lighttpd - Hometag:www.lighttpd.net,2012:mephisto/Mephisto Drax2011-12-20T00:28:37Zstbuehlertag:www.lighttpd.net,2011-12-18:13522011-12-18T15:59:00Z2011-12-20T00:28:37Z1.4.30 - Faster than santa, your first present this year!<p>And lighttpd 1.4 is still alive :)</p>
Especially for ssl users this release should be important: by setting
<pre>ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"</pre>
you can mitigate <a href="http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html"><span class="caps">BEAST</span></a> attacks.<br>
Also check your site with <a href="https://www.ssllabs.com/ssldb/analyze.html">Qualys <span class="caps">SSL</span> Labs Server Test</a><br><br>
<h2>Important changes</h2>
<ul>
<li>[mod_auth] Fix signedness error in http_auth (CVE-2011-4362)</li>
<li>ssl: disable client initiated renegotiations</li>
<li>ssl: support mitigating <span class="caps">BEAST</span> attack</li>
<li>fix connection stalls</li>
</ul>
<h1>Downloads</h1>
<ul>
<li><a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz</a>
<ul>
<li><span class="caps">GPG</span> signature: <a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz.asc">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz.asc</a></li>
<li><span class="caps">SHA256</span>: 59ae55b0ec427c328fa74d683e00eb1bc99bcc20cd184177875e9b6865de2b8b</li>
</ul>
</li>
<li><a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2</a>
<ul>
<li><span class="caps">GPG</span> signature: <a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2.asc">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2.asc</a></li>
<li><span class="caps">SHA256</span>: 0d795597e4666dbf6ffe44b4a42f388ddb44736ddfab0b1ac091e5bb35212c2d</li>
</ul>
</li>
<li><a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz</a>
<ul>
<li><span class="caps">GPG</span> signature: <a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz.asc">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz.asc</a></li>
<li><span class="caps">SHA256</span>: c237692366935b19ef8a6a600b2f3c9b259a9c3107271594c081a45902bd9c9b</li>
</ul>
</li>
<li><span class="caps">SHA256</span> checksums: <a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.sha256sum">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.sha256sum</a></li>
</ul>
<p>In the comments for 1.4.29 we were asked for a launchpad repository for ubuntu. This is not going to happen (launchpad sucks), but we have repositories for some dists on <a href="https://build.opensuse.org/">build.opensuse.org</a>.
Checkout <a href="http://redmine.lighttpd.net/projects/lighttpd/wiki/GetLighttpd">GetLighttpd</a>, or <a href="https://build.opensuse.org/package/show?package=lighttpd&project=server%3Ahttp">server:http/lighttpd</a> or <a href="https://build.opensuse.org/package/show?package=lighttpd&project=home%3Astbuehler">home:stbuehler/lighttpd</a> on <a href="https://build.opensuse.org/">build.opensuse.org</a>.</p>
<p>And lighttpd 1.4 is still alive :)</p>
Especially for ssl users this release should be important: by setting
<pre>ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"</pre>
you can mitigate <a href="http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html"><span class="caps">BEAST</span></a> attacks.<br>
Also check your site with <a href="https://www.ssllabs.com/ssldb/analyze.html">Qualys <span class="caps">SSL</span> Labs Server Test</a><br><br>
<h2>Important changes</h2>
<ul>
<li>[mod_auth] Fix signedness error in http_auth (CVE-2011-4362)</li>
<li>ssl: disable client initiated renegotiations</li>
<li>ssl: support mitigating <span class="caps">BEAST</span> attack</li>
<li>fix connection stalls</li>
</ul>
<h1>Downloads</h1>
<ul>
<li><a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz</a>
<ul>
<li><span class="caps">GPG</span> signature: <a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz.asc">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz.asc</a></li>
<li><span class="caps">SHA256</span>: 59ae55b0ec427c328fa74d683e00eb1bc99bcc20cd184177875e9b6865de2b8b</li>
</ul>
</li>
<li><a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2</a>
<ul>
<li><span class="caps">GPG</span> signature: <a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2.asc">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2.asc</a></li>
<li><span class="caps">SHA256</span>: 0d795597e4666dbf6ffe44b4a42f388ddb44736ddfab0b1ac091e5bb35212c2d</li>
</ul>
</li>
<li><a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz</a>
<ul>
<li><span class="caps">GPG</span> signature: <a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz.asc">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz.asc</a></li>
<li><span class="caps">SHA256</span>: c237692366935b19ef8a6a600b2f3c9b259a9c3107271594c081a45902bd9c9b</li>
</ul>
</li>
<li><span class="caps">SHA256</span> checksums: <a href="http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.sha256sum">http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.sha256sum</a></li>
</ul>
<p>In the comments for 1.4.29 we were asked for a launchpad repository for ubuntu. This is not going to happen (launchpad sucks), but we have repositories for some dists on <a href="https://build.opensuse.org/">build.opensuse.org</a>.
Checkout <a href="http://redmine.lighttpd.net/projects/lighttpd/wiki/GetLighttpd">GetLighttpd</a>, or <a href="https://build.opensuse.org/package/show?package=lighttpd&project=server%3Ahttp">server:http/lighttpd</a> or <a href="https://build.opensuse.org/package/show?package=lighttpd&project=home%3Astbuehler">home:stbuehler/lighttpd</a> on <a href="https://build.opensuse.org/">build.opensuse.org</a>.</p>
<h1>Changes from 1.4.29</h1>
<ul>
<li>Always use our ‘own’ md5 implementation, fixes linking issues on MacOS (fixes <a href="http://redmine.lighttpd.net/issues/show/2331">#2331</a>)</li>
<li>Limit amount of bytes we send in one go; fixes stalling in one connection and timeouts on slow systems.</li>
<li>[ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled</li>
<li>Add static-file.disable-pathinfo option to prevent handling of urls like …/secret.php/image.jpg as static file</li>
<li>Don’t overwrite 401 (auth required) with 501 (unknown method) (fixes <a href="http://redmine.lighttpd.net/issues/show/2341">#2341</a>)</li>
<li>Fix mod_status bug: always showed “0/0” in the “Read” column for uploads (fixes <a href="http://redmine.lighttpd.net/issues/show/2351">#2351</a>)</li>
<li>[mod_auth] Fix signedness error in http_auth (fixes <a href="http://redmine.lighttpd.net/issues/show/2370">#2370</a>, <span class="caps">CVE</span>-2011-4362)</li>
<li>[ssl] count renegotiations to prevent client renegotiations</li>
<li>[ssl] add option to honor server cipher order (fixes <a href="http://redmine.lighttpd.net/issues/show/2364">#2364</a>, <span class="caps">BEAST</span> attack)</li>
<li>[core] accept dots in ipv6 addresses in host header (fixes <a href="http://redmine.lighttpd.net/issues/show/2359">#2359</a>)</li>
<li>[ssl] fix ssl connection aborts if files are larger than the <span class="caps">MAX</span>_WRITE_LIMIT (256kb)</li>
<li>[libev/cgi] fix waitpid <span class="caps">ECHILD</span> errors in cgi with libev (fixes <a href="http://redmine.lighttpd.net/issues/show/2324">#2324</a>)</li>
</ul>