1.4.80

August 13, 2025

Important changes

  • detect and issue error trace for HTTP/2 MadeYouReset VU#767506 CVE-2025-8671

Highlights

  • detect and issue error trace for HTTP/2 MadeYouReset VU#767506 CVE-2025-8671
  • stricter HTTP request/response header, trailer, and chunked validation/parsing
  • support HTTP response trailers
  • support HTTP request trailers merge to headers (if not streaming request body)
  • bug fixes

BEHAVIOR CHANGES

  • extend TLS error log messages to include client addr if error caused by client (Please review TLS error string matching in log watchers)
  • extend TLS error log messages for HTTP/2 attack detection (Please review TLS error string matching in log watchers)
  • reject path info on static files by default (prior default allowed path info) (For prior behavior, configure static-file.disable-pathinfo = "disable")

Downloads

  • lighttpd-1.4.80.tar.gz (GPG signature)
    • SHA256: 30d5bbbcbeaf8e52a7bdde614248dd932d63753d87fed79307547312012b4c01
  • lighttpd-1.4.80.tar.xz (GPG signature)
    • SHA256: cc5f0f71e8b2ee6bad545d1e91dfc3f954716c9174e7b352c2147add44f25bf3
  • SHA256 checksums
  • SHA512 checksums

Changes from 1.4.79

  • [doc] move comments in systemd lighttpd.service
  • [doc] refresh INSTALL
  • [core] adjust malloc_top_pad after srv->srvconf.max_conns
  • [build] remove references to libev; no longer used
  • [multiple] stricter string init without trail '\0'
  • workaround unsupported PR_CAP_AMBIENT_CLEAR_ALL on Cloud Run
  • [TLS] 0-init plugin_ssl_ctx (fixes #3281)
  • [autotools] LIGHTTPD_STATIC in config.h if static build
  • [doc] systemd lighttpd.service SystemCallFilter
  • [core] reject stray \r in chunked headers
  • [tests] reject stray \r or \n in chunked headers
  • [core] http_chunk_decode_append_error()
  • [core] h1_chunked_400_bad_request()
  • [mod_webdav] log trace for EACCES on PUT
  • [build] check for C23 memset_explicit()
  • [mod_ssi] set tmp file length if ssi exec fails
  • [ci] set SHELL=/bin/sh for builds on alpine
  • [mod_openssl] avoid BoringSSL/AWS-LC compiler warn
  • [mod_openssl] AWS-LC limitations/compatibility (#3282)
  • [ci] use actions/cache@v3 to cache Cygwin install
  • [mod_openssl] use BoringSSL APIs w/ SSL_CREDENTIAL
  • [mod_boringssl] cp mod_openssl.c mod_boringssl.c
  • [build] build support for mod_boringssl
  • [mod_boringssl] rename plugin init func
  • [mod_boringssl] remove openssl/libressl code
  • [mod_openssl] remove code specific to boringssl
  • [mod_boringssl] ignore ssl.read-ahead
  • [mod_boringssl] TLS_with_buffers_method() optim
  • [mod_boringssl] init/enable CRYPTO_BUFFER_POOL
  • [mod_boringssl] use SSL_get0_peer_certificates()
  • [mod_boringssl] using AWS-LC does not build
  • [mod_boringssl] code reuse
  • [mod_boringssl] more CRYPTO_BUFFER code, less X509
  • [mod_boringssl] elide excess time() calls
  • [mod_boringssl] alt callbacks for client cert vfy
  • [mod_boringssl] remove verify_callback (replaced)
  • [ci] bump actions/cache from 3 to 4
  • [ci] add package for SCONS "fullstatic" build
  • [mod_boringssl] load CRLs into STACK_OF(X509_CRL)
  • [mod_openssl] revert commits; re-support AWS-LC
  • [mod_boringssl] skip BIO copy if pkey already DER
  • [mod_boringssl] shared code for parsing PEM files
  • [mod_boringssl] typo
  • [mod_boringssl] wipe tmp_buf used to decode pkey
  • [mod_boringssl] more generic pkey read from PEM
  • [mod_wolfssl] more generic pkey read from PEM
  • [mod_nss] more generic pkey read from PEM
  • [core] http_chunk_decode_append_* code reuse
  • [h2] h2_send_headers_hoff() to reduce stack use
  • [core] stricter validate of trailers from backends
  • [core] check Transfer-Encoding: chunked from backends
  • [core] remove deprecated Expect-CT from enum
  • [core] http_header_str_contains_token() comment
  • [core] http_request_field_check_value() code reuse
  • [core] http_request_field_check_name() code reuse
  • [core] stricter validation of backend response
  • [mod_magnet] stricter validation of request/response
  • [h2] fill in hoff[] for ":status: XXX\r\n\r\n"
  • [core] simplify hoff[] access when hoff[1] == 0
  • [core] check HTTP/1.x field block fully consumed
  • [core] unfold fields in http_header_parse_hoff()
  • [h2] stricter validation of HTTP/2 trailers
  • [core] validate BACKEND_PROXY headers end w/ CRLF
  • [core] strict validate request headers end w/ CRLF
  • [core] fix stat_cache inotify for files in rootdir
  • [core] merge request trailers into request headers
  • [mod_staticfile] reject pathinfo on static files
  • [mod_setenv] warn if setenv.* incl invalid chars
  • [tests] trailers
  • [mod_proxy] sketch out streaming and trailers
  • [mod_setenv] quiet coverity noise
  • [core] disable mmap for < QNX 8.0.0
  • [core] connections_pool_clear() unless in jobqueue
  • [ci] run apt-get update on github ubuntu workflows
  • [ci] explicit compiler install on github ubuntu workflows
  • [mod_openssl] build against ancient openssl libs
  • [TLS] SSL error handling improvements
  • [mod_openssl] update lib version EOL warning
  • [mod_openssl] workaround OpenSSL 3 SSL_sendfile bug
  • [mod_wolfssl] check for WOLFSSL_SHUTDOWN_NOT_DONE
  • [TLS] skip SSL_shutdown after non-recoverable error
  • [mod_wolfssl] handle additional wolfssl socket err
  • [mod_mbedtls] mbedtls 4.x removes MBEDTLS_DHM_C
  • [mod_mbedtls] mbedtls 4.x PSA crypto handles RNG
  • [mod_mbedtls] mbedtls 4.x removes RSA key exch
  • [mod_mbedtls] mbedtls 4.x curve_info,list private
  • [mod_mbedtls] mbedtls 4.x makes oid private
  • [doc] command line -f - to read config from stdin (fixes #3286)
  • [h2] attempt to detect HTTP/2 MadeYouReset DoS