lua implementations are better and more flexible.
Please post on lighttpd forums to share feedback if you use these modules.
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
- Deprecated: mod_evasive will be removed.
mod_evasive can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
- Deprecated: mod_secdownload will be removed.
mod_secdownload can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available
- Deprecated: mod_uploadprogress will be removed.
mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
- Deprecated: mod_usertrack will be removed.
mod_usertrack can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
mod_usertrack historically uses insecure MD5.
Downloads¶
- https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.gz
- GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.gz.asc
- SHA256:
d919c3f9031e2580b94b311a3749eaa1e3b4a6a57b2d5c4cbcad40c0a73a7200
- https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.xz
- GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.xz.asc
- SHA256:
47ac6e60271aa0196e65472d02d019556dc7c6d09df3b65df2c1ab6866348e3b
- SHA256 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.sha256sum
- SHA512 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.sha512sum
Changes from 1.4.65¶
- [core] h2: optim: send window update in 16k units
- [mod_magnet] reset for http-response-send-file
- [multiple] fix json encoding
- [core] buffer_append_bs_escaped_json()
- [autoconf] update ax_prog_cc_for_build.m4
- [doc] add libdeflate to INSTALL
- [mod_webdav] cold func if xml reqbody w/o db conf
- [mod_webdav] check reqbody Content-Type is XML
- [doc] more consistent use of vars in examples
- [core] do not load indexfile, dirlisting if unused
- [mod_dirlisting] send ETag, Cache-Control w/ cache
- [mod_openssl] compile compat w/ openssl < 1.1.0
- [mod_webdav] webdav_reqbody_type_xml() fixes
- [core] clarify server.username = "root" error msg
- [mod_wolfssl] compat with older wolfssl versions
- [core] fix li_base64_dec() on whitespace
- [core] perf tweak buffer_eq_icase_ssn()
- [mod_deflate] fix use of libdeflate for files>128k (fixes #3161)
- [core] fix buffer_substr_replace() extend (fixes #3160)
- [mod_webdav] build with Android NDK
- [core] check r->http_status before handling Range
- [core] preprocessor option to force crypto lib
- [core] fix SIGUSR1 graceful restart w/ TLS (fixes #3164)
- [mod_authn_gssapi] warn if no confidentiality flag (fixes #3163)
- [mod_wstunnel] fix crash with bad hybivers (fixes #3165)
- [core] perf: adjust max h2 stream send increment
- [core] fix HTTP/2 downloads >= 4GiB (fixes #3166)
External references¶
Updated by gstrauss about 2 years ago · 1 revisions