shinji257
18-10-2008, 02:18
Any chance we might be able to get 1.4.20 for Lighttpd? It includes some security fixes.
I am building both the most recent 1.4 and 1.5 code from subversion. If I manage to build and work cleanly on my router then I may go ahead and make ipkg using that code however I would like the maintainer to do it and make a regular release if possible.
http://www.lighttpd.net/2008/9/30/1-4-20-Otherwise-the-terrorists-win
After two prereleases and a lot of bugfixing, we are proud to announce a new release of the 1.4 branch: 1.4.20 is finally out. We would like to thank everybody who tested the prereleases and/or reported bugs in our ticket system. Please pay special attention to the security announcements:
* lighttpd_sa_2008_04.txt (patch: lighttpd-1.4.19_fix_ssl_dos.patch)
* lighttpd_sa_2008_05.txt (patch: lighttpd-1.4.x_rewrite_redirect_decode_url.patch)
* lighttpd_sa_2008_06.txt (patch: lighttpd-1.4.x_userdir_lowercase.patch)
* lighttpd_sa_2008_07.txt (patch: lighttpd-1.4.x_request_header_memleak.patch)
Download
* lighttpd-1.4.20.tar.gz
(sha1sum: 61790c02d9e96c3cb23ffd3907f1caee64c475dd
md5sum: 7ce7eefb487682b61d9b06b41864c64a)
* lighttpd-1.4.20.tar.bz2
(sha1sum: e5944a40579e0f37c6a0eeb0ad751344b2d6006c
md5sum: ed6ee0bb714f393219a32768d86984d8)
Changes
* Fix mod_compress to compile with old gcc version (#1592)
* Fix mod_extforward to compile with old gcc version (#1591)
* Update documentation for #1587
* Fix #285 again: read error after SSL_shutdown (thx marton.illes@balabit.com) and clear the error queue before some other calls (CVE-2008-1531)
* Fix mod_magnet: enable “request.method” and “request.protocol” in lighty.env (#1308)
* Fix segfault for appending matched parts if there was no regex matching (just give empty strings) (#1601)
* Use data_response_init in mod_fastcgi x-sendfile handling for response.headers, fix a small “memleak” (#1628)
* Don’t send empty Server headers (#1620)
* Fix conditional interpretation of core options
* Enable escaping of % and $ in redirect/rewrite; only two cases changed their behaviour: “%” => “”, ”$$” => ”$”
* Fix accesslog port (should be port from the connection, not the “server.port”) (#1618)
* Fix mod_fastcgi prefix matching: match the prefix always against url, not the absolute filepath (regardless of check-local)
* Overwrite Content-Type header in mod_dirlisting instead of inserting (#1614), patch by Henrik Holst
* Handle EINTR in mod_cgi during write() (#1640)
* Allow all http status codes by default; disable body only for 204,205 and 304; generate error pages for 4xx and 5xx (#1639)
* Fix mod_magnet to set con->mode = p->id if it generates content, so returning 4xx/5xx doesn’t append an error page
* Remove lighttpd.spec* from source, fixing all problems with it ;-)
* Do not rely on PATH_MAX (POSIX does not require it) (#580)
* Disable logging to access.log if filename is an empty string
* Implement a clean way to open /dev/null and use it to close stdin/out/err in the needed places (#624)
* merge spawn-fcgi changes from trunk (from @2191)
* let spawn-fcgi propagate exit code from spawned fcgi application
* close connection after redirect in trigger_b4_dl (thx icy)
* close connection in mod_magnet if returned status code
* fix bug with IPv6 in mod_evasive (#1579)
* fix scgi HTTP/1.* status parsing (#1638), found by met@uberstats.com
* [tests] fixed system, use foreground daemons and waitpid
* [tests] removed pidfile from test system
* [tests] fixed tests needing php running (if not running on port 1026, search php in env[PHP] or /usr/bin/php-cgi)
* fixed typo in mod_accesslog (#1699)
* replaced buffer_{append,copy}_string with the _len variant where possible (#1732) (thx crypt)
* case insensitive match for secdownload md5 token (#1710)
* Handle only HEAD, GET and POST in mod_dirlisting (same as in staticfile) (#1687)
* fixed mod_secdownload problem with unsigned time_t (#1688)
* handle EAGAIN and EINTR for freebsd sendfile (#1675)
* Use filedescriptor 0 for mod_scgi spawn socket, redirect STDERR to /dev/null (#1716)
* fixed round-robin balancing in mod_proxy (#1715)
* fixed EINTR handling for waitpid in mod_fastcgi
* mod_{fast,s}cgi: overwrite environment variables (#1722)
* inserted many con->mode checks; they should prevent two modules to handle the same request if they shouldn’t (#631)
* fixed url encoding to encode more characters (#266)
* allow digits in [s]cgi env vars (#1712)
* fixed dropping last character of evhost pattern (#161)
* print helpful error message on conditionals in global block (#1550)
* decode url before matching in mod_rewrite (#1720)
* fixed conditional patching of ldap filter (#1564)
* Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server)
* fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by “anders1”
* fixed format string bugs in mod_accesslog for SYSLOG
* replaced fprintf with log_error_write in fastcgi debug
* fixed mem leak in ssi expression parser (#1753), thx Take5k
* hide some ssl errors per default, enable them with debug.log-ssl-noise (#397)
* do not send content-encoding for 304 (#1754), thx yzlai
* fix segfault for stat_cache(fam) calls with relative path (without ’/’, can be triggered by x-sendfile) (#1750)
* fix splitting of auth-ldap filter
* workaround ldap connection leak if a ldap connection failed (restarting ldap)
* fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie)
* fix memleak in request header parsing (#1774, thx qhy)
* fix mod_rewrite memleak/endless loop detection (#1775, thx phy – again!)
