April 12, 2024

Important changes

detect VU#421644 HTTP/2 CONTINUATION Flood, avoid CVE-2024-3094 xz supply chain attack, bug fixes

  • detect VU#421644 HTTP/2 CONTINUATION Flood
    • issue trace and send GO_AWAY
    • (lighttpd not vulnerable to attack)
  • avoid CVE-2024-3094 xz supply chain attack
    • use ‘git archive’ to replace ‘make dist’ to create release tarballs
      • remove excess complexity (m4 and autotools) from release process
      • now more easily verifiable that sources come from signed git release tag
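
The check that 'git archive' releases make possible, as an added example (not lighttpd's own tooling): compare the files in a downloaded release tarball against an archive you generated yourself with 'git archive --prefix=<name>/ <release-tag>' after 'git verify-tag <release-tag>' succeeded. The function names and the sample trees below are assumptions constructed for illustration, and both archives are assumed to unpack into a single top-level directory.

```python
import hashlib
import io
import tarfile


def manifest(tar_bytes):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories and links carry no file content
            # Assumption: both archives unpack into one top-level directory.
            rel_path = member.name.split("/", 1)[-1]
            data = tar.extractfile(member).read()
            digests[rel_path] = hashlib.sha256(data).hexdigest()
    return digests


def diff_archives(release_bytes, reference_bytes):
    """Report files that differ between a release tarball and a git archive."""
    rel, ref = manifest(release_bytes), manifest(reference_bytes)
    return {
        "only_in_release": sorted(set(rel) - set(ref)),
        "only_in_reference": sorted(set(ref) - set(rel)),
        "changed": sorted(p for p in set(rel) & set(ref) if rel[p] != ref[p]),
    }


def make_tar(prefix, files, mode="w:"):
    """Build a small constructed tarball in memory for the demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data, not real lighttpd sources.
TREE = {"configure.ac": b"AC_INIT([demo])\n", "src/server.c": b"int main(void){return 0;}\n"}
REFERENCE = make_tar("demo-1.0", TREE)             # stands in for git archive output
SAME_RELEASE = make_tar("demo-1.0", TREE, "w:gz")  # same files, different compression
ALTERED_RELEASE = make_tar("demo-1.0", {**TREE, "configure.ac": b"AC_INIT([demo2])\n",
                                        "m4/extra.m4": b"dnl not in git\n"}, "w:gz")

if __name__ == "__main__":
    print(diff_archives(SAME_RELEASE, REFERENCE))
    print(diff_archives(ALTERED_RELEASE, REFERENCE))
```

Comparing per-file digests rather than whole-archive hashes keeps the check independent of compression settings; any entry under only_in_release or changed is content that did not come from the signed tag.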


  • lighttpd TLS defaults will change to MinProtocol TLSv1.3. Other configurations will still be supported, but will not be the default.
    • Proposed default: MinProtocol TLSv1.3
    • Current default: MinProtocol TLSv1.2
  • server.error-handler-404 will operate only on 404 (historical error: server.error-handler-404 operated on both 404 and 403)
    • Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available to produce dynamic error pages for 4xx and 5xx responses.
    • Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to is an additional, high-performance mechanism to produce dynamic error pages. https://wiki.lighttpd.net/mod_magnet


  • lighttpd-1.4.76.tar.gz (GPG signature)
    • SHA256: ba14a030889518194fd88b33e419d51cc38c8fe917126d5a7a965be79b53e995
  • lighttpd-1.4.76.tar.xz (GPG signature)
    • SHA256: 8cbf4296e373cfd0cedfe9d978760b5b05c58fdc4048b4e2bcaf0a61ac8f5011
  • SHA256 checksums
  • SHA512 checksums

Changes from 1.4.75

  • [core] add default to builtin mimetype.assign
  • [core] add MPTCP support
  • [core] disable MPTCP support by default
  • [mod_expire] omit caching hdrs for 204 No Content
  • [mod_staticfile] noinline cold func
  • [core] GNU/Hurd preadv2() RWF_NOWAIT ENOTSUP
  • [core] special value for Linux POLLRDHUP on SPARC
  • [mod_openssl] define asn1 time w/ OPENSSL_NO_OCSP
  • [h2] VU#421644 HTTP/2 CONTINUATION Flood
  • [build] packdist.sh git archive; replace make dist
  • [core] gw_network_backend_write_error() cold func
  • [core] reduce syscalls in some backend connect
  • [core] defer TCP_FIN propagate if connect()ing (fixes #3249)
  • [ci] workaround some packaging issues in NetBSD 10