libmicrohttpd

HTTP/1.x server C library (MHD 1.x, stable)

NEWS (18207B)


      1 Thu Apr 16 10:36:54 AM CEST 2026
      2 Released GNU libmicrohttpd 1.0.5.
      3 
      4     This is a bugfix release.
      5     It fixes additional HTTP request smuggling issues (CWE-444).
      6 
      7     -- Christian Grothoff
      8 
      9 Mon Apr 13 11:42:06 AM CEST 2026
     10 Released GNU libmicrohttpd 1.0.4.
     11 
     12     This is a bugfix release.
     13     It fixes a minor HTTP request smuggling issue (CWE-444).
     14 
     15     -- Christian Grothoff
     16 
     17 Thu Apr  2 12:16:28 AM CEST 2026
     18 Released GNU libmicrohttpd 1.0.3.
     19 
     20     This is a bugfix release.
     21     It primarily fixes a list traversal issue that could
     22     cause connection handling issues when other connections
     23     were suspended.
     24 
     25     -- Christian Grothoff
     26 
     27 Mon Jul 14 2025 05:03:07 PM CEST
     28 Released GNU libmicrohttpd 1.0.2.
     29 
     30     This is a bugfix release.
     31     It primarily fixes a double-close() bug on bind() errors.
     32 
     33     -- Christian Grothoff
     34 
     35 Fri 23 Feb 2024 21:00:00 UZT
     36 Released GNU libmicrohttpd 1.0.1.
     37 
     38     This is a correction release.
     39     This release mainly fixes and improves builds with non-default configure
     40     parameters.
     41 
     42     -- Evgeny Grin (Karlson2k)
     43 
     44 Thu 01 Feb 2024 15:00:00 CET
     45 Released GNU libmicrohttpd 1.0.0.
     46 
     47     This is the first non-bugfix release since version 0.9.75 and the first
     48     ever stable release of GNU libmicrohttpd. It is a huge one with new
     49     features and fixes.
     50 
     51     The major changes:
     52     * Rewritten parsing of clients' requests, fully aligned with current
     53       RFCs (9110 and 9112) requirements. Added detailed control of strict
     54       or lenient specification enforcement. Application may choose between
     55       more compatible mode or more strict and secure mode.
     56     * Reworked Digest Auth, greatly enhanced support for current RFC 7617
     57       features. MHD currently is the only known server-side implementation
     58       with support for SHA-512/256, userhash and username in extended
     59       notation. At the same time the very old RFC2069 is supported, as
     60       well as MD5 and SHA-256.
     61     * Improved functionality in multi-threading environment, especially with
     62       external sockets polling modes.
     63     * Reworked Basic Auth, adding new convenient API functions.
     64     * Re-implemented GnuTLS initialisation. Now supports
     65       libmicrohttpd-specific system-wide configuration, as well as generic
     66       GnuTLS system-wide configuration. Application may adjust settings based
     67       on system configuration instead of specifying its own full
     68       configuration.
     69     * Tons of other new functionality and various fixes. For detailed changes
     70       see the ChangeLog or Git commit logs.
     71 
     72 
     73     Since the last non-bugfix release, 1062 commits were added with
     74     67007 line insertions and 26616 deletions.
     75 
     76     -- Evgeny Grin (Karlson2k)
     77 
     78 Sun 28 May 2023 18:00:00 MSK
     79 Released GNU libmicrohttpd 0.9.77.
     80 
     81     This is mostly a bugfix release.
     82     This version was created by taking patches from the current development
     83     branch and back-porting them on top of version 0.9.76.
     84     The most notable changes are: some improvements for Digest and Basic
     85     authorizations, fixed efficiency for TLS upgraded connections, fixed
     86     processing of folded headers in requests, fixed functionality with
     87     blocking sockets, improved and fixed internal test-suite.
     88 
     89     The more detailed list of the important changes:
     90 
     91     API changes:
     92     + Added new function MHD_get_version_bin().
