What's new in lighttpd 1.4.54
May 28, 2019
- behavior change: strict URL parsing and normalization (configurable)
- performance enhancements, bug fixes
New in lighttpd 1.4.53 (Jan 28, 2019)
- Important changes:
- TLS-ALPN-01, systemd socket activation, bug fixes
- Future scheduled behavior change (Q1 2019):
- Beginning in Q1 2019, lighttpd defaults are scheduled to change to perform limited URL normalization on HTTP requests.
- Since lighttpd 1.4.50, this URL normalization is available with server.http-parseopts . The lighttpd default will become server.http-parseopts = (“url-normalize-unreserved” => “enable”, “url-path-2f-decode” => “enable”) unless server.http-parseopts is explicitly set in the lighttpd config. Enabling URL normalization by default will provide more consistent behavior for mod_redirect and mod_rewrite, which match against the (url-encoded) URL request. However, decoding / by default, while generally desirable for consistency, is potentially a breaking change for those encoding URLs in the url-path and relying on the literal ‘/’ as a delimiter. For those uses, “url-path-2f-decode” => “disable” will need to be explicitly set in the lighttpd config.
- https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
- The recommended settings for server.http-parseopts are the following, unless specific use requires looser settings:
- server.http-parseopts = (
- "header-strict" => "enable",
- "host-strict" => "enable",
- "host-normalize" => "enable",
- "url-normalize" => "enable",
- "url-normalize-unreserved" => "enable",
- "url-normalize-required" => "enable",
- "url-ctrls-reject" => "enable",
- "url-path-2f-decode" => "enable",
- "url-path-dotseg-remove" => "enable",
- "url-query-20-plus" => "enable"
New in lighttpd 1.4.52 (Nov 29, 2018)
- Performance enhancements, bug fixes.
New in lighttpd 1.4.51 (Oct 15, 2018)
- security fixes
- bug fixes
- new module: mod_authn_pam
- support for wolfSSL
New in lighttpd 1.4.50 (Aug 15, 2018)
New in lighttpd 1.4.49 (Mar 12, 2018)
- [core] adjust offset if response header blank line
- [mod_accesslog] %{canonical,local,remote}p (fixes #2840)
- [core] support POLLRDHUP, where available (#2743)
- [mod_proxy] basic support for HTTP CONNECT method (#2060)
- [mod_deflate] fix deflate of file > 2MB w/o mmap
- [core] fix segfault if tempdirs fill up (fixes #2843)
- [mod_compress,mod_deflate] try mmap MAP_PRIVATE
- [core] discard from socket using recv MSG_TRUNC
- [core] report to stderr if errorlog path ENOENT (fixes #2847)
- [core] fix base64 decode when char is unsigned (fixes #2848)
- [mod_authn_ldap] fix mem leak when ldap auth fails (fixes #2849)
- [core] warn if mod_indexfile after dynamic handler
- [core] do not reparse request if async cb
- [core] non-blocking write() to piped loggers
- [mod_openssl] minor code cleanup; reduce var scope
- [mod_openssl] elliptic curve auto selection (fixes #2833)
- [core] check for path-info forward down path
- [mod_authn_ldap] auth with ldap referrals (fixes #2846)
- [core] code cleanup: separate physical path sub
- [core] merge redirect/rewrite pattern substitution
- [core] fix POST with chunked request body (fixes #2854)
- [core] remove unused func
- [doc] minor update to outdated doc
- [mod_wstunnel] fix for frames larger than 64k (fixes #2858)
- [core] fix 32-bit compile POST w/ chunked request body (#2854)
- [core] add include sys/poll.h on Solaris (fixes #2859)
- [core] fix path-info calculation in git master (fixes #2861)
- [core] pass array_get_element_klen() const array *
- [core] increase stat_cache abstraction
- [core] open additional fds O_CLOEXEC
- [core] fix CONNECT w strict header parsing enabled
- [mod_extforward] CIDR support for trusted proxies (fixes #2860)
- [core] re-enable overloaded backends w/ multi wkrs
- [autoconf] reduce minimum automake version to 1.13
- [mod_auth] constant time compare plain passwords
- [mod_auth] check that digest realm matches config
- [core] fix incorrect hash algorithm impl
New in lighttpd 1.4.47 (Oct 29, 2017)
- bug fixes: fix two regressions in 1.4.46
New in lighttpd 1.4.45 (Jan 15, 2017)
