March 12, 2014

Important changes

This release contains a lot of bug fixes, many detected by scan.coverity.com (and more to come). The main reason for the release is a fix for an SQL injection (and path traversal) bug triggered by specially crafted (and invalid) Host: headers.

Security fixes


Changes from 1.4.34

  • [network/ssl] fix build error if TLSEXT is disabled
  • [mod_fastcgi] fix use after free (only triggered if fastcgi debug is active)
  • [mod_rrdtool] fix invalid read (string not null terminated)
  • [mod_dirlisting] fix memory leak if pcre fails
  • [mod_fastcgi,mod_scgi] fix resource leaks on spawning backends
  • [mod_magnet] fix memory leak
  • add comments for switch fall throughs
  • remove logical dead code
  • [buffer] fix length check in buffer_is_equal_right_len
  • fix resource leaks in error cases on config parsing and other initializations
  • add force_assert() to enforce assertions as simple assert()s are disabled by -DNDEBUG (fixes #2546)
  • [mod_cml_lua] fix null pointer dereference
  • force assertion: setting FD_CLOEXEC must work (if available)
  • [network] check return value of lseek()
  • fix unchecked return values from stream_open/stat_cache_get_entry
  • [mod_webdav] fix logic error in handling file creation error
  • check length of unix domain socket filenames
  • fix SQL injection / host name validation (thx Jann Horn, CVE-2014-2323, CVE-2014-2324)
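
The force_assert() and FD_CLOEXEC entries above, illustrated as an added example (not lighttpd's code): under -DNDEBUG a plain assert() discards its whole expression, so a required call placed inside it never runs. The force_assert macro body and the cloexec_result helper are hypothetical sketches written for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Simulate a release build: with NDEBUG defined, assert(x) expands to
 * ((void)0), so the expression x is never evaluated. */
#define NDEBUG
#include <assert.h>

/* Hypothetical always-on assertion, independent of NDEBUG
 * (an illustrative sketch, not lighttpd's actual macro). */
#define force_assert(x) \
    do { \
        if (!(x)) { \
            fprintf(stderr, "%s:%d: assertion failed: %s\n", \
                    __FILE__, __LINE__, #x); \
            abort(); \
        } \
    } while (0)

/* Open a pipe, try to mark its read end close-on-exec via the chosen
 * style of assertion, and report whether the flag is actually set.
 * Returns 1 if FD_CLOEXEC is set, 0 if not, -1 on setup error. */
static int cloexec_result(int use_force_assert) {
    int fds[2], flags;
    if (pipe(fds) == -1) return -1;
    if (use_force_assert) {
        force_assert(-1 != fcntl(fds[0], F_SETFD, FD_CLOEXEC));
    } else {
        /* Bug pattern: the required call lives inside assert(). */
        assert(-1 != fcntl(fds[0], F_SETFD, FD_CLOEXEC));
    }
    flags = fcntl(fds[0], F_GETFD);
    close(fds[0]);
    close(fds[1]);
    return flags == -1 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Restore the normal assert() for any code compiled after this point. */
#undef NDEBUG
#include <assert.h>

int main(void) {
    printf("assert():       FD_CLOEXEC set = %d\n", cloexec_result(0));
    printf("force_assert(): FD_CLOEXEC set = %d\n", cloexec_result(1));
    return 0;
}
```

In the plain assert() case the descriptor stays inheritable across exec, so it would remain open in any spawned child process.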