Lighttpd 1.4.34 has been released. This version contains several important security fixes, including:
lighttpd SA-2013-01 (CVE-2013-4508)
lighttpd SA-2013-02 (CVE-2013-4559)
lighttpd SA-2013-03 (CVE-2013-4560)
Download:
http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.34.tar.gz
Changes from 1.4.33
[mod_auth] explicitly link ssl for SHA1 (fixes #2517)
[mod_extforward] fix compilation without IPv6, (not) using undefined var (fixes #2515, thx mm)
[ssl] fix SNI handling; only use key+cert from SNI specific config (fixes #2525, CVE-2013-4508)
[doc] update ssl.cipher-list recommendation
[stat-cache] FAM: fix use after free (CVE-2013-4560)
[stat-cache] fix FAM cleanup/fdevent handling
[core] check success of setuid,setgid,setgroups (CVE-2013-4559)
[ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken)
maintain physical.basedir (the “acting” doc-root as prefix of physical.path) in more places
[core] decode URL before rewrite, enabling it to work in $HTTP["url"] conditionals (fixes #2526)
[auto* build] remove -no-undefined from linker flags, as we actually link modules with undefined symbols (fixes #2533)
[mod_mysql_vhost] fix memory leak on config init (#2530)
[mod_webdav] fix fd leak found with parfait (fixes #2530, thx kukackajiri)
Source: OSChina community (开源中国社区)

