LiteSpeed Web Server Changelog

Build 1

[Improvement] Avoid reCAPTCHA verification on AJAX requests to minimize false positives.
[Improvement] Make built-in error and reCAPTCHA verification pages responsive.
[Improvement] Remove '[' ']' enclosure for IPv6 addresses in the access log and request environment variable REMOTE_ADDR.
[Bug Fix] Fixed a bug that caused HTTP/2 requests to stall under rare conditions.
[Bug Fix] Fixed a bug that caused broken non-keepalive HTTPS responses.
[Bug Fix] Fixed a bug that caused WordPress brute force protection false positive.

Build 0

[Security] Addressed recent HTTP/2 DoS advisories (https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md). Fixed CVE-2019-9516 ""0-Length Headers Leak"" vulnerability. Completely blocks unaffected attacks:  CVE-2019-9511 ""Data Dribble"", CVE-2019-9512 ""Ping Flood"", CVE-2019-9513 ""Resource Loop"", CVE-2019-9514 ""Reset Flood"", CVE-2019-9515 ""Settings Flood"", CVE-2019-9517 ""Internal Data Buffering"", and CVE-2019-9518 ""Empty Frames Flood"".
[New Feature] Updated HTTP/3 support to Internet Draft 22.
[New Feature] Smart server PUSH uses cookies to track pushed assets, avoiding pushing the same asset repeatedly.
[Improvement] reCAPTCHA engine has been improved to reduce false positives. 
[Bug fix] Fixed a chunk encoding bug that could cause data corruption.
[Bug Fix] Fixed a bug that could cause truncated response bodies to be transferred over non-keepalive HTTPS connections. This usually affects front-end CDN services.
[Bug Fix] Fixed a regression that prevented Apache vhosts from using PHP daemon mode.
[Bug Fix] Fixed a cache engine bug that failed to forward the `X-Litespeed-purge2` response header to front-end ADC cache engines. 
[Bug Fix] Fixed a bug that causes Python WSGI applications to fork child processes frequently.

Build 3

[Bug Fix] Fixed a bug that could cause truncated response bodies to be transferred over non-keepalive HTTPS connections. This usually affects front-end CDN services.

Build 2

[New Feature] Updated HTTP/3 support to Internet Draft 22 .
[New Feature] Smart server PUSH uses cookies to track pushed assets, avoiding pushing the same asset repeatedly.
[Improvement] Re-enabled PHP graceful shutdown now that the PHP LiteSpeed SAPI 7.5 package is ready.
[Improvement] Tuned reCAPTCHA verification to avoid requesting verification on image/css/js files.
[Bug Fix] Minor bug fixes for 404 logging and some rare crashes.

Build 1

[Update] Updated cPanel/WHM plugins to v1.2.3.3 and v3.3.3.5 respectively.
[Bug fix] Fixed a chunk encoding bug that could cause data corruption.
[Bug fix] Fixed a bug with customized reCAPTCHA pages.
[Bug fix] Fixed a QUIC engine bug that affected graceful restarts.
[Bug fix] Fixed a BAN request method parsing bug.

Build 0

[Major Improvement] Massive HTTP/2 HTTPS performance boost (up to 5x faster than LSWS v5.3.x).
[Major New Feature] Experimental HTTP/3 draft 20 support.
[Major New Feature] Redis and rewrite based dynamic virtual hosting.
[Major New Feature] Server level reCAPTCHA protection efficiently defends against layer-7 DDoS attacks of any size.
[New Feature] Added support for Q046 in QUIC engine.
[New Feature] HTTPS accelerator with direct dynamic TLS record packaging, improving both HTTPS throughput and TTFB without compromise.
[New Feature] HTTPS handshake offloading, improving HTTPS handshake speed and avoiding clogging the server's main event loop. (No extra configuration required)
[New Feature] SO_REUSEPORT support, improving multi-worker scalability for high traffic deployments.
[New Feature] HTTPS certificate compression, reducing the size of HTTPS handshake exchange data.
[Improvement] Improved HTTP/2 stream prioritization for a better user browsing experience.

