Release Info

  • Version: 1.4.26
  • Previous version: 1.4.25
  • Branch: 1.4
  • Status: stable
  • Release Purpose: security fix, bug fixes
  • Release manager: stbuehler
  • Released date: 2010-02-07

"Chinese dragon"

There have been some important bug fixes (request parser handling for split header data, an fd leak in mod_cgi, a segfault with broken configs in mod_rewrite/mod_redirect, HUP detection, and an OOM/DoS vulnerability).


Changes from 1.4.25

  • Fix request parser to handle packets with split \r\n\r\n (fixes #2105)
  • Remove dependency on automake >= 1.11 with m4_ifdef check
  • mod_accesslog: support %e (fixes #2113, thx presbrey)
  • Fix mod_cgi cgi.execute-x-only option in global block
  • mod_fastcgi: x-sendfile2 parse error debugging
  • Fix mod_proxy dead host detection if connect() fails
  • Fix fd leaks in mod_cgi (fds not closed on pipe/fork failures, found by Rodrigo, fixes #2158, #2159)
  • Fix segfault with broken rewrite/redirect patterns (fixes #2140, found by crypt)
  • Append to previous buffer in con read, fix DoS/OOM vulnerability (fixes #2147, found by liming, CVE-2010-0295)
  • Fix HUP detection in close-state if event-backend doesn't support FDEVENT_HUP (like select or poll on FreeBSD)