     93 
     94     Improvements and enhancements:
     95     * Digest Auth: changed algorithm identifiers in server generated
     96       headers from "md5" / "sha-256" to "MD5" / "SHA-256" to better match
     97       RFC (while clients should use caseless matching).
     98     * Improved Base64 decoding by new implementation with robust input
     99       data validation checks.
    100     * Improved configure for cross-compiling, for better compatibility
    101       with POSIX and for better compatibility with the latest compiler
    102       versions.
    103     * New internal tests: for Base64 decoding, Basic Auth and folded
    104       headers.
    105     * Supported new libcurl API in tests to mute deprecation warnings.
    106     * Supported ARM and ARM64 for VC compilers.
    107 
    108     Functionality changes:
    109     * any negative number returned by response data generation callback
    110       function is treated as an error. Previously negative values except
    111       predefined error codes could produce undefined behaviour.
    112     * Added handling of "DEBUG" preprocessor macro as an alias of "_DEBUG".
    113 
    114     Fixes:
    115     # Fixed functionality with blocking sockets.
    116     # Fixed very inefficient data pumping for upgraded TLS connections.
    117     # Fixed processing of folded headers in the requests.
    118     # Fixed data races when closing upgraded connection.
    119     # Removed duplication of "Connection: upgrade" header.
    120     # Digest auth: fixed thread sync to avoid "stale hash" results.
    121     # Fixed harmless unwanted extra data processing resulting in triggering
    122       of the assert.
    123     # Fixed tests for LTO.
    124     # Removed non-portable functions in examples.
    125     # Fixed delayed call of connection notification callback in
    126       thread-per-connection mode.
    127     # Fixed Address Sanitizer unpoison of memory when memory pool is
    128       destroyed. This fixed periodic ASAN error when used for a long time
    129       with the sanitizer.
    130     # Fixed compiler warnings in library code, examples, tests and configure
    131       checks.
    132     # New TLS certificates for test-suite: all with SAN fields and SHA-256
    133       hash.
    134     # Tests: fixed tests on Darwin 22.x (Ventura).
    135     # Tests: redesigned one test group to avoid stress-testing of the OS.
    136 
    137     -- Evgeny Grin (Karlson2k)
    138 
    139 Sun 26 Feb 2023 17:49:30 CET
    140 Released GNU libmicrohttpd 0.9.76 hotfix. -CG
    141 
    142     This is a hotfix release.
    143     The only change since the previous release is a fixed potential DoS vector
    144     in MHD_PostProcessor discovered by Gynvael Coldwind and Dejan
    145     Alvadzijevic (CVE-2023-27371).
    146     While the researchers have not been able to exploit this attack vector
    147     when libmicrohttpd is compiled with the standard GNU C library, it is
    148     recommended that you update MHD as soon as possible if your
    149     applications are using (optional) MHD_PostProcessor functionality.
    150 
    151     -- Evgeny Grin (Karlson2k)
    152 
    153 Sun 26 Dec 2021 20:30:00 MSK
    154 Released GNU libmicrohttpd 0.9.75 -EG
    155 
    156     This is a correction release.
    157     The main improvement is the implementation of workaround for some
    158     OSes (like OpenBSD 7) where "monotonic" clock may jump back. Now
    159     MHD is able to automatically detect such situation and recover if
    160     the jump is small. This workaround is needed with increased
    161     accuracy of connection timeout introduced in previous version, as
    162     with lower accuracy (v0.9.73 and before) these jumpbacks were
    163     unnoticeable.
    164     Other changes: fixed some compiler, Makefile, and configure
    165     warnings on specific platforms; one test further improved.
    166 
    167     -- Evgeny Grin (Karlson2k)
    168 
    169 
    170 Sun 19 Dec 2021 18:30:00 MSK
    171 Released GNU libmicrohttpd 0.9.74
    172 
    173     This release brings a lot of fixes and improvements, and
    174     important new features.
