Project

General

Profile

1.4.20

closed

2008-09-30

"Otherwise the terrorists win"

100%

95 issues   (95 closed — 0 open)

Release Info

  • Version: 1.4.20
  • Previous version: 1.4.19
  • Branch: 1.4
  • Status: Stable
  • Release Purpose: security and bug fixes
  • Release manager: darix
  • Released date: 2008-09-30

"Otherwise the terrorists win"

After two prereleases and a lot of bugfixing, we are proud to announce a new release of the 1.4 branch: 1.4.20 is finally out.
We would like to thank everybody who tested the prereleases and/or reported bugs in our ticket system.

Please pay special attention to the security announcements:

Changes from 1.4.19

  • Fix mod_compress to compile with old gcc version (#1592)
  • Fix mod_extforward to compile with old gcc version (#1591)
  • Update documentation for #1587
  • Fix #285 again: read error after SSL_shutdown (thx ) and clear the error queue before some other calls (CVE-2008-1531)
  • Fix mod_magnet: enable "request.method" and "request.protocol" in lighty.env (#1308)
  • Fix segfault for appending matched parts if there was no regex matching (just give empty strings) (#1601)
  • Use data_response_init in mod_fastcgi x-sendfile handling for response.headers, fix a small "memleak" (#1628)
  • Don't send empty Server headers (#1620)
  • Fix conditional interpretation of core options
  • Enable escaping of % and $ in redirect/rewrite; only two cases changed their behaviour: "%%" => "%", "$$" => "$"
  • Fix accesslog port (should be port from the connection, not the "server.port") (#1618)
  • Fix mod_fastcgi prefix matching: match the prefix always against url, not the absolute filepath (regardless of check-local)
  • Overwrite Content-Type header in mod_dirlisting instead of inserting (#1614), patch by Henrik Holst
  • Handle EINTR in mod_cgi during write() (#1640)
  • Allow all http status codes by default; disable body only for 204,205 and 304; generate error pages for 4xx and 5xx (#1639)
  • Fix mod_magnet to set con->mode = p->id if it generates content, so returning 4xx/5xx doesn't append an error page
  • Remove lighttpd.spec* from source, fixing all problems with it ;-)
  • Do not rely on PATH_MAX (POSIX does not require it) (#580)
  • Disable logging to access.log if filename is an empty string
  • Implement a clean way to open /dev/null and use it to close stdin/out/err in the needed places (#624)
  • merge spawn-fcgi changes from trunk (from @2191)
  • let spawn-fcgi propagate exit code from spawned fcgi application
  • close connection after redirect in trigger_b4_dl (thx icy)
  • close connection in mod_magnet if returned status code
  • fix bug with IPv6 in mod_evasive (#1579)
  • fix scgi HTTP/1.* status parsing (#1638), found by
  • tests fixed system, use foreground daemons and waitpid
  • tests removed pidfile from test system
  • tests fixed tests needing php running (if not running on port 1026, search php in envPHP or /usr/bin/php-cgi)
  • fixed typo in mod_accesslog (#1699)
  • replaced buffer_{append,copy}_string with the _len variant where possible (#1732) (thx crypt)
  • case insensitive match for secdownload md5 token (#1710)
  • Handle only HEAD, GET and POST in mod_dirlisting (same as in staticfile) (#1687)
  • fixed mod_secdownload problem with unsigned time_t (#1688)
  • handle EAGAIN and EINTR for freebsd sendfile (#1675)
  • Use filedescriptor 0 for mod_scgi spawn socket, redirect STDERR to /dev/null (#1716)
  • fixed round-robin balancing in mod_proxy (#1715)
  • fixed EINTR handling for waitpid in mod_fastcgi
  • mod_{fast,s}cgi: overwrite environment variables (#1722)
  • inserted many con->mode checks; they should prevent two modules to handle the same request if they shouldn't (#631)
  • fixed url encoding to encode more characters (#266)
  • allow digits in scgi env vars (#1712)
  • fixed dropping last character of evhost pattern (#161)
  • print helpful error message on conditionals in global block (#1550)
  • decode url before matching in mod_rewrite (#1720)
  • fixed conditional patching of ldap filter (#1564)
  • Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server)
  • fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by "anders1"
  • fixed format string bugs in mod_accesslog for SYSLOG
  • replaced fprintf with log_error_write in fastcgi debug
  • fixed mem leak in ssi expression parser (#1753), thx Take5k
  • hide some ssl errors per default, enable them with debug.log-ssl-noise (#397)
  • do not send content-encoding for 304 (#1754), thx yzlai
  • fix segfault for stat_cache(fam) calls with relative path (without '/', can be triggered by x-sendfile) (#1750)
  • fix splitting of auth-ldap filter
  • workaround ldap connection leak if a ldap connection failed (restarting ldap)
  • fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie)
  • fix memleak in request header parsing (#1774, thx qhy)
  • fix mod_rewrite memleak/endless loop detection (#1775, thx phy - again!)
  • use decoded url for matching in mod_redirect (#1720)

