It has been a long time since the last release again, and again we have many bug fixes
and some small new features. Check the following summary or the complete list below.

There have been fixes for SSL (SNI handling and the SSL_CTX_set_options fix) and for
mod_cgi and mod_proxy (response handling).

There is a new fdevent handler “libev”; “linux-rtsig” got removed.

We now bind IPv6 sockets to IPv6 only in almost all cases (we disable “dual-stack”);
see IPv6-Config for details.


1.4.26 - Chinese dragon

February 07, 2010

There have been some important bug fixes (request parser handling for split header data, a fd leak in mod_cgi, a segfault with broken configs in mod_rewrite/mod_redirect, HUP detection and an OOM/DoS vulnerability).


Li Ming reported a serious bug in lighttpd:

If you send the request data very slowly (e.g. sleep 0.01 after each byte),
lighttpd will easily use all available memory and die (especially for parallel
requests), allowing a DoS within minutes.


The bug is tracked as CVE-2010-0295.

As far as we know, all versions are affected.