1.4.16 - Let's ship it

July 24, 2007

We all could use some refreshment in this hot summer. So how about a fresh and shiny new lighttpd release? Sadly the main reasons are again a few security fixes. (Bad developers, bad!) But we broke it, we fix it. On the other hand we squeezed in a new cool feature aswell. The E-Tag generation is now configurable. So if your files are on a NFS cluster you can now e.g. disable the inode number usage for the E-Tag.

Teh bugz!!!

header parsing bug
Lighttpd SA 2007:03
(patch: lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch)
various mod_auth bugs
Lighttpd SA 2007:04
Lighttpd SA 2007:05
Lighttpd SA 2007:06
Lighttpd SA 2007:07
(patch: lighttpd-1.4.x_mod_auth_sec.patch)
mod_access bug
Lighttpd SA 2007:08 (patch: lighttpd-1.4.x_mod_access_bypass.patch)
mod_fastcgi local DOS bug
Lighttpd SA 2007:09 (patch: lighttpd-1.4.x_mod_fastcgi_local_dos.patch)

The reader might wonder now why we delayed the release that long. We actually tried to get CVE numbers for all the bugs, to avoid confusion later. But so far we did not succeed in receiving them. As the bugs got publically announced now, we are forced to release.

External references

Download

  • lighttpd-1.4.16.tar.gz
    (sha1sum: b160cece6c0dd15746d10957d28ba02b2e9e77ce
    md5sum: 04988067026e93ccb46e19fa8c17ae97
    )
  • lighttpd-1.4.16.tar.bz2
    (sha1sum: 8f137ff71f629fe24a745c758b72dce24a8669f2
    md5sum: ea671997591f772417b7e540d325f8cc
    )

Thanks for using lighttpd! :)