An update that solves one vulnerability and has two fixes
is now available.
Description:
This update for lighttpd fixes the following issues:
lighttpd was updated to 1.4.64:
- CVE-2022-22707: off-by-one stack overflow in the mod_extforward plugin
(boo#1194376)
- graceful restart/shutdown timeout changed from 0 (disabled) to 8
seconds. configure an alternative with: server.feature-flags +=
(���server.graceful-shutdown-timeout��� => 8)
- deprecated modules (previously announced) have been removed:
mod_authn_mysql, mod_mysql_vhost, mod_cml, mod_flv_streaming, mod_geoip,
mod_trigger_b4_dl
update to 1.4.63:
- import xxHash v0.8.1
- fix reqpool mem corruption in 1.4.62
includes changes in 1.4.62:
- [mod_alias] fix use-after-free bug
- many developer visible bug fixes
update to 1.4.61:
- mod_dirlisting: sort “…/” to top
- fix HTTP/2 upload > 64k w/ max-request-size
- code level and developer visible bug fixes
update to 1.4.60:
- HTTP/2 smoother and lower memory use (in general)
- HTTP/2 tuning to better handle aggressive client initial requests
- reduce memory footprint; workaround poor glibc behavior; jemalloc is
better
- mod_magnet lua performance improvements
- mod_dirlisting performance improvements and new caching option
- memory constraints for extreme edge cases in mod_dirlisting, mod_ssi,
mod_webdav
- connect(), write(), read() time limits on backends (separate from client
timeouts)
- lighttpd restarts if large discontinuity in time occurs (embedded
systems)
- RFC7233 Range support for all non-streaming responses, not
only static files
- connect() to backend now has default 8 second timeout (configurable)
- Added hardening to systemd service(s) (boo#1181400).
update to 1.4.59:
- HTTP/2 enabled by default
- mod_deflate zstd suppport
- new mod_ajp13
Update to 1.4.58:
- [mod_wolfssl] use wolfSSL TLS version defines
- [mod_wolfssl] compile with earlier wolfSSL vers
- [core] prefer IPv6+IPv4 func vs IPv4-specific func
- [core] reuse large mem chunks (fix mem usage) (fixes #3033)
- [core] add comment for FastCGI mem use in hctx->rb (#3033)
- [mod_proxy] fix sending of initial reqbody chunked
- [multiple] fdevent_waitpid() wrapper
- [core] sys-time.h - localtime_r,gmtime_r macros
- [core] http_date.[ch] encapsulate HTTP-date parse
- [core] specialized strptime() for HTTP date fmts
- [multiple] employ http_date.h, sys-time.h
- [core] http_date_timegm() (portable timegm())
- buffer_append_path_len() to join paths
- [core] inet_ntop_cache -> sock_addr_cache
- [multiple] etag.[ch] -> http_etag.[ch]; better imp
- [core] fix crash after specific err in config file
- [core] fix bug in FastCGI uploads (#3033)
- [core] http_response_match_if_range()
- [mod_webdav] typedef off_t loff_t for FreeBSD
- [multiple] chunkqueue_write_chunk()
- [build] add GNUMAKEFLAGS=–no-print-directory
- [core] fix bug in read retry found by coverity
- [core] attempt to quiet some coverity warnings
- [mod_webdav] compile fix for Mac OSX/11
- [core] handle U+00A0 in config parser
- [core] fix lighttpd -1 one-shot with pipes
- [core] quiet start/shutdown trace in one-shot mode
- [core] allow keep-alives in one-shot mode (#3042)
- [mod_webdav] define _ATFILE_SOURCE if AT_FDCWD
- [core] setsockopt IPV6_V6ONLY if server.v4mapped
- [core] prefer inet_aton() over inet_addr()
- [core] add missing mod_wolfssl to ssl compat list
- [mod_openssl] remove ancient preprocessor logic
- [core] SHA512_Init, SHA512_Update, SHA512_Final
- [mod_wolfssl] add complex preproc logic for SNI
- [core] wrap a macro value with parens
- [core] fix handling chunked response from backend (fixes #3044)
- [core] always set file.fd = -1 on FILE_CHUNK reset (fixes #3044)
- [core] skip some trace if backend Upgrade (#3044)
- [TLS] cert-staple.sh POSIX sh compat (fixes #3043)
- [core] portability fix if st_mtime not defined
- [mod_nss] portability fix
- [core] warn if mod_authn_file needed in conf
- [core] fix chunked decoding from backend (fixes #3044)
- [core] reject excess data after chunked encoding (#3046)
