lighttpd-1.4.76-bp156.1.2

- update to 1.4.76:
  * detect VU#421644 HTTP/2 CONTINUATION Flood
  * issue trace and send GO_AWAY
  * tarball is now more reproducible and verifiable

- update to 1.4.75:
  * incrementally stronger TLS cipher defaults
  * fix a regression in mod_dirlisting in lighttpd 1.4.74
  * add missing file src/compat/sys/queue.h to the release tarball
- packaging changes upon notes by the upstream developers:
  * drop usage of lightytest.sh and PHP dependencies
  * drop unneeeded build dependencies and build options
  * drop non-default BZIP2 support
  * update description of -mod_webdav

- update to 1.4.74:
  * Some messages sent to syslog() (if enabled in lighttpd config)
    have been changed to use different priorities (e.g.
    LOG_WARNING, LOG_DEBUG) instead of everything being sent with
    LOG_ERROR priority. The change affects only lighttpd configs
    which set server.errorlog-use-syslog = “enable” (not default)
  * Other bug fixes

- fix user/group with rpm 4.19 (boo#1219549)

- update to 1.4.73:
  * CVE-2023-44487: HTTP/2 detect and log rapid reset attack
    (boo#1216123)

- update to 1.4.72:
  * a number of buf fixes and developer visible changes

- update to 1.4.71:
  * HTTP/2 support separated to mod_h2 module

- update to 1.4.70:
  * speed up CGI spawning
  * support HTTP/2 downstream proxy serving multiple clients on
    single connection (mod_extforward, mod_maxminddb)
  * no longer building separate modules for built-in modules
    lighttpd omits building separate (unused) modules for:
    mod_access mod_alias mod_evhost mod_expire mod_fastcgi
    mod_indexfile mod_redirect mod_rewrite mod_scgi mod_setenv
    mod_simple_vhost mod_staticfile

- update to 1.4.69:
  * bug fixes and portability fixes

- update to 1.4.68:
  * TLS modules now default to using stronger, modern ciphers and
    will default to allow client preference in selecting ciphers.
    Allowing client preference in selecting ciphers is safe to do along
    with restrictions to use modern ciphers supporting PFS, and is
    better for mobile users without AES hardware acceleration.
    Legacy ciphers can still be configured in lighttpd.conf using
    `ssl.openssl.ssl-conf-cmd`, as long as the ciphers are supported by
    the underlying TLS libraries. https://wiki.lighttpd.net/Docs_SSL
    new defaults:
    “CipherString” => “EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384”,
    “Options” => “-ServerPreference”
    old defaults:
    “CipherString” => “HIGH”,
    “Options” => “ServerPreference”
  * Deprecated TLS options have been removed.
    – ssl.honor-cipher-order
    – ssl.dh-file
    – ssl.ec-curve
    – ssl.disable-client-renegotiation
    – ssl.use-sslv2
    – ssl.use-sslv3
    See https://wiki.lighttpd.net/Docs_SSL for replacements with
    `ssl.openssl.ssl-conf-cmd`, but prefer lighttpd defaults instead.
  * Deprecated: mod_evasive has been removed
  * Deprecated: mod_secdownload has been removed
  * Deprecated: mod_uploadprogress has been removed
  * Deprecated: mod_usertrack has been removed
    These four modules can be replaced with a few lines of LUA.

- package license file

- build with php8 on current releases

- Remove deprecated GeoIP support (bsc#1156198)
  * drop mod_geoip subpackage

- update to 1.4.67:
  * Update comment about TCP_INFO on OpenBSD
  * [mod_ajp13] fix crash with bad response headers (fixes #3170)
  * [core] handle RDHUP when collecting chunked body
    CVE-2022-41556 boo#1203872
  * [core] tweak streaming request body to backends
  * [core] handle ENOSPC with pwritev() (#3171)
  * [core] manually calculate off_t max (fixes #3171)
  * [autoconf] force large file support (#3171)
  * [multiple] quiet coverity warnings using casts
  * [meson] add license keyword to project declaration

- update to 1.4.66:
  * a number of bug fixes
  * Fix HTTP/2 downloads >= 4GiB
  * Fix SIGUSR1 graceful restart with TLS
  * futher bug fixes
  * CVE-2022-37797: null pointer dereference in mod_wstunnel,
    possibly a remotely triggerable crash (boo#1203358)
  * In an upcoming release the TLS modules will default to using
    stronger, modern chiphers and will default to allow client
    preference in selecting ciphers.
    “CipherString” => “EECDH+AESGCM:AES256+EECDH:CHACHA20:SHA256:!SHA384”,
    “Options” => “-ServerPreference”
    old defaults:
    “CipherString” => “HIGH”,
    “Options” => “ServerPreference”
  * A number of TLS options are how deprecated and will be removed
    in a future release:
    – ssl.honor-cipher-order
    – ssl.dh-file
    – ssl.ec-curve
    – ssl.disable-client-renegotiation
    – ssl.use-sslv2
    – ssl.use-sslv3
    The replacement option is ssl.openssl.ssl-conf-cmd, but lighttpd
    defaults should be prefered
  * A number of modules are now deprecated and will be removed in a
    future release: mod_evasive, mod_secdownload, mod_uploadprogress,
    mod_usertrack can be replaced by mod_magnet and a few lines of lua.

- update to 1.4.65:
  * WebSockets over HTTP/2
  * RFC 8441 Bootstrapping WebSockets with HTTP/2
  * HTTP/2 PRIORITY_UPDATE
  * RFC 9218 Extensible Prioritization Scheme for HTTP
  * prefix/suffix conditions in lighttpd.conf
  * mod_webdav safe partial-PUT
  * webdav.opts += (“partial-put-copy-modify” => “enable”)
  * mod_accesslog option: accesslog.escaping = “json”
  * mod_deflate libdeflate build option
  * speed up request body uploads via HTTP/2
  * Behavior Changes
  * change default server.max-keep-alive-requests = 1000 to adjust
  * to increasing HTTP/2 usage and to web2/web3 application usage
  * (prior default was 100)
  * mod_status HTML now includes HTTP/2 control stream id 0 in the output
  * which contains aggregate counts for the HTTP/2 connection
  * (These lines can be identified with URL ‘*’, part of “PRI *” preface)
  * alternative: https://wiki.lighttpd.net/ModMagnetExamples#lua-mod_status
  * MIME type application/javascript is translated to text/javascript (RFC 9239)

- Set ProtectHome to read-only, otherwise access to the users public_html can
  break (bsc#1195465)

- update to 1.4.64:
  * CVE-2022-22707: off-by-one stack overflow in the mod_extforward
    plugin (boo#1194376)
  * graceful restart/shutdown timeout changed from 0 (disabled) to
    8 seconds. configure an alternative with:
    server.feature-flags += (“server.graceful-shutdown-timeout” => 8)
  * deprecated modules (previously announced) have been removed:
    mod_authn_mysql, mod_mysql_vhost, mod_cml, mod_flv_streaming,
    mod_geoip, mod_trigger_b4_dl

- update to 1.4.63:
  * import xxHash v0.8.1
  * fix reqpool mem corruption in 1.4.62
- includes changes in 1.4.62:
  * [mod_alias] fix use-after-free bug
  * many developer visible bug fixes
- build with pcre2 and without libev, as per upcoming deprecation

- update to 1.4.61:
  * mod_dirlisting: sort "../" to top
  * fix HTTP/2 upload > 64k w/ max-request-size
  * code level and developer visible bug fixes

- update to 1.4.60:
  * HTTP/2 smoother and lower memory use (in general)
  * HTTP/2 tuning to better handle aggressive client initial
    requests
  * reduce memory footprint; workaround poor glibc behavior;
    jemalloc is better
  * mod_magnet lua performance improvements
  * mod_dirlisting performance improvements and new caching option
  * memory constraints for extreme edge cases in mod_dirlisting,
    mod_ssi, mod_webdav
  * connect(), write(), read() time limits on backends (separate
    from client timeouts)
  * lighttpd restarts if large discontinuity in time occurs
    (embedded systems)
  * RFC7233 Range support for all non-streaming responses, not
    only static files
  * connect() to backend now has default 8 second timeout
    (configurable)

- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
  * harden_lighttpd.service.patch

- Fix squatted descriptions.

- update to 1.4.59:
  * HTTP/2 enabled by default
  * mod_deflate zstd suppport
  * new mod_ajp13

- Update to 1.4.58:
  * [mod_wolfssl] use wolfSSL TLS version defines
  * [mod_wolfssl] compile with earlier wolfSSL vers
  * [core] prefer IPv6+IPv4 func vs IPv4-specific func
  * [core] reuse large mem chunks (fix mem usage) (fixes #3033)
  * [core] add comment for FastCGI mem use in hctx->rb (#3033)
  * [mod_proxy] fix sending of initial reqbody chunked
  * [multiple] fdevent_waitpid() wrapper
  * [core] sys-time.h - localtime_r,gmtime_r macros
  * [core] http_date.[ch] encapsulate HTTP-date parse
  * [core] specialized strptime() for HTTP date fmts
  * [multiple] employ http_date.h, sys-time.h
  * [core] http_date_timegm() (portable timegm())
  * buffer_append_path_len() to join paths
  * [core] inet_ntop_cache -> sock_addr_cache
  * [multiple] etag.[ch] -> http_etag.[ch]; better imp
  * [core] fix crash after specific err in config file
  * [core] fix bug in FastCGI uploads (#3033)
  * [core] http_response_match_if_range()
  * [mod_webdav] typedef off_t loff_t for FreeBSD
  * [multiple] chunkqueue_write_chunk()
  * [build] add GNUMAKEFLAGS=--no-print-directory
  * [core] fix bug in read retry found by coverity
  * [core] attempt to quiet some coverity warnings
  * [mod_webdav] compile fix for Mac OSX/11
  * [core] handle U+00A0 in config parser
  * [core] fix lighttpd -1 one-shot with pipes
  * [core] quiet start/shutdown trace in one-shot mode
  * [core] allow keep-alives in one-shot mode (#3042)
  * [mod_webdav] define _ATFILE_SOURCE if AT_FDCWD
  * [core] setsockopt IPV6_V6ONLY if server.v4mapped
  * [core] prefer inet_aton() over inet_addr()
  * [core] add missing mod_wolfssl to ssl compat list
  * [mod_openssl] remove ancient preprocessor logic
  * [core] SHA512_Init, SHA512_Update, SHA512_Final
  * [mod_wolfssl] add complex preproc logic for SNI
  * [core] wrap a macro value with parens
  * [core] fix handling chunked response from backend (fixes #3044)
  * [core] always set file.fd = -1 on FILE_CHUNK reset (fixes #3044)
  * [core] skip some trace if backend Upgrade (#3044)
  * [TLS] cert-staple.sh POSIX sh compat (fixes #3043)
  * [core] portability fix if st_mtime not defined
  * [mod_nss] portability fix
  * [core] warn if mod_authn_file needed in conf
  * [core] fix chunked decoding from backend (fixes #3044)
  * [core] reject excess data after chunked encoding (#3046)
  * [core] track chunked encoding state from backend (fixes #3046)
  * [core] li_restricted_strtoint64()
  * [core] track Content-Length from backend (fixes #3046)
  * [core] enhance config parsing debugging (#3047)
  * [core] reorder srv->config_context to match ndx (fixes #3047)
  * [mod_proxy] proxy.header = ("force-http10" => ...)
  * [mod_authn_ldap] fix crash (fixes #3048)
  * [mod_authn_ldap, mod_vhostdb_ldap] default cafile
  * [core] fix array_copy_array() sorted[]
  * [multiple] replace fall through comment with attr
  * [core] fix crash printing trace if backend is down
  * [core] fix decoding chunked from backend (fixes #3049)
  * [core] attempt to quiet some coverity warnings
  * [core] perf: request processing
  * [core] http_header_str_contains_token()
  * [mod_flv_streaming] parse query string w/o copying
  * [mod_evhost] use local array to split values
  * [core] remove srv->split_vals
  * [core] add User-Agent to http_header_e enum
  * [core] store struct server * in struct connection
  * [core] use func rc to indicate done reading header
  * [core] replace connection_set_state w/ assignment
  * [core] do not pass srv to http header parsing func
  * [core] cold buffer_string_prepare_append_resize()
  * [core] chunkqueue_compact_mem()
  * [core] connection_chunkqueue_compact()
  * [core] pass con around request, not srv and con
  * [core] reduce use of struct parse_header_state
  * [core] perf: HTTP header parsing using \n offsets
  * [core] no need to pass srv to connection_set_state
  * [core] perf: connection_read_header_more()
  * [core] perf: connection_read_header_hoff() hot
  * [core] inline connection_read_header()
  * [core] pass ptr to http_request_parse()
  * [core] more 'const' in request.c prototypes
  * [core] handle common case of alnum or - field-name
  * [mod_extforward] simplify code: use light_isxdigit
  * [core] perf: array.c performance enhancements
  * [core] mark some data_* funcs cold
  * [core] http_header.c internal inline funcs
  * [core] remove unused array_reset()
  * [core] prefer uint32_t to size_t in base.h
  * [core] uint32_t for struct buffer sizes
  * [core] remove unused members of struct server
  * [core] short-circuit path to clear request.headers
  * [core] array keys are non-empty in key-value list
  * [core] keep a->data[] sorted; remove a->sorted[]
  * [core] __attribute_returns_nonnull__
  * [core] differentiate array_get_* for ro and rw
  * [core] (const buffer *) in (struct burl_parts_t)
  * [core] (const buffer *) for con->server_name
  * [core] perf: initialize con->conf using memcpy()
  * [core] run config_setup_connection() fewer times
  * [core] isolate data_config.c, vector.c
  * [core] treat con->conditional_is_valid as bitfield
  * [core] http_header_hkey_get() over const array
  * [core] inline buffer as part of DATA_UNSET key
  * [core] inline buffer key for *_patch_connection()
  * [core] (data_unset *) from array_get_element_klen
  * [core] inline buffer as part of data_string value
  * [core] add const to callers of http_header_*_get()
  * [core] inline array as part of data_array value
  * [core] const char *op in data_config
  * [core] buffer string in data_config
  * [core] streamline config_check_cond()
  * [core] keep a->data[] sorted (REVERT)
  * [core] array a->sorted[] as ptrs rather than pos
  * [core] inline header and env arrays into con
  * [mod_accesslog] avoid alloc for parsing cookie val
  * [core] simpler config_check_cond()
  * [mod_redirect,mod_rewrite] store context_ndx
  * [core] const char *name in struct plugin
  * [core] srv->plugin_slots as compact list
  * [core] rearrange server_config, server members
  * [core] macros CONST_LEN_STR and CONST_STR_LEN
  * [core] struct plugin_data_base
  * [core] improve condition caching perf
  * [core] config_plugin_values_init() new interface
  * [mod_access] use config_plugin_values_init()
  * [core] (const buffer *) from strftime_cache_get()
  * [core] mv config_setup_connection to connections.c
  * [core] use (const char *) in config file parsing
  * [mod_staticfile] use config_plugin_values_init()
  * [mod_skeleton] use config_plugin_values_init()
  * [mod_setenv] use config_plugin_values_init()
  * [mod_alias] use config_plugin_values_init()
  * [mod_indexfile] use config_plugin_values_init()
  * [mod_expire] use config_plugin_values_init()
  * [mod_flv_streaming] use config_plugin_values_init()
  * [mod_magnet] use config_plugin_values_init()
  * [mod_usertrack] use config_plugin_values_init()
  * [mod_userdir] split policy from userdir path build
  * [mod_userdir] use config_plugin_values_init()
  * [mod_ssi] use config_plugin_values_init()
  * [mod_uploadprogress] use config_plugin_values_init()
  * [mod_status] use config_plugin_values_init()
  * [mod_cml] use config_plugin_values_init()
  * [mod_secdownload] use config_plugin_values_init()
  * [mod_geoip] use config_plugin_values_init()
  * [mod_evasive] use config_plugin_values_init()
  * [mod_trigger_b4_dl] use config_plugin_values_init()
  * [mod_accesslog] use config_plugin_values_init()
  * [mod_simple_vhost] use config_plugin_values_init()
  * [mod_evhost] use config_plugin_values_init()
  * [mod_vhostdb*] use config_plugin_values_init()
  * [mod_mysql_vhost] use config_plugin_values_init()
  * [mod_maxminddb] use config_plugin_values_init()
  * [mod_auth*] use config_plugin_values_init()
  * [mod_deflate] use config_plugin_values_init()
  * [mod_compress] use config_plugin_values_init()
  * [core] add xsendfile* check if xdocroot is NULL
  * [mod_cgi] use config_plugin_values_init()
  * [mod_dirlisting] use config_plugin_values_init()
  * [mod_extforward] use config_plugin_values_init()
  * [mod_webdav] use config_plugin_values_init()
  * [core] store addtl data in pcre_keyvalue_buffer
  * [mod_redirect] use config_plugin_values_init()
  * [mod_rewrite] use config_plugin_values_init()
  * [mod_rrdtool] use config_plugin_values_init()
  * [multiple] gw_backends config_plugin_values_init()
  * [core] config_get_config_cond_info()
  * [mod_openssl] use config_plugin_values_init()
  * [core] use config_plugin_values_init()
  * [core] collect more config logic into configfile.c
  * [core] config_plugin_values_init_block()
  * [core] gw_backend config_plugin_values_init_block
  * [core] remove old config_insert_values_*() funcs
  * [multiple] plugin.c handles common FREE_FUNC code
  * [core] run all trigger and sighup handlers
  * [mod_wstunnel] change DEBUG_LOG to use log_error()
  * [core] stat_cache_path_contains_symlink use errh
  * [core] isolate use of data_config, configfile.h
  * [core] split cond cache from cond matches
  * [mod_auth] inline arrays in http_auth_require_t
  * [core] array_init() arg for initial size
  * [core] gw_exts_clear_check_local()
  * [core] gw_backend less pointer chasing
  * [core] connection_handle_errdoc() separate func
  * [multiple] prefer (connection *) to (srv *)
  * [core] create http chunk header on the stack
  * [multiple] connection hooks no longer get (srv *)
  * [multiple] plugin_stats array
  * [core] read up-to fixed size chunk before fionread
  * [core] default chunk size 8k (was 4k)
  * [core] pass con around gw_backend instead of srv
  * [core] log_error_multiline_buffer()
  * [multiple] reduce direct use of srv->cur_ts
  * [multiple] extern log_epoch_secs
  * [multiple] reduce direct use of srv->errh
  * [multiple] stat_cache singleton
  * [mod_expire] parse config into structured data
  * [multiple] generic config array type checking
  * [multiple] rename r to rc rv rd wr to be different
  * [core] (minor) config_plugin_keys_t data packing
  * [core] inline buffer in log_error_st errh
  * [multiple] store srv->tmp_buf in tb var
  * [multiple] quiet clang compiler warnings
  * [core] http_status_set_error_close()
  * [core] http_request_host_policy w/ http_parseopts
  * [multiple] con->proto_default_port
  * [core] store log filename in (log_error_st *)
  * [core] separate log_error_open* funcs
  * [core] fdevent uses uint32_t instead of size_t
  * [mod_webdav] large buffer reuse
