--- lighttpd-1.4.22/NEWS 2009-03-07 08:54:39.000000000 -0500 +++ lighttpd-1.4.26-1ubuntu1/NEWS 2010-02-20 01:19:36.000000000 -0500 @@ -3,7 +3,145 @@ NEWS ==== -- 1.4.22 - +- 1.4.26 - + * Fix request parser to handle packets with splitted \r\n\r\n (fixes #2105) + * Remove dependency on automake >= 1.11 with m4_ifdef check + * mod_accesslog: support %e (fixes #2113, thx presbrey) + * Fix mod_cgi cgi.execute-x-only option in global block + * mod_fastcgi: x-sendfile2 parse error debugging + * Fix mod_proxy dead host detection if connect() fails + * Fix fd leaks in mod_cgi (fds not closed on pipe/fork failures, found by Rodrigo, fixes #2158, #2159) + * Fix segfault with broken rewrite/redirect patterns (fixes #2140, found by crypt) + * Append to previous buffer in con read, fix DoS/OOM vulnerability (fixes #2147, found by liming, CVE-2010-0295) + * Fix HUP detection in close-state if event-backend doesn't support FDEVENT_HUP (like select or poll on FreeBSD) + +- 1.4.25 - 2009-11-21 + * mod_magnet: fix pairs() for normal tables and strings (fixes #1307) + * mod_magnet: add traceback for printing lua errors + * mod_rewrite: fix compile error if compiled without pcre + * disable warning "CLOSE-read" (fixes #2091) + * mod_rrdtool: fix creating file if it doesn't exist (#1788) + * reset tlsext_server_name in connection_reset - fixes random hostnames in the $HTTP["host"] conditional + * export some SSL_CLIENT_* vars for client cert validation (fixes #1288, thx presbrey) + * mod_fastcgi: fix mod_fastcgi packet parsing + * mod_fastcgi: Don't reconnect after connect() succeeded (fixes #2096) + * Fix configure.ac to allow autoreconf, also enables make V=0 + +- 1.4.24 - 2009-10-25 + * Add T_CONFIG_INT for bigger integers from the config (needed for #1966) + * Use unsigned int (and T_CONFIG_INT) for max_request_size + * Use unsigned int for secdownload.timeout (fixes #1966) + * Keep url/host values from connection to display information while keep-alive in mod_status (fixes #1202) + * Add server.breakagelog, a "special" stderr (fixes #1863) + * Fix config evaluation for debug.log-timeouts option (#1529) + * Add "cgi.execute-x-only" to mod_cgi, requires +x for cgi scripts (fixes #2013) + * Fix FD_SETSIZE comparision warnings + * Add "lua-5.1" to searched pkg-config names for lua + * Fix unused function webdav_lockdiscovery in mod_webdav + * cmake: Fix crypt lib check + * cmake: Add -export-dynamic to link flags, fixes build on FreeBSD + * Set FD_CLOEXEC for bound sockets before pipe-logger forks (fixes #2026) + * Reset ignored signals to SIG_DFL before exec() in fastcgi/scgi (fixes #2029) + * Show "no uri specified -> 400" error only when "debug.log-request-header-on-error" is enabled (fixes #2030) + * Fix hanging connection in mod_scgi (fixes #2024) + * Allow digits in hostnames in more places (fixes #1148) + * Use connection_reset instead of handle_request_done for cleanup callbacks + * Change mod_expire to append Cache-Control instead of overwriting it (fixes #1997) + * Allow all comparisons for $SERVER["socket"] - only bind for "==" + * Remove strptime failed message (fixes #2031) + * Fix issues found with clang analyzer + * Try to fix server.tag issue with localized svnversion + * Fix handling network-write return values (#2024) + * Use disable-time in fastcgi for all disables after errors, default is 1sec (fixes #2040) + * Remove adaptive spawning code from fastcgi (was disabled for a long time) + * Allow mod_mysql_vhost to use stored procedures (fixes #2011, thx Ben Brown) + * Fix ipv6 in mod_proxy (fixes #2043) + * Print errors from include_shell to stderr + * Set tm.tm_isdst = 0 before mktime() (fixes #2047) + * Use linux-epoll by default if available (fixes #2021, thx Olaf van der Spek) + * Print an error if you use too many captures in a regex pattern (fixes #2059) + * Combine Cache-Control header value in mod_expire to existing HTTP header if header already added by other modules (fixes #2068) + * Remember keep-alive-idle in separate variable (fixes #1988) + * Fix header inclusion order, always include "config.h" before any system header + * mod_webdav: Patch to skip login information for domain part of Destination field (fixes #1793) + * mod_webdav: Delete old properties before updating new for MOVE (fixes #1317) + * Read hostname from absolute uris in the request line (fixes #1937) + * mod_fastcgi: don't disable backend if disable-time is 0 (fixes #1825) + * mod_compress: match partial+full content-type (fixes #1552) + * mod_fastcgi: fix is_local detection, respawn backends if bin-path is set (fixes #897) + * Fix linger-on-close behaviour to avoid rare failure conditions (was r2636, fixes #657) + * mod_fastcgi: restart local procs immediately after they terminated, fix local procs handling + * Fix