1.4.20 - Otherwise the terrorists win
September 30th, 2008
After two prereleases and a lot of bugfixing, we are proud to announce a new release of the 1.4 branch: 1.4.20 is finally out. We would like to thank everybody who tested the prereleases and/or reported bugs in our ticket system. Please pay special attention to the security announcements:
- lighttpd_sa_2008_04.txt (patch: lighttpd-1.4.19_fix_ssl_dos.patch)
- lighttpd_sa_2008_05.txt (patch: lighttpd-1.4.x_rewrite_redirect_decode_url.patch)
- lighttpd_sa_2008_06.txt (patch: lighttpd-1.4.x_userdir_lowercase.patch)
- lighttpd_sa_2008_07.txt (patch: lighttpd-1.4.x_request_header_memleak.patch)
Download
- lighttpd-1.4.20.tar.gz
  (sha1sum: 61790c02d9e96c3cb23ffd3907f1caee64c475dd
  md5sum: 7ce7eefb487682b61d9b06b41864c64a)
- lighttpd-1.4.20.tar.bz2
  (sha1sum: e5944a40579e0f37c6a0eeb0ad751344b2d6006c
  md5sum: ed6ee0bb714f393219a32768d86984d8)
Changes
- Fix mod_compress to compile with old gcc version (#1592)
- Fix mod_extforward to compile with old gcc version (#1591)
- Update documentation for #1587
- Fix #285 again: read error after SSL_shutdown (thx marton.illes@balabit.com) and clear the error queue before some other calls (CVE-2008-1531)
- Fix mod_magnet: enable “request.method” and “request.protocol” in lighty.env (#1308)
- Fix segfault for appending matched parts if there was no regex matching (just give empty strings) (#1601)
- Use data_response_init in mod_fastcgi x-sendfile handling for response.headers, fix a small “memleak” (#1628)
- Don’t send empty Server headers (#1620)
- Fix conditional interpretation of core options
- Enable escaping of % and $ in redirect/rewrite; only two cases changed their behaviour: “%%” => “%”, “$$” => “$”
- Fix accesslog port (should be port from the connection, not the “server.port”) (#1618)
- Fix mod_fastcgi prefix matching: match the prefix always against url, not the absolute filepath (regardless of check-local)
- Overwrite Content-Type header in mod_dirlisting instead of inserting (#1614), patch by Henrik Holst
- Handle EINTR in mod_cgi during write() (#1640)
- Allow all http status codes by default; disable body only for 204, 205 and 304; generate error pages for 4xx and 5xx (#1639)
- Fix mod_magnet to set con->mode = p->id if it generates content, so returning 4xx/5xx doesn’t append an error page
- Remove lighttpd.spec* from source, fixing all problems with it ;-)
- Do not rely on PATH_MAX (POSIX does not require it) (#580)
- Disable logging to access.log if filename is an empty string
- Implement a clean way to open /dev/null and use it to close stdin/out/err in the needed places (#624)
- merge spawn-fcgi changes from trunk (from @2191)
- let spawn-fcgi propagate exit code from spawned fcgi application
- close connection after redirect in trigger_b4_dl (thx icy)
- close connection in mod_magnet if returned status code
- fix bug with IPv6 in mod_evasive (#1579)
- fix scgi HTTP/1.* status parsing (#1638), found by met@uberstats.com
- [tests] fixed system, use foreground daemons and waitpid
- [tests] removed pidfile from test system
- [tests] fixed tests needing php running (if not running on port 1026, search php in env[PHP] or /usr/bin/php-cgi)
- fixed typo in mod_accesslog (#1699)
- replaced buffer_{append,copy}_string with the _len variant where possible (#1732) (thx crypt)
- case insensitive match for secdownload md5 token (#1710)
- Handle only HEAD, GET and POST in mod_dirlisting (same as in staticfile) (#1687)
- fixed mod_secdownload problem with unsigned time_t (#1688)
- handle EAGAIN and EINTR for freebsd sendfile (#1675)
- Use filedescriptor 0 for mod_scgi spawn socket, redirect STDERR to /dev/null (#1716)
- fixed round-robin balancing in mod_proxy (#1715)
- fixed EINTR handling for waitpid in mod_fastcgi
- mod_{fast,s}cgi: overwrite environment variables (#1722)
- inserted many con->mode checks; they should prevent two modules from handling the same request if they shouldn’t (#631)
