Release Info¶

• Version: 1.4.41
• Previous version: 1.4.40
• Branch: 1.4
• Status: stable
• Release Purpose: bug fixes
• Release manager: gstrauss
• Released date: 2016-07-31

Important changes from 1.4.40¶

• security fixes
• fix bugs introduced in 1.4.40

Downloads¶

• http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.41.tar.gz
  • GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.41.tar.gz.asc
  • SHA256: 8a5749e218237fafc3119dd8a4fcf510ea728728b3fcf1193fcad7209be4b6d7
• http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.41.tar.xz
  • GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.41.tar.xz.asc
  • SHA256: 4bcc383ef6d6dc7b284f68882d71a178e2986c83c4e85eeb3c8f3b882e346b6c
• SHA256 checksums: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.41.sha256sum

Highlights¶

• security fixes
  • security: encode quoting chars in HTML and XML
  • security: ensure gid != 0 if server.username is set, but not server.groupname
  • security: disable stat_cache if server.follow-symlink = "disable"
  • security: httpoxy defense: do not emit HTTP_PROXY to CGI env
• fix bugs introduced in 1.4.40 (sorry)
  • bug: lighttpd 1.4.40 might leave client sockets in TIME WAIT (FIN2_WAIT)
  • bug: lighttpd 1.4.40 times out on TLS requests with POST data
  • bug: lighttpd 1.4.40 reversed REQUEST_URI/REDIRECT_URI (now reverted)
  • bug: lighttpd 1.4.40 rejects IPv6 addrs in $HTTP["remoteip"]
  • bug: lighttpd 1.4.40 rejects IPv6 addrs in $SERVER["socket"] scope identifier
  • bug: lighttpd 1.4.40 segfault in mod_accesslog if %T in custom format
  • bug: lighttpd 1.4.40 might trigger assert when converting to hex string
• behavior changes
  • new: use TMPDIR if server.upload-dirs is not defined, "/var/tmp" if neither
  • new: inherit server.use-ipv6 and server.set-v6only from global scope
  • reverted REQUEST_URI/REDIRECT_URI to match behavior in lighttpd <= 1.4.39

Future scheduled behavior changes in lighttpd 1.4.42

• mod_ssi will set REQUEST_URI to original, client-requested URI
  to match behavior of mod_cgi, mod_fastcgi, mod_scgi, mod_cml

Changes from 1.4.40¶

• remove long-deprecated, non-functional config opts
• [config] inherit server.use-ipv6 and server.set-v6only (fixes #678)
• [mod_auth] fix Digest auth to be better than Basic (fixes #1844)
• [mod_ssi] fix #config sizefmt="bytes"
• [autobuild] move inet_pton detection later
• [core] #include <sys/filio.h> for FIONREAD (fixes #2726)
• [autobuild] clock_gettime() -lrt with glibc < 2.17
• [security] do not emit HTTP_PROXY to CGI env
• [build_cmake] clock_gettime() -lrt w/ glibc < 2.17 (fixes #2737)
• [core] avoid spurious trace and error abort
• [core] stay in CON_STATE_CLOSE until done with req
• [core] $HTTP["remoteip"] must handle IPv6 w/o []
• [mod_status] show keep-alive status w/ text output (fixes #2740)
• do not set REDIRECT_URI in mod_magnet, mod_rewrite (#2738)
• revert 1.4.40 swap of REQUEST_URI, REDIRECT_URI (fixes #2738)
• [core] permit IPv6 address scope identifier
• [TLS] better handling of SSL_ERROR_WANT_READ/WRITE
• [TLS] read all available records from SSL_read()
• [core] try AF_INET after AF_INET6 if use-ipv6
• [core] set chunkqueue tempdirs at startup
• [security] ensure gid != 0 if server.username set (fixes #2725)
• [security] disable stat_cache if !follow-symlink (fixes #2724)
• [core] fix buffer_copy_string_hex() assert (fixes #2742)
• [security] encode quoting chars in HTML and XML
• [cmake] always define _GNU_SOURCE
• [cmake] enable warnings for GCC and Clang
• [cmake] set cmake_minimum_required to 2.8.2

External references¶

• http://www.lighttpd.net/2016/7/31/1.4.41