- bug fixes (bug-fix-only release)
New in lighttpd 1.4.44 (Dec 29, 2016)
- support HTTP/1.1 ‘Transfer-Encoding: chunked’ request body
- bug fixes
New in lighttpd 1.4.43 (Nov 1, 2016)
- [autobuild] remove mod_authn_gssapi dep on resolv
- [mod_deflate] ignore ‘*’ in deflate.mimetypes
- [autobuild] omit module stubs when missing deps
- [TLS] openssl 1.1.0 hides struct bignum_st
- [autobuild] move http_cgi_ssl_env() for Mac OS X (fixes #2757)
- [core] use paccept() on NetBSD (replace accept4())
- [TLS] remote IP conditions are valid for TLS SNI (fixes #2272)
- [doc] lighttpd-angel.8 (fixes #2254)
- [cmake] build fcgi-auth, fcgi-responder for tests
- [mod_accesslog] %{ratio}n logs compression ratio (fixes #2133)
- [mod_deflate] skip deflate if loadavg too high (fixes #1505)
- [mod_expire] expire by mimetype (fixes #423)
- [mod_evhost] partial matching patterns (fixes #1194)
- build: use CC_FOR_BUILD for lemon when cross-compiling
- [mod_dirlisting] config header and readme files
- [config] warn if mod_authn_ldap,mysql not listed
- fix FastCGI, SCGI, proxy reconnect on failure
- [core] network_open_file_chunk() temp file opt
- [mod_rewrite] add more info in error log msg
- [core] fix fd leak when using libev (fixes #2761)
- [core] fix potential streaming tempfile corruption (fixes #2760)
- [mod_scgi] fix prefix matching to always match url
- [autobuild] adjust Makefile.am for FreeBSD
New in lighttpd 1.4.42 (Oct 16, 2016)
- new modules, expanded features, rewritten auth framework
- fix bugs introduced in 1.4.40/1.4.41
New in lighttpd 1.4.41 (Jul 31, 2016)
- security fixes
- fix bugs introduced in 1.4.40
New in lighttpd 1.4.40 (Jul 21, 2016)
- Important changes:
- major bug-fix release; hundreds of issues resolved in issue tracker
- git master lighttpd source repository (migrated from svn)
- Highlights:
- improved resource management
- asynchronous, bidirectional streaming options to dynamic backends
- detect client disconnects and abort request to dynamic backends
- rework dynamic handler control flow logic for consistent clean up
- constrained memory footprint; limit memory used by large responses
- robustness and portability
- fallback to traditional I/O if mmap or sendfile not available
- update support for lua 5.2, 5.3; memcached; libressl; openssl 1.1.0
- better cygwin support; passes tests
- better webdav support
- selected new features
- lighttpd -tt performs config validation and preflight startup checks
- lighttpd -1 process single (one) request on stdin socket (e.g. xinetd)
- lighttpd -i graceful shutdown after of inactivity
- config file supports include file globs (e.g. include “conf.d/*.conf”)
- server.bsd-accept-filter (“httpready”, “dataready”)
- server.error-handler to handle 4xx and 5xx status
- server.http-parseopt-header-strict restrict chars allowed in HTTP headers
- server.http-parseopt-host-strict restrict chars allowed in HTTP Host
- server.http-parseopt-host-normalize normalize HTTP Host header
- server.listen-backlog to configure socket listen backlog
- server.max-request-size is now scopeable (no longer one global setting)
- server.stream-request-body to control streaming, buffering of request
- server.stream-response-body to control streaming, buffering of response
- server.upload-dirs will retry in remaining dirs in list if disk full
- accesslog.format now supports %a %A %C %D %k %{}t %{}T
- evasive.location for 302 redirect option if limit reached
- url.rewrite and url.redirect now short-circuit if replacement is blank
- url.access-allow for explicit list of allowed suffixes; deny others
- mod_cgi handles local redirect response if Location: /path?query
- REDIRECT_URI is set for internal redirects (cgi, magnet, rewrite, errdoc)
- REDIRECT_STATUS is set to http error status for error docs
- mod_indexfile sets PATH_TRANSLATED_DIRINDEX if target URL begins w/ ‘/’
- “listen-backlog” to configure socket listen backlog for FastCGI, SCGI
- X-Sendfile for CGI and SCGI (in addition to FastCGI)
New in lighttpd 1.4.39 (Jan 4, 2016)
- This release fixes crashes resulting from a use after free (#2700) and was introduced in 1.4.36.