- [core] track chunked encoding state from backend (fixes #3046)
- [core] li_restricted_strtoint64()
- [core] track Content-Length from backend (fixes #3046)
- [core] enhance config parsing debugging (#3047)
- [core] reorder srv->config_context to match ndx (fixes #3047)
- [mod_proxy] proxy.header = (“force-http10” => …)
- [mod_authn_ldap] fix crash (fixes #3048)
- [mod_authn_ldap, mod_vhostdb_ldap] default cafile
- [core] fix array_copy_array() sorted[]
- [multiple] replace fall through comment with attr
- [core] fix crash printing trace if backend is down
- [core] fix decoding chunked from backend (fixes #3049)
- [core] attempt to quiet some coverity warnings
- [core] perf: request processing
- [core] http_header_str_contains_token()
- [mod_flv_streaming] parse query string w/o copying
- [mod_evhost] use local array to split values
- [core] remove srv->split_vals
- [core] add User-Agent to http_header_e enum
- [core] store struct server * in struct connection
- [core] use func rc to indicate done reading header
- [core] replace connection_set_state w/ assignment
- [core] do not pass srv to http header parsing func
- [core] cold buffer_string_prepare_append_resize()
- [core] chunkqueue_compact_mem()
- [core] connection_chunkqueue_compact()
- [core] pass con around request, not srv and con
- [core] reduce use of struct parse_header_state
- [core] perf: HTTP header parsing using \n offsets
- [core] no need to pass srv to connection_set_state
- [core] perf: connection_read_header_more()
- [core] perf: connection_read_header_hoff() hot
- [core] inline connection_read_header()
- [core] pass ptr to http_request_parse()
- [core] more ‘const’ in request.c prototypes
- [core] handle common case of alnum or - field-name
- [mod_extforward] simplify code: use light_isxdigit
- [core] perf: array.c performance enhancements
- [core] mark some data_* funcs cold
- [core] http_header.c internal inline funcs
- [core] remove unused array_reset()
- [core] prefer uint32_t to size_t in base.h
- [core] uint32_t for struct buffer sizes
- [core] remove unused members of struct server
- [core] short-circuit path to clear request.headers
- [core] array keys are non-empty in key-value list
- [core] keep a->data[] sorted; remove a->sorted[]
- [core] attribute_returns_nonnull
- [core] differentiate array_get_* for ro and rw
- [core] (const buffer *) in (struct burl_parts_t)
- [core] (const buffer *) for con->server_name
- [core] perf: initialize con->conf using memcpy()
- [core] run config_setup_connection() fewer times
- [core] isolate data_config.c, vector.c
- [core] treat con->conditional_is_valid as bitfield
- [core] http_header_hkey_get() over const array
- [core] inline buffer as part of DATA_UNSET key
- [core] inline buffer key for *_patch_connection()
- [core] (data_unset *) from array_get_element_klen
- [core] inline buffer as part of data_string value
- [core] add const to callers of http_header_*_get()
- [core] inline array as part of data_array value
- [core] const char *op in data_config
- [core] buffer string in data_config
- [core] streamline config_check_cond()
- [core] keep a->data[] sorted (REVERT)
- [core] array a->sorted[] as ptrs rather than pos
- [core] inline header and env arrays into con
- [mod_accesslog] avoid alloc for parsing cookie val
- [core] simpler config_check_cond()
- [mod_redirect,mod_rewrite] store context_ndx
- [core] const char *name in struct plugin
- [core] srv->plugin_slots as compact list
- [core] rearrange server_config, server members
- [core] macros CONST_LEN_STR and CONST_STR_LEN
- [core] struct plugin_data_base
- [core] improve condition caching perf
- [core] config_plugin_values_init() new interface
- [mod_access] use config_plugin_values_init()
- [core] (const buffer *) from strftime_cache_get()
- [core] mv config_setup_connection to connections.c
- [core] use (const char *) in config file parsing
- [mod_staticfile] use config_plugin_values_init()
