pkgsrc-Users archive


lighttpd 1.4.76 released



Dear package maintainers:

lighttpd 1.4.76 has been released!
https://redmine.lighttpd.net/projects/lighttpd/wiki/Release-1_4_76

Please package and publish lighttpd 1.4.76.

Important changes from 1.4.75

* detect VU#421644 HTTP/2 CONTINUATION Flood
** issue trace and send GO_AWAY
** (lighttpd not vulnerable to attack)
  
* avoid CVE-2024-3094 xz supply chain attack
** use 'git archive' to replace 'make dist' to create release tarballs
*** remove excess complexity (m4 and autotools) from release process
*** now more easily verifiable that sources come from signed git release tag


If your distro package requires any other patches that might be
upstreamed into lighttpd, please let me know.

Please let me know if you have any questions or issues.  Thank you!

Cheers, Glenn


FUTURE SCHEDULED BEHAVIOR CHANGES: (2025)
* lighttpd TLS defaults will change to MinProtocol TLSv1.3
  Other configurations will still be supported, but will not be the default.
  Proposed default: MinProtocol TLSv1.3
  Current default: MinProtocol TLSv1.2
* server.error-handler-404 will operate only on 404
  (historical error: server.error-handler-404 operated on both 404 and 403)
  Since lighttpd 1.4.40 (released Jul 2016), server.error-handler is available
  to produce dynamic error pages for 4xx and 5xx responses.
  Since lighttpd 1.4.56 (released Nov 2020), magnet.attract-response-start-to
  is an additional, high performance mechanism to produce dynamic error pages.
  https://wiki.lighttpd.net/mod_magnet
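
A packager-side check that follows from the 'git archive' change above. This is an added example, not part of the announcement and not lighttpd's own tooling. The function names are hypothetical, and the repository path, tag name and tarball path are assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example (constructed): confirm a release tarball holds exactly the
# files recorded under a signed git tag. REPO, TAG and TARBALL are supplied
# by the caller; the tarball is assumed to have one top-level directory,
# as `git archive --prefix=NAME/` produces.

# verify_tag_signature REPO TAG
# Succeeds only if TAG carries a signature that verifies against a key in
# the local keyring (import and trust the maintainer's key beforehand).
verify_tag_signature() {
    git -C "$1" verify-tag "$2"
}

# tarball_matches_tag REPO TAG TARBALL
# Exit 0: trees identical. Exit 1: a file was added, removed or changed.
# Exit 2: the tag or tarball could not be read.
tarball_matches_tag() (
    repo=$1; tag=$2; tarball=$3
    work=$(mktemp -d) || exit 2
    rc=2
    if mkdir "$work/git" "$work/tar" &&
       git -C "$repo" archive --format=tar -o "$work/ref.tar" "$tag" &&
       tar -xf "$work/ref.tar" -C "$work/git" &&
       tar -xf "$tarball" --strip-components=1 -C "$work/tar"
    then
        # Recursive compare of names and contents: catches extra files
        # as well as modified ones.
        if diff -r "$work/git" "$work/tar" >/dev/null; then rc=0; else rc=1; fi
    fi
    rm -rf "$work"
    exit "$rc"
)

# verify_release REPO TAG TARBALL: signature first, then content.
verify_release() {
    verify_tag_signature "$1" "$2" && tarball_matches_tag "$1" "$2" "$3"
}
```

Comparing extracted trees rather than tarball checksums keeps the check independent of compression settings and tar implementation.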

