We’ve just released another patch release. This release includes several bug fixes, including a few security patches for wthttp:
One related to client certificates, where an internal header normally used for dedicated session processes could be spoofed and would be accepted by Wt regardless of whether it was actually behind a reverse proxy or using dedicated session processes
Another related to dedicated session processes, where X-Forwarded-Proto and X-Forwarded-Port would be trusted by the parent process, even if the parent process was not behind a reverse proxy
See the release notes for more details on the bug fixes.
Here are the links:
Wt 4.1.2 (C++): download wt-4.1.2.tar.gz (release notes)
Wt 3.4.2 (C++): download wt-3.4.2.tar.gz (release notes)
JWt 3.4.2 (Java): download jwt-3.4.2.zip (release notes)
Binary builds for Windows are available on the GitHub releases page.