  * [mod_accesslog] flush file log buffer at 8k size
  * [core] include settings.h where used
  * [core] static buffers for mtime_cache
  * [core] convenience macros to check req methods
  * [core] support multiple error logs
  * [multiple] omit passing srv to fdevent_handler
  * [core] remove unused arg to fdevent_fcntl_set_nb*
  * [core] slightly simpify server_(over)load_check()
  * [core] isolate fdevent subsystem
  * [core] isolate stat_cache subsystem
  * [core] remove include base.h where unused
  * [core] restart dead piped loggers every 64 sec
  * [mod_webdav] use copy_file_range() if available
  * [core] perf: buffer copy and append
  * [core] copy some srv->srvconf into con->conf
  * [core] move keep_alive flag into request_st
  * [core] pass scheme port to http_request_parse()
  * [core] pass http_parseopts around request.c
  * [core] rename specific_config to request_config
  * [core] move request_st,request_config to request.h
  * [core] pass (request_st *) to request.c funcs
  * [core] remove unused request_st member 'request'
  * [core] rename content_length to reqbody_length
  * [core] t/test_request.c using (request_st *)
  * [core] (const connection *) in http_header_*_get()
  * [mod_accesslog] log_access_record() fmt log record
  * [core] move request start ts into (request_st *)
  * [core] move addtl request-specific struct members
  * [core] move addtl request-specific struct members
  * [core] move plugin_ctx into (request_st *)
  * [core] move addtl request-specific struct members
  * [core] move request state into (request_st *)
  * [core] store (plugin *) in p->data
  * [core] store subrequest_handler instead of mode
  * [multiple] copy small struct instead of memcpy()
  * [multiple] split con, request (very large change)
  * [core] r->uri.path always set, though might be ""
  * [core] C99 restrict on some base funcs
  * [core] dispatch handler in handle_request func
  * [core] http_request_parse_target()
  * [mod_magnet] modify r->target with "uri.path-raw"
  * [core] remove r->uri.path_raw; generate as needed
  * [core] http_response_comeback()
  * [core] http_response_config()
  * [tests] use buffer_eq_slen() for str comparison
  * [core] http_status_append() short-circuit 200 OK
  * [core] mark some chunk.c funcs as pure
  * [core] use uint32_t in http_header.[ch]
  * [core] perf: tighten some code in some hot paths
  * [core] parse header label before end of line
  * [mod_auth] "nonce_secret" option to validate nonce (fixes #2976)
  * [build] fix build on MacOS X Tiger
  * [doc] lighttpd.conf: lighttpd choose event-handler
  * [config] blank server.tag if whitespace-only
  * [mod_proxy] stream request using HTTP/1.1 chunked (fixes #3006)
  * [multiple] correct misspellings in comments
  * [multiple] fix some cc warnings in 32-bit, powerpc
  * [tests] fix skip count in mod-fastcgi w/o php-cgi
  * [multiple] ./configure --with-nettle to use Nettle
  * [core] skip excess close() when FD_CLOEXEC defined
  * [mod_cgi] remove redundant calls to set FD_CLOEXEC
  * [core] return EINVAL if stat_cache_get_entry w/o /
  * [mod_webdav] define PATH_MAX if not defined
  * [mod_accesslog] process backslash-escapes in fmt
  * [mod_openssl] disable cert vrfy if ALPN acme-tls/1
  * [core] add seed before openssl RAND_pseudo_bytes()
  * [mod_mbedtls] mbedTLS option for TLS
  * [core] prefer getxattr() instead of get_attr()
  * [multiple] use *(unsigned char *) with ctypes
  * [mod_openssl] do not log ECONNRESET unless debug
  * [mod_openssl] SSL_R_UNEXPECTED_EOF_WHILE_READING
  * [mod_gnutls] GnuTLS option for TLS (fixes #109)
  * [mod_openssl] rotate session ticket encryption key
  * [mod_openssl] set cert from callback in 1.0.2+ (fixes #2842)
  * [mod_openssl] set chains from callback in 1.0.2+ (#2842)
  * [core] RFC-strict parse of Content-Length
  * [build] point ./configure --help to support forum
  * [core] stricter parse of numerical digits
  * [multiple] add summaries to top of some modules
  * [core] sys-crypto-md.h w/ inline message digest fn
  * [mod_openssl] enable read-ahead, if set, after SNI
  * [mod_openssl] issue warning for deprecated options
  * [mod_openssl] use SSL_OP_NO_RENEGOTIATION if avail
  * [mod_openssl] use openssl feature define for ALPN
  * [mod_openssl] update default DH params
  * [core] SecureZeroMemory() on _WIN32
  * [core] safe memset calls memset() through volatile
  * [doc] update comments in doc/config/modules.conf
  * [core] more precise check for request stream flags
  * [mod_openssl] rotate session ticket encryption key
  * [mod_openssl] ssl.stek-file to specify encrypt key
  * [mod_mbedtls] ssl.stek-file to specify encrypt key
  * [mod_gnutls] ssl.stek-file to specify encrypt key
  * [mod_openssl] disable session cache; prefer ticket
  * [mod_openssl] compat with LibreSSL
  * [mod_openssl] compat with WolfSSL
  * [mod_openssl] set SSL_OP_PRIORITIZE_CHACHA
  * [mod_openssl] move SSL_CTX curve conf to new func
  * [mod_openssl] basic SSL_CONF_cmd for alt TLS libs
  * [mod_openssl] OCSP stapling (fixes #2469)
  * [TLS] cert-staple.sh - refresh OCSP responses (#2469)
  * [mod_openssl] compat with BoringSSL
  * [mod_gnutls] option to override GnuTLS priority
  * [mod_gnutls] OCSP stapling (#2469)
  * [mod_extforward] config warning for module order
  * [mod_webdav] store webdav.opts as bitflags
  * [mod_webdav] limit webdav_propfind_dir() recursion
  * [mod_webdav] unsafe-propfind-follow-symlink option
  * [mod_webdav] webdav.opts "propfind-depth-infinity"
  * [mod_openssl] detect certs marked OCSP Must-Staple
  * [mod_gnutls] detect certs marked OCSP Must-Staple
  * [mod_openssl] default to set MinProtocol TLSv1.2
  * [mod_nss] NSS option for TLS (fixes #1218)
  * [core] fdevent_load_file() shared code
  * [mod_openssl,mbedtls,gnutls,nss] fdevent_load_file
  * [core] error if s->socket_perms chmod() fails
  * [mod_openssl] prefer some WolfSSL native APIs
  * quiet clang analyzer scan-build warnings
  * [core] uint32_t is plenty large for path names
  * [mod_mysql_vhost] deprecated; use mod_vhostdb_mysql
  * [core] splaytree_djbhash() in splaytree.h (reuse)
  * [cmake] update deps for src/t/test_*
  * [cmake] update deps for src/t/test_*
  * [build] remove tests/mod-userdir.t from builds
  * [build] fix typo in src/Makefile.am EXTRA_DIST
  * [core] remove unused mbedtls_enabled flag
  * [core] store fd in srv->stdin_fd during setup
  * [multiple] address coverity warnings
  * [mod_webdav] fix theoretical NULL dereference
  * [mod_webdav] update rc for PROPFIND allprop
  * [mod_webdav] build fix: ifdef live_properties
  * [multiple] address coverity warnings
  * [meson] fix libmariadb dependency
  * [meson] add missing libmaxminddb section
  * [mod_auth,mod_vhostdb] add caching option (fixes #2805)
  * [mod_authn_ldap,mod_vhostdb_ldap] add timeout opt (#2805)
  * [mod_auth] accept "nonce-secret" & "nonce_secret"
  * [mod_openssl] fix build warnings on MacOS X
  * [core] Nettle assert()s if buffer len > digest sz
  * [mod_authn_dbi] authn backend employing DBI
  * [mod_authn_mysql,file] use crypt() to save stack
  * [mod_vhostdb_dbi] allow strings and ints in config
  * add ci-build.sh
  * move ci-build.sh to scripts
  * [build] build fixes for AIX
  * [mod_deflate] Brotli support
  * [build] bzip2 default to not-enabled in build
  * [mod_deflate] fix typo in config option
  * [mod_deflate] propagate errs from internal funcs
  * [mod_deflate] deflate.cache-dir compressed cache
  * [mod_deflate] mod_deflate subsumes mod_compress
  * [doc] mod_compress -> mod_deflate
  * [tests] mod_compress -> mod_deflate
  * [mod_compress] remove mod_compress
  * [build] add --with-brotli to CI build
  * [core] server.feature-flags extensible config
  * [core] con layer plugin_ctx separate from request
  * [multiple] con hooks store ctx in con->plugin_ctx
  * [core] separate funcs to reset (request_st *)
  * [multiple] rename connection_reset hook to request
  * [mod_nss] func renames for consistency
  * [core] detect and reject TLS connect to cleartext
  * [mod_deflate] quicker check for Content-Encoding
  * [mod_openssl] read secret data w/ BIO_new_mem_buf
  * [core] decode Transfer-Encoding: chunked from gw
  * [mod_fastcgi] decode Transfer-Encoding: chunked
  * [core] stricter parsing of POST chunked block hdr
  * [mod_proxy] send HTTP/1.1 requests to backends
  * [tests] test_base64.c clear buf vs reset
  * [core] http_header_remove_token()
  * [mod_webdav] fix inadvertent string truncation
  * [core] add some missing standard includes
  * [mod_extforward] attempt to quiet Coverity warning
  * [mod_authn_dbi,mod_authn_mysql] fix coverity issue
  * scons: fix check environment
  * Add avahi service file under doc/avahi/
  * [mod_webdav] fix fallback if linkat() fails
  * [mod_proxy] do not forward Expect: 100-continue
  * [core] chunkqueue_compact_mem() must upd cq->last
  * [core] dlsym for FAMNoExists() for compat w/ fam
  * [core] disperse settings.h to appropriate headers
  * [core] inline buffer_reset()
  * [mod_extforward] save proto per connection
  * [mod_extforward] skip after HANDLER_COMEBACK
  * [core] server.feature-flags to enable h2
  * [core] HTTP_VERSION_2
  * [multiple] allow TLS ALPN "h2" if "server.h2proto"
  * [mod_extforward] preserve changed addr for h2 con
  * [core] do not send Connection: close if h2
  * [core] lowercase response hdr field names for h2
  * [core] recognize status: 421 Misdirected Request
  * [core] parse h2 pseudo-headers
  * [core] request_headers_process()
  * [core] connection_state_machine_loop()
  * [core] reset connection counters per connection
  * [mod_accesslog,mod_rrdtool] HTTP/2 basic accounting
  * [core] connection_set_fdevent_interest()
  * [core] HTTP2-Settings
  * [core] adjust http_request_headers_process()
  * [core] http_header_parse_hoff()
  * [core] move http_request_headers_process()
  * [core] reqpool.[ch] for (request_st *)
  * [multiple] modules read reqbody via fn ptr
  * [multiple] isolate more con code in connections.c
  * [core] isolate more resp code in response.c
  * [core] h2.[ch] with stub funcs (incomplete)
  * [core] alternate between two joblists
  * [core] connection transition to HTTP/2; incomplete
  * [core] mark some error paths with attribute cold
  * [core] discard 100 102 103 responses from backend
  * [core] skip write throttle for 100 Continue
