lighttpd 1.4.19 Release

Ship


lighttpdの新バージョン1.4.19が約半年ぶりにリリース。

http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany


多くのBugFix(セキュリティに関するものも)を含んでいるとのことで、1.4系を利用されている場合は、この新しい1.4.19のバージョンにアップすることが推奨されているようです。


fcgi関連(spawn-fcgiが多いけど)や、mod_extforwardに関するものもあがっているみたいなので、社内で使っているlighttpdもバージョンアップしてみようかな、と検討中。

参考

参考までに、上記URLにて公開されている変更点一覧を貼り付け。

Changes

  • added support for If-Range: <date> (#1346)
  • added support for matching $HTTP["scheme"] in configs
  • fixed initgroups() called after chroot (#1384)
  • fixed case-sensitive check for Auth-Method (#1456)
  • execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428)
  • fixed a bug that made /-prefixed extensions being handled also when matching the end of the uri in fcgi,scgi and proxy modules (#1489)
  • print error if X-LIGHTTPD-send-file cannot be done; reset header Content-Length for send-file. Patches by Stefan Buehler
  • prevent crash in certain php-fcgi configurations (#841)
  • add IdleServers and Scoreboard directives in ?auto mode for mod_status (#1507)
  • open log immediately after daemonizing, fixes SIGPIPEs on startup (#165)
  • HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set. (#1499)
  • generate ETag and Last-Modified headers for mod_ssi based on newest modified include (#1491)
  • support letterhomes in mod_userdir (#1473)
  • support chained proxies in mod_extforward (#1528)
  • fixed bogus "cgi died ?" if we kill the CGI process on shutdown
  • fixed ECONNRESET handling in network-openssl
  • fixed handling of EAGAIN in network-linux-sendfile (#657)
  • reset conditional cache (#1164)
  • create directories in mod_compress (was broken with alias/userdir) (#1027)
  • fixed out of range access in fd array (#1562, #372) (CVE-2008-0983)
  • mod_compress should check if the request is already handled, e.g. by fastcgi (#1565)
  • remove broken workaround for buggy Opera version with ssl/chunked encoding (#285)
  • generate etag/last-modified header for on-the-fly-compressed files (#1171)
  • req-method OPTIONS: do not insert default response if request was denied, do not deny OPTIONS by default (#1324)
  • fixed memory leak on windows (#1347)
  • fixed building outside of the src dir (#1349)
  • fixed including of stdint.h/inttypes.h in etag.c (#1413)
  • do not add Accept-Ranges header if range-request is disabled (#1449)
  • log the ip of failed auth tries in error.log (enhancement #1544)
  • fixed RoundRobin in mod_proxy (#516)
  • check for symlinks after successful pathinfo matching (#1574)
  • fixed mod-proxy.t to run with a builddir outside of the src dir
  • do not suppress content on "307 Temporary Redirect" (#1412)
  • fixed Content-Length header if response body gets removed in connections.c (#1412, part 2)
  • do not generate a "Content-Length: 0" header for HEAD requests, added test too
  • remove compress cache file if compression or write failed (#1150)
  • fixed body handling of status 300 requests
  • spawn-fcgi: only try to connect to unix socket (not tcp) before spawning (#1575)
  • fix sending source of cgi script instead of 500 error if fork fails (CVE-2008-1111)
  • fix min-procs handling in mod_scgi.c, just set to max-procs (patch from #623)
  • fix sending "408 - Timeout" instead of "410 - Gone" for timedout urls in mod_secdownload (#1440)
  • workaround #1587: require userdir.path to be set to enable mod_userdir (empty string allowed) (CVE-2008-1270)
  • make configure checks for --with-pcre, --with-zlib and --with-bzip2 failing if the headers aren't found
  • fixed handling of waitpid() == EINTR mod_ssi on solaris