New in lighttpd 1.4.38 (Dec 6, 2015)
- mod_secdownload now requires an algorithm option to be set
- fix a header parse bug (#2670)
- sendfile support for darwin (just select “sendfile” as backend)
New in lighttpd 1.4.37 (Aug 31, 2015)
- This release contains mostly regression fixes for 1.4.36 and other bug fixes.
New in lighttpd 1.4.36 (Jul 26, 2015)
- [ssl] disable SSL3.0 by default
- escape all strings for logging
- fix segfault when temp file for upload couldn’t be created (found by coverity)
- changes to the internal API for buffers, chunks and more; 3rd party plugins are likely to break
New in lighttpd 1.4.35 (Nov 13, 2014)
- This release contains a lot of bug fixes, many detected by scan.coverity.com (and more to come). The main reason for the release is a fix for an SQL injection (and path traversal) bug triggered by specially crafted (and invalid) Host: headers.
New in lighttpd 1.4.34 (Jan 20, 2014)
- Important changes:
- There have been some important security fixes pending (which you should already have gotton through your favorite distribution); I am sorry for the delayed release (we probably should communicate security bugs on our page and mailing lists too for those who are not following oss-security).
- We updated the “standard” ssl cipher string recommendation to ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"; see below for the detailed reasons.
- Regression warning:
- The fix for lighttpd SA-2013-01 (CVE-2013-4508, “Using possibly vulnerable cipher suites with SNI”) includes a regression:
- Each SSL_CTX also gets loaded with all values for ssl.ca-file from all blocks in the config.
- This means that your ssl.ca-files must not contain cyclic chains and should use unique subject names.
- See Debian Bug – #729555 for more details.
- Security fixes:
- lighttpd SA-2013-01 (CVE-2013-4508)
- lighttpd SA-2013-02 (CVE-2013-4559)
- lighttpd SA-2013-03 (CVE-2013-4560)
- OpenSSL cipher string recommendation:
- The cipher string recommendation is based on ssllabs’ SSL/TLS Deployment Best Practices 1.3 / 17 September 2013:
- BEAST is considered mitigated on client side now and new weaknesses have been found in RC4, so it is strongly advised to disable RC4 ciphers (HIGH doesn’t include RC4)
- It is recommended to disable 3DES too (although disabling RC4 and 3DES breaks IE6+8 on Windows XP, so you might want to support 3DES for now – just remove the !3DES parts below; replace it with +3DES !MD5 at the end to prefer AES128 over 3DES and to disable the 3DES variant with MD5).
- The examples below prefer ciphersuites with “Forward Secrecy” and ECDHE over DHE (alias EDH); remove +kEDH +kRSA if you don’t want that.
- SRP and PSK are not supported anyway, excluding those (!kSRP !kPSK) just keeps the list smaller (easier to review)
- As almost all keys these days are RSA limiting to aRSA+HIGH make the lists even smaller. Use HIGH instead of aRSA+HIGH for a more generic version.
- Not included on purpose:
- STRENGTH: the list from HIGH is already ordered, reordering is not required. STRENGTH also prefers 3DES over AES128.
- !SSLv2, !EXPORT, !eNULL, !DES, !RC4, !LOW: HIGH shouldn’t include those ciphers, no need to remove them.
- !MD5: HIGH might include a 3DES cipher with MD5 on old systems; !3DES should remove MD5 too.
- !aNULL, !ADH: doesn’t matter on server side, and clients should always verify the server certificate, which fails when the server doesn’t have one.
- You can check the cipher list with: openssl ciphers -v 'aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK' | column -t (use single quotes as your shell won’t like ! in double quotes).
New in lighttpd 1.4.33 (Sep 28, 2013)
- Time to get some fixes out; nothing special, just many small fixes – and some new features.
New in lighttpd 1.4.26 (Feb 8, 2010)
- There have been some important bug fixes (request parser handling for splitted header data, a fd leak in mod_cgi, a segfault with broken configs in mod_rewrite/mod_redirect, HUP detection and an OOM/DoS vulnerability).