- [mod_skeleton] use config_plugin_values_init()
- [mod_setenv] use config_plugin_values_init()
- [mod_alias] use config_plugin_values_init()
- [mod_indexfile] use config_plugin_values_init()
- [mod_expire] use config_plugin_values_init()
- [mod_flv_streaming] use config_plugin_values_init()
- [mod_magnet] use config_plugin_values_init()
- [mod_usertrack] use config_plugin_values_init()
- [mod_userdir] split policy from userdir path build
- [mod_userdir] use config_plugin_values_init()
- [mod_ssi] use config_plugin_values_init()
- [mod_uploadprogress] use config_plugin_values_init()
- [mod_status] use config_plugin_values_init()
- [mod_cml] use config_plugin_values_init()
- [mod_secdownload] use config_plugin_values_init()
- [mod_geoip] use config_plugin_values_init()
- [mod_evasive] use config_plugin_values_init()
- [mod_trigger_b4_dl] use config_plugin_values_init()
- [mod_accesslog] use config_plugin_values_init()
- [mod_simple_vhost] use config_plugin_values_init()
- [mod_evhost] use config_plugin_values_init()
- [mod_vhostdb*] use config_plugin_values_init()
- [mod_mysql_vhost] use config_plugin_values_init()
- [mod_maxminddb] use config_plugin_values_init()
- [mod_auth*] use config_plugin_values_init()
- [mod_deflate] use config_plugin_values_init()
- [mod_compress] use config_plugin_values_init()
- [core] add xsendfile* check if xdocroot is NULL
- [mod_cgi] use config_plugin_values_init()
- [mod_dirlisting] use config_plugin_values_init()
- [mod_extforward] use config_plugin_values_init()
- [mod_webdav] use config_plugin_values_init()
- [core] store addtl data in pcre_keyvalue_buffer
- [mod_redirect] use config_plugin_values_init()
- [mod_rewrite] use config_plugin_values_init()
- [mod_rrdtool] use config_plugin_values_init()
- [multiple] gw_backends config_plugin_values_init()
- [core] config_get_config_cond_info()
- [mod_openssl] use config_plugin_values_init()
- [core] use config_plugin_values_init()
- [core] collect more config logic into configfile.c
- [core] config_plugin_values_init_block()
- [core] gw_backend config_plugin_values_init_block
- [core] remove old config_insert_values_*() funcs
- [multiple] plugin.c handles common FREE_FUNC code
- [core] run all trigger and sighup handlers
- [mod_wstunnel] change DEBUG_LOG to use log_error()
- [core] stat_cache_path_contains_symlink use errh
- [core] isolate use of data_config, configfile.h
- [core] split cond cache from cond matches
- [mod_auth] inline arrays in http_auth_require_t
- [core] array_init() arg for initial size
- [core] gw_exts_clear_check_local()
- [core] gw_backend less pointer chasing
- [core] connection_handle_errdoc() separate func
- [multiple] prefer (connection *) to (srv *)
- [core] create http chunk header on the stack
- [multiple] connection hooks no longer get (srv *)
- [multiple] plugin_stats array
- [core] read up-to fixed size chunk before fionread
- [core] default chunk size 8k (was 4k)
- [core] pass con around gw_backend instead of srv
- [core] log_error_multiline_buffer()
- [multiple] reduce direct use of srv->cur_ts
- [multiple] extern log_epoch_secs
- [multiple] reduce direct use of srv->errh
- [multiple] stat_cache singleton
- [mod_expire] parse config into structured data
- [multiple] generic config array type checking
- [multiple] rename r to rc rv rd wr to be different
- [core] (minor) config_plugin_keys_t data packing
- [core] inline buffer in log_error_st errh
- [multiple] store srv->tmp_buf in tb var
- [multiple] quiet clang compiler warnings
- [core] http_status_set_error_close()
- [core] http_request_host_policy w/ http_parseopts
- [multiple] con->proto_default_port
- [core] store log filename in (log_error_st *)
- [core] separate log_error_open* funcs
- [core] fdevent uses uint32_t instead of size_t
- [mod_webdav] large buffer reuse
- [mod_accesslog] flush file log buffer at 8k size
- [core] include settings.h where used
- [core] static buffers for mtime_cache
- [core] convenience macros to check req methods
- [core] support multiple error logs
