pkgsrc-Users archive


lighttpd 1.4.66 released



Dear package maintainers:

lighttpd 1.4.66 has been released!

Please package and publish lighttpd 1.4.66.  This is a bugfix release.

Please review the below behavior changes scheduled next year in 2023.

Please let me know if you have any questions or issues.  Thank you!

Cheers, Glenn

https://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1_4_66

FUTURE SCHEDULED BEHAVIOR CHANGES (estimated Jan 2023):

* TLS modules will default to using stronger, modern ciphers and
  will default to allow client preference in selecting ciphers.
  Allowing client preference in selecting ciphers is safe to do along
  with restrictions to use modern ciphers supporting PFS, and is
  better for mobile users without AES hardware acceleration.
  Legacy ciphers can still be configured in lighttpd.conf using
  `ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by
  the underlying TLS libraries.  https://wiki.lighttpd.net/Docs_SSL
  new defaults:
    "CipherString" => "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384",
    "Options" => "-ServerPreference"
  old defaults:
    "CipherString" => "HIGH",
    "Options" => "ServerPreference"

* Deprecated TLS options will be removed.
  - ssl.honor-cipher-order
  - ssl.dh-file
  - ssl.ec-curve
  - ssl.disable-client-renegotiation
  - ssl.use-sslv2
  - ssl.use-sslv3
  See https://wiki.lighttpd.net/Docs_SSL for replacements with
  `ssl.openssl.ssl-conf-cmd`, but prefer lighttpd defaults instead.

* Continue gradual deprecation of "mini-application" lighttpd modules
  for which mod_magnet lua implementations are better and more flexible.
  Please post on lighttpd forums to share feedback if you use these modules.
  Forums: https://redmine.lighttpd.net/projects/lighttpd/boards

* Deprecated: mod_evasive will be removed.
  mod_evasive can be replaced by mod_magnet and a few lines of lua:
  Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_evasive
  https://wiki.lighttpd.net/AbsoLUAtion#Fight-DDoS
  https://wiki.lighttpd.net/AbsoLUAtion#Mod_Security

* Deprecated: mod_secdownload will be removed.
  mod_secdownload can be replaced by mod_magnet and a few lines of lua:
  Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_secdownload
  mod_secdownload historically uses insecure MD5 though SHA1, SHA256 available

* Deprecated: mod_uploadprogress will be removed.
  mod_uploadprogress can be replaced by mod_magnet and a few lines of lua:
  Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_uploadprogress

* Deprecated: mod_usertrack will be removed.
  mod_usertrack can be replaced by mod_magnet and a few lines of lua:
  Replacement: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_usertrack
  mod_usertrack historically uses insecure MD5.

DOWNLOADS:

https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.xz
https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.xz.asc

https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.gz
https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.tar.gz.asc

https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.sha256sum
https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.66.sha512sum
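
Added example (not part of the original announcement and not lighttpd project code): a small Python audit that scans lighttpd.conf text for the deprecated TLS options and modules listed above, and for explicit ssl-conf-cmd settings that pin the old cipher defaults. The function names and the sample configuration are constructed for illustration.

```python
import re

# Names taken from the announcement above.
DEPRECATED_TLS = ("ssl.honor-cipher-order", "ssl.dh-file", "ssl.ec-curve",
                  "ssl.disable-client-renegotiation", "ssl.use-sslv2", "ssl.use-sslv3")
DEPRECATED_MODULES = ("mod_evasive", "mod_secdownload", "mod_uploadprogress", "mod_usertrack")

def strip_comment(line):
    """Drop a trailing # comment, ignoring # inside double-quoted strings."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "#" and not in_str:
            return line[:i]
    return line

def audit(conf_text):
    """Return (line_number, kind, name) findings for one lighttpd.conf text."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = strip_comment(raw)
        for opt in DEPRECATED_TLS:
            # Option name followed by an assignment (=, optionally prefixed by + or :).
            if re.search(r"(?<![\w.-])" + re.escape(opt) + r"\s*[+:]?=", line):
                findings.append((n, "deprecated-tls-option", opt))
        for mod in DEPRECATED_MODULES:
            if f'"{mod}"' in line:
                findings.append((n, "deprecated-module", mod))
        if re.search(r'"CipherString"\s*=>\s*"HIGH"', line):
            findings.append((n, "pins-old-default", "CipherString"))
        m = re.search(r'"Options"\s*=>\s*"([^"]*)"', line)
        if m and any(t.strip().lstrip("+") == "ServerPreference" for t in m.group(1).split(",")):
            findings.append((n, "pins-old-default", "Options"))
    return findings

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = '''\
server.modules = ( "mod_access", "mod_openssl", "mod_usertrack" )
# server.modules += ( "mod_evasive" )
ssl.honor-cipher-order = "enable"
ssl.use-sslv3="disable"   # trailing comment mentioning ssl.dh-file = "x"
ssl.openssl.ssl-conf-cmd = ("CipherString" => "HIGH",
                            "Options" => "-SessionTicket,ServerPreference")
'''

if __name__ == "__main__":
    for lineno, kind, name in audit(SAMPLE_CONF):
        print(f"line {lineno}: {kind}: {name}")
```

Findings of kind pins-old-default are informational: such a configuration keeps the old cipher behavior after the defaults change.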

