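Lightweight web server: lighttpd 1.4.19 released
Date: 2008-03-14 Source: Linux Forum
It has been almost half a year since 1.4.18 was released. Over these six months, Jan has been working on the interesting features of 1.5. [1] It has now been ported to glib2.
But back to 1.4.19. Yes, the release was once again delayed because of some security bugs. (cough) However, we got a lot of other good bug fixes. All the praise goes to our new lighttpd hero Stefan Bühler. Many thanks from my side. (darix)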
* lighttpd_sa_2008_01.txt (patch: lighttpd-1.4.x_high_load_dos.patch)
* lighttpd_sa_2008_02.txt (patch: lighttpd-1.4.x_mod_cgi_disclosure.patch)
* lighttpd_sa_2008_03.txt (patch: lighttpd-1.4.x_mod_userdir_disclosure.patch)
Download
* lighttpd-1.4.19.tar.gz
(sha1sum: 79e2d61dd9017c3c50c0fe98b2289cae5c1255ee
md5sum: cede410e7adee3ea14206749190a8b5d)
* lighttpd-1.4.19.tar.bz2
(sha1sum: fd4450e7faae55ebe0905114722995b0c57397cc
md5sum: d787374e4e4aaa09d5cfa9ab9d23ad40)
Changes
* added support for If-Range: <date> (#1346)
* added support for matching $HTTP["scheme"] in configs
* fixed initgroups() called after chroot (#1384)
* fixed case-sensitive check for Auth-Method (#1456)
* execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428)
* fixed a bug that made /-prefixed extensions being handled also when matching the end of the uri in fcgi,scgi and proxy modules (#1489)
* print error if X-LIGHTTPD-send-file cannot be done; reset header Content-Length for send-file. Patches by Stefan Buehler
* prevent crash in certain php-fcgi configurations (#841)
* add IdleServers and Scoreboard directives in ?auto mode for mod_status (#1507)
* open log immediately after daemonizing, fixes SIGPIPEs on startup (#165)
* HTTPS env var should be "on" when using mod_extforward and the X-Forwarded-Proto header is set. (#1499)
* generate ETag and Last-Modified headers for mod_ssi based on newest modified include (#1491)
* support letterhomes in mod_userdir (#1473)
* support chained proxies in mod_extforward (#1528)
* fixed bogus "cgi died ?" if we kill the CGI process on shutdown
* fixed ECONNRESET handling in network-openssl
* fixed handling of EAGAIN in network-linux-sendfile (#657)
* reset conditional cache (#1164)
* create directories in mod_compress (was broken with alias/userdir) (#1027)
* fixed out of range access in fd array (#1562, #372) (CVE-2008-0983)
* mod_compress should check if the request is already handled, e.g. by fastcgi (#1565)
* remove broken workaround for buggy Opera version with ssl/chunked encoding (#285)
* generate etag/last-modified header for on-the-fly-compressed files (#1171)
* req-method OPTIONS: do not insert default response if request was denied, do not deny OPTIONS by default (#1324)
* fixed memory leak on windows (#1347)
* fixed building outside of the src dir (#1349)
* fixed including of stdint.h/inttypes.h in etag.c (#1413)
* do not add Accept-Ranges header if range-request is disabled (#1449)
* log the ip of failed auth tries in error.log (enhancement #1544)
* fixed RoundRobin in mod_proxy (#516)
* check for symlinks after successful pathinfo matching (#1574)
* fixed mod-proxy.t to run with a builddir outside of the src dir
* do not suppress content on "307 Temporary Redirect" (#1412)
* fixed Content-Length header if response body gets removed in connections.c (#1412, part 2)
* do not generate a "Content-Length: 0" header for HEAD requests, added test too
* remove compress cache file if compression or write failed (#1150)
* fixed body handling of status 300 requests
* spawn-fcgi: only try to connect to unix socket (not tcp) before spawning (#1575)
* fix sending source of cgi script instead of 500 error if fork fails (CVE-2008-1111)
* fix min-procs handling in mod_scgi.c, just set to max-procs (patch from #623)
* fix sending "408 - Timeout" instead of "410 - Gone" for timedout urls in mod_secdownload (#1440)
* workaround #1587: require userdir.path to be set to enable mod_userdir (empty string allowed) (CVE-2008-1270)
* make configure checks for --with-pcre, --with-zlib and --with-bzip2 failing if the headers aren't found
* fixed handling of waitpid() == EINTR mod_ssi on solaris
[1] No. We don't have a release date for it. Especially not with all the big changes going on.