- [multiple] omit passing srv to fdevent_handler
- [core] remove unused arg to fdevent_fcntl_set_nb*
- [core] slightly simpify server_(over)load_check()
- [core] isolate fdevent subsystem
- [core] isolate stat_cache subsystem
- [core] remove include base.h where unused
- [core] restart dead piped loggers every 64 sec
- [mod_webdav] use copy_file_range() if available
- [core] perf: buffer copy and append
- [core] copy some srv->srvconf into con->conf
- [core] move keep_alive flag into request_st
- [core] pass scheme port to http_request_parse()
- [core] pass http_parseopts around request.c
- [core] rename specific_config to request_config
- [core] move request_st,request_config to request.h
- [core] pass (request_st *) to request.c funcs
- [core] remove unused request_st member ‘request’
- [core] rename content_length to reqbody_length
- [core] t/test_request.c using (request_st *)
- [core] (const connection ) in http_header__get()
- [mod_accesslog] log_access_record() fmt log record
- [core] move request start ts into (request_st *)
- [core] move addtl request-specific struct members
- [core] move addtl request-specific struct members
- [core] move plugin_ctx into (request_st *)
- [core] move addtl request-specific struct members
- [core] move request state into (request_st *)
- [core] store (plugin *) in p->data
- [core] store subrequest_handler instead of mode
- [multiple] copy small struct instead of memcpy()
- [multiple] split con, request (very large change)
- [core] r->uri.path always set, though might be “”
- [core] C99 restrict on some base funcs
- [core] dispatch handler in handle_request func
- [core] http_request_parse_target()
- [mod_magnet] modify r->target with “uri.path-raw”
- [core] remove r->uri.path_raw; generate as needed
- [core] http_response_comeback()
- [core] http_response_config()
- [tests] use buffer_eq_slen() for str comparison
- [core] http_status_append() short-circuit 200 OK
- [core] mark some chunk.c funcs as pure
- [core] use uint32_t in http_header.[ch]
- [core] perf: tighten some code in some hot paths
- [core] parse header label before end of line
- [mod_auth] “nonce_secret” option to validate nonce (fixes #2976)
- [build] fix build on MacOS X Tiger
- [doc] lighttpd.conf: lighttpd choose event-handler
- [config] blank server.tag if whitespace-only
- [mod_proxy] stream request using HTTP/1.1 chunked (fixes #3006)
- [multiple] correct misspellings in comments
- [multiple] fix some cc warnings in 32-bit, powerpc
- [tests] fix skip count in mod-fastcgi w/o php-cgi
- [multiple] ./configure --with-nettle to use Nettle
- [core] skip excess close() when FD_CLOEXEC defined
- [mod_cgi] remove redundant calls to set FD_CLOEXEC
- [core] return EINVAL if stat_cache_get_entry w/o /
- [mod_webdav] define PATH_MAX if not defined
- [mod_accesslog] process backslash-escapes in fmt
- [mod_openssl] disable cert vrfy if ALPN acme-tls/1
- [core] add seed before openssl RAND_pseudo_bytes()
- [mod_mbedtls] mbedTLS option for TLS
- [core] prefer getxattr() instead of get_attr()
- [multiple] use *(unsigned char *) with ctypes
- [mod_openssl] do not log ECONNRESET unless debug
- [mod_openssl] SSL_R_UNEXPECTED_EOF_WHILE_READING
- [mod_gnutls] GnuTLS option for TLS (fixes #109)
- [mod_openssl] rotate session ticket encryption key
- [mod_openssl] set cert from callback in 1.0.2+ (fixes #2842)
- [mod_openssl] set chains from callback in 1.0.2+ (#2842)
- [core] RFC-strict parse of Content-Length
- [build] point ./configure --help to support forum
- [core] stricter parse of numerical digits
- [multiple] add summaries to top of some modules
- [core] sys-crypto-md.h w/ inline message digest fn
- [mod_openssl] enable read-ahead, if set, after SNI
- [mod_openssl] issue warning for deprecated options
- [mod_openssl] use SSL_OP_NO_RENEGOTIATION if avail
- [mod_openssl] use openssl feature define for ALPN
- [mod_openssl] update default DH params
- [core] SecureZeroMemory() on _WIN32
