
1.4.42

Important changes

  • new modules, expanded features, rewritten auth framework
  • fix bugs introduced in 1.4.40/1.4.41

Downloads

Highlights

  • new modules, expanded features
    • performance: use extended socket/file syscalls and flags
    • rewritten auth framework
      • updated mod_authn_ldap
      • new mod_authn_gssapi
      • new mod_authn_mysql
    • new mod_deflate
    • new mod_geoip
    • new mod_uploadprogress
    • mod_dirlisting sortable columns
    • mod_fastcgi support for authorizer, responder keyed with same path/extension
    • mod_cgi permit CGI exec of unreadable files
    • mod_scgi support for uwsgi protocol for Python WSGI backends
    • add some SSL_* variables to CGI environment
  • bug fixes
    • remove preemptive shutdown() to backend
    • fix backend socket connect issue: enforce wait for POLLWR after EINPROGRESS
    • fix crash if ready events on abandoned fd
    • fix broken digest auth
  • behavior changes
    • behavior change in mod_ssi to conform to same CGI env as CGI, FastCGI, SCGI:
      • REQUEST_URI is original client request, instead of URI modified by mod_rewrite.
      • DOCUMENT_ROOT changes if mod_alias or mod_userdir changes basedir.

1.4.41

Important changes

  • security fixes
  • fix bugs introduced in 1.4.40

Downloads

Highlights

  • security fixes
    • security: encode quoting chars in HTML and XML
    • security: ensure gid != 0 if server.username is set, but not server.groupname
    • security: disable stat_cache if server.follow-symlink = "disable"
    • security: httpoxy defense: do not emit HTTP_PROXY to CGI env
  • fix bugs introduced in 1.4.40 (sorry)
    • bug: lighttpd 1.4.40 might leave client sockets in TIME WAIT (FIN2_WAIT)
    • bug: lighttpd 1.4.40 times out on TLS requests with POST data
    • bug: lighttpd 1.4.40 reversed REQUEST_URI/REDIRECT_URI (now reverted)
    • bug: lighttpd 1.4.40 rejects IPv6 addrs in $HTTP["remoteip"]
    • bug: lighttpd 1.4.40 rejects IPv6 addrs in $SERVER["socket"] scope identifier
    • bug: lighttpd 1.4.40 segfault in mod_accesslog if %T in custom format
    • bug: lighttpd 1.4.40 might trigger assert when converting to hex string
  • behavior changes
    • new: use TMPDIR if server.upload-dirs is not defined, "/var/tmp" if neither
    • new: inherit server.use-ipv6 and server.set-v6only from global scope
    • reverted REQUEST_URI/REDIRECT_URI to match behavior in lighttpd <= 1.4.39
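The httpoxy defense listed above (do not emit HTTP_PROXY to the CGI environment) is easy to see in a small model of the header-to-environment mapping. The following is an added example, not lighttpd's own code: it maps request headers to CGI `HTTP_*` meta-variables the way RFC 3875 describes, and drops a client-supplied `Proxy` header so that it never reaches the CGI process as `HTTP_PROXY`, where HTTP client libraries would read it as their outbound proxy setting. The header list at the bottom is constructed sample input.

```python
# Added example (not lighttpd code): build the HTTP_* part of a CGI
# environment from request headers, applying the httpoxy defense that
# lighttpd 1.4.41 adopted: the "Proxy" request header is never exported
# as HTTP_PROXY.

def header_to_env_name(name: str) -> str:
    """Map an HTTP header name to its CGI meta-variable name (RFC 3875 4.1.18):
    upper-case, '-' replaced by '_', prefixed with HTTP_."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def build_cgi_env(headers, drop_proxy=True):
    """Return a dict of HTTP_* variables for the given (name, value) pairs.

    drop_proxy=True is the 1.4.41 behaviour: a client "Proxy" header is
    discarded instead of becoming HTTP_PROXY. drop_proxy=False reproduces the
    pre-fix mapping so the difference is visible.
    """
    env = {}
    for name, value in headers:
        key = header_to_env_name(name)
        if drop_proxy and key == "HTTP_PROXY":
            continue
        # Repeated headers are combined into one value, comma-separated.
        if key in env:
            env[key] = env[key] + ", " + value
        else:
            env[key] = value
    return env


# Constructed sample request headers (not a captured request); the "Proxy"
# header is the one a CGI script must never see as HTTP_PROXY.
SAMPLE_HEADERS = [
    ("Host", "example.com"),
    ("User-Agent", "curl/7.50"),
    ("Proxy", "http://proxy.example.invalid:8080"),
    ("Accept", "text/html"),
    ("Accept", "application/xhtml+xml"),
]

if __name__ == "__main__":
    for k, v in sorted(build_cgi_env(SAMPLE_HEADERS).items()):
        print(f"{k}={v}")
```

Running the script prints HTTP_ACCEPT, HTTP_HOST and HTTP_USER_AGENT but no HTTP_PROXY; calling `build_cgi_env(SAMPLE_HEADERS, drop_proxy=False)` shows the variable a pre-1.4.41 server would have exported.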

Future scheduled behavior changes in lighttpd 1.4.42

  • mod_ssi will set REQUEST_URI to original, client-requested URI
    to match behavior of mod_cgi, mod_fastcgi, mod_scgi, mod_cml

1.4.40

Important changes

  • major bug-fix release; hundreds of issues resolved in issue tracker
  • git master lighttpd source repository (migrated from svn)

Downloads

Highlights

  • improved resource management
    • asynchronous, bidirectional streaming options to dynamic backends
    • detect client disconnects and abort request to dynamic backends
    • rework dynamic handler control flow logic for consistent clean up
    • constrained memory footprint; limit memory used by large responses
  • robustness and portability
    • fallback to traditional I/O if mmap or sendfile not available
    • update support for lua 5.2, 5.3; memcached; libressl; openssl 1.1.0
    • better cygwin support; passes tests
    • better webdav support
  • selected new features
    • lighttpd -tt performs config validation and preflight startup checks
    • lighttpd -1 process single (one) request on stdin socket (e.g. xinetd)
    • lighttpd -i <secs> graceful shutdown after <secs> of inactivity
    • config file supports include file globs (e.g. include "conf.d/*.conf")
    • server.bsd-accept-filter ("httpready", "dataready")
    • server.error-handler to handle 4xx and 5xx status
    • server.http-parseopt-header-strict restrict chars allowed in HTTP headers
    • server.http-parseopt-host-strict restrict chars allowed in HTTP Host
    • server.http-parseopt-host-normalize normalize HTTP Host header
    • server.listen-backlog to configure socket listen backlog
    • server.max-request-size is now scopeable (no longer one global setting)
    • server.stream-request-body to control streaming, buffering of request
    • server.stream-response-body to control streaming, buffering of response
    • server.upload-dirs will retry in remaining dirs in list if disk full
    • accesslog.format now supports %a %A %C %D %k %{}t %{}T
    • evasive.location for 302 redirect option if limit reached
    • url.rewrite and url.redirect now short-circuit if replacement is blank
    • url.access-allow for explicit list of allowed suffixes; deny others
    • mod_cgi handles local redirect response if Location: /path?query
    • REDIRECT_URI is set for internal redirects (cgi, magnet, rewrite, errdoc)
    • REDIRECT_STATUS is set to http error status for error docs
    • mod_indexfile sets PATH_TRANSLATED_DIRINDEX if target URL begins w/ ‘/’
    • “listen-backlog” to configure socket listen backlog for FastCGI, SCGI
    • X-Sendfile for CGI and SCGI (in addition to FastCGI)

Future scheduled behavior changes in lighttpd 1.4.41

  • server.use-ipv6 = "enable" will be inherited from global scope if set, so if that is not what is desired, add server.use-ipv6 = "disable" to appropriate $SERVER["socket"] blocks. Similar for server.set-v6only.
  • long-deprecated config directives will be removed. These directives are non-functional and emit a warning message if directives were renamed. After being removed, they will result in “directive unknown” warnings.

1.4.38

We should have released sooner (due to #2670) - let’s hope we got it right this time :)

Important changes

  • mod_secdownload now requires an algorithm option to be set
  • fix a header parse bug (#2670)
  • sendfile support for darwin (just select “sendfile” as backend)

Downloads

1.4.37

In good tradition every (second) release is followed by another one to fix the regressions. Sorry… So this release contains mostly regression fixes for 1.4.36 and other bug fixes.

Important changes

1.4.37 contains some regression fixes for 1.4.36, and cmake, scons and FreeBSD (and maybe other BSDs) related fixes. Static builds (for now scons only) have been improved. mmap handling in mod_cgi was improved, also the network mmap backend now handles SIGBUS (SIGBUS is triggered if a file gets smaller while reading; there are still some other places this can happen).

The internal API changed again, so please be careful with 3rd party plugins.

The test suite on our jenkins instance is now also run for scons (including static and fullstatic builds) and FreeBSD, hopefully preventing the kind of regressions especially FreeBSD had with 1.4.36 in future releases.

Downloads

1.4.36

This release contains mostly bug fixes.

Important changes

  • [ssl] disable SSL3.0 by default
  • escape all strings for logging
  • fix segfault when temp file for upload couldn’t be created (found by coverity)
  • changes to the internal API for buffers, chunks and more; 3rd party plugins are likely to break

Downloads

1.4.35

Important changes

This release contains a lot of bug fixes, many detected by scan.coverity.com (and more to come). The main reason for the release is a fix for an SQL injection (and path traversal) bug triggered by specially crafted (and invalid) Host: headers.

Security fixes

Downloads

1.4.34

Important changes

There have been some important security fixes pending (which you should already have gotten through your favorite distribution); I am sorry for the delayed release (we probably should communicate security bugs on our page and mailing lists too for those who are not following oss-security).

We updated the “standard” ssl cipher string recommendation to ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"; see below for the detailed reasons.

Regression warning

The fix for lighttpd SA-2013-01 (CVE-2013-4508, “Using possibly vulnerable cipher suites with SNI”) includes a regression:

Each SSL_CTX also gets loaded with all values for ssl.ca-file from all blocks in the config.

This means that your ssl.ca-files must not contain cyclic chains and should use unique subject names.

See Debian Bug - #729555 for more details.

Security fixes

OpenSSL cipher string recommendation

The cipher string recommendation is based on ssllabs’ SSL/TLS Deployment Best Practices 1.3 / 17 September 2013:

  • BEAST is considered mitigated on client side now and new weaknesses have been found in RC4, so it is strongly advised to disable RC4 ciphers (HIGH doesn’t include RC4)
  • It is recommended to disable 3DES too (although disabling RC4 and 3DES breaks IE6+8 on Windows XP, so you might want to support 3DES for now - just remove the !3DES parts below; replace it with +3DES !MD5 at the end to prefer AES128 over 3DES and to disable the 3DES variant with MD5).
  • It prefers ciphersuites with “Forward Secrecy” and ECDHE over DHE (alias EDH); remove +kEDH +kRSA if you don’t want that.
  • SRP and PSK are not supported anyway, excluding those (!kSRP !kPSK) just keeps the list smaller (easier to review)
  • As almost all keys these days are RSA, limiting to aRSA+HIGH makes the list even smaller. Use HIGH instead of aRSA+HIGH for a more generic version.
  • If you want to enforce “Forward Secrecy” (breaks some clients) replace +kRSA with -kRSA.

Not included on purpose:

  • STRENGTH: the list from HIGH is already ordered, reordering is not required. STRENGTH also prefers 3DES over AES128.
  • !SSLv2, !EXPORT, !eNULL, !DES, !RC4, !LOW: HIGH shouldn’t include those ciphers in recent openssl versions, no need to remove them. If you are using an old version, appending !RC4 !NULL should fix it (and does no harm in recent versions). Consider upgrading too - you probably are missing TLS1.2.
  • !MD5: HIGH might include a 3DES cipher with MD5 on old systems; !3DES should remove MD5 too.
  • !aNULL, !ADH: doesn’t matter on server side, and clients should always verify the server certificate, which fails when the server doesn’t have one.

You can check the cipher list with: openssl ciphers -v 'aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK' | column -t (use single quotes as your shell won’t like ! in double quotes).
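Reviewing that `openssl ciphers -v` output by eye works for a short list, but it is easy to miss one RC4 or 3DES suite. The following is an added example, not part of lighttpd or the release notes: it parses the tabular `openssl ciphers -v` output (pipe the real output into the script on stdin) and reports every suite that the recommendation above is meant to exclude (RC4, 3DES, MD5, anonymous or null suites), with an optional strict mode that also flags suites without forward secrecy, matching the `-kRSA` variant described above. The sample output embedded in the script is constructed, not captured from a real OpenSSL build.

```python
# Added example (not lighttpd code): audit 'openssl ciphers -v' output
# against the 1.4.34 cipher-string recommendation.
import re
import sys

# One "openssl ciphers -v" line has the shape:
#   NAME  PROTO  Kx=...  Au=...  Enc=...  Mac=...   (followed by optional fields)
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Key-exchange values that give forward secrecy (ephemeral DH / ECDH).
FORWARD_SECRET_KX = {"ECDH", "DH"}


def parse_ciphers(text):
    """Parse 'openssl ciphers -v' output into a list of field dicts."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def audit(suites, require_forward_secrecy=False):
    """Return (suite name, reason) pairs for every suite the recommendation excludes.

    require_forward_secrecy=True corresponds to using -kRSA instead of +kRSA:
    every suite whose key exchange is plain RSA is reported as well.
    """
    problems = []
    for s in suites:
        reasons = []
        if s["enc"].startswith("RC4"):
            reasons.append("RC4")
        if s["enc"].startswith("3DES"):
            reasons.append("3DES")
        if s["mac"] == "MD5":
            reasons.append("MD5")
        if s["au"] == "None":
            reasons.append("anonymous")
        if s["enc"] == "None":
            reasons.append("null cipher")
        if require_forward_secrecy and s["kx"] not in FORWARD_SECRET_KX:
            reasons.append("no forward secrecy")
        problems.extend((s["name"], r) for r in reasons)
    return problems


# Constructed sample output in the 'openssl ciphers -v' layout; it mixes
# acceptable suites with ones the recommendation is meant to remove.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(128)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=MD5
"""

if __name__ == "__main__":
    # Use real output when piped in, e.g.
    #   openssl ciphers -v 'aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK' | python3 audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    strict = "--forward-secrecy" in sys.argv
    for name, reason in audit(parse_ciphers(text), require_forward_secrecy=strict):
        print(f"{name}: {reason}")
```

With the recommended string, a recent OpenSSL should produce no output from this script; anything it prints is a suite that either the OpenSSL version or the cipher string has let through.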

The default DH-parameters included in lighttpd are only 1024-bit; some implementations out there can’t handle more, and you can’t negotiate them. To fix this you have two options:

  • Remove the DH ciphers: replace +kEDH with -kEDH.
  • Use 4096-bit parameters and break clients with which you would negotiate DH but which only support 1024-bit parameters. Put the following parameters (included in gnutls) in a file and set them with the ssl.dh-file option:
-----BEGIN DH PARAMETERS-----
…
-----END DH PARAMETERS-----

Downloads

1.4.33

Time to get some fixes out; nothing special, just many small fixes - and some new features.

Downloads