<p>lighttpd - fly light, http://www.lighttpd.net/ (2024-03-13T15:39:42+00:00)</p>
<p>1.4.75, 2024-03-13T00:00:00+00:00, http://www.lighttpd.net/2024/3/13/1.4.75/, gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<ul>
<li>incrementally stronger TLS cipher defaults; bug fixes</li>
</ul>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.gz">lighttpd-1.4.75.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">283aa8cba5534979f987c2a652948c241a94683a21e06e2a7109f632bbcdda97</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.xz">lighttpd-1.4.75.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">8b721ca939d312afaa6ef31dcbd6afb5161ed385ac828e6fccd4c5b76be189d6</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.sha256sum">SHA256 checksums</a></li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.sha512sum">SHA512 checksums</a></li>
</ul>
<h2 id="behavior-changes-previously-announced">Behavior Changes: (previously announced)</h2>
<ul>
<li>TLS cipher defaults have been incrementally updated to stronger defaults<br />
New defaults are forward-secret and support authenticated encryption (AEAD)<br />
New defaults: openssl ciphers 'EECDH+AESGCM:CHACHA20:!PSK:!DHE'<br />
Previous defaults: openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384'<br />
Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults
(and supported clients, i.e. those which have not already reached end-of-life).<br />
Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/</li>
<li>mod_redirect: default url.redirect-code for HTTP/1.1 and later has been
changed from 301 Moved Permanently to 308 Permanent Redirect
(only if url.redirect is not explicitly set in lighttpd.conf)<br />
RFC7538: https://datatracker.ietf.org/doc/html/rfc7538
(published almost 9 years ago)</li>
</ul>
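<p>How the two behavior changes above look when written out explicitly in lighttpd.conf. This is an added example, not taken from the lighttpd distribution or its sample configuration; it assumes mod_openssl as the TLS module, a listener on port 443, and a placeholder certificate path.</p>

```conf
# Added example: pins the values announced in the 1.4.75 notes so that a
# config review shows exactly what the server is configured to negotiate.
server.modules += ( "mod_openssl" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/example.pem"   # placeholder path

    ssl.openssl.ssl-conf-cmd = (
        # Current default per the release notes; scheduled to become TLSv1.3 in 2025.
        "MinProtocol"  => "TLSv1.2",
        # 1.4.75 default: forward-secret key exchange with AEAD ciphers only,
        # PSK and DHE suites excluded.
        "CipherString" => "EECDH+AESGCM:CHACHA20:!PSK:!DHE"
    )

    # Pre-1.4.75 default string, shown commented out for comparison only:
    # "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
}

# mod_redirect: 308 is the 1.4.75 default for HTTP/1.1 and later.
# Set 301 here only if deployed clients depend on the previous behavior.
url.redirect-code = 308
```

<p>Values set explicitly like this are not affected when a later release changes the built-in defaults, so review them again at each upgrade.</p>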
<h2 id="future-scheduled-behavior-changes-2025">Future Scheduled Behavior Changes: (2025)</h2>
<ul>
<li>lighttpd TLS defaults will change to MinProtocol TLSv1.3<br />
Other configurations will still be supported, but will not be the default.<br />
Proposed default: MinProtocol TLSv1.3<br />
Current default: MinProtocol TLSv1.2</li>
<li>server.error-handler-404 will operate only on 404
(historical error: server.error-handler-404 operated on both 404 and 403)<br />
Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available
to produce dynamic error pages for 4xx and 5xx responses.<br />
Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to
is an additional, high performance mechanism to produce dynamic error pages.<br />
https://wiki.lighttpd.net/mod_magnet</li>
</ul>
<h2 id="changes-from-1474">Changes from 1.4.74</h2>
<ul>
<li>[mod_redirect] url.redirect-code = 308 new default</li>
<li>[ls-hpack] more portability fixes for sys/queue.h</li>
<li>[ls-hpack] update version to 2.3.3</li>
<li>[TLS] default to stronger ciphers w/ PFS and AEAD</li>
<li>[ci] apt-get install build-essential on Ubuntu</li>
<li>[ci] /usr/local/opt keg-only pkgs on Darwin(macOS)</li>
<li>[mod_authn_sasl] translate SASL_LOG_* to syslog</li>
<li>[build] include src/compat/sys/queue.h in tarball</li>
<li>[core] fdlog_openlog(), fdlog_closelog()</li>
<li>[mod_accesslog] fdlog_openlog() if using syslog</li>
<li>[cmake] fix LEMON_PATH with empty CMAKE_BUILD_TYPE</li>
<li>[ci] limit github ci to specific branches</li>
<li>[ci] prefer non-login shell for Cygwin CI build</li>
<li>[ci] prefer dash for Cygwin and MSYS2 builds</li>
<li>[mod_wstunnel] fix server.ping-interval w/ HTTP/2</li>
<li>[mod_dirlisting] fix suffix display of ‘/’ on file (fixes <a href="https://redmine.lighttpd.net/issues/3242">#3242</a>)</li>
<li>[mod_openssl] use internal asn1_time fn on 32-bit (fixes <a href="https://redmine.lighttpd.net/issues/3244">#3244</a>)</li>
<li>[mod_openssl] faster ASN1_TIME parse</li>
<li>[mod_wolfssl] faster ASN1_TIME parse</li>
<li>[doc] update TLS comment in sample lighttpd.conf</li>
</ul>
<p>1.4.74, 2024-02-19T00:00:00+00:00, http://www.lighttpd.net/2024/2/19/1.4.74/, gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<p>bug fixes, portability, expand CI</p>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.74.tar.gz">lighttpd-1.4.74.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.74.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">3a82994d2afdd685c967569919cfa612dbb39bc1cc737d1b07dc4e988379ae57</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.74.tar.xz">lighttpd-1.4.74.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.74.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">5c08736e83088f7e019797159f306e88ec729abe976dc98fb3bed71b9d3e53b5</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.74.sha256sum">SHA256 checksums</a></li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.74.sha512sum">SHA512 checksums</a></li>
</ul>
<h2 id="behavior-changes">Behavior Changes:</h2>
<ul>
<li>Some messages sent to syslog() (if enabled in lighttpd config) have been
changed to use different priorities (e.g. LOG_WARNING, LOG_DEBUG) instead
of everything being sent with LOG_ERROR priority. The change affects only
lighttpd configs which set server.errorlog-use-syslog = "enable" (not default)</li>
<li>Use sendfile() with musl libc; fix build detection of sendfile() w/ musl libc<br />
Please report any issues, though any issues are unexpected since
lighttpd falls back to writev() if sendfile() fails.</li>
</ul>
<h2 id="future-scheduled-behavior-changes-for-the-next-lighttpd-release">Future Scheduled Behavior Changes: (for the next lighttpd release)</h2>
<ul>
<li>TLS cipher defaults will be incrementally updated to stronger defaults<br />
Proposed defaults are forward-secret and support authenticated encryption (AEAD)<br />
Proposed defaults: openssl ciphers 'EECDH+AESGCM:CHACHA20:!PSK:!DHE'<br />
Current defaults: openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384'<br />
Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults
(and supported clients, i.e. those which have not already reached end-of-life).<br />
Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/</li>
<li>mod_redirect: default url.redirect-code for HTTP/1.1 and later will be
changed from 301 Moved Permanently to 308 Permanent Redirect
(only if url.redirect is not explicitly set in lighttpd.conf)<br />
RFC7538: https://datatracker.ietf.org/doc/html/rfc7538
(published almost 9 years ago)</li>
</ul>
<h2 id="future-scheduled-behavior-changes-2025">Future Scheduled Behavior Changes: (2025)</h2>
<ul>
<li>lighttpd TLS defaults will change to MinProtocol TLSv1.3<br />
Other configurations will still be supported, but will not be the default.<br />
Proposed default: MinProtocol TLSv1.3<br />
Current default: MinProtocol TLSv1.2</li>
</ul>
<h2 id="changes-from-1473">Changes from 1.4.73</h2>
<ul>
<li>[mod_h2] send 500 if backend oversized resp hdrs</li>
<li>[mod_h2] h2_send_1xx() lowercase field names (fixes <a href="https://redmine.lighttpd.net/issues/3233">#3233</a>)</li>
<li>[mod_dirlisting] smaller funcs to generate listing</li>
<li>[mod_dirlisting] dir-listing.sort option (<a href="https://redmine.lighttpd.net/issues/3235">#3235</a>)</li>
<li>[mod_dirlisting] check for response stream bufmin</li>
<li>[core] skip SIGUSR1 after clock jump if chroot’ed</li>
<li>[mod_deflate] move bzip2 to end of priority list</li>
<li>[mod_deflate] deflate.allowed-encodings default</li>
<li>[core] cfg "if","elif","elsif","elseif","else if"</li>
<li>[lemon] refresh LEMON parser to SQLite maint ver</li>
<li>[core] add newlines to config parsing error trace</li>
<li>[ls-hpack] sys/queue.h portability</li>
<li>[scons] remove -std=gnu99 to use modern defaults</li>
<li>[multiple] share code for upgrade: websocket</li>
<li>[core] check for SOCK_CLOEXEC earlier in startup</li>
<li>[autotools] report if ipv6 support disabled (fixes <a href="https://redmine.lighttpd.net/issues/3237">#3237</a>)</li>
<li>[core] simpler error page header</li>
<li>[mod_status] simpler status page header</li>
<li>[h2] quicker server graceful shutdown of idle h2</li>
<li>[mod_openssl] kTLS: check for kernel tls offload</li>
<li>[mod_gnutls] kTLS: check for kernel tls offload</li>
<li>[core] quicker server graceful shutdown of websockets</li>
<li>[build] -D_LARGEFILE64_SOURCE for musl sendfile64()</li>
<li>[mod_setenv] code consistency</li>
<li>[mod_expire] resp tag check</li>
<li>[mod_expire] comment</li>
<li>[core] use SF_NODISKIO with sendfile() on FreeBSD</li>
<li>[core] chunk_file_pread_chunk()</li>
<li>[mod_deflate] prefer reusable buffer to read file</li>
<li>[core] reduce blocking I/O sending files to net</li>
<li>[core] reduce network send file fallback path</li>
<li>[core] try mmap() if not using sendfile()</li>
<li>[mod_wolfssl] mod_wolfssl_write_err()</li>
<li>[multiple] extend chunkqueue_peek_data() w/ nowait</li>
<li>[core] preadv2 RWF_NOWAIT EOPNOTSUPP on tmpfs (?!)</li>
<li>[build] type error in configure.ac sendfile probe (fixes <a href="https://redmine.lighttpd.net/issues/3238">#3238</a>)</li>
<li>[core] update ls-hpack</li>
<li>[ls-hpack] sys/queue.h STAILQ_FOREACH portability</li>
<li>[core] chunk_open_file_chunk() in chunk.h</li>
<li>[multiple] use chunk_open_file_chunk()</li>
<li>[core] remove chunkqueue_open_file_chunk()</li>
<li>[core] use sendfile() with iovecs where available</li>
<li>[scons] remove CheckFunc() incorrect header usage</li>
<li>[core] spelling in comment in network_write.c</li>
<li>[cmake] check for sendfile64 only on Linux</li>
<li>[core] quiet compiler warning for NDEBUG redefined</li>
<li>[autoconf] config test for mbedtls needs mbedx509</li>
<li>[mod_h2] add con to job queue when wr alloc used</li>
<li>[mod_h2] use different flag for disk I/O busy</li>
<li>[crypto] use evp api for truncated sha-2 with libressl</li>
<li>[mod_expire] smaller options parse func</li>
<li>[mod_expire] check modification time to cur time</li>
<li>[tests] t/test_mod_expire.c</li>
<li>[tests] add mod_expire tests to tests/request.t</li>
<li>[core] log trace with priority for syslog() (<a href="https://redmine.lighttpd.net/issues/3239">#3239</a>)</li>
<li>[core] avoid preprocessor use inside macros</li>
<li>[core] log_pri() and log_pri_multiline() (<a href="https://redmine.lighttpd.net/issues/3239">#3239</a>)</li>
<li>[build] remove checks for sendfile64</li>
<li>[tests] clean up memleak on test exit</li>
<li>[build] quiet compiler warnings in LEMON parser</li>
<li>[core] simplify connection_handle_write() err case</li>
<li>[core] gw_host_get shared code</li>
<li>[doc] update doc/config/conf.d/mime.conf</li>
<li>[core] combine *BSD cond handling 0-len FILE_CHUNK</li>
<li>[meson] portability improvements</li>
<li>[core] DragonflyBSD portability</li>
<li>[tests] quiet compiler warning</li>
<li>[ci] enable github CI</li>
<li>[ci] adjust .github/workflows/meson.yml</li>
<li>[ci] quiet msys-clang32 stdcall compiler warning</li>
<li>[ci] #undef _XOPEN_SOURCE on Solaris</li>
<li>[core] fix recent solaris typo; compile failure</li>
<li>[ci] _WIN32 portability</li>
<li>[cmake,meson] skip tests/* under native Windows</li>
<li>[tests] support platforms without cp -n</li>
<li>[ci] cmake did not detect inet_pton on x86 _WIN32</li>
<li>[ci] use latest GCC and clang</li>
<li>[ci] adjust .github/workflows/meson.yml</li>
<li>[ci] further simplify</li>
<li>[ci] adjust NetBSD,OpenBSD tests .github/workflows</li>
<li>[ci] add Windows-VisualStudio to .github/workflows</li>
<li>[ci] add Solaris (disabled) to .github/workflows</li>
<li>[ci] add Windows-MSYS2 to .github/workflows</li>
<li>[ci] rename .github/workflows/meson.yml to pr.yml</li>
<li>[tests] adjust shell syntax in tests/prepare.sh</li>
<li>[tests] test_mod stub funcs for static builds</li>
<li>[ci] adjust Windows tests in .github/workflows</li>
<li>[mod_authn_dbi,mod_vhostdb_dbi] check for &lt;dbi.h&gt;</li>
<li>[ci] tailor scripts/ci-build.sh for FreeBSD</li>
<li>[ci] use set -e in .github/workflows run commands</li>
<li>[debug] debug.log-timeouts for all timeout logging</li>
<li>[debug] use log_debug_multiline() (<a href="https://redmine.lighttpd.net/issues/3239">#3239</a>)</li>
<li>[debug] use log_debug() instead of log_error() (<a href="https://redmine.lighttpd.net/issues/3239">#3239</a>)</li>
<li>[multiple] use log_warn() for config warnings (<a href="https://redmine.lighttpd.net/issues/3239">#3239</a>)</li>
<li>[core] use log_warn(),log_notice(),log_info() (fixes <a href="https://redmine.lighttpd.net/issues/3239">#3239</a>)</li>
<li>[ls-hpack] compat include of &lt;sys/queue.h&gt;</li>
<li>[tests] skip deflate tests if zlib not available</li>
<li>[core] ignore cc -Wcpp warning for &lt;sys/cdefs.h&gt;</li>
<li>[ci] mechanism to disable wolfssl in ci-build.sh</li>
<li>[ci] use Alpine Linux VMs to test additional arch</li>
<li>[ci] skip 32-bit builds on Windows; save resources</li>
<li>[tests] skip shutdown(SHUT_WR) in tests on s390x</li>
<li>[ci] add s390x arch</li>
<li>[meson] replace deprecated meson.build_root() use</li>
<li>[ci] x86_64 and x86 featureful builds on ubuntu</li>
<li>[ci] add x86_64 cmake ASAN build on ubuntu</li>
<li>[ci] ci-build.sh add some NO_* options</li>
<li>[ci] add Windows-Cygwin build</li>
<li>[ci] fail fast if x86 build fails on alpine</li>
<li>[ci] reduce some builds while maintaining coverage</li>
<li>[ci] remove config not actually running x86 ubuntu</li>
<li>[ci] more featureful build on macOS</li>
<li>[doc] cert-staple.sh check staple newer than cert</li>
<li>[ci] pr.yml format consistency</li>
<li>[tests] remove repeated file in prepare.sh cp</li>
<li>[wolfssl] renamed SSL_OP_NO_TICKET</li>
<li>[ci] more featureful build on NetBSD</li>
<li>[mod_authn_gssapi] ifndef GSS_KRB5_NT_PRINCIPAL_NAME</li>
<li>[build] check ‘lua54’ before other lua variants</li>
<li>[ci] OpenBSD CFLAGS LDFLAGS PKG_CONFIG_LIBDIR</li>
<li>[ci] more featureful build on OpenBSD</li>
<li>[ci] use bash on DragonflyBSD instead of csh</li>
<li>[ci] special-cases for running tests under MSYS2</li>
<li>[ci] basic build and run tests under MSYS2</li>
<li>[tests] remove stray comment from test_mod_expire</li>
<li>[ci] ci-build.sh NO_DBI option</li>
<li>[ci] ci-build.sh NO_UUID option</li>
<li>[ci] ci-build.sh NO_GNUTLS option</li>
<li>[ci] ci-build.sh NO_MYSQL option</li>
<li>[core] _WIN32 define PROT_WRITE to PAGE_READWRITE</li>
<li>[mod_authn_sasl] use HOSTNAME for fqdn on _WIN32</li>
<li>[ci] more featureful build on MSYS2</li>
<li>[mod_authn_sasl] fix typo</li>
<li>[ci] use cygwin test repos for latest packages</li>
<li>[ci] vmactions usesh: true</li>
<li>[ci] fix cmake generator path for MSVC</li>
<li>[mod_wstunnel] read and discard HTTP/1.1 req body</li>
<li>[core] use log_notice() for conn limit notice (<a href="https://redmine.lighttpd.net/issues/3239">#3239</a>)</li>
<li>[core] gw_upgrade_policy() shared code</li>
<li>[mod_wstunnel] handle large kernel socket recv buf</li>
<li>[core] stat_cache.c replace assert w/ error codes</li>
<li>[core] remove dev assert in http_chunk_append_mem</li>
<li>[core] ck_static_assert()</li>
<li>[core] remove asserts from gw_status_get_counter()</li>
<li>[core] configparser.y combine assert, remove debug</li>
<li>[core] remove assert from sock_addr.c</li>
<li>[mod_fastcgi] check env w/ cond instead of assert</li>
<li>[core] shared code chunkqueue_close_tempchunk()</li>
<li>[core] buffer.c combine asserts</li>
<li>[core] array require nonnull for insert,replace</li>
<li>[core] li_tohex*() no longer adds ‘\0’</li>
<li>[core] accept 65536 in config for ushort values</li>
<li>[ci] add missing intermediate dep for Cygwin</li>
<li>[core] clarify configfile parse comment</li>
<li>[core] fix crash with invalid lighttpd.conf syntax</li>
<li>[core] lighttpd.conf detect,err if consecutive str</li>
<li>[mod_magnet] lighty.r.req_body.unspecified_len</li>
<li>[mod_proxy] handle HTTP/1.0 unspecified req len</li>
<li>[core] unset Upgrade if downgrade HTTP/1.1 to 1.0</li>
<li>[mod_magnet] interface to downgrade HTTP/1.1 to 1.0</li>
<li>[mod_magnet] expand guidance in error message (<a href="https://redmine.lighttpd.net/issues/3240">#3240</a>)</li>
<li>[debug] use log_debug() instead of log_error() (<a href="https://redmine.lighttpd.net/issues/3239">#3239</a>)</li>
<li>[mod_wstunnel] use log_warn(),log_notice(),log_info() (<a href="https://redmine.lighttpd.net/issues/3239">#3239</a>)</li>
<li>[multiple] gw_backend_error_trace() (fixes <a href="https://redmine.lighttpd.net/issues/1406">#1406</a>)</li>
<li>[mod_webdav] webdav_uuid_v4() to supplant libuuid (<a href="https://redmine.lighttpd.net/issues/1056">#1056</a>)</li>
<li>[build] remove libuuid dependency (fixes <a href="https://redmine.lighttpd.net/issues/1056">#1056</a>)</li>
<li>[mod_wstunnel] quiet coverity warning</li>
<li>[doc] fix typos in doc/config/lighttpd.conf</li>
<li>[mod_h2] send 502 if backend oversized resp hdrs</li>
</ul>
<p>1.4.73, 2023-10-30T00:00:00+00:00, http://www.lighttpd.net/2023/10/30/1.4.73/, gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<ul>
<li>HTTP/2 detect and log rapid reset attack</li>
</ul>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.73.tar.gz">lighttpd-1.4.73.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.73.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">816cbec71e8d02d874f1d5c798d76d091a76d5acbeb6e017ba76aeb4263d6995</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.73.tar.xz">lighttpd-1.4.73.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.73.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">818816d0b314b0aa8728a7076513435f6d5eb227f3b61323468e1f10dbe84ca8</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.73.sha256sum">SHA256 checksums</a></li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.73.sha512sum">SHA512 checksums</a></li>
</ul>
<h2 id="changes-from-1472">Changes from 1.4.72</h2>
<ul>
<li>[core] add .mkv to mimetype.assign builtin defaults</li>
<li>[core] warn if out-of-range value for config short</li>
<li>[mod_openssl] set default curves for ossl &lt; 1.1.0</li>
<li>[mod_h2] parse HEADERS flags sooner</li>
<li>[mod_h2] check send window before defer frame rd</li>
<li>[mod_h2] send GOAWAY to excessive request flood</li>
<li>[mod_h2] h2_parse_headers_frame() adjust args</li>
<li>[mod_h2] h2_recv_headers() parse trailers earlier</li>
<li>[mod_h2] send GOAWAY to excessive request flood</li>
<li>[mod_h2] discard new streams after GOAWAY sent</li>
<li>[mod_h2] h2_discard_headers() to HPACK-decode hdrs</li>
<li>[core] parse entire server.http-parseopts list</li>
<li>[mod_wstunnel] Sec-WebSocket-Protocol only if req hdr</li>
<li>[mod_h2] disable h2proto if mod_h2 was not found</li>
<li>[core] omit dlopen trace for mod_h2, mod_deflate</li>
<li>[mod_h2] defer input parsing if large output queue</li>
<li>[mod_h2] defer frame handling if stream pend close</li>
<li>[mod_h2] detect and log HTTP/2 rapid reset attack</li>
<li>[core] honor MBEDTLS_USE_PSA_CRYPTO for hash,rand</li>
<li>[mod_mbedtls] honor MBEDTLS_USE_PSA_CRYPTO for rand</li>
<li>[core] comment out li_rand_bytes() (unused)</li>
<li>[mod_mbedtls] handle mbedtls 3.x partial write</li>
<li>[mod_h2] detect and log HTTP/2 rapid reset attack</li>
<li>[mod_h2] detect and log HTTP/2 rapid reset attack</li>
<li>[mod_openssl] warn if openssl version &lt; 3.0.0</li>
<li>[mod_openssl] include openssl/hmac.h for boringssl</li>
</ul>
<p>1.4.72, 2023-10-06T00:00:00+00:00, http://www.lighttpd.net/2023/10/6/1.4.72/, gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<ul>
<li>bugfixes</li>
</ul>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.72.tar.gz">lighttpd-1.4.72.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.72.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">c016d62d2d13a3590ea05494c61059c025447bc71d14a87ee54968b9f506c3ca</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.72.tar.xz">lighttpd-1.4.72.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.72.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">f7cade4d69b754a0748c01463c33cd8b456ca9cc03bb09e85a71bcbcd54e55ec</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.72.sha256sum">SHA256 checksums</a></li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.72.sha512sum">SHA512 checksums</a></li>
</ul>
<h2 id="changes-from-1471">Changes from 1.4.71</h2>
<ul>
<li>[core] save config read from stdin across restart</li>
<li>[core] warn if daemonize w/o absolute config path</li>
<li>[mod_dirlisting] send Link w/ external css or js</li>
<li>[mod_dirlisting] fix missing header/readme (fixes <a href="https://redmine.lighttpd.net/issues/3211">#3211</a>)</li>
<li>[core] ignore coverity warning</li>
<li>[core] ignore coverity warning</li>
<li>[core] reqpool.c:request_set_con()</li>
<li>[core] request_init_data() minor optim</li>
<li>[core] request.c:request_pool_{push,pop}</li>
<li>Revert “[core] h2 http_request_parse_header() tweak”</li>
<li>[core] enable config conditions on HTTP/2 PRI</li>
<li>[mod_webdav] extend symlink support (non-standard)</li>
<li>[mod_extforward] fix extforward.params config opt</li>
<li>[mod_authn_ldap] fix config auth.require group=… (fixes <a href="https://redmine.lighttpd.net/issues/3216">#3216</a>)</li>
<li>[core] set CON_STATE_READ_POST for HTTP/2 reqbody</li>
<li>[core] chunkqueue_read_squash() returns cq->first</li>
<li>[core] get body from cq at offset in chunk</li>
<li>[doc] update stbuehler address</li>
<li>[tests] use sha crypt for fastcgi auth environment tests</li>
<li>[tests] drop des-crypt and crypt-md5 auth tests - deprecated/not available on various platforms</li>
<li>[core] code size: xxhash XXH_NO_STREAM</li>
<li>[core] fdevent_sh_exec()</li>
<li>[mod_dirlisting] http_dirlist_auto_layout_early_hints()</li>
<li>[mod_dirlisting] send 103 w/ external css or js</li>
<li>[mod_dirlisting] json output for /&lt;path&gt;/?json</li>
<li>[mod_dirlisting] include ETag with cached result</li>
<li>[core] import xxHash v0.8.2</li>
<li>[tests] move %ENV modifications into forked child</li>
<li>[mod_ssi] init hctx->wq to init alt cq tempdirs</li>
<li>[tests] initialize request_st cqs in tests</li>
<li>[core] chunkqueue_env_tmpdir()</li>
<li>[core] config_set_defaults() reduce code size</li>
<li>[tests] use current perl interpreter path for env.PERL in lighttpd.conf</li>
<li>[mod_deflate] code reuse to create temp file</li>
<li>[core] skip pwrite() to temp file if 0 len write</li>
<li>[core] store cq->tempdirs in stack var</li>
<li>[core] remove tempdirs ptr from struct chunkqueue</li>
<li>[core] treat upload_temp_file_size=0 as default sz</li>
<li>[core] hide unused var on _WIN32 compiler warning</li>
<li>[mod_nss] nspr include prefix portability(attempt)</li>
<li>[CI] scripts/ci-build.sh arg consistency;add meson</li>
<li>[CI] remove wolfssl from autobuild; let rest build</li>
<li>[CI] remove NSS from autobuild; let rest build</li>
<li>[CI] remove mbedtls from autobuild; let rest build</li>
<li>[mod_nss] nspr include prefix portability(attempt)</li>
<li>[CI] ci-build.sh: adjust meson; add pam, maxminddb</li>
<li>[CI] ci-build.sh: fix typo --with-pam</li>
<li>[CI] remove maxminddb from autobuild,cmake; let rest build</li>
<li>[CI] ci-build.sh re-enable additional dependencies</li>
<li>[core] optimize for non-Range requests</li>
<li>[core] allow larger number of Ranges if sorted</li>
<li>[tests] test_http_range.c</li>
<li>[core] attempt to quiet coverity warning</li>
<li>[build] packdist.sh now produces .md for www.l.n</li>
<li>[core] disable keep-alive if HTTP/1.1 CL and TE</li>
<li>[core] reject empty Content-Length for HTTP/1.x</li>
<li>[core] reject uppercase in unrecognized HTTP/2 hdr</li>
<li>[core] warn dynamic mods listed before staticfile</li>
<li>[core] dev-only internal request state debugging</li>
<li>[core] short-circuit connection_state_machine_loop</li>
<li>[core] reset connection-level state at con level</li>
<li>[core] optim for non-throttle writes</li>
<li>[core] remove connection_handle_write HTTP/1.x opt</li>
<li>[core] yield writing large HTTP/1.x on slow device</li>
<li>[core] tighten h2_process_streams()</li>
<li>[core] h2_process_streams() simpler loop to retire</li>
<li>[core] http_response_physical_pathinfo()</li>
<li>[core] http_response_prepare() tweaks</li>
<li>[meson] Fix ‘getoption’ meson typo</li>
<li>[core] use different getxattr() prototype on MacOS</li>
<li>[mod_deflate] do not compress any 1xx status</li>
<li>[core] http_response_304(), http_response_412()</li>
<li>[core] add config option to reject pathinfo</li>
<li>[core] expand mimetype.assign builtin defaults</li>
<li>[core] mark some cold routines noinline</li>
<li>[core] add config opt to send GOAWAY for bad auth</li>
<li>[core] show_features() show inotify or kqueue</li>
<li>[core] stat_cache_refresh_entry()</li>
<li>[core] splaytree: use all 32-bits of hash value</li>
<li>[core] splaytree: compare keys directly</li>
<li>[core] splaytree: splaytree_splay_nonnull()</li>
<li>[core] stat_cache: stat_cache_sptree_ndx()</li>
<li>[multiple] use splaytree_splay_nonnull()</li>
<li>[h2] comment struct h2con h2_sid member is unused</li>
<li>[mod_openssl] disable DH auto if DHParameters set</li>
<li>[mod_openssl] replace deprecated openssl funcs</li>
<li>[core] splaytree: splaytree_delete_splayed_node()</li>
<li>[multiple] use splaytree_delete_splayed_node()</li>
<li>[core] splaytree: splaytree_insert_splayed()</li>
<li>[multiple] use splaytree_insert_splayed()</li>
<li>[core] _WIN32 fs_win32_readlinkUTF8() (<a href="https://redmine.lighttpd.net/issues/3223">#3223</a>)</li>
<li>[mod_magnet] lighty.c.readlink() (fixes <a href="https://redmine.lighttpd.net/issues/3223">#3223</a>)</li>
<li>[core] add config option to reject pathinfo</li>
<li>[mod_dirlisting] send 103 Early Hints only for h2+</li>
<li>[mod_webdav] reject non-identity Content-Encoding</li>
<li>[scons] include mod_h2 in static builds (fixes <a href="https://redmine.lighttpd.net/issues/3224">#3224</a>)</li>
<li>[core] http_request_validate_pseudohdrs comment</li>
<li>[core] comment out redundant code</li>
<li>[core] reset addtl state b4 dynamic error handler</li>
<li>[core] reject Connection hdr in h2 as soon as seen</li>
<li>[mod_h2] process headers for debug</li>
<li>[mod_h2] comments and behavior for h2spec tests</li>
<li>[multiple] mark func __attribute_returns_nonnull__</li>
<li>[core] expand mimetype.assign builtin defaults</li>
<li>[core] warn if IPv6 socket not supported</li>
<li>[mod_simple_vhost,mod_evhost] check host strict</li>
<li>[mod_simple_vhost,mod_evhost] minor code transform</li>
<li>[mod_magnet] quiet 32-bit compiler warning</li>
</ul>
<p>1.4.71, 2023-05-27T00:00:00+00:00, http://www.lighttpd.net/2023/5/27/1.4.71/, gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<ul>
<li>bugfixes and portability; HTTP/2 support separated to mod_h2 module</li>
</ul>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.71.tar.gz">lighttpd-1.4.71.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.71.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">3855dfed5ce7a4b006e3d434b00985852b5a91c2abc56d92071f98bfe79f9d80</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.71.tar.xz">lighttpd-1.4.71.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.71.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">b8b6915da20396fdc354df3324d5e440169b2e5ea7859e3a775213841325afac</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.71.sha256sum">SHA256 checksums</a></li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.71.sha512sum">SHA512 checksums</a></li>
</ul>
<h2 id="behavior-changes-previously-announced">Behavior Changes (previously announced):</h2>
<ul>
<li>HTTP/2 support will be split out into optional separate module (mod_h2)<br />
(static builds will need to list mod_h2 in plugin-static.h to include mod_h2)</li>
</ul>
<h2 id="changes-from-1470">Changes from 1.4.70</h2>
<ul>
<li>[mod_h2] HTTP/2 separate module; no longer builtin</li>
<li>[mod_magnet] fix static build using autoconf (fixes <a href="https://redmine.lighttpd.net/issues/3203">#3203</a>)</li>
<li>[core] fix new use of posix_spawn with some glibc (fixes <a href="https://redmine.lighttpd.net/issues/3201">#3201</a>)</li>
<li>[core] _WIN32 quiet compiler warnings 32-bit build</li>
<li>[core] check getaddrinfo EAI_ADDRFAMILY w/ glibc</li>
<li>[core] quiet lemon.c clang C2x warnings</li>
<li>[core] compile w/o posix_spawn() on iOS</li>
<li>[core] fix crash due to missing initialization (fixes <a href="https://redmine.lighttpd.net/issues/3207">#3207</a>)</li>
<li>[core] request_init() separate static func</li>
<li>[multiple] remove some unused/redundant includes</li>
<li>[core] server.modules s/mod_compress/mod_deflate/</li>
<li>[core] preproc consistency #pragma GCC diagnostic</li>
<li>[core] update ls-hpack</li>
<li>[core] use empty value in srvconf.config_touched</li>
<li>[core] provide mimetype.assign default if unset</li>
<li>[mod_vhostdb_mysql] MySQL missing mysql_get_socket (fixes <a href="https://redmine.lighttpd.net/issues/3208">#3208</a>)</li>
<li>[core] clarify comment</li>
</ul>
<p>1.4.70, 2023-05-10T00:00:00+00:00, http://www.lighttpd.net/2023/5/10/1.4.70/, gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<ul>
<li>speed up CGI spawning</li>
<li>native Windows build (experimental) (not packaged; no installer)</li>
<li>support HTTP/2 downstream proxy serving multiple clients on single connection (mod_extforward, mod_maxminddb)</li>
<li>restructure code to isolate HTTP/2</li>
</ul>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.70.tar.gz">lighttpd-1.4.70.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.70.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">bc96e5571d937279aa7cfdc9c9de95bcc457ab6feafff6264aa8832d026068bc</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.70.tar.xz">lighttpd-1.4.70.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.70.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">921ebe1cf4b6b9897e03779ab7a23a31f4ba40a1abe2067525c33cd3ce61fe85</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.70.sha256sum">SHA256 checksums</a></li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.70.sha512sum">SHA512 checksums</a></li>
</ul>
<h2 id="behavior-changes-previously-announced">Behavior Changes (previously announced):</h2>
<ul>
<li>no longer building separate modules for built-in modules<br />
lighttpd 1.4.70 omits building separate (unused) modules for:<br />
mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile<br />
mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile</li>
</ul>
<h2 id="future-scheduled-behavior-changes">Future Scheduled Behavior Changes:</h2>
<ul>
<li>HTTP/2 support will be split out into optional separate module (mod_h2)<br />
(static builds will need to list mod_h2 in plugin-static.h to include mod_h2)</li>
</ul>
<h2 id="changes-from-1469">Changes from 1.4.69</h2>
<ul>
<li>[autotools] chmod u+w configparser.c for lemon</li>
<li>[build] skip build separate modules for built-ins</li>
<li>[core] cache format secs for high prec errlog</li>
<li>[mod_maxminddb] check remote IP each request (fixes <a href="https://redmine.lighttpd.net/issues/3191">#3191</a>)</li>
<li>[multiple] store ptrs to remote addr in request_st (<a href="https://redmine.lighttpd.net/issues/3192">#3192</a>)</li>
<li>[mod_extforward] manage remote addr per request (fixes <a href="https://redmine.lighttpd.net/issues/3192">#3192</a>)</li>
<li>[core] use C23 memset_explicit() where available</li>
<li>[mod_accesslog] %{mask}a to mask/anonymize IP</li>
<li>[core] cast to fix compiler error in prior commit</li>
<li>[scons] fix static build to include builtin_mods</li>
<li>[core] h2_recv_headers() tweak to reduce code size</li>
<li>[core] h2_get_stream_req() code reuse</li>
<li>[core] h2: remove obsolete comment</li>
<li>[core] h2 mark :status matching lsxpack enum value</li>
<li>[core] h2 match w/ lsxpack pseudo-header key only</li>
<li>[core] limit server.max-request-field-size &lt;=65535</li>
<li>[core] permit shell HERE docs to specify config</li>
<li>[core] add members to http_header_parse_ctx</li>
<li>[mod_extforward] typo in comment</li>
<li>[mod_openssl] SSL_CTX_set_options() takes uint64_t</li>
<li>[core] reorder enum handler_t</li>
<li>[core] connection_handle_request_start_state()</li>
<li>[core] check chunk file open early in mmap viewadj (fixes <a href="https://redmine.lighttpd.net/issues/3197">#3197</a>)</li>
<li>[core] h2 http_request_parse_header() tweak</li>
<li>[mod_extforward] recognize unix domain sockets (fixes <a href="https://redmine.lighttpd.net/issues/3198">#3198</a>)</li>
<li>[mod_magnet] support ./configure --with-lua=luajit (<a href="https://redmine.lighttpd.net/issues/3199">#3199</a>)</li>
<li>[core] remove instance of devel debug code</li>
<li>[core] quiet coverity warning</li>
<li>[core] connection_check_upgrade() h2_upgrade_h2c()</li>
<li>[core] CON_STATE_REQUEST_END transient state</li>
<li>[core] expose request_set_state() for internal use</li>
<li>[core] h2_send_goaway_graceful()</li>
<li>[core] h2_check_timeout()</li>
<li>[core] h2_process_streams()</li>
<li>[core] h2_recv_reqbody()</li>
<li>[core] HTTP_VERSION_3 enum value</li>
<li>[core] r-&gt;x union w/ structs for r-&gt;x.{h1}</li>
<li>[core] r-&gt;x union w/ structs for r-&gt;x.{h1,h2}</li>
<li>[core] http_dispatch[] tables for HTTP proto vers</li>
<li>[core] hxcon “base class” for h2con</li>
<li>[mod_h2] HTTP/2 module: mod_h2</li>
<li>[multiple] optimistic client read only if HTTP/1.x</li>
<li>[core] _WIN32 port compatibility headers</li>
<li>[core] _WIN32 impl of setenv(), unsetenv()</li>
<li>[multiple] _WIN32 protect code w/ HAVE_SYSLOG_H</li>
<li>[multiple] _WIN32 protect code w/ HAVE_FORK</li>
<li>[core] _WIN32 protect code w/ HAVE_IPV6</li>
<li>[multiple] _WIN32 protect code w/ HAVE_SYS_UN_H</li>
<li>[multiple] _WIN32 stat() compat sys-stat.h</li>
<li>[core] _WIN32 uid, gid compat</li>
<li>[core] _WIN32 signal-related compat</li>
<li>[multiple] _WIN32 misc compat</li>
<li>[core] _WIN32 minimal glob() impl for configfile.c</li>
<li>[core] _WIN32 use gmtime_s(), localtime_s()</li>
<li>[mod_dirlisting] _WIN32 Find*File()</li>
<li>[multiple] _WIN32 Find*File() sys-dirent.h</li>
<li>[core] _WIN32 sys-unistd.h to wrap &lt;unistd.h&gt;</li>
<li>[core] _WIN32 sys-wait.h to wrap &lt;sys/wait.h&gt;</li>
<li>[core] _WIN32 implementation of socketpair()</li>
<li>[core] _WIN32 fdevent_createprocess()</li>
<li>[core] _WIN32 socket-compat, filesystem-compat</li>
<li>[core] _WIN32 check WSAGetLastError() w/ sockets</li>
<li>[mod_cgi] _WIN32 use socketpair instead of pipe</li>
<li>[core] _WIN32 clock ticks and time</li>
<li>[core] _WIN32 alternative fdarray for Windows</li>
<li>[core] _WIN32 basic (very limited) getopt() impl</li>
<li>[tests] _WIN32 fcgi-responder.c, scgi-responder.c</li>
<li>[core] _WIN32 rename __WIN32 to _WIN32</li>
<li>[core] _WIN32 casts to quiet some VS warnings</li>
<li>[tests] _WIN32 use TMPDIR (or TEMP) for test files</li>
<li>[build] _WIN32 mingw build</li>
<li>[multiple] __MINGW32__ missing strftime() "%F %T"</li>
<li>[tests] _WIN32 adjustments in LightyTest.pm</li>
<li>[core] _WIN32 reset std streams at startup</li>
<li>[core] _WIN32 log_perror() with GetLastError()</li>
<li>[core] _WIN32 log_serror() for WSAGetLastError()</li>
<li>[core] _WIN32 use log_serror() for WSAGetLastError</li>
<li>[core] _WIN32 use rand_s() to init pseudo RNG</li>
<li>[core] _WIN32 fdevent_kill()</li>
<li>[multiple] _WIN32 use fdevent_kill()</li>
<li>[core] _WIN32 stat(), ‘/’ and ‘\\’ adjustments</li>
<li>[tests] _WIN32 cygwin test support</li>
<li>[mod_deflate] _WIN32 disable deflate.cache-dir</li>
<li>[mod_dirlisting] _WIN32 close files before unlink</li>
<li>[tests] _WIN32 close files before unlink</li>
<li>[core] _WIN32 close chunk temp files before unlink</li>
<li>[core] _WIN32 prefer WSAPoll()</li>
<li>[core] _WIN32 lighttpd winsvc</li>
<li>[core] _WIN32 custom fs funcs on UTF-8 paths</li>
<li>[core] _WIN32 scream UTF-8 at MS (does not matter)</li>
<li>[cmake] _WIN32 build more mods with BUILD_STATIC</li>
<li>[cmake] _WIN32 remove older build config</li>
<li>[core] _WIN32 use WSASend for writev-equiv on sock</li>
<li>[meson] static build option under cygwin</li>
<li>[build] _WIN32 __declspec(dllexport) *_plugin_init</li>
<li>[build] _WIN32 shared dll build (autotools, cmake)</li>
<li>[tests] _WIN32 skip time-sensitive tests during CI</li>
<li>[core] use posix_spawn() where available</li>
<li>[mod_cgi] comment about caching target dirname</li>
<li>[meson] update comment with build flags</li>
<li>[meson] check FORCE_{WOLFSSL,MBEDTLS}_CRYPTO</li>
<li>[mod_auth] warn if auth.require path never matches</li>
<li>[core] h1.[ch] collect some HTTP/1.x specific code</li>
<li>[core] noinline connection shutdown, reset</li>
<li>[TLS] $SERVER["socket"] inherit global ssl.engine</li>
<li>[mod_proxy] match "map-host-response" "-" w/ Host</li>
<li>[core] noinline stat_cache_sptree_find()</li>
<li>[core] rename http_kv funcs, reorder http_versions</li>
<li>[mod_cgi] move fd count to cgi_create_env()</li>
<li>[mod_cgi] reduce code size</li>
<li>[mod_cgi] do not issue trace if CGI closes input</li>
<li>[mod_cgi] cgi_create_err() cold err handling func</li>
<li>[core] always decr fd count upon socket close()</li>
<li>[mod_mbedtls] check MBEDTLS_DEBUG_C for debug func</li>
<li>[core] return pid_t from fdevent_waitpid()</li>
<li>[core] _WIN32 compile fix</li>
<li>[meson] build fix for builtin_mods</li>
<li>[core] move some shared funcs to call from modules</li>
<li>[build] move some files to call from modules</li>
<li>[mod_cgi] doubly-linked list of CGI pids</li>
<li>[mod_cgi] reuse fd already opened to /dev/null</li>
<li>[mod_cgi] reset upload_temp_file_size in CGI close</li>
<li>[tests] copy confs for running tests in alt dir</li>
<li>[scons] avoid dup mod_h2 module in static build</li>
<li>[autoconf] include fs_win32.h in hdrs for dpkg</li>
<li>[build] ifdef _WIN32 before include fs_win32.h</li>
<li>[mod_openssl] SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE</li>
<li>[mod_dirlisting] _WIN32 fix fstat() after close()</li>
<li>[core] quiet coverity warning</li>
<li>[mod_openssl] FreeBSD: check “kern.ipc.tls.enable”</li>
<li>[core] fix HTTP/2 use of http_response_loop()</li>
<li>[mod_openssl] check kernel support for KTLS</li>
<li>[core] posix_spawnattr_setcwd_np() on QNX</li>
<li>[core] posix_spawn_file_actions_addclosefrom_np()</li>
<li>[core] Mac OS POSIX_SPAWN_CLOEXEC_DEFAULT</li>
<li>[core] modify use of posix_spawnattr_setsigdefault</li>
<li>[mod_dirlisting] _WIN32 compile fix</li>
<li>[core] fdevent_load_file() check if limit exceeded</li>
<li>[tests] tests/prepare.sh comment w/ alt build root</li>
<li>[core] treat mod_h2 as built-in module (for now)</li>
</ul>
1.4.69 2023-02-10T00:00:00+00:00 http://www.lighttpd.net/2023/2/10/1.4.69/ gstrauss
<h2 id="important-changes">Important changes</h2>
<ul>
<li>bugfixes, portability</li>
</ul>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.69.tar.gz">lighttpd-1.4.69.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.69.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">657010184c4c470ad98944abbf0a8e2281800fa2bb1836c7a2cd4a8874e97b28</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.69.tar.xz">lighttpd-1.4.69.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.69.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">16ac8db95e719629ba61949b99f8a26feba946a81d185215b28379bb4116b0b4</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.69.sha256sum">SHA256 checksums</a></li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.69.sha512sum">SHA512 checksums</a></li>
</ul>
<h2 id="future-scheduled-behavior-changes">Future Scheduled Behavior Changes:</h2>
<ul>
<li>lighttpd 1.4.68 builds common modules into the lighttpd base executable.<br />
Separate dynamic modules are still built for the benefit of existing<br />
packaging scripts in various distributions, but those modules are not used.<br />
A future version of lighttpd will omit building separate modules for:<br />
mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile<br />
mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile</li>
</ul>
<h2 id="changes-from-1468">Changes from 1.4.68</h2>
<ul>
<li>[meson] remove t/test_mod_evasive.c</li>
<li>[doc] remove references to removed modules</li>
<li>[cmake] add doc/CMakeLists.txt to dist tar ball (<a href="https://redmine.lighttpd.net/issues/3181">#3181</a>)</li>
<li>[meson] add meson.build to install man pages (fixes <a href="https://redmine.lighttpd.net/issues/3181">#3181</a>)</li>
<li>[meson] fix typo in sbindir</li>
<li>[core] update ls-hpack</li>
<li>[cmake] remove -I/usr/include/mysql for mysql.h (<a href="https://redmine.lighttpd.net/issues/3181">#3181</a>)</li>
<li>[cmake] add -DWITH_LUA_VERSION= to specify lua ver (<a href="https://redmine.lighttpd.net/issues/3181">#3181</a>)</li>
<li>[cmake] use mysql_config cflags and ldflags (<a href="https://redmine.lighttpd.net/issues/3181">#3181</a>)</li>
<li>[cmake] do not link with fam if inotify or kqueue</li>
<li>[TLS] fix spurious warning trace (fixes <a href="https://redmine.lighttpd.net/issues/3182">#3182</a>)</li>
<li>[multiple] codespell: correct spelling in comments</li>
<li>[multiple] spelling: github action check-spelling</li>
<li>[lemon] upgrade LEMON parser to SQLite maint ver</li>
<li>[build] modify arguments to updated LEMON parser</li>
<li>[core] build configparser.y w/ -Werror workarounds</li>
<li>[lemon] fix -Wpedantic warnings for bad casts</li>
<li>[core] avoid accept4() on ARM unless detected</li>
<li>[cmake] use CMAKE_CURRENT_SOURCE_DIR</li>
<li>[cmake] SERVER_SRC variable</li>
<li>[multiple] quiet some coverity false positives</li>
<li>[cmake] use LIGHTTPD_MODULES_DIR as relative path (fixes <a href="https://redmine.lighttpd.net/issues/3185">#3185</a>)</li>
<li>[core] add missed h2 state transition (fixes <a href="https://redmine.lighttpd.net/issues/3186">#3186</a>)</li>
<li>[core] remove cygwin O_NOFOLLOW workaround</li>
<li>[multiple] clang -Wstrict-prototypes for C2x</li>
<li>[core] reset SIGUSR1 to SIG_DFL before execve()</li>
<li>[mod_webdav] modify OPTIONS response if no db cfg</li>
<li>[mod_webdav] MOD_WEBDAV_BUILD_MINIMAL preproc opt</li>
<li>[core] pass fdn to fdevent_sched_close,_unregister</li>
<li>[core] disable sendfile() on TARGET_OS_IPHONE</li>
<li>[core] iOS does not provide netinet/tcp_fsm.h</li>
<li>[core] move headers to help isolate fdevent layer</li>
<li>[core] avoid select() FD_ISSET repeat on active fds</li>
<li>[core] gw_backend more precise backend env alloc</li>
<li>[core] fdevent_poll_poll avoid potential race</li>
<li>[tests] quickly exit tests/request.t if GET / fail</li>
<li>[tests] adjust outdated opt in tests/lighttpd.conf</li>
<li>[autotools] add mod_evhost to static build list</li>
<li>[autotools] skip modules build if LIGHTTPD_STATIC</li>
<li>[mod_cgi] cygwin supports CGI file I/O redirection</li>
<li>[mod_dirlisting] use fdevent_rename() wrapper</li>
<li>[core] path-info in debug trace may be unset</li>
<li>[core] reset path-info for cgi.local-redir</li>
<li>[autotools] fix typo in -I used --with-pcre2=/path (fixes <a href="https://redmine.lighttpd.net/issues/3190">#3190</a>)</li>
<li>[mod_webdav] send 409 Conflict if PUT miss parent</li>
<li>[core] fix HTTP/2 HEADERS frame parsing bug</li>
<li>[core] remove extra HTTP/2 HEADERS frame len check</li>
</ul>
1.4.68 2023-01-03T00:00:00+00:00 http://www.lighttpd.net/2023/1/3/1.4.68/ gstrauss
<h2 id="important-changes">Important changes</h2>
<ul>
<li>stronger TLS defaults (as previously announced)</li>
<li>KTLS sendfile in mod_openssl and mod_gnutls, if available and enabled</li>
<li>removal of deprecated modules</li>
</ul>
<h2 id="behavior-changes-previously-announced">Behavior Changes (previously announced)</h2>
<ul>
<li>TLS modules now default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers.<br />
Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration.<br />
Legacy ciphers can still be configured in lighttpd.conf using <code class="language-plaintext highlighter-rouge">ssl.openssl.ssl-conf-cmd</code>, as long as the ciphers are supported by the underlying TLS libraries. <br />
Also see https://wiki.lighttpd.net/Docs_SSL
<ul>
<li>new defaults:
<ul>
<li><code class="language-plaintext highlighter-rouge">"CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"</code></li>
<li><code class="language-plaintext highlighter-rouge">"Options" => "-ServerPreference"</code></li>
</ul>
</li>
<li>old defaults:
<ul>
<li><code class="language-plaintext highlighter-rouge">"CipherString" => "HIGH"</code></li>
<li><code class="language-plaintext highlighter-rouge">"Options" => "ServerPreference"</code></li>
</ul>
</li>
</ul>
</li>
<li>Deprecated TLS options have been removed.
<ul>
<li>ssl.honor-cipher-order</li>
<li>ssl.dh-file</li>
<li>ssl.ec-curve</li>
<li>ssl.disable-client-renegotiation</li>
<li>ssl.use-sslv2</li>
<li>ssl.use-sslv3</li>
</ul>
See https://wiki.lighttpd.net/Docs_SSL for replacements with <code class="language-plaintext highlighter-rouge">ssl.openssl.ssl-conf-cmd</code>, but prefer lighttpd defaults instead.
</li>
<li>Continue gradual deprecation of “mini-application” lighttpd modules
for which mod_magnet lua implementations are better and more flexible.<br />
Please post on lighttpd forums to share feedback if you use these modules.<br />
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards</li>
<li>Deprecated: mod_evasive has been removed.<br />
mod_evasive can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive <br />
https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS <br />
https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security</li>
<li>Deprecated: mod_secdownload has been removed.<br />
mod_secdownload can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload <br />
mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available</li>
<li>Deprecated: mod_uploadprogress has been removed.<br />
mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress</li>
<li>Deprecated: mod_usertrack has been removed.<br />
mod_usertrack can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack <br />
mod_usertrack historically uses insecure MD5.</li>
</ul>
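The removals listed above can be checked against an existing lighttpd.conf before upgrading to 1.4.68. The following is an added example, not lighttpd project code: the sample configuration is constructed, the function names are hypothetical, and parsing is simplified (line-based, `#` comments, double-quoted strings only).

```python
"""Audit lighttpd.conf text for options and modules removed in lighttpd 1.4.68."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line kind name advice")

# TLS options the 1.4.68 release notes list as removed.
REMOVED_TLS_OPTIONS = {
    "ssl.honor-cipher-order", "ssl.dh-file", "ssl.ec-curve",
    "ssl.disable-client-renegotiation", "ssl.use-sslv2", "ssl.use-sslv3",
}
# Modules the 1.4.68 release notes list as removed.
REMOVED_MODULES = {
    "mod_evasive", "mod_secdownload", "mod_uploadprogress", "mod_usertrack",
}
OLD_DEFAULT_CIPHERS = "HIGH"
NEW_DEFAULT_CIPHERS = "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"

TLS_OPTION_RE = re.compile(r"(?<![\w.-])(ssl\.[\w.-]+)\s*(?:\+=|:=|=)")
MODULE_RE = re.compile(r'"(mod_\w+)"')
CIPHER_RE = re.compile(r'"CipherString"\s*=>\s*"([^"]*)"')


def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside double-quoted strings."""
    in_str = False
    i = 0
    while i < len(line):
        ch = line[i]
        if in_str and ch == "\\":
            i += 2          # skip the escaped character inside a string
            continue
        if ch == '"':
            in_str = not in_str
        elif ch == "#" and not in_str:
            return line[:i]
        i += 1
    return line


def audit(conf_text):
    """Return a list of Finding tuples for settings affected by 1.4.68."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = strip_comment(raw)
        for mod in MODULE_RE.findall(line):
            if mod in REMOVED_MODULES:
                findings.append(Finding(
                    lineno, "module", mod,
                    "removed in 1.4.68; replace with mod_magnet and lua: "
                    "https://wiki.lighttpd.net/ModMagnetExamples#lua-" + mod))
        for opt in TLS_OPTION_RE.findall(line):
            if opt in REMOVED_TLS_OPTIONS:
                findings.append(Finding(
                    lineno, "tls-option", opt,
                    "removed in 1.4.68; see https://wiki.lighttpd.net/Docs_SSL "
                    "for ssl.openssl.ssl-conf-cmd replacements, but prefer "
                    "lighttpd defaults"))
        for ciphers in CIPHER_RE.findall(line):
            if ciphers == OLD_DEFAULT_CIPHERS:
                findings.append(Finding(
                    lineno, "cipher", ciphers,
                    "pins the pre-1.4.68 default; the 1.4.68 default is "
                    + NEW_DEFAULT_CIPHERS))
    return findings


# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONF = '''\
# constructed sample
server.modules = ( "mod_access", "mod_evasive",   # rate limiting
                   "mod_openssl" )
#server.modules += ( "mod_usertrack" )
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/example.pem"
    ssl.use-sslv3 = "disable"
    ssl.honor-cipher-order = "enable"
    ssl.openssl.ssl-conf-cmd = ("CipherString" => "HIGH")
}
server.tag = "lighttpd #1"
'''

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f.line}: [{f.kind}] {f.name}: {f.advice}")
```

Included files are not followed, so run the audit over each file the main configuration includes.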
<h2 id="behavior-changes-not-previously-announced">Behavior Changes (not previously announced)</h2>
<ul>
<li>meson build: some opts have changed from type: ‘boolean’ to type: ‘feature’;
build scripts using -D with_example=true or =false need to change some opts<br />
to =enabled, =disabled, or =auto</li>
<li>mod_magnet: removed experimental lighty.r.req_attr["response.*"] accessors
(added in lighttpd 1.4.56 (2020) and replaced in lighttpd 1.4.65 (2022))
(see lighty.r.req_item.http_status and lighty.r.resp_body.* replacements)</li>
<li>remove libev fdevent option (ignore)<br />
lighttpd directly uses native OS event handlers</li>
</ul>
<h2 id="future-scheduled-behavior-changes">Future Scheduled Behavior Changes</h2>
<ul>
<li>lighttpd 1.4.68 builds common modules into the lighttpd base executable.<br />
Separate dynamic modules are still built for the benefit of existing packaging scripts in various distributions, but those modules are not used.<br />
A future version of lighttpd will omit building separate modules for:<br />
mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost mod_staticfile</li>
</ul>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.68.tar.gz">lighttpd-1.4.68.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.68.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">fa8515297cfa7273cf84be8c8d312d26ec272e28b41022f7dcb8ccef02a99c78</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.68.tar.xz">lighttpd-1.4.68.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.68.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">e56f37ae52b63e1ada4d76ce78005affb6e56eea2f6bdb0ce17d6d36e9583384</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.68.sha256sum">SHA256 checksums</a></li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.68.sha512sum">SHA512 checksums</a></li>
</ul>
<h2 id="changes-from-1467">Changes from 1.4.67</h2>
<ul>
<li>[cmake] compile lemon with native cc for x-compile</li>
<li>[cmake] install man pages with CMake</li>
<li>[cmake] let CMake handle the version number</li>
<li>[cmake] set LIGHTTPD_VERSION_ID per version</li>
<li>[meson] set LIGHTTPD_VERSION_ID per version</li>
<li>[meson] add missing meson_version</li>
<li>[meson] use feature options</li>
<li>[meson] turn pcre into a combo option</li>
<li>[meson] simplify header checking</li>
<li>[meson] add wrapdb instructions</li>
<li>[lighttpd-angel] waitpid after HUP before restart</li>
<li>[core] use inotify_init() if missing IN_* defines</li>
<li>[core] keep sockets w/ server.graceful-restart-bg</li>
<li>[TLS] ssl.openssl.ssl-conf-cmd “DHParameters”</li>
<li>[mod_wolfssl] check for cert must_staple</li>
<li>[mod_mbedtls] config renegotiation;not recommended</li>
<li>[mod_alias] fix typo in config error message</li>
<li>[mod_proxy,mod_cgi] fix dummy Sec-WebSocket-Key</li>
<li>[mod_wolfssl] cast to fix compile error</li>
<li>[TLS] try DER format if reading PEM format fails</li>
<li>[mod_openssl] libressl 3.6.0 ASN1_TIME_cmp_time_t</li>
<li>[mod_deflate] skip cache for Cache-Control: private,no-store</li>
<li>[mod_webdav] minor cleanups and adjustments</li>
<li>[core] http_response_body_clear clears body flags</li>
<li>[core] ignore server.max-worker = 1</li>
<li>[doc/scripts/cert-staple.sh] *BSD date portability</li>
<li>[doc/scripts/cert-staple.sh] short-circuit checks</li>
<li>[doc/scripts/cert-staple.sh] add copyright header</li>
<li>[meson] fix wrong array</li>
<li>[meson] replace most has_function calls with loop</li>
<li>[meson] use non string true/false</li>
<li>[meson] use files()</li>
<li>[meson] remove use of non-existent win32 xgetopt.c</li>
<li>[meson] update comment for opts w/ type ‘feature’</li>
<li>[core] fix crash for invalid lighttpd.conf (fixes <a href="https://redmine.lighttpd.net/issues/3175">#3175</a>)</li>
<li>[build] do not check for pthread.h</li>
<li>[cmake] use find_package() to include the PkgConfig module</li>
<li>[cmake] use GNUInstallDirs to set defaults for several directories</li>
<li>[cmake] use FindOpenSSL cmake module to search for OpenSSL</li>
<li>[cmake] remove wolfssl code that would already be handled by CMake</li>
<li>[cmake] improve searching for PostgreSQL</li>
<li>[cmake] remove needless arguments from xconfig macro</li>
<li>[cmake] prefer libpcre.pc over pcre-config</li>
<li>[cmake] use CMake’s provided FindZLIB</li>
<li>[cmake] use CMake’s provided FindBZip2</li>
<li>[cmake] remove path hints where CMake searches by default</li>
<li>[cmake] remove use of non-existent win32 xgetopt.c</li>
<li>[mod_openssl] mod_openssl_write_err() shared code</li>
<li>[mod_openssl] use SSL_sendfile() if KTLS available</li>
<li>[mod_gnutls] use gnutls_record_send_file() if KTLS</li>
<li>[TLS] handle ‘+’ on ssl-conf-cmd “Options”</li>
<li>[TLS] upgrade default cipher list to stronger set</li>
<li>[TLS] simplify TLS config; remove deprecated opts</li>
<li>[multiple] remove deprecated modules</li>
<li>[mod_magnet] remove lighty.r.req_attr["response.*"]</li>
<li>[core] remove libev fdevent option (ignore)</li>
<li>[core] _WIN32 impl of plugins_load()</li>
<li>[core] check for built-in plugins before dlopen</li>
<li>[core] build core modules into lighttpd executable</li>
<li>[core] reduce M_TOP_PAD to default on small system</li>
<li>[multiple] mark mod_*_plugin_init() funcs cold</li>
<li>[core] check ifndef NDEBUG before setting NDEBUG</li>
<li>[core] server_main_setup_signals() separate func</li>
<li>[core] server_main_setup_workers() separate func</li>
<li>[core] server_main_setup() variable scoping</li>
<li>[core] ck_calloc() ck_malloc() ck_realloc_u32()</li>
<li>[multiple] employ ck_realloc_u32() shared code</li>
<li>[core] mark gw_proc_free() cold</li>
<li>[core] use data_config_list for config</li>
<li>[build] omit unused vector.[ch] from build</li>
<li>[mod_wstunnel] store value in tmp before byteswap</li>
<li>[core] log_buffer_vsprintf tweaks</li>
<li>[multiple] employ ck_calloc, ck_malloc shared code</li>
<li>[core] create non-inlined vector_resize()</li>
<li>[lighttpd-angel] remove unused includes</li>
<li>[core] chunk.c tweaks</li>
<li>[core] config_check_cond_nocache_eval() tweak</li>
<li>[mod_openssl] CLOSE_NOTIFY handling with KTLS</li>
<li>[mod_wolfssl] match mod_openssl CLOSE_NOTIFY</li>
<li>[core] ignore config dir-listing.* if not enabled</li>
<li>[doc] default lighttpd.conf: omit server.use-ipv6</li>
<li>[lighttpd-angel] simplify</li>
<li>[tests] disable auth.delay-invalid-creds for tests</li>
<li>[mod_deflate] “deflate” should include zlib header</li>
<li>[tests] fix “deflate” tests for added zlib header</li>
<li>[tests] disable Nagle on client, remove sleeps</li>
<li>[core] save ptr to avoid static analyzer realloc warn</li>
<li>[core] wrap server_main_setup_workers w/ HAVE_FORK</li>
<li>[core] temporarily disable O_NOFOLLOW on Cygwin</li>
</ul>
1.4.67 2022-09-17T00:00:00+00:00 http://www.lighttpd.net/2022/9/17/1.4.67/ gstrauss
<h2 id="important-changes">Important changes</h2>
<p>bugfixes</p>
<h2 id="future-scheduled-behavior-changes">Future Scheduled Behavior Changes</h2>
<ul>
<li>TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using <code class="language-plaintext highlighter-rouge">ssl.openssl.ssl-conf-cmd</code>, as long as the ciphers are supported by the underlying TLS libraries.<br />
https://wiki.lighttpd.net/Docs_SSL
<ul>
<li>new defaults:
<ul>
<li><code class="language-plaintext highlighter-rouge">"CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"</code></li>
<li><code class="language-plaintext highlighter-rouge">"Options" => "-ServerPreference"</code></li>
</ul>
</li>
<li>old defaults:
<ul>
<li><code class="language-plaintext highlighter-rouge">"CipherString" => "HIGH"</code></li>
<li><code class="language-plaintext highlighter-rouge">"Options" => "ServerPreference"</code></li>
</ul>
</li>
</ul>
</li>
<li>Deprecated TLS options will be removed.
<ul>
<li>ssl.honor-cipher-order</li>
<li>ssl.dh-file</li>
<li>ssl.ec-curve</li>
<li>ssl.disable-client-renegotiation</li>
<li>ssl.use-sslv2</li>
<li>ssl.use-sslv3</li>
</ul>
See https://wiki.lighttpd.net/Docs_SSL for replacements with <code class="language-plaintext highlighter-rouge">ssl.openssl.ssl-conf-cmd</code>, but prefer lighttpd defaults instead.
</li>
<li>Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.<br />
Please post on lighttpd forums to share feedback if you use these modules.<br />
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards</li>
<li>Deprecated: mod_evasive will be removed.<br />
mod_evasive can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive <br />
https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS <br />
https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security</li>
<li>Deprecated: mod_secdownload will be removed.<br />
mod_secdownload can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload <br />
mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available</li>
<li>Deprecated: mod_uploadprogress will be removed.<br />
mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress</li>
<li>Deprecated: mod_usertrack will be removed.<br />
mod_usertrack can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack <br />
mod_usertrack historically uses insecure MD5.</li>
</ul>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.67.tar.gz">lighttpd-1.4.67.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.67.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">de3c783a0ec3459e7e36a5ef08e13482d8640b339570dd036dfd456a6f7bb312</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.67.tar.xz">lighttpd-1.4.67.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.67.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">7e04d767f51a8d824b32e2483ef2950982920d427d1272ef4667f49d6f89f358</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.67.sha256sum">SHA256 checksums</a></li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.67.sha512sum">SHA512 checksums</a></li>
</ul>
<h2 id="changes-from-1466">Changes from 1.4.66</h2>
<ul>
<li>Update comment about TCP_INFO on OpenBSD</li>
<li>[mod_ajp13] fix crash with bad response headers (fixes <a href="https://redmine.lighttpd.net/issues/3170">#3170</a>)</li>
<li>[core] handle RDHUP when collecting chunked body</li>
<li>[core] tweak streaming request body to backends</li>
<li>[core] handle ENOSPC with pwritev() (<a href="https://redmine.lighttpd.net/issues/3171">#3171</a>)</li>
<li>[core] manually calculate off_t max (fixes <a href="https://redmine.lighttpd.net/issues/3171">#3171</a>)</li>
<li>[autoconf] force large file support (<a href="https://redmine.lighttpd.net/issues/3171">#3171</a>)</li>
<li>[multiple] quiet coverity warnings using casts</li>
<li>[meson] add license keyword to project declaration</li>
</ul>
1.4.66 2022-08-07T00:00:00+00:00 http://www.lighttpd.net/2022/8/7/1.4.66/ gstrauss
<h2 id="important-changes">Important changes</h2>
<p>bugfixes</p>
<h2 id="future-scheduled-behavior-changes">Future Scheduled Behavior Changes</h2>
<ul>
<li>TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using <code class="language-plaintext highlighter-rouge">ssl.openssl.ssl-conf-cmd</code>, as long as the ciphers are supported by the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
<ul>
<li>new defaults:
<ul>
<li><code class="language-plaintext highlighter-rouge">"CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"</code></li>
<li><code class="language-plaintext highlighter-rouge">"Options" => "-ServerPreference"</code></li>
</ul>
</li>
<li>old defaults:
<ul>
<li><code class="language-plaintext highlighter-rouge">"CipherString" => "HIGH"</code></li>
<li><code class="language-plaintext highlighter-rouge">"Options" => "ServerPreference"</code></li>
</ul>
</li>
</ul>
</li>
<li>Deprecated TLS options will be removed.
<ul>
<li>ssl.honor-cipher-order</li>
<li>ssl.dh-file</li>
<li>ssl.ec-curve</li>
<li>ssl.disable-client-renegotiation</li>
<li>ssl.use-sslv2</li>
<li>ssl.use-sslv3</li>
</ul>
See https://wiki.lighttpd.net/Docs_SSL for replacements with <code class="language-plaintext highlighter-rouge">ssl.openssl.ssl-conf-cmd</code>, but prefer lighttpd defaults instead.
</li>
<li>Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.<br />
Please post on lighttpd forums to share feedback if you use these modules.<br />
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards</li>
<li>Deprecated: mod_evasive will be removed.<br />
mod_evasive can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive <br />
https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS <br />
https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security</li>
<li>Deprecated: mod_secdownload will be removed.<br />
mod_secdownload can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload <br />
mod_secdownload historically uses insecure MD5, though SHA1 and SHA256 are available.</li>
<li>Deprecated: mod_uploadprogress will be removed.<br />
mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress</li>
<li>Deprecated: mod_usertrack will be removed.<br />
mod_usertrack can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack <br />
mod_usertrack historically uses insecure MD5.</li>
</ul>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.gz">lighttpd-1.4.66.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">d919c3f9031e2580b94b311a3749eaa1e3b4a6a57b2d5c4cbcad40c0a73a7200</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.xz">lighttpd-1.4.66.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">47ac6e60271aa0196e65472d02d019556dc7c6d09df3b65df2c1ab6866348e3b</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.sha256sum">SHA256 checksums</a></li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.sha512sum">SHA512 checksums</a></li>
</ul>
<h2 id="changes-from-1465">Changes from 1.4.65</h2>
<ul>
<li>[core] h2: optim: send window update in 16k units</li>
<li>[mod_magnet] reset for http-response-send-file</li>
<li>[multiple] fix json encoding</li>
<li>[core] buffer_append_bs_escaped_json()</li>
<li>[autoconf] update ax_prog_cc_for_build.m4</li>
<li>[doc] add libdeflate to INSTALL</li>
<li>[mod_webdav] cold func if xml reqbody w/o db conf</li>
<li>[mod_webdav] check reqbody Content-Type is XML</li>
<li>[doc] more consistent use of vars in examples</li>
<li>[core] do not load indexfile, dirlisting if unused</li>
<li>[mod_dirlisting] send ETag, Cache-Control w/ cache</li>
<li>[mod_openssl] compile compat w/ openssl < 1.1.0</li>
<li>[mod_webdav] webdav_reqbody_type_xml() fixes</li>
<li>[core] clarify server.username = “root” error msg</li>
<li>[mod_wolfssl] compat with older wolfssl versions</li>
<li>[core] fix li_base64_dec() on whitespace</li>
<li>[core] perf tweak buffer_eq_icase_ssn()</li>
<li>[mod_deflate] fix use of libdeflate for files>128k (fixes <a href="https://redmine.lighttpd.net/issues/3161">#3161</a>)</li>
<li>[core] fix buffer_substr_replace() extend (fixes <a href="https://redmine.lighttpd.net/issues/3160">#3160</a>)</li>
<li>[mod_webdav] build with Android NDK</li>
<li>[core] check r->http_status before handling Range</li>
<li>[core] preprocessor option to force crypto lib</li>
<li>[core] fix SIGUSR1 graceful restart w/ TLS (fixes <a href="https://redmine.lighttpd.net/issues/3164">#3164</a>)</li>
<li>[mod_authn_gssapi] warn if no confidentiality flag (fixes <a href="https://redmine.lighttpd.net/issues/3163">#3163</a>)</li>
<li>[mod_wstunnel] fix crash with bad hybivers (fixes <a href="https://redmine.lighttpd.net/issues/3165">#3165</a>)</li>
<li>[core] perf: adjust max h2 stream send increment</li>
<li>[core] fix HTTP/2 downloads >= 4GiB (fixes <a href="https://redmine.lighttpd.net/issues/3166">#3166</a>)</li>
</ul>
<p>1.4.65 | 2022-06-07T00:00:00+00:00 | http://www.lighttpd.net/2022/6/7/1.4.65/ | gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<p>WebSockets over HTTP/2, bugfixes</p>
<h2 id="highlights">Highlights</h2>
<ul>
<li>WebSockets over HTTP/2<br />
RFC 8441 Bootstrapping WebSockets with HTTP/2</li>
<li>HTTP/2 PRIORITY_UPDATE<br />
RFC 9218 Extensible Prioritization Scheme for HTTP</li>
<li>prefix/suffix conditions in lighttpd.conf</li>
<li>mod_webdav safe partial-PUT<br />
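<code class="language-plaintext highlighter-rouge">webdav.opts += ("partial-put-copy-modify" => "enable")</code></li>
<li>mod_accesslog option: <code class="language-plaintext highlighter-rouge">accesslog.escaping = "json"</code></li>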
<li>mod_deflate libdeflate build option</li>
<li>speed up request body uploads via HTTP/2</li>
</ul>
<h2 id="behavior-changes">Behavior Changes</h2>
<ul>
<li>change default server.max-keep-alive-requests = 1000 to adjust to increasing HTTP/2 usage and to web2/web3 application usage (prior default was 100)</li>
<li>mod_status HTML now includes HTTP/2 control stream id 0 in the output which contains aggregate counts for the HTTP/2 connection<br />
(These lines can be identified with URL ‘*’, part of “PRI *” preface)<br />
alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status</li>
<li>MIME type application/javascript is translated to text/javascript (RFC 9239)</li>
</ul>
<h2 id="future-scheduled-behavior-changes">Future Scheduled Behavior Changes</h2>
<ul>
<li>TLS modules will default to using stronger, modern ciphers and will default to allow client preference in selecting ciphers. Allowing client preference in selecting ciphers is safe to do along with restrictions to use modern ciphers supporting PFS, and is better for mobile users without AES hardware acceleration. Legacy ciphers can still be configured in lighttpd.conf using <code class="language-plaintext highlighter-rouge">ssl.openssl.ssl-conf-cmd</code>, as long as the ciphers are supported by the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
<ul>
<li>new defaults:
<ul>
<li><code class="language-plaintext highlighter-rouge">"CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"</code></li>
<li><code class="language-plaintext highlighter-rouge">"Options" => "-ServerPreference"</code></li>
</ul>
</li>
<li>old defaults:
<ul>
<li><code class="language-plaintext highlighter-rouge">"CipherString" => "HIGH"</code></li>
<li><code class="language-plaintext highlighter-rouge">"Options" => "ServerPreference"</code></li>
</ul>
</li>
</ul>
</li>
<li>Deprecated TLS options will be removed.
<ul>
<li>ssl.honor-cipher-order</li>
<li>ssl.dh-file</li>
<li>ssl.ec-curve</li>
<li>ssl.disable-client-renegotiation</li>
<li>ssl.use-sslv2</li>
<li>ssl.use-sslv3</li>
</ul>
See https://wiki.lighttpd.net/Docs_SSL for replacements with <code class="language-plaintext highlighter-rouge">ssl.openssl.ssl-conf-cmd</code>, but prefer lighttpd defaults instead.
</li>
<li>Continue gradual deprecation of “mini-application” lighttpd modules for which mod_magnet lua implementations are better and more flexible.<br />
Please post on lighttpd forums to share feedback if you use these modules.<br />
Forums: https://redmine.lighttpd.net/projects/lighttpd/boards</li>
<li>Deprecated: mod_evasive will be removed.<br />
mod_evasive can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive <br />
https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS <br />
https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security</li>
<li>Deprecated: mod_secdownload will be removed.<br />
mod_secdownload can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload <br />
mod_secdownload historically uses insecure MD5, though SHA1 and SHA256 are available.</li>
<li>Deprecated: mod_uploadprogress will be removed.<br />
mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress</li>
<li>Deprecated: mod_usertrack will be removed.<br />
mod_usertrack can be replaced by mod_magnet and a few lines of lua:<br />
Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack <br />
mod_usertrack historically uses insecure MD5.</li>
</ul>
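<p>An added example (not lighttpd project code): a small Python check that scans a lighttpd.conf for the deprecated TLS options and the deprecated or removed modules named in these release notes, and for <code class="language-plaintext highlighter-rouge">ssl.openssl.ssl-conf-cmd</code> values that pin the old defaults. The function names, finding labels and sample configuration are assumptions constructed for illustration.</p>

```python
import re

# TLS directives these release notes list as deprecated and scheduled for removal.
DEPRECATED_TLS = {
    "ssl.honor-cipher-order", "ssl.dh-file", "ssl.ec-curve",
    "ssl.disable-client-renegotiation", "ssl.use-sslv2", "ssl.use-sslv3",
}
# "Mini-application" modules the notes schedule for replacement by mod_magnet.
DEPRECATED_MODULES = {
    "mod_evasive", "mod_secdownload", "mod_uploadprogress", "mod_usertrack",
}
# Modules the 1.4.64 notes list as already removed.
REMOVED_MODULES = {
    "mod_authn_mysql", "mod_mysql_vhost", "mod_cml",
    "mod_flv_streaming", "mod_geoip", "mod_trigger_b4_dl",
}

# An unquoted ssl.* name followed by an assignment operator.
DIRECTIVE_RE = re.compile(r'(?<![\w.-])(ssl\.[\w.-]+)\s*(?:\+=|:=|=)')
QUOTED_RE = re.compile(r'"([^"]*)"')
KV_RE = re.compile(r'"(CipherString|Options)"\s*=>\s*"([^"]*)"')


def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside double-quoted strings."""
    in_quotes = False
    escaped = False
    for i, ch in enumerate(line):
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            return line[:i]
    return line


def audit(conf_text):
    """Return a list of (line number, finding label, offending item)."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = strip_comment(raw)

        # Deprecated ssl.* directives, wherever they appear on the line.
        for m in DIRECTIVE_RE.finditer(line):
            if m.group(1) in DEPRECATED_TLS:
                findings.append((lineno, "deprecated-tls-option", m.group(1)))

        # Module names appear as quoted strings, e.g. inside server.modules.
        for name in QUOTED_RE.findall(line):
            if name in REMOVED_MODULES:
                findings.append((lineno, "removed-module", name))
            elif name in DEPRECATED_MODULES:
                findings.append((lineno, "deprecated-module", name))

        # ssl-conf-cmd pairs that pin the old defaults quoted in the notes.
        for key, value in KV_RE.findall(line):
            if key == "CipherString" and value == "HIGH":
                findings.append((lineno, "old-default-cipherstring", value))
            elif key == "Options":
                # OpenSSL "Options" is a comma-separated list; a leading '-'
                # disables a flag, a bare name or '+' enables it.
                for token in (t.strip() for t in value.split(",")):
                    if token.lstrip("+") == "ServerPreference":
                        findings.append(
                            (lineno, "old-default-server-preference", token))
    return findings


# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONF = """\
server.modules = ( "mod_access", "mod_openssl", "mod_evasive", "mod_geoip" )
# ssl.use-sslv2 = "enable"   (commented out: must not be reported)
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/example.pem"   # constructed path
    ssl.honor-cipher-order = "enable"
    ssl.use-sslv3 = "disable"
    ssl.openssl.ssl-conf-cmd = ("CipherString" => "HIGH",
                                "Options" => "ServerPreference")
}
"""

if __name__ == "__main__":
    for lineno, label, item in audit(SAMPLE_CONF):
        print(f"line {lineno}: {label}: {item}")
```

<p>A configuration that sets no TLS cipher options at all, or that sets the new defaults explicitly, produces no findings.</p>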
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.65.tar.gz">lighttpd-1.4.65.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.65.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">396bdbe28e77cf68ffbc914e0280e4f3c6b42574277ccb7f776d572fdddea6d0</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.65.tar.xz">lighttpd-1.4.65.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.65.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">bf0fa68a629fbc404023a912b377e70049331d6797bcbb4b3e8df4c3b42328be</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.65.sha256sum">SHA256 checksums</a></li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.65.sha512sum">SHA512 checksums</a></li>
</ul>
<h2 id="changes-from-1464">Changes from 1.4.64</h2>
<ul>
<li>[build] meson: fix typo in variable name</li>
<li>[build] autoconf: report if building with zstd</li>
<li>[build] meson -Dlua_version=… to specify lua ver</li>
<li>[core] avoid CCRandomGenerateBytes on MacOS <10.12 (fixes <a href="https://redmine.lighttpd.net/issues/3140">#3140</a>)</li>
<li>[core] use diff var name w/ CCRandomGenerateBytes (fixes <a href="https://redmine.lighttpd.net/issues/3141">#3141</a>)</li>
<li>[core] parse conf cmds with SHELL or /bin/sh</li>
<li>[core] fix HMAC with openssl 3.0</li>
<li>[mod_webdav] no COPYFILE_CLONE_FORCE on OSX <10.12 (fixes <a href="https://redmine.lighttpd.net/issues/3142">#3142</a>)</li>
<li>[mod_deflate] fix to return 304 with If-None-Match (fixes <a href="https://redmine.lighttpd.net/issues/3143">#3143</a>)</li>
<li>[core] Illumos epoll incompatible w/ lighttpd impl</li>
<li>[core] feature flag to allow Range w/ HTTP/1.0</li>
<li>[mod_mbedtls] set usekeysize for mbedtls 3.2.0+</li>
<li>[mod_deflate] collect mmap code</li>
<li>[mod_deflate] prototype using libdeflate w/ mmap</li>
<li>[mod_deflate] --with-libdeflate to use libdeflate</li>
<li>[mod_deflate] mark input bytes const</li>
<li>[core] sys-setjmp.[ch]</li>
<li>[mod_magnet] check lighty.result.content b4 setjmp</li>
<li>[core] include guard consistency in sys-time.h</li>
<li>[core] network_write_file_chunk_remap separate fn</li>
<li>[multiple] use new sys_setjmp_eval3() interface</li>
<li>[multiple] pedantic chunk.c checks for 0-len chunk</li>
<li>[multiple] shared code for struct chunk and mmap</li>
<li>[mod_deflate] use pread if available</li>
<li>[mod_deflate] improve loop compressing file chunk</li>
<li>[core] prep server_tag at startup for h2 resp hdr</li>
<li>[mod_magnet] defer req_env init unless needed</li>
<li>[mod_magnet] reset after error attaching content</li>
<li>[mod_magnet] lua_tointegerx() avoids raising error</li>
<li>[mod_mbedtls] use newer mbedtls 3.2.0+ interfaces</li>
<li>[mod_magnet] adjust hot path for more inlining</li>
<li>[mod_magnet] collect chk for magnet lua_State init</li>
<li>[mod_magnet] use type returned from lua_getfield()</li>
<li>[core] chunk_file_pread() to wrap pread()</li>
<li>[core] disable keep-alive if forcing HTTP/1.0 resp</li>
<li>[mod_magnet] use lua_getextraspace() to store r</li>
<li>[core] fall back to getauxval(AT_RANDOM), if avail</li>
<li>[mod_magnet] keep message handler on stack</li>
<li>[doc] update external links</li>
<li>[mod_magnet] pass lighty table index, defer pops</li>
<li>[mod_magnet] clear and reuse script-env table</li>
<li>[mod_magnet] clear stack when reloading script</li>
<li>[mod_magnet] use lua_isnoneornil() in interfaces</li>
<li>[mod_magnet] fix lighty.c.cookie_tokens()</li>
<li>[mod_magnet] fix lighty.c.urldec_query()</li>
<li>[mod_magnet] remove duplicated NULL checks</li>
<li>[mod_magnet] adjust magnet_lighty_result_get()</li>
<li>[mod_magnet] magnet_tmpbuf_acquire(),release()</li>
<li>[mod_magnet] lighty.c.quotedenc(),dec() funcs</li>
<li>[mod_magnet] fix header,content legacy table clear</li>
<li>[mod_cgi] cgi.local-redir request_reset thru fnptr</li>
<li>[core] isolate plugins_*() funcs to main server</li>
<li>[mod_wolfssl] wolfssl v5.0.0 defines DH_set0_pqg()</li>
<li>[mod_auth] save letter-case diff in require config</li>
<li>[mod_magnet] magnet_push_quoted_string shared code</li>
<li>[mod_magnet] lighty.c.header_tokens convenience fn</li>
<li>[core] fill in un.sun_path after accept() (fixes <a href="https://redmine.lighttpd.net/issues/3147">#3147</a>)</li>
<li>[mod_extforward] adjust trust check for HTTP/2</li>
<li>[mod_proxy] adjust handling of legacy X-* headers</li>
<li>[core] permit env w/ blank value (fix regression)</li>
<li>[TLS] consistent debug.log-ssl-noise config type</li>
<li>[mod_magnet] allow removal of req_env elt via nil</li>
<li>[core] compiler workarounds for very old gcc,glibc</li>
<li>[mod_mbedtls] use newer mbedtls 3.2.0+ interfaces</li>
<li>[mod_ssi] check http_chunk_transfer_cqlen for err</li>
<li>[core] chunkqueue_steal() handle unexpected 0 len</li>
<li>[core] discard DATA from REFUSED_STREAM at h2 init</li>
<li>[multiple] WebSockets over HTTP/2 (fixes <a href="https://redmine.lighttpd.net/issues/3151">#3151</a>)</li>
<li>[multiple] immed connect to backend for streaming</li>
<li>[core] ensure socket ready before checking connect</li>
<li>[core] reduce trace on Upgrade backend connection</li>
<li>[core] adjust when TCP_CORK used on TLS connection</li>
<li>[mod_cgi] disable input optim if might Upgrade</li>
<li>[mod_cgi] immed start CGI if Upgrade</li>
<li>[mod_wolfssl] wolfssl v5.0.0 adds ASN1_TIME_diff()</li>
<li>[mod_openssl] libressl v3.5.0 adds ASN1_TIME_diff</li>
<li>[TLS] warn if leaf cert read is inactive/expired</li>
<li>[core] stricter conformance w/ upcoming HTTP/2 rev</li>
<li>[build] -D_DEFAULT_SOURCE consistency in builds</li>
<li>[mod_extforward] support addtl IPv6 syntax w/ “[]”</li>
<li>[core] build fix for cygwin and lmingw</li>
<li>[core] short-circuit earlier parsing h2 trailers</li>
<li>[core] reformat h2.h for cleaner enum additions</li>
<li>[core] consolidate trace for log-state-handling</li>
<li>[core] request_config bitmasks for smaller struct</li>
<li>[core] prefix (=^), suffix (=$) config conditions (fixes <a href="https://redmine.lighttpd.net/issues/3153">#3153</a>)</li>
<li>[core] tighten config parsing loop</li>
<li>[core] convert simple config cond regex to pre/sfx</li>
<li>[tests] able to run tests when built w/o pcre</li>
<li>[core] allow redirect,rewrite ext subst w/o pcre</li>
<li>[mod_sockproxy] reset http vers, avoid rare crash (fixes <a href="https://redmine.lighttpd.net/issues/3152">#3152</a>)</li>
<li>[core] HTTP/2 PRIORITY_UPDATE frame (experimental)</li>
<li>[core] send HTTP/2 SETTINGS_NO_RFC7540_PRIORITIES</li>
<li>[core] stricter check of HTTP/2 GOAWAY frame size</li>
<li>[mod_mbedtls] use newer mbedtls 3.2.0+ interfaces</li>
<li>[mod_webdav] opt for partial PUT via copy/rename</li>
<li>[core] quiet compiler warning</li>
<li>[multiple] recognize HTTP QUERY method</li>
<li>[multiple] limit scope of socket config options</li>
<li>[core] fix config typo reading large int from str</li>
<li>[core] h2 prio sort urgency, incr, then stream id</li>
<li>[core] send Priority resp hdr w/ .css, .js re-prio</li>
<li>[multiple] reset http vers, avoid rare crash (fixes <a href="https://redmine.lighttpd.net/issues/3152">#3152</a>)</li>
<li>[core] delay response to http auth invalid creds</li>
<li>[core] connection_state_machine_h2 only if con->h2</li>
<li>[core] default server.max-keep-alive-requests 1000</li>
<li>[mod_magnet] set script env in func first upvalue</li>
<li>[mod_magnet] rewrite lighty.r as table of userdata</li>
<li>[mod_status] con->h2 instead of r->http_version</li>
<li>[mod_setenv] cleanup user-provided hdr sloppiness</li>
<li>[core] remove func decls duplicated in plugin.h</li>
<li>[mod_status] fix counting of HTTP/2 bytes written</li>
<li>[mod_magnet] no local server port on unix domain</li>
<li>[mod_extforward] unix domain socket pedantic chks</li>
<li>[core] sketch support for abstract sockets</li>
<li>[mod_magnet] magnet_plugin_stats_table() fn</li>
<li>[mod_magnet] magnet_script_setup_global_state() fn</li>
<li>[mod_magnet] lighty.server.* table w/ new function</li>
<li>[mod_accesslog] do not double-count hdr len in %I</li>
<li>[mod_magnet] reduce magnet_env_get_id() scanning</li>
<li>[mod_magnet] tighten magnet_env_get_buffer_by_id()</li>
<li>[mod_status] reusable code for r->state strings</li>
<li>[core] reusable code for r->state strings</li>
<li>[mod_magnet] expose r->state to lua scripts</li>
<li>[mod_magnet] tighten magnet_env_set()</li>
<li>[mod_magnet] lighty.r.req_item[] accessors</li>
<li>[mod_magnet] expose r->keep_alive to lua scripts</li>
<li>[mod_magnet] lighty.c.hrtime high-resolution time</li>
<li>[mod_magnet] lighty.r.resp_body.get</li>
<li>[mod_magnet] deprecate r.req_attr[“response.*]</li>
<li>[mod_magnet] separate funcs for uri_path_raw</li>
<li>[mod_magnet] lighty.c.stat high precision time</li>
<li>[mod_magnet] format multiline err traceback</li>
<li>[mod_magnet] adjust p->conf.stage checks</li>
<li>[mod_magnet] further isolate legacy API result tbl</li>
<li>[core] buffer_append_char() convenience func</li>
<li>[mod_accesslog] accesslog.escaping = "json"</li>
<li>[multiple] use buffer_append_char()</li>
<li>[mod_accesslog] remove begin/end tags from %{}t</li>
<li>[core] fix configparser_simplify_regex() comment</li>
<li>[multiple] simplify bytes_in/bytes_out accounting</li>
<li>[mod_accesslog] reorder fields in switch()</li>
<li>[core] remove unused srv->con_* counters</li>
<li>[mod_magnet] read-only access to r->server_name</li>
<li>[core] buffer_append_bs_escaped()</li>
<li>[core] buffer_append_string_c_escaped ASCII optim</li>
<li>[mod_magnet] backspace-escape encode/decode</li>
<li>[mod_status] display HTTP/2 control stream w/ reqs</li>
<li>[multiple] use preferred syntax for Content-Type</li>
<li>[doc] regenerate doc/config/conf.d/mime.conf</li>
<li>[multiple] rename status_counter -> plugin_stats</li>
<li>[core] feature-flag server.metrics-high-precision</li>
<li>[mod_magnet] quiet coverity false positive</li>
<li>[mod_wolfssl] compile fix for OpenWRT</li>
<li>[mod_webdav] If-None-Match: * on non-existent</li>
<li>[mod_magnet] r.req_body .collect .get .set .add</li>
<li>[mod_cgi] fix detection of failing error handler (fixes <a href="https://redmine.lighttpd.net/issues/3157">#3157</a>)</li>
<li>[core] “url-invalid-utf8-reject” normalization opt</li>
<li>[mod_magnet] skip req body collect warn if modsec3</li>
<li>[build] update descriptions to remove old lua ver</li>
<li>[core] use current dir if context->basedir blank</li>
<li>[multiple] application/javascript text/javascript</li>
<li>[core] reset internal flags after graceful restart</li>
<li>[TLS] inherit ssl.engine from global scope</li>
<li>[core] avoid server.use-ipv6 warning after SIGUSR1</li>
<li>[mod_webdav] alt handling PROPFIND on collection</li>
<li>[mod_mbedtls] fix crt chain construction logic</li>
<li>[core] h2 SETTINGS_INITIAL_WINDOW_SIZE 64k (fixes <a href="https://redmine.lighttpd.net/issues/3089">#3089</a>)</li>
<li>[core] increase session window size to 256k</li>
<li>[core] h2: avoid sending small WINDOW_UPDATE frames</li>
<li>[core] h2: avoid sending tiny DATA frames</li>
<li>[core] update cached tables with Priority header</li>
<li>[tests] test stubs for http_header.c and http_kv.c</li>
</ul>
<p>1.4.64 | 2022-01-19T00:00:00+00:00 | http://www.lighttpd.net/2022/1/19/1.4.64/ | gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<ul>
<li>remove deprecated modules, bugfixes, CVE-2022-22707 (rare configs)</li>
</ul>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.64.tar.gz">lighttpd-1.4.64.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.64.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">71e46403fb28371a06b23ef1cceffd75285140c6f62a879c777ee5af0d248801</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.64.tar.xz">lighttpd-1.4.64.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.64.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">e1489d9fa7496fbf2e071c338b593b2300d38c23f1e5967e52c9ef482e1b0e26</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.64.sha256sum">SHA256 checksums</a></li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.64.sha512sum">SHA512 checksums</a></li>
</ul>
<h2 id="behavior-changes">Behavior Changes</h2>
<p>(previously announced and scheduled)</p>
<ul>
<li>graceful restart/shutdown timeout changed from 0 (disabled) to 8 seconds<br />
configure an alternative with:<br />
<code class="language-plaintext highlighter-rouge">server.feature-flags += ("server.graceful-shutdown-timeout" => 8)</code></li>
<li>build: lighttpd defaults to --with-pcre2 instead of --with-pcre<br />
pcre2 is current. pcre is no longer maintained.<br />
Explicitly specify --with-pcre in build to use pcre instead of pcre2.</li>
<li>deprecated modules (previously announced) have been removed
<ul>
<li>mod_authn_mysql</li>
<li>mod_mysql_vhost</li>
<li>mod_cml</li>
<li>mod_flv_streaming</li>
<li>mod_geoip</li>
<li>mod_trigger_b4_dl</li>
</ul>
https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated suggests migration steps for replacements, if needed.
</li>
</ul>
<h2 id="changes-from-1463">Changes from 1.4.63</h2>
<ul>
<li>[core] fix trace issued for loading mod_auth (fixes <a href="https://redmine.lighttpd.net/issues/3121">#3121</a>)</li>
<li>[meson] need -lrt with glibc < 2.17 (fixes <a href="https://redmine.lighttpd.net/issues/3120">#3120</a>)</li>
<li>[core] adjust time jump detection (fixes <a href="https://redmine.lighttpd.net/issues/3123">#3123</a>)</li>
<li>[core] make setrlimit() warn, not fatal</li>
<li>[core] add remote IP to some error msgs (fixes <a href="https://redmine.lighttpd.net/issues/3122">#3122</a>)</li>
<li>[mod_webdav] If-None-Match on non-existent entity</li>
<li>[build] check getxattr before attr_get and -lattr</li>
<li>[doc] SELinux: setsebool -P httpd_setrlimit on</li>
<li>[build] create sha512sum file with release</li>
<li>[build] CI builds now use make -j 2</li>
<li>[core] http_response_send_file() takes const path</li>
<li>[core] use ETag response header to check cachable</li>
<li>[core] add more const to stat_cache_update_entry()</li>
<li>[multiple] remove r->physical.etag</li>
<li>[mod_magnet] interface to http_response_send_file</li>
<li>[build] add headers for sendfile() detect on MacOS</li>
<li>[core] http_response_write_prepare optimization</li>
<li>[core] define static_assert for uClibc (fixes <a href="https://redmine.lighttpd.net/issues/3127">#3127</a>)</li>
<li>[build] -Wno-implicit-fallthrough for ls-hpack</li>
<li>[core] ignore pcre2 “bad JIT option” warning</li>
<li>[build] pcre2: use pkg-config before pcre2-config</li>
<li>[core] http_response_has_error_handler()</li>
<li>[core] consolidate request restart loop check</li>
<li>[core] defer retrieving Last-Modified until needed</li>
<li>[mod_dirlisting] fix logic inversion in cache</li>
<li>[core] mark expect cond in http_response_send_file</li>
<li>[core] connection_handle_read_state() tweak</li>
<li>[core] connection_state_machine_loop() tweaks</li>
<li>[core] connection_state_machine_h2() tweaks</li>
<li>[core] quiet coverity noise</li>
<li>[core] use lower limit for max-fds if !setrlimit</li>
<li>[build] do not check for prctl; HAVE_PRCTL unused</li>
<li>[core] server.core-files support on FreeBSD (fixes <a href="https://redmine.lighttpd.net/issues/3128">#3128</a>)</li>
<li>[mod_extforward] support longer PROXY v2 TLV vec</li>
<li>[mod_webdav] detect truncated copy_file_range()</li>
<li>[mod_webdav] copy_file_range() new in FreeBSD 13</li>
<li>[mod_webdav] copy_file_range() new in FreeBSD 13</li>
<li>[build] feature consistency between build types</li>
<li>[build] cmake build now defaults to C11</li>
<li>[core] CCRandomGenerateBytes() for rand on macOS (fixes <a href="https://redmine.lighttpd.net/issues/3129">#3129</a>)</li>
<li>[multiple] remove long-deprecated modules</li>
<li>[build] default --with-pcre2 unless --with-pcre</li>
<li>[core] "server.graceful-shutdown-timeout" => 8</li>
<li>[build] adjust trace for regex-conditionals</li>
<li>[build] update tests/SConscript</li>
<li>[core] errno_t detection on Illumos</li>
<li>[build] cmake build now defaults to C11</li>
<li>[build] meson: find pcre2 w/o pkg-config</li>
<li>[core] define __EXTENSIONS__ on Illumos</li>
<li>[build] cmake,meson socket libs for win32, Illumos (fixes <a href="https://redmine.lighttpd.net/issues/3130">#3130</a>)</li>
<li>[core] hide bsd_accept_filter code on OpenBSD (fixes <a href="https://redmine.lighttpd.net/issues/3131">#3131</a>)</li>
<li>[core] errno_t and rsize_t detection on Illumos</li>
<li>[mod_webdav] copy acceleration</li>
<li>[mod_webdav] define HAVE_RENAMEAT2 earlier</li>
<li>[build] meson misdetects mempcpy on some platforms</li>
<li>[build] cmake: skip “-Wl,-export-dynamic” Illumos</li>
<li>[build] adjust .gitignore for macOS</li>
<li>[build] meson crypt and dl detection on *BSD (fixes <a href="https://redmine.lighttpd.net/issues/3133">#3133</a>)</li>
<li>[core] /dev/null is a symlink on Illumos (fixes <a href="https://redmine.lighttpd.net/issues/3132">#3132</a>)</li>
<li>[core] server.core-files support for solaris (fixes <a href="https://redmine.lighttpd.net/issues/3135">#3135</a>)</li>
<li>[build] feature consistency between build types</li>
<li>[build] Haiku build fix (fixes <a href="https://redmine.lighttpd.net/issues/3136">#3136</a>)</li>
<li>[lemon] silence coverity warnings</li>
<li>[cmake] raise minimum version to 3.7</li>
<li>[cmake] add address/undefined sanitize compile options</li>
<li>[asan tests] fix memory leaks</li>
<li>[array] use speaking names for array “fn” vtables for better debugging experience</li>
<li>[ci] add cmake-asan build type</li>
<li>[core] buffer_copy_string() use “” if s is NULL</li>
<li>[mod_authn_gssapi] code reuse: fdevent_mkostemp()</li>
<li>[mod_authn_gssapi] reduce KRB5CCNAME mem alloc</li>
<li>[build] adjust help strings for pcre2 default</li>
<li>[core] (const char *) for srvconf.modules_dir</li>
<li>[multiple] remove buffer_init_string()</li>
<li>[multiple] remove buffer_init_buffer()</li>
<li>[mod_extforward] fix out-of-bounds (OOB) write (fixes <a href="https://redmine.lighttpd.net/issues/3134">#3134</a>)</li>
<li>[build] use -fstack-protector-strong w/ extra warn</li>
<li>[build] collect Sun-specific headers and funcs</li>
<li>[build] collect Sun-specific headers and funcs</li>
<li>[build] rm redundant check for -lnetwork on Haiku</li>
<li>[build] check headers before some funcs</li>
<li>[core] allow LISTEN_PID to be ppid if TRACEME (fixes <a href="https://redmine.lighttpd.net/issues/3137">#3137</a>)</li>
<li>[core] allow tests/tmp/bind.conf override (<a href="https://redmine.lighttpd.net/issues/3137">#3137</a>)</li>
<li>[mod_webdav] no sys/ioctl.h on _WIN32</li>
<li>[tests] _WIN32 adjustments in LightyTest.pm</li>
<li>[tests] revert _WIN32 adjustments in LightyTest.pm</li>
<li>[mod_gnutls] lift size check out of DN loop</li>
<li>[mod_mbedtls] lift size check out of DN loop</li>
<li>[mbedtls] save (mbedtls_ssl_config *) in hctx</li>
<li>[multiple] permit UTF-8 in SSL_CLIENT_S_DN_*</li>
<li>[mod_openssl] do not esc UTF-8 in cert subject</li>
<li>[mod_mbedtls] reconstruct SSL_CLIENT_S_DN</li>
<li>[mod_mbedtls] changes to build with mbedtls 3.0.0</li>
<li>[mod_mbedtls] remove use of out_left in mbedtls 3</li>
<li>[mod_mbedtls] mbedtls_ssl_conf_groups for 3.1.0</li>
</ul>
<p>1.4.63 | 2021-12-04T00:00:00+00:00 | http://www.lighttpd.net/2021/12/4/1.4.63/ | gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<p>bugfixes</p>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.63.tar.gz">lighttpd-1.4.63.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.63.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">6d706d55d2e11de8d28a2044afae70b3847ec0b9688f84bc5362d4d7df1ad386</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.63.tar.xz">lighttpd-1.4.63.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.63.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">2aef7f0102ebf54a1241a1c3ea8976892f8684bfb21697c9fffb8de0e2d6eab9</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.63.sha256sum">SHA256 checksums</a></li>
</ul>
<h2 id="future-scheduled-behavior-changes-estimated-jan-2022">FUTURE SCHEDULED BEHAVIOR CHANGES (estimated Jan 2022):</h2>
<ul>
<li>graceful restart/shutdown default timeout will change from 0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)<br />
configure an alternative with:<br />
<code class="language-plaintext highlighter-rouge">server.feature-flags += ("server.graceful-shutdown-timeout" => 5)</code></li>
<li>lighttpd (optional) dependencies on libev and on FAM are deprecated.<br />
lighttpd event loop and file monitoring use native OS interfaces<br />
except on obscure platforms. FAM and gamin appear to be abandoned.<br />
Package maintainers on Linux and *BSD: please remove --with-libev and --with-fam from package builds<br />
lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.<br />
lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.</li>
<li>lighttpd will default to --with-pcre2 instead of --with-pcre<br />
pcre2 is current. pcre is no longer maintained.<br />
Explicitly specify --with-pcre in build to use pcre instead of pcre2.</li>
</ul>
<p>https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated</p>
<ul>
<li>mod_compress is DEPRECATED; use mod_deflate<br />
mod_compress has been subsumed by mod_deflate<br />
Note: mod_compress config options may be removed in a future release</li>
<li>mod_geoip is DEPRECATED; use mod_maxminddb<br />
Note: mod_geoip will be removed from a future lighttpd release</li>
<li>mod_authn_mysql is DEPRECATED; use mod_authn_dbi<br />
Note: mod_authn_mysql will be removed from a future lighttpd release</li>
<li>mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql<br />
Note: mod_mysql_vhost will be removed from a future lighttpd release</li>
<li>mod_cml is DEPRECATED; use mod_magnet<br />
Note: mod_cml will be removed from a future lighttpd release</li>
<li>mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))<br />
Note: mod_flv_streaming will be removed from a future lighttpd release<br />
(Note: can be replaced with a few lines of lua code and mod_magnet)<br />
(sample script flv-streaming.lua is posted at<br />
https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )<br />
Adobe Flash is deprecated and support has been removed from modern clients</li>
<li>mod_trigger_b4_dl is DEPRECATED; use mod_magnet<br />
Note: mod_trigger_b4_dl will be removed from a future lighttpd release<br />
(Note: can be replaced with a few lines of lua code and mod_magnet)<br />
(sample script mod_trigger_b4_dl.lua is posted at<br />
https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )</li>
</ul>
<h2 id="changes-from-1462">Changes from 1.4.62</h2>
<ul>
<li>[core] import xxHash v0.8.1</li>
<li>[core] isolate use of sys/filio.h</li>
<li>[core] fix reqpool mem corruption in 1.4.62 (fixes <a href="https://redmine.lighttpd.net/issues/3118">#3118</a>)</li>
</ul>
<p>1.4.62 | 2021-12-01T00:00:00+00:00 | http://www.lighttpd.net/2021/12/1/1.4.62/ | gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<p>support pcre2; HTTP Digest auth userhash; bugfixes</p>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.62.tar.gz">lighttpd-1.4.62.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.62.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">aa695d506a87c6aa7b54a66bdb5a07653e800c95da9af3188661430e65a15c4f</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.62.tar.xz">lighttpd-1.4.62.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.62.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">36cf483cf34a06f7c75c724a4237d8779b0d88ce208a1742763793d317114ab7</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.62.sha256sum">SHA256 checksums</a></li>
</ul>
<h2 id="future-scheduled-behavior-changes-estimated-jan-2022">FUTURE SCHEDULED BEHAVIOR CHANGES (estimated Jan 2022):</h2>
<ul>
<li>graceful restart/shutdown default timeout will change from<br />
0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)<br />
configure an alternative with:<br />
server.feature-flags += ("server.graceful-shutdown-timeout" => 5)</li>
<li>lighttpd (optional) dependencies on libev and on FAM are deprecated.<br />
lighttpd event loop and file monitoring use native OS interfaces<br />
except on obscure platforms. FAM and gamin appear to be abandoned.<br />
Package maintainers on Linux and *BSD:<br />
please remove --with-libev and --with-fam from package builds<br />
lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.<br />
lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.</li>
<li>lighttpd will default to --with-pcre2 instead of --with-pcre<br />
pcre2 is current. pcre is no longer maintained.<br />
Explicitly specify --with-pcre in build to use pcre instead of pcre2.</li>
</ul>
<p>https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated</p>
<ul>
<li>mod_compress is DEPRECATED; use mod_deflate<br />
mod_compress has been subsumed by mod_deflate<br />
Note: mod_compress config options may be removed in a future release</li>
<li>mod_geoip is DEPRECATED; use mod_maxminddb<br />
Note: mod_geoip will be removed from a future lighttpd release</li>
<li>mod_authn_mysql is DEPRECATED; use mod_authn_dbi<br />
Note: mod_authn_mysql will be removed from a future lighttpd release</li>
<li>mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql<br />
Note: mod_mysql_vhost will be removed from a future lighttpd release</li>
<li>mod_cml is DEPRECATED; use mod_magnet<br />
Note: mod_cml will be removed from a future lighttpd release</li>
<li>mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))<br />
Note: mod_flv_streaming will be removed from a future lighttpd release<br />
(Note: can be replaced with a few lines of lua code and mod_magnet)<br />
(sample script flv-streaming.lua is posted at<br />
https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )<br />
Adobe Flash is deprecated and support has been removed from modern clients</li>
<li>mod_trigger_b4_dl is DEPRECATED; use mod_magnet<br />
Note: mod_trigger_b4_dl will be removed from a future lighttpd release<br />
(Note: can be replaced with a few lines of lua code and mod_magnet)<br />
(sample script mod_trigger_b4_dl.lua is posted at<br />
https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )</li>
</ul>
<h2 id="changes-from-1461">Changes from 1.4.61</h2>
<ul>
<li>[mod_alias] fix use-after-free bug (fixes <a href="https://redmine.lighttpd.net/issues/3114">#3114</a>)</li>
<li>[core] clean up fdlog_st and log_error_st decls</li>
<li>[core] ‘struct log_error_st’ -> ‘log_error_st’</li>
<li>[core] remove redundant asserts</li>
<li>[core] explicitly include sys/cdefs.h</li>
<li>[tests] t/test_mod_ssi</li>
<li>[core] fdevent_socket_nb_cloexec_init()</li>
<li>[core] fdevent_impl.c separate from fdevent.c</li>
<li>[core] merge fdevent impls into fdevent_impl.c</li>
<li>[core] fdevent_fdnode.c separate from fdevent.c</li>
<li>[core] close backend socket fds more quickly</li>
<li>[core] use TCP_CORK w/ TLS if cq length > 16k</li>
<li>[core] warn if dynamic modules before mod_auth</li>
<li>[mod_cgi] check fd-to-cgi not -1 before close</li>
<li>[core] libev EV_ERROR conflicts with kqueue</li>
<li>[tests] disable test_mod_ssi in cmake (temporary)</li>
<li>[tests] disable test_mod_ssi in cmake (temporary)</li>
<li>[tests] reenable test_mod_ssi in cmake</li>
<li>[core] run plugin cleanup hooks in reverse</li>
<li>[core] fix removal of server.pid-file when testing (fixes <a href="https://redmine.lighttpd.net/issues/3115">#3115</a>)</li>
<li>[doc] improve sample configs</li>
<li>[doc] expand vhosts.template</li>
<li>[doc] improve sample configs</li>
<li>[core] use ck_assert() in vector.[ch]</li>
<li>[tests] mod_ssi tests moved to src/t/test_mod_ssi</li>
<li>[mod_ssi] 0-init ssi_val_t in ssi_ctx_t</li>
<li>[mod_ssi] fix ancient bugs; replace cond parser</li>
<li>[mod_ssi] remove mod_ssi parser generator file</li>
<li>[mod_ssi] merge mod_ssi_expr.c into mod_ssi.c</li>
<li>[core] uint_fast32_t tweaks</li>
<li>[core] better asm for binary num to ascii string</li>
<li>[tests] t/test_mod now runs all t/test_mod_*.c</li>
<li>[tests] t/test_mod_alias.c</li>
<li>[tests] remove unused mod from tests/lighttpd.conf</li>
<li>[mod_evasive] smaller funcs for testing</li>
<li>[tests] t/test_mod_evasive.c</li>
<li>[mod_evasive] update comment to add references</li>
<li>[tests] combine tests into test_common.c</li>
<li>[core] get_http_method_key() tweak</li>
<li>[mod_dirlisting] check for disabled cache at start</li>
<li>[core] buffer_append_string_encoded_json()</li>
<li>[mod_dirlisting] (experimental) json (disabled)</li>
<li>[tests] t/test_mod needs -ldl on Debian</li>
<li>[core] save config regex captures only if used</li>
<li>[core] save pcre result state in config_pcre_match</li>
<li>[core] use stack w/ pcre_exec unless save captures</li>
<li>[core] extend pcre_keyvalue_ctx to pass more state</li>
<li>[core] pcre2 support (--with-pcre2)</li>
<li>[core] allocate one fewer cond_match_t, if needed</li>
<li>[core] allocate pcre output vector on demand</li>
<li>[build] configure.ac with AC_PROG_CC_C99 (fixes <a href="https://redmine.lighttpd.net/issues/3116">#3116</a>)</li>
<li>[build] CI builds now use pcre2 (upgrade pcre)</li>
<li>[core] fix compiler warning in 32-bit build</li>
<li>[build] fix CMake pcre2 detection</li>
<li>[mod_auth] RFC7616 HTTP Digest username* userhash</li>
<li>[mod_dirlisting] fix bug not showing HEADER.txt</li>
<li>[tests] t/test_mod_ssi adjust to follow symlinks</li>
<li>[mod_auth] quiet coverity warning</li>
<li>[doc] refresh/update dependency lists in doc</li>
<li>[core] fix crash when using lighttpd -1 with pipes (fixes <a href="https://redmine.lighttpd.net/issues/3117">#3117</a>)</li>
</ul>
<p>1.4.61 (2021-10-28T00:00:00+00:00, gstrauss): http://www.lighttpd.net/2021/10/28/1.4.61/</p>
<h2 id="important-changes">Important changes</h2>
<p>bugfixes</p>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.61.tar.gz">lighttpd-1.4.61.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.61.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">7697a4eb517ff7e438b148552c4ddbcc4c3fe79d8b79c3200441edc58787abb0</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.61.tar.xz">lighttpd-1.4.61.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.61.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">43f0d63d04a1b7c5b8aab07e0612e44ccad0afc0614bab784c5b019872363432</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.61.sha256sum">SHA256 checksums</a></li>
</ul>
<h2 id="future-scheduled-behavior-changes-estimated-early-2022">Future Scheduled Behavior Changes (estimated early 2022)</h2>
<ul>
<li>graceful restart/shutdown default timeout will change from<br />
0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)<br />
configure an alternative with:<br />
server.feature-flags += ("server.graceful-shutdown-timeout" => 5)</li>
<li>lighttpd (optional) dependencies on libev and on FAM are deprecated.<br />
lighttpd event loop and file monitoring use native OS interfaces<br />
except on obscure platforms. FAM and gamin appear to be abandoned.<br />
Package maintainers on Linux and *BSD:<br />
please remove --with-libev and --with-fam from package builds<br />
lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.<br />
lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.</li>
</ul>
<p>https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated</p>
<ul>
<li>mod_compress is DEPRECATED; use mod_deflate<br />
mod_compress has been subsumed by mod_deflate<br />
Note: mod_compress config options may be removed in a future release</li>
<li>mod_geoip is DEPRECATED; use mod_maxminddb<br />
Note: mod_geoip will be removed from a future lighttpd release</li>
<li>mod_authn_mysql is DEPRECATED; use mod_authn_dbi<br />
Note: mod_authn_mysql will be removed from a future lighttpd release</li>
<li>mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql<br />
Note: mod_mysql_vhost will be removed from a future lighttpd release</li>
<li>mod_cml is DEPRECATED; use mod_magnet<br />
Note: mod_cml will be removed from a future lighttpd release</li>
<li>mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))<br />
(Note: can be replaced with a few lines of lua code and mod_magnet)<br />
(sample script flv-streaming.lua is posted at<br />
https://redmine.lighttpd.net/projects/lighttpd/wiki/ModMagnetExamples )<br />
Adobe Flash is deprecated and support has been removed from modern clients</li>
</ul>
<h2 id="changes-from-1460">Changes from 1.4.60</h2>
<ul>
<li>[core] define __BEGIN_DECLS,__END_DECLS if needed</li>
<li>[core] Y2038: error log high-precision timestamps</li>
<li>[multiple] __attribute_nonnull__ now takes params</li>
<li>[core] bounds check while url-decoding</li>
<li>[mod_magnet] prefer lua_newuserdatauv() w/ lua 5.4</li>
<li>[core] earlier macOS need define for errno_t (fixes <a href="https://redmine.lighttpd.net/issues/3107">#3107</a>)</li>
<li>[tests] force POSIX::WNOHANG() autovivification (fixes <a href="https://redmine.lighttpd.net/issues/3110">#3110</a>)</li>
<li>[mod_dirlisting] sort “../” to top (fixes <a href="https://redmine.lighttpd.net/issues/3109">#3109</a>)</li>
<li>[tests] force Fcntl::F_SETFD() autovivification (<a href="https://redmine.lighttpd.net/issues/3110">#3110</a>)</li>
<li>[core] avoid repeated typedef for fdlog_st</li>
<li>[doc] update INSTALL</li>
<li>[mod_extforward] keep remote IP thru request reset</li>
<li>[core] fix HTTP/2 upload > 64k w/ max-request-size (fixes <a href="https://redmine.lighttpd.net/issues/3108">#3108</a>)</li>
<li>[mod_auth] fix Basic auth passwd cache (fixes <a href="https://redmine.lighttpd.net/issues/3112">#3112</a>)</li>
<li>[mod_ajp13,mod_fastcgi] comment: no response body</li>
<li>[mod_webdav] ignore PROPFIND Depth for files</li>
<li>[core] add comment to ck_memeq_const_time()</li>
<li>[core] accept up to 5 digit port num in host cond</li>
<li>[core] expose chunkqueue_remove_empty_chunks()</li>
<li>[core] short-circuit if response body recv w/ hdrs (fixes <a href="https://redmine.lighttpd.net/issues/3111">#3111</a>)</li>
<li>[core] resched HTTP/2 streams w/ pending data (<a href="https://redmine.lighttpd.net/issues/3111">#3111</a>)</li>
<li>[core] separate func for gw_authorizer_ok()</li>
<li>[core] make ck_memeq_const_time() more generic (<a href="https://redmine.lighttpd.net/issues/3112">#3112</a>)</li>
<li>[mod_auth] revert adjustment to auth passwd cache (<a href="https://redmine.lighttpd.net/issues/3112">#3112</a>)</li>
<li>[core] thwart h2c smuggling when Upgrade enabled</li>
<li>[core] separate funcs to check for valid chars</li>
<li>[core] thwart h2 request tunnelling</li>
<li>[core] clear shared log buffer after writes</li>
<li>[mod_nss] quiet trace for PR_END_OF_FILE_ERROR</li>
<li>[core] allow debug.log-state-handling in condition</li>
<li>[core] combine more dup header processing code</li>
<li>[mod_ajp13,mod_fastcgi] check resp w/ content len</li>
<li>[mod_proxy] Length Req if proxy forcing HTTP/1.0</li>
<li>[core] restart dead proc on connect error if local</li>
<li>[mod_ajp13,mod_fastcgi] recv_parse smaller funcs</li>
<li>[multiple] warn deprecated mods slated for removal</li>
<li>[core] remove redundant checks in same context</li>
<li>[core] tighten chunkqueue_steal* code; better asm</li>
<li>[build] check for preadv(), pwritev()</li>
<li>[core] pwritev w/ chunkqueue_steal_with_tempfiles</li>
<li>[core] tighten chunkqueue_mark_written; better asm</li>
<li>[doc] uncomment mod_auth load in conf.d/auth.conf</li>
<li>[core] tighten chunkqueue_small_resp_optim()</li>
<li>[core] chunkqueue_small_resp_optim if resp < 16k</li>
<li>[mod_auth] clear crypt() output if len >= 13</li>
<li>[multiple] add assert after malloc in two spots</li>
<li>[core] add HTTP/2 check resp finished w/ empty cq (<a href="https://redmine.lighttpd.net/issues/3111">#3111</a>)</li>
<li>[core] chunkqueue_small_resp_optim() comment</li>
</ul>
<p>1.4.60 (2021-10-03T00:00:00+00:00, gstrauss): http://www.lighttpd.net/2021/10/3/1.4.60/</p>
<h2 id="important-changes">Important changes</h2>
<ul>
<li>improve performance, reduce memory use, bugfixes</li>
</ul>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.60.tar.gz">lighttpd-1.4.60.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.60.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">9c284107f8ed7dd3a8a25b06c6acfcf49ae2f19e66e384ebe51f7bc4dc57621c</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.60.tar.xz">lighttpd-1.4.60.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.60.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">4bb1dd859e541a3131e5be101557d2e1195b4129d3a849a3a6fbd21fe1c946f0</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.60.sha256sum">SHA256 checksums</a></li>
</ul>
<h2 id="highlights">Highlights</h2>
<ul>
<li>HTTP/2 smoother and lower memory use (in general)</li>
<li>HTTP/2 tuning to better handle aggressive client initial requests</li>
<li>reduce memory footprint; workaround poor glibc behavior; jemalloc is better</li>
<li>mod_magnet lua performance improvements</li>
<li>mod_dirlisting performance improvements and new caching option</li>
<li>memory constraints for extreme edge cases in mod_dirlisting, mod_ssi, mod_webdav</li>
<li>connect(), write(), read() time limits on backends (separate from client timeouts)</li>
<li>lighttpd restarts if large discontinuity in time occurs (embedded systems)</li>
<li>RFC7233 Range support for all non-streaming responses, not only static files</li>
</ul>
<h2 id="behavior-changes">Behavior Changes</h2>
<ul>
<li>connect() to backend now has default 8 second timeout (configurable)</li>
</ul>
<h2 id="future-scheduled-behavior-changes-estimated-early-2022">Future Scheduled Behavior Changes (estimated early 2022)</h2>
<ul>
<li>graceful restart/shutdown default timeout will change from<br />
0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)<br />
configure an alternative with:<br />
server.feature-flags += ("server.graceful-shutdown-timeout" => 5)</li>
<li>lighttpd (optional) dependencies on libev and on FAM are deprecated.<br />
lighttpd event loop and file monitoring use native OS interfaces<br />
except on obscure platforms. FAM and gamin appear to be abandoned.<br />
Package maintainers on Linux and *BSD:<br />
please remove --with-libev and --with-fam from package builds<br />
lighttpd uses epoll() on Linux, kqueue() on *BSD for event notification.<br />
lighttpd uses inotify() on Linux, kqueue() on *BSD for file monitoring.</li>
</ul>
<p>https://wiki.lighttpd.net/Docs_ConfigurationOptions#Deprecated</p>
<ul>
<li>mod_compress is DEPRECATED; use mod_deflate<br />
mod_compress has been subsumed by mod_deflate<br />
Note: mod_compress config options may be removed in a future release</li>
<li>mod_geoip is DEPRECATED; use mod_maxminddb<br />
Note: mod_geoip will be removed from a future lighttpd release</li>
<li>mod_authn_mysql is DEPRECATED; use mod_authn_dbi<br />
Note: mod_authn_mysql will be removed from a future lighttpd release</li>
<li>mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql<br />
Note: mod_mysql_vhost will be removed from a future lighttpd release</li>
<li>mod_cml is DEPRECATED; use mod_magnet<br />
Note: mod_cml will be removed from a future lighttpd release</li>
<li>mod_flv_streaming is DEPRECATED; (Adobe Flash Video (.flv))<br />
(Note: can be replaced with a few lines of lua code and mod_magnet)<br />
(sample script flv-streaming.lua is posted at<br />
https://redmine.lighttpd.net/projects/lighttpd/wiki/AbsoLUAtion )<br />
Adobe Flash is deprecated and support has been removed from modern clients</li>
</ul>
<h2 id="changes-from-1459">Changes from 1.4.59</h2>
<ul>
<li>[meson] add with_zstd to meson_options.txt</li>
<li>[mod_magnet] reject stat() of empty string (fixes <a href="https://redmine.lighttpd.net/issues/3064">#3064</a>)</li>
<li>[mod_magnet] avoid infinite loop in atpanic (fixes <a href="https://redmine.lighttpd.net/issues/3065">#3065</a>)</li>
<li>[mod_magnet] do not call luaL_error outside pcall (<a href="https://redmine.lighttpd.net/issues/3065">#3065</a>)</li>
<li>[core] 101 upgrade fails if Content-Length incl (fixes <a href="https://redmine.lighttpd.net/issues/3063">#3063</a>)</li>
<li>[mod_gnutls,mod_mbedtls] recog common cipherstring</li>
<li>[tests] remove stray option in test lighttpd.conf</li>
<li>[mod_auth] close HTTP/2 connection after bad pass</li>
<li>[build] fix SCons pkg-config err handling (fixes <a href="https://redmine.lighttpd.net/issues/3066">#3066</a>)</li>
<li>[core] inline funcs to decode h2 framing nums (fixes <a href="https://redmine.lighttpd.net/issues/3067">#3067</a>)</li>
<li>[build] use -pipe with gcc and clang</li>
<li>[mod_mbedtls] preproc wrap ssl_parse_client_hello</li>
<li>[build] augment configure.ac msgs to remove FAM (<a href="https://redmine.lighttpd.net/issues/3068">#3068</a>)</li>
<li>[core] allow '*' in "*:80" socket spec</li>
<li>[core] rename local var</li>
<li>[core] mark config registration funcs cold</li>
<li>[core] fix -fsanitize=undefined pedantic warning (fixes <a href="https://redmine.lighttpd.net/issues/3069">#3069</a>)</li>
<li>[core] algo_hmac.[ch] wrapper (portability)</li>
<li>[mod_secdownload] use algo_hmac.[ch]</li>
<li>[mod_secdownload] use http_auth_const_time_memeq()</li>
<li>[autoconf] add ajp13 to build msgs</li>
<li>[mod_auth] send 401 if digest algo not supported</li>
<li>[mod_deflate] do not cache 206 Partial Content</li>
<li>[core] chunkqueue_append_cq_range()</li>
<li>[core] http_range.[ch] RFC 7233 Range handling</li>
<li>[core] RFC 7233 Range handling for non-streaming</li>
<li>[TLS] fix crash for (broken) nested $SERVER[] cfg</li>
<li>[core] ignore server.event-handler = "libev"</li>
<li>[mod_openssl] use newer openssl 3.0.0 interfaces</li>
<li>[core] quiet coverity warning</li>
<li>[core] http_cgi_local_redir() rename</li>
<li>[core] http_cgi.[ch] CGI interfaces (RFC 3875)</li>
<li>[core] save parsed listen addrs at startup</li>
<li>[core] http_cgi_encode_varname()</li>
<li>[core] add some ifdefs in algo_hmac.c</li>
<li>[core] use epoll_create1() if available</li>
<li>[core] adjust stat_cache_get_entry() conditions</li>
<li>[core] _WIN32 impl of read-only mmap(), munmap()</li>
<li>[core] remove stream.[ch]</li>
<li>[multiple] use binary ‘|’ to reconstruct ts</li>
<li>[core] check EAGAIN if unix socket connect() delay</li>
<li>[multiple] prefer monotonic time for internal use</li>
<li>[core] optimize buffer_urldecode_path()</li>
<li>[mod_openssl] skip cert chain build if self-issued</li>
<li>[mod_nss] avoid NSS crash w/ config file error</li>
<li>[multiple] prefer monotonic time for internal use</li>
<li>[core] http_response_handle_cachable() optim</li>
<li>[core] fix chunkqueue_small_resp_optim partial rd</li>
<li>[core] defer pcre_compile until after config parse</li>
<li>[multiple] PCRE w/ PCRE_STUDY_JIT_COMPILE (fixes <a href="https://redmine.lighttpd.net/issues/2361">#2361</a>)</li>
<li>[mod_dirlisting, mod_trigger_b4_dl] use keyvalue</li>
<li>[multiple] add attrs from gcc -Wsuggest-attribute=</li>
<li>[mod_gnutls] quiet clang warning</li>
<li>[core] http_response_physical_path_error()</li>
<li>[multiple] buffer_has_slash_suffix()</li>
<li>[core] modify path in-place checking for path-info</li>
<li>[multiple] optimize primitives, buffer_extend()</li>
<li>[multiple] do not clear physical.path if finished</li>
<li>[core] http_kv.[ch] perf tuning</li>
<li>[core] remove bad prototype from algo_splaytree.h</li>
<li>[multiple] mark addtl funcs attr returns_nonnull</li>
<li>[TLS] init STEK even if time is 1970 (fixes <a href="https://redmine.lighttpd.net/issues/3075">#3075</a>)</li>
<li>[core] restart if large clock jump detected (<a href="https://redmine.lighttpd.net/issues/3075">#3075</a>)</li>
<li>[core] copy string and len directly from tmp_buf</li>
<li>[core] move special case for Content-Type CGI hdr</li>
<li>[mod_ssi] inline some buffers in ssi plugin_data</li>
<li>[core] use monotonic secs for piped loggers start</li>
<li>[mod_cml] use cached time from log_epoch_secs</li>
<li>[mod_dirlisting] limit buffer use for large dirs</li>
<li>[multiple] http_header APIs to reduce str copies</li>
<li>[mod_userdir] use stat_cache_path_isdir()</li>
<li>[mod_indexfile] reduce copying of base path</li>
<li>[TLS] https_add_ssl_client_verify_err()</li>
<li>[TLS] use stack for SSL_CLIENT_S_DN_* tag</li>
<li>[core] buffer_append_strftime() perf annotations</li>
<li>[mod_userdir] use 2-element cache</li>
<li>[mod_magnet] use http_chunk_* APIs</li>
<li>[mod_accesslog] reformat numeric timestamp</li>
<li>[mod_accesslog] strftime %z for numeric timestamp</li>
<li>[mod_accesslog] reformat numeric timestamp code</li>
<li>[multiple] strftime %F and %T</li>
<li>[mod_trigger_b4_dl] gdbm_reorganize once a day</li>
<li>[mod_status] double-buffer large output to tmpfile</li>
<li>[mod_ssi] shared code to wrap strftime()</li>
<li>[mod_ssi] use intermediate chunkqueue to aggregate</li>
<li>[multiple] pass len when copying constant strings</li>
<li>[core] short-circuit encoding if nothing to encode</li>
<li>[build] check for mempcpy()</li>
<li>[core] buffer_append_* aggregates</li>
<li>[core] config_vars_init()</li>
<li>[multiple] use buffer_append_* aggregates</li>
<li>[core] define __attribute_nonnull__</li>
<li>[core] mark select buffer.[ch] funcs attr nonnull</li>
<li>[core] mark select http_kv.[ch] funcs attr nonnull</li>
<li>[core] mark some chunk.h funcs attr cold</li>
<li>[core] remove an excess check</li>
<li>[core] mark debug path unlikely</li>
<li>[core] ignore empty headers unless pseudo-headers</li>
<li>[multiple] buffer_copy_path_len2() aggregate</li>
<li>[mod_dirlisting] process dir in subrequest handler</li>
<li>[mod_dirlisting] restructure and keep state</li>
<li>[mod_dirlisting] read dir in pieces; less blocking</li>
<li>[mod_dirlisting] upper limit on parallel dirlist</li>
<li>[mod_dirlisting] parse query string in javascript</li>
<li>[mod_dirlisting] dir-listing.cache option</li>
<li>[mod_webdav] webdav_log_xml_response()</li>
<li>[mod_webdav] limit mem use under extreme condition</li>
<li>[core] vector.h tweaks</li>
<li>[mod_proxy] send HTTP/1.0 to backend if no Host</li>
<li>[build] fix zstd option in meson (fixes <a href="https://redmine.lighttpd.net/issues/3076">#3076</a>)</li>
<li>[multiple] more reuse of http_date_time_to_str()</li>
<li>[TLS] rename ssl.verifyclient.ca-*file options</li>
<li>[mod_openssl] issue error trace if < openssl 1.1.1</li>
<li>[mod_webdav] always define webdav_mmap_file_chunk</li>
<li>[mod_dirlisting] ignore error if include file fail</li>
<li>[multiple] quiet coverity warnings</li>
<li>[scons] link lighttpd with pcre for fullstatic</li>
<li>[scons] link lighttpd with pcre for static build</li>
<li>[core] exit 0 upon shutdown if no connections open</li>
<li>[mod_nss] define TLSv1_3 as bitflag</li>
<li>[core] update ls-hpack</li>
<li>[core] discard some HTTP/2 DATA after response (fixes <a href="https://redmine.lighttpd.net/issues/3078">#3078</a>)</li>
<li>[mod_expires,mod_webdav] fix truncated date string</li>
<li>[mod_expire] accept time labels without plural ‘s’</li>
<li>[mod_webdav] accept alt syntax in webdav.opts</li>
<li>[core] recognize "enabled"/"disabled" for bool</li>
<li>[mod_expire] check for default if mime not found</li>
<li>[core] move timegm() impl inline in sys-time.h</li>
<li>[mod_expire] send only Cache-Control to >=HTTP/1.1</li>
<li>[mod_webdav] quiet pedantic compiler warning</li>
<li>[core] reuse code to parse backend response</li>
<li>[core] consistent inclusion of sys-time.h</li>
<li>[mod_authn_file] wipe password/digest after use</li>
<li>[TLS] ALPN h2 policy</li>
<li>[core] tolerate dup array config values if match</li>
<li>[multiple] static file optimization; reuse cache</li>
<li>[mod_staticfile] move cold paths to separate func</li>
<li>[build] --with-nss add test for /usr/include/nspr4</li>
<li>[core] li_base64_decode similar to li_to_base64</li>
<li>[core] li_base64_decode mark cold code path</li>
<li>[core] li_to_base64 alt code to add padding</li>
<li>[core] buffer_append_base64_encode_opt()</li>
<li>[core] base64_charset enum supports only 2 tables</li>
<li>[core] consolidate overflow checks in li_to_base64</li>
<li>[mod_auth] include unistd.h for crypt() on Mac OS</li>
<li>[core] tighten code in request_check_hostname()</li>
<li>[core] merge http_response_send_file 0-size case</li>
<li>[mod_extforward] shared mod_extforward_bad_request</li>
<li>[core] http_response_send_file() mark cold paths</li>
<li>[core] improve HTTP/2 behavior w/ max-request-size</li>
<li>[tests] disable secdownload HMAC tests for NSS</li>
<li>[core] check for Upgrade before h2 upgrade check</li>
<li>[core] remove buffer_is_equal_right_len()</li>
<li>[core] buffer_is_equal_string -> buffer_eq_slen</li>
<li>[core] mark cold paths in http_response_config</li>
<li>[core] http_response_prepare() OPTIONS *, CONNECT</li>
<li>[core] mark some likely hot paths (better asm)</li>
<li>[core] simplify buffer_path_simplify()</li>
<li>[core] remove excess assertions in buffer_commit()</li>
<li>[core] quiet coverity noise</li>
<li>[mod_auth] include unistd.h for crypt() on *nix</li>
<li>[cmake] improve cmake detection of timegm</li>
<li>[cmake] update src/config.h.cmake</li>
<li>[core] adjust r->http_host ptr caching</li>
<li>[core] merge uri_raw and uri_clean hooks</li>
<li>[core] reorder hook enum for better mem locality</li>
<li>[core] remove redundant check for max_conns</li>
<li>[multiple] mark con->srv_socket a const ptr</li>
<li>[core] accept in network_server_handle_fdevent()</li>
<li>[mod_*_dbi] fix sqlite3_dbdir spelling in comments</li>
<li>[core] remove HANDLER_UNSET enum value</li>
<li>[core] add option to read config file from stdin</li>
<li>[mod_flv_streaming] check range before sending FLV</li>
<li>[mod_magnet] use http_chunk_append_file_ref_range</li>
<li>[core] range chk http_chunk_append_file_ref_range</li>
<li>[core] remove some (now) unused http_chunk APIs</li>
<li>[core] document error edge case for HTTP/1.0</li>
<li>[core] fix kill workers and shutdown by signal</li>
<li>[core] store int* ptr to common gw status counters</li>
<li>[tests] quiet coverity warning in test_request.c</li>
<li>[core] tighter OS event poll loops (better asm)</li>
<li>[core] omit fdevent select() code if poll() avail</li>
<li>[core] adjust some array code (better asm)</li>
<li>[core] base64 encode round-up for required space</li>
<li>[core] base64 encode w/ reduced data dependencies</li>
<li>[core] merge base64 encoding to li_base64_enc()</li>
<li>[core] li_base64_dec() on 4 bytes at a time</li>
<li>[core] load padding char from base64_table</li>
<li>[core] remove size maint in algo_splaytree</li>
<li>[core] remove excess counts from print config</li>
<li>[core] consolidate config printing code</li>
<li>[core] move data_{array,integer,string} to array.c</li>
<li>[core] define __attribute_unused__ if needed</li>
<li>[core] ck.[ch] - C11 Annex K wrappers</li>
<li>[multiple] use thread-safe strerror where avail</li>
<li>[multiple] move const time cmp funcs to ck.[ch]</li>
<li>[multiple] rename safe_memclear() -> ck_memzero()</li>
<li>[multiple] http_auth_digest_hex2bin -> li_hex2bin</li>
<li>[mod_auth,mod_vhostdb] move helper funcs to mods</li>
<li>[mod_auth*] rename http_auth.* -> mod_auth_api.*</li>
<li>[mod_vhostdb*] rename http_vhostdb->mod_vhostdb_api</li>
<li>[core] comment out ck_getenv_s() (unused)</li>
<li>[mod_secdownload] include algo_hmac.c in mod</li>
<li>[core] make insert_dup an optional array method</li>
<li>[core] return entry from array_insert_data_at_pos</li>
<li>[core] network_write optimizations</li>
<li>[core] network_write prefer writev() over write()</li>
<li>[core] connection_handle_read_state mark hot case</li>
<li>[core] buffer_commit() optim; better asm</li>
<li>[TLS] write_cq_ssl defer remove_finished_chunks</li>
<li>[core] compare entire "/bin/sh" "-c" after execve</li>
<li>[core] reduce repeated work in http_cgi_headers()</li>
<li>[core] code reuse with array_match_value_prefix()</li>
<li>[build] adjustments for autotools on Mac OS X</li>
<li>[build] autoupdate; still autoconf 2.60 compatible</li>
<li>[build] MacOS linker compat</li>
<li>[core] http_header_hkey_get() perf (better asm)</li>
<li>[TLS] reset stek_rotate_ts if clock moves backward</li>
<li>[core] sock_addr_from_buffer_hints_numeric unused</li>
<li>[core] tweaks writing response header (better asm)</li>
<li>[core] adjust buffer use for hdr name for lshpack</li>
<li>[core] comment out unused part of http_etag_remix</li>
<li>[core] inline fam_dir_entry buffer ‘name’ member</li>
<li>[multiple] reduce redundant NULL buffer checks</li>
<li>[core] calculate backend host gw_hash at startup</li>
<li>[core] gw_host_get() comment out devel debugging</li>
<li>[core] request_config_reset()</li>
<li>[mod_magnet] inline name and etag buffers in cache</li>
<li>[mod_magnet] sync script load w/ stat_cache</li>
<li>[core] clear etag in stat_cache_get_entry_open()</li>
<li>[mod_auth] merge some repeated code; code reuse</li>
<li>[core] add iovec wrappers to sys-crypto-md.h</li>
<li>[core] li_base64_dec()</li>
<li>[multiple] use <code class="language-plaintext highlighter-rouge">&lt;algo&gt;_iov()</code> digest funcs</li>
<li>[mod_auth] mod_auth_digest_get()</li>
<li>[mod_auth] mod_auth_algorithm_parse() w/ algo len</li>
<li>[mod_authn_dbi] copy strings before escaping</li>
<li>[mod_auth] refactor mod_auth_check_digest()</li>
<li>[mod_auth] refactor mod_auth_check_basic()</li>
<li>[build] look for memcpy and define HAVE_MEMCPY</li>
<li>[core] buffer_path_simplify() quick(er) path</li>
<li>[core] reduce memcmp in http_request_parse_header</li>
<li>[build] look for port.h on Solaris, not sys/port.h</li>
<li>[core] buffer_realloc() using power-2 realloc</li>
<li>[core] lowercase r->http_host, r->uri.authority</li>
<li>[multiple] buffer_copy_string_len_lc()</li>
<li>[mod_magnet] cache script objects at config time</li>
<li>[core] move backtrace and assert macros to ck.[ch]</li>
<li>[core] allocate initial request pool w/ srv->conns</li>
<li>[mod_extforward] inline some more data structures</li>
<li>[mod_access] remove excess trace</li>
<li>[multiple] reduce use of BUFFER_INTLEN_PTR</li>
<li>[multiple] inline struct in con->dst_addr_buf</li>
<li>[core] reset large path buffers from long URLs</li>
<li>[core] construct file path after docroot hook</li>
<li>[core] avoid inlining buffer_eq_icase_ssn()</li>
<li>[core] order gw_proc members for packing and usage</li>
<li>[core] order gw_host members for packing and usage</li>
<li>[mod_proxy] proxy_response_headers load v earlier</li>
<li>[core] proxy_create_env() tweaks</li>
<li>[core] write_all() simpler loop; better asm</li>
<li>[core] http_date_time_append() convenience macro</li>
<li>[core] reduce excess cc inlining in http_chunk.c</li>
<li>[core] const buffer * in config_check_cond_nocache</li>
<li>[core] parse $HTTP[“remote-ip”] CIDR mask at start</li>
<li>[core] reduce $HTTP[“host”] compare str scanning</li>
<li>[multiple] http_method_buf()</li>
<li>[core] config_check_cond_nocache() xor return code</li>
<li>[core] refactor config_check_cond_nocache() flow</li>
<li>[mod_deflate] use deflate.allowed-encodings order</li>
<li>[mod_deflate] use ZSTD_c_strategy w/ compress lvl</li>
<li>[mod_deflate] deflate.params per-encoder params</li>
<li>[mod_deflate] use brotli quality 5 by default</li>
<li>[mod_deflate] improve compress.*->deflate.* remap</li>
<li>[mod_auth] detect and skip BWS (bad whitespace)</li>
<li>[core] better trace if TLS received on clear port</li>
<li>[core] replace strncasecmp w/ buffer_eq_icase_ssn</li>
<li>[tests] use generated date in HTTP If conditionals</li>
<li>[tests] update t/test_request.c</li>
<li>[tests] mv tests from request.t to test_request.c</li>
<li>[tests] t/test_mod_staticfile</li>
<li>[tests] combine *.t using tests/lighttpd.conf</li>
<li>[tests] combine *.t using tests/condition.conf</li>
<li>[tests] speed up mod-fastcgi and mod-scgi tests</li>
<li>[core] report Y2038 support in lighttpd -V</li>
<li>[autoconf] add AC_SYS_LARGEFILE for lfs</li>
<li>[multiple] Y2038 32-bit signed time_t mitigations</li>
<li>[mod_deflate] use http_header_str_contains_token</li>
<li>[core] tune http_response_process_headers()</li>
<li>[core] use CLOCK_MONOTONIC_COARSE where available</li>
<li>[core] log_clock_gettime->clock_gettime for 64-bit</li>
<li>[core] Y2038: use _TIME_BITS=64 on 32-bit glibc</li>
<li>[core] define _DEFAULT_SOURCE in first.h</li>
<li>[build] check for sys/filio.h in CMake and meson</li>
<li>[core] quiet compiler warnings</li>
<li>[mod_openssl] no ALPN fatal error w/ mod_sockproxy (fixes <a href="https://redmine.lighttpd.net/issues/3081">#3081</a>)</li>
<li>[core] make missing mod_deflate not a fatal error</li>
<li>[core] store time for last r/w to a backend socket</li>
<li>[core] gw_backend_error() shared code</li>
<li>[core] connect, write, read timeouts on backends (fixes <a href="https://redmine.lighttpd.net/issues/3086">#3086</a>)</li>
<li>[doc] <a href="https://wiki.lighttpd.net/Docs_Performance">https://wiki.lighttpd.net/Docs_Performance</a></li>
<li>[core] tweak buffer merging to reduce mem</li>
<li>[core] chunkqueue_append_buffer always clears buf</li>
<li>[core] http_response_append_{buffer,mem}()</li>
<li>[core] improve handling of suboptimal backend wr</li>
<li>[core] http_response_read() indicate resp finished</li>
<li>[mod_cgi] cgi.limits “read-timeout” “write-timeout” (<a href="https://redmine.lighttpd.net/issues/3086">#3086</a>)</li>
<li>[core] clarify error message in gw_backend.c</li>
<li>[core] set min srv->max_fds = 32 (sanity check)</li>
<li>[core] adjust server overload check</li>
<li>[core] free fdwaitqueue list when empty</li>
<li>[core] adjust srv->srvconf.max_conns at startup</li>
<li>[core] conns_pool separate from conns list (<a href="https://redmine.lighttpd.net/issues/3084">#3084</a>)</li>
<li>[build] update ax_prog_cc_for_build.m4</li>
<li>[core] add wolfssl-specific include</li>
<li>[core] rename srv->max_conns -> srv->lim_conns</li>
<li>[core] change srv->conns to doubly-linked-list</li>
<li>[core] change con joblist to singly-linked-list</li>
<li>[core] remove connection_list_append()</li>
<li>[core] clear request,connection pools every 64 sec (<a href="https://redmine.lighttpd.net/issues/3084">#3084</a>)</li>
<li>[mod_wolfssl] wolfSSL_sk_X509_NAME_push change</li>
<li>[core] clarify an error message</li>
<li>[core] reduce optim inline of cold funcs</li>
<li>[core] remove HANDLER_WAIT_FOR_FD</li>
<li>[mod_cgi] reuse chunk buffers</li>
<li>[mod_cgi] use linked list for process list</li>
<li>[mod_uploadprogress] use splay_tree for req list</li>
<li>[multiple] remove base.h include where not used</li>
<li>[mod_indexfile] section into subroutines</li>
<li>[mod_extforward] HAProxy PROXY env PP2_UNIQUE_ID</li>
<li>[mod_magnet] reuse lighty lua table</li>
<li>[core] li_hmac_sha512()</li>
<li>[mod_magnet] expose md and hmac funcs to lua</li>
<li>[mod_magnet] allow modification of request headers</li>
<li>[mod_magnet] lighty.stat now returns userdata obj</li>
<li>[mod_magnet] protect and control lighty table mod</li>
<li>[mod_magnet] expose enc/dec str funcs to lua</li>
<li>[mod_magnet] look up env id by strlen, then strcmp</li>
<li>[core] reuse some cold duplicate hdr match code</li>
<li>[core] use mod name in trace instead of mod_gw</li>
<li>[mod_magnet] lighty.r.* interfaces to request</li>
<li>[core] refuse excess h2 streams at con start (fixes <a href="https://redmine.lighttpd.net/issues/3093">#3093</a>)</li>
<li>[mod_magnet] lighty.c.cookie_tokens</li>
<li>[mod_magnet] lighty.c.readdir</li>
<li>[mod_magnet] use blank str for nil (do not panic)</li>
<li>[mod_magnet] rename magnet_cgi_ to magnet_envvar_</li>
<li>[mod_magnet] reset config cache for uri components</li>
<li>[mod_magnet] reset config cache for remote addr</li>
<li>[core] sock_addr_set_port()</li>
<li>[mod_magnet] attrs for remote port and server port</li>
<li>[mod_magnet] detect MAGNET_RESTART_REQUEST loops</li>
<li>[mod_magnet] ignore 1xx return in response start</li>
<li>[mod_echo] test module to echo request as response</li>
<li>[core] base64url pad char is ‘=’; change from ‘.’</li>
<li>[mod_cgi] improve CGI offloading</li>
<li>[mod_openssl] default disable client renegotiation</li>
<li>[core] log_error_multiline()</li>
<li>[tests] t/test_mod_indexfile</li>
<li>[tests] IO::Socket::INET->new( Timeout => 1 )</li>
<li>[mod_indexfile] update path with buffer path funcs</li>
<li>[tests] move tests/docroot/www contents up 1 level</li>
<li>[build] look for malloc.h and mallopt()</li>
<li>[core] config mallopt(M_ARENA_MAX, 2) (<a href="https://redmine.lighttpd.net/issues/3084">#3084</a>)</li>
<li>[core] periodically malloc_trim() to release mem (fixes <a href="https://redmine.lighttpd.net/issues/3084">#3084</a>)</li>
<li>[build] propagate HAVE_DLFCN_H in builds</li>
<li>[core] cfg server.bindhost after $SERVER[“socket”]</li>
<li>[core] TCP_CORK w/ MEM_CHUNK then FILE_CHUNK</li>
<li>[core] remove server.upload-temp-file-size limit</li>
<li>[core] expose ck_bt() for debugging</li>
<li>[core] change backtrace format to put addr first</li>
<li>[core] reduce stack use in main()</li>
<li>[core] write all cq MEM_CHUNK if spill to tempfile</li>
<li>[core] realloc buffer power-2 size + 1 for ‘\0’</li>
<li>[mod_cgi] cgi.limits “tcp-fin-propagate” => “SIG”</li>
<li>[core] consolidate more gw_host, gw_proc init code</li>
<li>[core] mark cold more gateway maintenance code</li>
<li>[core] reduce wait time in gw_spawn_connection()</li>
<li>[core] remove redundant waitpid() on each backend</li>
<li>[multiple] quiet coverity warnings</li>
<li>[build] define rsize_t on FreeBSD</li>
<li>[core] quiet coverity warnings</li>
<li>[tests] skip time-sensitive test during CI testing</li>
<li>[core] clear buffer after backend dechunk</li>
<li>[core] update comment about server.max-write-idle</li>
<li>[core] fdlog.[ch]; fdevent<strong>**logger</strong>* -> fdlog**</li>
<li>[multiple] de-dup file and piped loggers (fixes <a href="https://redmine.lighttpd.net/issues/3101">#3101</a>)</li>
<li>[multiple] prefer r->tmp_buf to p->tmp_buf</li>
<li>[core] shared temp buffer for log_*error*()</li>
<li>[core] refuse excess initial streams only if block (fixes <a href="https://redmine.lighttpd.net/issues/3100">#3100</a>)</li>
<li>[core] quiet coverity warnings</li>
<li>[core] reject HTTP/2 pseudo-header in trailers (<a href="https://redmine.lighttpd.net/issues/3102">#3102</a>)</li>
<li>[core] remove redundant check in h2_recv_headers()</li>
<li>[core] reduce oversized mem alloc for backends</li>
<li>[core] HTTP/2 GOAWAY after timeout before read (fixes <a href="https://redmine.lighttpd.net/issues/3102">#3102</a>)</li>
<li>[core] default backend “connect-timeout” to 8 (<a href="https://redmine.lighttpd.net/issues/3086">#3086</a>)</li>
<li>[core] HTTP/2 GOAWAY after timeout before read (<a href="https://redmine.lighttpd.net/issues/3102">#3102</a>)</li>
<li>[core] mark attr malloc, returns nonnull</li>
<li>[core] separate mem pool for FILE_CHUNK reuse</li>
<li>[core] retain largest chunk on oversized chunk lst</li>
<li>[core] improve chunk buffer reuse from backends</li>
<li>[multiple] internal control for backend read bytes</li>
<li>[core] option: errorlog high precision timestamps</li>
<li>[core] create temp file name in chunk buffer</li>
<li>[core] chunkqueue_get_append_newtempfile()</li>
<li>[core] remove redundant checks for tempfile chunk</li>
<li>[multiple] fdevent_mkostemp()</li>
<li>[build] check for pread(), pwrite(), splice()</li>
<li>[multiple] _WIN32 fdevent_pipe_cloexec()</li>
<li>[core] _WIN32 impl of fdevent_mkostemp()</li>
<li>[multiple] check feature flags funcs; code reuse</li>
<li>[multiple] avoid empty chunks in chunkqueue</li>
<li>[core] splice() data from backends to tempfiles</li>
<li>[core] fix chunked decoding from backend (<a href="https://redmine.lighttpd.net/issues/3044">#3044</a>, <a href="https://redmine.lighttpd.net/issues/3046">#3046</a>)</li>
<li>[core] remove obsolete comment about r->gw_dechunk</li>
<li>[core] improve chunk buffer reuse from backends</li>
<li>[mod_cgi] improve chunk buffer reuse from backends</li>
<li>[core] disable streaming response with authorizer (fixes <a href="https://redmine.lighttpd.net/issues/3106">#3106</a>)</li>
<li>[multiple] clarify error msg when no cert avail</li>
<li>[core] disable server.graceful-restart-bg if spawn</li>
<li>[tests] ignore SIGINT, SIGUSR1 in fcgi-responder</li>
<li>[core] cap size of data framed for HTTP/2 response</li>
<li>[core] fix typo in h2_send_cqdata()</li>
<li>[core] use pread() to skip lseek()</li>
<li>[core] h2_send_cqdata() returns how much data sent</li>
<li>[core] allow up to 32k of data frames per stream</li>
<li>[core] limit initial response header backend read</li>
<li>[core] read files into mem when framed for HTTP/2</li>
<li>[core] chunkqueue_mmap_chunk_len() for code reuse</li>
<li>[core] chunkqueue_peek_data() mmap experiment</li>
<li>[core] quiet coverity warnings</li>
<li>[core] portability tweaks for various platforms/cc</li>
<li>[core] fix chunked decoding from backend (<a href="https://redmine.lighttpd.net/issues/3044">#3044</a>, <a href="https://redmine.lighttpd.net/issues/3046">#3046</a>)</li>
<li>[doc] update config files</li>
<li>[mod_openssl] boringssl compat</li>
<li>[core] adjust indent for clarity</li>
</ul>
<p>1.4.59 | 2021-02-02T00:00:00+00:00 | http://www.lighttpd.net/2021/2/2/1.4.59/ | gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<p>HTTP/2 enabled by default, mod_deflate zstd support, mod_ajp13 (new), bugfixes</p>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.59.tar.gz">lighttpd-1.4.59.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.59.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">e266e389ddb79bf17b8e8d9022aec95ae839c6f3159822f402df8d8df8a13f65</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.59.tar.xz">lighttpd-1.4.59.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.59.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">fb953db273daef08edb6e202556cae8a3d07eed6081c96bd9903db957d1084d5</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.59.sha256sum">SHA256 checksums</a></li>
</ul>
<h2 id="behavior-changes">Behavior Changes</h2>
<ul>
<li>HTTP/2 enabled by default</li>
</ul>
<h2 id="future-scheduled-behavior-changes">Future Scheduled Behavior Changes</h2>
<ul>
<li>graceful restart/shutdown default timeout will change from<br />
0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)<br />
configure an alternative with:<br />
<code class="language-plaintext highlighter-rouge">server.feature-flags += ("server.graceful-shutdown-timeout" => 5)</code></li>
<li>mod_compress is DEPRECATED; use mod_deflate<br />
mod_compress has been subsumed by mod_deflate<br />
Note: mod_compress config options may be removed in a future release</li>
<li>mod_geoip is DEPRECATED; use mod_maxminddb<br />
Note: mod_geoip will be removed from a future lighttpd release</li>
<li>mod_authn_mysql is DEPRECATED; use mod_authn_dbi<br />
Note: mod_authn_mysql will be removed from a future lighttpd release</li>
<li>mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql<br />
Note: mod_mysql_vhost will be removed from a future lighttpd release</li>
<li>mod_cml is DEPRECATED; use mod_magnet<br />
Note: mod_cml will be removed from a future lighttpd release</li>
</ul>
<h2 id="changes-from-1458">Changes from 1.4.58</h2>
<ul>
<li>[mod_webdav] hide unused funcs depending on build</li>
<li>[mod_mbedtls] include mbedtls/platform_util.h</li>
<li>[mod_mbedtls] use local strncmp_const()</li>
<li>[mod_gnutls] use local strncmp_const()</li>
<li>[mod_dirlisting] place vars closer to where used</li>
<li>[autotools] autoupdate; subst deprecated/obsolete</li>
<li>[autoconf] update ax_prog_cc_for_build.m4</li>
<li>[core] fix crash at shutdown w/ certain config</li>
<li>[tests] use ephemeral ports in tests</li>
<li>[mod_wolfssl] minor updates for wolfSSL v4.6.0</li>
<li>[doc] create-mime.conf.pl improve case handling</li>
<li>[mod_openssl] extend ssl.openssl.ssl-conf-cmd</li>
<li>[mod_extforward] config warning for module order</li>
<li>[mod_extforward] fix extforward.headers defaults (fixes <a href="https://redmine.lighttpd.net/issues/3051">#3051</a>)</li>
<li>[multiple] use HTTP_HEADER_* enum before strcmp</li>
<li>[multiple] replace buffer_is_equal_caseless_string</li>
<li>[mod_dirlisting] quiet coverity false positive</li>
<li>[doc] create-mime.conf.pl improve case handling</li>
<li>[autoconf] fix LT_INIT syntax</li>
<li>[doc] create-mime.conf.pl -v for warnings</li>
<li>[core] fix crash in error trace if backend is down (fixes <a href="https://redmine.lighttpd.net/issues/3052">#3052</a>)</li>
<li>[doc] create-mime.conf.pl -v silent for mult vnd</li>
<li>[mod_openssl] update LIBRESSL_VERSION_NUMBER check</li>
<li>[multiple] fix: honor CipherString for alt TLS lib</li>
<li>[mod_openssl] set Ciphersuites once API available</li>
<li>[mod_dirlisting] use fdopendir(), fstatat()</li>
<li>[mod_deflate] support Accept-Encoding: zstd</li>
<li>[mod_deflate] use zstd streaming API</li>
<li>[mod_dirlisting] hide unused variable on MacOS</li>
<li>[doc] add --with-zstd to INSTALL</li>
<li>[mod_access] mark mod_access_check attribute pure</li>
<li>[core] add decls in connections.h</li>
<li>[build] update scripts/ci-build.sh</li>
<li>[core] check ifdef WOLFSSL_SHA512 for SHA512 avail</li>
<li>[build] scripts/ci-build.sh --with-nettle</li>
<li>[mod_openssl] update LIBRESSL_VERSION_NUMBER check</li>
<li>[build] scripts/ci-build.sh w/o --with-wolfssl</li>
<li>[build] scripts/ci-build.sh adjustments</li>
<li>[build] fix typo in src/CMakeLists.txt</li>
<li>[build] adjust mbedtls vars in src/CMakeLists.txt</li>
<li>[build] scripts/ci-build.sh adjustments</li>
<li>[build] adjust crypto vars in src/CMakeLists.txt</li>
<li>[core] avoid multiple definition of SHA512_CTX</li>
<li>[build] adjust crypto vars in src/CMakeLists.txt</li>
<li>[mod_alias] modify r->physical.path in place</li>
<li>[build] scripts/ci-build.sh add --with-maxminddb</li>
<li>[build] scripts/ci-build.sh remove --with-maxminddb</li>
<li>[mod_deflate] use zstd typedefs (minor cleanup)</li>
<li>[mod_deflate] compat with zstd < v1.4.0</li>
<li>[multiple] fix coverity warnings</li>
<li>[multiple] fix TLS config string parsing</li>
<li>[mod_gnutls] fix ssl.ca_dn_file data access</li>
<li>[mod_wolfssl] wipe ssl_pemfile_pkey before free()</li>
<li>[mod_wolfssl] fix syntax errors</li>
<li>[multiple] fix TLS config string parsing</li>
<li>[mod_gnutls] fix alt code for coverity</li>
<li>[core] check more carefully after SSL_WANT_WRITE</li>
<li>[core] fix 100% CPU spin if traffic limit hit</li>
<li>[core] skip interest in POLLRDHUP after POLLRDHUP (<a href="https://redmine.lighttpd.net/issues/3059">#3059</a>)</li>
<li>[TLS] detect expired stapling file at startup (fixes <a href="https://redmine.lighttpd.net/issues/3056">#3056</a>)</li>
<li>[multiple] avoid duplicate parsing in trigger func (<a href="https://redmine.lighttpd.net/issues/3056">#3056</a>)</li>
<li>[multiple] quiet some clang-analyzer warnings</li>
<li>[core] enable HTTP/2 by default</li>
<li>[mod_ajp13] AJPv13 Tomcat connector for lighttpd</li>
<li>[core] const data_unset *array_get_element_klen()</li>
<li>[core] tighten struct data_config and related code</li>
<li>[core] fix merging large headers across mult reads (fixes <a href="https://redmine.lighttpd.net/issues/3059">#3059</a>)</li>
<li>[mod_gnutls,mod_mbedtls] recog common cipherstring</li>
<li>[build] fix typo in SConstruct (fixes <a href="https://redmine.lighttpd.net/issues/3061">#3061</a>)</li>
<li>[mod_wolfssl] wolfSSL might repeat SNI_Callback()</li>
<li>[TLS] fix invalid cfg warning</li>
<li>[mod_openssl] fix acme-tls/1 challenge bootstrap</li>
<li>[TLS] set r->uri.authority empty str upon accept()</li>
<li>[mod_gnutls] fix acme-tls/1 challenge bootstrap</li>
<li>[mod_nss] fix acme-tls/1 challenge bootstrap</li>
<li>[mod_wolfssl] copy stapling buf for OCSP resp</li>
<li>[mod_mbedtls] fix acme-tls/1 challenge bootstrap</li>
<li>[mod_mbedtls] fix acme-tls/1 challenge bootstrap</li>
<li>[mod_cgi] fix assert if empty X-Sendfile path (fixes <a href="https://redmine.lighttpd.net/issues/3062">#3062</a>)</li>
<li>[mod_mbedtls] restore ALPN chk after client hello</li>
<li>[core] re-validate h2 CONTINUATION frame len in cq</li>
<li>[mod_mbedtls] remove redundant condition check</li>
<li>[core] quiet coverity warning</li>
</ul>
<p>1.4.58 | 2020-12-27T00:00:00+00:00 | http://www.lighttpd.net/2020/12/27/1.4.58/ | gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<p>bugfixes, portability</p>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.58.tar.gz">lighttpd-1.4.58.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.58.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">49c03789876f6ee5bee82bae0aee375d45bd508a6dd016da0b55e80d15f2b5a3</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.58.tar.xz">lighttpd-1.4.58.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.58.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">267feffda13a190ebdce7b15172d8be16da98008457f30fddecd72832d126d0e</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.58.sha256sum">SHA256 checksums</a></li>
</ul>
<h2 id="future-scheduled-behavior-changes">Future Scheduled Behavior Changes</h2>
<ul>
<li>HTTP/2 support will be enabled by default in a future release</li>
<li>graceful restart/shutdown default timeout will change from<br />
0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)<br />
configure an alternative with:<br />
<code class="language-plaintext highlighter-rouge">server.feature-flags += ("server.graceful-shutdown-timeout" => 5)</code></li>
<li>mod_compress is DEPRECATED; use mod_deflate<br />
mod_compress has been subsumed by mod_deflate<br />
Note: mod_compress config options may be removed in a future release</li>
<li>mod_geoip is DEPRECATED; use mod_maxminddb<br />
Note: mod_geoip will be removed from a future lighttpd release</li>
<li>mod_authn_mysql is DEPRECATED; use mod_authn_dbi<br />
Note: mod_authn_mysql will be removed from a future lighttpd release</li>
<li>mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql<br />
Note: mod_mysql_vhost will be removed from a future lighttpd release</li>
<li>mod_cml is DEPRECATED; use mod_magnet<br />
Note: mod_cml will be removed from a future lighttpd release</li>
</ul>
<h2 id="changes-from-1457">Changes from 1.4.57</h2>
<ul>
<li>[mod_wolfssl] use wolfSSL TLS version defines</li>
<li>[mod_wolfssl] compile with earlier wolfSSL vers</li>
<li>[tests] collect code for “die-at-end” tests</li>
<li>[tests] remove FastCGI test dependency on libfcgi</li>
<li>[core] prefer IPv6+IPv4 func vs IPv4-specific func</li>
<li>[tests] remove FastCGI test dependency on PHP</li>
<li>[core] reuse large mem chunks (fix mem usage) (fixes <a href="https://redmine.lighttpd.net/issues/3033">#3033</a>)</li>
<li>[core] add comment for FastCGI mem use in hctx->rb (<a href="https://redmine.lighttpd.net/issues/3033">#3033</a>)</li>
<li>[mod_proxy] fix sending of initial reqbody chunked</li>
<li>[multiple] fdevent_waitpid() wrapper</li>
<li>[core] sys-time.h - localtime_r,gmtime_r macros</li>
<li>[core] http_date.[ch] encapsulate HTTP-date parse</li>
<li>[core] specialized strptime() for HTTP date fmts</li>
<li>[multiple] employ http_date.h, sys-time.h</li>
<li>[core] http_date_timegm() (portable timegm())</li>
<li>buffer_append_path_len() to join paths</li>
<li>[core] inet_ntop_cache -> sock_addr_cache</li>
<li>[tests] slight speed up checking for server ready</li>
<li>[tests] load required modules in alt .conf tests</li>
<li>[multiple] etag.[ch] -> http_etag.[ch]; better imp</li>
<li>[core] fix crash after specific err in config file</li>
<li>[core] fix bug in FastCGI uploads (<a href="https://redmine.lighttpd.net/issues/3033">#3033</a>)</li>
<li>[tests] OpenBSD crypt() support limited to bcrypt</li>
<li>[core] http_response_match_if_range()</li>
<li>[mod_webdav] typedef off_t loff_t for FreeBSD</li>
<li>[multiple] chunkqueue_write_chunk()</li>
<li>[build] add GNUMAKEFLAGS=--no-print-directory</li>
<li>[tests] consolidate some tests/ content</li>
<li>[core] fix bug in read retry found by coverity</li>
</ul>
<p>1.4.57 | 2020-12-17T00:00:00+00:00 | http://www.lighttpd.net/2020/12/17/1.4.57/ | gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<p>bugfixes</p>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.57.tar.gz">lighttpd-1.4.57.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.57.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">4a6e3afe91bbe8d4aa052fb745d81ff48b788bbf66054a29df202d7669a0e2d0</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.57.tar.xz">lighttpd-1.4.57.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.57.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">52ca961b89c12f7ecbb2e4e0c5a9e79b2863c64e33c42832a165e7f894d6217f</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.57.sha256sum">SHA256 checksums</a></li>
</ul>
<h2 id="future-scheduled-behavior-changes">Future Scheduled Behavior Changes</h2>
<ul>
<li>HTTP/2 support will be enabled by default in a future release</li>
<li>graceful restart/shutdown default timeout will change from<br />
0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)<br />
configure an alternative with:<br />
<code class="language-plaintext highlighter-rouge">server.feature-flags += ("server.graceful-shutdown-timeout" => 5)</code></li>
<li>mod_compress is DEPRECATED; use mod_deflate<br />
mod_compress has been subsumed by mod_deflate<br />
Note: mod_compress config options may be removed in a future release</li>
<li>mod_geoip is DEPRECATED; use mod_maxminddb<br />
Note: mod_geoip will be removed from a future lighttpd release</li>
<li>mod_authn_mysql is DEPRECATED; use mod_authn_dbi<br />
Note: mod_authn_mysql will be removed from a future lighttpd release</li>
<li>mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql<br />
Note: mod_mysql_vhost will be removed from a future lighttpd release</li>
<li>mod_cml is DEPRECATED; use mod_magnet<br />
Note: mod_cml will be removed from a future lighttpd release</li>
</ul>
<h2 id="changes-from-1456">Changes from 1.4.56</h2>
<ul>
<li>[core] attempt to quiet some coverity warnings</li>
<li>[mod_webdav] compile fix for Mac OSX/11</li>
<li>[core] handle U+00A0 in config parser</li>
<li>[core] fix lighttpd -1 one-shot with pipes</li>
<li>[core] quiet start/shutdown trace in one-shot mode</li>
<li>[core] allow keep-alives in one-shot mode (<a href="https://redmine.lighttpd.net/issues/3042">#3042</a>)</li>
<li>[mod_webdav] define _ATFILE_SOURCE if AT_FDCWD</li>
<li>[core] setsockopt IPV6_V6ONLY if server.v4mapped</li>
<li>[build] fix meson.build when building all TLS mods</li>
<li>[core] prefer inet_aton() over inet_addr()</li>
<li>[build] fix SCons build when building all TLS mods</li>
<li>[core] add missing mod_wolfssl to ssl compat list</li>
<li>[mod_openssl] remove ancient preprocessor logic</li>
<li>[core] SHA512_Init, SHA512_Update, SHA512_Final</li>
<li>[mod_wolfssl] add complex preproc logic for SNI</li>
<li>[core] wrap a macro value with parens</li>
<li>[core] fix handling chunked response from backend (fixes <a href="https://redmine.lighttpd.net/issues/3044">#3044</a>)</li>
<li>[core] always set file.fd = -1 on FILE_CHUNK reset (fixes <a href="https://redmine.lighttpd.net/issues/3044">#3044</a>)</li>
<li>[core] skip some trace if backend Upgrade (<a href="https://redmine.lighttpd.net/issues/3044">#3044</a>)</li>
<li>[TLS] cert-staple.sh POSIX sh compat (fixes <a href="https://redmine.lighttpd.net/issues/3043">#3043</a>)</li>
<li>[core] portability fix if st_mtime not defined</li>
<li>[mod_nss] portability fix</li>
<li>[core] warn if mod_authn_file needed in conf</li>
<li>[core] fix chunked decoding from backend (fixes <a href="https://redmine.lighttpd.net/issues/3044">#3044</a>)</li>
<li>[core] reject excess data after chunked encoding (<a href="https://redmine.lighttpd.net/issues/3046">#3046</a>)</li>
<li>[core] track chunked encoding state from backend (fixes <a href="https://redmine.lighttpd.net/issues/3046">#3046</a>)</li>
<li>[core] li_restricted_strtoint64()</li>
<li>[core] track Content-Length from backend (fixes <a href="https://redmine.lighttpd.net/issues/3046">#3046</a>)</li>
<li>[core] enhance config parsing debugging (<a href="https://redmine.lighttpd.net/issues/3047">#3047</a>)</li>
<li>[core] reorder srv->config_context to match ndx (fixes <a href="https://redmine.lighttpd.net/issues/3047">#3047</a>)</li>
<li>[mod_proxy] proxy.header = (“force-http10” => …)</li>
<li>[mod_authn_ldap] fix crash (fixes <a href="https://redmine.lighttpd.net/issues/3048">#3048</a>)</li>
<li>[mod_authn_ldap, mod_vhostdb_ldap] default cafile</li>
<li>[core] fix array_copy_array() sorted[]</li>
<li>[multiple] replace fall through comment with attr</li>
<li>[core] fix crash printing trace if backend is down</li>
<li>[core] fix decoding chunked from backend (fixes <a href="https://redmine.lighttpd.net/issues/3049">#3049</a>)</li>
<li>[core] attempt to quiet some coverity warnings</li>
</ul>
<p>1.4.56 | 2020-11-29T00:00:00+00:00 | http://www.lighttpd.net/2020/11/29/1.4.56/ | gstrauss</p>
<h2 id="important-changes">Important changes</h2>
<p>HTTP/2, TLS library options, brotli, bugfixes</p>
<h2 id="downloads">Downloads</h2>
<ul>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.56.tar.gz">lighttpd-1.4.56.tar.gz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.56.tar.gz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">bcb477cc06aa22246f540a02f946529ad03ba7c4d60d9bff142fb213b43307f9</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.56.tar.xz">lighttpd-1.4.56.tar.xz</a> (<a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.56.tar.xz.asc">GPG signature</a>)
<ul>
<li>SHA256: <code class="language-plaintext highlighter-rouge">e4ce84cd79e8ae8ba193c7a7cc79c4afba9a076b443ef9f8d4bcd13a3354df77</code></li>
</ul>
</li>
<li><a href="https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.56.sha256sum">SHA256 checksums</a></li>
</ul>
<h2 id="highlights">Highlights</h2>
<ul>
<li>HTTP/2 support
<ul>
<li>must be enabled in lighttpd.conf in lighttpd 1.4.56;<br />
may be enabled by default in a future release</li>
<li><code class="language-plaintext highlighter-rouge">server.feature-flags += ("server.h2proto" => "enable", "server.h2c" => "enable")</code></li>
</ul>
</li>
<li>TLS library options: OpenSSL, mbedTLS, wolfSSL, GnuTLS, NSS
<ul>
<li>mod_openssl (existing)</li>
<li>mod_mbedtls (experimental)</li>
<li>mod_wolfssl (experimental)</li>
<li>mod_gnutls (experimental)</li>
<li>mod_nss (experimental)</li>
</ul>
</li>
<li>TLS OCSP stapling<br />
(except mbedTLS; not currently supported by mbedTLS)</li>
<li>TLS session ticket key rotation control<br />
(except NSS; API limitation in NSS)</li>
<li>mod_deflate brotli support</li>
<li>mod_proxy makes HTTP/1.1 requests to backends (change from HTTP/1.0)</li>
<li>RFC 8297 support for 103 Early Hints produced by backends (scripts)</li>
<li>graceful restart option to transfer listen fds (minimal pause)
<ul>
<li><code class="language-plaintext highlighter-rouge">server.systemd-socket-activation = "enable"</code></li>
<li><code class="language-plaintext highlighter-rouge">server.feature-flags += ("server.graceful-restart-bg" => "enable", "server.graceful-shutdown-timeout" => "15")</code></li>
</ul>
</li>
</ul>
<h2 id="behavior-changes">Behavior Changes</h2>
<ul>
<li>mod_openssl
<ul>
<li>default MinProtocol TLSv1.2<br />
TLSv1 and TLSv1.1 are deprecated and no longer supported by major browsers.<br />
https://news.netcraft.com/archives/2020/03/03/browsers-on-track-to-block-850000-tls-1-0-sites.html<br />
If prior behavior is required, configure:<br />
<code class="language-plaintext highlighter-rouge">ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1")</code><br />
If using openssl <= 1.0.2 (end-of-life)<br />
<code class="language-plaintext highlighter-rouge">ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1, TLSv1.1, TLSv1.2")</code></li>
<li>(internal) TLS session cache is disabled by default,<br />
replaced by lighttpd robust TLSv1.2 session ticket support<br />
If backward compatibility is needed:<br />
<code class="language-plaintext highlighter-rouge">server.feature-flags += ("ssl.session-cache" => "enable")</code></li>
<li>(internal) openssl creates a session ticket encryption key per SSL_CTX.<br />
lighttpd 1.4.56 and later assigns a single session ticket encryption key<br />
for the lighttpd server (across all SSL_CTX) for consistency.</li>
<li>behavior change with ssl.ca-dn-file (uncommon); applies when client<br />
certificate verification is used together with ssl.ca-dn-file<br />
If client certificate verification is enabled<br />
(ssl.verifyclient.activate = "enable"),<br />
all CAs used for client certificate verification must be present in<br />
ssl.ca-file. This is the typical use case when client certificate<br />
verification is enabled. Certificates in (optional) ssl.ca-dn-file<br />
are used to send issuer names to the client when the server sends a<br />
client certificate request. These names are used by the client<br />
during certificate selection, and the server requires that the<br />
certificate sent by the client be issued by one of the subjects<br />
in ssl.ca-dn-file.<br />
(Prior behavior merged ssl.ca-file and ssl.ca-dn-file for trusted CAs.<br />
New behavior requires that all trusted CAs be listed in ssl.ca-file,<br />
and a subset be duplicated into ssl.ca-dn-file to specify allowed<br />
client cert issuers.)</li>
</ul>
</li>
<li>mod_deflate: support for bzip2 is now disabled by default in the build<br />
(enable using <code class="language-plaintext highlighter-rouge">./configure --with-bzip2</code>)<br />
bzip2 Content-Encoding is not widely supported<br />
Prefer to build <code class="language-plaintext highlighter-rouge">--with-brotli</code><br />
brotli Content-Encoding is more widely supported than bzip2</li>
</ul>
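<p>Added example, not part of the lighttpd release notes or the lighttpd code base: a pre-upgrade check for the ssl.ca-dn-file change described above. It reports certificates listed in ssl.ca-dn-file that are not also present in ssl.ca-file. It assumes "duplicated" means the identical certificate (same DER bytes); the function names and the sample PEM blocks are constructed for illustration.</p>

```python
"""Check that every certificate in ssl.ca-dn-file also appears in ssl.ca-file.

Added example; helper names are hypothetical, not lighttpd APIs.
Assumption: "duplicated into ssl.ca-dn-file" means the identical certificate,
so certificates are compared by SHA-256 over their DER bytes.
"""
import base64
import hashlib
import re
import sys

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def cert_fingerprints(pem_text):
    """Return the SHA-256 hex digest of each CERTIFICATE block, in file order."""
    digests = []
    for match in PEM_CERT_RE.finditer(pem_text):
        # Strip line wrapping before decoding; reject non-base64 characters.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        digests.append(hashlib.sha256(der).hexdigest())
    return digests


def missing_from_ca_file(ca_file_pem, ca_dn_file_pem):
    """Return [(position, fingerprint)] for ssl.ca-dn-file entries that are
    absent from ssl.ca-file (position is 0-based within ssl.ca-dn-file)."""
    trusted = set(cert_fingerprints(ca_file_pem))
    return [
        (pos, fp)
        for pos, fp in enumerate(cert_fingerprints(ca_dn_file_pem))
        if fp not in trusted
    ]


def _constructed_pem(payload):
    """Wrap arbitrary bytes in PEM armour. Constructed sample data, not a
    valid X.509 certificate; sufficient for the byte-level comparison."""
    body = base64.encodebytes(payload * 16).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample bundles standing in for the two configured files.
ROOT_A = _constructed_pem(b"constructed-root-A")
ROOT_B = _constructed_pem(b"constructed-root-B")
ROOT_C = _constructed_pem(b"constructed-root-C")
CA_FILE = ROOT_A + ROOT_B        # ssl.ca-file: all trusted CAs
CA_DN_OK = ROOT_B                # ssl.ca-dn-file: subset of ssl.ca-file
CA_DN_BAD = ROOT_B + ROOT_C      # ROOT_C was trusted only via the old merge


def main(argv):
    """Usage: script.py <ssl.ca-file> <ssl.ca-dn-file>; no args runs the sample."""
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            ca_file = fh.read()
        with open(argv[2], encoding="utf-8", errors="replace") as fh:
            ca_dn_file = fh.read()
    else:
        ca_file, ca_dn_file = CA_FILE, CA_DN_BAD
    missing = missing_from_ca_file(ca_file, ca_dn_file)
    for pos, fp in missing:
        print(f"ssl.ca-dn-file cert #{pos} (sha256 {fp}) is not in ssl.ca-file")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<p>A non-zero exit status means at least one issuer advertised through ssl.ca-dn-file would no longer be trusted after the upgrade unless it is added to ssl.ca-file.</p>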
<h2 id="future-scheduled-behavior-changes">Future Scheduled Behavior Changes</h2>
<ul>
<li>HTTP/2 support will be enabled by default in a future release</li>
<li>graceful restart/shutdown default timeout will change from<br />
0 (infinite/no timeout) to 5 seconds (or some similar non-zero period)<br />
configure an alternative with:<br />
<code class="language-plaintext highlighter-rouge">server.feature-flags += ("server.graceful-shutdown-timeout" => 5)</code></li>
<li>mod_compress is DEPRECATED; use mod_deflate<br />
mod_compress has been subsumed by mod_deflate<br />
Note: mod_compress config options may be removed in a future release</li>
<li>mod_geoip is DEPRECATED; use mod_maxminddb<br />
Note: mod_geoip will be removed from a future lighttpd release</li>
<li>mod_authn_mysql is DEPRECATED; use mod_authn_dbi<br />
Note: mod_authn_mysql will be removed from a future lighttpd release</li>
<li>mod_mysql_vhost is DEPRECATED; use mod_vhostdb_dbi or mod_vhostdb_mysql<br />
Note: mod_mysql_vhost will be removed from a future lighttpd release</li>
<li>mod_cml is DEPRECATED; use mod_magnet<br />
Note: mod_cml will be removed from a future lighttpd release</li>
</ul>
<h2 id="changes-from-1455">Changes from 1.4.55</h2>
<ul>
<li>[core] perf: request processing</li>
<li>[core] http_header_str_contains_token()</li>
<li>[mod_flv_streaming] parse query string w/o copying</li>
<li>[mod_evhost] use local array to split values</li>
<li>[core] remove srv->split_vals</li>
<li>[core] add User-Agent to http_header_e enum</li>
<li>[core] store struct server * in struct connection</li>
<li>[core] use func rc to indicate done reading header</li>
<li>[core] replace connection_set_state w/ assignment</li>
<li>[core] do not pass srv to http header parsing func</li>
<li>[core] cold buffer_string_prepare_append_resize()</li>
<li>[core] chunkqueue_compact_mem()</li>
<li>[core] connection_chunkqueue_compact()</li>
<li>[core] pass con around request, not srv and con</li>
<li>[core] reduce use of struct parse_header_state</li>
<li>[core] perf: HTTP header parsing using \n offsets</li>
<li>[core] no need to pass srv to connection_set_state</li>
<li>[core] perf: connection_read_header_more()</li>
<li>[core] perf: connection_read_header_hoff() hot</li>
<li>[core] inline connection_read_header()</li>
<li>[core] pass ptr to http_request_parse()</li>
<li>[core] more ‘const’ in request.c prototypes</li>
<li>[core] handle common case of alnum or - field-name</li>
<li>[mod_extforward] simplify code: use light_isxdigit</li>
<li>[core] perf: array.c performance enhancements</li>
<li>[core] mark some data_* funcs cold</li>
<li>[core] http_header.c internal inline funcs</li>
<li>[core] remove unused array_reset()</li>
<li>[core] prefer uint32_t to size_t in base.h</li>
<li>[core] uint32_t for struct buffer sizes</li>
<li>[core] remove unused members of struct server</li>
<li>[core] short-circuit path to clear request.headers</li>
<li>[core] array keys are non-empty in key-value list</li>
<li>[core] keep a->data[] sorted; remove a->sorted[]</li>
<li>[core] __attribute_returns_nonnull__</li>
<li>[core] differentiate array_get_* for ro and rw</li>
<li>[core] (const buffer *) in (struct burl_parts_t)</li>
<li>[core] (const buffer *) for con->server_name</li>
<li>[core] perf: initialize con->conf using memcpy()</li>
<li>[core] run config_setup_connection() fewer times</li>
<li>[core] isolate data_config.c, vector.c</li>
<li>[core] treat con->conditional_is_valid as bitfield</li>
<li>[core] http_header_hkey_get() over const array</li>
<li>[core] inline buffer as part of DATA_UNSET key</li>
<li>[core] inline buffer key for *_patch_connection()</li>
<li>[core] (data_unset *) from array_get_element_klen</li>
<li>[core] inline buffer as part of data_string value</li>
<li>[core] add const to callers of http_header_*_get()</li>
<li>[core] inline array as part of data_array value</li>
<li>[core] const char *op in data_config</li>
<li>[core] buffer string in data_config</li>
<li>[core] streamline config_check_cond()</li>
<li>[core] keep a->data[] sorted (REVERT)</li>
<li>[core] array a->sorted[] as ptrs rather than pos</li>
<li>[core] inline header and env arrays into con</li>
<li>[mod_accesslog] avoid alloc for parsing cookie val</li>
<li>[core] simpler config_check_cond()</li>
<li>[mod_redirect,mod_rewrite] store context_ndx</li>
<li>[core] const char *name in struct plugin</li>
<li>[core] srv->plugin_slots as compact list</li>
<li>[core] rearrange server_config, server members</li>
<li>[core] macros CONST_LEN_STR and CONST_STR_LEN</li>
<li>[core] struct plugin_data_base</li>
<li>[core] improve condition caching perf</li>
<li>[core] config_plugin_values_init() new interface</li>
<li>[mod_access] use config_plugin_values_init()</li>
<li>[core] (const buffer *) from strftime_cache_get()</li>
<li>[core] mv config_setup_connection to connections.c</li>
<li>[core] use (const char *) in config file parsing</li>
<li>[mod_staticfile] use config_plugin_values_init()</li>
<li>[mod_skeleton] use config_plugin_values_init()</li>
<li>[mod_setenv] use config_plugin_values_init()</li>
<li>[mod_alias] use config_plugin_values_init()</li>
<li>[mod_indexfile] use config_plugin_values_init()</li>
<li>[mod_expire] use config_plugin_values_init()</li>
<li>[mod_flv_streaming] use config_plugin_values_init()</li>
<li>[mod_magnet] use config_plugin_values_init()</li>
<li>[mod_usertrack] use config_plugin_values_init()</li>
<li>[mod_userdir] split policy from userdir path build</li>
<li>[mod_userdir] use config_plugin_values_init()</li>
<li>[mod_ssi] use config_plugin_values_init()</li>
<li>[mod_uploadprogress] use config_plugin_values_init()</li>
<li>[mod_status] use config_plugin_values_init()</li>
<li>[mod_cml] use config_plugin_values_init()</li>
<li>[mod_secdownload] use config_plugin_values_init()</li>
<li>[mod_geoip] use config_plugin_values_init()</li>
<li>[mod_evasive] use config_plugin_values_init()</li>
<li>[mod_trigger_b4_dl] use config_plugin_values_init()</li>
<li>[mod_accesslog] use config_plugin_values_init()</li>
<li>[mod_simple_vhost] use config_plugin_values_init()</li>
<li>[mod_evhost] use config_plugin_values_init()</li>
<li>[mod_vhostdb*] use config_plugin_values_init()</li>
<li>[mod_mysql_vhost] use config_plugin_values_init()</li>
<li>[mod_maxminddb] use config_plugin_values_init()</li>
<li>[mod_auth*] use config_plugin_values_init()</li>
<li>[mod_deflate] use config_plugin_values_init()</li>
<li>[mod_compress] use config_plugin_values_init()</li>
<li>[core] add xsendfile* check if xdocroot is NULL</li>
<li>[mod_cgi] use config_plugin_values_init()</li>
<li>[mod_dirlisting] use config_plugin_values_init()</li>
<li>[mod_extforward] use config_plugin_values_init()</li>
<li>[mod_webdav] use config_plugin_values_init()</li>
<li>[core] store addtl data in pcre_keyvalue_buffer</li>
<li>[mod_redirect] use config_plugin_values_init()</li>
<li>[mod_rewrite] use config_plugin_values_init()</li>
<li>[mod_rrdtool] use config_plugin_values_init()</li>
<li>[multiple] gw_backends config_plugin_values_init()</li>
<li>[core] config_get_config_cond_info()</li>
<li>[mod_openssl] use config_plugin_values_init()</li>
<li>[core] use config_plugin_values_init()</li>
<li>[core] collect more config logic into configfile.c</li>
<li>[core] config_plugin_values_init_block()</li>
<li>[core] gw_backend config_plugin_values_init_block</li>
<li>[core] remove old config_insert_values_*() funcs</li>
<li>[multiple] plugin.c handles common FREE_FUNC code</li>
<li>[core] run all trigger and sighup handlers</li>
<li>[mod_wstunnel] change DEBUG_LOG to use log_error()</li>
<li>[core] stat_cache_path_contains_symlink use errh</li>
<li>[core] isolate use of data_config, configfile.h</li>
<li>[core] split cond cache from cond matches</li>
<li>[mod_auth] inline arrays in http_auth_require_t</li>
<li>[core] array_init() arg for initial size</li>
<li>[core] gw_exts_clear_check_local()</li>
<li>[core] gw_backend less pointer chasing</li>
<li>[core] connection_handle_errdoc() separate func</li>
<li>[multiple] prefer (connection *) to (srv *)</li>
<li>[core] create http chunk header on the stack</li>
<li>[multiple] connection hooks no longer get (srv *)</li>
<li>[multiple] plugin_stats array</li>
<li>[core] read up-to fixed size chunk before fionread</li>
<li>[core] default chunk size 8k (was 4k)</li>
<li>[core] pass con around gw_backend instead of srv</li>
<li>[core] log_error_multiline_buffer()</li>
<li>[multiple] reduce direct use of srv->cur_ts</li>
<li>[multiple] extern log_epoch_secs</li>
<li>[multiple] reduce direct use of srv->errh</li>
<li>[multiple] stat_cache singleton</li>
<li>[mod_expire] parse config into structured data</li>
<li>[multiple] generic config array type checking</li>
<li>[multiple] rename r to rc rv rd wr to be different</li>
<li>[core] (minor) config_plugin_keys_t data packing</li>
<li>[core] inline buffer in log_error_st errh</li>
<li>[multiple] store srv->tmp_buf in tb var</li>
<li>[multiple] quiet clang compiler warnings</li>
<li>[core] http_status_set_error_close()</li>
<li>[core] http_request_host_policy w/ http_parseopts</li>
<li>[multiple] con->proto_default_port</li>
<li>[core] store log filename in (log_error_st *)</li>
<li>[core] separate log_error_open* funcs</li>
<li>[core] fdevent uses uint32_t instead of size_t</li>
<li>[mod_webdav] large buffer reuse</li>
<li>[mod_accesslog] flush file log buffer at 8k size</li>
<li>[core] include settings.h where used</li>
<li>[core] static buffers for mtime_cache</li>
<li>[core] convenience macros to check req methods</li>
<li>[core] support multiple error logs</li>
<li>[multiple] omit passing srv to fdevent_handler</li>
<li>[core] remove unused arg to fdevent_fcntl_set_nb*</li>
<li>[core] slightly simplify server_(over)load_check()</li>
<li>[core] isolate fdevent subsystem</li>
<li>[core] isolate stat_cache subsystem</li>
<li>[core] remove include base.h where unused</li>
<li>[core] restart dead piped loggers every 64 sec</li>
<li>[mod_webdav] use copy_file_range() if available</li>
<li>[core] perf: buffer copy and append</li>
<li>[core] copy some srv->srvconf into con->conf</li>
<li>[core] move keep_alive flag into request_st</li>
<li>[core] pass scheme port to http_request_parse()</li>
<li>[core] pass http_parseopts around request.c</li>
<li>[core] rename specific_config to request_config</li>
<li>[core] move request_st,request_config to request.h</li>
<li>[core] pass (request_st *) to request.c funcs</li>
<li>[core] remove unused request_st member ‘request’</li>
<li>[core] rename content_length to reqbody_length</li>
<li>[core] t/test_request.c using (request_st *)</li>
<li>[core] (const connection *) in http_header_*_get()</li>
<li>[mod_accesslog] log_access_record() fmt log record</li>
<li>[core] move request start ts into (request_st *)</li>
<li>[core] move addtl request-specific struct members</li>
<li>[core] move addtl request-specific struct members</li>
<li>[core] move plugin_ctx into (request_st *)</li>
<li>[core] move addtl request-specific struct members</li>
<li>[core] move request state into (request_st *)</li>
<li>[core] store (plugin *) in p->data</li>
<li>[core] store subrequest_handler instead of mode</li>
<li>[multiple] copy small struct instead of memcpy()</li>
<li>[multiple] split con, request (very large change)</li>
<li>[core] r->uri.path always set, though might be “”</li>
<li>[core] C99 restrict on some base funcs</li>
<li>[tests] stub out config funcs in test_mod_*</li>
<li>[tests] t/test_mod_userdir</li>
<li>[core] dispatch handler in handle_request func</li>
<li>[core] http_request_parse_target()</li>
<li>[mod_magnet] modify r->target with “uri.path-raw”</li>
<li>[core] remove r->uri.path_raw; generate as needed</li>
<li>[core] http_response_comeback()</li>
<li>[core] http_response_config()</li>
<li>[tests] use buffer_eq_slen() for str comparison</li>
<li>[core] http_status_append() short-circuit 200 OK</li>
<li>[core] mark some chunk.c funcs as pure</li>
<li>[core] use uint32_t in http_header.[ch]</li>
<li>[core] perf: tighten some code in some hot paths</li>
<li>[core] parse header label before end of line</li>
<li>[doc] add link to wiki in doc/outdated/ssl.txt</li>
<li>[doc] src/t/README</li>
<li>[mod_auth] “nonce_secret” option to validate nonce (fixes <a href="https://redmine.lighttpd.net/issues/2976">#2976</a>)</li>
<li>[build] fix build on MacOS X Tiger</li>
<li>[doc] lighttpd.conf: lighttpd choose event-handler</li>
<li>[config] blank server.tag if whitespace-only</li>
<li>[mod_proxy] stream request using HTTP/1.1 chunked (fixes <a href="https://redmine.lighttpd.net/issues/3006">#3006</a>)</li>
<li>[multiple] correct misspellings in comments</li>
<li>[multiple] fix some cc warnings in 32-bit, powerpc</li>
<li>[tests] fix skip count in mod-fastcgi w/o php-cgi</li>
<li>[multiple] ./configure --with-nettle to use Nettle</li>
<li>[core] skip excess close() when FD_CLOEXEC defined</li>
<li>[mod_cgi] remove redundant calls to set FD_CLOEXEC</li>
<li>[core] return EINVAL if stat_cache_get_entry w/o /</li>
<li>[mod_webdav] define PATH_MAX if not defined</li>
<li>[mod_accesslog] process backslash-escapes in fmt</li>
<li>[mod_openssl] disable cert vrfy if ALPN acme-tls/1</li>
<li>[core] add seed before openssl RAND_pseudo_bytes()</li>
<li>[mod_mbedtls] mbedTLS option for TLS</li>
<li>[core] prefer getxattr() instead of get_attr()</li>
<li>[multiple] use *(unsigned char *) with ctypes</li>
<li>[mod_openssl] do not log ECONNRESET unless debug</li>
<li>[mod_openssl] SSL_R_UNEXPECTED_EOF_WHILE_READING</li>
<li>[mod_gnutls] GnuTLS option for TLS (fixes <a href="https://redmine.lighttpd.net/issues/109">#109</a>)</li>
<li>[mod_openssl] rotate session ticket encryption key</li>
<li>[mod_openssl] set cert from callback in 1.0.2+ (fixes <a href="https://redmine.lighttpd.net/issues/2842">#2842</a>)</li>
<li>[mod_openssl] set chains from callback in 1.0.2+ (<a href="https://redmine.lighttpd.net/issues/2842">#2842</a>)</li>
<li>[core] RFC-strict parse of Content-Length</li>
<li>[build] point ./configure --help to support forum</li>
<li>[core] stricter parse of numerical digits</li>
<li>[multiple] add summaries to top of some modules</li>
<li>[core] sys-crypto-md.h w/ inline message digest fn</li>
<li>[mod_openssl] enable read-ahead, if set, after SNI</li>
<li>[mod_openssl] issue warning for deprecated options</li>
<li>[mod_openssl] use SSL_OP_NO_RENEGOTIATION if avail</li>
<li>[mod_openssl] use openssl feature define for ALPN</li>
<li>[mod_openssl] update default DH params</li>
<li>[core] SecureZeroMemory() on _WIN32</li>
<li>[core] safe memset calls memset() through volatile</li>
<li>[doc] update comments in doc/config/modules.conf</li>
<li>[core] more precise check for request stream flags</li>
<li>[mod_openssl] rotate session ticket encryption key</li>
<li>[mod_openssl] ssl.stek-file to specify encrypt key</li>
<li>[mod_mbedtls] ssl.stek-file to specify encrypt key</li>
<li>[mod_gnutls] ssl.stek-file to specify encrypt key</li>
<li>[mod_openssl] disable session cache; prefer ticket</li>
<li>[mod_openssl] compat with LibreSSL</li>
<li>[mod_openssl] compat with WolfSSL</li>
<li>[mod_openssl] set SSL_OP_PRIORITIZE_CHACHA</li>
<li>[mod_openssl] move SSL_CTX curve conf to new func</li>
<li>[mod_openssl] basic SSL_CONF_cmd for alt TLS libs</li>
<li>[mod_openssl] OCSP stapling (fixes <a href="https://redmine.lighttpd.net/issues/2469">#2469</a>)</li>
<li>[TLS] cert-staple.sh - refresh OCSP responses (<a href="https://redmine.lighttpd.net/issues/2469">#2469</a>)</li>
<li>[mod_openssl] compat with BoringSSL</li>
<li>[mod_gnutls] option to override GnuTLS priority</li>
<li>[mod_gnutls] OCSP stapling (<a href="https://redmine.lighttpd.net/issues/2469">#2469</a>)</li>
<li>[mod_extforward] config warning for module order</li>
<li>[mod_webdav] store webdav.opts as bitflags</li>
<li>[mod_webdav] limit webdav_propfind_dir() recursion</li>
<li>[mod_webdav] unsafe-propfind-follow-symlink option</li>
<li>[mod_webdav] webdav.opts “propfind-depth-infinity”</li>
<li>[mod_openssl] detect certs marked OCSP Must-Staple</li>
<li>[mod_gnutls] detect certs marked OCSP Must-Staple</li>
<li>[mod_openssl] default to set MinProtocol TLSv1.2</li>
<li>[mod_nss] NSS option for TLS (fixes <a href="https://redmine.lighttpd.net/issues/1218">#1218</a>)</li>
<li>[core] fdevent_load_file() shared code</li>
<li>[mod_openssl,mbedtls,gnutls,nss] fdevent_load_file</li>
<li>[core] error if s->socket_perms chmod() fails</li>
<li>[mod_openssl] prefer some WolfSSL native APIs</li>
<li>quiet clang analyzer scan-build warnings</li>
<li>[core] uint32_t is plenty large for path names</li>
<li>[mod_mysql_vhost] deprecated; use mod_vhostdb_mysql</li>
<li>[core] splaytree_djbhash() in splaytree.h (reuse)</li>
<li>[cmake] update deps for src/t/test_*</li>
<li>[cmake] update deps for src/t/test_*</li>
<li>[build] remove tests/mod-userdir.t from builds</li>
<li>[build] fix typo in src/Makefile.am EXTRA_DIST</li>
<li>[core] remove unused mbedtls_enabled flag</li>
<li>[core] store fd in srv->stdin_fd during setup</li>
<li>[multiple] address coverity warnings</li>
<li>[mod_webdav] fix theoretical NULL dereference</li>
<li>[mod_webdav] update rc for PROPFIND allprop</li>
<li>[mod_webdav] build fix: ifdef live_properties</li>
<li>[multiple] address coverity warnings</li>
<li>[meson] fix libmariadb dependency</li>
<li>[meson] add missing libmaxminddb section</li>
<li>[mod_auth,mod_vhostdb] add caching option (fixes <a href="https://redmine.lighttpd.net/issues/2805">#2805</a>)</li>
<li>[mod_authn_ldap,mod_vhostdb_ldap] add timeout opt (<a href="https://redmine.lighttpd.net/issues/2805">#2805</a>)</li>
<li>[mod_auth] accept “nonce-secret” & “nonce_secret”</li>
<li>[mod_openssl] fix build warnings on MacOS X</li>
<li>[core] Nettle assert()s if buffer len > digest sz</li>
<li>[mod_authn_dbi] authn backend employing DBI</li>
<li>[mod_authn_mysql,file] use crypt() to save stack</li>
<li>[mod_vhostdb_dbi] allow strings and ints in config</li>
<li>add ci-build.sh</li>
<li>move ci-build.sh to scripts</li>
<li>[build] build fixes for AIX</li>
<li>[mod_deflate] Brotli support</li>
<li>[build] bzip2 default to not-enabled in build</li>
<li>[mod_deflate] fix typo in config option</li>
<li>[mod_deflate] propagate errs from internal funcs</li>
<li>[mod_deflate] deflate.cache-dir compressed cache</li>
<li>[mod_deflate] mod_deflate subsumes mod_compress</li>
<li>[doc] mod_compress -> mod_deflate</li>
<li>[tests] mod_compress -> mod_deflate</li>
<li>[mod_compress] remove mod_compress</li>
<li>[build] add --with-brotli to CI build</li>
<li>[core] server.feature-flags extensible config</li>
<li>[core] con layer plugin_ctx separate from request</li>
<li>[multiple] con hooks store ctx in con->plugin_ctx</li>
<li>[core] separate funcs to reset (request_st *)</li>
<li>[multiple] rename connection_reset hook to request</li>
<li>[mod_nss] func renames for consistency</li>
<li>[core] detect and reject TLS connect to cleartext</li>
<li>[mod_deflate] quicker check for Content-Encoding</li>
<li>[mod_openssl] read secret data w/ BIO_new_mem_buf</li>
<li>[core] decode Transfer-Encoding: chunked from gw</li>
<li>[mod_fastcgi] decode Transfer-Encoding: chunked</li>
<li>[core] stricter parsing of POST chunked block hdr</li>
<li>[mod_proxy] send HTTP/1.1 requests to backends</li>
<li>[tests] test_base64.c clear buf vs reset</li>
<li>[core] http_header_remove_token()</li>
<li>[mod_webdav] fix inadvertent string truncation</li>
<li>[core] add some missing standard includes</li>
<li>[mod_extforward] attempt to quiet Coverity warning</li>
<li>[mod_authn_dbi,mod_authn_mysql] fix coverity issue</li>
<li>[build] fix SCons build for detection of brotli</li>
<li>[build] SCons build with brotli needs -lm on *BSD</li>
<li>[build] SCons build mod_deflate w/ libm for brotli</li>
<li>[build] SCons brotli needs pkg-config --static</li>
<li>[build] avoid accept_filter_arg compiler warning</li>
<li>[build] SCons fix space/tabs inconsistency</li>
<li>scons: fix check environment</li>
<li>Add avahi service file under doc/avahi/</li>
<li>[mod_webdav] fix fallback if linkat() fails</li>
<li>[mod_proxy] do not forward Expect: 100-continue</li>
<li>[core] chunkqueue_compact_mem() must upd cq->last</li>
<li>[core] dlsym for FAMNoExists() for compat w/ fam</li>
<li>[core] disperse settings.h to appropriate headers</li>
<li>[core] inline buffer_reset()</li>
<li>[mod_extforward] save proto per connection</li>
<li>[mod_extforward] skip after HANDLER_COMEBACK</li>
<li>[core] server.feature-flags to enable h2</li>
<li>[core] HTTP_VERSION_2</li>
<li>[multiple] allow TLS ALPN “h2” if “server.h2proto”</li>
<li>[mod_extforward] preserve changed addr for h2 con</li>
<li>[core] do not send Connection: close if h2</li>
<li>[core] lowercase response hdr field names for h2</li>
<li>[core] recognize status: 421 Misdirected Request</li>
<li>[core] parse h2 pseudo-headers</li>
<li>[core] request_headers_process()</li>
<li>[core] connection_state_machine_loop()</li>
<li>[core] reset connection counters per connection</li>
<li>[mod_accesslog,mod_rrdtool] HTTP/2 basic accounting</li>
<li>[core] connection_set_fdevent_interest()</li>
<li>[core] HTTP2-Settings</li>
<li>[core] adjust http_request_headers_process()</li>
<li>[core] http_header_parse_hoff()</li>
<li>[core] move http_request_headers_process()</li>
<li>[core] reqpool.[ch] for (request_st *)</li>
<li>[multiple] modules read reqbody via fn ptr</li>
<li>[multiple] isolate more con code in connections.c</li>
<li>[core] isolate more resp code in response.c</li>
<li>[core] h2.[ch] with stub funcs (incomplete)</li>
<li>[core] alternate between two joblists</li>
<li>[core] connection transition to HTTP/2; incomplete</li>
<li>[core] mark some error paths with attribute cold</li>
<li>[core] discard 100 102 103 responses from backend</li>
<li>[core] skip write throttle for 100 Continue</li>
<li>[core] adjust (disabled) debug code</li>
<li>[core] update comment</li>
<li>[core] link in ls-hpack (EXPERIMENTAL)</li>
<li>[core] HTTP/2 HPACK using LiteSpeed ls-hpack</li>
<li>[core] h2_send_headers() specialized for resp hdrs</li>
<li>[core] http_request_parse_header() specialized</li>
<li>[core] comment possible future ls-hpack optimize</li>
<li>[mod_status] separate funcs to print request table</li>
<li>[mod_status] adjust to print HTTP/2 requests</li>
<li>[core] redirect to dir using relative-path</li>
<li>[core] ignore empty field-name from backends</li>
<li>[build] fix meson build</li>
<li>[mod_auth] fix crash if auth.require misconfigured (fixes <a href="https://redmine.lighttpd.net/issues/3023">#3023</a>)</li>
<li>[core] fix 1-char trunc of default server.tag</li>
<li>[core] request_acquire(), request_release()</li>
<li>[core] keep pool of (request_st *) for HTTP/2</li>
<li>[mod_status] dedicated funcs for r->state labels</li>
<li>[core] move connections_get_state to connections.c</li>
<li>[core] fix crash on master after graceful restart</li>
<li>[core] defer optimization to read small files</li>
<li>[core] do not require ‘\0’ term for k,v hdr parse</li>
<li>[scripts] cert-staple.sh enhancements</li>
<li>[core] document algorithm used in lighttpd etag</li>
<li>[core] ls-hpack optimizations</li>
<li>[core] fix crash on master if blank line request</li>
<li>[build] fix typo in option description for wolfSSL</li>
<li>[core] use djbhash in gw_backend to choose host</li>
<li>[core] rename md5.[ch] to algo_md5.[ch]</li>
<li>[core] move djbhash(), dekhash() to algo_md.h</li>
<li>[core] rename splaytree.[ch] to algo_splaytree.[ch]</li>
<li>[core] import xxHash v0.8.0</li>
<li>[build] modify build, includes for xxHash v0.8.0</li>
<li>[build] remove ls-hpack/deps</li>
<li>[core] xxhash no inline hints; let compiler choose</li>
<li>[mod_dirlisting] fix config parsing crash</li>
<li>[mod_openssl] clarify trace w/ deprecated options</li>
<li>[doc] refresh doc/config/*/*</li>
<li>[core] code size: disable XXH64(), XXH3()</li>
<li>[doc] update README and INSTALL</li>
<li>[build] add to autogen.sh hint listing reqd pkgs</li>
<li>[core] combine Cookie request headers with ‘;’</li>
<li>[core] log stream id with debug.log-state-handling</li>
<li>[core] set r->state in h2.c</li>
<li>[mod_ssi] update chunk after shell output redirect</li>
<li>[mod_webdav] preserve bytes_out when chunks merged</li>
<li>[multiple] inline chunkqueue_length()</li>
<li>[core] cold h2_log_response_header*() funcs</li>
<li>[core] update HTTP status codes list from IANA</li>
<li>[mod_wolfssl] standalone module</li>
<li>[core] Content-Length in http_response_send_file()</li>
<li>[core] adjust response header prep for common case</li>
<li>[core] light_isupper(), light_islower()</li>
<li>[core] tst,set,clr macros for r->{rqst,resp}_htags</li>
<li>[core] separate http_header_e from _htags bitmask</li>
<li>[core] http_header_hkey_get_lc() for HTTP/2</li>
<li>[core] array.[ch] using uint32_t instead of size_t</li>
<li>[core] extend (data_string *) to store header id</li>
<li>[multiple] extend enum http_header_e list</li>
<li>[core] http_header_e <=> lshpack_static_hdr_idx</li>
<li>[core] skip ls-hpack decode work unused by lighttpd</li>
<li>[TLS] error if inherit empty TLS cfg from globals</li>
<li>[core] connection_check_expect_100()</li>
<li>[core] support multiple 1xx responses from backend</li>
<li>[core] reload c after chunkqueue_compact_mem()</li>
<li>[core] relay 1xx from backend over HTTP/2</li>
<li>[core] relay 1xx from backend over HTTP/1.1</li>
<li>[core] chunkqueue_{peek,read}_data(), squash</li>
<li>[multiple] TLS modules use chunkqueue_peek_data()</li>
<li>[mod_magnet] magnet.attract-response-start-to</li>
<li>[multiple] code reuse chunkqueue_peek_data()</li>
<li>[core] reuse r->start_hp.tv_sec for r->start_ts</li>
<li>[core] config_plugin_value_tobool() accept "0","1"</li>
<li>[core] graceful and immediate restart option</li>
<li>[mod_ssi] init status var before waitpid()</li>
<li>[core] graceful shutdown timeout option</li>
<li>[core] lighttpd -1 supports pipes (e.g. netcat)</li>
<li>[core] perf adjustments to avoid load miss</li>
<li>[multiple] use sock_addr_get_family in more places</li>
<li>[multiple] inline chunkqueue where always alloc’d</li>
<li>[core] propagate state after writing</li>
<li>[core] server_run_con_queue()</li>
<li>[core] defer handling FDEVENT_HUP and FDEVENT_ERR</li>
<li>[core] handle unexpected EOF reading FILE_CHUNK</li>
<li>[core] short-circuit connection_write_throttle()</li>
<li>[core] walk queue in connection_write_chunkqueue()</li>
<li>[core] connection_joblist global</li>
<li>[core] be more precise checking streaming flags</li>
<li>[core] fdevent_load_file_bytes()</li>
<li>[TLS] use fdevent_load_file_bytes() for STEK file</li>
<li>[core] allow symlinks under /dev for rand devices</li>
<li>[multiple] use light_btst() for hdr existence chk</li>
<li>[mod_deflate] fix potential NULL deref in err case</li>
<li>[core] save errno around close() if fstat() fails</li>
<li>[mod_ssi] use stat_cache_open_rdonly_fstat()</li>
<li>[core] fdevent_dup_cloexec()</li>
<li>[core] dup FILE_CHUNK fd when splitting FILE_CHUNK</li>
<li>[core] stat_cache_path_isdir()</li>
<li>[multiple] use stat_cache_path_isdir()</li>
<li>[mod_mbedtls] quiet CLOSE_NOTIFY after conn reset</li>
<li>[mod_gnutls] quiet CLOSE_NOTIFY after conn reset</li>
<li>[core] limit num ranges in Range requests</li>
<li>[core] remove unused r->content_length</li>
<li>[core] http_response_parse_range() const file sz</li>
<li>[core] pass open fd to http_response_parse_range</li>
<li>[core] stat_cache_get_entry_open()</li>
<li>[core,mod_deflate] leverage cache of open fd</li>
<li>[doc] comment out config disabling Range for .pdf</li>
<li>[core] coalesce nearby ranges in Range requests</li>
<li>[tests] simulate slow, small packets more quickly</li>
<li>[mod_fastcgi] decode chunked is cold code path</li>
<li>[core] fix chunkqueue_compact_mem w/ partial chunk</li>
<li>[core] alloc optim reading file, sending chunked</li>
<li>[core] reuse chunkqueue_compact_mem*()</li>
<li>[mod_cgi] use splice() to send input to CGI</li>
<li>[multiple] ignore openssl 3.0.0 deprecation warns</li>
<li>[mod_openssl] migrate ticket cb to openssl 3.0.0</li>
<li>[mod_openssl] construct OSSL_PARAM on stack</li>
<li>[mod_openssl] merge ssl_tlsext_ticket_key_cb impls</li>
<li>[multiple] openssl 3.0.0 digest interface migrate</li>
<li>[tests] detect multiple SSL/TLS/crypto providers</li>
<li>[core] sys-crypto-md.h consistent interfaces</li>
<li>[wolfssl] wolfSSL_CTX_set_mode differs from others</li>
<li>[multiple] use NSS crypto if no other crypto avail</li>
<li>[multiple] stat_cache_path_stat() for struct st</li>
<li>[TLS] ignore empty “CipherString” in ssl-conf-cmd</li>
<li>[multiple] remove chunk file.start member</li>
<li>[core] modify use of getrlimit() to not be fatal</li>
<li>[mod_webdav] add missing update to cq accounting</li>
<li>[mod_webdav] update defaults after worker_init</li>
<li>[mod_openssl] use newer openssl 3.0.0 func</li>
<li>[core] config_plugin_value_to_int32()</li>
<li>[core] minimize pause during graceful restart</li>
<li>[mod_deflate] use large mmap chunks to compress</li>
<li>[core] stat_cache_entry reference counting</li>
<li>[core] FILE_CHUNK can hold stat_cache_entry ref</li>
<li>[core] http_chunk_append_file_ref_range()</li>
<li>[multiple] use http_chunk_append_file_ref()</li>
<li>[core] always lseek() with shared fd</li>
<li>[core] silence coverity warnings (false positives)</li>
<li>[core] silence coverity warnings in ls-hpack</li>
<li>[core] silence coverity warnings (another try)</li>
<li>[core] fix fd sharing when splitting file chunk</li>
<li>[mod_mbedtls] quiet unused variable warning</li>
<li>[core] use inline funcs in sys-crypto-md.h</li>
<li>[core] add missing declaration for NSS rand</li>
<li>[core] init NSS lib for basic crypto algorithms</li>
<li>[doc] change mod_compress refs to mod_deflate</li>
<li>[doc] replace bzip2 refs with brotli</li>
<li>[build] remove svnversion from versionstamp rule</li>
<li>[doc] /var/run -> /run</li>
<li>[multiple] test for nss includes</li>
<li>[mod_nss] more nss includes fixes</li>
<li>[build] more portable autogen.sh shell script</li>
<li>[mod_webdav] define _NETBSD_SOURCE on NetBSD</li>
<li>[core] silence coverity warnings (another try)</li>
<li>[mod_mbedtls] newer mbedTLS vers support TLSv1.3</li>
<li>[mod_accesslog] update defaults after cycling log</li>
<li>[multiple] add some missing config cleanup</li>
<li>[core] fix (startup) mem leaks in configparser.y</li>
<li>[core] STAILQ_* -> SIMPLEQ_* on OpenBSD</li>
<li>[tests] OpenBSD crypt() support limited to bcrypt</li>
<li>[build] mark dependencies on crypto lib for MD5()</li>
<li>[build] use pkg-config with wolfssl</li>
<li>[mod_wolfssl] use more wolfssl/options.h defines</li>
<li>[mod_wolfssl] cripple SNI if not built OPENSSL_ALL</li>
<li>[mod_wolfssl] need to build --enable-alpn for ALPN</li>
<li>[mod_secdownload] fix compile w/ NSS on FreeBSD</li>
<li>[build] fix lib paths for GnuTLS, NSS</li>
<li>[build] add --with-brotli to meson.build</li>
<li>[build] CMake mod_openssl, mod_wolfssl can coexist</li>
<li>[build] CMake use pkg_check_modules() w/ wolfssl</li>
<li>[build] detect nss3/nss.h or nss/nss.h for NSS</li>
<li>[build] WITHOUT_LIB_CRYPTO option in code</li>
<li>[build] adjust meson.build for use by OpenWRT</li>
<li>[mod_mbedtls] wrap addtl code in preproc defines</li>
<li>[TLS] server.feature-flags “ssl.session-cache”</li>
<li>[core] workaround fragile code in wolfssl types.h</li>
<li>[core] move misplaced error trace to match option</li>
<li>[core] adjust wolfssl workaround for another case</li>
<li>[multiple] consistent order for crypto lib select</li>
<li>[multiple] include mbedtls/config.h after select</li>
<li>[multiple] include wolfssl/options.h after select</li>
<li>[core] set NSS_VER_INCLUDE after crypto lib select</li>
<li>[core] use system xxhash lib if available</li>
<li>[build] fix typo in configure.ac</li>
<li>[build] option to use system-provided libxxhash</li>
<li>[build] meson --with-xxhash option</li>
<li>[doc] refresh doc/config/conf.d/mime.conf</li>
<li>[meson] add matching -I for lua lib version</li>
<li>[build] prepend search for lua version 5.4</li>
<li>[core] use inotify in stat_cache.[ch] on Linux</li>
<li>[build] detect inotify header &lt;sys/inotify.h&gt;</li>
<li>[mod_nss] update session ticket NSS devel comment</li>
<li>[core] set last_used on rd/wr from backend (fixes <a href="https://redmine.lighttpd.net/issues/3029">#3029</a>)</li>
<li>[core] cold func for gw_recv_response error case</li>
<li>[core] use kqueue() instead of FAM/gamin on *BSD</li>
<li>[core] no graceful-restart-bg on OpenBSD, NetBSD</li>
<li>[mod_openssl] add LIBRESSL_VERSION_NUMBER checks</li>
<li>[core] use struct kevent on stack in stat_cache</li>
<li>[core] stat_cache preprocessor paranoia</li>
<li>[mod_openssl] adjust LIBRESSL_VERSION_NUMBER check</li>
<li>[mod_maxminddb] fix config validation typo</li>
<li>[tests] allow LIGHTTPD_EXE_PATH override</li>
<li>[multiple] handle NULL val as empty in *_env_add (fixes <a href="https://redmine.lighttpd.net/issues/3030">#3030</a>)</li>
<li>[core] accept “HTTP/2.0”, “HTTP/3.0” from backends (fixes <a href="https://redmine.lighttpd.net/issues/3031">#3031</a>)</li>
<li>[build] check for xxhash in more ways</li>
<li>[core] accept “HTTP/2.0”, “HTTP/3.0” from backends (<a href="https://redmine.lighttpd.net/issues/3031">#3031</a>)</li>
<li>[core] http_response_buffer_append_authority()</li>
<li>[core] define SHA*_DIGEST_LENGTH macros if missing</li>
<li>[doc] update optional pkg dependencies in INSTALL</li>
<li>[mod_alias] validate given order, not sorted order</li>
<li>[core] filter out duplicate modules</li>
<li>[mod_cgi] fix crash if initial write to CGI fails</li>
<li>[mod_cgi] ensure tmp file open() before splice()</li>
<li>[multiple] add back-pressure gw data pump (fixes <a href="https://redmine.lighttpd.net/issues/3033">#3033</a>)</li>
<li>[core] fix bug when HTTP/2 frames span chunks</li>
<li>[multiple] more forgiving config str to boolean (fixes <a href="https://redmine.lighttpd.net/issues/3036">#3036</a>)</li>
<li>[core] check for __builtin_expect() availability</li>
<li>[core] quiet more request parse errs unless debug</li>
<li>[core] consolidate chunk size checks</li>
<li>[mod_flv_streaming] use stat_cache_get_entry_open</li>
<li>[mod_webdav] pass full path to webdav_unlinkat()</li>
<li>[mod_webdav] fallbacks if _ATFILE_SOURCE not avail</li>
<li>[mod_fastcgi] move src/fastcgi.h into src/compat/</li>
<li>[mod_status] add additional HTML-encoding</li>
<li>[core] server.v4mapped option</li>
<li>[mod_webdav] workaround for gvfs dir redir bug</li>
</ul>