July 26, 2015

This release contains mostly bug fixes.

Important changes

  • [ssl] disable SSL3.0 by default
  • escape all strings for logging
  • fix segfault when temp file for upload couldn’t be created (found by coverity)
  • changes to the internal API for buffers, chunks and more; 3rd party plugins are likely to break


Changes from 1.4.35

  • use keep-alive timeout while waiting for HTTP headers; always use the read timeout while waiting for the HTTP body
  • fix bad shift in conditional netmask “…/0” handling
  • add more mime types and a script to generate mime.conf (fixes #2579)
  • add support for (Free)BSD extended attributes
  • [build] use fortify flags with “extra-warnings”
  • [mod_dirlisting,mod_redirect,mod_rewrite] abort config parsing if pcre-compile fails or isn’t available
  • [ssl] disable SSL3.0 by default
  • fixed typo in example config found by openSUSE user (boo# 907709)
  • [network] fix compile break in calculation of sockaddr_un size if SUN_LEN is not defined (fixes #2609)
  • [connections] fix bug in connection state handling
  • print backtrace in assert logging with libunwind
  • major refactoring of internal buffer/chunk handling
  • [mod_auth] use crypt_r instead of crypt if available
  • fix error message for T_CONFIG_ARRAY config values if an entry value is not a string
  • fix segfaults in many plugins if they failed configuration
  • escape all strings for logging (fixes #2646 log file injection, reported by Jaanus Kääp)
  • fix hex escape in accesslog (fixes #2559)
  • show extforward re-run warning only with debug.log-request-handling (fixes #2561)
  • parse If-None-Match for ETag validation (fixes #2578)
  • fix memory leak in mod_status when no counters are set (found by coverity)
  • [mod_magnet] fix segfault when accessing a nonexistent lighty.req_env[] entry (found by coverity)
  • fix segfault when temp file for upload couldn’t be created (found by coverity)
  • mime.conf: add some new mime types, remove .dat, .sha1, .md5, update .vcf
  • [mod_proxy] add unix domain socket support (fixes #2653)
  • [configfile] fix reading uninitialized variable (found by Willian B.)