1.4.43

October 31, 2016

Important changes

  • improve FastCGI, SCGI, proxy reconnect on failure
  • bug fixes

Highlights

  • improvements
    • improve FastCGI, SCGI, proxy reconnect on failure
    • build systems: do not build modules for which dependencies are not present
    • autobuild: use CC_FOR_BUILD for lemon when cross-compiling
    • config: warn if mod_authn_ldap,mysql not listed
    • config file remote IP conditions are valid for TLS SNI
    • mod_deflate ignore trailing '*' in deflate.mimetypes
    • mod_deflate skip deflate if loadavg too high
    • mod_accesslog %{ratio}n logs compression ratio
    • mod_expire by mimetype
    • mod_evhost partial matching patterns
    • mod_dirlisting config header and readme files
  • bug fixes
    • fix potential tempfile corruption with streaming response
    • fix fd leak when using libev (1.4.42)
    • fix ssl client certificate authentication segfaults (1.4.42)
    • fix mod_scgi prefix matching to always match url

1.4.42

October 16, 2016

Important changes

  • new modules, expanded features, rewritten auth framework
  • fix bugs introduced in 1.4.40/1.4.41

Highlights

  • new modules, expanded features
    • performance: use extended socket/file syscalls and flags
    • rewritten auth framework
      • updated mod_authn_ldap
      • new mod_authn_gssapi
      • new mod_authn_mysql
    • new mod_deflate
    • new mod_geoip
    • new mod_uploadprogress
    • mod_dirlisting sortable columns
    • mod_fastcgi support for authorizer, responder keyed with same path/extension
    • mod_cgi permit CGI exec of unreadable files
    • mod_scgi support for uwsgi protocol for Python WSGI backends
    • add some SSL_* variables to CGI environment
  • bug fixes
    • remove preemptive shutdown() to backend
    • fix backend socket connect issue: enforce wait for POLLWR after EINPROGRESS
    • fix crash if ready events on abandoned fd
    • fix broken digest auth
  • behavior changes
    • behavior change in mod_ssi to conform to same CGI env as CGI, FastCGI, SCGI:
      • REQUEST_URI is original client request, instead of URI modified by mod_rewrite.
      • DOCUMENT_ROOT changes if mod_alias or mod_userdir changes basedir.

1.4.41

July 31, 2016

Important changes

  • security fixes
  • fix bugs introduced in 1.4.40

Highlights

  • security fixes
    • security: encode quoting chars in HTML and XML
    • security: ensure gid != 0 if server.username is set, but not server.groupname
    • security: disable stat_cache if server.follow-symlink = "disable"
    • security: httpoxy defense: do not emit HTTP_PROXY to CGI env
  • fix bugs introduced in 1.4.40 (sorry)
    • bug: lighttpd 1.4.40 might leave client sockets in TIME WAIT (FIN2_WAIT)
    • bug: lighttpd 1.4.40 times out on TLS requests with POST data
    • bug: lighttpd 1.4.40 reversed REQUEST_URI/REDIRECT_URI (now reverted)
    • bug: lighttpd 1.4.40 rejects IPv6 addrs in $HTTP["remoteip"]
    • bug: lighttpd 1.4.40 rejects IPv6 addrs in $SERVER["socket"] scope identifier
    • bug: lighttpd 1.4.40 segfault in mod_accesslog if %T in custom format
    • bug: lighttpd 1.4.40 might trigger assert when converting to hex string
  • behavior changes
    • new: use TMPDIR if server.upload-dirs is not defined, "/var/tmp" if neither
    • new: inherit server.use-ipv6 and server.set-v6only from global scope
    • reverted REQUEST_URI/REDIRECT_URI to match behavior in lighttpd <= 1.4.39

Future scheduled behavior changes in lighttpd 1.4.42

  • mod_ssi will set REQUEST_URI to original, client-requested URI
    to match behavior of mod_cgi, mod_fastcgi, mod_scgi, mod_cml