- [core] safe memset calls memset() through volatile
- [doc] update comments in doc/config/modules.conf
- [core] more precise check for request stream flags
- [mod_openssl] rotate session ticket encryption key
- [mod_openssl] ssl.stek-file to specify encrypt key
- [mod_mbedtls] ssl.stek-file to specify encrypt key
- [mod_gnutls] ssl.stek-file to specify encrypt key
- [mod_openssl] disable session cache; prefer ticket
- [mod_openssl] compat with LibreSSL
- [mod_openssl] compat with WolfSSL
- [mod_openssl] set SSL_OP_PRIORITIZE_CHACHA
- [mod_openssl] move SSL_CTX curve conf to new func
- [mod_openssl] basic SSL_CONF_cmd for alt TLS libs
- [mod_openssl] OCSP stapling (fixes #2469)
- [TLS] cert-staple.sh - refresh OCSP responses (#2469)
- [mod_openssl] compat with BoringSSL
- [mod_gnutls] option to override GnuTLS priority
- [mod_gnutls] OCSP stapling (#2469)
- [mod_extforward] config warning for module order
- [mod_webdav] store webdav.opts as bitflags
- [mod_webdav] limit webdav_propfind_dir() recursion
- [mod_webdav] unsafe-propfind-follow-symlink option
- [mod_webdav] webdav.opts “propfind-depth-infinity”
- [mod_openssl] detect certs marked OCSP Must-Staple
- [mod_gnutls] detect certs marked OCSP Must-Staple
- [mod_openssl] default to set MinProtocol TLSv1.2
- [mod_nss] NSS option for TLS (fixes #1218)
- [core] fdevent_load_file() shared code
- [mod_openssl,mbedtls,gnutls,nss] fdevent_load_file
- [core] error if s->socket_perms chmod() fails
- [mod_openssl] prefer some WolfSSL native APIs
- quiet clang analyzer scan-build warnings
- [core] uint32_t is plenty large for path names
- [mod_mysql_vhost] deprecated; use mod_vhostdb_mysql
- [core] splaytree_djbhash() in splaytree.h (reuse)
- [cmake] update deps for src/t/test_*
- [cmake] update deps for src/t/test_*
- [build] remove tests/mod-userdir.t from builds
- [build] fix typo in src/Makefile.am EXTRA_DIST
- [core] remove unused mbedtls_enabled flag
- [core] store fd in srv->stdin_fd during setup
- [multiple] address coverity warnings
- [mod_webdav] fix theoretical NULL dereference
- [mod_webdav] update rc for PROPFIND allprop
- [mod_webdav] build fix: ifdef live_properties
- [multiple] address coverity warnings
- [meson] fix libmariadb dependency
- [meson] add missing libmaxminddb section
- [mod_auth,mod_vhostdb] add caching option (fixes #2805)
- [mod_authn_ldap,mod_vhostdb_ldap] add timeout opt (#2805)
- [mod_auth] accept “nonce-secret” & “nonce_secret”
- [mod_openssl] fix build warnings on MacOS X
- [core] Nettle assert()s if buffer len > digest sz
- [mod_authn_dbi] authn backend employing DBI
- [mod_authn_mysql,file] use crypt() to save stack
- [mod_vhostdb_dbi] allow strings and ints in config
- add ci-build.sh
- move ci-build.sh to scripts
- [build] build fixes for AIX
- [mod_deflate] Brotli support
- [build] bzip2 default to not-enabled in build
- [mod_deflate] fix typo in config option
- [mod_deflate] propagate errs from internal funcs
- [mod_deflate] deflate.cache-dir compressed cache
- [mod_deflate] mod_deflate subsumes mod_compress
- [doc] mod_compress -> mod_deflate
- [tests] mod_compress -> mod_deflate
- [mod_compress] remove mod_compress
- [build] add --with-brotli to CI build
- [core] server.feature-flags extensible config
- [core] con layer plugin_ctx separate from request
- [multiple] con hooks store ctx in con->plugin_ctx
- [core] separate funcs to reset (request_st *)
- [multiple] rename connection_reset hook to request
- [mod_nss] func renames for consistency
- [core] detect and reject TLS connect to cleartext
- [mod_deflate] quicker check for Content-Encoding
- [mod_openssl] read secret data w/ BIO_new_mem_buf
- [core] decode Transfer-Encoding: chunked from gw
- [mod_fastcgi] decode Transfer-Encoding: chunked
- [core] stricter parsing of POST chunked block hdr
- [mod_proxy] send HTTP/1.1 requests to backends
- [tests] test_base64.c clear buf vs reset
- [core] http_header_remove_token()
- [mod_webdav] fix inadvertent string truncation
- [core] add some missing standard includes
