| 1 | +## v1.6.2 (2026-04-12) |
| 2 | + |
| 3 | +### Fix |
| 4 | + |
| 5 | +- **security**: replace unbounded sync.Map PathCache with bounded LRU (hashicorp/golang-lru) to prevent memory exhaustion DoS (SEC-001) |
| 6 | +- **security**: make panic stack traces configurable via STATIC_DEBUG env var (SEC-003) |
| 7 | +- **security**: generate random multipart boundary per response using crypto/rand (SEC-004) |
| 8 | +- **security**: add MaxCompressSize (10 MB) limit for on-the-fly gzip (SEC-005) |
| 9 | +- **security**: apply path.Clean in CacheKeyForPath to prevent cache poisoning (SEC-006) |
| 10 | +- **security**: suppress server name disclosure (SEC-007) |
| 11 | +- **security**: sanitize control characters in access log URIs (SEC-008) |
| 12 | +- **security**: remove deprecated PreferServerCipherSuites TLS option (SEC-009) |
| 13 | +- **security**: handle template execution errors in directory listing (SEC-010) |
| 14 | +- **security**: add MaxServeFileSize (1 GB) hard limit for large file serving (SEC-011) |
| 15 | +- **security**: add clarifying comment on CORS wildcard Vary behavior (SEC-012) |
| 16 | +- **security**: document ETag 64-bit truncation rationale (SEC-013) |
| 17 | +- **security**: set explicit MaxRequestBodySize (1024 bytes) (SEC-014) |
| 18 | +- **security**: add MaxConnsPerIP config support for rate limiting (SEC-015) |
| 19 | +- **security**: validate symlink targets during cache preload (SEC-016) |
| 20 | + |
| 21 | +### Docs |
| 22 | + |
| 23 | +- update landing page, README, and USER_GUIDE for security audit remediations |
| 24 | +- add 3 new config fields to documentation tables |
| 25 | +- mark all 16 security findings as resolved in audit report |
| 26 | + |
| 27 | +### Test |
| 28 | + |
| 29 | +- add TestBuildHandler_MaxServeFileSize (under/over/disabled) |
| 30 | +- add TestMiddleware_MaxCompressSize (under/over/at-limit/disabled) |
| 31 | +- expand TestCacheKeyForPath with path normalization edge cases |
| 32 | +- add TestPathCache_BoundedLRU, LookupPromotesEntry, FlushClearsAll, DefaultSizeOnZero |
| 33 | +- add TestNew_HTTPOnly_SecurityDefaults and TestNew_TLS_SecurityDefaults |
| 34 | +- add TestNew_MaxConnsPerIP_Zero for disabled state |
| 35 | + |
| 36 | +### Build |
| 37 | + |
| 38 | +- bump brotli v1.2.0 → v1.2.1 |
| 39 | +- bump klauspost/compress v1.18.4 → v1.18.5 |
| 40 | +- bump fasthttp v1.69.0 → v1.70.0 |
| 41 | + |
1 | 42 | ## v1.6.1 (2026-03-28) |
2 | 43 |
|
3 | 44 | ### Fix |
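Review bot: The v1.6.2 Fix list enumerates SEC-001 and SEC-003 through SEC-016 (15 entries) but has no SEC-002 line, while the Docs section in the same hunk states that all 16 security findings are marked resolved in the audit report; either add the missing SEC-002 entry or note in the changelog why that finding needed no code change, so the two sections agree. Minor style point: the SEC-012 and SEC-013 entries ("add clarifying comment on CORS wildcard Vary behavior", "document ETag 64-bit truncation rationale") describe comment and documentation changes only and would sit more naturally under Docs than under Fix. Also consider expanding the SEC-014 entry, since an explicit 1024-byte MaxRequestBodySize is a user-visible default that callers with larger request bodies will hit.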