Four and a half months after the release of 1.4.20 comes a new version in the stable branch of lighty: 1.4.21 is here.
It is a bugfix release but also contains 3 small new features.
We would like to thank everybody who reported bugs, especially the ones who provided patches.

spawn-fcgi warning

We decided to remove spawn-fcgi from the lighttpd source after this release; there is now a separate project for it:

Important changes

  • Reverted fix for CVE-2008-4359 (too many regressions – see #1720 and r2362): do NOT use rewrite/redirect to protect specific urls!
  • Fixed a bug when server.max-connections was hit
  • SSLv2 disabled by default
  • New setting to disable returning of a 417 if “Expect: 100-continue” header is given:

    server.reject-expect-100-with-417 = "disable"
  • Settings that require numbers can now also be given as strings, which get converted. Useful in conjunction with env vars (thx andrewb)
  • mod_compress now supports caching through etags and last-modified
  • The annoying log entries about timed-out connections are now disabled by default and can be enabled with a new setting:

    debug.log-timeouts = "enable"
  • New $HTTP["language"] conditional (thx to petar) which allows interesting new configs like:

    $HTTP["language"] =~ "(de|it|hr)" {
        url.redirect = ( "^/$" => "" )
    }
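
An added example, not part of the lighttpd release or its source: with the CVE-2008-4359 fix ("encoding+simplifying urls for rewrite/redirect") reverted, a rewrite/redirect rule again matches the URL as the client sent it. This Python sketch scans access-log lines for requests whose decoded, simplified path falls under a prefix such a rule was meant to guard; the `/private/` pattern, the log lines and the normalization (an approximation, not lighttpd's own routine) are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical rule pattern; substitute the regex from your own url.rewrite/url.redirect rule.
PROTECTED = re.compile(r"^/private/")
REQUEST = re.compile(r'"(?:[A-Z]+) (\S+) [^"]*" (\d{3})')

def normalized_path(raw_uri):
    """Approximate 'decode + simplify': drop the query, percent-decode, collapse dot segments."""
    path = unquote(raw_uri.split("?", 1)[0])
    clean = posixpath.normpath(path)
    if clean.startswith("//"):          # normpath preserves exactly two leading slashes
        clean = clean[1:]
    if path.endswith(("/", "/.", "/..")) and clean != "/":
        clean += "/"                    # keep directory requests ending in a slash
    return clean

def slipped_past(log_lines):
    """Return (raw_uri, normalized_path, status) for requests the raw-URL rule did not
    see as protected although the resolved path is under the protected prefix."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        raw, status = m.group(1), int(m.group(2))
        path = normalized_path(raw)
        if PROTECTED.search(path) and not PROTECTED.search(raw):
            hits.append((raw, path, status))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Mar/2009:10:00:00 +0000] "GET /private/report.txt HTTP/1.1" 301 0',
    '203.0.113.5 - - [01/Mar/2009:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.9 - - [01/Mar/2009:10:00:02 +0000] "GET /%70rivate/report.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Mar/2009:10:00:03 +0000] "GET /public/../private/report.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Mar/2009:10:00:04 +0000] "GET /private%20notes/a.txt HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for raw, path, status in slipped_past(SAMPLE_LOG):
        print(f"{status} raw={raw!r} resolves to {path!r}")
```

Any hit with a 2xx status means the guarded content was served without the rule firing, which is why access restrictions belong on the resolved path rather than in rewrite/redirect patterns.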


Changes from 1.4.20

  • Fix base64 decoding in mod_auth (#1757, thx guido)
  • Fix mod_cgi segfault when bound to unix domain socket (#653)
  • Do not rely on ioctl FIONREAD (#673)
  • Now really fix mod auth ldap (#1066)
  • Fix leaving zombie process with include_shell (#1777)
  • Removed debian/, openwrt/ and cygwin/; they weren’t kept up-to-date, and we decided to remove dist. specific stuff
  • Try to convert string options to shorts for numeric options in config file; allows using env vars for numeric options. (#1159, thx andrewb)
  • Do not cache default vhost in mod_simple_vhost (#709)
  • Trust pcre-config, do not check for pcre manually (#1769)
  • Fix fastcgi authorization in subdirectories with check-local=disabled; don’t split pathinfo for authorizer. (#963)
  • Add possibility to disable methods in mod_compress (#1773)
  • Fix duplicate connection keep-alive/transfer-encoding headers (#960)
  • Fixed fix for round-robin in mod_proxy (forgot to increment the index) (#1715)
  • Fix fastcgi-authorizer handling; Status: 200 is now accepted as the doc requests
  • Compare address family in inet_ntop_cache
  • Revert CVE-2008-4359 (#1720) fix “encoding+simplifying urls for rewrite/redirect”: too many regressions.
  • Use FD_CLOEXEC if possible (fixes #1821)
  • Optimized buffer usage in mod_proxy (fixes #1850)
  • Fix uninitialized value in time struct after strptime
  • Do not pass Proxy-Connection: header from client to backend http server in mod_proxy (#1877)
  • Fix wrong malloc sizes in mod_accesslog (probably nothing bad happened…) (fixes #1855, thx ycheng)
  • Some small buffer.c fixes (closes #1837)
  • Remove floating point math from server.c (fixes #1402)
  • Disable SSLv2 by default
  • Use/enforce sane max-connection values (fixes #1803)
  • Allow mod_compress to return 304 (Not Modified); compress ignores the static-file.etags option. (fixes #1884)
  • Add option to ignore the “Expect: 100-continue” header instead of returning 417 Expectation failed (closes #1017)
  • Use modified etags in mod_compress (fixes #1800)
  • Fix max-connection limit handling/100% cpu usage (fixes #1436)
  • Fix error handling in freebsd-sendfile (fixes #1813)
  • Silenced the annoying “request timed out” warning, enable with the “debug.log-timeouts” option (fixes #1529)
  • Allow tabs in header values (fixes #1822)
  • Added Language conditional (fixes #1119); patch by petar
  • Fix wrong format strings (#1900, thx stepancheg)

Getting involved

If you want to get the latest source for any branch, you can get it from our svn repository.
Documentation to do so can be obtained from this page:
Bug reports or feature requests can be filed in our ticket system:
Please make sure to check if there isn’t a ticket already here: