Skip to content

Releases: litespeedtech/openlitespeed

Block hacking attempts, support QUIC stream priority, improve Ruby application compatibility

28 Oct 17:04
Compare
Choose a tag to compare

[Security] Block "litespeed_role" cookie used for hacking LSCWP.
[Improvement] Move OSCP cache, status and rtreport to SHM location to reduce disk wearing.
[Improvement] Add support for QUIC stream priority.
[Bug Fix] Make Ruby application compatible with Ruby 3.3 and Rails 7.2
[Bug Fix] Fix per IP ACL and statistics.
[Bug Fix] More strict HTTP request validation.
[Bug Fix] Fix setting cookie via a rewrite rule.
[Bug Fix] Address issues in namespace and cgroup support.
[Misc] Update lsquic to v4.1.0 .
[Misc] Update libmodsecurity to v3.0.13 .

Proxy chunked encoding support, bug fixes to cache, nodejs, aio, cgroup and namespace

28 Mar 16:56
Compare
Choose a tag to compare
  • [Security] Fix chunked encoding + proxy related issues (thanks to @Skad0sh @ma1f0y @sayoojbkumar)
  • [Feature] Add request body chunked encoding support for proxy backend
  • [Bugfix] Fix excessive cache missing due to varying on cookie.
  • [Bugfix] Make nodejs helper script compatible with older nodejs versions.
  • [Bugfix] Minor fixes to namespace and cgroup support.
  • [Bugfix] Update lsquic to v4.0.8
  • [Bugfix] Fix crash in AIO code.

Strict header validation, defend HTTP/2 rapid reset, range request fix

01 Jan 23:31
Compare
Choose a tag to compare
  • [Security] More strict header validations
  • [Security] Detect HTTP/2 repaid reset attack and disable HTTP/2 for attacking IP.
  • [Improve] Update libmodsecurity to 3.0.11
  • [Bug Fix] Fix a HTTP/3 integration issue that causes high CPU usage.
  • [Bug Fix] Rewrite rule configured in parent directory is disabled due to an empty .htaccess.
  • [Bug Fix] Address a compatibility issue with Ruby application using Rack 3.0+.
  • [Bug Fix] Address issue in serving a HTTP range request.
  • [Bug Fix] Address range request download error.
  • [Bug Fix] Address PHP possible dead lock error.

Namespace, iouring, QUICv2, hCaptcha support and more

26 Feb 17:15
Compare
Choose a tag to compare
  • Linux Namespace container for resource isolation.
  • Asynchronous I/O via iouring, linux AIO and posix AIO.
  • Update HTTP3 with the latest QUICv2 support.
  • hCaptcha support for reCAPTCHA validation.
  • JSon real-time and status report.
  • Improved compatibility with MacOSX, FreeBSD.
  • Improved build.sh with optional module compilation.
  • Static link luajit 2.1 for mod_lua.
  • Other minor bug fixes.

Request header validation and mod_security update

21 Aug 22:12
Compare
Choose a tag to compare
  • [Security] Apply more strict request header validation.
  • [Security] Update libmodsecurity to v3.10.
  • [Tuning] Lift default memory limit for external applications.
  • [Improvement] Add private cache session cookie detection for WordPress.
  • [Bug Fix] Address bug in converting x-forwarded-scheme to x-forwarded-proto.

Version 1.7.17 release

21 Jun 01:41
Compare
Choose a tag to compare
  • [Security] Address request header smuggling over HTTP/2 and HTTP/3
  • [New Feature] Add support for ARM aarch64 platform.
  • [Bug Fix] Update lsquic to v3.2.0
  • [Bug Fix] Update libmodsecurity to v3.0.9
  • [Bug Fix] Address passing large request headers to PHP-FPM.
  • [Bug Fix] Properly detect when out of disk space using posix_fallocate().
  • [Bug Fix] Support bcrypt authentication hash format starting with "$2b$".
  • [Bug Fix] Other minor bug fixes.

Version 1.7.16 release

16 May 22:31
Compare
Choose a tag to compare
  • [Security] Address a few crashes and memory leaks in HTTP/3 implementation.
  • [Security] Address CVE-2022-0072, CVE-2022-0073 and CVE-2022-0074 with 1.7.16.1 update.
  • [Improvement] Add support for vhost strict ownership validation.
  • [Improvement] Add pagination for long pages generated by auto index.
  • [Bug Fix] Block request header "transfer-encoding: chunked" for HTTP/2 and HTTP/3.
  • [Bug Fix] Correctly handle "next" flag in rewrite rule parser.
  • [Bug Fix] Address a few random crashes.

Version 1.7.15 release

16 Feb 16:04
Compare
Choose a tag to compare
  • [Security] Fix a dynamic linking security issue, reported by RACK911.
  • [Bug Fix] Correct a few minor cache engine issues.
  • [Bug Fix] "Force Strict Ownership" feature now works as expected.
  • [Bug Fix] Address Bubblewrap integration issues.
  • [Bug Fix] Address an issue with including the same configuration file multiple times.
  • [Improvement] New directory auto indexing script.

Version 1.7.14 release

07 Sep 21:05
Compare
Choose a tag to compare
  • [Bug Fix] Update libmodsecurity from v3.0.4 to v3.0.5.
  • [Bug Fix] Address a crash in handling range requests to files without a suffix (introduced in OLS v1.7.12).
  • [Bug Fix] Address a corner case that breaks POST requests without a content length header for HTTP/2 or QUIC streams.
  • [Bug Fix] Address a crash in QUIC.cloud IP fetching code (introduced in OLS v1.7.13).

Version 1.7.13 release

19 Aug 18:23
Compare
Choose a tag to compare
  • [New Feature] Auto whitelist QUIC.cloud and Cloudflare IPs.
  • [New Feature] Auto whitelist local IP.
  • [Bug Fix] Address random 500 responses when serving cached pages.
  • [Bug Fix] Do not send "Content-type" header for static files without a filename suffix.
  • [Bug Fix] Cleanup admin.sock.* automatically.