Release Info¶

• Version: 1.4.21
• Previous version: 1.4.20
• Branch: 1.4
• Status: stable
• Release Purpose: bug fixes
• Release manager: stbuehler
• Released date: 2009-02-16

"Yes we can... do another release"

Four and a half months after the release of 1.4.20 comes a new version in the stable branch of lighty: 1.4.21 is here.
It is a bugfix release but also contains 3 small new features.
We would like to thank everybody who reported bugs, especially the ones who provided patches.

spawn-fcgi warning¶

We decided to remove spawn-fcgi after this release from the lighttpd source, there is now a separate project for it:
http://redmine.lighttpd.net/projects/spawn-fcgi

Important changes¶

• Reverted fix for CVE-2008-4359 (too many regressions - see #1720 and r2362): do NOT use rewrite/redirect to protect specific urls!
• Fixed a bug when server.max-connections was hit
• SSLv2 disabled by default
• New setting to disable returning of a 417 if "Expect: 100-continue" header is given:
  

  server.reject-expect-100-with-417 = "disable" 
  

• Settings that require numbers can now be strings too which get converted. Useful in conjunction wth env vars (thx andrewb)
• mod_compress now supports caching through etags and last-modified
• The annoying log entries about timeouted connections are now disabled by default and can be enabled with a new setting:
  

  debug.log-timeouts = "enable" 
  

• New $HTTP["language"] conditional (thx to petar) which allows interesting new configs like:
  

  $HTTP["language"] =~ "(de|it|hr)" {
      url.redirect = ( "^/$" => "http://www.site.net/%1/" )
  }
  

Downloads¶

• http://www.lighttpd.net/download/lighttpd-1.4.21.tar.gz
  • MD5: 5ff4e7075652f6cc200fa278ea2b1f96
  • SHA1: 6b42570b0b19cfbcb4324780c61625b139f6ef8e
• http://www.lighttpd.net/download/lighttpd-1.4.21.tar.bz2
  • MD5: 49eeba63c931fa82120711adc7182731
  • SHA1: e76f83b9c56c83f0a734ad0bdd20351fc97472d2
• SHA1 checksums: http://www.lighttpd.net/download/lighttpd-1.4.21.sha1sum
• MD5 checksums: http://www.lighttpd.net/download/lighttpd-1.4.21.md5sum

Changes from 1.4.20¶

• Fix base64 decoding in mod_auth (#1757, thx guido)
• Fix mod_cgi segfault when bound to unix domain socket (#653)
• Do not rely on ioctl FIONREAD (#673)
• Now really fix mod auth ldap (#1066)
• Fix leaving zombie process with include_shell (#1777)
• Removed debian/, openwrt/ and cygwin/; they weren't kept up-to-date, and we decided to remove dist. specific stuff
• Try to convert string options to shorts for numeric options in config file; allows to use env-vars for numeric options. (#1159, thx andrewb)
• Do not cache default vhost in mod_simple_vhost (#709)
• Trust pcre-config, do not check for pcre manually (#1769)
• Fix fastcgi authorization in subdirectories with check-local=disabled; don't split pathinfo for authorizer. (#963)
• Add possibility to disable methods in mod_compress (#1773)
• Fix duplicate connection keep-alive/transfer-encoding headers (#960)
• Fixed fix for round-robin in mod_proxy (forgot to increment the index) (#1715)
• Fix fastcgi-authorizer handling; Status: 200 is now accepted as the doc requests
• Compare address family in inet_ntop_cache
• Revert CVE-2008-4359 (#1720) fix "encoding+simplifying urls for rewrite/redirect": too many regressions.
• Use FD_CLOEXEC if possible (fixes #1821)
• Optimized buffer usage in mod_proxy (fixes #1850)
• Fix uninitialized value in time struct after strptime
• Do not pass Proxy-Connection: header from client to backend http server in mod_proxy (#1877)
• Fix wrong malloc sizes in mod_accesslog (probably nothing bad happened...) (fixes #1855, thx ycheng)
• Some small buffer.c fixes (closes #1837)
• Remove floating point math from server.c (fixes #1402)
• Disable SSLv2 by default
• Use/enforce sane max-connection values (fixes #1803)
• Allow mod_compress to return 304 (Not Modified); compress ignores the static-file.etags option.(fixes #1884)
• Add option to ignore the "Expect: 100-continue" header instead of returning 417 Expectation failed (closes #1017)
• Use modified etags in mod_compress (fixes #1800)
• Fix max-connection limit handling/100% cpu usage (fixes #1436)
• Fix error handling in freebsd-sendfile (fixes #1813)
• Silenced the annoying "request timed out" warning, enable with the "debug.log-timeouts" option (fixes #1529)
• Allow tabs in header values (fixes #1822)
• Added Language conditional (fixes #1119); patch by petar
• Fix wrong format strings (#1900, thx stepancheg)

External references¶

• http://www.lighttpd.net/2009/2/16/1-4-21-yes-we-can-do-another-release