Posted to cvs@httpd.apache.org by pq...@apache.org on 2009/10/03 22:45:44 UTC
svn commit: r17 [4/18] - in /release/httpd: ./ binaries/ binaries/netware/
binaries/os2/ binaries/reliantunix/ binaries/rpm/ binaries/rpm/SRPMS/
binaries/rpm/i386/ binaries/rpm/x86_64/ binaries/solaris/ binaries/win32/
binaries/win32/patches_applied/ b...
Added: release/httpd/CHANGES_2.0
==============================================================================
--- release/httpd/CHANGES_2.0 (added)
+++ release/httpd/CHANGES_2.0 Sat Oct 3 16:45:15 2009
@@ -0,0 +1,7354 @@
+ -*- coding: utf-8 -*-
+Changes with Apache 2.0.63
+
+ *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
+ to /Device/Nul as the server is starting up, mirroring unix MPM's.
+ PR: 43534 [Tom Donovan <Tom.Donovan acm.org>, William Rowe]
+
+ *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
+ by recreating the bucket allocator each time the trans pool is cleared.
+ PR: 11427 #16 (follow-on) [Tom Donovan <Tom.Donovan acm.org>]
+
+Changes with Apache 2.0.62 (not released)
+
+ *) SECURITY: CVE-2007-6388 (cve.mitre.org)
+ mod_status: Ensure refresh parameter is numeric to prevent
+ a possible XSS attack caused by redirecting to other URLs.
+ Reported by SecurityReason. [Mark Cox, Joe Orton]
+
+ *) SECURITY: CVE-2007-5000 (cve.mitre.org)
+ mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
+ [Joe Orton]
+
+ *) Introduce the ProxyFtpDirCharset directive, allowing the administrator
+ to identify a default, or specific servers or paths which list their
+ contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]
+
+ *) log.c: Ensure Win32 resurrects its lost robust logger processes.
+ [William Rowe]
+
+ *) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean
+ shutdown of the server when the MaxClients is higher then 257,
+ in a more responsive manner [Mladen Turk, William Rowe]
+
+ *) Add explicit charset to the output of various modules to work around
+ possible cross-site scripting flaws affecting web browsers that do not
+ derive the response character set as required by RFC2616. One of these
+ reported by SecurityReason [Joe Orton]
+
+ *) http_protocol: Escape request method in 405 error reporting.
+ This has no security impact since the browser cannot be tricked
+ into sending arbitrary method strings. [Jeff Trawick]
+
+ *) http_protocol: Escape request method in 413 error reporting.
+ Determined to be not generally exploitable, but a flaw in any case.
+ PR 44014 [Victor Stinner <victor.stinner inl.fr>]
+
+Changes with Apache 2.0.61
+
+ *) SECURITY: CVE-2007-3847 (cve.mitre.org)
+ mod_proxy: Prevent reading past the end of a buffer when parsing
+ date-related headers. PR 41144.
+ [Davi Arnaut, Nick Kew]
+
+ *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+ mod_cache: Prevent segmentation fault if a Cache-Control header has
+ no value. [Niklas Edmundsson <nikke acc.umu.se>]
+
+ *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+ mod_status: Fix a possible XSS attack against a site with a public
+ server-status page and ExtendedStatus enabled, for browsers which
+ perform charset "detection". Reported by Stefan Esser. [Joe Orton]
+
+ *) SECURITY: CVE-2007-3304 (cve.mitre.org)
+ prefork, worker MPMs: Ensure that the parent process cannot
+ be forced to kill processes outside its process group.
+ [Joe Orton, Jim Jagielski]
+
+ *) mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as synonymous.