* use decoded url for matching in mod_redirect (#1720)
EDIT: Ok. I just found that my native build lacked alot of stuff so I got started on one in my cross-compile environment. I did manage to get it to build but I hit hiccups with it building libmemcache so I removed the requirement and the support for it as well as memcached which are both related. Probably would be nice but for a router it may be a bit much right out of the box. Soon I will have a package here for testing purposes. The package name will be lighttpd and will be lighttpd version 1.4.20. The maintainer will be marked with my name since I made this package. I will include the same patches along with a couple of others to clear a few things up. I'll document them here later when I get the ipkg up. The makefile used is a direct derivative from the original.
I will also see about creating one for 1.5 from the subversion repository as well as a experimental build of 1.4 from the same area. Those will not have any patches and may be updated periodically with the latest code. 1.5 may require a new init.d startup file to allow it to startup and shutdown correctly. The use of lighttpd-angel may be required. I'll look into what others are doing for their scripts. Please note that the src-server.c.patch file is not applied to the subversion repository. Therefore the issue that would be fixed in the normal build may not be here. Specifically it removed the need for floating point emulation on embedded platforms. I don't know if this is a performance patch or an actual bug.
Note: Both 1.4 and 1.5 on subversion compile cleanly on the router with no patching. I assume they will work fine even when I create an ipkg although I will test them first before releasing. Their package names will be lighttpd-dev (1.4 development test) and lighttpd15-dev (1.5 development test).
I am building both the most recent 1.4 and 1.5 code from subversion. If I manage to build and work cleanly on my router then I may go ahead and make ipkg using that code however I would like the maintainer to do it and make a regular release if possible.
http://www.lighttpd.net/2008/9/30/1-4-20-Otherwise-the-terrorists-win
After two prereleases and a lot of bugfixing, we are proud to announce a new release of the 1.4 branch: 1.4.20 is finally out. We would like to thank everybody who tested the prereleases and/or reported bugs in our ticket system. Please pay special attention to the security announcements:
* lighttpd_sa_2008_04.txt (patch: lighttpd-1.4.19_fix_ssl_dos.patch)
* lighttpd_sa_2008_05.txt (patch: lighttpd-1.4.x_rewrite_redirect_decode_url.patch)
* lighttpd_sa_2008_06.txt (patch: lighttpd-1.4.x_userdir_lowercase.patch)
* lighttpd_sa_2008_07.txt (patch: lighttpd-1.4.x_request_header_memleak.patch)
Download
* lighttpd-1.4.20.tar.gz
(sha1sum: 61790c02d9e96c3cb23ffd3907f1caee64c475dd
md5sum: 7ce7eefb487682b61d9b06b41864c64a)
* lighttpd-1.4.20.tar.bz2
(sha1sum: e5944a40579e0f37c6a0eeb0ad751344b2d6006c
md5sum: ed6ee0bb714f393219a32768d86984d8)
Changes
* Fix mod_compress to compile with old gcc version (#1592)
* Fix mod_extforward to compile with old gcc version (#1591)
* Update documentation for #1587
* Fix #285 again: read error after SSL_shutdown (thx marton.illes@balabit.com) and clear the error queue before some other calls (CVE-2008-1531)
* Fix mod_magnet: enable “request.method” and “request.protocol” in lighty.env (#1308)
* Fix segfault for appending matched parts if there was no regex matching (just give empty strings) (#1601)
* Use data_response_init in mod_fastcgi x-sendfile handling for response.headers, fix a small “memleak” (#1628)
* Don’t send empty Server headers (#1620)
* Fix conditional interpretation of core options
* Enable escaping of % and $ in redirect/rewrite; only two cases changed their behaviour: “%” => “”, ”$$” => ”$”
* Fix accesslog port (should be port from the connection, not the “server.port”) (#1618)
* Fix mod_fastcgi prefix matching: match the prefix always against url, not the absolute filepath (regardless of check-local)
* Overwrite Content-Type header in mod_dirlisting instead of inserting (#1614), patch by Henrik Holst
* Handle EINTR in mod_cgi during write() (#1640)
* Allow all http status codes by default; disable body only for 204,205 and 304; generate error pages for 4xx and 5xx (#1639)
* Fix mod_magnet to set con->mode = p->id if it generates content, so returning 4xx/5xx doesn’t append an error page
* Remove lighttpd.spec* from source, fixing all problems with it ;-)
* Do not rely on PATH_MAX (POSIX does not require it) (#580)