  * [core] adjust (disabled) debug code
  * [core] update comment
  * [core] link in ls-hpack (EXPERIMENTAL)
  * [core] HTTP/2 HPACK using LiteSpeed ls-hpack
  * [core] h2_send_headers() specialized for resp hdrs
  * [core] http_request_parse_header() specialized
  * [core] comment possible future ls-hpack optimize
  * [mod_status] separate funcs to print request table
  * [mod_status] adjust to print HTTP/2 requests
  * [core] redirect to dir using relative-path
  * [core] ignore empty field-name from backends
  * [mod_auth] fix crash if auth.require misconfigured (fixes #3023)
  * [core] fix 1-char trunc of default server.tag
  * [core] request_acquire(), request_release()
  * [core] keep pool of (request_st *) for HTTP/2
  * [mod_status] dedicated funcs for r->state labels
  * [core] move connections_get_state to connections.c
  * [core] fix crash on master after graceful restart
  * [core] defer optimization to read small files
  * [core] do not require '\0' term for k,v hdr parse
  * [scripts] cert-staple.sh enhancements
  * [core] document algorithm used in lighttpd etag
  * [core] ls-hpack optimizations
  * [core] fix crash on master if blank line request
  * [core] use djbhash in gw_backend to choose host
  * [core] rename md5.[ch] to algo_md5.[ch]
  * [core] move djbhash(), dekhash() to algo_md.h
  * [core] rename splaytree.[ch] to algo_splaytree.[ch]
  * [core] import xxHash v0.8.0
  * [build] modify build, includes for xxHash v0.8.0
  * [build] remove ls-hpack/deps
  * [core] xxhash no inline hints; let compiler choose
  * [mod_dirlisting] fix config parsing crash
  * [mod_openssl] clarify trace w/ deprecated options
  * [doc] refresh doc/config/*/*
  * [core] code size: disable XXH64(), XXH3()
  * [doc] update README and INSTALL
  * [core] combine Cookie request headers with ';'
  * [core] log stream id with debug.log-state-handling
  * [core] set r->state in h2.c
  * [mod_ssi] update chunk after shell output redirect
  * [mod_webdav] preserve bytes_out when chunks merged
  * [multiple] inline chunkqueue_length()
  * [core] cold h2_log_response_header*() funcs
  * [core] update HTTP status codes list from IANA
  * [mod_wolfssl] standalone module
  * [core] Content-Length in http_response_send_file()
  * [core] adjust response header prep for common case
  * [core] light_isupper(), light_islower()
  * [core] tst,set,clr macros for r->{rqst,resp}_htags
  * [core] separate http_header_e from _htags bitmask
  * [core] http_header_hkey_get_lc() for HTTP/2
  * [core] array.[ch] using uint32_t instead of size_t
  * [core] extend (data_string *) to store header id
  * [multiple] extend enum http_header_e list
  * [core] http_header_e <=> lshpack_static_hdr_idx
  * [core] skip ls-hpack decode work unused by lighttpd
  * [TLS] error if inherit empty TLS cfg from globals
  * [core] connection_check_expect_100()
  * [core] support multiple 1xx responses from backend
  * [core] reload c after chunkqueue_compact_mem()
  * [core] relay 1xx from backend over HTTP/2
  * [core] relay 1xx from backend over HTTP/1.1
  * [core] chunkqueue_{peek,read}_data(), squash
  * [multiple] TLS modules use chunkqueue_peek_data()
  * [mod_magnet] magnet.attract-response-start-to
  * [multiple] code reuse chunkqueue_peek_data()
  * [core] reuse r->start_hp.tv_sec for r->start_ts
  * [core] config_plugin_value_tobool() accept "0","1"
  * [core] graceful and immediate restart option
  * [mod_ssi] init status var before waitpid()
  * [core] graceful shutdown timeout option
  * [core] lighttpd -1 supports pipes (e.g. netcat)
  * [core] perf adjustments to avoid load miss
  * [multiple] use sock_addr_get_family in more places
  * [multiple] inline chunkqueue where always alloc'd
  * [core] propagate state after writing
  * [core] server_run_con_queue()
  * [core] defer handling FDEVENT_HUP and FDEVENT_ERR
  * [core] handle unexpected EOF reading FILE_CHUNK
  * [core] short-circuit connection_write_throttle()
  * [core] walk queue in connection_write_chunkqueue()
  * [core] connection_joblist global
  * [core] be more precise checking streaming flags
  * [core] fdevent_load_file_bytes()
  * [TLS] use fdevent_load_file_bytes() for STEK file
  * [core] allow symlinks under /dev for rand devices
  * [multiple] use light_btst() for hdr existence chk
  * [mod_deflate] fix potential NULL deref in err case
  * [core] save errno around close() if fstat() fails
  * [mod_ssi] use stat_cache_open_rdonly_fstat()
  * [core] fdevent_dup_cloexec()
  * [core] dup FILE_CHUNK fd when splitting FILE_CHUNK
  * [core] stat_cache_path_isdir()
  * [multiple] use stat_cache_path_isdir()
  * [mod_mbedtls] quiet CLOSE_NOTIFY after conn reset
  * [mod_gnutls] quiet CLOSE_NOTIFY after conn reset
  * [core] limit num ranges in Range requests
  * [core] remove unused r->content_length
  * [core] http_response_parse_range() const file sz
  * [core] pass open fd to http_response_parse_range
  * [core] stat_cache_get_entry_open()
  * [core,mod_deflate] leverage cache of open fd
  * [doc] comment out config disabling Range for .pdf
  * [core] coalesce nearby ranges in Range requests
  * [mod_fastcgi] decode chunked is cold code path
  * [core] fix chunkqueue_compact_mem w/ partial chunk
  * [core] alloc optim reading file, sending chunked
  * [core] reuse chunkqueue_compact_mem*()
  * [mod_cgi] use splice() to send input to CGI
  * [multiple] ignore openssl 3.0.0 deprecation warns
  * [mod_openssl] migrate ticket cb to openssl 3.0.0
  * [mod_openssl] construct OSSL_PARAM on stack
  * [mod_openssl] merge ssl_tlsext_ticket_key_cb impls
  * [multiple] openssl 3.0.0 digest interface migrate
  * [tests] detect multiple SSL/TLS/crypto providers
  * [core] sys-crypto-md.h consistent interfaces
  * [wolfssl] wolfSSL_CTX_set_mode differs from others
  * [multiple] use NSS crypto if no other crypto avail
  * [multiple] stat_cache_path_stat() for struct st
  * [TLS] ignore empty "CipherString" in ssl-conf-cmd
  * [multiple] remove chunk file.start member
  * [core] modify use of getrlimit() to not be fatal
  * [mod_webdav] add missing update to cq accounting
  * [mod_webdav] update defaults after worker_init
  * [mod_openssl] use newer openssl 3.0.0 func
  * [core] config_plugin_value_to_int32()
  * [core] minimize pause during graceful restart
  * [mod_deflate] use large mmap chunks to compress
  * [core] stat_cache_entry reference counting
  * [core] FILE_CHUNK can hold stat_cache_entry ref
  * [core] http_chunk_append_file_ref_range()
  * [multiple] use http_chunk_append_file_ref()
  * [core] always lseek() with shared fd
  * [core] silence coverity warnings (false positives)
  * [core] silence coverity warnings in ls-hpack
  * [core] silence coverity warnings (another try)
  * [core] fix fd sharing when splitting file chunk
  * [mod_mbedtls] quiet unused variable warning
  * [core] use inline funcs in sys-crypto-md.h
  * [core] add missing declaration for NSS rand
  * [core] init NSS lib for basic crypto algorithms
  * [doc] change mod_compress refs to mod_deflate
  * [doc] replace bzip2 refs with brotli
  * [build] remove svnversion from versionstamp rule
  * [doc] /var/run -> /run
  * [multiple] test for nss includes
  * [mod_nss] more nss includes fixes
  * [mod_webdav] define _NETBSD_SOURCE on NetBSD
  * [core] silence coverity warnings (another try)
  * [mod_mbedtls] newer mbedTLS vers support TLSv1.3
  * [mod_accesslog] update defaults after cycling log
  * [multiple] add some missing config cleanup
  * [core] fix (startup) mem leaks in configparser.y
  * [core] STAILQ_* -> SIMPLEQ_* on OpenBSD
  * [mod_wolfssl] use more wolfssl/options.h defines
  * [mod_wolfssl] cripple SNI if not built OPENSSL_ALL
  * [mod_wolfssl] need to build --enable-alpn for ALPN
  * [mod_secdownload] fix compile w/ NSS on FreeBSD
  * [mod_mbedtls] wrap addtl code in preproc defines
  * [TLS] server.feature-flags "ssl.session-cache"
  * [core] workaround fragile code in wolfssl types.h
  * [core] move misplaced error trace to match option
  * [core] adjust wolfssl workaround for another case
  * [multiple] consistent order for crypto lib select
  * [multiple] include mbedtls/config.h after select
  * [multiple] include wolfssl/options.h after select
  * [core] set NSS_VER_INCLUDE after crypto lib select
  * [core] use system xxhash lib if available
  * [doc] refresh doc/config/conf.d/mime.conf
  * [meson] add matching -I for lua lib version
  * [build] prepend search for lua version 5.4
  * [core] use inotify in stat_cache.[ch] on Linux
  * [build] detect inotify header <sys/inotify.h>
  * [mod_nss] update session ticket NSS devel comment
  * [core] set last_used on rd/wr from backend (fixes #3029)
  * [core] cold func for gw_recv_response error case
  * [core] use kqueue() instead of FAM/gamin on *BSD
  * [core] no graceful-restart-bg on OpenBSD, NetBSD
  * [mod_openssl] add LIBRESSL_VERSION_NUMBER checks
  * [core] use struct kevent on stack in stat_cache
  * [core] stat_cache preprocessor paranoia
  * [mod_openssl] adjust LIBRESSL_VERSION_NUMBER check
  * [mod_maxminddb] fix config validation typo
  * [tests] allow LIGHTTPD_EXE_PATH override
  * [multiple] handle NULL val as empty in *_env_add (fixes #3030)
  * [core] accept "HTTP/2.0", "HTTP/3.0" from backends (fixes #3031)
  * [build] check for xxhash in more ways
  * [core] accept "HTTP/2.0", "HTTP/3.0" from backends (#3031)
  * [core] http_response_buffer_append_authority()
  * [core] define SHA*_DIGEST_LENGTH macros if missing
  * [doc] update optional pkg dependencies in INSTALL
  * [mod_alias] validate given order, not sorted order
  * [core] filter out duplicate modules
  * [mod_cgi] fix crash if initial write to CGI fails
  * [mod_cgi] ensure tmp file open() before splice()
  * [multiple] add back-pressure gw data pump (fixes #3033)
  * [core] fix bug when HTTP/2 frames span chunks
  * [multiple] more forgiving config str to boolean (fixes #3036)
  * [core] check for __builtin_expect() availability
  * [core] quiet more request parse errs unless debug
  * [core] consolidate chunk size checks
  * [mod_flv_streaming] use stat_cache_get_entry_open
  * [mod_webdav] pass full path to webdav_unlinkat()
  * [mod_webdav] fallbacks if _ATFILE_SOURCE not avail
  * [mod_fastcgi] move src/fastcgi.h into src/compat/
  * [mod_status] add additional HTML-encoding
  * [core] server.v4mapped option
  * [mod_webdav] workaround for gvfs dir redir bug

