OpenLiteSpeed v1.4.50 Now Available

Status
Not open for further replies.

lskagan

Administrator
#1
Announcing:
OpenLiteSpeed v1.4.50

In this release: Addressed HTTP/2 DoS advisories, bug fixes, and more!

RELEASE LOG:
Core
--------
[Security] Addressed recent HTTP/2 DoS advisories (https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md). Fixed CVE-2019-9512 "Ping Flood", CVE-2019-9515 "Settings Flood", CVE-2019-9516 "0-Length Headers Leak", and CVE-2019-9518 "Empty Frames Flood" vulnerabilities. Completely blocks unaffected attacks: CVE-2019-9511 "Data Dribble", CVE-2019-9513 "Resource Loop", CVE-2019-9514 "Reset Flood", and CVE-2019-9517 "Internal Data Buffering".
[Improvement] Added support for HTTP response code 413: response is larger than defined max dynamic response length.
[Improvement] Updated install.sh script to make it compatible with FreeBSD.
[Bug Fix] Fixed a dllibmodsecurity.sh bug that was causing module modsecurity to fail to build on some operating systems.
[Bug Fix] Fixed a bug that caused the server to return a 404 response code, instead of a 403 response code, when a file had a permission issue.
[Bug Fix] Fixed "empty response" bug when serving responses larger than 2GB.
[Bug Fix] Fixed an autoLoadHtaccess bug in automatically created contexts where only the first level sub-directory of a Vhost would be loaded.
[Bug Fix] Fixed a bug when attempting to get new directory paths when automatically adding missing contexts.
[Bug Fix] Fixed a forcedType bug causing extApps to always use server level settings regardless of VHost level settings.
[Bug Fix] Fixed a REMOTE_ADDR env bug for IPv6 that caused roundcube errors.

WebAdmin
--------
[Security] Updated jQuery library from version 2.1.1 to 2.2.4, addressing a cross-site scripting vulnerability present in the earlier version.

https://openlitespeed.org/release-log/

Cheers!
 