lighttpd (1.4.56~rc7-0+exp2) experimental; urgency=medium

  This version changes the way binary packages are laid out.

  lighttpd-1.4.56 provides multiple modules for TLS. Therefore mod_openssl
  got moved out of the main lighttpd package, along with the dependency on
  openssl libraries. A new package was created for each TLS module.

    * lighttpd-mod-openssl
    * lighttpd-mod-mbedtls
    * lighttpd-mod-wolfssl
    * lighttpd-mod-nss

  If you use Recommends, lighttpd-mod-openssl will be installed automatically
  in bullseye to ease upgrading. After that, the recommendation will be
  dropped.

  The compression module was renamed from mod_compress to mod_deflate.
  Compression library dependencies have been moved out of the main lighttpd
  package and into a new package lighttpd-mod-deflate. If you use Recommends,
  lighttpd-mod-deflate will be installed automatically in bullseye to ease
  upgrading. In any case, the new default configuration cannot enable
  mod_deflate due to the split. To keep the module active you should run:

    lighty-enable-mod deflate

  Modules are coalesced to reduce the binary package count and runtime
  dependencies.

    * mod_authn_dbi (new) -> lighttpd-modules-dbi
    * mod_vhostdb_dbi     -> lighttpd-modules-dbi
    * mod_magnet          -> lighttpd-modules-lua
    * mod_cml             -> lighttpd-modules-lua

  Do not depend on lighttpd-modules-* or lighttpd for using specific modules.
  Do depend on virtual packages lighttpd-mod-* instead.

 -- Glenn Strauss  Mon, 26 Oct 2020 12:50:09 +0000

lighttpd (1.4.52-4) unstable; urgency=medium

  If mod_cgi is enabled, an alias is now configured:

    alias.url += ( "/cgi-bin/" => "/usr/lib/cgi-bin/" )

  whereas an alias was previously not specified. "/usr/lib/cgi-bin" is the
  Debian standard location for CGI.

  If an existing installation placed cgi-bin/ in the document tree, then the
  alias.url directive in 10-cgi.conf will need to be commented out, or the
  cgi-bin/ moved to /usr/lib/cgi-bin/.

  For consistency and security, this version also changes lighttpd.conf to
  default to strict parsing and normalization of request URLs. Most websites
  will be unaffected by these more secure defaults. Some sites may need to
  comment out or to disable some of the strict options in
  server.http-parseopts, e.g. if a site encodes URLs in the url-path and
  requires "%2F" to be preserved as "%2F" instead of being decoded to "/".

 -- Glenn Strauss  Sun, 13 Jan 2019 15:58:07 +0000

lighttpd (1.4.52-2+exp1) experimental; urgency=medium

  This version changes the way binary packages are laid out.

  Modules are coalesced to reduce the binary package count and runtime
  dependencies. Therefore two modules got moved out of the main lighttpd
  package:

    * mod_vhostdb_ldap  -> lighttpd-modules-ldap
    * mod_vhostdb_mysql -> lighttpd-modules-mysql

  If you use Recommends, these packages will be installed automatically in
  buster to ease upgrading. After that, the recommendation will be dropped.

  Do not depend on lighttpd-modules-* or lighttpd for using specific modules.
  Do depend on virtual packages lighttpd-mod-* instead.

 -- Helmut Grohne  Fri, 04 Jan 2019 08:23:03 +0100

lighttpd (1.4.31-4) unstable; urgency=high

  The default Debian configuration file for PHP invoked from FastCGI was
  vulnerable to local symlink attacks and race conditions when an attacker
  manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3)
  before the web server started. Possibly the web server could have been
  tricked to use a forged PHP.

  The problem lies in the configuration, thus this update will fix the
  problem only if you did not modify the file
  /etc/lighttpd/conf-available/15-fastcgi-php.conf

  If you did, dpkg will not overwrite your changes. Please make sure to set

    "socket" => "/var/run/lighttpd/php.socket"

  yourself in that case.

 -- Arno Töll  Thu, 14 Mar 2013 01:57:42 +0100

lighttpd (1.4.30-1) unstable; urgency=medium

  This release includes an option to force Lighttpd to honor the cipher order
  in ssl.cipher-list. This mitigates the effects of an SSL CBC attack commonly
  referred to as "BEAST attack". See [1] and CVE-2011-3389 for more details.

  To minimize the risk of this attack it is recommended either to disable all
  CBC ciphers (beware: this will break reasonably old clients or those who
  support CBC ciphers only), or to persuade clients to use safe ciphers where
  possible at least. To do so, set

    ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
    ssl.honor-cipher-order = "enable"

  in your /etc/lighttpd/conf-available/10-ssl.conf file or on any SSL enabled
  host you configured. If you did not change this file previously, this
  upgrade will update it automatically.

  [1] http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html

 -- Arno Töll  Sun, 18 Dec 2011 20:26:50 +0100

lighttpd (1.4.23-1) unstable; urgency=low

  spawn-fcgi is now a separate package. Please install the "spawn-fcgi"
  package if you need it.

 -- Krzysztof Krzyżaniak (eloy)  Thu, 09 Jul 2009 15:53:14 +0200
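The 1.4.31-4 entry above asks admins who modified 15-fastcgi-php.conf to move the PHP socket out of /tmp themselves. As an added example (not part of the Debian NEWS file or the lighttpd package), the POSIX sh script below audits a FastCGI config fragment for a "socket" value that still lives in a shared, world-writable tmp directory; the two config fragments it checks are constructed samples, and only the /tmp and /var/run paths come from the entry.

```shell
#!/bin/sh
# Audit lighttpd FastCGI fragments for a PHP socket placed in a shared tmp
# directory (symlink / race risk described in the 1.4.31-4 NEWS entry).

# Print the value of every  "socket" => "..."  entry found in a fragment.
php_socket_path() {
    grep -E '"socket"[[:space:]]*=>' "$1" |
        sed -E 's/.*=>[[:space:]]*"([^"]*)".*/\1/'
}

# Return 0 when every socket is outside /tmp and /var/tmp, 1 otherwise.
check_php_socket() {
    status=0
    for sock in $(php_socket_path "$1"); do
        case "$sock" in
            /tmp/*|/var/tmp/*)
                echo "INSECURE: $sock is in a world-writable directory"
                status=1 ;;
            *)
                echo "ok: $sock" ;;
        esac
    done
    return $status
}

# Constructed sample fragments (not the real Debian files); left in $tmpdir
# so they can be inspected after the run.
tmpdir=$(mktemp -d)
cat > "$tmpdir/old.conf" <<'EOF'
fastcgi.server += ( ".php" =>
        ((
                "socket" => "/tmp/php.socket",
                "max-procs" => 1,
        ))
)
EOF
cat > "$tmpdir/new.conf" <<'EOF'
fastcgi.server += ( ".php" =>
        ((
                "socket" => "/var/run/lighttpd/php.socket",
                "max-procs" => 1,
        ))
)
EOF

check_php_socket "$tmpdir/old.conf"   # reports INSECURE, returns 1
check_php_socket "$tmpdir/new.conf"   # reports ok, returns 0
```

Run it against /etc/lighttpd/conf-available/15-fastcgi-php.conf (or any locally modified copy) to confirm the socket was relocated after the upgrade.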