Release of HTTP servers lighttpd 1.4.76 and Apache httpd 2.4.59

lighttpd 1.4.76, a lightweight HTTP server that combines high performance, security, standards compliance and configuration flexibility, has been released. lighttpd is suited to heavily loaded systems and aims at low memory and CPU consumption. The code is written in C and distributed under the BSD license.

In the new version:

  • Detection of a “Continuation flood” attack, in which a client sends the HTTP/2 server an endless stream of CONTINUATION frames without ever setting the END_HEADERS flag. The developers state that this attack does not cause a denial of service in lighttpd, but as an additional measure the server now detects it and terminates the connection with a GOAWAY frame.
  • The xz backdoor incident has been taken into account: when building releases, the source code of dependencies is now retrieved from Git with “git archive”, verified against release tags, rather than by downloading ready-made source tarballs.
  • A built-in default mimetype.assign mapping is provided.
  • Added support for the MPTCP (MultiPath TCP) extension; it is disabled by default.
  • Improved support for the GNU/Hurd and NetBSD 10 platforms.
  • The number of system calls made when connecting to a backend has been reduced.
  • In future releases it is planned to raise the default minimum TLS version to TLSv1.3 (the MinProtocol parameter currently defaults to TLSv1.2) and to restrict the server.error-handler-404 handler to 404 errors only (it currently handles both 404 and 403).

Also worth noting is the release of Apache HTTP Server 2.4.59, which brings 21 changes and fixes three vulnerabilities:

  • CVE-2024-27316: memory exhaustion in the HTTP/2 module (mod_http2) under a “Continuation flood” attack, i.e. an endless stream of CONTINUATION frames that never set END_HEADERS.
  • CVE-2024-24795, CVE-2023-38709: HTTP response splitting in front-end/back-end deployments. A back end or content generator that can place CR/LF sequences into a response header can add extra response headers or split one response into two, so that on a connection shared between the front end and the back end, content meant for one user is delivered as the answer to another user's request (an HTTP desynchronization).
  • The CGIScriptTimeout directive has been added to mod_cgi to set a timeout for script execution.
  • mod_xml2enc is compatible with libxml2 2.12.0 and later releases.
  • mod_ssl uses the standard OpenSSL functions to build the list of certification authority names when processing the SSLCACertificatePath and SSLCADNRequestPath directives.
  • mod_xml2enc now applies its encoding conversion only to text/* and XML MIME types, so that binary content such as Microsoft OOXML documents is no longer corrupted.
  • The htcacheclean utility, when invoked with the -a/-A options, can now list all files in each subdirectory.
  • In mod_ssl, the SSLProxyMachineCertificateFile/Path directives may reference files that contain certification authority certificates.
  • The documentation for the htpasswd, htdbm and dbmmanage utilities now makes clear that they hash passwords rather than encrypt them.
  • htpasswd can now generate password hashes based on the SHA-2 algorithms.
  • mod_env now allows system environment variables to be overridden.
  • mod_ldap HTML-escapes the data displayed by the ldap-status handler.
  • mod_ssl improves compatibility with OpenSSL 3 and ensures that freed memory is returned to the system.
  • mod_proxy allows setting a TTL that controls how long entries remain in its DNS resolution cache.
  • In mod_proxy, the ProxyRemote directive accepts a third argument that specifies the Basic authentication credentials sent to the remote proxy.
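As an added illustration of the “Continuation flood” detection described for lighttpd above and of the attack behind CVE-2024-27316 (example code, not from lighttpd or Apache httpd), the following Python script parses HTTP/2 framing and decides when a server should give up on the connection and answer with GOAWAY. The frame layout and constants follow RFC 9113; MAX_HEADER_BLOCK, the builder functions and the filler payloads are assumptions constructed for the example.

```python
"""HTTP/2 CONTINUATION-flood detector (added example, not lighttpd/httpd code).

Parses the 9-byte frame header of RFC 9113 and applies two rules to a header
block that has not yet seen END_HEADERS: CONTINUATION frames must belong to
the stream whose HEADERS frame opened the block, and the bytes buffered for
the block must stay below a cap. MAX_HEADER_BLOCK is an assumed value for
this example, not a setting of either server.
"""
import struct

FRAME_HEADER_LEN = 9
TYPE_HEADERS, TYPE_GOAWAY, TYPE_CONTINUATION = 0x1, 0x7, 0x9
FLAG_END_HEADERS = 0x4
ERR_PROTOCOL, ERR_ENHANCE_YOUR_CALM = 0x1, 0xB
MAX_HEADER_BLOCK = 16 * 1024  # assumed cap on buffered header-block bytes


def encode_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for every complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated frame: wait for more bytes
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def goaway(last_stream_id, error_code):
    """GOAWAY frame on stream 0: last processed stream id plus error code."""
    return encode_frame(TYPE_GOAWAY, 0, 0, struct.pack(">II", last_stream_id, error_code))


def check_connection(data):
    """Walk the frames of one connection.

    Returns ('ok', None) when every header block is terminated properly,
    otherwise (reason, goaway_frame_bytes) for the violation that ends the
    connection. HPACK payloads are never decoded; only framing is checked.
    """
    open_stream = None   # stream whose header block still awaits END_HEADERS
    pending = 0          # header-block bytes buffered for that stream
    last_stream = 0
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype == TYPE_HEADERS:
            if open_stream is not None:  # new HEADERS while a block is still open
                return "protocol_error", goaway(last_stream, ERR_PROTOCOL)
            last_stream = max(last_stream, sid)
            if flags & FLAG_END_HEADERS:
                continue                 # whole block fitted in one frame
            open_stream, pending = sid, len(payload)
        elif ftype == TYPE_CONTINUATION:
            if open_stream is None or sid != open_stream:
                return "protocol_error", goaway(last_stream, ERR_PROTOCOL)
            pending += len(payload)
            if flags & FLAG_END_HEADERS:
                open_stream, pending = None, 0
        elif open_stream is not None:    # any other frame interrupts the block
            return "protocol_error", goaway(last_stream, ERR_PROTOCOL)
        if pending > MAX_HEADER_BLOCK:   # the flood: END_HEADERS never arrives
            return "continuation_flood", goaway(last_stream, ERR_ENHANCE_YOUR_CALM)
    return "ok", None


def build_flood(frames, chunk=1024):
    """Constructed attacker traffic: HEADERS without END_HEADERS followed by a
    run of CONTINUATION frames that never set END_HEADERS (payload is filler,
    not real HPACK)."""
    out = encode_frame(TYPE_HEADERS, 0, 1, b"\x00" * chunk)
    for _ in range(frames):
        out += encode_frame(TYPE_CONTINUATION, 0, 1, b"\x00" * chunk)
    return out


def build_benign():
    """Constructed well-formed traffic: one header block split over two frames,
    then a second stream whose block fits in a single HEADERS frame."""
    return (encode_frame(TYPE_HEADERS, 0, 1, b"\x00" * 100)
            + encode_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"\x00" * 100)
            + encode_frame(TYPE_HEADERS, FLAG_END_HEADERS, 3, b"\x00" * 50))


if __name__ == "__main__":
    print("benign:", check_connection(build_benign())[0])
    print("flood: ", check_connection(build_flood(64))[0])
```

The point the cap makes is that a server must bound what it buffers for an unfinished header block: without a limit, the attacker decides how much memory each connection holds, which is exactly the exhaustion behind CVE-2024-27316. Answering with ENHANCE_YOUR_CALM rather than silently dropping the connection also gives a log signal that distinguishes the flood from an ordinary client disconnect.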
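As an added illustration of the response-splitting class behind CVE-2024-24795 and CVE-2023-38709 (example code, not httpd's own), the script below shows how one unchecked header value on a front-end/back-end path turns into two responses on the wire, and the check that stops it. The function names, the parser and the sample input TAINTED_LOCATION are all constructed for the example and do not correspond to anything in Apache httpd.

```python
"""HTTP response splitting through a copied header value (added example, not
Apache httpd code). A front end that forwards a header value from a back end
into the client response without rejecting CR/LF lets that value end the
response early and start a forged second response; a peer reusing the
connection then reads the forged response as the answer to its own request.
The names below (serialise_unsafe, serialise_safe, split_responses,
TAINTED_LOCATION) are illustrative and do not exist in httpd.
"""
import re

CTL = re.compile(rb"[\x00\r\n]")  # CR, LF and NUL must never appear in a header

# Constructed attacker input: a redirect target that carries a complete
# forged response after the first blank line.
TAINTED_LOCATION = ("/ok\r\n\r\n"
                    "HTTP/1.1 200 OK\r\n"
                    "Content-Type: text/html\r\n"
                    "Content-Length: 19\r\n\r\n"
                    "<html>forged</html>")


class HeaderInjection(ValueError):
    """Raised by the hardened serialiser when a header carries control characters."""


def serialise_unsafe(status, headers, body):
    """Naive serialiser: header values are copied verbatim onto the wire."""
    lines = [f"HTTP/1.1 {status}".encode(),
             b"Content-Length: " + str(len(body)).encode()]
    for name, value in headers:
        lines.append(name.encode("latin-1") + b": " + value.encode("latin-1"))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def serialise_safe(status, headers, body):
    """Hardened serialiser: refuse any header name or value containing CR, LF or NUL."""
    for name, value in headers:
        if (not name.strip() or CTL.search(name.encode("latin-1"))
                or CTL.search(value.encode("latin-1"))):
            raise HeaderInjection(f"control character in header {name!r}")
    return serialise_unsafe(status, headers, body)


def is_rejected(headers):
    """True when the hardened serialiser refuses these headers."""
    try:
        serialise_safe("200 OK", headers, b"")
        return False
    except HeaderInjection:
        return True


def split_responses(wire):
    """Read a byte stream the way a keep-alive peer does: each response is a
    status line, headers, blank line, then Content-Length body bytes. Returns
    the list of (status_line, headers_dict, body) found on the wire."""
    responses, pos = [], 0
    while pos < len(wire):
        while wire.startswith(b"\r\n", pos):  # tolerate empty lines between responses
            pos += 2
        if pos >= len(wire):
            break
        end = wire.find(b"\r\n\r\n", pos)
        if end < 0:
            break  # incomplete head: wait for more bytes
        head = wire[pos:end].split(b"\r\n")
        status = head[0].decode("latin-1")
        hdrs = {}
        for line in head[1:]:
            name, _, value = line.partition(b":")
            hdrs[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
        clen = int(hdrs.get("content-length", "0"))
        body = wire[end + 4:end + 4 + clen]
        responses.append((status, hdrs, body))
        pos = end + 4 + clen
    return responses


if __name__ == "__main__":
    wire = serialise_unsafe("302 Found", [("Location", TAINTED_LOCATION)], b"")
    for status, _, body in split_responses(wire):
        print(status, body)   # two responses: the redirect and the forged page
    try:
        serialise_safe("302 Found", [("Location", TAINTED_LOCATION)], b"")
    except HeaderInjection as exc:
        print("rejected:", exc)
```

The naive path emits one 302 whose Location value contains a blank line, so the peer parses the forged 200 as a second, complete response; if that peer is a front end holding a reused connection to the back end, the forged page is what the next client on that connection receives. The fix is not to encode the value but to refuse it: a header that needs CR, LF or NUL is never legitimate.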

Source: opennet.ru
