Release Info¶

• Version: 1.4.76
• Previous version: 1.4.75
• Branch: 1.4
• Status: stable
• Release Purpose: bug fixes
• Release manager: gstrauss
• Released date: 2024-04-12

Important changes from 1.4.75¶

detect VU#421644 HTTP/2 CONTINUATION Flood, avoid CVE-2024-3094 xz supply chain attack, bug fixes

• detect VU#421644 HTTP/2 CONTINUATION Flood
  • issue trace and send GO_AWAY
  • (lighttpd not vulnerable to attack)

• avoid CVE-2024-3094 xz supply chain attack
  • use 'git archive' to replace 'make dist' to create release tarballs
    • remove excess complexity (m4 and autotools) from release process
    • now more easily verifiable that sources come from signed git release tag

FUTURE SCHEDULED BEHAVIOR CHANGES: (2025)¶

• lighttpd TLS defaults will change to MinProtocol TLSv1.3
  Other configurations will still be supported, but will not be the default.
  Proposed default: MinProtocol TLSv1.3
  Current default: MinProtocol TLSv1.2
• server.error-handler-404 will operate only on 404
  (historical error: server.error-handler-404 operated on both 404 and 403)
  Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available
  to produce dynamic error pages for 4xx and 5xx responses.
  Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to
  is an additional, high performance mechanism to produce dynamic error pages.
  https://wiki.lighttpd.net/mod_magnet

Downloads¶

• https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.76.tar.gz
  • GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.76.tar.gz.asc
  • SHA256: ba14a030889518194fd88b33e419d51cc38c8fe917126d5a7a965be79b53e995
• https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.76.tar.xz
  • GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.76.tar.xz.asc
  • SHA256: 8cbf4296e373cfd0cedfe9d978760b5b05c58fdc4048b4e2bcaf0a61ac8f5011
• SHA256 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.76.sha256sum
• SHA512 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.76.sha512sum

Changes from 1.4.75¶

• [core] add default to builtin mimetype.assign
• [core] add MPTCP support
• [core] disable MPTCP support by default
• [mod_expire] omit caching hdrs for 204 No Content
• [mod_staticfile] noinline cold func
• [core] GNU/Hurd preadv2() RWF_NOWAIT ENOTSUP
• [core] special value for Linux POLLRDHUP on SPARC
• [mod_openssl] define asn1 time w/ OPENSSL_NO_OCSP
• [h2] VU#421644 HTTP/2 CONTINUATION Flood
• [build] packdist.sh git archive; replace make dist
• [core] gw_network_backend_write_error() cold func
• [core] reduce syscalls in some backend connect
• [core] defer TCP_FIN propagate if connect()ing (fixes #3249)
• [ci] workaround some packaging issues in NetBSD 10

External references¶

• https://www.lighttpd.net/2024/4/12/1.4.76