    175     The most significant addition is the new experimental
    176     implementation of WebSockets contributed by David Gausmann. This
    177     implementation is not fully tested yet so currently it is disabled
    178     by default.
    179     Other changes include a lot of improvements and clarifications
    180     in doxy comments in microhttpd.h header file, improved compliance
    181     with the RFC HTTP specifications, the new implementation of reply
    182     header forming, the new implementation of request chunked encoding
    183     parsing, new automatic error replies, internal optimisations, and
    184     many important fixes, including fixes for long-standing bugs.
    185 
    186     More detailed list of notable changes:
    187 
    188     API changes:
    189     + Added new function MHD_get_reason_phrase_len_for().
    190     + Added MHD_CONNECTION_INFO_HTTP_STATUS type of information
    191       queried by MHD_get_connection_info().
    192     + Added new response flag MHD_RF_SEND_KEEP_ALIVE_HEADER to force
    193       sending of "keep-alive" header even if not required by RFC.
    194     + Added new response creation function
    195       MHD_create_response_from_buffer_with_free_callback_cls() with
    196       custom cleanup callback.
    197     + Added new response flag MHD_RF_HTTP_1_0_COMPATIBLE_STRICT with
    198       the same functionality as existing MHD_RF_HTTP_VERSION_1_0_ONLY
    199       flag. The old flag will be deprecated.
    200     + Added new response flag MHD_RF_HTTP_1_0_SERVER with the same
    201       functionality as existing MHD_RF_HTTP_VERSION_1_0_RESPONSE flag.
    202       The old flag will be deprecated.
    203 
    204     New features:
    205     + Added experimental WebSockets extension with separate header.
    206       Disabled by default as it is not fully tested yet.
    207     + Added '--enable-sanitizers[=address,undefined,leak,user-poison]'
    208       configure parameter (instead of '--enable-sanitizer'),
    209       implemented custom memory poisoning for memory pools.
    210 
    211     Improvements and enhancements:
    212     * Doxy function descriptions were corrected, clarified, extended,
    213       and improved. Now it should be much easier to learn MHD just by
    214       reading the headers.
    215     * Completely rewritten reply header forming. New implementation is
    216       more robust, simpler maintainable and expandable, and better
    217       follows RFC HTTP specifications.
    218     * Performance improvements: now HTTP version and request method are
    219       decoded one time only (previously MHD used string comparison many
    220       times during processing the data).
    221     * Rewritten request chunked payload decoding. The new
    222       implementation better conforms to the HTTP RFC, detects format
    223       problems earlier, replies to the clients with description of
    224       detected problems, handles untypical (but syntactically correct)
    225       values properly.
    226     * Added special replies for wrong/unsupported HTTP versions in
    227       requests, broken HTTP chunked encoding in requests,
    228     * As required by HTTP RFC, added automatic error replies if client
    229       used broken chunked encoding, too large chunk size, too large
    230       payload size, or broken Content-Length header.
    231     * Optimized connection's memory pool handling.
    232     * Changed timeout precision from one second to one millisecond.
    233     * Added some checks for incorrect user data, reporting problems in
    234       MHD log.
    235     * Improved performance of hash calculations functions by using
    236       compiler built-ins (if available).
    237     * Implemented SHA-1 calculations (required for WebSockets).
    238     * Added universal MSVC project that works with any (sufficiently
    239       new) version of MSVC.
    240     * Developed simple HTTP client to test MHD under very special
    241       conditions.
    242     * Implemented 45 new tests.
    243     * Improved existing tests to test more aspects of MHD.
    244     * Added check for correct results of system and libcurl functions.
    245     * Response headers are checked during forming of responses.
    246     * HTTPS tests were improved.
    247     * Added rebuild on W32 of all required files if files are missing.
    248     * Many internal optimisations and improvements.
    249 
    250     Functionality changes:
    251     * Keep-alive header is omitted by default for HTTP/1.1 connections.
