Some time passed since the last pre-release, time for an update.

Everyone who runs 1.5.0 already has to upgrade to get fixes several vulnerabilities that got fixed in the 1.4.x branch already.

If this release passes your requirements it will be the last 1.5.0 pre-release. Afterwards we will start the the normal 1.5.x series and will add the missing features in 1.5.1 and later.

Download:
www.lighttpd.net/download/lighttpd-1.5.0-r1992.tar.gz

md5sum: b62e2442ee0f3395844b54385b14397a

Changes

• added native support for mingw32
• added experimental option to compile without glib
• fixed mod_uploadprogress
• fixed endless loop on freebsd-sendfile (#1289)
• fixed compile in IRIX and HP/UX
• fixed hardcoded font-sizes in mod_dirlisting (#1267)
• fixed different ETag length on 32/64 platforms (#1279)
• fixed conditional dir-listing.exclude (#930)
• fixed CONTENT_LENGTH = -1 in mod_cgi (#1276)
• fixed typecast of NULL on execl() (#1235)
• fixed extra Content-Length header on 1xx, 204 and 304 (#1002)
• fixed mysql server reconnects (#518)
• fixed prctl() usage (#1310, #1333)
• fixed FastCGI header overrun in mod_proxy_backend_fastcgi (reported by mattias@secweb.se)
• fixed mem-leak in mod_auth (reported by Stefan Esser)
• fixed crash with md5-sess and cnonce not set in mod_auth (reported by Stefan Esser)
• fixed missing check for base64 encoded string in mod_auth and Basic auth
  (reported by Stefan Esser)
• fixed possible crash in Auth-Digest header parser on trailing WS in
  mod_auth (reported by Stefan Esser)

In changeset 1981 I added a angel process to the lighttpd build. It solves several problems when we have everything running as expected:

• SIGHUP leads to a graceful restart (config reloads)
• SIGINT is graceful shutdown as now
• all unhandled signals lead to a restart of the lighttpd process

I'll give a presentation on lighttpd at the "Kieler Linuxtage":http://www.kieler-linuxtage.de/ on September 8th, 2007. I'll talk about lighttpd, its past and future, the special modules and performance. I will also try to give some content to the un-conference going on at the same time. Perhaps some MySQL Proxy stuff ?

Looking at the bug-system a few days ago we had something like 460 bugs open.

Quite a bunch of them were duplicates of the same issue and others were already fixed in the code and just not closed in the bug-system.

Scanning through the bugs I wrote some more test-cases to verify that the reports were valid and along the way at least these bugs got fixed:

  * added dir-listing.set-footer in mod_dirlisting (#1277)
  * fixed hardcoded font-sizes in mod_dirlisting (#1267)
  * fixed different ETag length on 32/64 platforms (#1279)
  * fixed compression of files < 128 bytes by disabling compression (#1241)
  * fixed mysql server reconnects (#518)
  * fixed disabled keep-alive for dynamic content with HTTP/1.0 (#1166)
  * fixed crash on mixed EOL sequences in mod_cgi
  * fixed key compare (#1287)
  * fixed invalid char in header values (#1286)
  * fixed invalid "304 Not Modified" on broken timestamps
  * fixed endless loop on shrinked files with sendfile() on BSD (#1289)
  * fixed counter overrun in ?auto in mod_status (#909)
  * fixed too aggresive caching of nested conditionals (#41)
  * fixed possible overflow in unix-socket path checks on BSD (#713)
  * fixed extra Content-Length header on 1xx, 204 and 304 (#1002)
  * fixed handling of duplicate If-Modified-Since to return 304
  * fixed extracting status code from NPH scripts (#1125)
  * removed config-check if passwd files exist (#1188)

Now the bug-count is at 413, a start.

We had enabled spamfilter in //trac.lighttpd.net/ long ago and it was doing fine blocking lots of spam messages, but I didn’t notice that it blocked some ham messages too by rasing “your ip is blacklisted by sc.surbl.org” error.

I appreciate your help when you try hard clicking the submit button for wiki/tickets and am sorry for blocking you.

I spent some time tweaking karma settings in trac spamfilter recently. It was a bit hard to get what karma is even by asking the ppl in #trac, until i read the source. Anyway, it looks better now, and we’ll keep watching the monitor and see if there’s something mis-blocked, and tweak the settings accordingly. You may also register and login to get pass the spam checking.

You provided feedback. We listened.

Thanks.

darix released a bug-fix release for 1.4.x

www.lighttpd.net/2007/7/24/1-4-16-let-s-ship-it

It contains fixes for crashing bugs discovered by over the last weeks and we encourage to upgrade from earlier releases to 1.4.16. Especially lighttpd-SA2007-03 should convince you to upgrade. It can crash all lighttpd 1.4.x releases. In 1.5.0 this is fixed as we replace the parser by a generated one and replacing the hand-crafted one in 1.4.×.

Baby-steps, …

As we are running this release on lighttpd.net it is time to push it out to more testers.

Download: www.lighttpd.net/download/lighttpd-1.5.0-r1857.tar.gz

Changes:

• mod-proxy-core

• added support to rewrite PATHINFO and SCRIPTNAME
• fixed setenv.environment support
• fixed random crashes
• fixed keep-alive announcement if keep-alive is disabled
• fixed handling of status 304 from the backends

• fixed handling of trailing CRLF after a KeepAlive POST
• fixed the output of lighttpd -p to result in a real configfile
• fixed loading of default modules if they are explicitly specified

Last weekend I was at the PHP Unconference and gave a talk about lighttpd. Perhaps we will see a mod_auth_backend_"openid":http://www.unconf-hh.de/index.php?title=OpenID in the near future …

A nice small unconference with some nice non-talks about Tagging and University meets Business. While the quantity of attendance was a bit low, the quality was high.

Anyway, my talk covers lighttpd, 1.5.0 and the cool modules around flv, secdownload, … and is available as PDF and SWF

All the lighttpd.net domains (blog, trac, www, xcache, upload, …) are now running lighttpd 1.5.0-trunk. It took some debugging to sort out problems with the way trac wants to handle PATH_INFO 1841
and how ruby handles fastcgi-keepalive requests via Unix-Sockets 1850 1849

In case you see that one of the sites is down, ping me (weigon) on IRC. The server is running in valgrind and should provide enough information to fix the problem.

… or eating our’s own dog food.

We are now running lighttpd 1.5.0-r1811 at lighttpd.net next to the lighttpd-1.4.13 [official debian] package.

This is one way to say that this is a Release Candidate and that we want to expose it to more testers out there. Update: lighttpd.net is running on 1.5.0-trunk/

As working demo you have:

• http://lighttpd.net
• upload.lighttpd.net/upload.html

Yes, that’s mod_uploadprogress in action :)