RC4

[New Feature] Support for SO_REUSEPORT for multi-worker license.
[New Feature] HTTPS/QUIC handshake offloading.
[New Feature] TLSv1.3 certificate compression.
[New Feature] High Availability for Redis dynamic vhost setup.
[New Feature] Support for Google QUIC 046.
[New Feature] Experimental IETF QUIC draft-20.

RC3

[Major New Feature] Dynamic Virtual Host configuration through REDIS backend.
[Major Improvement] Greatly improved HTTP/2 performance -- up to 7x faster than previous implementations.
[Bug fix] Improved QUIC engine performance and stability.
[Bug fix] All bug fixes and enhancements on 5.3.x branch included.

RC2

[Major New Feature] Dynamic virtual hosting through rewrite rules.
[Improvement] Improved HTTP/2 performance.
[New Feature] QUIC proxy backend support for backend communication through QUIC.
[Bug fix] All applicable bug fixes from the 5.3 branch.
[Bug fix] Fixed a few server crash bugs.

RC1

[New Feature] Recaptcha verification for DDoS attack mitigation.
[New Feature] Support for Ruby/Python/Nodejs applications in native configuration.
[New Feature] Added Virtual Host level trusted IP control, managed through .htaccess.
[Major Improvement] Added LiteSpeed TLS Accelerator, maximizing HTTPS & HTTP/2 performance.
[Major Improvement] HTTP/2 performance has been improved with a better header compression/decompression work flow.
[Bug fix] All bug fixes from LSWS 5.3.5 incremental builds included.

Build 6

[Update] Updated cPanel/WHM plugins v1.2.3.2 and v3.3.3.4 respectively.
[Bug fix] Temporarily stop PHP processes with SIGKILL as a workaround for problems caused by clean shutdown logic added to PHP LiteSpeed SAPI v7.4.3.
[Bug fix] Added websocket proxy support for cPanel and webmail subdomains in addition to WHM subdomains.
[Bug fix] Fixed a QUIC engine bug and made QUIC more DoS attack resistant.

Build 5

[Bug Fix] Updated WHM plugin to v3.3.3.2 to fix a bug introduced in the previous version that caused most plugin actions to result in a PHP fatal error.
[Bug Fix] To avoid server crash, PCLMUL will be disabled in the zlib library if the server CPU does not support PCLMUL instructions.

Build 4

[New feature] Web Cache Manager CLI support for DirectAdmin.
[Bug fix] Fixed websocket proxy from https to ws:// backend; made WHM terminal work properly through proxy.
[Bug fix] Improved compatibility with Apache; "Require ip xxx" can bypass HTTP authentication.
[Bug fix] Added support for "AddEncoding br ..." to avoid double compression.
[Bug fix] Updated WebAdmin code to avoid some E_STRICT warnings.
[Bug fix] Fixed server PUSH parsing problem when 'Link' header contains multiple URLs.

Build 3

[Bug fix] Fixed an ACL bug occurring when environment variables are used in Allow/Deny configurations.
[Bug fix] Fixed a request parser bug which caused the server to crash when a partition holding a temp file is out of space.
[Bug fix] Fixed a cache engine bug that caused requests to certain URLs to hang.

Build 2

[Bug fix] Fixed a regression in PHP daemon mode that causes 503 errors.

Build 1

[Bug fix] Fixed an IP2Location configuration bug that could cause the server to crash during startup.
[Bug fix] Fixed a bug with nested ESI subrequests that caused random crashes.