+ PR 43183 [Brian Rectanus <Brian.Rectanus breach.com>, Vincent Bray]
+
+ *) log core: ensure we use a special pool for stderr logging, so that
+ the stderr channel remains valid from the time plog is destroyed,
+ until the time the open_logs hook is called again. [William Rowe]
+
+ *) mod_ssl: Version reporting update; displays 'compiled against'
+ Apache and build-time SSL Library versions at loglevel [info],
+ while reporting the run-time SSL Library version in the server
+ info tags. Helps to identify a mod_ssl built against one flavor
+ of OpenSSL but running against another (also adds SSL-C version
+ number reporting.) [William Rowe]
+
+ *) mod_autoindex: Add in Type and Charset options to IndexOptions
+ directive. This allows the admin to explicitly set the
+ content-type and charset of the generated page and is therefore
+ a viable workaround for buggy browsers affected by CVE-2007-4465
+ (cve.mitre.org). [Jim Jagielski]
+
+ *) main core: Emit errors during the initial apr_app_initialize()
+ or apr_pool_create() (when apr-based error reporting is not ready).
+ [William Rowe, Jeff Trawick]
+
+ *) log core: Fix issue which could cause piped loggers to be orphaned
+ and never terminate after a graceful restart. PR 40651. [Joe Orton,
+ Ruediger Pluem]
+
+ *) log core: fix the new piped logger case where we couldn't connect
+ the replacement stderr logger's stderr to the NULL stdout stream.
+ Continue in this case, since the previous alternative of no error
+ logging at all (/dev/null) is far worse. [William Rowe]
+
+ *) mpm_winnt: Prevent the parent-child pipe from leaking into other
+ spawned processes, and ensure we have a /Device/null handle for
+ stdout when running as-a-service. [William Rowe]
+
+ *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]
+
+ *) mod_so: Solve dev's confusion by reporting expected/seen module
+ magic signatures when failing with a 'garbled' message, and solve
+ user's confusion by pointing out 'perhaps compiled for a different
+ version of apache?'. [William Rowe]
+
+ *) mod_ssl: initialize thread locks before initializing the hardware
+ acceleration library, so the latter can make use of the former.
+ PR 20951. [<adunn ncipher.com>]
+
+ *) mod_ssl: Support limited buffering of request bodies to allow
+ per-location renegotiation to proceed. PR 12355. [Joe Orton]
+
+ *) mod_cgi, mod_cgid: Don't return apr_status_t error value
+ from input filter chain. PR 31759 (mutated). [Jo Rhett,
+ Nick Kew]
+
+ *) htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
+ [Jeff Trawick]
+
+ *) proxy_http.c: Overlay existing cookies with proxied ones, ala
+ httpd-2.2. [Jim Jagielski]
+
+ *) mod_proxy: ProxyTimeout (and others) ignored due to not merging
+ the *_set params. PR 11540. [Jim Jagielski]
+
+ *) mod_isapi: Correctly present SERVER_PORT_SECURE.
+ PR 40573. [Matt Eaton <asf divinehawk.com>]
+
+ *) mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH
+ support. Also corrects the slashes for Windows. PR 15993. [William Rowe]
+
+ *) mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly, the
+ token parser worked while the resulting length was misinterpreted.
+ PR 29098. [Brock Bland <bbland serena.com>]
+
+ *) mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade
+ attempts to stream the response at the client. Log these as well.
+ PR 30022, 40470. [William Rowe, Matt Eaton <asf divinehawk.com>]
+
+ *) mod_isapi: Ensure we walk through all the methods the developer may have
+ employed to report their HTTP status result code.
+ PR 16637 30033 28089. [Matt Lewandowsky <matt iamcode.net>, William Rowe]
+
+There was no 2.0.60
+
+Changes with Apache 2.0.59
+
+ *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+ mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+ handling. For some RewriteRules this could lead to a pointer being
+ written out of bounds. Reported by Mark Dowd of McAfee.
+ [Mark Cox]
+
+ *) Win32: Minor fixes to build more cleanly under Visual Studio 2005
+ from the command line build. [William Rowe]
+
+Changes with Apache 2.0.58
+
+ *) Legal: Restored original years in copyright notices.
+ [Colm MacCarthaigh]
+
+Changes with Apache 2.0.57
+
+ *) mod_cgid: run the get_suexec_identity hook within the request-handler
+ instead of within cgid. PR 36410. [Colm MacCarthaigh]
+
+ *) core: Prevent read of unitialized memory in ap_rgetline_core. PR 39282.