- [mod_extforward] attempt to quiet Coverity warning
- [mod_authn_dbi,mod_authn_mysql] fix coverity issue
- scons: fix check environment
- Add avahi service file under doc/avahi/
- [mod_webdav] fix fallback if linkat() fails
- [mod_proxy] do not forward Expect: 100-continue
- [core] chunkqueue_compact_mem() must upd cq->last
- [core] dlsym for FAMNoExists() for compat w/ fam
- [core] disperse settings.h to appropriate headers
- [core] inline buffer_reset()
- [mod_extforward] save proto per connection
- [mod_extforward] skip after HANDLER_COMEBACK
- [core] server.feature-flags to enable h2
- [core] HTTP_VERSION_2
- [multiple] allow TLS ALPN “h2” if “server.h2proto”
- [mod_extforward] preserve changed addr for h2 con
- [core] do not send Connection: close if h2
- [core] lowercase response hdr field names for h2
- [core] recognize status: 421 Misdirected Request
- [core] parse h2 pseudo-headers
- [core] request_headers_process()
- [core] connection_state_machine_loop()
- [core] reset connection counters per connection
- [mod_accesslog,mod_rrdtool] HTTP/2 basic accounting
- [core] connection_set_fdevent_interest()
- [core] HTTP2-Settings
- [core] adjust http_request_headers_process()
- [core] http_header_parse_hoff()
- [core] move http_request_headers_process()
- [core] reqpool.[ch] for (request_st *)
- [multiple] modules read reqbody via fn ptr
- [multiple] isolate more con code in connections.c
- [core] isolate more resp code in response.c
- [core] h2.[ch] with stub funcs (incomplete)
- [core] alternate between two joblists
- [core] connection transition to HTTP/2; incomplete
- [core] mark some error paths with attribute cold
- [core] discard 100 102 103 responses from backend
- [core] skip write throttle for 100 Continue
- [core] adjust (disabled) debug code
- [core] update comment
- [core] link in ls-hpack (EXPERIMENTAL)
- [core] HTTP/2 HPACK using LiteSpeed ls-hpack
- [core] h2_send_headers() specialized for resp hdrs
- [core] http_request_parse_header() specialized
- [core] comment possible future ls-hpack optimize
- [mod_status] separate funcs to print request table
- [mod_status] adjust to print HTTP/2 requests
- [core] redirect to dir using relative-path
- [core] ignore empty field-name from backends
- [mod_auth] fix crash if auth.require misconfigured (fixes #3023)
- [core] fix 1-char trunc of default server.tag
- [core] request_acquire(), request_release()
- [core] keep pool of (request_st *) for HTTP/2
- [mod_status] dedicated funcs for r->state labels
- [core] move connections_get_state to connections.c
- [core] fix crash on master after graceful restart
- [core] defer optimization to read small files
- [core] do not require ‘\0’ term for k,v hdr parse
- [scripts] cert-staple.sh enhancements
- [core] document algorithm used in lighttpd etag
- [core] ls-hpack optimizations
- [core] fix crash on master if blank line request
- [core] use djbhash in gw_backend to choose host
- [core] rename md5.[ch] to algo_md5.[ch]
- [core] move djbhash(), dekhash() to algo_md.h
- [core] rename splaytree.[ch] to algo_splaytree.[ch]
- [core] import xxHash v0.8.0
- [build] modify build, includes for xxHash v0.8.0
- [build] remove ls-hpack/deps
- [core] xxhash no inline hints; let compiler choose
- [mod_dirlisting] fix config parsing crash
- [mod_openssl] clarify trace w/ deprecated options
- [doc] refresh doc/config//
- [core] code size: disable XXH64(), XXH3()
- [doc] update README and INSTALL
- [core] combine Cookie request headers with ‘;’
- [core] log stream id with debug.log-state-handling
- [core] set r->state in h2.c
- [mod_ssi] update chunk after shell output redirect
- [mod_webdav] preserve bytes_out when chunks merged
- [multiple] inline chunkqueue_length()
- [core] cold h2_log_response_header*() funcs
- [core] update HTTP status codes list from IANA
- [mod_wolfssl] standalone module
- [core] Content-Length in http_response_send_file()
- [core] adjust response header prep for common case