External references

Downloads

Time tracking
Estimated time 0.10 hour
Issues by
Bug

75/75
Feature

20/20
Related issues
Bug #76: Multiple fastcgi.server's Actions
Bug #161: Lighttpd misbehaves when missing end / in evhost.path-pattern Actions
Bug #212: Executable expects modules in /usr/local/lib even though it is configured with --prefix=/usr Actions
Bug #361: Uploading in 1.4.5 and above (especially 1.4.7) not compatible with Rails Actions
Bug #370: spawn-fcgi binds fcgis to *:port, which can be a security risk Actions
Bug #401: conflict between server.indexfiles & url.access.deny Actions
Bug #420: setenv.add-environment() maps all variable names uppercase Actions
Bug #627: casts corrupt int values (on PPC) Actions
Bug #667: html files downloaded instead of displayed with mod_alias Actions
Bug #888: Bug in compiling Actions
Bug #895: lighty 1.4.13 + php/fastcgi hangs after a short time of running Actions
Bug #925: lighty crashes whenever a file operation is done via webdav Actions
Bug #989: Mailman Error Actions
Bug #1028: patch to compile with solaris 10/nexenta Actions
Bug #1030: mod_webdav and sqlite Actions
Bug #1079: Error (mod_fastcgi.c.989) launching lighttpd with Ruby as FastCGI Backend Actions
Bug #1096: first HTTP authentication against LDAP fails: Bad search filter Actions
Bug #1116: lighttpd 1.4.13 reproducible (every time) segfault when file cannot be stat-ed (with simple test-case) Actions
Bug #1151: compile error (during compiling mod_fastcgi) Actions
Bug #1152: mod_proxy fails with proxy.balance = "round-robin" Actions
Bug #1167: spawn-fcgi fails with setuidgid Actions
Bug #1219: spawn-fcgi no fork mode Actions
Bug #1261: mod_evhost produces wrong patterns if the fqdn ends with a dot Actions
Bug #1269: fastcgi.map-extensions doesn't work / odd static behavior Actions
Bug #1308: lighty.env['request.method'] and lighty.env['request.protocol'] always return nil Actions
Bug #1326: lighttpd.conf logic does not work as expected. Actions
Bug #1335: source disclosure vulnerability on win32 with ntfs alternate data streams Actions
Bug #1408: get data from proxy Actions
Bug #1429: Sporadic crashes with 1.4.18 Actions
Bug #1434: freebsd-sendfile bring cpu 100% Actions
Bug #1444: Crashes when running out of FDs Actions
Bug #1452: spawn-fcgi doesn't pass on the exit code from child's it spawns Actions
Bug #1463: Permissions in logs Actions
Bug #1482: lighty does not appear to use server.errorfile-prefix when fastcgi returns error Actions
Bug #1502: mod_setenv very broken Actions
Bug #1527: Possible Solution to "Prem. end of script headers" with PHP? Actions
Bug #1550: segfault Actions
Bug #1561: Kernel Panic on FreeBSD 5.4-STABLE Actions
Bug #1564: auth.backend.ldap.filter not working with conditionals/not being rebuilt Actions
Bug #1588: (log pollution) mod_evhost is active even when there is no hostname specified in the request Actions
Bug #1589: server.force-lowercase-filenames doesn't work inside userdir's Actions
Bug #1590: External spawned fastcgi processes do not work, file returned instead Actions
Bug #1598: bypassing htdigest authentication by adding trailing "/" to the end of the url Actions
Bug #1614: Content-Type header is inserted and not overwritten in mod_dirlisting Actions
Bug #1620: When server.tag's value is "", an empty Server: HTTP field is sent in the response headers Actions
Bug #1621: When server.tag's value is "", an empty Server: HTTP field is sent in the response headers Actions
