1.4.23 - Leaving the nest

Time for a new release: spawn-fcgi now goes its own way as an independent project (hence the release slogan; see https://redmine.lighttpd.net/projects/spawn-fcgi), WSGI applications in “/” should work now (use the fastcgi/scgi option “fix-root-scriptname”), and there are many other fixes and improvements.

Please note that the “X-Sendfile-Range” header did not make it into 1.4.23, and we will try a more powerful approach for 1.4.24 (see #2008).

Important changes

  • Fix workaround for incorrect path info/scriptname if fastcgi prefix is “/” (fixes #729)
  • Finally removed spawn-fcgi
  • Fix bug with FastCGI request id overflow under high load; we now always use id 1, as we don’t use multiplexing. (thx jgray)
  • Workaround broken operating systems: check for trailing ‘/’ in filenames (fixes #1989)

Downloads

1.4.22 - Echoes

And here we are again… we had some bad regressions, so 1.4.22 was needed earlier than we expected and spawn-fcgi is still included in this release.

But spawn-fcgi 1.6.0 has been released, see https://redmine.lighttpd.net/projects/spawn-fcgi/news, so expect it to be removed soon.

Important Changes

  • Fix default vhost in mod_simple_vhost (fixes #1905)
  • Fix segfault in mod_scgi (fixes #1911)
  • Fix error handling in freebsd sendfile (fixes #1913)

Downloads

1.4.21 - “Yes we can… do another release”

Four and a half months after the release of 1.4.20 comes a new version in the stable branch of lighty: 1.4.21 is here. It is a bugfix release but also contains 3 small new features. We would like to thank everybody who reported bugs, especially the ones who provided patches.

spawn-fcgi warning

We decided to remove spawn-fcgi from the lighttpd source after this release; there is now a separate project for it: https://redmine.lighttpd.net/projects/spawn-fcgi

Important changes

  • Reverted fix for CVE-2008-4359 (too many regressions - see #1720 and r2362): do NOT use rewrite/redirect to protect specific urls!
  • Fixed a bug when server.max-connections was hit
  • SSLv2 disabled by default
  • New setting to disable returning of a 417 if “Expect: 100-continue” header is given:

    server.reject-expect-100-with-417 = "disable"
    

  • Settings that require numbers can now be strings too, which get converted. Useful in conjunction with env vars (thx andrewb)

  • mod_compress now supports caching through etags and last-modified
  • The annoying log entries about timed-out connections are now disabled by default and can be enabled with a new setting:

    debug.log-timeouts = "enable"

  • New $HTTP["language"] conditional (thx to petar) which allows interesting new configs like:

    $HTTP["language"] =~ "(de|it|hr)" {
      url.redirect = ( "^/$" => "http://www.site.net/%1/" )
    }
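
An added example (not part of the original release notes or the lighttpd project's own configuration) for the CVE-2008-4359 warning above: the discouraged redirect-as-protection rule, kept as a comment, next to access rules enforced by mod_access. The paths, hostname and IP address are constructed placeholders.

```conf
# Added example; /admin/, /internal/, www.example.org and 192.0.2.10
# are constructed placeholders.

# Discouraged: a redirect (or rewrite) rule used as the only barrier.
# These rules are matched against the request URI as the client sent it,
# before URL decoding, so they are URL manipulation, not access control.
#
#   url.redirect = ( "^/admin/" => "http://www.example.org/denied" )

# Instead: let mod_access refuse the request.
server.modules += ( "mod_access" )

# Deny every request below /admin/.
$HTTP["url"] =~ "^/admin/" {
    # An empty suffix matches every path inside this condition.
    url.access-deny = ( "" )
}

# Allow /internal/ only from one management address.
$HTTP["url"] =~ "^/internal/" {
    $HTTP["remoteip"] != "192.0.2.10" {
        url.access-deny = ( "" )
    }
}
```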

Downloads

1.4.20 - Otherwise the terrorists win

After two prereleases and a lot of bugfixing, we are proud to announce a new release of the 1.4 branch: 1.4.20 is finally out. We would like to thank everybody who tested the prereleases and/or reported bugs in our ticket system. Please pay special attention to the security announcements:

Download

  • lighttpd-1.4.20.tar.gz
    (sha1sum: 61790c02d9e96c3cb23ffd3907f1caee64c475dd
    md5sum: 7ce7eefb487682b61d9b06b41864c64a)
  • lighttpd-1.4.20.tar.bz2
    (sha1sum: e5944a40579e0f37c6a0eeb0ad751344b2d6006c
    md5sum: ed6ee0bb714f393219a32768d86984d8)

1.4.19 - Made in Germany

Long time no see.

It has been almost half a year since 1.4.18. 6 months. Jan has been working on many interesting features for 1.5.1 Currently he ports it to glib2.

But back to 1.4.19. Yes again the release date was nailed down by a few security bugs. cough Nevertheless we got a ton of other nice bugfixes. All praise our new lighttpd hero Stefan Bühler. Big thank you from my side. (darix)

Download

  • lighttpd-1.4.19.tar.gz
    (sha1sum: 79e2d61dd9017c3c50c0fe98b2289cae5c1255ee
    md5sum: cede410e7adee3ea14206749190a8b5d)
  • lighttpd-1.4.19.tar.bz2
    (sha1sum: fd4450e7faae55ebe0905114722995b0c57397cc
    md5sum: d787374e4e4aaa09d5cfa9ab9d23ad40)

Giving Solaris some love

Weekend time is hacking time. This weekend it is about getting 1.5.0 running nicely on Solaris and making sure lighttpd is a first class citizen there.

    All tests successful (1 subtest UNEXPECTEDLY SUCCEEDED), 88 subtests skipped.
    Files=22, Tests=324, 60 wallclock secs ( 1.98 cusr +  1.03 csys =  3.01 CPU)

1.4.18 - speeding up a bit

“Release early, release often.”

So here we are again. The previous release is already 12 days old! It already got grey hair.

And again we have a small security bug! It seems that the more popular you get, the more people look at your code. This time Mattias Bengtsson and Philip Olausson from secweb.se took a look at the code. They found a small bug that could lead to remote code execution in fastcgi applications. (We won’t mention names here.)

Download

  • lighttpd-1.4.18.tar.gz
    (sha1sum: 30eb24cdfcfeadf10fa16f187330bdc5deb25ed2
    md5sum: 5db3204d57436a032f899ff9dbce793f)
  • lighttpd-1.4.18.tar.bz2
    (sha1sum: a53a8f8ae8d42d036f0b5129764b822e943cc778
    md5sum: 26f98dddf9d8c0775221b800986003ee)

1.4.17 - for the sake of the server.error-handler-404

Ok. We broke it. And yes it took longer than expected to fix it.

Anyway. It was worth the wait. We fixed lots of bugs in this release. For a complete list of changes see below.

The final fix for bug #948 changed the behavior of the server.error-handler-404. In the past, lighttpd tried to send 404 responses generated by CGI/FastCGI/SCGI applications to the configured handler. With the current design of the plugin handling the 404 handler, this failed if the subrequest used the same backend as the original request (FastCGI -> FastCGI 404 handler). Starting with 1.4.17, only the original request will trigger the 404 handler. That means your application has to generate the content for the 404 response itself. You can no longer rely on the 404 handler for dynamically generated 404 responses.

Download

  • lighttpd-1.4.17.tar.gz
    (sha1sum: f86684db6979c363d74689a51c3e8a7af066025e
    md5sum: 7172c39c2a166fe7f9ab6df30fa4298f)
  • lighttpd-1.4.17.tar.bz2
    (sha1sum: e7684d29b2a42bc0628dc59b05741fc5fb5f699b
    md5sum: 85c99c2d6baf8ad9e38e6267efe7d9aa)

Thanks for using lighttpd! :)