Release Info

  • Version: 1.4.34
  • Previous version: 1.4.33
  • Branch: 1.4
  • Status: stable
  • Release Purpose: bug fixes
  • Release manager: stbuehler
  • Released date: 2014-01-20

Important changes from 1.4.33

There have been some important security fixes pending (which you should already have gotten through your favorite distribution); I am sorry for the delayed release (we probably should communicate security bugs on our page and mailing lists too for those who are not following oss-security).

We updated the "standard" ssl cipher string recommendation to ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"; see the main release announcement for the detailed reasons.

Regression warning

The fix for lighttpd SA-2013-01 (CVE-2013-4508, "Using possibly vulnerable cipher suites with SNI") includes a regression:

Each SSL_CTX also gets loaded with all values for from all blocks in the config.

This means that your must not contain cyclic chains and should use unique subject names.

See Debian Bug - #729555 for more details.

Security fixes


Changes from 1.4.33

  • [mod_auth] explicitly link ssl for SHA1 (fixes #2517)
  • [mod_extforward] fix compilation without IPv6, (not) using undefined var (fixes #2515, thx mm)
  • [ssl] fix SNI handling; only use key+cert from SNI specific config (fixes #2525, CVE-2013-4508)
  • [doc] update ssl.cipher-list recommendation
  • [stat-cache] FAM: fix use after free (CVE-2013-4560)
  • [stat-cache] fix FAM cleanup/fdevent handling
  • [core] check success of setuid,setgid,setgroups (CVE-2013-4559)
  • [ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken)
  • maintain physical.basedir (the "acting" doc-root as prefix of physical.path) in more places
  • [core] decode URL before rewrite, enabling it to work in $HTTP["url"] conditionals (fixes #2526)
  • [auto* build] remove -no-undefined from linker flags, as we actually link modules with undefined symbols (fixes #2533)
  • [mod_mysql_vhost] fix memory leak on config init (#2530)
  • [mod_webdav] fix fd leak found with parfait (fixes #2530, thx kukackajiri)

External references

