Release Info
- Version: 1.4.35
- Previous version: 1.4.34
- Branch: 1.4
- Status: stable
- Release Purpose: bug fixes
- Release manager: stbuehler
- Released date: 2014-03-12
Important changes from 1.4.35
This release contains a lot of bug fixes, many detected by scan.coverity.com (and more to come). The main reason for the release is a fix for an SQL injection (and path traversal) bug triggered by specially crafted (and invalid) Host: headers.
Downloads
- http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.35.tar.gz
  - GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.35.tar.gz.asc
  - SHA256: 62c23de053fd82e1bf64f204cb6c6e44ba3c16c01ff1e09da680d982802ef1cc
- http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.35.tar.bz2
  - GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.35.tar.bz2.asc
  - SHA256: 4a71c1f6d8af41ed894b507720c4c17184dc320590013881d5170ca7f15c5bf7
- http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.35.tar.xz
  - GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.35.tar.xz.asc
  - SHA256: 113e9b72ccbd1da5deb0774bf93cf0ca15dc82aad2da0f04e5ab27d37d3f30a3
- SHA256 checksums: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.35.sha256sum
Changes from 1.4.34
- [network/ssl] fix build error if TLSEXT is disabled
- [mod_fastcgi] fix use after free (only triggered if fastcgi debug is active)
- [mod_rrdtool] fix invalid read (string not null terminated)
- [mod_dirlisting] fix memory leak if pcre fails
- [mod_fastcgi,mod_scgi] fix resource leaks on spawning backends
- [mod_magnet] fix memory leak
- add comments for switch fall throughs
- remove logical dead code
- [buffer] fix length check in buffer_is_equal_right_len
- fix resource leaks in error cases on config parsing and other initializations
- add force_assert() to enforce assertions as simple assert()s are disabled by -DNDEBUG (fixes #2546)
- [mod_cml_lua] fix null pointer dereference
- force assertion: setting FD_CLOEXEC must work (if available)
- [network] check return value of lseek()
- fix unchecked return values from stream_open/stat_cache_get_entry
- [mod_webdav] fix logic error in handling file creation error
- check length of unix domain socket filenames
- fix SQL injection / host name validation (thx Jann Horn)
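The host name validation item above, and the note that the bug was triggered by invalid Host: headers, can be illustrated with a strict allow-list check applied before the value reaches a database query or a file system path. This is an added example, not lighttpd's code; the function name `host_header_is_valid` and its policy (DNS names and IPv4 literals only, no IPv6 literals, no empty port) are assumptions made for the sketch.

```c
#include <stdio.h>
#include <string.h>

static int is_alnum_ascii(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

/* Hypothetical helper, not lighttpd's function: returns 1 if host is a strict
 * "name[:port]" value (DNS name or IPv4 literal), 0 otherwise. IPv6 "[...]"
 * literals and empty ports are rejected here to keep the example short. */
int host_header_is_valid(const char *host)
{
    size_t len = strlen(host), label_len = 0, i;

    if (len == 0 || len > 255) return 0;
    for (i = 0; i < len && host[i] != ':'; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            /* no empty label (".." or leading '.'), no label ending in '-' */
            if (label_len == 0 || host[i - 1] == '-') return 0;
            label_len = 0;
        } else if (is_alnum_ascii(c) || (c == '-' && label_len > 0)) {
            if (++label_len > 63) return 0;
        } else {
            return 0; /* quotes, slashes, spaces, control bytes, ... */
        }
    }
    if (i == 0 || host[i - 1] == '-') return 0;
    if (i < len) { /* host[i] == ':' : require 1-5 digits, value <= 65535 */
        unsigned long port = 0;
        size_t digits = 0;
        for (i++; i < len; i++, digits++) {
            if (host[i] < '0' || host[i] > '9' || digits >= 5) return 0;
            port = port * 10 + (unsigned long)(host[i] - '0');
        }
        if (digits == 0 || port > 65535) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample Host values, not taken from the release notes. */
    const char *samples[] = { "example.com", "example.com:8080", "a'b.example.com",
                              "../vhost", "example.com:99999" };
    for (size_t k = 0; k < sizeof samples / sizeof *samples; k++)
        printf("%-20s -> %s\n", samples[k], host_header_is_valid(samples[k]) ? "accept" : "reject");
    return 0;
}
```

Validation of this kind complements, and does not replace, passing the host value to the database as a bound parameter.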
External references
Updated by stbuehler over 10 years ago · 2 revisions