Version 1.4.64 of the lightweight HTTP server lighttpd has been released. The new version introduces 95 changes, including previously planned changes to defaults and the removal of deprecated functionality:
- The default timeout for graceful restart/shutdown operations has been reduced from infinity to 8 seconds. The timeout can be configured using the "server.graceful-shutdown-timeout" option.
- The build has switched to the PCRE2 library (--with-pcre2); to return to the old version of PCRE, use the "--with-pcre" option.
- Previously deprecated modules have been removed:
  - mod_geoip (use mod_maxminddb instead),
  - mod_authn_mysql (use mod_authn_dbi instead),
  - mod_mysql_vhost (use mod_vhostdb_dbi instead),
  - mod_cml (use mod_magnet instead),
  - mod_flv_streaming (obsolete since Adobe Flash reached end of life),
  - mod_trigger_b4_dl (use a Lua replacement instead).
Lighttpd 1.4.64 also fixes a vulnerability (CVE-2022-22707) in the mod_extforward module that causes a 4-byte buffer overflow when processing data in the Forwarded HTTP header. According to the developers, the impact is limited to denial of service: the flaw allows a remote party to trigger abnormal termination of the background process. Exploitation is only possible when the Forwarded header handler is enabled, which is not the case in the default configuration.
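To check whether an installation meets the exposure condition described above, the following added example (not from the lighttpd project or the original article) audits a configuration and version string. It assumes the handler is enabled in the usual way, by loading mod_extforward and listing "Forwarded" in extforward.headers; the function names and the sample configuration are constructed for illustration.

```python
import re

FIXED = (1, 4, 64)  # release carrying the CVE-2022-22707 fix, per the article

def strip_comments(conf):
    """Remove '#' comments, leaving '#' inside double-quoted strings alone."""
    lines = []
    for line in conf.splitlines():
        in_str, kept = False, []
        for ch in line:
            if ch == '"':
                in_str = not in_str
            elif ch == "#" and not in_str:
                break
            kept.append(ch)
        lines.append("".join(kept))
    return "\n".join(lines)

def list_values(conf, key):
    """Collect quoted strings from every `key = ( ... )`, `+=` or `:=` list."""
    pat = re.escape(key) + r"\s*[+:]?=\s*\((.*?)\)"
    vals = []
    for m in re.finditer(pat, conf, re.S):
        vals += re.findall(r'"([^"]*)"', m.group(1))
    return vals

def forwarded_handler_enabled(conf):
    """True if mod_extforward is loaded and told to parse the Forwarded header."""
    conf = strip_comments(conf)
    loaded = "mod_extforward" in list_values(conf, "server.modules")
    headers = [h.lower() for h in list_values(conf, "extforward.headers")]
    return loaded and "forwarded" in headers

def assess(conf, version):
    """Return 'fixed', 'exposed' or 'handler-disabled' for a config and version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("no x.y.z version in %r" % version)
    if tuple(map(int, m.groups())) >= FIXED:
        return "fixed"
    return "exposed" if forwarded_handler_enabled(conf) else "handler-disabled"

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = '''
server.modules += ( "mod_access",
                    "mod_extforward" )   # reverse-proxy support
# extforward.headers = ( "X-Forwarded-For" )
extforward.headers = ( "Forwarded" )
'''
```

The parser does not follow include directives, so run it over the merged configuration (for example the output of `lighttpd -p -f <config>`) rather than a single file.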
Source: opennet.ru