* Disable logging to access.log if filename is an empty string
* Implement a clean way to open /dev/null and use it to close stdin/out/err in the needed places (#624)
* merge spawn-fcgi changes from trunk (from @2191)
* let spawn-fcgi propagate exit code from spawned fcgi application
* close connection after redirect in trigger_b4_dl (thx icy)
* close connection in mod_magnet if returned status code
* fix bug with IPv6 in mod_evasive (#1579)
* fix scgi HTTP/1.* status parsing (#1638), found by met@uberstats.com
* [tests] fixed system, use foreground daemons and waitpid
* [tests] removed pidfile from test system
* [tests] fixed tests needing php running (if not running on port 1026, search php in env[PHP] or /usr/bin/php-cgi)
* fixed typo in mod_accesslog (#1699)
* replaced buffer_{append,copy}_string with the _len variant where possible (#1732) (thx crypt)
* case insensitive match for secdownload md5 token (#1710)
* Handle only HEAD, GET and POST in mod_dirlisting (same as in staticfile) (#1687)
* fixed mod_secdownload problem with unsigned time_t (#1688)
* handle EAGAIN and EINTR for freebsd sendfile (#1675)
* Use filedescriptor 0 for mod_scgi spawn socket, redirect STDERR to /dev/null (#1716)
* fixed round-robin balancing in mod_proxy (#1715)
* fixed EINTR handling for waitpid in mod_fastcgi
* mod_{fast,s}cgi: overwrite environment variables (#1722)
* inserted many con->mode checks; they should prevent two modules to handle the same request if they shouldn’t (#631)
* fixed url encoding to encode more characters (#266)
* allow digits in [s]cgi env vars (#1712)
* fixed dropping last character of evhost pattern (#161)
* print helpful error message on conditionals in global block (#1550)
* decode url before matching in mod_rewrite (#1720)
* fixed conditional patching of ldap filter (#1564)
* Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server)
* fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by “anders1”
* fixed format string bugs in mod_accesslog for SYSLOG
* replaced fprintf with log_error_write in fastcgi debug
* fixed mem leak in ssi expression parser (#1753), thx Take5k
* hide some ssl errors per default, enable them with debug.log-ssl-noise (#397)
* do not send content-encoding for 304 (#1754), thx yzlai
* fix segfault for stat_cache(fam) calls with relative path (without ’/’, can be triggered by x-sendfile) (#1750)
* fix splitting of auth-ldap filter
* workaround ldap connection leak if a ldap connection failed (restarting ldap)
* fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie)
* fix memleak in request header parsing (#1774, thx qhy)
* fix mod_rewrite memleak/endless loop detection (#1775, thx phy – again!)
* use decoded url for matching in mod_redirect (#1720)
EDIT: Ok. I just found that my native build lacked alot of stuff so I got started on one in my cross-compile environment. I did manage to get it to build but I hit hiccups with it building libmemcache so I removed the requirement and the support for it as well as memcached which are both related. Probably would be nice but for a router it may be a bit much right out of the box. Soon I will have a package here for testing purposes. The package name will be lighttpd and will be lighttpd version 1.4.20. The maintainer will be marked with my name since I made this package. I will include the same patches along with a couple of others to clear a few things up. I'll document them here later when I get the ipkg up. The makefile used is a direct derivative from the original.
I will also see about creating one for 1.5 from the subversion repository as well as a experimental build of 1.4 from the same area. Those will not have any patches and may be updated periodically with the latest code. 1.5 may require a new init.d startup file to allow it to startup and shutdown correctly. The use of lighttpd-angel may be required. I'll look into what others are doing for their scripts. Please note that the src-server.c.patch file is not applied to the subversion repository. Therefore the issue that would be fixed in the normal build may not be here. Specifically it removed the need for floating point emulation on embedded platforms. I don't know if this is a performance patch or an actual bug.
Note: Both 1.4 and 1.5 on subversion compile cleanly on the router with no patching. I assume they will work fine even when I create an ipkg although I will test them first before releasing. Their package names will be lighttpd-dev (1.4 development test) and lighttpd15-dev (1.5 development test).