We are pleased to announce the release of lighttpd 1.4.14. This is mainly a bug fix release including 2 security fixes. It is recommended to upgrade or at least apply the patches.

• Lighttpd SA 2007:01 (patch: lighttpd-1.4.x_crlf_parsing_dos.patch)
• Lighttpd SA 2007:01 (patch: lighttpd-1.4.x_zero_mtime_crash.patch)

Download

As 1.4.14 had a cookies related bug please use 1.4.15

Thanks for using lighttpd!:)

The complete list of changes

• fix crash if gethostbyaddr() failed on redirect [1718]
• properly handle 206 responses generated by *cgi scripts. (#755) [1716]
• added HTTPS=on to the environment of cgi scripts (#861) [1684]
• fix handling of 303 (#1045) [1678]
• made the configure check for lua more portable [1677]
• added mod_extforward module [1665]
• references to the fam stat cache engine should be conditional (#1039) [1664]
• fix http 500 errors (colin.stephen/at/o2.com) #1041 [1663]
• prevent wrong pidfile unlinking on graceful restart (Chris Webb) [1656]
• ignore empty packets from STDERR stream. #998
• fix a crash for files with an mtime of 0 reported by cubiq on irc [1519] CVE-2007-1870
• allow empty passwords with ldap (Jörg Sonnenberger) [1516]
• mod_scgi.c segfault fix #964 [1501]
• Added round-robin support to mod_fastcgi [1500]
• Handle DragonFlyBSD the same way as Freebsd (Jörg Sonnenberger) [1492,1676]
• added now and weeks support to mod_expire. #943
• fix cpu hog in certain requests [1473] CVE-2007-1869
• fix for handling hostnames with trailing dot [1406]
• fixed header-injection via server.tag (#1106)
• disabled caching of files without a content-type to solve the aggressive caching of FF
• remove trailing white-spaces from HTTP-requests before parsing (#1098)
• fixed accesslog.use-syslog in a conditional and the caching of the accesslog for files (fixes #1064)
• fixed various crashes at startup on broken accesslog.format strings (#1000)
• fixed handling of %% in accesslog.format
• fixed conditional dir-listing.exclude (#930)
• reduced default PATH_MAX to 255 (#826)
• ECONNABORTED is not known on cygwin (#863)
• fixed crash on url.redirect and url.rewrite if %0 is used in a global context (#800)
• fixed possible crash in debug-message in mod_extforward
• fixed compilation of mod_extforward on glibc < 2.3.4
• fixed include of empty in the configfiles (#1076)
• send SIGUSR1 to fastcgi children before SIGTERM. libfcgi wants SIGUSR1. (#737)
• fixed missing AUTH_TYPE entry in the fastcgi environment. (#889)
• fixed compilation in network_writev.c on MacOS X 10.3.9 (#903)
• added kill-signal as another setting for fastcgi backends. See the wiki for more.