Announcing:
LiteSpeed Web Server v6.3.5
In this release: Security updates, bug fixes, and more!
RELEASE LOG:
[Security] Additional sanitation checks for external application commands to address CVE-2026-31386.
[Security] Add `UnsafeAllow3F` rewrite rule flag to address unsafe %3f encoded URLs.
[Tuning] Add Apache style configuration "ExtAppUdpHash on|off" to control hash vs domain name in extapp domain socket address.
[Bug Fix] Update CloudLinux CageFS detection method in LiteSpeed Containers management script.
[Improvement] Add Apache configuration directive "DisableHtaccessBlockbot" to disable blockbot feature in .htaccess.
[Bug Fix] Address compatibility issues with cPGuard modsecurity ruleset.
[Bug Fix] Address FreeBSD 15 + zfs posix_fallocate() error handling.
[Bug Fix] Address a PROXY protocol client address update issue for HTTP requests.
[Bug Fix] Address incorrect CPU affinity mask for external worker processes under a LXC container.
[Bug Fix] Make "Require local" configuration work properly.
[Bug Fix] Address an Apache SSL configuration problem with SSLCertificateChainFile directive.
[Bug Fix] Address various corner cases in modsecurity, HTTP/2, HTTP3, rewrite and namespace.
[Tuning] Increase VHost level limit of number of access log files from 4 to 8.
[Tuning] Server PUSH tracking cookie is now off by default.
[Tuning] Better Googlebot User-Agent detection for different services.
[Tuning] Skip some local domains for domain limited licenses.
https://www.litespeedtech.com/products/litespeed-web-server/release-log
Please remember, there may be some delay between this announcement and the ability to auto-update. If you don't want to wait, you can update manually via the following command: `/usr/local/lsws/admin/misc/lsup.sh -f -v 6.3.5`
Cheers!
LiteSpeed Web Server v6.3.5
In this release: Security updates, bug fixes, and more!
RELEASE LOG:
[Security] Additional sanitation checks for external application commands to address CVE-2026-31386.
[Security] Add `UnsafeAllow3F` rewrite rule flag to address unsafe %3f encoded URLs.
[Tuning] Add Apache style configuration "ExtAppUdpHash on|off" to control hash vs domain name in extapp domain socket address.
[Bug Fix] Update CloudLinux CageFS detection method in LiteSpeed Containers management script.
[Improvement] Add Apache configuration directive "DisableHtaccessBlockbot" to disable blockbot feature in .htaccess.
[Bug Fix] Address compatibility issues with cPGuard modsecurity ruleset.
[Bug Fix] Address FreeBSD 15 + zfs posix_fallocate() error handling.
[Bug Fix] Address a PROXY protocol client address update issue for HTTP requests.
[Bug Fix] Address incorrect CPU affinity mask for external worker processes under a LXC container.
[Bug Fix] Make "Require local" configuration work properly.
[Bug Fix] Address an Apache SSL configuration problem with SSLCertificateChainFile directive.
[Bug Fix] Address various corner cases in modsecurity, HTTP/2, HTTP3, rewrite and namespace.
[Tuning] Increase VHost level limit of number of access log files from 4 to 8.
[Tuning] Server PUSH tracking cookie is now off by default.
[Tuning] Better Googlebot User-Agent detection for different services.
[Tuning] Skip some local domains for domain limited licenses.
https://www.litespeedtech.com/products/litespeed-web-server/release-log
Please remember, there may be some delay between this announcement and the ability to auto-update. If you don't want to wait, you can update manually via the following command: `/usr/local/lsws/admin/misc/lsup.sh -f -v 6.3.5`
Cheers!