1.4.34

closed

2014-01-20

100%

Release Info¶

Version: 1.4.34
Previous version: 1.4.33
Branch: 1.4
Status: stable
Release Purpose: bug fixes
Release manager: stbuehler
Released date: 2014-01-20

Important changes from 1.4.33¶

There have been some important security fixes pending (which you should already have gotton through your favorite distribution); I am sorry for the delayed release (we probably should communicate security bugs on our page and mailing lists too for those who are not following oss-security).

We updated the "standard" ssl cipher string recommendation to ssl.cipher-list = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"; see the main release announcement for the detailed reasons.

Regression warning¶

The fix for lighttpd SA-2013-01 (CVE-2013-4508, "Using possibly vulnerable cipher suites with SNI") includes a regression:

Each SSL_CTX also gets loaded with all values for ssl.ca-file from all blocks in the config.

This means that your ssl.ca-files must not contain cyclic chains and should use unique subject names.

See Debian Bug - #729555 for more details.

Security fixes¶

Downloads¶

http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.34.tar.gz
- GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.34.tar.gz.asc
- SHA256: 468f8bbe7bac9d294c79d6454cd97990c13191b270c21b7c4e398936713b2642
http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.34.tar.bz2
- GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.34.tar.bz2.asc
- SHA256: e4b5682ef21b0bdea4a18dc7ccac6b5a0bf526b691ad0fe5c25c8b9fc38d0c12
http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.34.tar.xz
- GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.34.tar.xz.asc
- SHA256: 3e067bd12a6c953862139f0ee4cb03a0cd8cff9b3ffe393ddc7dc3956431cb72
SHA256 checksums: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.34.sha256sum

Changes from 1.4.33¶

[mod_auth] explicitly link ssl for SHA1 (fixes #2517)
[mod_extforward] fix compilation without IPv6, (not) using undefined var (fixes #2515, thx mm)
[ssl] fix SNI handling; only use key+cert from SNI specific config (fixes #2525, CVE-2013-4508)
[doc] update ssl.cipher-list recommendation
[stat-cache] FAM: fix use after free (CVE-2013-4560)
[stat-cache] fix FAM cleanup/fdevent handling
[core] check success of setuid,setgid,setgroups (CVE-2013-4559)
[ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken)
maintain physical.basedir (the "acting" doc-root as prefix of physical.path) in more places
[core] decode URL before rewrite, enabling it to work in $HTTP["url"] conditionals (fixes #2526)
[auto* build] remove -no-undefined from linker flags, as we actually link modules with undefined symbols (fixes #2533)
[mod_mysql_vhost] fix memory leak on config init (#2530)
[mod_webdav] fix fd leak found with parfait (fixes #2530, thx kukackajiri)

External references¶

http://www.lighttpd.net/2014/1/20/1-4-34/

Time tracking

Estimated time	0.03 hour

Related issues
		Bug #2515: r2873 breaks compilation without IPV6	Actions
		Bug #2517: Undefined symbols _SHA1	Actions
		Bug #2519: Sanatising is not a word	Actions
		Bug #2525: ssl.cipher-list not inherited into SNI	Actions
		Bug #2526: Support url.rewrite (handle_uri_raw callbacks) in $HTTP["url"] and $HTTP["query-string"]	Actions
		Bug #2530: Parfait analysis errors	Actions
		Bug #2533: Automake on Solaris	Actions

Also available in: TXT

Project

General

Profile

Lighttpd