openSUSE-SU-2014:0449-1
History: Mar 26, 2014 - 5:04 p.m.

lighttpd to 1.4.35 (important)

2014-03-26 17:04:44
lists.opensuse.org

EPSS: 0.964 (High), percentile 99.4%

lighttpd was updated to version 1.4.35, fixing bugs and
security issues:

CVE-2014-2323: SQL injection vulnerability in
mod_mysql_vhost.c in lighttpd allowed remote attackers to
execute arbitrary SQL commands via the host name, related
to request_check_hostname.

CVE-2014-2324: Multiple directory traversal vulnerabilities
in (1) mod_evhost and (2) mod_simple_vhost in lighttpd
allowed remote attackers to read arbitrary files via a ..
(dot dot) in the host name, related to
request_check_hostname.

More information can be found on the lighttpd advisory
page:
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
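Both issues share one root cause: the Host header value reached a filesystem path (mod_evhost, mod_simple_vhost) and an SQL string (mod_mysql_vhost) without being checked. The C program below is added here as an illustration; it is not lighttpd's request_check_hostname or its module code and makes no claim about their exact rules. It shows a strict host-name validator and the difference between building a vhost document root with and without it. The base directory /srv/www/vhosts/, the /htdocs/ suffix and every sample Host value are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical host-name validator written for this page (not lighttpd's
 * request_check_hostname). It accepts only what a DNS host name in a Host
 * header can legitimately contain: labels of [A-Za-z0-9-] that do not start
 * or end with '-', separated by single dots, an optional trailing dot, and
 * an optional ":<1-5 digits>" port. Anything else, including ".." (traversal),
 * quotes, spaces and '/', is rejected before the value can reach a path join
 * or an SQL string. */
int hostname_is_valid(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;

    /* optional port suffix: ':' followed by 1..5 digits and nothing after */
    const char *colon = strchr(host, ':');
    const char *end = colon ? colon : host + len;
    if (colon) {
        const char *q = colon + 1;
        if (*q == '\0') return 0;
        for (; *q; q++) {
            if (!isdigit((unsigned char)*q)) return 0;
        }
        if (q - (colon + 1) > 5) return 0;
    }
    if (end == host) return 0;            /* ":80" with no name at all */

    /* walk the labels */
    size_t label_len = 0;
    for (const char *p = host; p < end; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '.') {
            if (label_len == 0) return 0; /* leading dot, or ".." */
            if (p[-1] == '-') return 0;   /* label ends with '-' */
            label_len = 0;
        } else if (isalnum(c) || c == '-') {
            if (label_len == 0 && c == '-') return 0; /* label starts with '-' */
            if (++label_len > 63) return 0;
        } else {
            return 0;                     /* '/', '\'', ' ', control bytes, ... */
        }
    }
    return end[-1] != '-';                /* trailing dot is fine, trailing '-' is not */
}

/* Shape of a simple-vhost document-root lookup: base + host + "/htdocs/".
 * This is the unchecked form the advisory's traversal amounts to
 * (illustration only, not mod_simple_vhost's code). */
int vhost_docroot_unchecked(const char *base, const char *host,
                            char *out, size_t outlen) {
    size_t hlen = strcspn(host, ":");     /* drop any :port from the path */
    int n = snprintf(out, outlen, "%s%.*s/htdocs/", base, (int)hlen, host);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened form: validate first, then build. */
int vhost_docroot(const char *base, const char *host,
                  char *out, size_t outlen) {
    if (!hostname_is_valid(host)) return 0;
    return vhost_docroot_unchecked(base, host, out, outlen);
}

/* Convenience wrappers that build into a local buffer and compare the result,
 * so a caller can check outcomes without managing storage. */
int docroot_matches(const char *host, const char *expected) {
    char buf[512];
    return vhost_docroot("/srv/www/vhosts/", host, buf, sizeof buf)
        && strcmp(buf, expected) == 0;
}

int docroot_unchecked_matches(const char *host, const char *expected) {
    char buf[512];
    return vhost_docroot_unchecked("/srv/www/vhosts/", host, buf, sizeof buf)
        && strcmp(buf, expected) == 0;
}

int main(void) {
    /* constructed Host header values, not captured traffic */
    const char *hosts[] = {
        "www.example.com", "www.example.com:8080", "example.com.",
        "../../etc", "www..example.com", "x' OR '1'='1", "-bad.example.com",
        "example.com:", "example.com:80a", ""
    };
    char buf[512];
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        vhost_docroot_unchecked("/srv/www/vhosts/", hosts[i], buf, sizeof buf);
        printf("%-22s valid=%d unchecked_docroot=%s\n", hosts[i],
               hostname_is_valid(hosts[i]), buf);
    }
    return 0;
}
```

The unchecked build turns a Host of ../../etc into /srv/www/vhosts/../../etc/htdocs/, which is the traversal; the same value with a quote in it is what the SQL injection rides on. Validating the host name is the first line of defence, but a vhost lookup that interpolates the name into an SQL statement should still escape or parameterise it, since the validator and the query are separate layers.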

Other changes:

  • [network/ssl] fix build error if TLSEXT is disabled
  • [mod_fastcgi] fix use after free (only triggered if
    fastcgi debug is active)
  • [mod_rrdtool] fix invalid read (string not null
    terminated)
  • [mod_dirlisting] fix memory leak if pcre fails
  • [mod_fastcgi,mod_scgi] fix resource leaks on spawning
    backends
  • [mod_magnet] fix memory leak
  • add comments for switch fall throughs
  • remove logical dead code
  • [buffer] fix length check in buffer_is_equal_right_len
  • fix resource leaks in error cases on config parsing and
    other initializations
  • add force_assert() to enforce assertions as simple
    assert()s are disabled by -DNDEBUG (fixes #2546)
  • [mod_cml_lua] fix null pointer dereference
  • force assertion: setting FD_CLOEXEC must work (if
    available)
  • [network] check return value of lseek()
  • fix unchecked return values from
    stream_open/stat_cache_get_entry
  • [mod_webdav] fix logic error in handling file creation
    error
  • check length of unix domain socket filenames
  • fix SQL injection / host name validation (thx Jann Horn)

For all the changes see /usr/share/doc/packages/lighttpd/NEWS