1.4.67

September 17, 2022

Important changes

bugfixes

Future Scheduled Behavior Changes

TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using ssl.openssl.ssl-conf-cmd, as long as the ciphers are supported by the underlying TLS libraries.
https://wiki.lighttpd.net/Docs_SSL
- new defaults:
  - "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
  - "Options" => "-ServerPreference"
- old defaults:
  - "CipherString" => "HIGH"
  - "Options" => "ServerPreference"
Deprecated TLS options will be removed.
- ssl.honor-cipher-order
- ssl.dh-file
- ssl.ec-curve
- ssl.disable-client-renegotiation
- ssl.use-sslv2
- ssl.use-sslv3 See https://wiki.lighttpd.net/Docs_SSL for replacements with ssl.openssl.ssl-conf-cmd, but prefer lighttpd defaults instead.
Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.
Please post on lighttpd forums to share feedback if you use these modules.
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards
Deprecated: mod_evasive will be removed.
mod_evasive can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security
Deprecated: mod_secdownload will be removed.
mod_secdownload can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available
Deprecated: mod_uploadprogress will be removed.
mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress
Deprecated: mod_usertrack will be removed.
mod_usertrack can be replaced by mod_magnet and a few lines of lua:
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
mod_usertrack historically uses insecure MD5.

Downloads

lighttpd-1.4.67.tar.gz (GPG signature)
- SHA256: de3c783a0ec3459e7e36a5ef08e13482d8640b339570dd036dfd456a6f7bb312
lighttpd-1.4.67.tar.xz (GPG signature)
- SHA256: 7e04d767f51a8d824b32e2483ef2950982920d427d1272ef4667f49d6f89f358
SHA256 checksums
SHA512 checksums

Changes from 1.4.66

Update comment about TCP_INFO on OpenBSD
[mod_ajp13] fix crash with bad response headers (fixes #3170)
[core] handle RDHUP when collecting chunked body
[core] tweak streaming request body to backends
[core] handle ENOSPC with pwritev() (#3171)
[core] manually calculate off_t max (fixes #3171)
[autoconf] force large file support (#3171)
[multiple] quiet coverity warnings using casts
[meson] add license keyword to project declaration

Posted by gstrauss

Please note that we won't accept comments for posts older than 3 months! Also please use our bug tracker to reports bugs, and our irc channel #lighttpd@libera to chat.