pkgsrc-Users archive


lighttpd 1.4.75 released



Dear package maintainers:

lighttpd 1.4.75 has been released!
https://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1_4_75

Please package and publish lighttpd 1.4.75.

Important changes from 1.4.75

* incrementally stronger TLS cipher defaults; bug fixes

This release fixes a regression in mod_dirlisting in lighttpd 1.4.74
and adds missing file src/compat/sys/queue.h to the release tarball.

If your distro package requires any other patches that might be
upstreamed into lighttpd, please let me know.

Please let me know if you have any questions or issues.  Thank you!

Cheers, Glenn


Downloads

* https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.gz
** GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.gz.asc
** SHA256: @283aa8cba5534979f987c2a652948c241a94683a21e06e2a7109f632bbcdda97@
* https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.xz
** GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.xz.asc
** SHA256: @8b721ca939d312afaa6ef31dcbd6afb5161ed385ac828e6fccd4c5b76be189d6@
* SHA256 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.sha256sum
* SHA512 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.sha512sum

Behavior Changes (previously announced)

* TLS cipher defaults have been incrementally updated to stronger defaults
  New defaults are forward-secret and support authenticated encryption (AEAD)
  New defaults: openssl ciphers 'EECDH+AESGCM:CHACHA20:!PSK:!DHE'
  Previous defaults: openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384'
  Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults
  (and supported clients, i.e. those which have not already reached end-of-life).
  Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
* mod_redirect: default url.redirect-code for HTTP/1.1 and later has been
  changed from 301 Moved Permanently to 308 Permanent Redirect
  (only if url.redirect is not explicitly set in lighttpd.conf)
  RFC7538: https://datatracker.ietf.org/doc/html/rfc7538
  (published almost 9 years ago)

Future Scheduled Behavior Changes (2025)

* lighttpd TLS defaults will change to MinProtocol TLSv1.3
  Other configurations will still be supported, but will not be the default.
  Proposed default: MinProtocol TLSv1.3
  Current default: MinProtocol TLSv1.2
* server.error-handler-404 will operate only on 404
  (historical error: server.error-handler-404 operated on both 404 and 403)
  Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available
  to produce dynamic error pages for 4xx and 5xx responses.
  Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to
  is an additional, high performance mechanism to produce dynamic error pages.
  https://wiki.lighttpd.net/mod_magnet
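
Added example (not part of the announcement and not lighttpd code): a Python sketch that expands the two cipher strings quoted above with the locally linked OpenSSL, checks that every TLS 1.2 suite in the new default is ECDHE and AEAD, and lists what the previous default enabled that the new one does not. The helper names expand, audit and dropped are hypothetical, and the output depends on the local OpenSSL build.

```python
import ssl

# Cipher strings copied from the announcement.
NEW_DEFAULT = "EECDH+AESGCM:CHACHA20:!PSK:!DHE"
OLD_DEFAULT = "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"


def expand(cipher_string):
    """Expand an OpenSSL cipher string into {suite name: details} for TLS <= 1.2.

    TLS 1.3 suites (names starting with "TLS_") are configured separately in
    OpenSSL and are not selected by this string, so they are skipped.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")}


def audit(cipher_string):
    """Return the suites that are not ECDHE key exchange or not AEAD."""
    return sorted(name for name, c in expand(cipher_string).items()
                  if c["kea"] != "kx-ecdhe" or not c["aead"])


def dropped(old, new):
    """Return the suites enabled by `old` that `new` no longer enables."""
    return sorted(set(expand(old)) - set(expand(new)))


if __name__ == "__main__":
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    print("new default suites:", sorted(expand(NEW_DEFAULT)))
    print("not ECDHE or not AEAD in new default:", audit(NEW_DEFAULT))
    print("enabled before, not now:", dropped(OLD_DEFAULT, NEW_DEFAULT))
```

Running it on the host that builds or serves lighttpd shows which legacy clients, if any, would lose their only shared suite after the upgrade.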