Build 0

[Security] Added built-in filter to block attempts at hacking LiteMage with crafted ESI requests.
[New Feature] lscmctl script can now be used to install/uninstall the LiteSpeed Web Cache Manager user-end plugin for cPanel. 
[New Feature] Recommend a plugin or broadcast a message to all discovered WordPress installations with the dash notify feature, available in both the lscmctl script and WHM plugin.
[Improvement] Bundled WHM and user-end cPanel plugins have been updated to v3.3.1 and v1.2.0.2 respectively.
[Improvement] Support request header sizes of up to 64K.
[Improvement] Ignore <if> <else> <elseif> configuration contexts.
[Improvement] Added support for Apache configuration directive ""Require ip ..."".
[Improvement] Improved lsup.sh with stable release tier.
[Improvement] Improved rc-inst.sh to install systemd unit file for Plesk + Debain/Ubuntu.
[Improvement] Improved NodeJS application compatibility and mod_passenger configuration handling.
[Improvement] Added autoconfig for PHP 7.4.
[Improvement] Improved compatibility with LSAPI 7.3 .
[Improvement] Improved HPACK encoding performance.
[Improvement] Cache engine now updates ""X-LiteSpeed-Cache-Control max-age"" value based on actual expire time when a front-end lscache proxy exists. 
[Improvement] Improved compatibility with Apache mod_security on variables REQUEST_BODY, REQUEST_FILENAME and LAST_UPDATE_TIME.
[Improvement] Fixed PHP handler compatibility issues with Plesk's updated configuration template.
[Improvement] Improved WordPress brute force detection IP logging.
[Bug fix] Fixed an Apache SSL vhost SNI configuration bug.
[Bug fix] Fixed a QuicEngine bug that could cause broken responses.
[Bug fix] Fixed a cache + ESI engine bug that caused random server crashes.
[Bug fix] Fixed rewrite engine infinite loop when rewrite map file is stored in an NFS mount.
[Bug fix] Improved detached mode process manager to accurately stop detached processes when requested.
[Bug Fix] Added User-Agent and Referer headers to server pushed requests to avoid failing possible checks in a user's custom configuration.
[Bug Fix] Fixed FreeBSD 100% cpu usage for kqueue event loops when AIO logging is enabled.
[Bug Fix] Fixed an SSL OCSP stapling bug.
[Bug Fix] Fixed broken server restart when port offset had been set.
[Bug Fix] Fixed a memory leak in the GeoIP module.

Build 8

[Bug Fix] Fixed a cache + ESI bug that could cause random crashes.
[Bug Fix] Fixed a rewrite engine bug.
[Bug Fix] Fixed a memory leak in the GeoIP module.
[Bug Fix] Fixed a Plesk compatibility issue.

Build 7

[Improvement] Better WordPress brute force detection IP logging.
[Improvement] Allow request header sizes greater than 32K.
[Improvement] Added PID to error log messages for worker processes.
[Bug fix] Fixed a Ruby selector regression introduced in v5.3.7 build 3.
[Bug fix] Fixed an SSL OCSP stapling bug.
[Bug Fix] Fixed broken server restart when port offset had been set.

Build 6

[New Feature] Added the ability to install/uninstall the LiteSpeed Web Cache Manager user-end plugin for cPanel using the lscmctl script.
[Improvement] Fixed PHP handler compatibility issues with Plesk's updated configuration template.
[Improvement] Improved LSAPI compatibility with LSAPI 7.3 .
[Improvement] Improved HPACK encoding performance.
[Improvement] Cache engine now updates X-LiteSpeed-Cache-Control max-age value based on actual expire time when a front-end lscache proxy exists.
[Improvement] Natively configured detached PHP process groups are now gracefully restarted. 

Build 5

[New Feature] Recommend a plugin or broadcast a message to all discovered WordPress installations with the dash notify feature available in the lscmctl script and WHM plugin.
[Improvement] Ignore <if> <else> <elseif> configuration contexts.
[Improvement] Added autoconfig for PHP 7.4.
[Update] Updated WHM plugin to v3.3 and user-end cPanel plugin to v1.2.
[Bug Fix] ESI engine bug fix.
[Bug Fix] Fixed freeBSD 100% cpu usage for kqueue event loops.
[Bug Fix] Fixed a detached mode process manager bug that accidentally killed other lshttpd worker processes. 