+ [Davi Arnaut <davi haxent.com.br>]
+
+ *) mod_proxy: Report the proxy server name correctly in the "Via:" header,
+ when UseCanonicalName is Off. PR 11971. [Martin Kraemer]
+
+ *) mod_isapi: Various trivial code-fixes to permit mod_isapi to load and
+ run on Unix. [William Wrowe]
+
+ *) HTML-escape the Expect error message. Not classed as security as
+ an attacker has no way to influence the Expect header a victim will
+ send to a target site. Reported by Thiago Zaninotti
+ <thiango nstalker.com>. [Mark Cox]
+
+Changes with Apache 2.0.56
+
+ *) SECURITY: CVE-2005-3357 (cve.mitre.org)
+ mod_ssl: Fix a possible crash during access control checks if a
+ non-SSL request is processed for an SSL vhost (such as the
+ "HTTP request received on SSL port" error message when an 400
+ ErrorDocument is configured, or if using "SSLEngine optional").
+ PR 37791. [Rüdiger Plüm, Joe Orton]
+
+ *) SECURITY: CVE-2005-3352 (cve.mitre.org)
+ mod_imap: Escape untrusted referer header before outputting in HTML
+ to avoid potential cross-site scripting. Change also made to
+ ap_escape_html so we escape quotes. Reported by JPCERT.
+ [Mark Cox]
+
+ *) Add APR/APR-Util Compiled and Runtime Version numbers to the
+ output of 'httpd -V'. [William Rowe]
+
+ *) Ensure that the proper status line is written to the client, fixing
+ incorrect status lines caused by filters which modify r->status without
+ resetting r->status_line, such as the built-in byterange filter.
+ [Jeff Trawick]
+
+ *) Default handler: Don't return output filter apr_status_t values.
+ PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]
+
+ *) mod_speling: Stop crashing with certain non-file requests.
+ [Jeff Trawick]
+
+ *) keep the Content-Length header for a HEAD with no response body.
+ PR 18757 [Greg Ames]
+
+ *) Modify apr[util] .h detection to avoid breakage on VPATH builds
+ using Solaris make (amoung others) and avoid breakage in ./buildconf
+ when srclib/apr[-util] are symlinks rather than directories proper.
+ [William Rowe]
+
+ *) Avoid server-driven negotiation when a CGI script has emitted an
+ explicit "Status:" header. PR 38070. [Nick Kew]
+
+ *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
+ format is used. PR 27787. [André Malo]
+
+ *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264.
+ [Justin Erenkrantz]
+
+ *) mod_cache: Correctly handle responses with a 301 status. PR 37347.
+ [Paul Querna]
+
+ *) mod_proxy_http: Prevent data corruption of POST request bodies when
+ client accesses proxied resources with SSL. PR 37145.
+ [Ruediger Pluem, William Rowe]
+
+ *) Eliminated the NET_TIME filter, restructuring the timeout logic.
+ This provides a working mod_echo on all platforms, and ensures any
+ custom protocol module is at least given an initial timeout value
+ based on the <VirtualHost > context's Timeout directive.
+ [William Rowe]
+
+ *) mod_ssl: Correct issue where mod_ssl does not pick up the
+ ssl-unclean-shutdown setting when configured. PR 34452. [Joe Orton]
+
+ *) Document the ReceiveBufferSize change done in r157583.
+ [Murray Nesbitt <murray cpan.org>]
+
+ *) mod_deflate: Merge the Vary header, instead of Setting it. Fixes
+ applications that send the Vary Header themselves. PR 37559.
+ [Paul Querna]
+
+ *) mod_dav: Fix a null pointer dereference in an error code path during the
+ handling of MKCOL. [Ghassan Misherghi <ghassanm ucdavis.edu>]
+
+ *) mod_mime_magic: Handle CRLF-format magic files so that it works with
+ the default installation on Windows. [Jeff Trawick]
+
+ *) Write message to error log if AuthGroupFile cannot be opened.
