lighty's life

lighty developer blog

PRE-RELEASE: Lighttpd 1.4.26rc1-r2710

We would like to draw your attention to the latest pre-release of the stable 1.4 branch of lighttpd.

You can get the pre-release from these URLs:
SHA1 checksums:

Please test it as much as possible and provide us with feedback.
A lot of testing ensures a good release.

There have been some important bug fixes: request parser handling for split header data, an fd leak in mod_cgi, a segfault with broken configs in mod_rewrite/mod_redirect, and of course the latest security issue, an OOM vulnerability.

If no showstoppers are encountered, there will be a final release soon.

PS: As it is often asked in the comments: We don’t plan to release 1.5, as we are working on 2.0; we can’t support too many different versions, so while we are still trying to keep 1.5 working, our main efforts will be keeping 1.4 stable and working on 2.0 for now.

Changelog since 1.4.25:

  • Fix request parser to handle packets with split \r\n\r\n (fixes #2105)
  • Remove dependency on automake >= 1.11 with m4_ifdef check
  • mod_accesslog: support %e (fixes #2113, thx presbrey)
  • Fix mod_cgi cgi.execute-x-only option in global block
  • mod_fastcgi: x-sendfile2 parse error debugging
  • Fix mod_proxy dead host detection if connect() fails
  • Fix fd leaks in mod_cgi (fds not closed on pipe/fork failures, found by Rodrigo, fixes #2158, #2159)
  • Fix segfault with broken rewrite/redirect patterns (fixes #2140, found by crypt)
  • Append to previous buffer in con read, fix DoS/OOM vulnerability (fixes #2147, found by liming, CVE-2010-0295)
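
The two parser-related entries above (a header terminator split across packets, and appending reads to the previous buffer) can be illustrated with the following added example. It is not lighttpd's code: the names hdr_reader and hdr_feed and the HDR_MAX cap are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_MAX 8192 /* assumed cap on total request-header bytes */
/* Hypothetical per-connection state: one buffer reused across reads. */
struct hdr_reader {
    char   buf[HDR_MAX];
    size_t len;     /* bytes stored so far */
    int    matched; /* bytes of "\r\n\r\n" matched so far (0..3) */
};

enum hdr_status { HDR_TOO_LARGE = -1, HDR_NEED_MORE = 0, HDR_COMPLETE = 1 };

/* Feed one chunk exactly as read() returned it. The match state lives in
 * the reader, so the terminator may straddle any number of chunks. On
 * HDR_COMPLETE, *hdr_len is the header length including the terminator;
 * bytes after it in the chunk (the body) are left for the caller. */
enum hdr_status hdr_feed(struct hdr_reader *r, const char *chunk, size_t n,
                         size_t *hdr_len)
{
    static const char term[4] = { '\r', '\n', '\r', '\n' };
    for (size_t i = 0; i < n; i++) {
        char c = chunk[i];
        if (r->len == HDR_MAX)
            return HDR_TOO_LARGE;      /* bounded memory: drop the connection */
        r->buf[r->len++] = c;          /* append to the data already held */
        if (c == term[r->matched])
            r->matched++;
        else
            r->matched = (c == '\r');  /* a stray '\r' can start a new match */
        if (r->matched == 4) {
            r->matched = 0;            /* keep the index in range on reuse */
            *hdr_len = r->len;
            return HDR_COMPLETE;
        }
    }
    return HDR_NEED_MORE;
}

int main(void)
{
    /* Constructed input: one request delivered in three reads. */
    const char *reads[] = { "GET / HTTP/1.1\r\nHost: a\r", "\n\r", "\n" };
    static struct hdr_reader r; /* static storage is zero-initialised */
    size_t hdr_len = 0;
    for (int i = 0; i < 3; i++)
        printf("read %d -> %d\n", i,
               hdr_feed(&r, reads[i], strlen(reads[i]), &hdr_len));
}
```

Searching each chunk on its own for \r\n\r\n would miss the terminator in this input, while keeping the match state and a single capped buffer per connection finds it and bounds memory use.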

If you want to get the latest source for any branch, you can get it from our svn repository.
Documentation to do so can be obtained from this page:
Bug reports or feature requests can be filed in our ticket system:
Please make sure to check if there isn’t a ticket already here:
Perhaps you also want to have a look at our new download site

Thank you for flying light.