- Remove SuSEfirewall2 service files, SuSEfirewall2 does not exist
  anymore

- Changed /etc/logrotate.d/lighttpd from init.d to systemd
  fix boo#1146452.

- Remove deprecated GeoIP support (bsc#1156198)
  * drop mod_geoip subpackage

- update to 1.4.55:
  * a multitude of bug fixes

- update to 1.4.54 (boo#1111733):
  * behavior change: strict URL parsing and normalization (configurable)
  * performance enhancements
  * bug fixes
- includes changes from 1.4.53:
  * TLS-ALPN-01
  * systemd socket activation
  * bug fixes
- includes changes from 1.4.52:
  * performance enhancements
  * bug fixes
- includes changes from 1.4.51:
  * new module: mod_authn_pam
  * multiple security fixes
    + process headers after combining folded headers
    + mod_userdir security: skip username "." and ".."
- includes changes from 1.4.50:
  * CVE-2018-19052: path traversal in mod_alias (boo#1115016)
  * security: use-after-free after invalid Range request
  * multiple bug fixes
- Fix build with PostgreSQL 11 in Tumbleweed (boo#1153722)
- Switch to unmodified upstream tarball, add upstream signing
  keys and verify source signature

- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
  shortcut the build queues by allowing usage of systemd-mini

- Revert that pgsql workaround for tumbleweed: pampering over
  issues like this is just hiding problems. A real fix was
  submitted to the postgresql package instead.

- workaround for tumbleweed
  * update-alternatives not expanded in the build VM
    due to unknown reasons, thus /usr/bin/pg_config
    is meaningless

- Updated 10-ssl.conf (TLSv1.2 only) for lighttpd.conf in
  lighttpd_1.4.49-1.1.debian.tar.xz

- Updated 10-ssl.conf (TLSv1.2 only) for lighttpd.conf in
  lighttpd_1.4.49-1.1.debian.tar.xz

- update to 1.4.49
  + - next is 1.4.49
  + [core] adjust offset if response header blank line
  + [mod_accesslog] %{canonical,local,remote}p (fixes #2840)
  + [core] support POLLRDHUP, where available (#2743)
  + [mod_proxy] basic support for HTTP CONNECT method (#2060)
  + [mod_deflate] fix deflate of file > 2MB w/o mmap
  + [core] fix segfault if tempdirs fill up (fixes #2843)
  + [mod_compress,mod_deflate] try mmap MAP_PRIVATE
  + [core] discard from socket using recv MSG_TRUNC
  + [core] report to stderr if errorlog path ENOENT (fixes #2847)
  + [core] fix base64 decode when char is unsigned (fixes #2848)
  + [mod_authn_ldap] fix mem leak when ldap auth fails (fixes #2849)
  + [core] warn if mod_indexfile after dynamic handler
  + [core] do not reparse request if async cb
  + [core] non-blocking write() to piped loggers
  + [mod_openssl] minor code cleanup; reduce var scope
  + [mod_openssl] elliptic curve auto selection (fixes #2833)
  + [core] check for path-info forward down path
  + [mod_authn_ldap] auth with ldap referrals (fixes #2846)
  + [core] code cleanup: separate physical path sub
  + [core] merge redirect/rewrite pattern substitution
  + [core] fix POST with chunked request body (fixes #2854)
  + [core] remove unused func
  + [doc] minor update to *outdated* doc
  + [mod_wstunnel] fix for frames larger than 64k (fixes #2858)
  + [core] fix 32-bit compile POST w/ chunked request body (#2854)
  + [core] add include sys/poll.h on Solaris (fixes #2859)
  + [core] fix path-info calculation in git master (fixes #2861)
  + [core] pass array_get_element_klen() const array *
  + [core] increase stat_cache abstraction
  + [core] open additional fds O_CLOEXEC
  + [core] fix CONNECT w strict header parsing enabled
  + [mod_extforward] CIDR support for trusted proxies (fixes #2860)
  + [core] re-enable overloaded backends w/ multi wkrs
  + [autoconf] reduce minimum automake version to 1.13
  + [mod_auth] constant time compare plain passwords
  + [mod_auth] check that digest realm matches config
  + [core] fix incorrect hash algorithm impl
  + [doc] NEWS

- Replace references to /var/adm/fillup-templates with new
  %_fillupdir macro (boo#1069468)

- new upstream release 1.4.48
  + requires automake 1.14
  + new mod_authn_sasl module
- remove autoreconf call; was required for mod_geoip patch, which is now
  upstream
- add cyrus-sasl-devel, package mod_authn_sasl

- update to 1.4.47
  + [core] stricter validation of request-URI begin
  + [core] fix 1.4.46 regression in config match
  + [core] normalize config addrs for != match
  + [core] normalize config addrs for eq and ne
  + [core] fix 1.4.46 regression in Last-Modified

- new upstream release 1.4.46
- drop lighttpd-1.4.x_out_of_bounds_read.patch (fixed upstream)
- use systemd, drop init script
- drop support for suse_version <= 1210
- add some new modules and packages
- drop __DATE__/__TIME__ sed hack (usage disabled upstream by default)

- use php7 for TW (boo#1058101)

- added lighttpd-1.4.x_out_of_bounds_read.patch: fix out of bounds
  read in mod_scgi (debian#857255)

- make lighttpd user own /var/log/lighttpd/
  to be able to write logs there

- fix some rpmlint messages
  + update FSF address for lighttpd.init
  + install example scripts without +x to avoid pulling shell
    dependencies
  + W:file-contains-current-date /usr/sbin/lighttpd is a false positive;
    it only happens when the last-source-modified date is the same as
    the build date
  + I: binary-or-shlib-calls-gethostbyname has been forwarded upstream

- update to 1.4.45
  + - next is 1.4.45
  + [mod_cgi] skip local-redir handling if to self (fixes #2779, #2108)
  + [mod_webdav] fix crash when plugin_ctx cleaned up (fixes #2780)
  + [mod_fastcgi] detect child exit, restart proactively
  + [mod_scgi] detect child exit, restart proactively
  + [TLS] ssl.read-ahead = "disable" for low mem (fixes #2778)
  + [doc] NEWS
  + [tests] update test skip count for !fcgi-responder
  + [tests] FCGI_Finish() final request before exit
  + [tests] give time for periodic jobs to detect exit
  + [mod_cgi] check cgi fd for num bytes ready to read

- lighttpd-1.4.13_geoip.patch is long gone; it was replaced with
  mod_geoip-for-1.4.39.patch but is now included upstream

