1.4.30 - Faster than Santa, your first present this year!
December 18th, 2011
And lighttpd 1.4 is still alive :)
Especially for ssl users this release should be important: by setting ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" you can mitigate BEAST attacks.
Also check your site with Qualys SSL Labs Server Test
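The cipher list above only acts as a preference order when the server's order is the one that is honored, which is what the new option from this release's change list provides. The fragment below is an added example, not taken from the lighttpd project; the socket and the pemfile path are assumptions.

```conf
# Added example. Socket and certificate path are placeholders.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/example.org.pem"   # hypothetical path

    # Cipher preference from the announcement, read left to right:
    #   ECDHE-RSA-AES256-SHA384, AES256-SHA256
    #       CBC suites that exist only in TLS 1.2, which BEAST does not affect
    #   RC4-SHA, RC4
    #       stream cipher, so TLS 1.0 / SSL 3.0 clients avoid CBC entirely
    #   HIGH
    #       remaining strong suites as a last resort
    #   !MD5 !aNULL !EDH !AESGCM
    #       exclusions
    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

    # Without this the client's preference decides, and a TLS 1.0 client
    # that lists a CBC suite first would still get one.
    ssl.honor-cipher-order = "enable"

    # Set explicitly here: refuse renegotiations started by the client
    # ("ssl: disable client initiated renegotiations" in this release).
    ssl.disable-client-renegotiation = "enable"
}
```

This ordering reflects the 2011 trade-off between CBC under TLS 1.0 and RC4; RC4 cipher suites were later prohibited for TLS by RFC 7465, so the list should not be carried over to a current deployment unchanged.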
Important changes
- [mod_auth] Fix signedness error in http_auth (CVE-2011-4362)
- ssl: disable client initiated renegotiations
- ssl: support mitigating BEAST attack
- fix connection stalls
Downloads
- http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz
- GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz.asc
- SHA256: 59ae55b0ec427c328fa74d683e00eb1bc99bcc20cd184177875e9b6865de2b8b
- http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2
- GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2.asc
- SHA256: 0d795597e4666dbf6ffe44b4a42f388ddb44736ddfab0b1ac091e5bb35212c2d
- http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz
- GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz.asc
- SHA256: c237692366935b19ef8a6a600b2f3c9b259a9c3107271594c081a45902bd9c9b
- SHA256 checksums: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.sha256sum
In the comments for 1.4.29 we were asked for a Launchpad repository for Ubuntu. This is not going to happen (Launchpad sucks), but we have repositories for some dists on build.opensuse.org. Check out GetLighttpd, or server:http/lighttpd or home:stbuehler/lighttpd on build.opensuse.org.
Changes from 1.4.29
- Always use our ‘own’ md5 implementation, fixes linking issues on MacOS (fixes #2331)
- Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems.
- [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled
- Add static-file.disable-pathinfo option to prevent handling of urls like …/secret.php/image.jpg as static file
- Don’t overwrite 401 (auth required) with 501 (unknown method) (fixes #2341)
- Fix mod_status bug: always showed “0/0” in the “Read” column for uploads (fixes #2351)
- [mod_auth] Fix signedness error in http_auth (fixes #2370, CVE-2011-4362)
- [ssl] count renegotiations to prevent client renegotiations
- [ssl] add option to honor server cipher order (fixes #2364, BEAST attack)
- [core] accept dots in ipv6 addresses in host header (fixes #2359)
- [ssl] fix ssl connection aborts if files are larger than the MAX_WRITE_LIMIT (256kb)
- [libev/cgi] fix waitpid ECHILD errors in cgi with libev (fixes #2324)
December 18th, 2011 at 08:26 PM just a typo: the checksum for the .xz file shouldn't be the same as the one of the .bz2
December 19th, 2011 at 10:47 AM Nice present :-) Thank you.
December 19th, 2011 at 11:39 AM Advent, Advent, a server runs. First 1 point 4, then 3 and 0. With Apache the RAM would already be full... Merry Christmas!
December 20th, 2011 at 06:56 PM Release not functional in Centos 4 :(
December 29th, 2011 at 11:33 AM It's not smart not making the Launchpad thing. Your personal feelings about if this or that sucks shouldn't interfere with the spreading of your software.
January 10th, 2012 at 02:15 AM Hey, source-code only, no 'doze binary to be seen. That's one way to ensure the windows victims all appreciate what linux lovers have to go through to make applications actually run on their particular family/distribution/version/installation/foible-number of their OS. Neat move, to make the 'doze-heads have to compile a special executable for their installation, despite their installation having the same executable-file-structure, the same libraries, the same API calls, in fact the EXACT SAME environment as EVERY other 'doze installation.. Why on *earth* leave life simple for those who chose a universally compatible (admittedly brain-dead-sheeple herding) operating system? Why on earth leave it easy for them! Nice one ;-) Just happens to be a right pain in the bum when I want to download something I can install in half an hour a hundred miles from home on someone else's box though!! Buggered if I'm installing a compiler and pratting around making it all work, not when I can just stick the same terms back into the search engine and find (several dozen) someone(s) who can do it all for me. Greg Ham.
January 10th, 2012 at 08:52 PM @gpa: sry, centos 4... isn't that like from the stoneage? and "not functional" isn't gonna get it fixed. report the problem you're having, and perhaps we can do something about it. @ruben cardenal: launchpad is way too much work to use, this is why it sucks. why would i use it when there are better alternatives? build.opensuse.org builds debian and ubuntu packages too, so stop whining smartass. @gregory hamilton: well, we really don't care about windows users. be happy if it works at all.
January 14th, 2012 at 12:48 PM Gregory Hamilton: you could be right if all Windows environments were *really* exactly the same. They aren't. Installers' actions *seem* to be identical on different Windows versions; in fact, there is a lot of work behind them :)