Actions
Release Info¶
- Version: 1.4.76
- Previous version: 1.4.75
- Branch: 1.4
- Status: stable
- Release Purpose: bug fixes
- Release manager: gstrauss
- Released date: 2024-04-12
Important changes from 1.4.75¶
detect VU#421644 HTTP/2 CONTINUATION Flood, avoid CVE-2024-3094 xz supply chain attack, bug fixes
- detect VU#421644 HTTP/2 CONTINUATION Flood
- issue trace and send GO_AWAY
- (lighttpd not vulnerable to attack)
- avoid CVE-2024-3094 xz supply chain attack
- use 'git archive' to replace 'make dist' to create release tarballs
- remove excess complexity (m4 and autotools) from release process
- now more easily verifiable that sources come from signed git release tag
- use 'git archive' to replace 'make dist' to create release tarballs
FUTURE SCHEDULED BEHAVIOR CHANGES: (2025)¶
- lighttpd TLS defaults will change to MinProtocol TLSv1.3
Other configurations will still be supported, but will not be the default.
Proposed default: MinProtocol TLSv1.3
Current default: MinProtocol TLSv1.2 - server.error-handler-404 will operate only on 404
(historical error: server.error-handler-404 operated on both 404 and 403)
Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available
to produce dynamic error pages for 4xx and 5xx responses.
Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to
is an additional, high performance mechanism to produce dynamic error pages.
https://wiki.lighttpd.net/mod_magnet
Downloads¶
- https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.76.tar.gz
- GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.76.tar.gz.asc
- SHA256:
ba14a030889518194fd88b33e419d51cc38c8fe917126d5a7a965be79b53e995
- https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.76.tar.xz
- GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.76.tar.xz.asc
- SHA256:
8cbf4296e373cfd0cedfe9d978760b5b05c58fdc4048b4e2bcaf0a61ac8f5011
- SHA256 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.76.sha256sum
- SHA512 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.76.sha512sum
Changes from 1.4.75¶
- [core] add default to builtin mimetype.assign
- [core] add MPTCP support
- [core] disable MPTCP support by default
- [mod_expire] omit caching hdrs for 204 No Content
- [mod_staticfile] noinline cold func
- [core] GNU/Hurd preadv2() RWF_NOWAIT ENOTSUP
- [core] special value for Linux POLLRDHUP on SPARC
- [mod_openssl] define asn1 time w/ OPENSSL_NO_OCSP
- [h2] VU#421644 HTTP/2 CONTINUATION Flood
- [build] packdist.sh git archive; replace make dist
- [core] gw_network_backend_write_error() cold func
- [core] reduce syscalls in some backend connect
- [core] defer TCP_FIN propagate if connect()ing (fixes #3249)
- [ci] workaround some packaging issues in NetBSD 10
External references¶
Updated by gstrauss 8 months ago · 1 revisions