Lighttpd 1.4.14 released

April 13, 2007

We are pleased to announce the release of lighttpd 1.4.14. This is mainly a bug fix release including 2 security fixes. It is recommended to upgrade or at least apply the patches.

Download

As 1.4.14 had a cookie-related bug, please use 1.4.15.

Thanks for using lighttpd! :)

The complete list of changes

  • fix crash if gethostbyaddr() failed on redirect [1718]
  • properly handle 206 responses generated by *cgi scripts. (#755) [1716]
  • added HTTPS=on to the environment of cgi scripts (#861) [1684]
  • fix handling of 303 (#1045) [1678]
  • made the configure check for lua more portable [1677]
  • added mod_extforward module [1665]
  • references to the fam stat cache engine should be conditional (#1039) [1664]
  • fix http 500 errors (colin.stephen/at/o2.com) #1041 [1663]
  • prevent wrong pidfile unlinking on graceful restart (Chris Webb) [1656]
  • ignore empty packets from STDERR stream. #998
  • fix a crash for files with an mtime of 0 reported by cubiq on irc [1519] CVE-2007-1870
  • allow empty passwords with ldap (Jörg Sonnenberger) [1516]
  • mod_scgi.c segfault fix #964 [1501]
  • Added round-robin support to mod_fastcgi [1500]
  • Handle DragonFlyBSD the same way as FreeBSD (Jörg Sonnenberger) [1492,1676]
  • added now and weeks support to mod_expire. #943
  • fix cpu hog in certain requests [1473] CVE-2007-1869
  • fix for handling hostnames with trailing dot [1406]
  • fixed header-injection via server.tag (#1106)
  • disabled caching of files without a content-type to solve the aggressive caching of Firefox (FF)
  • remove trailing white-spaces from HTTP-requests before parsing (#1098)
  • fixed accesslog.use-syslog in a conditional and the caching of the accesslog for files (fixes #1064)
  • fixed various crashes at startup on broken accesslog.format strings (#1000)
  • fixed handling of %% in accesslog.format
  • fixed conditional dir-listing.exclude (#930)
  • reduced default PATH_MAX to 255 (#826)
  • ECONNABORTED is not known on cygwin (#863)
  • fixed crash on url.redirect and url.rewrite if %0 is used in a global context (#800)
  • fixed possible crash in debug-message in mod_extforward
  • fixed compilation of mod_extforward on glibc < 2.3.4
  • fixed include of empty in the configfiles (#1076)
  • send SIGUSR1 to fastcgi children before SIGTERM. libfcgi wants SIGUSR1. (#737)
  • fixed missing AUTH_TYPE entry in the fastcgi environment. (#889)
  • fixed compilation in network_writev.c on MacOS X 10.3.9 (#903)
  • added kill-signal as another setting for fastcgi backends. See the wiki for more.