1.4.26 - Chinese dragon

February 07, 2010

There have been some important bug fixes (request parser handling for splitted header data, a fd leak in mod_cgi, a segfault with broken configs in mod_rewrite/mod_redirect, HUP detection and an OOM/DoS vulnerability)


Changes from 1.4.25

  • Fix request parser to handle packets with splitted \r\n\r\n (fixes #2105)
  • Remove dependency on automake >= 1.11 with m4_ifdef check
  • mod_accesslog: support %e (fixes #2113, thx presbrey)
  • Fix mod_cgi cgi.execute-x-only option in global block
  • mod_fastcgi: x-sendfile2 parse error debugging
  • Fix mod_proxy dead host detection if connect() fails
  • Fix fd leaks in mod_cgi (fds not closed on pipe/fork failures, found by Rodrigo, fixes #2158, #2159)
  • Fix segfault with broken rewrite/redirect patterns (fixes #2140, found by crypt)
  • Append to previous buffer in con read, fix DoS/OOM vulnerability (fixes #2147, found by liming, CVE-2010-0295)
  • Fix HUP detection in close-state if event-backend doesn’t support FDEVENT_HUP (like select or poll on FreeBSD)