lighttpd

IMPORTANT all 1.4.x users should upgrade to 1.4.19, all users of 1.5-svn should at least upgrade to r1922.

1.4.16 - Let's ship it

July 24th, 2007

We all could use some refreshment in this hot summer. So how about a fresh and shiny new lighttpd release? Sadly the main reasons are again a few security fixes. (Bad developers, bad!) But we broke it, we fix it. On the other hand we squeezed in a cool new feature as well. The E-Tag generation is now configurable. So if your files are on an NFS cluster you can now e.g. disable the inode number usage for the E-Tag.
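Why the inode matters once more than one machine serves the same files, as an added example (not lighttpd code): a simplified Python model in which a client revalidates one file round-robin across two nodes. The validator format, the `FileStat` values and the function names are assumptions made for illustration; the `use_inode`, `use_mtime` and `use_size` switches are modelled on lighttpd's `etag.use-inode`, `etag.use-mtime` and `etag.use-size` options.

```python
"""Model of ETag revalidation across several nodes (constructed example)."""
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class FileStat:
    inode: int
    size: int
    mtime: int


def make_etag(st, use_inode=True, use_mtime=True, use_size=True):
    """Build a validator from the enabled stat fields (simplified format)."""
    parts = []
    if use_inode:
        parts.append(str(st.inode))
    if use_size:
        parts.append(str(st.size))
    if use_mtime:
        parts.append(str(st.mtime))
    return '"' + "-".join(parts) + '"'


def respond(st, if_none_match, **etag_opts):
    """Answer a conditional GET: 304 if the client's validator still matches."""
    etag = make_etag(st, **etag_opts)
    return (304 if if_none_match == etag else 200), etag


def count_304(nodes, requests, **etag_opts):
    """One client re-requesting the same file, round-robin over the nodes."""
    cached, hits = None, 0
    for st, _ in zip(cycle(nodes), range(requests)):
        status, etag = respond(st, cached, **etag_opts)
        if status == 304:
            hits += 1
        else:
            cached = etag  # full body was sent again, client stores new ETag
    return hits


# Constructed sample: identical content synced to two nodes, only the inode differs.
NODES = [FileStat(inode=1048593, size=4096, mtime=1185235200),
         FileStat(inode=77215, size=4096, mtime=1185235200)]

if __name__ == "__main__":
    print("with inode:   ", count_304(NODES, 10), "of 10 answered 304")
    print("without inode:", count_304(NODES, 10, use_inode=False), "of 10 answered 304")
```

With the inode included every revalidation misses, because each node hands out a different validator for the same bytes; with it disabled only the first request transfers the file.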

Teh bugz!!!

  • header parsing bug
      Lighttpd SA 2007:03
      (patch: lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch)
  • various mod_auth bugs
      Lighttpd SA 2007:04
      Lighttpd SA 2007:05
      Lighttpd SA 2007:06
      Lighttpd SA 2007:07
      (patch: lighttpd-1.4.x_mod_auth_sec.patch)
  • mod_access bug
      Lighttpd SA 2007:08
      (patch: lighttpd-1.4.x_mod_access_bypass.patch)
  • mod_fastcgi local DOS bug
      Lighttpd SA 2007:09
      (patch: lighttpd-1.4.x_mod_fastcgi_local_dos.patch)

The reader might wonder now why we delayed the release that long. We actually tried to get CVE numbers for all the bugs, to avoid confusion later. But so far we did not succeed in receiving them. As the bugs have now been publicly announced, we are forced to release.

External references

Download

  • lighttpd-1.4.16.tar.gz
    (sha1sum: b160cece6c0dd15746d10957d28ba02b2e9e77ce
    md5sum: 04988067026e93ccb46e19fa8c17ae97
    )
  • lighttpd-1.4.16.tar.bz2
    (sha1sum: 8f137ff71f629fe24a745c758b72dce24a8669f2
    md5sum: ea671997591f772417b7e540d325f8cc
    )

Thanks for using lighttpd! :)

27 Responses to “1.4.16 - Let's ship it”

  1. icy Says:
    hope package maintainers catch up soon :)
  2. Yusuf Says:
    If you have multiple lighttpd servers serving the same static content, you should also disable use of inode in ETag generation else you will reduce the number of 304 responses generated by your server
  3. free SMS malo Says:
    Thanks Man! this version works fine! i had no problems @ update!
  4. WLMP Project TEAM Says:
    LightTPD 1.5.(Win32/Cygwin) package is released. Download links: - LightTPD 1.4.16 (SSL) http://wlmp.dtech.hu/down_lighty.php?lang=en - LightTPD 1.4.16 (NoSSL)
  5. WLMP Project TEAM Says:
    LightTPD for Windows 1.4.16 package is released. Download links: - LightTPD 1.4.16 (Win32/SSL) http://wlmp.dtech.hu/down_lighty.php?lang=en Download links: - LightTPD 1.4.16 (Win32/NoSSL) http://wlmp.dtech.hu/down_lighty.php?lang=en&type=nossl
  6. Amr Hamdy Says:
    Those are nice news! Keep working well, guys! Lighttpd is really the best :)
  7. Ben Says:
    Sorry to post this here, but trac tells me I am spam :( After upgrading to 1.4.16 all my redirect_to calls in Rails (dispatch.fcgi) return a 404 and a You Are Being Redirected message with a link. Here are the headers and page source:
    '''Headers'''
    Connection: close
    Content-Type: text/html; charset=utf-8
    Set-Cookie: session_id=ffd993f39ae46a910fc07a26b1502476; path=/
    Location: URL I WANT TO REDIRECT TO
    Cache-Control: no-cache
    Content-Length: 108
    Date: Fri, 27 Jul 2007 17:27:19 GMT
    Server: lighttpd/1.4.16
    404 Not Found
    '''Page Source'''
    <html><body>You are being redirected.</body></html>
    Apologies if this is a rails issue and not a lighttpd issue, but it just started when I upgraded to the 1.4.16.
  8. Aaron Kalsnes Says:
    Thank you for the new release! lighttpd is a great product :)
  9. gogo Says:
    All Rails redirections have now an in-between page appearing saying 'You are being redirected'. One needs to click on the click to get to the page.
  10. TECK Says:
    Thanks for the update. :)
  11. budsz Says:
    Hello, last night I tried to compile this version under FreeBSD 4.10 STABLE:
    root:/usr/local/src/lighttpd-1.4.16# pkg_info | grep libtool
    libtool-1.5.22_2 Generic shared library support script
    libtool-1.5.6_1 Generic shared library support script (version 1.5)
    root:/usr/local/src/lighttpd-1.4.16# pkg_info | grep pcre
    pcre-7.0 Perl Compatible Regular Expressions library
    root:/usr/local/src/lighttpd-1.4.16#./configure --prefix=/usr/local --with-bzip2 --with-openssl --with-openssl-libs=/usr/lib --with-openssl-includes=/usr/include --disable-ipv6
    root:/usr/local/src/lighttpd-1.4.16# make
    make all-recursive
    Making all in src
    source='mod_flv_streaming.c' object='mod_flv_streaming.lo' libtool=yes DEPDIR=.deps depmode=gcc /usr/local/bin/bash ../depcomp /usr/local/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -DLIBRARY_DIR="\"/usr/local/lib\"" -I. -I.. -D_REENTRANT -D__EXTENSIONS__ -I/usr/local/include -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGE_FILES -g -O2 -Wall -W -Wshadow -pedantic -std=gnu99 -c -o mod_flv_streaming.lo mod_flv_streaming.c
    gcc -DHAVE_CONFIG_H -DLIBRARY_DIR=\"/usr/local/lib\" -I. -I.. -D_REENTRANT -D__EXTENSIONS__ -I/usr/local/include -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGE_FILES -g -O2 -Wall -W -Wshadow -pedantic -std=gnu99 -c mod_flv_streaming.c -Wp,-MD,.deps/mod_flv_streaming.TPlo -fPIC -DPIC -o .libs/mod_flv_streaming.o
    cc1: unknown C standard `gnu99'
    In file included from mod_flv_streaming.c:2:
    /usr/include/stdlib.h:111: warning: ANSI C does not support `long long'
    /usr/include/stdlib.h:117: warning: ANSI C does not support `long long'
    In file included from mod_flv_streaming.c:5:
    base.h:493: warning: comma at end of enumerator list
    *** Error code 1
    Stop in /usr/local/src/lighttpd-1.4.16/src.
    *** Error code 1
    Stop in /usr/local/src/lighttpd-1.4.16.
    *** Error code 1
    Stop in /usr/local/src/lighttpd-1.4.16.
    Anyone know what happened? In the official FreeBSD ports the current version is only up to lighttpd-1.4.15, and my old ports collection only up to lighttpd-1.4.11. I tried to patch based on http://www.lighttpd.net/, and the problem looks the same as with version lighttpd-1.4.16. So I think this is caused by the new patch. Any suggestions for installing from source? Thank you.
  12. overcast Says:
    budsz - How about moving to something newer than FreeBSD 4? What is that 5 years old at least?
  13. soenke Says:
    Darix, it would be nice if #518 makes it into the next minor release. Thanks!
  14. vermaden Says:
    server.error-handler-404 is specified in lighttpd.conf:
    server.error-handler-404 = "/.error-handler.html"
    why lighttpd adds its error message while I have mine? lighttpd adds this:
    <?xml version="1.0" encoding="iso-8859-1"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
    <head> <title>404 - Not Found</title> </head>
    <body>
    404 - Not Found
    </body> </html>
    I haven't found any way to turn this off, where it can be turned off?
  15. Martin Says:
    Thanks for Lighttpd! :-)
  16. budsz Says:
    Overcast: Yes, that's right. Maybe this is one of the old versions I have. I've already tried on FreeBSD 6.2 - everything went all right. I don't know what exactly the problem is.
  17. ksugiura Says:
    It seems lighttpd-1.4.16 returns 403 or 404 to all requests handled by server.error-handler-404, because of line no.1448 in src/connections.c (con->http_status = con->error_handler_saved_status;). This overwrites the error handler's status code by the previous one (403 or 404). I'm not sure of the intent of this line, but it breaks execution of Ruby on Rails. If you comment it out and recompile lighttpd, Rails can work properly.
  18. Dhonn Says:
    I'm having trouble with 404 as well. When files do not exist on the server I have it redirect to the server that does... but it's not redirecting. I'm just getting a bunch of blank images.
  19. Rembrandt Says:
    Seriously: Next time DON'T WAIT.... there still 0dayz available so if you wanna "provide" a good piece of software: Give a FUCK about CVE Numbers and junk like this.
  20. don_furd Says:
    Was having problems with the 404 problem and Rails too, recompiled as per ksugiura's instructions and all works well. Thanks ksugiura.
  21. Alucard Says:
    404s are broke for me too. I get my 404 handler page (well, it's set to be an image, but it's reduced to gibberish), then the default, which is wrong.
  22. iKenny Says:
    Same here with the Rails issues. Would it be possible to re-release this version with this fixed? I have my app running on a public server and can't get into lighttpd myself to make the change. thanks for any help!
  23. Tonypm Says:
    It would be extremely helpful if the breaking of Redirect in Rails were to be considered a candidate for an urgent fix. But at the moment there does not appear to be a formal response or position on this. ??
  24. Jan Kneschke Says:
    We are working on a fix for the error-handler-404 right now and plan to get .17 out of the door in the next 2-3 days.
  25. Uncle Tom Says:
    I have just run into the rails redirect message thing, and just want to also chime in that this should be an urgent fix. I just ran into this after doing an upgrade to Fedora Core 7, which now ships with lighttpd 1.4.16. I see there is a patch, and will just wait for 1.4.17 to show up with it included ......
  26. depot Says:
    Thanks Man!
  27. twhitton Says:
    Still waiting on a fix. FC7 is broken at the moment.
