1.4.32

November 21, 2012

Important changes

One important denial of service (in 1.4.31) fix: CVE-2012-5533.

Downloads

download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.gz
- GPG signature: download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.gz.asc
- SHA256: 0765e07dac432393dea3950639d5ba646ded95a9408ad002e54b3353ab6b9645
download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.bz2
- GPG signature: download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.bz2.asc
- SHA256: 60691b2dcf3ad2472c06b23d75eb0c164bf48a08a630ed3f308f61319104701f
download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.xz
- GPG signature: download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.xz.asc
- SHA256: 1368f80069ce71f5928cad59c8e60c0b95876942ca9e02c53853e54ae24aedc1
SHA256 checksums: download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.sha256sum

External references

CVE-2012-5533
- lighttpd-SA-2012-01
- lighttpd-1.4.31_fix_connection_header_dos.patch

1.4.31 - Diablo servers are down again, back to work

May 31, 2012

Important changes

Many important changes – fixed a segfault (crash on first https request), disabled mmap due to possible crash if the file is truncated while reading and more.

If you still want to use mmap you can use ./configure --enable-mmap, but check #2391 before.

Downloads

download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.gz
- GPG signature: download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.gz.asc
- SHA256: 848a15604bf358d9355bd7a48c01f448c286734dbb5f4dc1cd16acb8b05a9b52
download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.bz2
- GPG signature: download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.bz2.asc
- SHA256: 5209e7a25d3044cb21b34d6a2bb3a6f6c216ba903ea486a803d070582e5e26ac
download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.xz
- GPG signature: download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.tar.xz.asc
- SHA256: 8a0a4f1ab782c2a3554e031c7d8ad600aac9b4c0466710a6cc9aab10659fe3f2
SHA256 checksums: download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.31.sha256sum

1.4.30 - Faster than santa, your first present this year!

December 18, 2011

And lighttpd 1.4 is still alive :)

Especially for ssl users this release should be important: by setting

ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"

you can mitigate BEAST attacks.
Also check your site with Qualys SSL Labs Server Test

Important changes

[mod_auth] Fix signedness error in http_auth (CVE-2011-4362)
ssl: disable client initiated renegotiations
ssl: support mitigating BEAST attack
fix connection stalls

Downloads

download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz
- GPG signature: download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.gz.asc
- SHA256: 59ae55b0ec427c328fa74d683e00eb1bc99bcc20cd184177875e9b6865de2b8b
download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2
- GPG signature: download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.bz2.asc
- SHA256: 0d795597e4666dbf6ffe44b4a42f388ddb44736ddfab0b1ac091e5bb35212c2d
download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz
- GPG signature: download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.tar.xz.asc
- SHA256: c237692366935b19ef8a6a600b2f3c9b259a9c3107271594c081a45902bd9c9b
SHA256 checksums: download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.30.sha256sum

In the comments for 1.4.29 we were asked for a launchpad repository for ubuntu. This is not going to happen (launchpad sucks), but we have repositories for some dists on build.opensuse.org.
Checkout GetLighttpd, or server:http/lighttpd or home:stbuehler/lighttpd on build.opensuse.org.