- update to 1.4.44
  + - next is 1.4.44
  + [mod_scgi] fix segfault (fixes #2762)
  + [mod_authn_gssapi] fix memory leak
  + [config] warn if mod_authn_ldap,mysql not listed
  + [mod_magnet] fix magnet_cgi_set() set of env vars (fixes #2763)
  + [mod_cgi] FreeBSD 9.3/MacOSX does not have pipe2() (fixes #2765)
  + [mod_extforward] fix crash on invalid IP (fixes #2766)
  + [mod_fastcgi] fix segfault if all backends down (fixes #2768)
  + [mod_cgi] fix out of sockets error for POST to CGI (fixes #2771)
  + [mod_auth] compile fix for Mac OS X XCode (fixes #2772)
  + [mod_authn_gssapi] better resource cleanup
  + [core] compile fix for Mac OS X 10.6 (old) (fixes #2773)
  + fix race in dynamic handler configs (reentrancy) (fixes #2774)
  + [mod_authn_mysql] close mysql_conn in cleanup
  + [mod_webdav] compile fix when locking not enabled
  + load mod_auth & mod_authn_file in sample/test.conf
  + comment out auth.backend.ldap.* in tests/*.conf
  + [mod_fastcgi,mod_scgi] warn if invalid "bin-path"
  + RAND_pseudo_bytes() is deprecated in openssl 1.1.0
  + openssl 1.1.0 init and cleanup
  + [mod_cgi] remove direct calls to network_backend*
  + [build] build network_*.c into lighttpd executable
  + suggest inclusion of mod_geoip... before mod_ssi.
  + set systemd settings similar to lighttpd2
  + [doc] remove reference to Linux rt-signals
  + [mod_authn_gssapi] fix missing error ret, coverity
  + [core] rename li_rand() to li_rand_pseudo_bytes()
  + remove #include "stream.h" where not used
  + [mod_cml] include lua headers before base.h
  + [core] combine duplicated connection reset code
  + [mod_ssi] produce content in subrequest hook
  + [core] remove srv->entropy[]
  + [core] defer li_rand_init() until first use
  + [core] permit connection-level state in modules
  + [mod_dirlisting] render dirlisting as HTML (fixes #2767)
  + [mod_proxy] replace HTTP Host sent to backend (fixes #2770)
  + [mod_ssi] basic recursive SSI include virtual (fixes #536)
  + [mod_ssi] implement, ignore <!--#comment ... -->
  + [core] consolidate duplicated read-to-close code
  + [core] fix segfault when parsing a bad config file
  + [core] support Transfer-Encoding: chunked req body (fixes #2156)
  + [autobuild] set NO_RDYNAMIC=yes for midipix
  + [mod_proxy] proxy.balance = "sticky" option (fixes #2117)
  + [mod_secdownload] warn if SHA used w/o SSL crypto
  + [build] compile fixes for AIX
  + [build] check for pipe2() at configure time
  + [mod_evhost] fix an incorrect error trace
  + [tests] mark tests/docroot/www/*.pl scripts a+x
  + [mod_proxy] proxy.replace-http-host enable/disable
  + [mod_cgi] fall back to pipe() if pipe2() fails
  + fix SCons fullstatic build with glibc pthreads
  + [TLS] openssl 1.1.0 makes SSL_OP_NO_SSLv2 no-op
  + [doc] NEWS

- update to 1.4.43
  + - next is 1.4.43
  + [autobuild] remove mod_authn_gssapi dep on resolv
  + [mod_deflate] ignore '*' in deflate.mimetypes
  + minor: make packdist.sh more convenient for me
  + [autobuild] omit module stubs when missing deps
  + [autobuild] rm module stub code for missing deps
  + [TLS] openssl 1.1.0 hides struct bignum_st
  + [autobuild] move http_cgi_ssl_env() for Mac OS X (fixes #2757)
  + [core] use paccept() on NetBSD (replace accept4())
  + [TLS] remote IP conditions are valid for TLS SNI (fixes #2272)
  + [doc] lighttpd-angel.8 (fixes #2254)
  + [cmake] build fcgi-auth, fcgi-responder for tests
  + [mod_accesslog] %{ratio}n logs compression ratio (fixes #2133)
  + [mod_deflate] skip deflate if loadavg too high (fixes #1505)
  + [mod_expire] expire by mimetype (fixes #423)
  + [mod_evhost] partial matching patterns (fixes #1194)
  + [mod_evhost] mod-evhost.t tests (#1194)
  + build: use CC_FOR_BUILD for lemon when cross-compiling
  + [lemon] standalone; remove #include "first.h"
  + [mod_dirlisting] config header and readme files
  + [config] warn if mod_authn_ldap,mysql not listed
  + fix FastCGI, SCGI, proxy reconnect on failure
  + [core] network_open_file_chunk() temp file opt
  + [mod_rewrite] add more info in error log msg
  + [core] fix fd leak when using libev (fixes #2761)
  + [core] fix potential streaming tempfile corruption (fixes #2760)
  + minor: coverity comments
  + [mod_scgi] fix prefix matching to always match url
  + move script to doc/scripts/ax_prog_cc_for_build.m4
  + [autobuild] adjust Makefile.am for FreeBSD
  + [core] check fcntl O_APPEND succeeds w/ mkstemp()
  + [doc] NEWS
  + [autobuild] add lemon.c to src/Makefile.am
  + [autobuild] build fix for lemon.c
  + [autobuild] put ax_prog_cc_for_build.m4 in top directory
  + [scons] workaround FreeBSD11 fullstatic link error
  + [scons] only apply FreeBSD11 workaround on FreeBSD
  + [mod_cgi] FreeBSD 9.3 does not have pipe2()
  + [build] move some build scripts to scripts/
  + [autotools] fix configure.ac for opensuse 13.2
  + [build] fix warning for (potentially) unused func

- package new modules
- remove mod_geoip_for_1.4.40.patch

- update to 1.4.42
  + - next is 1.4.42
  + [TLS] SSL_shutdown() only if handshake finished
  + [mod_proxy,mod_scgi] shutdown remote only if local (#2743)
  + [core] check if client half-closed TCP if POLLHUP (#2743)
  + [core] enforce wait for POLLWR after EINPROGRESS (fixes #2744)
  + [core] do not enter handler twice after read body
  + [core] proxy,scgi omit shutdown() to backend (fixes #2743)
  + [mod_dirlisting] dirlist does not handle POST
  + [mod_dirlisting] js column sort for dirlist table (fixes #613, fixes #2315)
  + [mod_auth] Digest auth fails after rewrite (fixes #2745)
  + [mod_auth] refactor out auth backend code
  + [mod_auth] refactor out auth backend code
  + [mod_auth] refactor out auth backend code
  + [mod_auth] extensible interface for auth backends
  + [mod_auth] extensible interface for auth backends
  + [core] better DragonFlyBSD support (fixes #2746)
  + [mod_auth] include base.h for USE_OPENSSL def
  + [mod_auth] support CRYPT-MD5-NTLM algorithm (fixes #1743)
  + [mod_auth] terminate salt for CRYPT-MD5-NTLM
  + [core] fix crash if ready events on abandoned fd (fixes #2748)
  + fix mis-cast in unused code
  + [mod_auth] http_auth_md5_hex2bin()
  + [mod_auth] remove empty mod_auth.h
  + [mod_auth] mod_authn_mysql.c MySQL auth backend (fixes #752, fixes #1845)
  + [mod_cgi] permit CGI exec of unreadable files (fixes #2374)
  + [mod_uploadprogress] add to default build
  + [mod_geoip] add to default build (fixes #2705, fixes #2101, fixes #2092, fixes #2025, fixes #1962, fixes #1938)
  + [mod_fastcgi] Authorizer support with Responder (fixes #321, fixes #322)
  + [tests] test coverage for issues (#321, #322)
  + dynamic handlers store debug flag in handler_ctx
  + [mod_fastcgi] allow authorizer, responder for same path/ext (#321)
  + backport mod_deflate to lighttpd 1.4 (fixes #1824, fixes #2753)
  + [autobuild] test_configfile might need vector.c (fixes #2752)
  + remove unused sys-mmap.h from stat_cache.c
  + [mod_deflate] fix longjmp clobber compiler warning
  + remove unused array type TYPE_COUNT data_count
  + [mod_auth] structured data, register auth schemes
  + [mod_auth] mod_authn_gssapi Kerberos auth backend (fixes #1899)
  + silence warnings from clang ccc-analyzer
  + [autobuild] skip two new tests if no fcgi-auth
  + [SCons] define with_krb5 for SCons build
  + [SCons] fix syntax error in SConstruct
  + [SCons] define with_geoip for SCons build
  + [CMake] fix clang -Wcast-align warnings in lemon.c
  + remove excess initializers (fix compiler warnings)
  + fix errors detected by Coverity Scan
  + performance: use Linux extended syscalls and flags
  + [mod_scgi] add uwsgi protocol support
  + [mod_auth] refactor LDAP code into smaller funcs
  + [mod_auth] HTTP Basic auth backends also do authz (#1817)
  + [mod_auth] ldap filter subst user for multiple '$' (fixes #1508)
  + [mod_auth] permit specifying ldap DN; skip search (fixes #1248)
  + [autobuild] update module/feature report
  + [cmake] build mod_authn_gssapi if WITH_KRB5
  + DragonFlyBSD defines __DragonFly__ (#2746)
  + [mod_auth] fix printing of IP in error trace
  + quiet coverity warning
  + [mod_mysql_vhost] support multiple '?' replacement (fixes #2163)
  + [core] make server.max-request-size scopeable (#1901)
  + [core] server.max-request-field-size (fixes #2130)
  + [core] optional condition in config "else" clause (fixes #1268)
  + [core] restrict where config "else" clauses occur (#1268)
  + silence warnings from clang ccc-analyzer
  + consistent, shared code to create CGI env
  + [TLS] replace env entries in https_add_ssl_entries
  + [TLS] set SSL_CLIENT_M_SERIAL w/ client cert SN (fixes #2268)
  + [TLS] set SSL_CLIENT_VERIFY w/ client cert (#1288, #2693)
  + [TLS] set SSL_PROTOCOL, SSL_CIPHER* (fixes #2511)
  + [core] rand.[ch] to use better RNGs when available
  + [mod_cgi] fix pipe_cloexec() when no O_CLOEXEC
  + ignore return value from fcntl() FD_CLOEXEC
  + silence warnings from clang ccc-analyzer
  + fix SCons build
  + build w/o compiler warnings if no zlib or bz2lib
  + parallelize dist package build (packdist.sh)
  + [doc] NEWS
  + quiet coverity warning
  + add random() to list of rand() fallbacks