Bug #1638: mod_scgi fails to parse Http Status during for Response Actions
Bug #1640: mod_cgi does not handle EINTR during write() to cgi child [PATCH] Actions
Bug #1644: Large HTTP Posts - get corrupted or just hang - with fastcgi PHP Actions
Bug #1650: missing BuildRequires pcre-devel and bzip2-devel Actions
Bug #1653: mod_alias silently drops aliases containing a ~ Actions
Bug #1661: Old lighttpd.conf no longer works (remoteip condition fails) Actions
Bug #1676: Order of nested conditionals (remoteip - host) Actions
Bug #1701: mod_redirect rules do not work in 1.4.19 Actions
Bug #1711: %0 in mod_rewrite Actions
Bug #1712: mod_cgi remaps digits to "_" in environment variable names. Actions
Bug #1716: mod_scgi process spawning without replacing fd=0 (stdin) by socket as in fcgi Actions
Bug #1721: Requests are not processed, fcgi load increases, but processes are idle and server load minimum Actions
Bug #1722: mod_fastcgi/mod_scgi: bin-environment doesn't override parent environment Actions
Bug #1726: mod_access/server-error-404H Actions
Bug #1727: mod_access/server-error-404 regression Actions
Bug #1731: HTTP 405 Status code truncates content Actions
Bug #1734: mod_proxy stalling with freebsd-kqueue event handler Actions
Bug #1750: X-LIGHTTPD-send-file with relative path and fam as stat enginge segfaults Actions
Bug #1752: large file download from backend server Actions
Bug #1754: lighty SHOULD not include "Content-Encoding" in a 304 Not Modified response Actions
Bug #1774: lighttpd memory leak on duplicated request header Actions
Bug #1775: lighttpd 1.4.x mod_rewrite memory leak Actions
Bug #1776: lighttpd 99% CPU when uploading file Actions
Bug #1781: lighttpd 1.4.20 doesn't include RPM spec file Actions
Bug #1799: error: cannot compute sizeof (off_t) Actions
Bug #1831: Set in the lighttpd.conf following text $HTTP["host"] or $HTTP["url"] receive an error Actions
Bug #1833: Verbindung fehlgeschlagen /Cannot connect to server - with lighttpd Actions
Bug #1846: lighttpd dead but pid file exists Actions
Bug #1884: not replying 304 when needed (1.4.20, mod_compress) Actions
Feature #48: Add a infrastructure to pass variables between modules Actions
Feature #159: per-directory configuration Actions
Feature #166: mod_layout Actions
Feature #430: mod_auth doesn't support virtual hosts Actions
Feature #814: mimetype.charset? Actions
Feature #939: no character encoding line in sample lighttpd.conf Actions
Feature #984: error matching null http referrer Actions
Feature #1209: should be able to disable ETag for static files Actions
Feature #1220: Support external 404 error page (server.error-handler-404) Actions
Feature #1284: lighttpd don't print keep alive answering header Actions
Feature #1293: [PATCH] Allow disabling of access log in specific directories Actions
Feature #1390: Running lighttpd within linux. Actions
Feature #1409: Please provide CSDB records Actions
Feature #1431: Expanded the URI encoding Actions
Feature #1646: Request to remove specific lines from error log Actions
Feature #1691: Typo in configure script Actions
Feature #1718: working with Nginx x-real-ip, Can not get the real Client IP Actions
Feature #1739: license information broken site link Actions
Feature #1744: server.pid-file server.username and server.groupname as parameter Actions
Feature #1745: server.pid-file server.username and server.groupname as parameter Actions

Also available in: TXT