1.4.41
closedRelease Info¶
- Version: 1.4.41
- Previous version: 1.4.40
- Branch: 1.4
- Status: stable
- Release Purpose: bug fixes
- Release manager: gstrauss
- Released date: 2016-07-31
Important changes from 1.4.40¶
- security fixes
- fix bugs introduced in 1.4.40
Downloads¶
- http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.41.tar.gz
- GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.41.tar.gz.asc
- SHA256:
8a5749e218237fafc3119dd8a4fcf510ea728728b3fcf1193fcad7209be4b6d7
- http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.41.tar.xz
- GPG signature: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.41.tar.xz.asc
- SHA256:
4bcc383ef6d6dc7b284f68882d71a178e2986c83c4e85eeb3c8f3b882e346b6c
- SHA256 checksums: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.41.sha256sum
Highlights¶
- security fixes
- security: encode quoting chars in HTML and XML
- security: ensure gid != 0 if server.username is set, but not server.groupname
- security: disable stat_cache if server.follow-symlink = "disable"
- security: httpoxy defense: do not emit HTTP_PROXY to CGI env
- fix bugs introduced in 1.4.40 (sorry)
- bug: lighttpd 1.4.40 might leave client sockets in TIME WAIT (FIN2_WAIT)
- bug: lighttpd 1.4.40 times out on TLS requests with POST data
- bug: lighttpd 1.4.40 reversed REQUEST_URI/REDIRECT_URI (now reverted)
- bug: lighttpd 1.4.40 rejects IPv6 addrs in $HTTP["remoteip"]
- bug: lighttpd 1.4.40 rejects IPv6 addrs in $SERVER["socket"] scope identifier
- bug: lighttpd 1.4.40 segfault in mod_accesslog if %T in custom format
- bug: lighttpd 1.4.40 might trigger assert when converting to hex string
- behavior changes
- new: use TMPDIR if server.upload-dirs is not defined, "/var/tmp" if neither
- new: inherit server.use-ipv6 and server.set-v6only from global scope
- reverted REQUEST_URI/REDIRECT_URI to match behavior in lighttpd <= 1.4.39
Future scheduled behavior changes in lighttpd 1.4.42
- mod_ssi will set REQUEST_URI to original, client-requested URI
to match behavior of mod_cgi, mod_fastcgi, mod_scgi, mod_cml
to match behavior of mod_cgi, mod_fastcgi, mod_scgi, mod_cml
Changes from 1.4.40¶
- remove long-deprecated, non-functional config opts
- [config] inherit server.use-ipv6 and server.set-v6only (fixes #678)
- [mod_auth] fix Digest auth to be better than Basic (fixes #1844)
- [mod_ssi] fix #config sizefmt="bytes"
- [autobuild] move inet_pton detection later
- [core] #include <sys/filio.h> for FIONREAD (fixes #2726)
- [autobuild] clock_gettime() -lrt with glibc < 2.17
- [security] do not emit HTTP_PROXY to CGI env
- [build_cmake] clock_gettime() -lrt w/ glibc < 2.17 (fixes #2737)
- [core] avoid spurious trace and error abort
- [core] stay in CON_STATE_CLOSE until done with req
- [core] $HTTP["remoteip"] must handle IPv6 w/o []
- [mod_status] show keep-alive status w/ text output (fixes #2740)
- do not set REDIRECT_URI in mod_magnet, mod_rewrite (#2738)
- revert 1.4.40 swap of REQUEST_URI, REDIRECT_URI (fixes #2738)
- [core] permit IPv6 address scope identifier
- [TLS] better handling of SSL_ERROR_WANT_READ/WRITE
- [TLS] read all available records from SSL_read()
- [core] try AF_INET after AF_INET6 if use-ipv6
- [core] set chunkqueue tempdirs at startup
- [security] ensure gid != 0 if server.username set (fixes #2725)
- [security] disable stat_cache if !follow-symlink (fixes #2724)
- [core] fix buffer_copy_string_hex() assert (fixes #2742)
- [security] encode quoting chars in HTML and XML
- [cmake] always define _GNU_SOURCE
- [cmake] enable warnings for GCC and Clang
- [cmake] set cmake_minimum_required to 2.8.2
External references¶
Also available in: TXT