
2024

1.4.76

Important changes

detect VU#421644 HTTP/2 CONTINUATION Flood, avoid CVE-2024-3094 xz supply chain attack, bug fixes

  • detect VU#421644 HTTP/2 CONTINUATION Flood

    • issue trace and send GO_AWAY
    • (lighttpd not vulnerable to attack)
  • avoid CVE-2024-3094 xz supply chain attack

    • use ‘git archive’ to replace ‘make dist’ to create release tarballs
      • remove excess complexity (m4 and autotools) from release process
      • now more easily verifiable that sources come from signed git release tag
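The CONTINUATION Flood detection named above, reconstructed as an added example in Python. This is not lighttpd's code: it parses a sequence of HTTP/2 frames, tracks a header block that a HEADERS frame opened without END_HEADERS, and once the accumulated fragment bytes or the number of CONTINUATION frames exceeds a limit it returns a GOAWAY frame (ENHANCE_YOUR_CALM) for the server to send, which is the response the release note describes. The byte limits, the sample traffic and the absence of HPACK decoding are all assumptions made for illustration.

```python
import struct

# HTTP/2 frame types and flags (RFC 9113)
FRAME_DATA = 0x0
FRAME_HEADERS = 0x1
FRAME_GOAWAY = 0x7
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4

# GOAWAY error codes
ERR_PROTOCOL_ERROR = 0x1
ERR_ENHANCE_YOUR_CALM = 0xB

FRAME_HEADER_LEN = 9


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    length = len(payload).to_bytes(3, "big")
    return length + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame; stop at a truncated tail."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def goaway_frame(last_stream_id, error_code):
    """GOAWAY on stream 0: last processed stream id, error code, no debug data."""
    return build_frame(FRAME_GOAWAY, 0, 0,
                       struct.pack(">II", last_stream_id & 0x7FFFFFFF, error_code))


def check_continuation_flood(data, max_header_block=8192, max_continuations=16):
    """Inspect a connection's frame sequence for an unterminated header block.

    Returns (verdict, goaway): verdict is "ok", "protocol_error" or
    "continuation_flood"; goaway is the GOAWAY frame to send, or None.
    The limits are illustrative assumptions, not lighttpd's actual values.
    """
    pending = None  # [stream_id, bytes_so_far, continuation_count] while END_HEADERS is outstanding
    for ftype, flags, sid, payload in parse_frames(data):
        if pending is None:
            if ftype == FRAME_HEADERS and not flags & FLAG_END_HEADERS:
                pending = [sid, len(payload), 0]
            continue
        # A header block is open: only CONTINUATION on the same stream is legal (RFC 9113 s.6.10).
        if ftype != FRAME_CONTINUATION or sid != pending[0]:
            return "protocol_error", goaway_frame(pending[0], ERR_PROTOCOL_ERROR)
        pending[1] += len(payload)
        pending[2] += 1
        if pending[1] > max_header_block or pending[2] > max_continuations:
            return "continuation_flood", goaway_frame(pending[0], ERR_ENHANCE_YOUR_CALM)
        if flags & FLAG_END_HEADERS:
            pending = None
    return "ok", None


# Constructed sample traffic (no HPACK; opaque bytes stand in for header block fragments).
BENIGN = (build_frame(FRAME_HEADERS, 0, 1, b"h" * 100)
          + build_frame(FRAME_CONTINUATION, FLAG_END_HEADERS, 1, b"h" * 100))
FLOOD = build_frame(FRAME_HEADERS, 0, 3, b"h" * 100) + b"".join(
    build_frame(FRAME_CONTINUATION, 0, 3, b"h" * 1000) for _ in range(50))

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("flood", FLOOD)):
        verdict, goaway = check_continuation_flood(sample)
        print(name, verdict, goaway.hex() if goaway else "-")
```

The check stops at the first violating frame rather than buffering the whole header block, which is the point of a flood defence: the server never has to hold an unbounded header block in memory before deciding to close the connection.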

FUTURE SCHEDULED BEHAVIOR CHANGES: (2025)

  • lighttpd TLS defaults will change to MinProtocol TLSv1.3
    • Other configurations will still be supported, but will not be the default.
    • Proposed default: MinProtocol TLSv1.3
    • Current default: MinProtocol TLSv1.2
  • server.error-handler-404 will operate only on 404
    • (historical error: server.error-handler-404 operated on both 404 and 403)
    • Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available to produce dynamic error pages for 4xx and 5xx responses.
    • Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to is an additional, high-performance mechanism to produce dynamic error pages. https://wiki.lighttpd.net/mod_magnet


1.4.75

Important changes

  • incrementally stronger TLS cipher defaults; bug fixes


Behavior Changes: (previously announced)

  • TLS cipher defaults have been incrementally updated to stronger defaults
    • New defaults are forward-secret and support authenticated encryption (AEAD)
    • New defaults: openssl ciphers ‘EECDH+AESGCM:CHACHA20:!PSK:!DHE’
    • Previous defaults: openssl ciphers ‘EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384’
    • Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults (and supported clients, i.e. those which have not already reached end-of-life).
    • Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
  • mod_redirect: default url.redirect-code for HTTP/1.1 and later has been changed from 301 Moved Permanently to 308 Permanent Redirect (only if url.redirect is not explicitly set in lighttpd.conf)
    • RFC7538: https://datatracker.ietf.org/doc/html/rfc7538 (published almost 9 years ago)

Future Scheduled Behavior Changes: (2025)

  • lighttpd TLS defaults will change to MinProtocol TLSv1.3
    • Other configurations will still be supported, but will not be the default.
    • Proposed default: MinProtocol TLSv1.3
    • Current default: MinProtocol TLSv1.2
  • server.error-handler-404 will operate only on 404
    • (historical error: server.error-handler-404 operated on both 404 and 403)
    • Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available to produce dynamic error pages for 4xx and 5xx responses.
    • Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to is an additional, high-performance mechanism to produce dynamic error pages. https://wiki.lighttpd.net/mod_magnet

1.4.74

Important changes

bug fixes, portability, expanded CI


Behavior Changes:

  • Some messages sent to syslog() (if enabled in lighttpd config) have been changed to use different priorities (e.g. LOG_WARNING, LOG_DEBUG) instead of everything being sent with LOG_ERROR priority.
    • The change affects only lighttpd configs which set server.errorlog-use-syslog = “enable” (not default)
  • Use sendfile() with musl libc; fix build detection of sendfile() w/ musl libc
    • Please report any issues, though any issues are unexpected since lighttpd falls back to writev() if sendfile() fails.

Future Scheduled Behavior Changes: (for the next lighttpd release)

  • TLS cipher defaults will be incrementally updated to stronger defaults
    • Proposed defaults are forward-secret and support authenticated encryption (AEAD)
    • Proposed defaults: openssl ciphers ‘EECDH+AESGCM:CHACHA20:!PSK:!DHE’
    • Current defaults: openssl ciphers ‘EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384’
    • Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults (and supported clients, i.e. those which have not already reached end-of-life).
    • Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
  • mod_redirect: default url.redirect-code for HTTP/1.1 and later will be changed from 301 Moved Permanently to 308 Permanent Redirect (only if url.redirect is not explicitly set in lighttpd.conf)
    • RFC7538: https://datatracker.ietf.org/doc/html/rfc7538 (published almost 9 years ago)

Future Scheduled Behavior Changes: (2025)

  • lighttpd TLS defaults will change to MinProtocol TLSv1.3
    • Other configurations will still be supported, but will not be the default.
    • Proposed default: MinProtocol TLSv1.3
    • Current default: MinProtocol TLSv1.2
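The defaults whose change is announced in the 1.4.75 notes (cipher list, url.redirect-code) and scheduled for 2025 in the 1.4.74 and 1.4.76 notes (MinProtocol, server.error-handler-404), pinned explicitly in a lighttpd.conf fragment. This is an added example, not configuration shipped by the lighttpd project; the directive names are lighttpd's, while the certificate path, the redirect rule and the error-handler path are placeholders. Setting these values in the configuration means a later release changing its default does not silently change the server's behavior.

```conf
# Added example lighttpd.conf fragment (not from the release notes).
server.modules += ( "mod_openssl", "mod_redirect" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/PLACEHOLDER-cert.pem"   # placeholder path

    # Pin the 1.4.75 cipher defaults: forward-secret, AEAD only.
    # MinProtocol TLSv1.2 is the current default; TLSv1.3 is the proposed 2025 default,
    # so choose one here deliberately rather than inheriting whichever the release ships.
    ssl.openssl.ssl-conf-cmd = (
        "MinProtocol"  => "TLSv1.2",
        "CipherString" => "EECDH+AESGCM:CHACHA20:!PSK:!DHE"
    )
}

# mod_redirect: 1.4.75 made 308 the implicit default for HTTP/1.1 and later.
# State it explicitly; use 301 only if some client still depends on the old code.
url.redirect-code = 308
url.redirect = ( "^/old/(.*)$" => "/new/$1" )   # placeholder rule

# Dynamic error pages: server.error-handler (since 1.4.40) covers 4xx and 5xx,
# so nothing here relies on server.error-handler-404 also catching 403.
server.error-handler = "/error-page"   # placeholder handler path
```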