1.4.26 - Chinese dragon

February 07, 2010

There have been some important bug fixes (request parser handling for split header data, an fd leak in mod_cgi, a segfault with broken configs in mod_rewrite/mod_redirect, HUP detection and an OOM/DoS vulnerability).


Li Ming reported a serious bug in lighttpd:

If you send the request data very slowly (e.g. sleep 0.01 after each byte),
lighttpd will easily use all available memory and die (especially for parallel
requests), allowing a DoS within minutes.


The bug is tracked as CVE-2010-0295.

As far as we know all versions are affected.

1.4.25 - the slogan is a lie

November 21, 2009

We made some important bug fixes (some of them for bugs new since 1.4.24, and some for older bugs). There are only 2 small new features: traceback for Lua errors and the SSL_CLIENT_* vars export for SSL client cert validation.