We should have released sooner (due to #2670) - let’s hope we got it right this time :)

Important changes

• mod_secdownload now requires an algorithm option to be set
• fix a header parse bug (#2670)
• sendfile support for darwin (just select “sendfile” as backend)

Downloads

• lighttpd-1.4.38.tar.gz (GPG signature)
  • SHA256: eb3c689f83ee3545dc688d99e36011b28145a1727bb6d17c94c5ed6684edcdd1
• lighttpd-1.4.38.tar.xz (GPG signature)
  • SHA256: 4912568b7befcf3f552ca4668bd7f38cd85f42a22944359d00816ec27eb1e504
• SHA256 checksums

Changes from 1.4.37

• [stat-cache] fix handling of collisions, might have returned wrong data (fixes #2669)
• [core] allocate at least 4k buffer for incoming data
• [core] fix search for header end if split across chunks (fixes #2670)
• [core] check configparserAlloc() result with force_assert
• [mod_auth] implement and use safe_memclear, using memset_s or explicit_bzero if available (thx loganaden)
• [core] don’t buffer request bodies smaller than 64k on disk
• add force_assert for many allocations and function results
• [mod_secdownload] use a hopefully constant time comparison to check hash (fixes #2679)
• [config] check config option scope; warn if server option is given in conditional
• [core] revert increase of temp file size back to 1MB, provide a configure option “server.upload-temp-file-size” instead (fixes #2680)
• [core] add ‘~’ to safe characters in ENCODING_REL_URI/ENCODING_REL_URI_PART encoding
• [core] encode path with ENCODING_REL_URI in redirect to directory (fixes #2661, thx gstrauss)
• [mod_secdownload] add required algorithm option; old behaviour available as “md5”, new options “hmac-sha1” and “hmac-sha256”
• [mod_fastcgi/mod_scgi] zero sockaddr structs before use (fixes #2691, thx Kyle J. McKay)
• [network] add darwin-sendfile backend (fixes #2687, thx Kyle J. McKay)
• [core] show correct crypt support result (fixes #2690, thx Kyle J. McKay)