There have been some important bug fixes (request parser handling for splitted header data, a fd leak in mod_cgi, a segfault with broken configs in mod_rewrite/mod_redirect, HUP detection and an OOM/DoS vulnerability)

Downloads

• https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.26.tar.gz
  • SHA256: 08fc11864a0ad6d2871f32e6d0b0eaeb070f78698a72959f812526173145986e
  • SHA1: c22642dc3616043293fb895b9f049b9270dbb2a0
  • MD5: 3ce5be17a4dac3c384a8a452c664b840
• https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.26.tar.bz2
  • SHA256: d7c25a5bb08c8dbc3e8d86f9e564c90ebf0c365d7fcf5ee801e912fb3c2357fd
  • SHA1: f9710da0152792d83c223a1248345a2d145d6f32
  • MD5: a682c8efce47a2f4263a247ba0813c9b
• SHA256 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.26.sha256sum
• SHA1 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.26.sha1sum
• MD5 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.26.md5sum

Changes from 1.4.25

• Fix request parser to handle packets with splitted \r\n\r\n (fixes #2105)
• Remove dependency on automake >= 1.11 with m4_ifdef check
• mod_accesslog: support %e (fixes #2113, thx presbrey)
• Fix mod_cgi cgi.execute-x-only option in global block
• mod_fastcgi: x-sendfile2 parse error debugging
• Fix mod_proxy dead host detection if connect() fails
• Fix fd leaks in mod_cgi (fds not closed on pipe/fork failures, found by Rodrigo, fixes #2158, #2159)
• Fix segfault with broken rewrite/redirect patterns (fixes #2140, found by crypt)
• Append to previous buffer in con read, fix DoS/OOM vulnerability (fixes #2147, found by liming, CVE-2010-0295)
• Fix HUP detection in close-state if event-backend doesn’t support FDEVENT_HUP (like select or poll on FreeBSD)