Ok. We broke it. And yes it took longer than expected to fix it.

Anyway. It was worth to wait. We fixed lots of bugs in this release. For a complete list of changes see below.

The final fix for bug #948 changed the behavior of the server.error-handler-404. In the past lighttpd tried to send 404 responses generated by CGI/FastCGI/SCGI applications to the configured handler. With the current design of the plugin handling the 404 handler this failed, if the subrequest used the same backend as the original request (FastCGI -> FastCGI 404 handler). Starting with 1.4.17, only the original request will trigger the 404 handler. That means your application has to generate the content for the 404 response itself. You can no longer rely on the 404 handler for dynamically generated 404 responses.


  • lighttpd-1.4.17.tar.gz
    (sha1sum: f86684db6979c363d74689a51c3e8a7af066025e
    md5sum: 7172c39c2a166fe7f9ab6df30fa4298f
  • lighttpd-1.4.17.tar.bz2
    (sha1sum: e7684d29b2a42bc0628dc59b05741fc5fb5f699b
    md5sum: 85c99c2d6baf8ad9e38e6267efe7d9aa

Thanks for using lighttpd! :)

1.4.16 - Let's ship it

July 24, 2007

We all could use some refreshment in this hot summer. So how about a fresh and shiny new lighttpd release? Sadly the main reasons are again a few security fixes. (Bad developers, bad!) But we broke it, we fix it. On the other hand we squeezed in a new cool feature aswell. The E-Tag generation is now configurable. So if your files are on a NFS cluster you can now e.g. disable the inode number usage for the E-Tag.

Teh bugz!!!

header parsing bug
Lighttpd SA 2007:03
(patch: lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch)
various mod_auth bugs
Lighttpd SA 2007:04
Lighttpd SA 2007:05
Lighttpd SA 2007:06
Lighttpd SA 2007:07
(patch: lighttpd-1.4.x_mod_auth_sec.patch)
mod_access bug
Lighttpd SA 2007:08 (patch: lighttpd-1.4.x_mod_access_bypass.patch)
mod_fastcgi local DOS bug
Lighttpd SA 2007:09 (patch: lighttpd-1.4.x_mod_fastcgi_local_dos.patch)

The reader might wonder now why we delayed the release that long. We actually tried to get CVE numbers for all the bugs, to avoid confusion later. But so far we did not succeed in receiving them. As the bugs got publically announced now, we are forced to release.

External references


  • lighttpd-1.4.16.tar.gz
    (sha1sum: b160cece6c0dd15746d10957d28ba02b2e9e77ce
    md5sum: 04988067026e93ccb46e19fa8c17ae97
  • lighttpd-1.4.16.tar.bz2
    (sha1sum: 8f137ff71f629fe24a745c758b72dce24a8669f2
    md5sum: ea671997591f772417b7e540d325f8cc

Thanks for using lighttpd! :)

Here we are again. As a good tradition with lighttpd release we are bitten by a last minute hotfix in 1.4.14. :)

The bug appeared in 1.4.14 and users of 1.4.13 or older releases are not affected.

You can read up on the other 1.4.14 changes here.


  • lighttpd-1.4.15.tar.gz
    (sha1sum: 67ba1279a0eaeda728c1e1143d302beb364a034c
    md5sum: d2ceaaf242b2b3593ff4d8222d543649
  • lighttpd-1.4.15.tar.bz2
    (sha1sum: 742b567eca011fa5ef2cc506038389a4959eab56
    md5sum: b994b8c359da578dec073cae52c4924f

Thanks for using lighttpd! :)

P.S.: BTW: reporting bugs in blog comments is not the right way. Please use Trac for that!