Changelog for lighttpd-1.4.76-35.1.x86_64.rpm:
* Sat Apr 13 2024 Andreas Stieger
- update to 1.4.76:
  * detect VU#421644 HTTP/2 CONTINUATION Flood
  * issue trace and send GO_AWAY
  * tarball is now more reproducible and verifiable

* Sat Mar 23 2024 Andreas Stieger
- update to 1.4.75:
  * incrementally stronger TLS cipher defaults
  * fix a regression in mod_dirlisting in lighttpd 1.4.74
  * add missing file src/compat/sys/queue.h to the release tarball
- packaging changes upon notes by the upstream developers:
  * drop usage of lightytest.sh and PHP dependencies
  * drop unneeded build dependencies and build options
  * drop non-default BZIP2 support
  * update description of -mod_webdav

* Fri Mar 01 2024 Andreas Stieger
- update to 1.4.74:
  * Some messages sent to syslog() (if enabled in lighttpd config) have been
    changed to use different priorities (e.g. LOG_WARNING, LOG_DEBUG) instead
    of everything being sent with LOG_ERROR priority. The change affects only
    lighttpd configs which set server.errorlog-use-syslog = "enable"
    (not default)
  * Other bug fixes

* Mon Feb 05 2024 Andreas Stieger
- fix user/group with rpm 4.19 (boo#1219549)

* Tue Oct 31 2023 Andreas Stieger
- update to 1.4.73:
  * CVE-2023-44487: HTTP/2 detect and log rapid reset attack (boo#1216123)

* Sat Oct 07 2023 Andreas Stieger
- update to 1.4.72:
  * a number of bug fixes and developer visible changes

* Sun May 28 2023 Andreas Stieger
- update to 1.4.71:
  * HTTP/2 support separated to mod_h2 module

* Fri May 12 2023 Andreas Stieger
- update to 1.4.70:
  * speed up CGI spawning
  * support HTTP/2 downstream proxy serving multiple clients on single
    connection (mod_extforward, mod_maxminddb)
  * no longer building separate modules for built-in modules
    lighttpd omits building separate (unused) modules for:
    mod_access mod_alias mod_evhost mod_expire mod_fastcgi mod_indexfile
    mod_redirect mod_rewrite mod_scgi mod_setenv mod_simple_vhost
    mod_staticfile

* Sat Feb 11 2023 Andreas Stieger
- update to 1.4.69:
  * bug fixes and portability fixes

* Sat Jan 21 2023 Andreas Stieger
- update to 1.4.68:
  * TLS modules now default to using stronger, modern ciphers and will
    default to allow client preference in selecting ciphers. Allowing client
    preference in selecting ciphers is safe to do along with restrictions to
    use modern ciphers supporting PFS, and is better for mobile users without
    AES hardware acceleration. Legacy ciphers can still be configured in
    lighttpd.conf using `ssl.openssl.ssl-conf-cmd`, as long as the ciphers
    are supported by the underlying TLS libraries.
    https://wiki.lighttpd.net/Docs_SSL
    new defaults:
      "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384",
      "Options" => "-ServerPreference"
    old defaults:
      "CipherString" => "HIGH",
      "Options" => "ServerPreference"
  * Deprecated TLS options have been removed.
    - ssl.honor-cipher-order
    - ssl.dh-file
    - ssl.ec-curve
    - ssl.disable-client-renegotiation
    - ssl.use-sslv2
    - ssl.use-sslv3
    See https://wiki.lighttpd.net/Docs_SSL for replacements with
    `ssl.openssl.ssl-conf-cmd`, but prefer lighttpd defaults instead.
  * Deprecated: mod_evasive has been removed
  * Deprecated: mod_secdownload has been removed
  * Deprecated: mod_uploadprogress has been removed
  * Deprecated: mod_usertrack has been removed
    These four modules can be replaced with a few lines of LUA.
* Wed Nov 16 2022 Andreas Stieger
- package license file

* Tue Nov 15 2022 pgajdosAATTsuse.com
- build with php8 on current releases

* Fri Sep 23 2022 Dirk Müller
- update to 1.4.67:
  * Update comment about TCP_INFO on OpenBSD
  * [mod_ajp13] fix crash with bad response headers (fixes #3170)
  * [core] handle RDHUP when collecting chunked body CVE-2022-41556 boo#1203872
  * [core] tweak streaming request body to backends
  * [core] handle ENOSPC with pwritev() (#3171)
  * [core] manually calculate off_t max (fixes #3171)
  * [autoconf] force large file support (#3171)
  * [multiple] quiet coverity warnings using casts
  * [meson] add license keyword to project declaration

* Tue Sep 13 2022 Andreas Stieger
- update to 1.4.66:
  * a number of bug fixes
  * Fix HTTP/2 downloads >= 4GiB
  * Fix SIGUSR1 graceful restart with TLS
  * further bug fixes
  * CVE-2022-37797: null pointer dereference in mod_wstunnel, possibly a
    remotely triggerable crash (boo#1203358)
  * In an upcoming release the TLS modules will default to using stronger,
    modern ciphers and will default to allow client preference in selecting
    ciphers.
      "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384",
      "Options" => "-ServerPreference"
    old defaults:
      "CipherString" => "HIGH",
      "Options" => "ServerPreference"
  * A number of TLS options are now deprecated and will be removed in a
    future release:
    - ssl.honor-cipher-order
    - ssl.dh-file
    - ssl.ec-curve
    - ssl.disable-client-renegotiation
    - ssl.use-sslv2
    - ssl.use-sslv3
    The replacement option is ssl.openssl.ssl-conf-cmd, but lighttpd
    defaults should be preferred
  * A number of modules are now deprecated and will be removed in a future
    release: mod_evasive, mod_secdownload, mod_uploadprogress, mod_usertrack
    can be replaced by mod_magnet and a few lines of lua.
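The following lighttpd.conf fragment is an added example, not taken from the package changelog or from the lighttpd project: it puts the TLS options that the 1.4.66 entry deprecated and the 1.4.68 entry removed next to their replacement through ssl.openssl.ssl-conf-cmd, so an administrator upgrading across those versions can see what to delete and what, if anything, to add. The certificate path, hostname and curve list are placeholders, and the conf-cmd keys "Options", "Curves" and "MinProtocol" are assumed to be accepted as documented at https://wiki.lighttpd.net/Docs_SSL.

```conf
# Added example: one TLS listener in lighttpd.conf, before and after 1.4.68.
# Paths, hostnames and curve choices are placeholders, not from the changelog.

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/example.test.pem"   # placeholder path

    # --- Before 1.4.68: the six options the changelog lists as removed.
    #     Left here only to show what has to go; they no longer exist.
    # ssl.honor-cipher-order           = "enable"
    # ssl.dh-file                      = "/etc/lighttpd/dhparam.pem"
    # ssl.ec-curve                     = "secp384r1"
    # ssl.disable-client-renegotiation = "enable"
    # ssl.use-sslv2                    = "disable"
    # ssl.use-sslv3                    = "disable"

    # --- 1.4.68 and later: nothing extra is needed to get the new defaults,
    #     which the changelog records as
    #       "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384",
    #       "Options"      => "-ServerPreference"
    #     (modern PFS-only ciphers, client cipher preference honoured).
    #
    #     Set ssl.openssl.ssl-conf-cmd only for a deliberate deviation, e.g. to
    #     re-enable server preference or pin key-exchange groups. The keys are
    #     OpenSSL SSL_CONF command names (assumption: accepted as described on
    #     https://wiki.lighttpd.net/Docs_SSL).
    # ssl.openssl.ssl-conf-cmd = (
    #     "Options"     => "ServerPreference",
    #     "Curves"      => "X25519:secp384r1",
    #     "MinProtocol" => "TLSv1.2"
    # )
}
```

With the replacement block left commented out the listener runs on the 1.4.68 defaults, which is what the changelog recommends; uncomment ssl.openssl.ssl-conf-cmd only where a documented client population needs a deviation, and confirm the negotiated cipher and protocol from outside after a restart (for instance with `openssl s_client -connect host:443`) rather than trusting the config file alone.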
* Tue Jun 21 2022 Dirk Müller
- update to 1.4.65:
  * WebSockets over HTTP/2
  * RFC 8441 Bootstrapping WebSockets with HTTP/2
  * HTTP/2 PRIORITY_UPDATE
  * RFC 9218 Extensible Prioritization Scheme for HTTP
  * prefix/suffix conditions in lighttpd.conf
  * mod_webdav safe partial-PUT
    webdav.opts += ("partial-put-copy-modify" => "enable")
  * mod_accesslog option: accesslog.escaping = "json"
  * mod_deflate libdeflate build option
  * speed up request body uploads via HTTP/2
  * Behavior Changes
  * change default server.max-keep-alive-requests = 1000 to adjust
    to increasing HTTP/2 usage and to web2/web3 application usage
    (prior default was 100)
  * mod_status HTML now includes HTTP/2 control stream id 0 in the output
    which contains aggregate counts for the HTTP/2 connection
    (These lines can be identified with URL '*', part of "PRI *" preface)
    alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
  * MIME type application/javascript is translated to text/javascript
    (RFC 9239)

* Thu Feb 03 2022 Johannes Segitz
- Set ProtectHome to read-only, otherwise access to the users public_html
  can break (bsc#1195465)

* Sat Jan 22 2022 Andreas Stieger
- update to 1.4.64:
  * CVE-2022-22707: off-by-one stack overflow in the mod_extforward plugin
    (boo#1194376)
  * graceful restart/shutdown timeout changed from 0 (disabled) to 8 seconds.
    configure an alternative with:
    server.feature-flags += ("server.graceful-shutdown-timeout" => 8)
  * deprecated modules (previously announced) have been removed:
    mod_authn_mysql, mod_mysql_vhost, mod_cml, mod_flv_streaming, mod_geoip,
    mod_trigger_b4_dl

* Sat Dec 04 2021 Andreas Stieger
- update to 1.4.63:
  * import xxHash v0.8.1
  * fix reqpool mem corruption in 1.4.62
- includes changes in 1.4.62:
  * [mod_alias] fix use-after-free bug
  * many developer visible bug fixes
- build with pcre2 and without libev, as per upcoming deprecation

* Sun Nov 21 2021 Andreas Stieger
- update to 1.4.61:
  * mod_dirlisting: sort "../" to top
  * fix HTTP/2 upload > 64k w/ max-request-size
  * code level and developer visible bug fixes

* Sun Oct 24 2021 Andreas Stieger
- update to 1.4.60:
  * HTTP/2 smoother and lower memory use (in general)
  * HTTP/2 tuning to better handle aggressive client initial requests
  * reduce memory footprint; workaround poor glibc behavior; jemalloc is
    better
  * mod_magnet lua performance improvements
  * mod_dirlisting performance improvements and new caching option
  * memory constraints for extreme edge cases in mod_dirlisting, mod_ssi,
    mod_webdav
  * connect(), write(), read() time limits on backends (separate from client
    timeouts)
  * lighttpd restarts if large discontinuity in time occurs (embedded systems)
  * RFC7233 Range support for all non-streaming responses, not only static
    files
  * connect() to backend now has default 8 second timeout (configurable)

* Tue Oct 05 2021 Johannes Segitz
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
  * harden_lighttpd.service.patch

* Tue Sep 21 2021 Jan Engelhardt
- Fix squatted descriptions.

* Sun Jul 18 2021 Andreas Stieger
- update to 1.4.59:
  * HTTP/2 enabled by default
  * mod_deflate zstd support
  * new mod_ajp13