Announcing:
LiteSpeed Web Server v6.0.12
In this release: HTTP/3 security fix, bug fixes, and more!
RELEASE LOG:
[Security] Address a few crashes and memory leaks in the HTTP/3 implementation.
[Security] Add stricter virtual host name validation in WebAdmin to address a potential XSS vulnerability.
[Improvement] Add server level control to return 404 or 403 when directory auto-index is disabled.
[Improvement] Better stale cache purge handling.
[Improvement] Add pagination for long auto indexed pages.
[Improvement] Support following ErrorDocument customizations in .htaccess for early stage internal errors.
[Tuning] Enable suEXEC for PHP 8.1 by default.
[Tuning] Do not enable cPanel HTTP server monitoring in update script.
[Tuning] Adjust internal shell scripts for better Ubuntu compatibility.
[Bug Fix] Address broken alt-python application caused by the new way virtualenv was built.
[Bug Fix] Address broken vhost level mod_security configuration.
[Bug Fix] Address random crashes in mod_security engine.
[Bug Fix] Address a rare multi-threaded mod_security engine race condition.
[Bug Fix] Add more validation checks to avoid accidentally killing a system process when stopping detached external application processes.
[Bug Fix] Improve auto index script to avoid calling function ini_set().
[Bug Fix] Address crashes in ESI/SSI engine.
[Bug Fix] Address POST cache issues.
[Bug Fix] Block request header "transfer-encoding: chunked" for HTTP/2 and HTTP/3.
[Bug Fix] Enforce HTTP authentication for OPTIONS requests.
https://www.litespeedtech.com/products/litespeed-web-server/release-log
Please remember, there may be some delay between this announcement and the ability to auto-update. If you don't want to wait, you can update manually via the following command: `/usr/local/lsws/admin/misc/lsup.sh -f -v 6.0.12`
Cheers!
Thursday, May 12, 2022