+ PR 37566. [Rüdiger Plüm]
+
+ *) Add ReceiveBufferSize directive to control the TCP receive buffer.
+ [Eric Covener <covener gmail.com>]
+
+ *) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125.
+ [Paul Querna]
+
+ *) Remove the base href tag from proxy_ftp, as it breaks relative
+ links for clients not using an Authorization header. [Graham Leggett,
+ Jon Snow <jsnow27 gatesec.net>]
+
+ *) http_request.c: Add missing va_end call. [André Malo]
+
+ *) Add httxt2dbm to support/ for creating RewriteMap DBM Files.
+ [Paul Querna]
+
+ *) support/check_forensic: Fix temp file usage
+ [Javier Fernandez-Sanguino Pen~a <jfs computer.org>]
+
+ *) Chunk filter: Fix chunk filter to create correct chunks in the case that
+ a flush bucket is surrounded by data buckets. [Ruediger Pluem]
+
+ *) mod_cgi(d): Remove block on OPTIONS method so that scripts can
+ respond to OPTIONS directly rather than via server default.
+ [Roy Fielding] PR 15242
+
+ *) Added new module mod_version, which provides version dependent
+ configuration containers. [André Malo]
+
+ *) Add core version query function (ap_get_server_revision) and
+ accompanying ap_version_t structure (minor MMN bump).
+ [André Malo]
+
+Changes with Apache 2.0.55
+
+ *) SECURITY: CVE-2005-2700 (cve.mitre.org)
+ mod_ssl: Fix a security issue where "SSLVerifyClient" was not
+ enforced in per-location context if "SSLVerifyClient optional"
+ was configured in the vhost configuration. [Joe Orton]
+
+ *) SECURITY: CVE-2005-2970 (cve.mitre.org)
+ worker MPM: Fix a memory leak which can occur after an aborted
+ connection in some limited circumstances. [Greg Ames]
+
+ *) mod_ldap: Fix PR 36563. Keep track of the number of attributes
+ retrieved from LDAP so that all of the values can be properly
+ cached even if the value is NULL.
+ [Brad Nicholes, Ondrej Sury <ondrej sury.org>]
+
+ *) SECURITY: CVE-2005-2491 (cve.mitre.org):
+ Fix integer overflows in PCRE in quantifier parsing which could
+ be triggered by a local user through use of a carefully-crafted
+ regex in an .htaccess file. [Philip Hazel]
+
+ *) SECURITY: CVE-2005-2088 (cve.mitre.org)
+ proxy: Correctly handle the Transfer-Encoding and Content-Length
+ headers. Discard the request Content-Length whenever T-E: chunked
+ is used, always passing one of either C-L or T-E: chunked whenever
+ the request includes a request body. Resolves an entire class of
+ proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]
+
+ *) Added TraceEnable [on|off|extended] per-server directive to alter
+ the behavior of the TRACE method. This addresses a flaw in proxy
+ conformance to RFC 2616 - previously the proxy server would accept
+ a TRACE request body although the RFC prohibited it. The default
+ remains 'TraceEnable on'. [William Rowe]
+
+ *) Add ap_log_cerror() for logging messages associated with particular
+ client connections. [Jeff Trawick]
+
+ *) Correct mod_cgid's argv[0] so that the full path can be delved by the
+ invoked cgi application, to conform to the behavior of mod_cgi.
+ [Pradeep Kumar S <pradeep.smani gmail.com>]
+
+ *) mod_include: Fix possible environment variable corruption when
+ using nested includes. PR 12655. [Joe Orton]
+
+ *) Support the suppress-error-charset setting, as with Apache 1.3.x.
+ PR 31274. [Jeff Trawick]
+
+ *) EBCDIC: Handle chunked input from client or, with proxy, origin
+ server. [Jeff Trawick]
+
+ *) Fix bad globbing comparison which could result in getting
+ a directory listing when a file was requested. PR 34512.
+ [sean <infamous41md hotmail.com>]
+
+ *) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
+ was called even if mod_auth_ldap_check_user_id() was not
+ (or if it didn't succeed) for non-authoritative cases.
