--- embedaddon/lighttpd/NEWS 2013/10/14 10:32:47 1.1.1.1 +++ embedaddon/lighttpd/NEWS 2014/06/15 20:20:05 1.1.1.2 
@@ -3,7 +3,42 @@ NEWS ==== -- 1.4.33 - +- 1.4.35 + * [network/ssl] fix build error if TLSEXT is disabled + * [mod_fastcgi] fix use after free (only triggered if fastcgi debug is active) + * [mod_rrdtool] fix invalid read (string not null terminated) + * [mod_dirlisting] fix memory leak if pcre fails + * [mod_fastcgi,mod_scgi] fix resource leaks on spawning backends + * [mod_magnet] fix memory leak + * add comments for switch fall throughs + * remove logical dead code + * [buffer] fix length check in buffer_is_equal_right_len + * fix resource leaks in error cases on config parsing and other initializations + * add force_assert() to enforce assertions as simple assert()s are disabled by -DNDEBUG (fixes #2546) + * [mod_cml_lua] fix null pointer dereference + * force assertion: setting FD_CLOEXEC must work (if available) + * [network] check return value of lseek() + * fix unchecked return values from stream_open/stat_cache_get_entry + * [mod_webdav] fix logic error in handling file creation error + * check length of unix domain socket filenames + * fix SQL injection / host name validation (thx Jann Horn) + +- 1.4.34 + * [mod_auth] explicitly link ssl for SHA1 (fixes #2517) + * [mod_extforward] fix compilation without IPv6, (not) using undefined var (fixes #2515, thx mm) + * [ssl] fix SNI handling; only use key+cert from SNI specific config (fixes #2525, CVE-2013-4508) + * [doc] update ssl.cipher-list recommendation + * [stat-cache] FAM: fix use after free (CVE-2013-4560) + * [stat-cache] fix FAM cleanup/fdevent handling + * [core] check success of setuid,setgid,setgroups (CVE-2013-4559) + * [ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken) + * maintain physical.basedir (the "acting" doc-root as prefix of physical.path) in more places + * [core] decode URL before rewrite, enabling it to work in $HTTP["url"] conditionals (fixes #2526) + * [auto* build] remove -no-undefined from linker flags, as we actually link modules with undefined symbols 
(fixes #2533) + * [mod_mysql_vhost] fix memory leak on config init (#2530) + * [mod_webdav] fix fd leak found with parfait (fixes #2530, thx kukackajiri) + +- 1.4.33 - 2013-09-27 * mod_fastcgi: fix mix up of "mode" => "authorizer" in other fastcgi configs (fixes #2465, thx peex) * fix handling of If-Modified-Since if If-None-Match is present (don't return 412 for date parsing errors); follow current draft for HTTP/1.1, which tells us to ignore If-Modified-Since if we have matching etags.
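Review bot: the last 1.4.35 entry, "fix SQL injection / host name validation (thx Jann Horn)", has no module tag and no issue or advisory reference. The 1.4.34 security entries in the same hunk cite CVE-2013-4508, CVE-2013-4560 and CVE-2013-4559. Suggest prefixing the entry with the affected module(s) in the bracket style the other lines use and appending the advisory identifier if one has been assigned, so packagers can tell from NEWS that 1.4.35 is a security release. The memory-safety fixes in that list (mod_fastcgi use after free, mod_rrdtool invalid read, mod_cml_lua null pointer dereference) likewise carry no issue number, which makes them hard to trace back to a commit. Two smaller points: the new "- 1.4.35" and "- 1.4.34" headings have no release date while "- 1.4.33 - 2013-09-27" gains one in this same change, and #2530 is cited for both the mod_mysql_vhost memory leak and the mod_webdav fd leak, so please confirm that both references are intended.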