- update to 1.4.41
  + - next is 1.4.41
  + remove long-deprecated, non-functional config opts
  + [config] inherit server.use-ipv6 and server.set-v6only (fixes #678)
  + [build] allow AUTHOR, KEYID overrides to packdist
  + [mod_auth] fix Digest auth to be better than Basic (fixes #1844)
  + [doc] update memcache references to memcached
  + [mod_ssi] fix #config sizefmt="bytes"
  + fix some warnings reported by cppcheck
  + workaround clang compiler warning
  + [autobuild] move inet_pton detection later
  + [core] #include <sys/filio.h> for FIONREAD (fixes #2726)
  + [autobuild] clock_gettime() -lrt with glibc < 2.17
  + minor: spelling changes in some comments/messages
  + [security] do not emit HTTP_PROXY to CGI env
  + [build_cmake] clock_gettime() -lrt w/ glibc < 2.17 (fixes #2737)
  + [core] avoid spurious trace and error abort
  + [core] stay in CON_STATE_CLOSE until done with req
  + [core] $HTTP["remoteip"] must handle IPv6 w/o []
  + [mod_status] show keep-alive status w/ text output (fixes #2740)
  + do not set REDIRECT_URI in mod_magnet, mod_rewrite (#2738)
  + revert 1.4.40 swap of REQUEST_URI, REDIRECT_URI (fixes #2738)
  + [core] permit IPv6 address scope identifier
  + [core] consolidate duplicated response_end code
  + [TLS] better handling of SSL_ERROR_WANT_READ/WRITE
  + [TLS] read all available records from SSL_read()
  + [core] try AF_INET after AF_INET6 if use-ipv6
  + [core] fix result copy from getaddrinfo()
  + [core] set chunkqueue tempdirs at startup
  + [core] check if EAI_ADDRFAMILY is defined
  + [core] set chunkqueue tempdirs at startup /var/tmp
  + [security] ensure gid != 0 if server.username set (fixes #2725)
  + [security] disable stat_cache if !follow-symlink (fixes #2724)
  + [core] fix buffer_copy_string_hex() assert (fixes #2742)
  + fix buffer.c comments to match encoded_chars_*
  + [security] encode quoting chars in HTML and XML
  + [cmake] always define _GNU_SOURCE
  + [cmake] enable warnings for GCC and Clang
  + [cmake] set cmake_minimum_required to 2.8.2
  + [doc] NEWS

- update to 1.4.40
  + - next is 1.4.40
  + [mod_ssi] enhance support for ssi vars
  + add handling for lua 5.2 and 5.3 (fixes #2674)
  + use libmemcached instead of deprecated libmemcache
  + add force_assert for more allocation results
  + cleanup dead keyvalue code
  + [autobuild] fix lua configure error handling
  + [mod_cgi] use MAP_PRIVATE to mmap temporary file instead of MAP_SHARED (fixes #2715)
  + [core] do not send SIGHUP to process group unless server.max-workers is used (fixes #2711)
  + [mod_cgi] edge case chdir "/" when docroot "/" (fixes #2460)
  + fix links to online docs in template config files
  + [mod_cgi] issue trace and exit if execve() fails (closes #2302)
  + [configparser] don't continue after parse error (fixes #2717)
  + [core] never evaluate else branches until the previous branches are aready (fixes #2598)
  + [core] fix conditional cache handling
  + [core] improve conditional enabling (thx Gwenlliana, #2598)
  + [buffer] use explicit integer promotion to make the code more readable
  + [config] extend duplicate-array-key error (fixes #2704)
  + [mod_compress] case-insensitive content-codings (fixes #2645)
  + [plugins] don't include dlfcn.h if not needed (fixes #2548)
  + [mod_fastcgi] 404 for X-Sendfile file not found (fixes #2474)
  + [mod_cgi] send 500 if CGI ends and there is no response (fixes #2542)
  + [mod_cgi] consolidate CGI cleanup code
  + [mod_cgi] simplify mod_cgi_handle_subrequest()
  + [mod_cgi] kill CGI if fail to write request body
  + [mod_proxy] use case-insensitive comparision to filter headers, send Connection: Close to backend (fixes #421)
  + [mod_dirlisting] dir-listing.hide-dotfiles = "enabled" by default (fixes #1081)
  + [mod_rewrite] fix return type of process_rewrite_rules
  + [mod_secdownload] fix buffer overflow in secdl_verify_mac (reported by Fortify Open Review Project)
  + [mod_fastcgi,mod_scgi] fix leaking file-descriptor when backend spawning failed (reported by Fortify Open Review Project)
  + [core] improve array API to prevent theoretical memory leaks
  + [core] rename variable in array.c
  + [core] refactor array search; raise array size limit to SSIZE_MAX
  + [core] fix memory leak in configparser_merge_data
  + [core] provide array_extract_element and use it
  + [core] configparser: error on duplicate keys in array merge (fixes #2685)
  + [core] more careful parse of $SERVER["socket"] config str (prepare #2204)
  + [core] accept $SERVER["socket"] without port, use server.port as fallback (fixes #2204)
  + [mod_magnet] define lua_pushglobaltable (for lua5.1) and use it (fixes #2719)
  + [ssl] support disabling ssl.verifyclient.activate in SNI callback (fixes #2531)
  + restart (some) syscalls after SIGCHLD interrupted them; should fix LDAP problems (fixes #2464)
  + [core] log remote address on request timeouts (fixes #652)
  + [autobuild] use AC_CANONICAL_HOST instead of AC_CANONICAL_TARGET (fixes #1866)
  + [core] fix request_start in keep-alive requests to mark time when received first byte (fixes #2412)
  + [core] truncate pidfile on exit (fixes #2695)
  + consistent inclusion of config.h at top of files (fixes #2073)
  + [autobuild] include first.h in make dist
  + [core] add generic vector implementation
  + [core] replace array weakref with vector
  + [base64] fix crash due to broken force_assert
  + [unittests] add test_buffer and test_base64 unit tests
  + [base64] fix another crash due to broken force_assert conditions
  + [buffer] refactor buffer_path_simplify (fixes #2560)
  + [http_auth/mod_fastcgi] check get_http_*_name() for NULL return (#2583)
  + validate return values from strtol, strtoul (fixes #2564)
  + add NEWS entry for previous commit
  + [mod_ssi] Add SSI vars SCRIPT_{URI,URL} and REQUEST_SCHEME (fixes #2721)
  + [config] warn if server.upload-dirs has non-existent dirs (fixes #2508)
  + [mod_proxy] accept LF delimited headers, not just CRLF (fixes #2594)
  + [core] wait for grandchild to be ready when daemonizing (fixes #2712, thx pasdVn)
  + [core] respond 411 Length Required if request has Transfer-Encoding: chunked (fixes #631)
  + [core] fixed the loading for default modules if they are specified explicitly
  + [core] lighttpd -tt performs preflight startup checks (fixes #411)
  + [stat] mimetype.xattr-name global config option (fixes #2631)
  + [configparser] fix small leak on config failure
  + [mod_webdav] allow Depth: Infinity lock on file (fixes #2296)
  + [mod_status] use snprintf() instead of sprintf()
  + pass buf size to li_tohex()
  + use li_[iu]tostrn() instead of li_[iu]tostr()
  + [stream] fstat() after open() to obtain file size
  + [core] clean up srv before exiting for lighttpd -[vVh]
  + [mod_fastcgi,mod_scgi] check for spawning on same unix socket (fixes #319)
  + [mod_cgi] always set QUERY_STRING (fixes #1339)
  + [mod_auth] send charset="UTF-8" in WWW-Authenticate (fixes #1468)
  + [mod_magnet] rename var for clarity (fixes #1483)
  + [mod_extforward] reset cond_cache for scheme (fixes #1499)
  + [mod_webdav] readdir POSIX compat (fixes #1826)
  + [mod_expire] reset caching response headers for error docs (fixes #1919)
  + [mod_status] page refresh option (fixes #2170)
  + [mod_status] table w/ count of con states (fixes #2427)
  + [mod_dirlisting] class for dir <tr> (fixes #2304)
  + skip spawning backends for preflight tests (#2642)
  + [core] define __STDC_WANT_LIB_EXT1__ (fixes #2722)
  + [core] setrlimit max-fds <= rlim_max for non-root (fixes #2723)
  + [mod_ssi] config ssi.conditional-requests
  + [mod_ssi] config ssi.exec (fixes #2051)
  + [mod_redirect,mod-rewrite] short-circuit if blank replacement (fixes #2085)
  + [mod_indexfile] save physical path to env (fixes #448, #892)
  + [core] open fd when appending file to cq (fixes #2655)
  + [config] server.listen-backlog option (fixes #1825, #2116)
  + [core] retry tempdirs on partial write, ENOSPC (fixes #2588)
  + untangle overly complex control flow logic
  + defer reading request body until handle subrequest (fixes #2541)
  + mv funcs from connections.c to connections-glue.c
  + defer reading request body until handle subrequest
  + always poll for client POLLHUP/POLLERR events (fixes #399)
  + remove handle_joblist hook
  + handlers can read response before sending req body (fixes #131, #2566)
  + [mod_cgi] asynchronous send of request body to CGI
  + improve dynamic handler control flow logic
  + [doc] add mimetype.use-xattr to conf.d/mime.conf
  + [doc] enhance error msg for backend server config
  + [doc] add ref to RFC 7232 for conditional requests
  + make (compile and link) cleanly under cygwin
  + [core] compile with upcoming openssl 1.1.0 release (fixes #2727)
  + fix some warnings reported by static analysis tool
  + [core] set REDIRECT_STATUS to error_handler_saved_status (fixes #1828)
  + remove unused con->error_handler member
  + [core] server.error-handler new directive for error pages (fixes #2702)
  + set REDIRECT_URI in mod_rewrite, mod_magnet
  + [doc] add server.error-handler
  + server.error-handler new directive for error pages
  + [core] support IPv6 in $HTTP["remote-ip"] CIDR cond match (fixes #2706)
  + [doc] NEWS
  + [core] http_response_send_file() shared code (#2017)
  + [mod_fastcgi] use http_response_xsendfile() (fixes #799, fixes #851, fixes #2017, fixes #2076)
  + [mod_scgi] X-Sendfile feature (fixes #2253)
  + [mod_cgi] X-Sendfile feature (fixes #2313)
  + [mod_cgi,mod_fastcgi,mod_scgi] X-Sendfile features
  + [mod_webdav] lseek,read if fs can not mmap (#2666, fixes #962)
  + [mod_compress] use mmap and trap SIGBUS (#2666, fixes #1879)
  + fallback to lseek()/read() if mmap() fails (#fixes 2666)
  + [mod_auth] skip blank lines and comment lines (fixes #2327)
  + [core] fallback to write if sendfile not supported (fixes #471, #987)
  + minor: add missing #include <errno.h>
  + [core] preserve PATH_INFO case on case-insensitive fs (fixes #406)
  + [doc] add mimetype.use-xattr to create-mime.conf.pl
  + [doc] NEWS
  + [mod_ssi, mod_cml] set DOCUMENT_ROOT to basedir (fixes #2383)
  + [core] cmd line opt to shutdown after idle time limit (fixes #2696)
  + [network] separate addr trans from socket creation
  + [core] lighttpd -1 handles single request on stdin socket (fixes #1584)
  + lighttpd run modes for idle timeout, one-shot
  + [mod_fastcgi,mod_scgi] IPv6 support (fixes #2372)
  + [mod_status] add JSON output option (fixed #2432)
  + [mod_webdav] map COPY/MOVE Destination to aliases (fixes #1787)
  + [mod_webdav] improve PROPFIND,PROPPATCH (#1818, #1953)
  + [mod_webdav] improve PROPFIND,PROPPATCH; map COPY/MOVE Destination
  + [doc] NEWS
  + reset response headers, write_queue for error docs
  + fix typo in new cgi.x-sendfile directives
  + clean up oneshot_fd resource upon startup error
  + minor: fix compiler warning for extra ';'
  + build with libressl
  + [core] fix IPv6 address + port parsing (#2204)
  + static build instructions using SCons or make
  + [core] fix config merge of array lists
  + [core] simplify config merge of array lists
  + [core] add default modules while processing server config
  + [mod_auth] preserve WWW-Authenticate for error docs (fixes #2730)
  + check close() return code after writing to file
  + [doc] NEWS
  + adjustments for openssl 1.1.0 pre-release
  + [config] support include file glob (fixes #1221)
  + [mod_evasive] 302 redirect option if limit reached (fixes #2199)
  + [build] enhancements for cross-compiling (fixes #2276)
  + [mod_accesslog] report aborted con state with %X (fixes #1890)
  + [mod_ssi] fix SSI statement parser
  + [mod_ssi] include relative to alias,userdir (fixes #222)
  + [mod_ssi] add PCRE_* options to constrain regex
  + [mod_ssi] more flexible quoting (fixes #1768)
  + [core] wrap IPv6 literal in "[]" in redirect URL
  + [mod_ssi] fix parse of tag across buf boundary (fixes #2732)
  + [mod_cgi,mod_scgi] X-Sendfile sets file_started (fixes #2733)
  + [mod_fastcgi] no chunked response w/ X-Sendfile (fixes #2733)
  + [config] opts for http header parsing strictness (fixes #551, fixes #1086, fixes #1184, fixes #2143, #2258, #2281, fixes #946, fixes #1330, fixes #602, #1016)
  + [config] normalize IP strings in lighttpd.conf
  + [build_cmake] use MODULE on Mac OS X (fixes #1761)
  + minor: quiet some compiler warnings
  + use buffer_string_set_length() to truncate strings
  + use buffer_string_set_length() to truncate strings
  + [config] server.bsd-accept-filter option
  + [mod_webdav] create file w/ LOCK request if ENOENT
  + [doc] NEWS
  + [mod_webdav] getetag and lockdiscovery live props
  + [mod_webdav] create file w/ LOCK request if ENOENT
  + [core] buffer large responses to tempfiles (fixes #758, fixes #760, fixes #933, fixes #1387, #1283, fixes #2083)
  + [core] stream response to client (#949)
  + [TLS] release openssl buffers as used (fixes #1265, fixes #1283, #881)
  + [config] config options to stream request/response (#949, #376)
  + [core] option to stream request body to backend (fixes #376)
  + separate routines for reading output from backends
  + [core] option to stream response body to client (fixes #949, #760, #1283, #1387)
  + drain backend socket/pipe bufs upon FDEVENT_HUP
  + http_response_backend_error()
  + remove excess calls to joblist_append()
  + defer choosing "Transfer-Encoding: chunked"
  + asynchronous, bidirectional streaming options
  + fix errors detected by Coverity Scan
  + [build] update Makefile.am EXTRA_DIST w/ new files
  + chunkqueue_append_chunkqueue()
  + fix errors detected by Coverity Scan
  + [cygwin] fix mod_proxy and mod_fastcgi ioctl use
  + use con->conf.server_tag in modules
  + [mod_webdav] remove excess SQL param to UNLOCK
  + [doc] NEWS
  + graceful shutdown without unnecessary 1 sec delay
  + fix error handling for portability (NetBSD)
  + [core] disable Nagle algorithm (TCP_NODELAY)
  + [core] add declarations to fdevent.h (#2373)
  + [build] add $(ATTR_LIB) to liblightcomp_la_LIBADD
  + [cygwin] minor: fix compiler warning
  + [tests] remove dependency on CGI.pm
  + [core] fix s6_addr type-punned compiler warning
  + [TLS] fix return value checks during cert init
  + [core] fix server.max-request-size to be precise (fixes #2131)
  + [mod_webdav] fix proppatch mem leak, other fixes (#fixes 1334, #fixes 2000)
  + [autobuild] CMake check for struct tm tm_gmtoff (fixes #2014)
  + [core] remove assert in fdevent_unregister()
  + [mod_uploadprogress] fix mem leak (#1858)
  + [core] make server.max-request-size scopeable (fixes #1901)
  + [mod_fastcgi,mod_scgi] check for spawning on same unix socket (#319)
  + [mod_fastcgi,mod_scgi] check for spawning on same unix socket (#319)
  + fix gcc 6.1.1 compiler warn misleading-indentation
  + [mod_accesslog] %a %A %C %D %k %{}t %{}T (fixes #1145, fixes #1415, fixes #2081)
  + [mod_access] new directive url.access-allow (fixes #1421)
  + [core] fdevent_libev: update use of ev_timer
  + [core] fdevent_libev: workaround compiler warning
  + [tests] remove some tests duplicated in mod-cgi.t
  + [mod_cgi] handle local redirect response (fixes #2108)
  + update lighttpd -h
  + [doc] add self to AUTHORS (discussed w/ stbuehler)
  + [doc] NEWS

