1.4.30 - Faster than santa, your first present this year!

December 18th, 2011

And lighttpd 1.4 is still alive :)

Especially for ssl users this release should be important: by setting

ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

you can mitigate BEAST attacks.
Also check your site with Qualys SSL Labs Server Test

Important changes

[mod_auth] Fix signedness error in http_auth (CVE-2011-4362) ssl: disable client initiated renegotiations ssl: support mitigating BEAST attack fix connection stalls

Downloads

http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz

GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz.asc SHA256: 59ae55b0ec427c328fa74d683e00eb1bc99bcc20cd184177875e9b6865de2b8b

http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2

GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2.asc SHA256: 0d795597e4666dbf6ffe44b4a42f388ddb44736ddfab0b1ac091e5bb35212c2d

http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz

GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz.asc SHA256: c237692366935b19ef8a6a600b2f3c9b259a9c3107271594c081a45902bd9c9b

SHA256 checksums: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.sha256sum

In the comments for 1.4.29 we were asked for a launchpad repository for ubuntu. This is not going to happen (launchpad sucks), but we have repositories for some dists on build.opensuse.org. Checkout GetLighttpd, or server:http/lighttpd or home:stbuehler/lighttpd on build.opensuse.org.

Read the rest of this entry

8 comments »

1.4.29

July 3rd, 2011

Important changes

solve name conflict of md5 functions with OpenSSL lib mod_proxy, mod_cgi and other mod_*cgi fixes ssl improvements Native solaris ports fdevent handler “solaris-eventports”