Build 4

[Improvement] Improved lsup.sh with stable tier.
[Improvement] Improved NodeJS application compatibility and mod_passenger configuration handling.
[Bug Fix] Fixed a bug in detached mode process manager that failed to stop running processes under certain server environments.
[Bug Fix] Added User-Agent and Referer headers to server pushed requests to avoid failing possible checks in a user's custom configuration.
[Bug Fix] Implemented mod_security REQUEST_BODY as a dedicate variable.

Build 3

[Improvement] Improved rc-inst.sh to install systemd unit file for Plesk + Debain/Ubuntu.
[Bug fix] Fixed an ESI engine memory management bug that caused random server crashes.
[Bug fix] Fixed rewrite engine infinite loop when rewrite map file is stored in an NFS mount.

Build 2

[Bug Fix] Fixed a detached mode process manager bug introduced in build 1.

Build 1

[Security] Added built-in filter to block attempts to hack LitemMage with crafted ESI request.
[Bug Fix] Fixed a detached mode process manager bug made killing other unrelated processes possible.
[Bug Fix] Fixed an Apache SSL vhost SNI configuration bug.
[Bug Fix] Fixed a QuicEngine bug that could cause broken responses.

Build 0

[Security] Fixed a XSS vulnerability in directory auto index script.
[Improvement] Improved QUIC transport protocol performance and reliability.
[Improvement] Improved default configuration for servers with heavy disk I/O wait.
[Improvement] Made IP based SSL SNI configuration exactly match Apache's.
[Improvement] Made .rtreport symbolic links root owned to avoid LFD file warnings.
[Improvement] Improved ESI support for JSON responses.
[Improvement] Improved lsup.sh script to check build number against latest build.
[Update] Updated bundled WHM plugin to v3.2.0.3 and user-end cPanel plugin to v1.1.1.2 to address an integration issue with the recent LSCWP release.
[Bug Fix] Fixed a file descriptor leak in piped logger.
[Bug Fix] Fixed a bug that prevented changing the Cache-Control or Expire headers within PHP.
[Bug Fix] Fixed inaccurate real-time statistics.
[Bug Fix] Fixed a rewrite engine compatibility issue.
[Bug Fix] Fixed a regression in "Redirect" directive handling.
[Bug Fix] Fixed a QUIC engine bug when handling extra long response headers.
[Bug Fix] Fixed a regression that broke the "SetHandler" directive.
[Bug fix] Fixed a rewrite engine bug where target URLs containing "../" could cause problems.
[Bug fix] Fixed an external loop redirect detection bug.
[Bug Fix] Fixed a mod_security bug stopping response headers from being logged to the audit_log.
[Bug Fix] Fixed a mod_security engine bug that was mistakenly skipping some rules for POST requests.
[Bug Fix] Fixed an ESI engine bug that broke detection for looping includes, causing the server to run out of memory.
[Bug Fix] Increased logging for detach mode process manager. A forced lock release will now occur if a dead lock is detected when starting detach mode processes.
[Bug Fix] Fixed systemd unit file lshttpd.service by requiring network-online.target.
[Bug Fix] Allow xx.xx.xx.xx/32 as valid IP in ACL configuration.

Build 6

[Security] .rtreport no longer world readable.
[Improvement] Improved QUIC transport protocol performance and reliability.
[Improvement] Made IP based SSL SNI configuration exactly match Apache's.
[Improvement] Made .rtreport symbolic links root owned to avoid LFD file warnings.
[Bug Fix] Fixed inaccurate real-time statistics.

Build 5

[Update] Updated bundled WHM plugin to v3.2.0.3 and user-end cPanel plugin to v1.1.1.2.
[Improvement] Improved lsup.sh script to check build number against latest build.
[Bug Fix] Fixed systemd unit file lshttpd.service, by requiring network-online.target.
[Bug Fix] Allow xx.xx.xx.xx/32 as valid IP in ACL configuration.

