
Lighttpd 1.4.35 released, with important bug fixes

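Published: 2014-03-13 09:20:59 | Source: 红联 | Author: empast

Lighttpd 1.4.35 has been released. This version contains many bug fixes, including fixes for issues reported by scan.coverity.com. The most important one, however, is a SQL injection (and path traversal) issue: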

lighttpd SA-2014-01 (no CVE yet)

Changes from 1.4.34
[network/ssl] fix build error if TLSEXT is disabled
[mod_fastcgi] fix use after free (only triggered if fastcgi debug is active)
[mod_rrdtool] fix invalid read (string not null terminated)
[mod_dirlisting] fix memory leak if pcre fails
[mod_fastcgi,mod_scgi] fix resource leaks on spawning backends
[mod_magnet] fix memory leak
add comments for switch fall throughs
remove logical dead code
[buffer] fix length check in buffer_is_equal_right_len
fix resource leaks in error cases on config parsing and other initializations
add force_assert() to enforce assertions as simple assert()s are disabled by -DNDEBUG (fixes #2546)
[mod_cml_lua] fix null pointer dereference
force assertion: setting FD_CLOEXEC must work (if available)
[network] check return value of lseek()
fix unchecked return values from stream_open/stat_cache_get_entry
[mod_webdav] fix logic error in handling file creation error
check length of unix domain socket filenames
fix SQL injection / host name validation (thx Jann Horn)

Download: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.35.tar.gz

From: oschina (Open Source China community)