Important changes

One important denial of service (in 1.4.31) fix: CVE-2012-5533.

Downloads

• https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.gz
  • GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.gz.asc
  • SHA256: 0765e07dac432393dea3950639d5ba646ded95a9408ad002e54b3353ab6b9645
• https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.bz2
  • GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.bz2.asc
  • SHA256: 60691b2dcf3ad2472c06b23d75eb0c164bf48a08a630ed3f308f61319104701f
• https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.xz
  • GPG signature: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.tar.xz.asc
  • SHA256: 1368f80069ce71f5928cad59c8e60c0b95876942ca9e02c53853e54ae24aedc1
• SHA256 checksums: https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.32.sha256sum

External references

• CVE-2012-5533
  • lighttpd-SA-2012-01
  • lighttpd-1.4.31_fix_connection_header_dos.patch

Changes from 1.4.31

• Code cleanup with clang/sparse (fixes #2437, thx kibi)
• Ignore EPIPE/ECONNRESET after SSL_shutdown
• Handle ENAMETOOLONG, return 404 Not Found (fixes #2396, thx dererkazo)
• configure.ac: remove old stuff, add some new to fix warnings in automake 1.12 (fixes #2419, thx blino)
• add PATCH method (fixes #2424)
• fix :port handling in $HTTP[“host”] checks (fixes #2135. thx liming)
• network_server_init: fix double free and memleak on error (fixes #2440, thx kyprizel)
• detect “x-gzip”/”x-bzip2” as separate encodings, more strict encoding matching (fixes #2443)
• tests: make sure mod_proxy doesn’t leave running processes (fixes #2435, thx kibi)
• mod_extforward: log address of untrusted proxy with debug.log-request-handling
• fix DoS in Connection header value split (reported by Jesse Sipprell, CVE-2012-5533)
• remove whitespace at end of header keys