- [core] light_isupper(), light_islower()
- [core] tst,set,clr macros for r->{rqst,resp}_htags
- [core] separate http_header_e from _htags bitmask
- [core] http_header_hkey_get_lc() for HTTP/2
- [core] array.[ch] using uint32_t instead of size_t
- [core] extend (data_string *) to store header id
- [multiple] extend enum http_header_e list
- [core] http_header_e <=> lshpack_static_hdr_idx
- [core] skip ls-hpack decode work unused by lighttpd
- [TLS] error if inherit empty TLS cfg from globals
- [core] connection_check_expect_100()
- [core] support multiple 1xx responses from backend
- [core] reload c after chunkqueue_compact_mem()
- [core] relay 1xx from backend over HTTP/2
- [core] relay 1xx from backend over HTTP/1.1
- [core] chunkqueue_{peek,read}_data(), squash
- [multiple] TLS modules use chunkqueue_peek_data()
- [mod_magnet] magnet.attract-response-start-to
- [multiple] code reuse chunkqueue_peek_data()
- [core] reuse r->start_hp.tv_sec for r->start_ts
- [core] config_plugin_value_tobool() accept “0”,“1”
- [core] graceful and immediate restart option
- [mod_ssi] init status var before waitpid()
- [core] graceful shutdown timeout option
- [core] lighttpd -1 supports pipes (e.g. netcat)
- [core] perf adjustments to avoid load miss
- [multiple] use sock_addr_get_family in more places
- [multiple] inline chunkqueue where always alloc’d
- [core] propagate state after writing
- [core] server_run_con_queue()
- [core] defer handling FDEVENT_HUP and FDEVENT_ERR
- [core] handle unexpected EOF reading FILE_CHUNK
- [core] short-circuit connection_write_throttle()
- [core] walk queue in connection_write_chunkqueue()
- [core] connection_joblist global
- [core] be more precise checking streaming flags
- [core] fdevent_load_file_bytes()
- [TLS] use fdevent_load_file_bytes() for STEK file
- [core] allow symlinks under /dev for rand devices
- [multiple] use light_btst() for hdr existence chk
- [mod_deflate] fix potential NULL deref in err case
- [core] save errno around close() if fstat() fails
- [mod_ssi] use stat_cache_open_rdonly_fstat()
- [core] fdevent_dup_cloexec()
- [core] dup FILE_CHUNK fd when splitting FILE_CHUNK
- [core] stat_cache_path_isdir()
- [multiple] use stat_cache_path_isdir()
- [mod_mbedtls] quiet CLOSE_NOTIFY after conn reset
- [mod_gnutls] quiet CLOSE_NOTIFY after conn reset
- [core] limit num ranges in Range requests
- [core] remove unused r->content_length
- [core] http_response_parse_range() const file sz
- [core] pass open fd to http_response_parse_range
- [core] stat_cache_get_entry_open()
- [core,mod_deflate] leverage cache of open fd
- [doc] comment out config disabling Range for .pdf
- [core] coalesce nearby ranges in Range requests
- [mod_fastcgi] decode chunked is cold code path
- [core] fix chunkqueue_compact_mem w/ partial chunk
- [core] alloc optim reading file, sending chunked
- [core] reuse chunkqueue_compact_mem*()
- [mod_cgi] use splice() to send input to CGI
- [multiple] ignore openssl 3.0.0 deprecation warns
- [mod_openssl] migrate ticket cb to openssl 3.0.0
- [mod_openssl] construct OSSL_PARAM on stack
- [mod_openssl] merge ssl_tlsext_ticket_key_cb impls
- [multiple] openssl 3.0.0 digest interface migrate
- [tests] detect multiple SSL/TLS/crypto providers
- [core] sys-crypto-md.h consistent interfaces
- [wolfssl] wolfSSL_CTX_set_mode differs from others
- [multiple] use NSS crypto if no other crypto avail
- [multiple] stat_cache_path_stat() for struct st
- [TLS] ignore empty “CipherString” in ssl-conf-cmd
- [multiple] remove chunk file.start member
- [core] modify use of getrlimit() to not be fatal
- [mod_webdav] add missing update to cq accounting
- [mod_webdav] update defaults after worker_init
- [mod_openssl] use newer openssl 3.0.0 func
- [core] config_plugin_value_to_int32()
- [core] minimize pause during graceful restart
- [mod_deflate] use large mmap chunks to compress
- [core] stat_cache_entry reference counting
- [core] FILE_CHUNK can hold stat_cache_entry ref
- [core] http_chunk_append_file_ref_range()