segfault on invalid config "duplicate else conditions" (fixes #2065) + * mod_usertrack: Use T_CONFIG_INT for max-age, solves range problem (#1455) + * mod_accesslog: configurable timestamp logging (fixes #1479) + * always define _GNU_SOURCE + * Add some iterators for mod_magnet (fixes #1307) + * Fix close_timeout_ts trigger (should finally fix lingering close) + * mod_rewrite: add url.rewrite-[repeat-]if-not-file to rewrite if file doesn't exist or is not a regular file (fixes #985, thx lucas aerbeydt) + * Add TLS servername indication (SNI) support (fixes #386, thx Peter Colberg ) + * Add SSL Client Certificate verification (#1288) + * mod_fastcgi: Fix host->active_procs counter, return 503 if connect wasn't successful after 5 tries (fixes #1825) + * mod_accesslog: escape special characters (fixes #1551, thx icy) + * fix mod_webdav crash from #1793 (fixes #2084, thx hiroya) + * Don't print ssl error if client didn't support TLS SNI + * Fix linger close timeout handling, drop timeout to 5 seconds (fixes #2086) + * Fix broken return values from int to enum in mod_fastcgi + +- 1.4.23 - 2009-06-19 + * Added some extra warning options in cmake and fix the resulting warnings (unused/static functions) + * New lighttpd man page (moved it to section 8) (fixes #1875) + * Create rrd file for empty rrdfile in mod_rrdtool (#1788) + * Fix workaround for incorrect path info/scriptname if fastcgi prefix is "/" (fixes #729) + * Finally removed spawn-fcgi + * Allow xattr to overwrite mime type (fixes #1929) + * Remove link from errormsg about fastcgi apps (fixes #1942) + * Strip trailing dot from "Host:" header + * Remove the optional port info from SERVER_NAME (thx Mr_Bond) + * Fix mod_proxy RoundRobin (off by one problem if only one backend is up) + * Rename configure.in to configure.ac, with small cleanups (fixes #1932) + * Add proper SUID bit detection (fixes #416) + * Check for regular file in mod_cgi, so we don't try to start directories + * Include mmap.h from chunk.h to fix some problems with #define mmap mmap64 (fixes #1923) + * Add support for pipe logging for server.errorlog (fixes #296) + * Add revision number to package version for svn/git checkouts + * Use server.tag for SERVER_SOFTWARE if configured (fixes #357) + * Fix trailing zero char in REQUEST_URI after "strip-request-uri" in mod_fastcgi + * mod_magnet: Add env["request.remote-ip"] (fixes #1740) + * mod_magnet: Add env["request.path-info"] + * Change name/version separator back to "/" (affects every place where the version is printed) + * Fix bug with FastCGI request id overflow under high load; just use always id 1 as we don't use multiplexing. (thx jgray) + * Add some dirlisting enhancements (fixes #1458) + * Add option to enable TCP_DEFER_ACCEPT (fixes #1447) + * Limit amount of bytes read for one read-event (fixes #1070) + * Add evasive.silent option (fixes #1438) + * Make mod_extforward headers configurable (fixes #1545) + * Add '%_' pattern for complete hostname in mod_evhost (fixes #1737) + * Add IPv6 support to mod_proxy (fixes #1537) + * mod_ssi printenv: print cgi env, add environment vars to cgi env (fixes #1713) + * Fix error message if no auth backend was set + * Fix SERVER_NAME port stripping (fixes #1968) + * Fix x-sendfile 2gb limiting (fixes #1970) + * Fix mod_cgi environment keys mangling (fixes #1969) + * Fix workaround for incorrect path info/scriptname if scgi prefix is "/" (fixes #729) + * Fix max-age value in mod_expire for 'modification' (fixes #1978) + * Fix evasive.silent option (#1438) + * Fix mod-fastcgi counters + * Modify fastcgi error message + * Backup errno for later usage (reported by Guido Reina via mailinglist) + * Improve FastCGI performance (fixes #1999) + * Workaround broken operating systems: check for trailing '/' in filenames (fixes #1989) + * Allow using pcre with cross-compiling (pcre-config got fixed; fixes #1986) + * Add "lighty.req_env" table to mod_magnet for setting/getting environment values for cgi (fixes #1967, thx presbrey) + * Fix segfault in mod_expire after failed config parsing (fixes #1992) + * Add ssi.content-type option (default text/html, fixes #615) + * Add support for "real" entropy from /dev/[u]random (fixes #1977) + * Adding support for additional chars in LDAP usernames (fixes #1941) + * Ignore multiple "If-None-Match" headers (only use first one, fixes #753) + * Fix 100% cpu usage if time() < 0 (thx to gaspa and cate, fixes #1964) + * Allow max-keep-alive-requests to depend on conditional (fixes #1881) + * Make dependency on svnversion/git optional (for devel versionstamp, fixes #2009) + +- 1.4.22 - 2009-03-07 * Fix wrong lua type for CACHE_MISS/CACHE_HIT in mod_cml (fixes #533) * Fix default vhost in mod_simple_vhost (fixes #1905) * Handle EINTR in mod_rrdtool (fixes #604)