* [mod_cgi] skip local-redir handling if to self (fixes#2779, #2108)
* [mod_webdav] fix crash when plugin_ctx cleaned up (fixes#2780)
* [mod_fastcgi] detect child exit, restart proactively
* [mod_scgi] detect child exit, restart proactively
* [TLS] ssl.read-ahead = "disable" for low mem (fixes#2778)
pkgsrc changes:
- Rename non-standard "memcache" option to "memcached" (retaining
compatibility for the old option for a while)
------------------------------
- 1.4.44
* [mod_scgi] fix segfault (fixes#2762)
* [mod_authn_gssapi] fix memory leak
* [config] warn if mod_authn_ldap,mysql not listed
* [mod_magnet] fix magnet_cgi_set() set of env vars (fixes#2763)
* [mod_cgi] FreeBSD 9.3/MacOSX does not have pipe2() (fixes#2765)
* [mod_extforward] fix crash on invalid IP (fixes#2766)
* [mod_fastcgi] fix segfault if all backends down (fixes#2768)
* [mod_cgi] fix out of sockets error for POST to CGI (fixes#2771)
* [mod_auth] compile fix for Mac OS X XCode (fixes#2772)
* [mod_authn_gssapi] better resource cleanup
* [core] compile fix for Mac OS X 10.6 (old) (fixes#2773)
* fix race in dynamic handler configs (reentrancy) (fixes#2774)
* [mod_authn_mysql] close mysql_conn in cleanup
* [mod_webdav] compile fix when locking not enabled
* load mod_auth & mod_authn_file in sample/test.conf
* comment out auth.backend.ldap.* in tests/*.conf
* [mod_fastcgi,mod_scgi] warn if invalid "bin-path"
* RAND_pseudo_bytes() is deprecated in openssl 1.1.0
* openssl 1.1.0 init and cleanup
* [mod_cgi] remove direct calls to network_backend*
* [build] build network_*.c into lighttpd executable
* suggest inclusion of mod_geoip... before mod_ssi.
* set systemd settings similar to lighttpd2
* [doc] remove reference to Linux rt-signals
* [mod_authn_gssapi] fix missing error ret, coverity
* [core] rename li_rand() to li_rand_pseudo_bytes()
* remove #include "stream.h" where not used
* [mod_cml] include lua headers before base.h
* [core] combine duplicated connection reset code
* [mod_ssi] produce content in subrequest hook
* [core] remove srv->entropy[]
* [core] defer li_rand_init() until first use
* [core] permit connection-level state in modules
* [mod_dirlisting] render dirlisting as HTML (fixes#2767)
* [mod_proxy] replace HTTP Host sent to backend (fixes#2770)
* [mod_ssi] basic recursive SSI include virtual (fixes#536)
* [mod_ssi] implement, ignore <!--#comment ... -->
* [core] consolidate duplicated read-to-close code
* [core] fix segfault when parsing a bad config file
* [core] support Transfer-Encoding: chunked req body (fixes#2156)
* [autobuild] set NO_RDYNAMIC=yes for midipix
* [mod_proxy] proxy.balance = "sticky" option (fixes#2117)
* [mod_secdownload] warn if SHA used w/o SSL crypto
* [build] compile fixes for AIX
* [build] check for pipe2() at configure time
* [mod_evhost] fix an incorrect error trace
* [tests] mark tests/docroot/www/*.pl scripts a+x
* [mod_cgi] fall back to pipe() if pipe2() fails
* fix SCons fullstatic build with glibc pthreads
* [TLS] openssl 1.1.0 makes SSL_OP_NO_SSLv2 no-op
(pkgsrc changes)
- Add Selection on PLIST depending on options
- 1.4.41
* remove long-deprecated, non-functional config opts
* [config] inherit server.use-ipv6 and server.set-v6only (fixes#678)
* [mod_auth] fix Digest auth to be better than Basic (fixes#1844)
* [mod_ssi] fix #config sizefmt="bytes"
* [autobuild] move inet_pton detection later
* [core] #include <sys/filio.h> for FIONREAD (fixes#2726)
* [autobuild] clock_gettime() -lrt with glibc < 2.17
* [security] do not emit HTTP_PROXY to CGI env
* [build_cmake] clock_gettime() -lrt w/ glibc < 2.17 (fixes#2737)
* [core] avoid spurious trace and error abort
* [core] stay in CON_STATE_CLOSE until done with req
* [core] $HTTP["remoteip"] must handle IPv6 w/o []
