pkgsrc-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
lighttpd 1.4.75 released
Dear package maintainers:
lighttpd 1.4.75 has been released!
https://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1_4_75
Please package and publish lighttpd 1.4.75.
Important changes from 1.4.75
* incrementally stronger TLS cipher defaults; bugs fixes
This release fixes a regression in mod_dirlisting in lighttpd 1.4.74
and adds missing file src/compat/sys/queue.h to the release tarball.
If your distro package requires any other patches that might be
upstreamed into lighttpd, please let me know.
Please let me know if you have any questions or issues. Thank you!
Cheers, Glenn
Downloads
* https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.gz
** GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.gz.asc
** SHA256: @283aa8cba5534979f987c2a652948c241a94683a21e06e2a7109f632bbcdda97@
* https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.xz
** GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.tar.xz.asc
** SHA256: @8b721ca939d312afaa6ef31dcbd6afb5161ed385ac828e6fccd4c5b76be189d6@
* SHA256 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.sha256sum
* SHA512 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.75.sha512sum
Behavior Changes (previously announced)
* TLS cipher defaults have been incrementally updated to stronger defaults
New defaults are forward-secret and support authenticated encryption (AEAD)
New defaults: openssl ciphers 'EECDH+AESGCM:CHACHA20:!PSK:!DHE'
Previous defaults: openssl ciphers 'EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384'
Little or no impact is expected for lighttpd configs already using lighttpd TLS defaults
(and supported clients, i.e. those which have not already reached end-of-life).
Reference: https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
* mod_redirect: default url.redirect-code for HTTP/1.1 and later has been
changed from 301 Moved Permanently to 308 Permanent Redirect
(only if url.redirect is not explicitly set in lighttpd.conf)
RFC7538: https://datatracker.ietf.org/doc/html/rfc7538
(published almost 9 years ago)
Future Scheduled Behavior Changes (2025)
* lighttpd TLS defaults will change to MinProtocol TLSv1.3
Other configurations will still be supported, but will not be the default.
Proposed default: MinProtocol TLSv1.3
Current default: MinProtocol TLSv1.2
* server.error-handler-404 will operate only on 404
(historical error: server.error-handler-404 operated on both 404 and 403)
Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available
to produce dynamic error pages for 4xx and 5xx responses.
Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to
is an additional, high performance mechanism to produce dynamic error pages.
https://wiki.lighttpd.net/mod_magnet
Home |
Main Index |
Thread Index |
Old Index