| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search | 
| Name: lighttpd-mod_mbedtls | Distribution: openSUSE Tumbleweed | 
| Version: 1.4.82 | Vendor: openSUSE | 
| Release: 1.2 | Build date: Fri Sep 12 22:14:47 2025 | 
| Group: Productivity/Networking/Web/Servers | Build host: reproducible | 
| Size: 48055 | Source RPM: lighttpd-1.4.82-1.2.src.rpm | 
| Packager: http://bugs.opensuse.org | |
| Url: https://www.lighttpd.net/ | |
| Summary: TLS module for lighttpd that uses mbedTLS | |
TLS module for lighttpd that uses mbedTLS.
BSD-3-Clause
* Fri Sep 12 2025 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.82:
    * restrict request trailers to configured list:
      trailers in request headers will be ignored unless allowed
      field names are explicitly configured in a comma-separated list
      containing no spaces:
      server.feature-flags += (“request.trailer-whitelist” => “…”)
      This changes behavior from lighttpd 1.4.80, which added support
      for request trailers and header merging, but did not restrict
      request trailers.
    * bug fixes
* Thu Aug 14 2025 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.80:
    * detect and issue error trace for HTTP/2 MadeYouReset
      CVE-2025-8671 (boo#1243888)
    * stricter HTTP request/response header, trailer, and chunked
      validation/parsing
    * support HTTP response trailers
    * support HTTP request trailers merge to headers (if not
      streaming request body)
    * extend TLS error log messages to include client addr if error
      caused by client
    * extend TLS error log messages for HTTP/2 attack detection
    * reject path info on static files by default
      (static-file.disable-pathinfo)
* Mon Jul 21 2025 Stefan Bühler <source@stbuehler.de>
  - update upstream keys (uids / expiry)
  - split some modules into separate packages, but require them in the
    main package for now:
    * mod_openssl
    * mod_deflate
    * mod_authn_dbi
  - add alternative tls modules:
    * mod_gnutls
    * mod_mbedtls
    * mod_nss
  - suggest DBI drivers with dbi modules
  - suggest some geoip packages for mod_maxminddb
  - kTLS offloading support (boo#1240669):
    * autoload tls kernel module with mod_openssl and mod_gnutls
  - use lua5.4 (upgrade from lua5.1) for mod_magnet
  - require libxcrypt-devel explicitly (for crypt_r)
* Sun May 18 2025 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.79:
    * bug fix for mod_openssl using both ECDSA and RSA certs
    * hardened systemd lighttpd.service
  - drop harden_lighttpd.service.patch
* Wed Mar 26 2025 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.78:
    * option to reload TLS certs and CRLs
    * bug fixes
* Sun Mar 23 2025 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.77:
    * stronger TLS defaults: TLSv1.3
    * defaults t limit TLSv1.3 Groups to the IANA “Recommended” set:
      “X25519:P-256:P-384:X448”
    * server.error-handler-404 operates only on 404
    * lighttpd.conf renamed lighttpd.annotated.conf, lighttpd.conf is
      now a simpler header which includes lighttpd.annotated.conf.
* Sat Apr 13 2024 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.76:
    * detect VU#421644 HTTP/2 CONTINUATION Flood
    * issue trace and send GO_AWAY
    * tarball is now more reproducible and verifiable
* Sat Mar 23 2024 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.75:
    * incrementally stronger TLS cipher defaults
    * fix a regression in mod_dirlisting in lighttpd 1.4.74
    * add missing file src/compat/sys/queue.h to the release tarball
  - packaging changes upon notes by the upstream developers:
    * drop usage of lightytest.sh and PHP dependencies
    * drop unneeeded build dependencies and build options
    * drop non-default BZIP2 support
    * update description of -mod_webdav
* Fri Mar 01 2024 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.74:
    * Some messages sent to syslog() (if enabled in lighttpd config)
      have been changed to use different priorities (e.g.
      LOG_WARNING, LOG_DEBUG) instead of everything being sent with
      LOG_ERROR priority. The change affects only lighttpd configs
      which set server.errorlog-use-syslog = “enable” (not default)
    * Other bug fixes
* Mon Feb 05 2024 Andreas Stieger <andreas.stieger@gmx.de>
  - fix user/group with rpm 4.19 (boo#1219549)
* Tue Oct 31 2023 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.73:
    * CVE-2023-44487: HTTP/2 detect and log rapid reset attack
      (boo#1216123)
* Sat Oct 07 2023 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.72:
    * a number of buf fixes and developer visible changes
* Sun May 28 2023 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.71:
    * HTTP/2 support separated to mod_h2 module
* Fri May 12 2023 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.70:
    * speed up CGI spawning
    * support HTTP/2 downstream proxy serving multiple clients on
      single connection (mod_extforward, mod_maxminddb)
    * no longer building separate modules for built-in modules
      lighttpd omits building separate (unused) modules for:
      mod_access mod_alias mod_evhost mod_expire mod_fastcgi
      mod_indexfile mod_redirect mod_rewrite mod_scgi mod_setenv
      mod_simple_vhost mod_staticfile
* Sat Feb 11 2023 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.69:
    * bug fixes and portability fixes
* Sat Jan 21 2023 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.68:
    * TLS modules now default to using stronger, modern ciphers and
      will default to allow client preference in selecting ciphers.