Build 4

[Update] Updated bundled WHM plugin to v3.2.0.2 and user-end cPanel plugin to v1.1.1.1 to address an integration issue with the recent LSCWP v2.9.3.
[Bug Fix] Fixed a mod_security engine bug that was mistakenly skipping some rules for POST requests.
[Bug Fix] Fixed an ESI engine bug that broke detection for looping includes, causing the server to run out of memory.
[Bug Fix] Increased logging for detach mode process manager. A forced lock release will now occur if a dead lock is detected when starting detach mode processes.

Build 3

[Improvement] Improved ESI support for JSON responses.
[Bug fix] Fixed rewrite engine bug where target URLs containing "../" could cause problems.
[Bug fix] Fixed an external loop redirect detection bug.
[Bug Fix] Fixed a mod_security bug stopping response headers from being logged to the audit_log.

Build 2

[Bug Fix] Fixed a regression that broke the "SetHandler" directive.
[Bug Fix] OCSP cache directory now properly adjusted in chroot environments.

Build 1

[Improvement] Improved default configuration for servers with heavy disk I/O wait.
[Bug Fix] Fixed a rewrite engine compatibility issue.
[Bug Fix] Fixed a regression in "Redirect" directive handling.
[Bug Fix] Fixed a QUIC engine bug when handling extra long response headers.

Build 0

[New Feature] lscmctl script can now be used to set custom server and virtual host cache roots with the 'setcacheroot' command.
[Improvement] Added "ProxyPass"/"ProxyPassMatch" support for AJP backend.
[Improvement] Added support for "IP:port" in "X-Forwarded-For" header.
[Improvement] Reliably switch back to Apache in the case of a LiteSpeed licensing problem.
[Improvement] Added back support for SecFilterEngine and SecFilterScanPOST directives for backward compatibility.
[Update] Updated bundled WHM plugin to v3.2.0.1 and user-end cPanel plugin to v1.1.1. 
[Bug Fix] Fixed AddHandler directive behavior to be the same as AddType.
[Bug Fix] Fixed an OCSP stapling bug that caused Mozilla connection issues.
[Bug Fix] Stopped PHP from logging errors into the error log when stderr.log was disabled.
[Bug Fix] Fixed a SecRemoteRule handling bug.
[Bug Fix] Fixed a bug causing detached PHP processes to be stopped during graceful restarts, which may cause random 503 errors.
[Bug Fix] Fixed a bug in processing GeoIP2 mmdb database.
[Bug Fix] Fixed a bug introduced in v5.3.5 build 5 that broke cPanel/WHM's "redirect to closest matched domain" feature.
[Bug Fix] Fixed cPanel two factor authentication.
[Bug Fixes] Minor bug fixes involving Apache compatibility issues.

Build 9

[Bug Fix] Fixed a bug causing detached PHP processes to be stopped during graceful restarts.

Build 8

[Bug Fix] Fixed an OCSP response verification bug (introduced in the previous build) that caused crashing.
[Bugfix] Fixed a bug in processing GeoIP2 mmdb database. 
[Bugfix] Fixed a bug introduced in 5.3.5 build 5 that breaks cPanel/WHM redirect to closest matched domain feature.

Build 7

[Enhancement] Added extra validation on OCSP response to avoid outdated response for newly renewed certificate. 
[Integration] Made LSWS compatible with Apache configuration generated by cPanel v78.
[Bug Fix] Fixed AddHandler directive behavior to be the same as AddType.

Build 6

[New Feature] Added "ProxyPass"/"ProxyPassMatch" support for AJP backend.
[New Feature] Added support for "IP:port" in "X-Forwarded-For" header.
[Improvement] Detached PHP processes are now detected and restarted more reliably.
[Bug Fix] Applied a SecRemoteRules fix to avoid rule file corruption.
[Bug Fix] Fixed a bug that could cause a blank response body for pre-compressed content.

Build 5

[Update] Updated default welcome page content.
[Bug Fix] Fixed a SecRemoteRule handling bug.
[Bug Fix] Fixed a bug causing detached mode PHP processes to log PHP stderr messages to the server's error log file.
[Bug Fix] Fixed an awstats integration bug that broke dynamic page generation mode.
[Bug Fix] Fixed an infinite loop bug that occurred with badly configured contexts.

