Release Info

  • Version: 1.4.76
  • Previous version: 1.4.75
  • Branch: 1.4
  • Status: stable
  • Release purpose: bug fixes
  • Release manager: gstrauss
  • Release date: 2024-04-12

Important changes from 1.4.75

Detect VU#421644 HTTP/2 CONTINUATION Flood, avoid the CVE-2024-3094 xz supply chain attack, bug fixes

  • detect VU#421644 HTTP/2 CONTINUATION Flood
    • log a trace message and send GOAWAY
    • (lighttpd is not vulnerable to the attack)
  • avoid the CVE-2024-3094 xz supply chain attack
    • use 'git archive' instead of 'make dist' to create release tarballs
      • removes excess complexity (m4 and autotools) from the release process
      • it is now more easily verifiable that sources come from the signed git release tag

FUTURE SCHEDULED BEHAVIOR CHANGES: (2025)

  • lighttpd TLS defaults will change to MinProtocol TLSv1.3
    Other configurations will still be supported, but will not be the default.
    Proposed default: MinProtocol TLSv1.3
    Current default: MinProtocol TLSv1.2
  • server.error-handler-404 will operate only on 404
    (historical error: server.error-handler-404 operated on both 404 and 403)
    Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available
    to produce dynamic error pages for 4xx and 5xx responses.
    Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to
    is an additional, high-performance mechanism to produce dynamic error pages.
    https://wiki.lighttpd.net/mod_magnet
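An added configuration example (not from the release notes or the lighttpd project) that pins both of the settings above explicitly, so a deployment behaves the same before and after the scheduled 2025 default changes; the socket, file paths and error-page script are assumptions.

```lighttpd
# Added example, not lighttpd project configuration.
# Pin the TLS minimum and the error-handler routing explicitly so that the
# defaults scheduled to change in 2025 do not alter behaviour silently.
# The socket and all file paths below are assumptions.

server.modules += ( "mod_openssl" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/example.pem"   # assumed path
    ssl.privkey = "/etc/lighttpd/example.key"   # assumed path

    # Current default is MinProtocol TLSv1.2; the proposed 2025 default is
    # TLSv1.3.  Setting it explicitly fixes the behaviour either way.
    # Use "TLSv1.2" here only if clients that cannot speak TLS 1.3 must
    # still be served; then plan the move to TLSv1.3 before the default flips.
    ssl.openssl.ssl-conf-cmd = ( "MinProtocol" => "TLSv1.3" )
}

# Historically server.error-handler-404 also fired on 403; after the
# scheduled change it fires on 404 only.  server.error-handler (available
# since 1.4.40) covers 4xx and 5xx responses, so route error pages through
# it rather than relying on the old 403 side effect of error-handler-404.
server.error-handler = "/error.php"             # assumed dynamic error page

# Alternative (since 1.4.56): a mod_magnet Lua hook at response start,
# documented at https://wiki.lighttpd.net/mod_magnet
# server.modules += ( "mod_magnet" )
# magnet.attract-response-start-to = ( "/etc/lighttpd/errors.lua" )  # assumed
```

Check the effective settings with `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` (the config path is an assumption) before reloading.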

Changes from 1.4.75

  • [core] add default to builtin mimetype.assign
  • [core] add MPTCP support
  • [core] disable MPTCP support by default
  • [mod_expire] omit caching hdrs for 204 No Content
  • [mod_staticfile] noinline cold func
  • [core] GNU/Hurd preadv2() RWF_NOWAIT ENOTSUP
  • [core] special value for Linux POLLRDHUP on SPARC
  • [mod_openssl] define asn1 time w/ OPENSSL_NO_OCSP
  • [h2] VU#421644 HTTP/2 CONTINUATION Flood
  • [build] packdist.sh git archive; replace make dist
  • [core] gw_network_backend_write_error() cold func
  • [core] reduce syscalls in some backend connect
  • [core] defer TCP_FIN propagate if connect()ing (fixes #3249)
  • [ci] workaround some packaging issues in NetBSD 10

Updated by gstrauss 8 months ago · 1 revision