      Allowing client preference in selecting ciphers is safe to do along
      with restrictions to use modern ciphers supporting PFS, and is
      better for mobile users without AES hardware acceleration.
      Legacy ciphers can still be configured in lighttpd.conf using
      `ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by
      the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
      new defaults:
      “CipherString” => “EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384”,
      “Options” => “-ServerPreference”
      old defaults:
      “CipherString” => “HIGH”,
      “Options” => “ServerPreference”
    * Deprecated TLS options have been removed.
      – ssl.honor-cipher-order
      – ssl.dh-file
      – ssl.ec-curve
      – ssl.disable-client-renegotiation
      – ssl.use-sslv2
      – ssl.use-sslv3
      See https://wiki.lighttpd.net/Docs_SSL for replacements with
      `ssl.openssl.ssl-conf-cmd`, but prefer lighttpd defaults instead.
    * Deprecated: mod_evasive has been removed
    * Deprecated: mod_secdownload has been removed
    * Deprecated: mod_uploadprogress has been removed
    * Deprecated: mod_usertrack has been removed
      These four modules can be replaced with a few lines of LUA.
* Wed Nov 16 2022 Andreas Stieger <andreas.stieger@gmx.de>
  - package license file
* Tue Nov 15 2022 pgajdos@suse.com
  - build with php8 on current releases
* Fri Sep 23 2022 Dirk Müller <dmueller@suse.com>
  - update to 1.4.67:
    * Update comment about TCP_INFO on OpenBSD
    * [mod_ajp13] fix crash with bad response headers (fixes #3170)
    * [core] handle RDHUP when collecting chunked body
      CVE-2022-41556 boo#1203872
    * [core] tweak streaming request body to backends
    * [core] handle ENOSPC with pwritev() (#3171)
    * [core] manually calculate off_t max (fixes #3171)
    * [autoconf] force large file support (#3171)
    * [multiple] quiet coverity warnings using casts
    * [meson] add license keyword to project declaration
* Tue Sep 13 2022 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.66:
    * a number of bug fixes
    * Fix HTTP/2 downloads >= 4GiB
    * Fix SIGUSR1 graceful restart with TLS
    * futher bug fixes
    * CVE-2022-37797: null pointer dereference in mod_wstunnel,
      possibly a remotely triggerable crash (boo#1203358)
    * In an upcoming release the TLS modules will default to using
      stronger, modern chiphers and will default to allow client
      preference in selecting ciphers.
      “CipherString” => “EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384”,
      “Options” => “-ServerPreference”
      old defaults:
      “CipherString” => “HIGH”,
      “Options” => “ServerPreference”
    * A number of TLS options are how deprecated and will be removed
      in a future release:
      – ssl.honor-cipher-order
      – ssl.dh-file
      – ssl.ec-curve
      – ssl.disable-client-renegotiation
      – ssl.use-sslv2
      – ssl.use-sslv3
      The replacement option is ssl.openssl.ssl-conf-cmd, but lighttpd
      defaults should be prefered
    * A number of modules are now deprecated and will be removed in a
      future release: mod_evasive, mod_secdownload, mod_uploadprogress,
      mod_usertrack can be replaced by mod_magnet and a few lines of lua.
* Tue Jun 21 2022 Dirk Müller <dmueller@suse.com>
  - update to 1.4.65:
    * WebSockets over HTTP/2
    * RFC 8441 Bootstrapping WebSockets with HTTP/2
    * HTTP/2 PRIORITY_UPDATE
    * RFC 9218 Extensible Prioritization Scheme for HTTP
    * prefix/suffix conditions in lighttpd.conf
    * mod_webdav safe partial-PUT
    * webdav.opts += (“partial-put-copy-modify” => “enable”)
    * mod_accesslog option: accesslog.escaping = “json”
    * mod_deflate libdeflate build option
    * speed up request body uploads via HTTP/2
    * Behavior Changes
    * change default server.max-keep-alive-requests = 1000 to adjust
    * to increasing HTTP/2 usage and to web2/web3 application usage
    * (prior default was 100)
    * mod_status HTML now includes HTTP/2 control stream id 0 in the output
    * which contains aggregate counts for the HTTP/2 connection
    * (These lines can be identified with URL ‘*’, part of “PRI *” preface)
    * alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
    * MIME type application/javascript is translated to text/javascript (RFC 9239)
* Thu Feb 03 2022 Johannes Segitz <jsegitz@suse.com>
  - Set ProtectHome to read-only, otherwise access to the users public_html can
    break (bsc#1195465)
* Sat Jan 22 2022 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 1.4.64:
    * CVE-2022-22707: off-by-one stack overflow in the mod_extforward
      plugin (boo#1194376)
    * graceful restart/shutdown timeout changed from 0 (disabled) to
      8 seconds. configure an alternative with:
      server.feature-flags += (“server.graceful-shutdown-timeout” => 8)
    * deprecated modules (previously announced) have been removed:
      mod_authn_mysql, mod_mysql_vhost, mod_cml, mod_flv_streaming,
      mod_geoip, mod_trigger_b4_dl
/usr/lib/lighttpd/mod_mbedtls.so /usr/share/licenses/lighttpd-mod_mbedtls /usr/share/licenses/lighttpd-mod_mbedtls/COPYING
Generated by rpm2html 1.8.1
Fabrice Bellet, Fri Oct 24 23:31:51 2025