Important changes

One important denial of service (in 1.4.31) fix: CVE-2012-5533.

Downloads

• http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.gz
  • GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.gz.asc
  • SHA256: 0765e07dac432393dea3950639d5ba646ded95a9408ad002e54b3353ab6b9645
• http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.bz2
  • GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.bz2.asc
  • SHA256: 60691b2dcf3ad2472c06b23d75eb0c164bf48a08a630ed3f308f61319104701f
• http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.xz
  • GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.xz.asc
  • SHA256: 1368f80069ce71f5928cad59c8e60c0b95876942ca9e02c53853e54ae24aedc1
• SHA256 checksums: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.sha256sum

External references

• CVE-2012-5533
  • lighttpd-SA-2012-01
  • lighttpd-1.4.31_fix_connection_header_dos.patch

Important changes

Many important changes – fixed a segfault (crash on first https request), disabled mmap due to possible crash if the file is truncated while reading and more.

If you still want to use mmap you can use ./configure --enable-mmap, but check #2391 before.

Downloads

• http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.gz
  • GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.gz.asc
  • SHA256: 848a15604bf358d9355bd7a48c01f448c286734dbb5f4dc1cd16acb8b05a9b52
• http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.bz2
  • GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.bz2.asc
  • SHA256: 5209e7a25d3044cb21b34d6a2bb3a6f6c216ba903ea486a803d070582e5e26ac
• http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.xz
  • GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.xz.asc
  • SHA256: 8a0a4f1ab782c2a3554e031c7d8ad600aac9b4c0466710a6cc9aab10659fe3f2
• SHA256 checksums: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.sha256sum

And lighttpd 1.4 is still alive :)

Especially for ssl users this release should be important: by setting

ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

you can mitigate BEAST attacks.
Also check your site with Qualys SSL Labs Server Test

Important changes

• [mod_auth] Fix signedness error in http_auth (CVE-2011-4362)
• ssl: disable client initiated renegotiations
• ssl: support mitigating BEAST attack
• fix connection stalls

Downloads

• http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz
  • GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz.asc
  • SHA256: 59ae55b0ec427c328fa74d683e00eb1bc99bcc20cd184177875e9b6865de2b8b
• http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2
  • GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2.asc
  • SHA256: 0d795597e4666dbf6ffe44b4a42f388ddb44736ddfab0b1ac091e5bb35212c2d
• http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz
  • GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz.asc
  • SHA256: c237692366935b19ef8a6a600b2f3c9b259a9c3107271594c081a45902bd9c9b
• SHA256 checksums: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.sha256sum

In the comments for 1.4.29 we were asked for a launchpad repository for ubuntu. This is not going to happen (launchpad sucks), but we have repositories for some dists on build.opensuse.org.
Checkout GetLighttpd, or server:http/lighttpd or home:stbuehler/lighttpd on build.opensuse.org.