Important changes

• security fixes
• bug fixes
• new module: mod_authn_pam
• support for wolfSSL

Downloads

• lighttpd-1.4.51.tar.gz (GPG signature)
  • SHA256: 4301fe64136c7030d63cccc96996c6603dcbe82cca9a72e0aca29ce88284c978
• lighttpd-1.4.51.tar.xz (GPG signature)
  • SHA256: 2af9fdb265d1f025bfa634e13770239712ecbd585e4975b8226edf1df74e9c82
• SHA256 checksums

Changes from 1.4.50

• [core] split parsing header line into separate function
• [core] explicitly return 0 instead of constant result
• [core] header parsing: use goto for error handling
• [core,security] process headers after combining folded headers
• [core] replace folding whitespace with a single space
• [buffer] fix duplicate assert and comment
• [core] redo HTTP header line folding
• [core] parse header line strings before copying
• [core] abstraction to insert/modify response hdrs
• [core] code reuse with array_insert_key_value()
• [core] simplify parsing hdr key whitespace then :
• [core] http_request_parse_reqline() separate func
• [core] abstraction layer for HTTP header manip
• [core] code reuse with http_response_body_clear()
• [mod_proxy] fix proxy.forwarded and proxy.replace-http-host (fixes #2902)
• [mod_rewrite] fix url.rewrite-repeat and url.rewrite-if-not-file (fixes #2908)
• [core] fastcgi.h link to Open Market License (OML) (fixes #2901)
• [mod_proxy,mod_wstunnel] copy full plugin_config (fixes #2903)
• [mod_fastcgi,mod_scgi] error on oversized request (fixes #2905)
• [mod_auth] send 401 for mismatch HTTP auth scheme (fixes #2906)
• [core] code reuse array_match_*() routines
• [mod_skeleton] review and simplify
• [multiple] code reuse: employ array_match_*()
• [doc] lighttpd.service uses network-online.target
• [mod_flv_streaming] code simplifications
• [mod_authn_pam] mod_auth PAM support (fixes #688)
• [mod_sockproxy] add to build
• [core] fix include_shell on inline shell commands (fixes #2910)
• [multiple] code reuse: using array_*() funcs
• [tests] t/test_array.c
• [core] array_get_int_ptr()
• [core] more memory-efficient fn table for data_*
• [tests] #undef NDEBUG before assert.h in t/test_*
• [core] inline status_counter routines
• [core] log_failed_assert() attribute((cold))
• [core] http_status_append()
• [core] http_method_append()
• [core] prefer buffer_append_string_len()
• [build] fix SCons build for mod_authn_pam
• [mod_userdir] security: skip username “.” and “..”
• [mod_deflate] null-check to quiet coverity warning
• [core] quiet coverity false positive
• [multiple] quiet compiler warnings —without-pcre
• [mod_secdownload] support if HMAC() is a macro
• [TLS] sys-crypto.h abstraction
• [TLS] sys-crypto.h abstraction
• [build] put request.c in common src
• [meson] build fixes for libmariadb and libsasl2
• [core] PATH_INFO calculation when basedir is “/” (fixes #2911)
• [core] better consistency in buffer_is_equal*()
• [core] fix missing param from prev commit
• [mod_openssl] no renegotiation in TLS 1.3 (fixes #2912)
• [core] reject Transfer-Encoding from proxy (#2913)
• [mod_auth] use SHA1_Init,Update,Final
• [mod_openssl] add support for wolfSSL
• [build] automake support for wolfSSL
• [build] SCons support for wolfSSL
• [build] meson support for wolfSSL
• [build] CMake support for wolfSSL
• [core] perf: buffer.c internal inlines
• [mod_openssl] wolfSSL does not support SSLv2
• [core] perf: buffer_string_append_len()
• [core] permit server.error_handler to static file