- [multiple] use http_chunk_append_file_ref()
- [core] always lseek() with shared fd
- [core] silence coverity warnings (false positives)
- [core] silence coverity warnings in ls-hpack
- [core] silence coverity warnings (another try)
- [core] fix fd sharing when splitting file chunk
- [mod_mbedtls] quiet unused variable warning
- [core] use inline funcs in sys-crypto-md.h
- [core] add missing declaration for NSS rand
- [core] init NSS lib for basic crypto algorithms
- [doc] change mod_compress refs to mod_deflate
- [doc] replace bzip2 refs with brotli
- [build] remove svnversion from versionstamp rule
- [doc] /var/run -> /run
- [multiple] test for nss includes
- [mod_nss] more nss includes fixes
- [mod_webdav] define _NETBSD_SOURCE on NetBSD
- [core] silence coverity warnings (another try)
- [mod_mbedtls] newer mbedTLS vers support TLSv1.3
- [mod_accesslog] update defaults after cycling log
- [multiple] add some missing config cleanup
- [core] fix (startup) mem leaks in configparser.y
- [core] STAILQ_* -> SIMPLEQ_* on OpenBSD
- [mod_wolfssl] use more wolfssl/options.h defines
- [mod_wolfssl] cripple SNI if not built OPENSSL_ALL
- [mod_wolfssl] need to build --enable-alpn for ALPN
- [mod_secdownload] fix compile w/ NSS on FreeBSD
- [mod_mbedtls] wrap addtl code in preproc defines
- [TLS] server.feature-flags “ssl.session-cache”
- [core] workaround fragile code in wolfssl types.h
- [core] move misplaced error trace to match option
- [core] adjust wolfssl workaround for another case
- [multiple] consistent order for crypto lib select
- [multiple] include mbedtls/config.h after select
- [multiple] include wolfssl/options.h after select
- [core] set NSS_VER_INCLUDE after crypto lib select
- [core] use system xxhash lib if available
- [doc] refresh doc/config/conf.d/mime.conf
- [meson] add matching -I for lua lib version
- [build] prepend search for lua version 5.4
- [core] use inotify in stat_cache.[ch] on Linux
- [build] detect inotify header <sys/inotify.h>
- [mod_nss] update session ticket NSS devel comment
- [core] set last_used on rd/wr from backend (fixes #3029)
- [core] cold func for gw_recv_response error case
- [core] use kqueue() instead of FAM/gamin on *BSD
- [core] no graceful-restart-bg on OpenBSD, NetBSD
- [mod_openssl] add LIBRESSL_VERSION_NUMBER checks
- [core] use struct kevent on stack in stat_cache
- [core] stat_cache preprocessor paranoia
- [mod_openssl] adjust LIBRESSL_VERSION_NUMBER check
- [mod_maxminddb] fix config validation typo
- [tests] allow LIGHTTPD_EXE_PATH override
- [multiple] handle NULL val as empty in *_env_add (fixes #3030)
- [core] accept “HTTP/2.0”, “HTTP/3.0” from backends (fixes #3031)
- [build] check for xxhash in more ways
- [core] accept “HTTP/2.0”, “HTTP/3.0” from backends (#3031)
- [core] http_response_buffer_append_authority()
- [core] define SHA*_DIGEST_LENGTH macros if missing
- [doc] update optional pkg dependencies in INSTALL
- [mod_alias] validate given order, not sorted order
- [core] filter out duplicate modules
- [mod_cgi] fix crash if initial write to CGI fails
- [mod_cgi] ensure tmp file open() before splice()
- [multiple] add back-pressure gw data pump (fixes #3033)
- [core] fix bug when HTTP/2 frames span chunks
- [multiple] more forgiving config str to boolean (fixes #3036)
- [core] check for __builtin_expect() availability
- [core] quiet more request parse errs unless debug
- [core] consolidate chunk size checks
- [mod_flv_streaming] use stat_cache_get_entry_open
- [mod_webdav] pass full path to webdav_unlinkat()
- [mod_webdav] fallbacks if _ATFILE_SOURCE not avail
- [mod_fastcgi] move src/fastcgi.h into src/compat/
- [mod_status] add additional HTML-encoding
- [core] server.v4mapped option
- [mod_webdav] workaround for gvfs dir redir bug
-
Remove SuSEfirewall2 service files, SuSEfirewall2 does not exist anymore
-
Changed /etc/logrotate.d/lighttpd from init.d to systemd fix boo#1146452.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product: