1.4.32

November 21, 2012

Important changes

One important fix for a denial of service (in 1.4.31): CVE-2012-5533.

Downloads

External references

Important changes

Many important changes – fixed a segfault (crash on first https request), disabled mmap due to possible crash if the file is truncated while reading and more.

If you still want to use mmap you can use ./configure --enable-mmap, but check #2391 first.

Downloads

And lighttpd 1.4 is still alive :)

Especially for ssl users this release should be important: by setting

ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

you can mitigate BEAST attacks.
Also check your site with the Qualys SSL Labs Server Test.
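
Why the order of that cipher list matters, as an added example that is not lighttpd's own code: BEAST targets CBC suites under SSL 3.0/TLS 1.0, so the list puts TLS 1.2-only suites first and RC4 ahead of HIGH. The name-based classification and the CBC_FIRST string are assumptions made for illustration, and the check presumes the server enforces its own preference order.

```python
# Added example: ordering check for an OpenSSL-style cipher string.
# Classifying selectors by name is a simplifying assumption; it is not
# OpenSSL's real expansion of aliases such as HIGH.

PAGE_LIST = ("ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:"
             "!MD5:!aNULL:!EDH:!AESGCM")      # the value quoted on this page
CBC_FIRST = "HIGH:RC4-SHA:!MD5:!aNULL"        # constructed counter-example


def parse(cipher_list):
    """Split the string into (ordered selectors, '!' excluded keywords)."""
    selectors, excluded = [], set()
    for tok in filter(None, (t.strip() for t in cipher_list.split(":"))):
        if tok[0] == "!":
            excluded.add(tok[1:])
        elif tok[0] not in "+-":              # reordering operators not modelled
            selectors.append(tok)
    return selectors, excluded


def classify(selector):
    """Return 'tls12-only', 'rc4' or 'cbc-possible' for one selector."""
    parts = selector.split("-")
    if parts[-1] in ("SHA256", "SHA384") or "GCM" in selector:
        return "tls12-only"                   # SHA-2 MAC and GCM suites need TLS 1.2
    if "RC4" in parts:
        return "rc4"
    return "cbc-possible"                     # e.g. AES256-SHA, or an alias like HIGH


def first_legacy_choice(cipher_list):
    """First selector an SSL 3.0 / TLS 1.0 client could be given."""
    selectors, excluded = parse(cipher_list)
    for sel in selectors:
        if excluded & set(sel.split("-")):
            continue                          # removed by a !KEYWORD entry
        kind = classify(sel)
        if kind != "tls12-only":
            return sel, kind
    return None, None


def prefers_rc4_for_legacy(cipher_list):
    """True when a legacy client reaches RC4 before any CBC-capable selector."""
    return first_legacy_choice(cipher_list)[1] == "rc4"


if __name__ == "__main__":
    for name, value in (("page", PAGE_LIST), ("constructed", CBC_FIRST)):
        print(name, first_legacy_choice(value), prefers_rc4_for_legacy(value))
```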

Important changes

  • [mod_auth] Fix signedness error in http_auth (CVE-2011-4362)
  • ssl: disable client initiated renegotiations
  • ssl: support mitigating BEAST attack
  • fix connection stalls

Downloads

In the comments for 1.4.29 we were asked for a Launchpad repository for Ubuntu. This is not going to happen (Launchpad sucks), but we have repositories for some dists on build.opensuse.org.
Check out GetLighttpd, or server:http/lighttpd or home:stbuehler/lighttpd on build.opensuse.org.