Release-1 4 19 » History » Revision 3

Revision 2 (glen, 2008-03-11 11:59) → Revision 3/4 (glen, 2008-03-11 11:59)

h1. Release Info

  * Version: 1.4.19
  * Previous version: [[Release-1.4.18|1.4.18]]
  * Branch: 1.4
  * Status: Stable
  * Release Purpose: security and bug fixes
  * Release manager: darix
  * Released date: 2008-03-10

 "Made in Germany" 

 Yes again the release date was nailed down by a few security bugs. *cough* Nevertheless we got a ton of other nice bugfixes. All praise our new lighttpd hero Stefan Bühler. Big thank you from my side. (darix) 

 

  * "Lighttpd SA 2008:01":http://www.lighttpd.net/security/lighttpd_sa_2008_01.txt (patch: "lighttpd-1.4.x_high_load_dos.patch":http://www.lighttpd.net/security/lighttpd-1.4.x_high_load_dos.patch)
  * "Lighttpd SA 2008:02":http://www.lighttpd.net/security/lighttpd_sa_2008_02.txt (patch: "lighttpd-1.4.x_mod_cgi_disclosure.patch":http://www.lighttpd.net/security/lighttpd-1.4.x_mod_cgi_disclosure.patch)
  * "Lighttpd SA 2008:03":http://www.lighttpd.net/security/lighttpd_sa_2008_03.txt (patch: "lighttpd-1.4.x_mod_userdir_disclosure.patch":http://www.lighttpd.net/security/lighttpd-1.4.x_mod_userdir_disclosure.patch)

h1. Changes from 1.4.18

  * added support for If-Range: <date> (#1346) 
 
  * added support for matching @$HTTP["scheme"]@ in configs
 
  * fixed initgroups() called after chroot (#1384) 
 
  * fixed case-sensitive check for Auth-Method (#1456) 
 
  * execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428) 
 
  * fixed a bug that caused /-prefixed extensions to also be handled when matching the end of the URI in the fcgi, scgi and proxy modules (#1489)
 
  * print error if X-LIGHTTPD-send-file cannot be done; reset header Content-Length for send-file. Patches by Stefan Buehler 
 
  * prevent crash in certain php-fcgi configurations (#841) 
 
  * add @IdleServers@ and Scoreboard directives in ?auto mode for mod_status (#1507)
 
  * open log immediately after daemonizing, fixes SIGPIPEs on startup (#165) 
 
  * HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set. (#1499) 
 
  * generate ETag and Last-Modified headers for mod_ssi based on newest modified include (#1491) 
 
  * support letterhomes in mod_userdir (#1473) 
 
  * support chained proxies in mod_extforward (#1528) 
 
  * fixed bogus "cgi died ?" if we kill the CGI process on shutdown 
 
  * fixed ECONNRESET handling in network-openssl 
 
  * fixed handling of EAGAIN in network-linux-sendfile (#657) 
 
  * reset conditional cache (#1164) 
 
  * create directories in mod_compress (was broken with alias/userdir) (#1027) 
 
  * fixed out of range access in fd array (#1562, #372) ("CVE-2008-0983":http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0983)
  * mod_compress should check if the request is already handled, e.g. by fastcgi (#1565) 
 
  * remove broken workaround for buggy Opera version with ssl/chunked encoding (#285) 
 
  * generate etag/last-modified header for on-the-fly-compressed files (#1171) 
 
  * req-method OPTIONS: do not insert default response if request was denied, do not deny OPTIONS by default (#1324) 
 
  * fixed memory leak on windows (#1347) 
 
  * fixed building outside of the src dir (#1349) 
 
  * fixed including of stdint.h/inttypes.h in etag.c (#1413) 
 
  * do not add Accept-Ranges header if range-request is disabled (#1449) 
 
  * log the ip of failed auth tries in error.log (enhancement #1544) 
 
  * fixed @RoundRobin@ in mod_proxy (#516)
 
  * check for symlinks after successful pathinfo matching (#1574) 
 
  * fixed mod-proxy.t to run with a builddir outside of the src dir 
 
  * do not suppress content on "307 Temporary Redirect" (#1412) 
 
  * fixed Content-Length header if response body gets removed in connections.c (#1412, part 2) 
 
  * do not generate a "Content-Length: 0" header for HEAD requests, added test too 
 
  * remove compress cache file if compression or write failed (#1150) 
 
  * fixed body handling of status 300 requests  
  
  * spawn-fcgi: only try to connect to unix socket (not tcp) before spawning (#1575) 
 
  * fix sending source of cgi script instead of 500 error if fork fails ("CVE-2008-1111":http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1111)
  * fix min-procs handling in mod_scgi.c, just set to max-procs (patch from #623) 
 
  * fix sending "408 - Timeout" instead of "410 - Gone" for timedout urls in mod_secdownload (#1440) 
 
  * workaround #1587: require userdir.path to be set to enable mod_userdir (empty string allowed) ("CVE-2008-1270":http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1270)
  * make configure checks for --with-pcre, --with-zlib and --with-bzip2 fail if the headers aren't found
 
  * fixed handling of waitpid() == EINTR in mod_ssi on Solaris


h1. External references

  * http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany 


h1. Downloads

  * http://www.lighttpd.net/download/lighttpd-1.4.19.tar.gz
    * MD5: cede410e7adee3ea14206749190a8b5d
    * SHA1: 79e2d61dd9017c3c50c0fe98b2289cae5c1255ee
  * http://www.lighttpd.net/download/lighttpd-1.4.19.tar.bz2
    * MD5: d787374e4e4aaa09d5cfa9ab9d23ad40
    * SHA1: fd4450e7faae55ebe0905114722995b0c57397cc