- fixed url encoding to encode more characters (#266)
- allow digits in [s]cgi env vars (#1712)
- fixed dropping last character of evhost pattern (#161)
- print helpful error message on conditionals in global block (#1550)
- decode url before matching in mod_rewrite (#1720)
- fixed conditional patching of ldap filter (#1564)
- Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server)
- fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by “anders1”
- fixed format string bugs in mod_accesslog for SYSLOG
- replaced fprintf with log_error_write in fastcgi debug
- fixed mem leak in ssi expression parser (#1753), thx Take5k
- hide some ssl errors per default, enable them with debug.log-ssl-noise (#397)
- do not send content-encoding for 304 (#1754), thx yzlai
- fix segfault for stat_cache(fam) calls with relative path (without ’/’, can be triggered by x-sendfile) (#1750)
- fix splitting of auth-ldap filter
- workaround ldap connection leak if a ldap connection failed (restarting ldap)
- fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie)
- fix memleak in request header parsing (#1774, thx qhy)
- fix mod_rewrite memleak/endless loop detection (#1775, thx phy – again!)
- use decoded url for matching in mod_redirect (#1720)
18 Responses to “1.4.20 - Otherwise the terrorists win”
September 30th, 2008 at 02:17 AM thx for release :), I'm almost first one to notice new official release regards
September 30th, 2008 at 03:15 AM It looks like this version of official tar ball removes the lighttpd-1.4.19/lighttpd.spec.in file, so it cannot be built rpm with rpmbuild -ta command.
September 30th, 2008 at 02:40 PM the spec was removed intentionally. for that distro you need a rpm?
October 1st, 2008 at 04:37 AM This is a pretty awesome title for a release :) But then again, this is a pretty awesome piece of software. Thanks again to everyone who worked on this!
October 2nd, 2008 at 09:02 AM I had to put the old specs file to build an rpm. it works for me, I am trying now. I need the rpm for Centos 5.2
October 2nd, 2008 at 12:50 PM Congrats on getting 1.4.20 out the door :) And thanks for your hard works dev's :) One thing, can the developers setup a mailing list for releases please Thanks
October 2nd, 2008 at 10:05 PM Up and running since the 30th, thanks! And yes, that mailing list for release announcements would be nice to have.
October 5th, 2008 at 02:33 AM Thanks for the hard works :D
October 5th, 2008 at 04:24 AM Thanks!
October 6th, 2008 at 10:06 AM Thanks for the new release. It's not yet in Debian Etch though after six days :-(
October 6th, 2008 at 09:09 PM Congrats on the new release! Look forward to giving it a whirl. I'd like to third the request for a release mailing list. Be nice to know when the new releases are officially out!
October 7th, 2008 at 07:55 PM Great job, now everything works without any problems on my servers!
October 7th, 2008 at 08:08 PM Thanks, Lighttpd rocks, it beat the **** out of apache.
October 7th, 2008 at 08:20 PM Great job, now everything works without any problems on my servers!
October 8th, 2008 at 01:58 AM Thanks for the release. How to install it by using Ubuntu package manager ? I always need to use the source.
October 9th, 2008 at 01:10 AM Great job! Now my lightys mem-usage is growing much slower.
October 9th, 2008 at 02:33 AM I'm still using Lightty 1.4.18 on my CentOS, how do I upgrade it to 1.4.20? thanks
October 9th, 2008 at 10:02 PM hi there is an entry: Fix mod_fastcgi prefix matching: match the prefix always against url, not the absolute filepath (regardless of check-local) i have a fastcgi app written in C. with 1.4.19 this configuration works:
    fastcgi.server=( "/www/web/in"=>( ( "socket"=>"/www/sockets/ppl.in.socket", "bin-path"=>"/www/web/in", "max-procs"=>1 ) ) );
in 1.4.20 it doesn't. what should i do to correct this? neil neil [--a-t--] krnl.hu