* [mod_status] show keep-alive status w/ text output (fixes#2740)
* do not set REDIRECT_URI in mod_magnet, mod_rewrite (#2738)
* revert 1.4.40 swap of REQUEST_URI, REDIRECT_URI (fixes#2738)
* [core] permit IPv6 address scope identifier
* [TLS] better handling of SSL_ERROR_WANT_READ/WRITE
* [TLS] read all available records from SSL_read()
* [core] try AF_INET after AF_INET6 if use-ipv6
* [core] set chunkqueue tempdirs at startup
* [security] ensure gid != 0 if server.username set (fixes#2725)
* [security] disable stat_cache if !follow-symlink (fixes#2724)
* [core] fix buffer_copy_string_hex() assert (fixes#2742)
* [security] encode quoting chars in HTML and XML
* [cmake] always define _GNU_SOURCE
* [cmake] enable warnings for GCC and Clang
* [cmake] set cmake_minimum_required to 2.8.2
----------------------
- 1.4.38 - 2015-12-05
* [stat-cache] fix handling of collisions, might have returned wrong
data (fixes#2669)
* [core] allocate at least 4k buffer for incoming data
* [core] fix search for header end if split across chunks (fixes#2670)
* [core] check configparserAlloc() result with force_assert
* [mod_auth] implement and use safe_memclear, using memset_s or
explicit_bzero if available (thx loganaden)
* [core] don't buffer request bodies smaller than 64k on disk
* add force_assert for many allocations and function results
* [mod_secdownload] use a hopefully constant time comparison to check
hash (fixes#2679)
* [config] check config option scope; warn if server option is given
in conditional
* [core] revert increase of temp file size back to 1MB, provide a
configure option "server.upload-temp-file-size" instead (fixes
#2680)
* [core] add '~' to safe characters in
ENCODING_REL_URI/ENCODING_REL_URI_PART encoding
* [core] encode path with ENCODING_REL_URI in redirect to directory
(fixes#2661, thx gstrauss)
* [mod_secdownload] add required algorithm option; old behaviour
available as "md5", new options "hmac-sha1" and "hmac-sha256"
* [mod_fastcgi/mod_scgi] zero sockaddr structs before use (fixes
#2691, thx Kyle J. McKay)
* [network] add darwin-sendfile backend (fixes#2687, thx Kyle J. McKay)
* [core] show correct crypt support result (fixes#2690, thx Kyle J. McKay)
----------------
- 1.4.37
* [mod_proxy] remove debug log line from error log (fixes#2659)
* [mod_dirlisting] fix dir-listing.set-footer not showing
* fix out-of-filedescriptors when uploading "large" files (fixes#2660, thx rmilecki)
* increase upload temporary chunk file size from 1MB to 16MB
* fix undefined integer shift
* rewrite network sendfile/mmap/writev/write backends
* fix some unchecked return value warnings
* [kqueue] fix kevent call
* [autoconf] define HAVE_CRYPT when crypt() is present
* [bsd xattr] fix compile break with BSD extended attributes in stat_cache
* [mod_cgi] rewrite mmap and generic (post body) send error handling
* [mmap] fix mmap alignment
* [plugins] when modules are linked statically still only load the modules given in the config
* [mmap] handle SIGBUS in network; those get triggered if the file gets smaller during reading
* fix some warnings found by coverity ("leak" in setup phase, not catching too long unix socket paths in mod_proxy)
This release contains mostly bug fixes.
Important changes
-----------------
- [ssl] disable SSL3.0 by default
- escape all strings for logging
- fix segfault when temp file for upload couldn’t be created (found by coverity)
- changes to the internal API for buffers, chunks and more; 3rd party plugins are likely to break
This release contains a lot of bug fixes, many detected by scan.coverity.com (and more to come). The main reason for the release is a fix for an SQL injection (and path traversal) bug triggered by specially crafted (and invalid) Host: headers.
