Release-1 4 35 » History » Revision 1

stbuehler, 2014-03-12 13:06

Release Info

  • Version: 1.4.35
  • Previous version: 1.4.34
  • Branch: 1.4
  • Status: stable
  • Release Purpose: bug fixes
  • Release manager: stbuehler
  • Released date: 2014-03-12

Important changes from 1.4.35

This release contains a lot of bug fixes, many detected by (and more to come). The main reason for the release is a fix for an SQL injection (and path traversal) bug triggered by specially crafted (and invalid) Host: headers.


Changes from 1.4.34

  • [network/ssl] fix build error if TLSEXT is disabled
  • [mod_fastcgi] fix use after free (only triggered if fastcgi debug is active)
  • [mod_rrdtool] fix invalid read (string not null terminated)
  • [mod_dirlisting] fix memory leak if pcre fails
  • [mod_fastcgi,mod_scgi] fix resource leaks on spawning backends
  • [mod_magnet] fix memory leak
  • add comments for switch fall throughs
  • remove logical dead code
  • [buffer] fix length check in buffer_is_equal_right_len
  • fix resource leaks in error cases on config parsing and other initializations
  • add force_assert() to enforce assertions as simple assert()s are disabled by -DNDEBUG (fixes #2546)
  • [mod_cml_lua] fix null pointer dereference
  • force assertion: setting FD_CLOEXEC must work (if available)
  • [network] check return value of lseek()
  • fix unchecked return values from stream_open/stat_cache_get_entry
  • [mod_webdav] fix logic error in handling file creation error
  • check length of unix domain socket filenames
  • fix SQL injection / host name validation (thx Jann Horn)