    252       Use of header can be enforced by response flag.
    253     * Chunked encoding is used for HTTP/1.1 non-keep-alive connections
    254       for responses with unknown size. Previously MHD used "indication
    255       of the end of the response by closing connection" in such cases,
    256       however it is not correct for HTTP/1.1 connections as per HTTP
    257       RFC.
    258     * As required by HTTP RFC, use HTTP/1.1 version instead of HTTP/1.0
    259       in reply headers when client is HTTP/1.0. HTTP/1.0 version can
    260       be enforced by response flag.
    261     * User response headers are used in replies in the same order as
    262       they were added by the application.
    263     * Allowed tab characters in response header values.
    264     * All custom "Connection:" response headers are automatically
    265       combined into single "Connection:" header.
    266     * "keep-alive" token silently dropped from custom "Connection:"
    267       response header. "Keep-alive" cannot be enforced and used
    268       automatically if possible.
    269     * Allow tab character in custom response header value.
    270     * Disallow space character in custom response header value.
    271     * Do not allow responses with 1xx codes for HTTP/1.0 requests.
    272     * Detected and reported incorrect "Upgrade" responses.
    273     * W32 targets are changed to Vista+ by default. XP is supported
    274       still.
    275 
    276     Fixes:
    277     # Fixed short busy-waiting (up to one second) when connection is
    278       going to be expired and closed.
    279     # Fixed handling of errors during start of new connection, fixed
    280       inability to accept new connections in thread-per-connection mode
    281       due to the missing decrement of number of daemon's connections if
    282       start of new thread has failed.
    283     # Fixed incorrect parsing of LFLF, LFCR, CRCR, and bare CR as
    284       single linefeed in request header and request chunked payload.
    285       Now only CRLF or bare LF are recognized as linefeed.
    286     # Fixed response chunked encoding handling. Now it works properly
    287       with non-keep-alive connection, with fixed size replies (if
    288       chunked was enforced by header), and in other situations.
    289     # Other fixes for chunked replies.
    290     # Fixed handling of custom connection timeout in thread-per-
    291       connection mode.
    292     # Fixed wrongly used MHD_REQUEST_TERMINATED_COMPLETED_OK code for
    293       application notification when MHD_REQUEST_TERMINATED_WITH_ERROR
    294       code must be used.
    295     # Fixed code MHD_REQUEST_TERMINATED_READ_ERROR not reported (code
    296       MHD_REQUEST_TERMINATED_WITH_ERROR was incorrectly used instead).
    297     # Fixed handling of request chunked encoding with untypical
    298       formatting.
    299     # Fixed processing of last part of hex-encoded values under
    300       certain conditions.
    301     # Fixed value returned for MHD_CONNECTION_INFO_REQUEST_HEADER_SIZE.
    302     # Fixed returned value for MHD_FEATURE_AUTOSUPPRESS_SIGPIPE on W32,
    303       now it is MHD_YES as W32 does not need SIGPIPE suppression.
    304     # Fixed portability of bitwise NOT for enums values.
    305     # Fixed SHA-256 and MD5 calculations with unaligned data.
    306     # Fixed incorrect caseless matching for HTTP version.
    307     # Fixed incorrect caseless matching for request method.
    308     # Fixed compatibility with old GnuTLS versions.
    309     # Fixed compiler warnings on 32-bits platforms.
    310     # Fixed blocking sockets setting in tests and examples for W32.
    311     # Fixed examples to really use libmagic if present.
    312     # HTTPS tests were fixed.
    313     # Fixed libcurl test with case-insensitive match for HTTP methods,
    314       method names must use case-sensitive match.
    315     # Fixed tests compatibility with old libcurl versions.
