2025

1.4.82

Important changes

  • restrict request trailers to configured list; bugfixes

BEHAVIOR CHANGES:

  • trailers in request headers will be ignored unless allowed field names are explicitly configured in a comma-separated list containing no spaces:

    server.feature-flags += ("request.trailer-whitelist" => "...")
    

    This changes behavior from lighttpd 1.4.80, which added support for request trailers and header merging, but did not restrict request trailers.

Downloads

1.4.80

Important changes

  • detect and issue error trace for HTTP/2 MadeYouReset VU#767506 CVE-2025-8671

Highlights

  • detect and issue error trace for HTTP/2 MadeYouReset VU#767506 CVE-2025-8671
  • stricter HTTP request/response header, trailer, and chunked validation/parsing
  • support HTTP response trailers
  • support HTTP request trailers merge to headers (if not streaming request body)
  • bug fixes

BEHAVIOR CHANGES

  • extend TLS error log messages to include client addr if error caused by client (Please review TLS error string matching in log watchers)
  • extend TLS error log messages for HTTP/2 attack detection (Please review TLS error string matching in log watchers)
  • reject path info on static files by default (prior default allowed path info) (For prior behavior, configure static-file.disable-pathinfo = "disable")

Downloads

1.4.79

Important changes

  • hardened systemd lighttpd.service
  • bug fix for mod_openssl using both ECDSA and RSA certs

BEHAVIOR CHANGES

  • lighttpd-provided hardened systemd lighttpd.service may need admin-overrides on non-typical systems (less popular distros) using lighttpd-provided systemd lighttpd.service and which also run lighttpd as root, or run CGI scripts as root, to manage the system. To create overrides, run systemctl edit lighttpd and edit /etc/systemd/system/lighttpd.service.d/override.conf. In contrast, many popular distros configure lighttpd to drop privileges from root and to run as an unprivileged user, e.g. ‘lighttpd’ or ‘www-data’. These systems are unlikely to be affected by the hardened and more secure systemd lighttpd.service configuration.

Downloads

1.4.77

Important changes

  • stronger TLS defaults: MinProtocol TLSv1.3; experimental TLS ECH support

Behavior Changes

  • lighttpd TLS defaults: MinProtocol TLSv1.3. Other configurations are still supported, but are not the default. Previous default: MinProtocol TLSv1.2. Current default: MinProtocol TLSv1.3.
  • lighttpd TLS defaults now limit TLSv1.3 Groups to the IANA "Recommended" set: "X25519:P-256:P-384:X448" (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8). Configure Groups/Curves using ssl.openssl.ssl-conf-cmd += ("Groups" => "…")
  • server.error-handler-404 operates only on 404 (historical error: server.error-handler-404 operated on both 404 and 403). Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available to produce dynamic error pages for 4xx and 5xx responses. Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to is an additional, high performance mechanism to produce dynamic error pages. https://wiki.lighttpd.net/mod_magnet
  • doc/config/lighttpd.conf has been renamed doc/config/lighttpd.annotated.conf and doc/config/lighttpd.conf is now a simpler header which includes lighttpd.annotated.conf. lighttpd package maintainers must review their packaging scripts and include both lighttpd.conf and lighttpd.annotated.conf (e.g. doc/config/*.conf) along with doc/config/conf.d/*.conf.
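
The configuration-visible behavior changes listed for 1.4.77 through 1.4.82, turned into a pre-upgrade check over the text of a lighttpd.conf. This is an added example, not code from the lighttpd project: the function name audit, the sample config and its trailer field names are constructed, and the regex matching is a simplification that does not follow include files or conditional blocks.

```python
import re

# Constructed sample config (not from the release notes); trailer field names are illustrative.
SAMPLE_CONF = '''
server.feature-flags += ("request.trailer-whitelist" => "X-Checksum, X-Signature")
server.error-handler-404 = "/errors/404.php"
# static-file.disable-pathinfo = "disable"
ssl.openssl.ssl-conf-cmd += ("MinProtocol" => "TLSv1.2")
'''

def audit(conf_text):
    """Return (release, setting, note) tuples for settings touched by the behavior changes."""
    # Drop whole-line comments so commented-out directives are not counted as set.
    body = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))
    findings = []

    m = re.search(r'"request\.trailer-whitelist"\s*=>\s*"([^"]*)"', body)
    if m is None:
        findings.append(("1.4.82", "request.trailer-whitelist", "not set: request trailers are ignored"))
    elif re.search(r"\s", m.group(1)):
        findings.append(("1.4.82", "request.trailer-whitelist", "list contains spaces; use comma-separated names with no spaces"))

    if re.search(r"^\s*server\.error-handler-404\b", body, re.M):
        findings.append(("1.4.77", "server.error-handler-404", "operates on 404 only, no longer on 403"))

    if not re.search(r"^\s*static-file\.disable-pathinfo\b", body, re.M):
        findings.append(("1.4.80", "static-file.disable-pathinfo", "not set: path info on static files is rejected"))

    m = re.search(r'"MinProtocol"\s*=>\s*"([^"]*)"', body)
    if m is None:
        findings.append(("1.4.77", "MinProtocol", "not set: default is TLSv1.3"))
    elif m.group(1) != "TLSv1.3":
        findings.append(("1.4.77", "MinProtocol", "overrides default TLSv1.3 with " + m.group(1)))
    return findings

if __name__ == "__main__":
    for release, setting, note in audit(SAMPLE_CONF):
        print(f"[{release}] {setting}: {note}")
```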

Downloads