- update to 1.4.39
  + -next is 1.4.38
  + fix packdist.sh output links
  + [stat-cache] fix handling of collisions, might have returned wrong data (fixes #2669)
  + [core] allocate at least 4k buffer for incoming data
  + [core] fix search for header end if split across chunks (fixes #2670)
  + [core] check configparserAlloc() result with force_assert
  + [mod_auth] implement and use safe_memclear, using memset_s or explicit_bzero if available
  + [core] don't buffer request bodies smaller than 64k on disk
  + add force_assert for many allocations and function results
  + [mod_secdownload] use a hopefully constant time comparison to check hash (fixes #2679)
  + [config] check config option scope; warn if server option is given in conditional
  + [core] revert increase of temp file size back to 1MB, provide a configure option "server.upload-temp-file-size" instead (fixes #2680)
  + [core] add '~' to safe characters in ENCODING_REL_URI/ENCODING_REL_URI_PART encoding
  + [core] encode path with ENCODING_REL_URI in redirect to directory (fixes #2661, thx gstrauss)
  + [core] refactor base64 functions into separate file
  + [mod_secdownload] add required algorithm option; old behaviour available as "md5", new options "hmac-sha1" and "hmac-sha256"
  + [autobuild] fix missing header in tar ball
  + mod-auth.t: no crypt md5 for darwin
  + [tests] test apr-md5 in mod-auth.t
  + [tests] do not half-close socket before having received the response (fixes #2688)
  + [mod_fastcgi/mod_scgi] zero sockaddr structs before use (fixes #2691)
  + [network] add darwin-sendfile backend (fixes #2687)
  + [core] show correct crypt support result (fixes #2690)
  + - next ist 1.4.39
  + [core] fix memset_s call (fixes #2698)
  + [chunk] fix use after free / double free (fixes #2700)
  + [scons] fix fullstatic build

- Add perl(CGI) BuildRequires in order to be able to pass the test
  suite.

- update to 1.4.37
  + - next is 1.4.37
  + [mod_proxy] remove debug log line from error log (fixes #2659)
  + [mod_dirlisting] fix dir-listing.set-footer not showing
  + fix out-of-filedescriptors when uploading "large" files (fixes #2660, thx rmilecki)
  + increase upload temporary chunk file size from 1MB to 16MB
  + fix undefined integer shift
  + rewrite network (write) backends
  + [cmake] lowercase commands, whitespace cleanup, remove clutter in else(...), endif(...), endforeach(...)
  + [cmake] cleanup cache variables if features get deactivated
  + fix some unchecked return value warnings
  + maintain cq->bytes_in in chunk API; keep bytes_out/bytes_in synced
  + [cmake] don't put date into config.h (not used anyway), only unset local vars for disabled features instead of clearing cache
  + [cmake] fix FreeBSD linker bug
  + [tests] search for perl in PATH instead of /usr/bin; whitespace + test config cleanups
  + [kqueue] fix kevent call
  + [tests] fix warning about newline in filename
  + [autoconf] define HAVE_CRYPT when crypt() is present
  + [bsd xattr] fix compile break with BSD extended attributes in stat_cache
  + [mod_dirlisting] remove sys/syslimits.h; base.h already includes limits.h
  + small README for FreeBSD build setup
  + [build] put --as-needed into linker flags instead of cflags
  + [mod_cgi] rewrite mmap and generic (post body) send error handling
  + [mmap] fix mmap alignment
  + [plugins] when modules are linked statically still only load the modules given in the config
  + [scons] various improvements
  + [mmap] handle SIGBUS in network; those get triggered if the file gets smaller during reading
  + [scons] fix crypt() detection, other improvements
  + [scons] fix build
  + fix some warnings found by coverity ("leak" in setup phase, not catching too long unix socket paths in mod_proxy)
  + packdist.sh: use fakeroot for make dist to have root owned files in tar