    316     # Fixed build on W32 with llvm-dlltool (this tool is too
    317       oversimplified)
    318 
    319     -- Evgeny Grin (Karlson2k)
    320 
    321 
    322 Sun 25 Apr 2021 14:00:00 MSK
    323 Released GNU libmicrohttpd 0.9.73
    324 
    325     This release brings new features, improvements, and a few fixes.
    326     The most important addition is the new function for vector-backed
    327     responses, based on the patch contributed by NASA engineers.
    328     Other changes include compatibility with autoconf 2.70+, improved
    329     testsuite compatibility with CI systems, fixed and improved MSVC
    330     builds, and implementation of ALPN support.
    331 
    332     More detailed list of notable changes:
    333 
    334     API changes:
    335     + Added new function MHD_create_response_from_iovec(), based on the
    336       patch provided by Lawrence Sebald and Damon N. Earp from NASA.
    337     + Added MHD_OPTION_SIGPIPE_HANDLED_BY_APP daemon option.
    338     + Added new function MHD_run_wait().
    339     + Added MHD_OPTION_TLS_NO_ALPN to disable usage of ALPN even if
    340       it is supported by TLS library.
    341 
    342     New features:
    343     + Added '--enable-heavy-tests' configure parameter (disabled by
    344       default).
    345     + Implemented support for ALPN.
    346 
    347     Improvements and enhancements:
    348     * Return timeout of zero also for connections awaiting cleanup.
    349     * Compatibility with autoconf >=2.70, used new autoconf features.
    350     * Warn user when custom logger option is not the first option.
    351     * Added information to the header about minimal MHD version when
    352       particular symbols were introduced.
    353     * Updated test certificates to be compatible with modern browsers.
    354     * Added on-fly detection of UNIX domain sockets and pipes, MHD does
    355       not try to use TCP/IP-specific socket options on them.
    356     * Report more detailed error description in the MHD log for send
    357       and receive errors.
    358     * Enabled bind port autodetection for MSVC builds.
    359 
    360     Fixes:
    361     # Fix PostProcessor to always properly stop iteration when
    362       application callback tells it to do so.
    363     # Fixed MD5 digest authorization broken when compiled without
    364       variable length arrays support (notably with MSVC).
    365     # Fixed detection of type of send errors on W32.
    366 
    367     -- Evgeny Grin (Karlson2k)
    368 
    369 
    370 Mon 28 Dec 2020 21:36:00 MSK
    371 Released GNU libmicrohttpd 0.9.72
    372 
    373     This release is mostly a bugfix release, with greatly improved
    374     compatibility with various OSes/kernels, including FreeBSD, Windows,
    375     OpenBSD, NetBSD, Darwin (macOS), Solaris. Performance is improved,
    376     especially with HTTPS connections and stay-alive HTTP connections.
    377 
    378     Notable changes since version 0.9.71:
    379 
    380     API changes:
    381     + New function MHD_create_response_from_pipe()
    382 
    383     Improvements and enhancements:
    384     * Fully rewritten code for buffering/pushing from kernel network buffers
    385       for compatibility with various OSes. Reduced number of additional
    386       sys-calls, network is better utilized, responses are delivered faster.
    387     * Restored optimal sendfile() usage on FreeBSD.
    388     * MHD now takes care of SIGPIPE handling by blocking it in internal
    389       threads and avoiding functions (like sendfile()) that could generate
    390       SIGPIPE when blocking of this signal is not possible.
    391 
    392     Fixes:
    393     # Fixed crash in PostProcessor.
    394     # Fixed several resource leaks in corner cases.
    395     # Improved thread sync, thread safety and fixed one use-after-free under
    396       special conditions during stopping of daemon.
    397     # Updated HTTP status codes, header names and methods from the
    398       registries.
    399     # Fixed functioning without listen socket and with internal threads.
    400     # Fixed streaming of chunked responses for both HTTP and HTTPS.
    401     # Various compatibility fixes.
    402 
    403     -- Evgeny Grin (Karlson2k)
    404 
    405 
    406 Tue Jan  9 20:52:48 MST 2007
    407 	Project posted.