Build 4

[Improvement] Reliably switch back to Apache when there is a LiteSpeed licensing problem.
[Improvement] Added back support for SecFilterEngine and SecFilterScanPOST directives for backward compatibility.
[Bug Fix] Stopped PHP error logging into error log when stderr.log is disabled.

Build 3

[Bug Fix] Fixed a bug that causes excessive requests to OSCP responder.
[Bug Fix] Fixed a bug that failed to handle some types of Node.js selector configurations.
[Bug Fix] Fixed a bug that failed cPanel two factor authentication.
[Bug Fix] Fixed a bug in LiteMage combined subrequest handling.

Build 0

[Improvement] Improvements to HTTP/2, QUIC, and rewrite engine.
[Bug Fix] HTTP/2, QUIC, and rewrite engine bug fixes.
[Bug Fix] Fixed mod_security engine not handling skipAfter properly in the `SecAction` directive.
[Bug Fix] Fixed server failing to automatically fix cache directory permission problems.

Build 8

[Bug Fix] Fixed a rewrite engine bug introduced in 5.3.4 build 7, which could cause ERR_SPDY_PROTOCOL_ERROR and redirect problems.

Build 7

[Improvement] Improved mod_rewrite compatibility.
[Improvement] Improved QUIC engine by dynamically adjust batch size of outgoing packets.

Build 5

[Improvement] Improved PHP process abort feature to occur in a more timely manner.
[Bug Fix] Fixed an HTTP/2 engine bug that caused connections to reset under certain situations.

Build 4

[Improvement] Improved mod_security engine with UNIQUE_ID support.
[Update] Disabled 503 auto fix by default.
[Bug Fix] Fixed an SSL OCSP stapling bug.
[Bug Fix] Fixed memory and resource leaks.
[Bug Fix] Fixed incompatible behavior with Python selector support.
[Bug Fix] Fixed a license information display bug in WebAdmin Console.

Build 2

[Improvement] Improved compatibility for WebCache manager.
[Bug Fix] This build include a fix for gQUIC v044 support

Build 1

[Improvement] Improved NODEJS support.
[Improvement] Detect curl + HTTP/2 combination and disable HTTP/2 for future access.
[Update] Updated WHM plugin to v3.1.3.2 to address a compatibility issue with newer versions of the LSCWP plugin.
[Update] Updated cPanel user-end plugin to v1.0.2.1 to address a compatibility issue with newer versions of the LSCWP plugin.

Build 0

[MAJOR NEW FEATURE] Added support for Google QUIC v44. 
[NEW FEATURE] Improved Ruby/Python selector support and apply engine version changes on the fly.
[NEW FEATURE] Allow overriding external application environment at vhost level.
[NEW FEATURE] Log HTTP/2 in access log for HTTP/2 connection.
[NEW FEATURE] Auto detect and use cPanel signed certificate for WebAdmin.
[NEW FEATURE] Auto correct bad HTTPS proxy backend configured as HTTP.
[IMPROVEMENT] Improved compatibility with ColdFusion engine.
[UPDATE] Updated bundled WHM plugin to v3.1.3.1
[UPDATE] Updated bundled cPanel user-end plugin to v1.0.2.
[BUGFIX] Fixed mod_security engine compatibility issue with latest COMODO ruleset.
[BUGFIX] Added "Accept-Range: bytes" header back for static files.
[BUGFIX] Fixed bug in rewrite engine loop redirection detection.

Build 3

[Bug Fix]  Fixed a mod_security engine bug that caused incorrect behavior with the comodo ruleset.

Build 2

[Bug Fix] Made adjustments to PHP handler configuration to fix broken PHP selector.
[Bug Fix] Fixed a memory leak in HTTP/2.
[Bug Fix] Fixed a crash when parsing Apache configuration.

Build 0

[Bug Fix] Emergency release to ignore faulty rewrite rule introduced by cPanel
  • Admin
  • Last modified: 2019/08/21 14:10
  • by Lucas Rolff