Releases: litespeedtech/openlitespeed
Releases · litespeedtech/openlitespeed
Block hacking attempts, support QUIC stream priority, improve Ruby application compatibility
[Security] Block "litespeed_role" cookie used for hacking LSCWP.
[Improvement] Move OSCP cache, status and rtreport to SHM location to reduce disk wearing.
[Improvement] Add support for QUIC stream priority.
[Bug Fix] Make Ruby application compatible with Ruby 3.3 and Rails 7.2
[Bug Fix] Fix per IP ACL and statistics.
[Bug Fix] More strict HTTP request validation.
[Bug Fix] Fix setting cookie via a rewrite rule.
[Bug Fix] Address issues in namespace and cgroup support.
[Misc] Update lsquic to v4.1.0 .
[Misc] Update libmodsecurity to v3.0.13 .
Proxy chunked encoding support, bug fixes to cache, nodejs, aio, cgroup and namespace
- [Security] Fix chunked encoding + proxy related issues (thanks to @Skad0sh @ma1f0y @sayoojbkumar)
- [Feature] Add request body chunked encoding support for proxy backend
- [Bugfix] Fix excessive cache missing due to varying on cookie.
- [Bugfix] Make nodejs helper script compatible with older nodejs versions.
- [Bugfix] Minor fixes to namespace and cgroup support.
- [Bugfix] Update lsquic to v4.0.8
- [Bugfix] Fix crash in AIO code.
Strict header validation, defend HTTP/2 rapid reset, range request fix
- [Security] More strict header validations
- [Security] Detect HTTP/2 repaid reset attack and disable HTTP/2 for attacking IP.
- [Improve] Update libmodsecurity to 3.0.11
- [Bug Fix] Fix a HTTP/3 integration issue that causes high CPU usage.
- [Bug Fix] Rewrite rule configured in parent directory is disabled due to an empty .htaccess.
- [Bug Fix] Address a compatibility issue with Ruby application using Rack 3.0+.
- [Bug Fix] Address issue in serving a HTTP range request.
- [Bug Fix] Address range request download error.
- [Bug Fix] Address PHP possible dead lock error.
Namespace, iouring, QUICv2, hCaptcha support and more
- Linux Namespace container for resource isolation.
- Asynchronous I/O via iouring, linux AIO and posix AIO.
- Update HTTP3 with the latest QUICv2 support.
- hCaptcha support for reCAPTCHA validation.
- JSon real-time and status report.
- Improved compatibility with MacOSX, FreeBSD.
- Improved build.sh with optional module compilation.
- Static link luajit 2.1 for mod_lua.
- Other minor bug fixes.
Request header validation and mod_security update
- [Security] Apply more strict request header validation.
- [Security] Update libmodsecurity to v3.10.
- [Tuning] Lift default memory limit for external applications.
- [Improvement] Add private cache session cookie detection for WordPress.
- [Bug Fix] Address bug in converting x-forwarded-scheme to x-forwarded-proto.
Version 1.7.17 release
- [Security] Address request header smuggling over HTTP/2 and HTTP/3
- [New Feature] Add support for ARM aarch64 platform.
- [Bug Fix] Update lsquic to v3.2.0
- [Bug Fix] Update libmodsecurity to v3.0.9
- [Bug Fix] Address passing large request headers to PHP-FPM.
- [Bug Fix] Properly detect when out of disk space using posix_fallocate().
- [Bug Fix] Support bcrypt authentication hash format starting with "$2b$".
- [Bug Fix] Other minor bug fixes.
Version 1.7.16 release
- [Security] Address a few crashes and memory leaks in HTTP/3 implementation.
- [Security] Address CVE-2022-0072, CVE-2022-0073 and CVE-2022-0074 with 1.7.16.1 update.
- [Improvement] Add support for vhost strict ownership validation.
- [Improvement] Add pagination for long pages generated by auto index.
- [Bug Fix] Block request header "transfer-encoding: chunked" for HTTP/2 and HTTP/3.
- [Bug Fix] Correctly handle "next" flag in rewrite rule parser.
- [Bug Fix] Address a few random crashes.
Version 1.7.15 release
- [Security] Fix a dynamic linking security issue, reported by RACK911.
- [Bug Fix] Correct a few minor cache engine issues.
- [Bug Fix] "Force Strict Ownership" feature now works as expected.
- [Bug Fix] Address Bubblewrap integration issues.
- [Bug Fix] Address an issue with including the same configuration file multiple times.
- [Improvement] New directory auto indexing script.
Version 1.7.14 release
- [Bug Fix] Update libmodsecurity from v3.0.4 to v3.0.5.
- [Bug Fix] Address a crash in handling range requests to files without a suffix (introduced in OLS v1.7.12).
- [Bug Fix] Address a corner case that breaks POST requests without a content length header for HTTP/2 or QUIC streams.
- [Bug Fix] Address a crash in QUIC.cloud IP fetching code (introduced in OLS v1.7.13).
Version 1.7.13 release
- [New Feature] Auto whitelist QUIC.cloud and Cloudflare IPs.
- [New Feature] Auto whitelist local IP.
- [Bug Fix] Address random 500 responses when serving cached pages.
- [Bug Fix] Do not send "Content-type" header for static files without a filename suffix.
- [Bug Fix] Cleanup admin.sock.* automatically.