pkgsrc-Users archive


lighttpd 1.4.80 released



Dear package maintainers:

lighttpd 1.4.80 has been released!
https://wiki.lighttpd.net/Release-1_4_80

Please package and publish lighttpd 1.4.80.

Important changes

* detect and issue error trace for HTTP/2 MadeYouReset VU#767506 CVE-2025-8671
* stricter HTTP request/response header, trailer, and chunked validation/parsing
* support HTTP response trailers
* support HTTP request trailers merge to headers (if not streaming request body)
* bug fixes

BEHAVIOR CHANGES

* extend TLS error log messages to include client addr if error caused by client
  (Please review TLS error string matching in log watchers)
* extend TLS error log messages for HTTP/2 attack detection
  (Please review TLS error string matching in log watchers)
* reject path info on static files by default (prior default allowed path info)
  (For prior behavior, configure static-file.disable-pathinfo = "disable")


If your distro package requires any other patches that might be
upstreamed into lighttpd, please let me know.

Please let me know if you have any questions or issues.  Thank you!

Cheers, Glenn

