Release of HTTP Server lighttpd 1.4.64

The lightweight HTTP server lighttpd 1.4.64 has been released. The new version contains 95 changes, including previously planned changes to default values and the removal of obsolete functionality:

  • The default timeout for graceful restart/shutdown operations has been reduced from infinity to 8 seconds. The timeout can be configured with the "server.graceful-shutdown-timeout" option.
  • The build has switched to the PCRE2 library (--with-pcre2); to return to the old PCRE, use the "--with-pcre" option.
  • Modules previously declared obsolete have been removed:
    • mod_geoip (use mod_maxminddb instead),
    • mod_authn_mysql (use mod_authn_dbi instead),
    • mod_mysql_vhost (use mod_vhostdb_dbi instead),
    • mod_cml (use mod_magnet instead),
    • mod_flv_streaming (no longer relevant now that Adobe Flash has reached end of life),
    • mod_trigger_b4_dl (use a Lua-based replacement).

lighttpd 1.4.64 also fixes a vulnerability (CVE-2022-22707) in the mod_extforward module that leads to a 4-byte buffer overflow when processing data in the Forwarded HTTP header. According to the developers, the problem is limited to denial of service and allows the background process to be crashed remotely. Exploitation is possible only when the Forwarded header handler is enabled, which is not the case in the default configuration.
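
A configuration check covering the removed modules and the CVE-2022-22707 precondition described above, as an added example that is not part of the release announcement or of lighttpd itself. It assumes the Forwarded handler is enabled by listing "Forwarded" in the `extforward.headers` directive; the function names and the sample configuration are constructed for illustration.

```python
import re

# Removed modules -> replacements, as listed in the release notes above.
REMOVED = {
    "mod_geoip": "mod_maxminddb",
    "mod_authn_mysql": "mod_authn_dbi",
    "mod_mysql_vhost": "mod_vhostdb_dbi",
    "mod_cml": "mod_magnet",
    "mod_flv_streaming": "no replacement (Adobe Flash is end-of-life)",
    "mod_trigger_b4_dl": "a Lua replacement",
}

def strip_comments(conf):
    """Drop '#' comments, ignoring '#' inside double-quoted strings."""
    lines = []
    for line in conf.splitlines():
        in_str = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == "#" and not in_str:
                line = line[:i]
                break
        lines.append(line)
    return "\n".join(lines)

def audit(conf):
    """Return upgrade findings for a lighttpd configuration given as text."""
    text = strip_comments(conf)
    mods = set(re.findall(r'"(mod_\w+)"', text))
    findings = [f"{m}: removed in 1.4.64, use {REMOVED[m]}"
                for m in sorted(mods) if m in REMOVED]
    # extforward.headers lists the headers mod_extforward will parse.
    hdr_lists = re.findall(r"extforward\.headers\s*[+:]?=\s*\(([^)]*)\)", text)
    if "mod_extforward" in mods and any(
            re.search(r'"forwarded"', h, re.I) for h in hdr_lists):
        findings.append("mod_extforward parses Forwarded: CVE-2022-22707 applies before 1.4.64")
    if "server.graceful-shutdown-timeout" not in text:
        findings.append("server.graceful-shutdown-timeout unset: default is now 8 seconds")
    return findings

# Constructed sample configuration (not taken from any real deployment).
SAMPLE = '''
server.modules = ( "mod_access", "mod_geoip", "mod_extforward" )
# server.modules += ( "mod_cml" )
extforward.forwarder = ( "10.0.0.1" => "trust" )
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check reads only the text it is given, so included files and conditional blocks need to be passed in as well.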
