1.4.19 - Made in Germany
March 10, 2008
Long time no see.
It has been almost half a year since 1.4.18. 6months. Jan has been working on many interesting features for 1.5.1 Currently he ports it to glib2.
But back to 1.4.19. Yes again the release date was nailed down by a few security bugs. cough Nevertheless we got a ton of other nice bugfixes. All praise our new lighttpd hero Stefan Bühler. Big thank you from my side. (darix)
- lighttpd_sa_2008_01.txt (patch: lighttpd-1.4.x_high_load_dos.patch)
- lighttpd_sa_2008_02.txt (patch: lighttpd-1.4.x_mod_cgi_disclosure.patch)
- lighttpd_sa_2008_03.txt (patch: lighttpd-1.4.x_mod_userdir_disclosure.patch)
Download
- lighttpd-1.4.19.tar.gz
(sha1sum:79e2d61dd9017c3c50c0fe98b2289cae5c1255ee
md5sum:cede410e7adee3ea14206749190a8b5d
) - lighttpd-1.4.19.tar.bz2
(sha1sum:fd4450e7faae55ebe0905114722995b0c57397cc
md5sum:d787374e4e4aaa09d5cfa9ab9d23ad40
)
Changes
- added support for If-Range: <date> (#1346)
- added support for matching $HTTP[“scheme”] in configs
- fixed initgroups() called after chroot (#1384)
- fixed case-sensitive check for Auth-Method (#1456)
- execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428)
- fixed a bug that made /-prefixed extensions being handled also when matching the end of the uri in fcgi,scgi and proxy modules (#1489)
- print error if X-LIGHTTPD-send-file cannot be done; reset header Content-Length for send-file. Patches by Stefan Buehler
- prevent crash in certain php-fcgi configurations (#841)
- add IdleServers and Scoreboard directives in ?auto mode for mod_status (#1507)
- open log immediately after daemonizing, fixes SIGPIPEs on startup (#165)
- HTTPS env var should be “on” when using mod_extforward and the X-Forwarded-Proto header is set. (#1499)
- generate ETag and Last-Modified headers for mod_ssi based on newest modified include (#1491)
- support letterhomes in mod_userdir (#1473)
- support chained proxies in mod_extforward (#1528)
- fixed bogus “cgi died ?” if we kill the CGI process on shutdown
- fixed ECONNRESET handling in network-openssl
- fixed handling of EAGAIN in network-linux-sendfile (#657)
- reset conditional cache (#1164)
- create directories in mod_compress (was broken with alias/userdir) (#1027)
- fixed out of range access in fd array (#1562, #372) (CVE-2008-0983)
- mod_compress should check if the request is already handled, e.g. by fastcgi (#1565)
- remove broken workaround for buggy Opera version with ssl/chunked encoding (#285)
- generate etag/last-modified header for on-the-fly-compressed files (#1171)
- req-method OPTIONS: do not insert default response if request was denied, do not deny OPTIONS by default (#1324)
- fixed memory leak on windows (#1347)
- fixed building outside of the src dir (#1349)
- fixed including of stdint.h/inttypes.h in etag.c (#1413)
- do not add Accept-Ranges header if range-request is disabled (#1449)
- log the ip of failed auth tries in error.log (enhancement #1544)
- fixed RoundRobin in mod_proxy (#516)
- check for symlinks after successful pathinfo matching (#1574)
- fixed mod-proxy.t to run with a builddir outside of the src dir
- do not suppress content on “307 Temporary Redirect” (#1412)
- fixed Content-Length header if response body gets removed in connections.c (#1412, part 2)
- do not generate a “Content-Length: 0” header for HEAD requests, added test too
- remove compress cache file if compression or write failed (#1150)
- fixed body handling of status 300 requests
- spawn-fcgi: only try to connect to unix socket (not tcp) before spawning (#1575)
- fix sending source of cgi script instead of 500 error if fork fails (CVE-2008-1111)
- fix min-procs handling in mod_scgi.c, just set to max-procs (patch from #623)
- fix sending “408 - Timeout” instead of “410 - Gone” for timedout urls in mod_secdownload (#1440)
- workaround #1587: require userdir.path to be set to enable mod_userdir (empty string allowed) (CVE-2008-1270)
- make configure checks for –with-pcre, –with-zlib and –with-bzip2 failing if the headers aren’t found
- fixed handling of waitpid() == EINTR mod_ssi on solaris
-
No. We don’t have a release date for it. Especially not with all the big changes going on. ↩