Release-1 4 20 » History » Revision 2

Revision 1 (stbuehler, 2008-09-30 09:47) → Revision 2/4 (stbuehler, 2008-10-01 16:47)

= Release Info = 
  * Version: 1.4.20 
  * Previous version: [wiki:Release-1.4.19 1.4.19] 
  * Branch: 1.4 
  * Status: Stable 
  * Release Purpose: security and bug fixes 
  * Release manager: darix 
  * Released date: 2008-09-30 

 "Otherwise the terrorists win" 

 After two prereleases and a lot of bugfixing, we are proud to announce a new release of the 1.4 branch: 1.4.20 is finally out. 
 We would like to thank everybody who tested the prereleases and/or reported bugs in our ticket system. 

 Please pay special attention to the security announcements: 

  * [http://www.lighttpd.net/security/lighttpd_sa_2008_04.txt Lighttpd SA 2008:04] (patches: [http://www.lighttpd.net/security/lighttpd-1.4.19_fix_ssl_dos.patch lighttpd-1.4.19_fix_ssl_dos.patch], [http://www.lighttpd.net/security/lighttpd-1.4.x_high_load_dos.patch lighttpd-1.4.x_high_load_dos.patch]) 
  * [http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt Lighttpd SA 2008:05] (patch: [http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch lighttpd-1.4.x_rewrite_redirect_decode_url.patch]) 
  * [http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt Lighttpd SA 2008:06] (patch: [http://www.lighttpd.net/security/lighttpd-1.4.x_userdir_lowercase.patch lighttpd-1.4.x_userdir_lowercase.patch]) 
  * [http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt Lighttpd SA 2008:07] (patch: [http://www.lighttpd.net/security/lighttpd-1.4.x_request_header_memleak.patch lighttpd-1.4.x_request_header_memleak.patch]) 

= Changes from 1.4.19 = 
  * Fix mod_compress to compile with old gcc version (#1592) 
  * Fix mod_extforward to compile with old gcc version (#1591) 
  * Update documentation for #1587 
  * Fix #285 again: read error after SSL_shutdown (thx marton.illes@balabit.com) and clear the error queue before some other calls ([http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1531 CVE-2008-1531]) 
  * Fix mod_magnet: enable "request.method" and "request.protocol" in lighty.env (#1308) 
  * Fix segfault for appending matched parts if there was no regex matching (just give empty strings) (#1601) 
  * Use data_response_init in mod_fastcgi x-sendfile handling for response.headers, fix a small "memleak" (#1628) 
  * Don't send empty Server headers (#1620) 
  * Fix conditional interpretation of core options 
  * Enable escaping of % and $ in redirect/rewrite; only two cases changed their behaviour: "%%" => "%", "$$" => "$" 
  * Fix accesslog port (should be port from the connection, not the "server.port") (#1618) 
  * Fix mod_fastcgi prefix matching: match the prefix always against url, not the absolute filepath (regardless of check-local) 
  * Overwrite Content-Type header in mod_dirlisting instead of inserting (#1614), patch by Henrik Holst 
  * Handle EINTR in mod_cgi during write() (#1640) 
  * Allow all http status codes by default; disable body only for 204, 205 and 304; generate error pages for 4xx and 5xx (#1639) 
  * Fix mod_magnet to set con->mode = p->id if it generates content, so returning 4xx/5xx doesn't append an error page 
  * Remove lighttpd.spec* from source, fixing all problems with it ;-) 
  * Do not rely on PATH_MAX (POSIX does not require it) (#580) 
  * Disable logging to access.log if filename is an empty string 
  * Implement a clean way to open /dev/null and use it to close stdin/out/err in the needed places (#624) 
  * merge spawn-fcgi changes from trunk (from @2191) 
  * let spawn-fcgi propagate exit code from spawned fcgi application 
  * close connection after redirect in trigger_b4_dl (thx icy) 
  * close connection in mod_magnet if returned status code 
  * fix bug with IPv6 in mod_evasive (#1579) 
  * fix scgi HTTP/1.* status parsing (#1638), found by met@uberstats.com 
  * [tests] fixed system, use foreground daemons and waitpid 
  * [tests] removed pidfile from test system 
  * [tests] fixed tests needing php running (if not running on port 1026, search php in env[PHP] or /usr/bin/php-cgi) 
  * fixed typo in mod_accesslog (#1699) 
  * replaced buffer_{append,copy}_string with the _len variant where possible (#1732) (thx crypt) 
  * case insensitive match for secdownload md5 token (#1710) 
  * Handle only HEAD, GET and POST in mod_dirlisting (same as in staticfile) (#1687) 
  * fixed mod_secdownload problem with unsigned time_t (#1688) 
  * handle EAGAIN and EINTR for freebsd sendfile (#1675) 
  * Use filedescriptor 0 for mod_scgi spawn socket, redirect STDERR to /dev/null (#1716) 
  * fixed round-robin balancing in mod_proxy (#1715) 
  * fixed EINTR handling for waitpid in mod_fastcgi 
  * mod_{fast,s}cgi: overwrite environment variables (#1722) 
  * inserted many con->mode checks; they should prevent two modules from handling the same request if they shouldn't (#631) 
  * fixed url encoding to encode more characters (#266) 
  * allow digits in [s]cgi env vars (#1712) 
  * fixed dropping last character of evhost pattern (#161) 
  * print helpful error message on conditionals in global block (#1550) 
  * decode url before matching in mod_rewrite (#1720) 
  * fixed conditional patching of ldap filter (#1564) 
  * Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server) 
  * fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by "anders1" 
  * fixed format string bugs in mod_accesslog for SYSLOG 
  * replaced fprintf with log_error_write in fastcgi debug 
  * fixed mem leak in ssi expression parser (#1753), thx Take5k 
  * hide some ssl errors by default, enable them with debug.log-ssl-noise (#397) 
  * do not send content-encoding for 304 (#1754), thx yzlai 
  * fix segfault for stat_cache(fam) calls with relative path (without '/', can be triggered by x-sendfile) (#1750) 
  * fix splitting of auth-ldap filter 
  * workaround ldap connection leak if a ldap connection failed (restarting ldap) 
  * fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie) 
  * fix memleak in request header parsing (#1774, thx qhy) 
  * fix mod_rewrite memleak/endless loop detection (#1775, thx phy - again!) 
  * use decoded url for matching in mod_redirect (#1720) 

= External references = 
  * http://www.lighttpd.net/2008/9/30/1-4-20-Otherwise-the-terrorists-win 

= Downloads = 
  * http://www.lighttpd.net/download/lighttpd-1.4.20.tar.gz 
   * MD5: 7ce7eefb487682b61d9b06b41864c64a 
   * SHA1: 61790c02d9e96c3cb23ffd3907f1caee64c475dd 
  * http://www.lighttpd.net/download/lighttpd-1.4.20.tar.bz2 
   * MD5: ed6ee0bb714f393219a32768d86984d8 
   * SHA1: e5944a40579e0f37c6a0eeb0ad751344b2d6006c