* [mod_auth] explicitly link ssl for SHA1 (fixes 2517)
* [mod_extforward] fix compilation without IPv6, (not) using undefined var (fixes 2515, thx mm)
* [ssl] fix SNI handling; only use key+cert from SNI specific config (fixes 2525, CVE-2013-4508)
* [doc] update ssl.cipher-list recommendation
* [stat-cache] FAM: fix use after free (CVE-2013-4560)
* [stat-cache] fix FAM cleanup/fdevent handling
* [core] check success of setuid,setgid,setgroups (CVE-2013-4559)
* [ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken)
* maintain physical.basedir (the "acting" doc-root as prefix of physical.path) in more places
* [core] decode URL before rewrite, enabling it to work in $HTTP["url"] conditionals (fixes 2526)
* [auto* build] remove -no-undefined from linker flags, as we actually link modules with undefined symbols (fixes 2533)
* [mod_mysql_vhost] fix memory leak on config init (2530)
* [mod_webdav] fix fd leak found with parfait (fixes 2530, thx kukackajiri)
mod_fastcgi: fix mix up of “mode” => “authorizer” in other fastcgi configs (fixes 2465, thx peex)
fix handling of If-Modified-Since if If-None-Match is present (don’t return 412 for date parsing errors);
follow current draft for HTTP/1.1, which tells us to ignore If-Modified-Since if we have matching etags.
[mod_fastcgi,log] support multi line logging (fixes 2252)
call ERR_clear_error only for ssl connections in CON_STATE_ERROR
reject non ASCII characters in HTTP header names
[mod_auth] use crypt() on encrypted password instead of extracting salt first (fixes 2483)
[mod_auth] add htpasswd -s (SHA1) support if openssl is used (needs openssl for SHA1). This doesn’t use any salt, md5 with salt is probably better.
[mod_auth] fix base64_decode (2484)
fix some bugs found with canalyze (fixes 2484, thx Zhenbo Xu)
fix undefined stuff found with clang
[cmake] Use TARGET_LINK_LIBRARIES instead of LINK_FLAGS for library dependencies, also add Wl,-as-needed to extra warnings (fixes 2448)
[mod_auth] fix invalid read in digest qop=auth-int handling (fixes 2478)
[auto* build] simplify autogen.sh, handle automake 1.13 test running (fixes 2490)
[mod_userdir] add userdir.active option, “enabled” by default
[core] return 501 Not Implemented in static file mode for all methods except GET/POST/HEAD/OPTIONS
[core] recognize more http methods to forward to backends (fixes 2346)
[ssl] use DH only if openssl supports it (fixes 2479)
[network] use constants available at compile time for maximum number of chunks for writev instead of calling sysconf (fixes 2470)
[ssl] Fix $HTTP[“scheme”] conditional, could be “http” for ssl connections if the ssl $SERVER[“socket”] conditional was nested (fixes 2501)
[ssl] accept ssl renegotiations if they are not disabled (fixes 2491)
[ssl] add option ssl.empty-fragments, defaulting to disabled (fixes 2492)
[auth] put REMOTE_USER into cgi environment, making it accessible to lua via lighty.req_env (fixes 2495)
[auth] new method “extern” to use already present REMOTE_USER (from magnet, ssl, …) (fixes 2436)
[core] remove requirement that default doc-root has to exist, there are reasonable scenarios not requiring static files at all
[core] check whether server.chroot exists
[mod_simple_vhost] fix cache; skip module if simple-vhost.server-root is empty (thx rm for reporting)
[mod_accesslog] add accesslog.syslog-level option (fixes 2480)
[core] allow files to be used as document-root (fixes 2475)
[core] set signal handlers before forking child processes in modules/plugins_call_set_defaults (fixes 2502)
Changes from 1.4.30
- [ssl] fix segfault in counting renegotiations for openssl versions
without TLSEXT/SNI (thx carpii for reporting)
- Move fdevent subsystem includes to implementation files to reduce
conflicts (fixes#2373)
- [mod_compress] fix handling if etags are disabled but cache-dir
is set - may lead to double response
- disable mmap by default (fixes#2391)
- buffer_caseless_compare: always convert letters to lowercase to get
transitive results, fixing array lookups (fixes#2405)
- Fix handling of empty header list entries in http_request_split_value,
fixing invalid read in valgrind (fixes#2413)
- Fix access log escaping of " and \\ (fixes#1551)
- [mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649,
RFC 2617) (fixes#2410)
- [auth] Add "AUTH_TYPE" environment (for * cgi), remove fastcgi specific
workaround, add fastcgi test case (fixes#889)
- [mod_*cgi,mod_accesslog] Fix splitting :port with ipv6 (fixes#2333,
thx simoncpu)
- Detect multiple -f options: show error message instead of assert
(fixes#2416)
- [mod_extforward] Support ipv6 addresses (fixes#1889)
- [mod_redirect] Support url.redirect-code option (fixes#2247)
- Fix --enable-mmap handling in configure.ac
Changes from 1.4.29
- Always use our 'own' md5 implementation, fixes linking issues on MacOS
(fixes#2331)
- Limit amount of bytes we send in one go; fixes stalling in one connection
and timeouts on slow systems.
