After two prereleases and a lot of bugfixing, we are proud to announce a new release of the 1.4 branch: 1.4.20 is finally out.
We would like to thank everybody who tested the prereleases and/or reported bugs in our ticket system.
Please pay special attention to the security announcements:

Download

  • lighttpd-1.4.20.tar.gz
    (sha1sum: 61790c02d9e96c3cb23ffd3907f1caee64c475dd
    md5sum: 7ce7eefb487682b61d9b06b41864c64a)
  • lighttpd-1.4.20.tar.bz2
    (sha1sum: e5944a40579e0f37c6a0eeb0ad751344b2d6006c
    md5sum: ed6ee0bb714f393219a32768d86984d8)

1.4.19 - Made in Germany

March 10, 2008

Long time no see.

It has been almost half a year since 1.4.18. 6months. Jan has been working on many interesting features for 1.5. [1] Currently he ports it to glib2.

But back to 1.4.19. Yes again the release date was nailed down by a few security bugs. *cough* Nevertheless we got a ton of other nice bugfixes. All praise our new lighttpd hero Stefan Bühler. Big thank you from my side. (darix)

Download

  • lighttpd-1.4.19.tar.gz
    (sha1sum: 79e2d61dd9017c3c50c0fe98b2289cae5c1255ee
    md5sum: cede410e7adee3ea14206749190a8b5d
    )
  • lighttpd-1.4.19.tar.bz2
    (sha1sum: fd4450e7faae55ebe0905114722995b0c57397cc
    md5sum: d787374e4e4aaa09d5cfa9ab9d23ad40
    )

1.4.18 - speeding up a bit

September 09, 2007

"Release early, release often."

So here we are again. The previous release is already 12 days old! It already got grey hair.

And again we have a small security bug! It seems, if you get the more popular, more people are looking at your code. This time Mattias Bengtsson and Philip Olausson from secweb.se took a look at the code. They found a small bug that could lead to remote code execution in fastcgi applications. (We wont mention names here.)

Download

  • lighttpd-1.4.18.tar.gz
    (sha1sum: 30eb24cdfcfeadf10fa16f187330bdc5deb25ed2
    md5sum: 5db3204d57436a032f899ff9dbce793f
    )
  • lighttpd-1.4.18.tar.bz2
    (sha1sum: a53a8f8ae8d42d036f0b5129764b822e943cc778
    md5sum: 26f98dddf9d8c0775221b800986003ee
    )

Changes

  • fixed compile error on IRIX 6.5.x on prctl() (#1333)
  • fixed forwarding a SIGINT and SIGHUP when using max-workers (#902)
  • fixed FastCGI header overrun in mod_fastcgi (reported by mattias@secweb.se)
  • fixed hanging redirects with keep-alive due to missing "Content-Length: 0" headers
  • fixed crashing when using undefined environment variables in the config
  • fixed compilation of mod_mysql_vhost on irix (#1341)

For all the packagers: if you wonder what happened to lighttpd 2007-SA:11 and lighttpd 2007-SA:10, they will be released in the next days.