- [ssl] fix build errors when Elliptic-Curve Diffie-Hellman is disabled
- Add static-file.disable-pathinfo option to prevent handling of urls like
.../secret.php/image.jpg as static file
- Don't overwrite 401 (auth required) with 501 (unknown method) (fixes#2341)
- Fix mod_status bug: always showed "0/0" in the "Read" column for uploads
(fixes#2351)
- [mod_auth] Fix signedness error in http_auth (fixes#2370, CVE-2011-4362)
- [ssl] count renegotiations to prevent client renegotiations
- [ssl] add option to honor server cipher order (fixes#2364, BEAST attack)
- [core] accept dots in ipv6 addresses in host header (fixes#2359)
- [ssl] fix ssl connection aborts if files are larger than
the MAX_WRITE_LIMIT (256kb)
- [libev/cgi] fix waitpid ECHILD errors in cgi with libev (fixes#2324)
* solve name conflict of md5 functions with OpenSSL lib
* mod_proxy, mod_cgi and other mod_*cgi fixes
* ssl improvements
* Native solaris ports fdevent handler “solaris-eventports”
* Rename fdevent_event_add to _set to reflect what the function does. Fix some
handlers.
* Fix buffer.h to include stdio.h as it is needer for SEGFAULT()
Changes 1.4.27:
* Fix handling return value of SSL_CTX_set_options
* Fix mod_proxy HUP handling (send final chunk, fix usage counter)
* mod_proxy: close connection on write error
* Check uri instead of physical path for directory redirect
* Fix detecting git repository
* [mod_compress] Fix segfault when etags are disabled
* Reset uri.authority before TLS servername handling, reset all "keep-alive"
data in connection_del
* Print double quotes properly when dumping config file
* Include IP addresses on error log on password failures
* Fix stalls while reading from ssl sockets
* Fix etag formatting on boxes with 32-bit longs
* Fix two compiler warnings
* mod_accesslog: fix %p for ipv6 sockets
* mod_fastcgi: Send 502 "Bad Gateway" if we couldn't open the file for
X-Sendfile
* mod_staticfile: add debug output if we ignore a file with
static-file.exclude-extensions
* mod_cgi: fix race condition leaving response not forwarded to client
* mod_accesslog: Fix var declarations mixed in source
* mod_status: Add version to status page
* mod_accesslog: optimize accesslog_append_escaped
* openssl: silence annoying error messages for errno==0
* array.c: improve array_get_unused_element to check data type; fix mem leak if
unused_element didn't find a matching entry
* add check to stop loading plugins twice
* cleanup fdevent code, removed linux-rtsig handler, replaced some fprintf calls
* only require FDEVENT_IN bit to be set for listening connections
* add libev fdevent handler: server.event-handler = "libev"
* mod_proxy: return response as soon as it is available
* don't overwrite global server.force-lowercase-filenames setting
* bind to IPV6-only if ipv6 address was specified
<http://redmine.lighttpd.net/issues/2157>. Without this patch,
lighttpd 1.4.26 will fail to start if built with the pkgsrc OpenSSL
and configured to serve HTTPS. Bump PKGREVISION.
- fix various bugs, including a trivial to trigger OOM/DoS
- Allow support for checking for exec bit on cgi scripts
- Add support for TLS servername indication
- Add support client certificate verification
- Split off spawn-fcgi into a separate package