+ [Jim Jagielski]
+
+ *) SECURITY: CVE-2005-2728 (cve.mitre.org)
+ Fix cases where the byterange filter would buffer responses
+ into memory. PR 29962. [Joe Orton]
+
+ *) mod_proxy: Fix over-eager handling of '%' for reverse proxies.
+ PR 15207. [Jim Jagielski]
+
+ *) mod_ldap: Fix various shared memory cache handling bugs.
+ PR 34209. [Joe Orton]
+
+ *) Fix a file descriptor leak when starting piped loggers. PR 33748.
+ [Joe Orton]
+
+ *) mod_ldap: Avoid segfaults when opening connections if using a version
+ of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes]
+
+ *) mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe]
+
+ *) SECURITY: CVE-2005-2088 (cve.mitre.org)
+ core: If a request contains both Transfer-Encoding and Content-Length
+ headers, remove the Content-Length, mitigating some HTTP Request
+ Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
+
+ *) proxy HTTP: If a response contains both Transfer-Encoding and a
+ Content-Length, remove the Content-Length and don't reuse the
+ connection, mitigating some HTTP Response Splitting attacks.
+ [Jeff Trawick]
+
+ *) Prevent hangs of child processes when writing to piped loggers at
+ the time of graceful restart. PR 26467. [Jeff Trawick]
+
+ *) SECURITY: CVE-2005-1268 (cve.mitre.org)
+ mod_ssl: Fix off-by-one overflow whilst printing CRL information
+ at "LogLevel debug" which could be triggered if configured
+ to use a "malicious" CRL. PR 35081. [Marc Stern <mstern csc.com>]
+
+ *) mod_userdir: Fix possible memory corruption issue. PR 34588.
+ [David Leonard <dleonard vintela.com>]
+
+ *) worker mpm: don't take down the whole server for a transient
+ thread creation failure. PR 34514 [Greg Ames]
+
+ *) mod_rewrite: use buffered I/O to improve performance with large
+ RewriteMap txt: files. [Greg Ames]
+
+ *) proxy HTTP: Rework the handling of request bodies to handle
+ chunked input and input filters which modify content length, and
+ avoid spooling arbitrary-sized request bodies in memory.
+ PR 15859. [Jeff Trawick]
+
+Changes with Apache 2.0.54
+
+ *) mod_cache: Add CacheIgnoreHeaders directive. PR 30399.
+ [Rüdiger Plüm <r.pluem t-online.de>]
+
+ *) mod_ldap: Added the directive LDAPConnectionTimeout to configure
+ the ldap socket connection timeout value.
+ [Brad Nicholes]
+
+ *) Correctly export all mod_dav public functions.
+ [Branko Äibej <brane xbc.nu>]
+
+ *) Add a build script to create a solaris package. [Graham Leggett]
+
+ *) worker MPM: Fix a problem which could cause httpd processes to
+ remain active after shutdown. [Jeff Trawick]
+
+ *) Unix MPMs: Shut down the server more quickly when child processes are
+ slow to exit. [Joe Orton, Jeff Trawick]
+
+ *) Remove formatting characters from ap_log_error() calls. These
+ were escaped as fallout from CVE-2003-0020.
+ [Eric Covener <ecovener gmail.com>]
+
+ *) mod_ssl: If SSLUsername is used, set r->user earlier. PR 31418.
+ [David Reid]
+
+ *) htdigest: Fix permissions of created files. PR 33765. [Joe Orton]
+
+ *) core_input_filter: Move buckets to a persistent brigade instead of
+ creating a new brigade. This stop a memory leak when proxying a
+ Streaming Media Server. PR 33382. [Paul Querna]
+
+ *) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid
+ hiccups from additional path information passed in non-utf-8 format.
+ [Richard Donkin <rd9 donkin.org]
+
+Changes with Apache 2.0.53
+
+ *) Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
+ [Max Bowsher <maxb ukf.net>]
+
+ *) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170.
+ [Rici Lake <rici ricilake.net>]
+
+ *) mod_proxy: Respect errors reported by pre_connection hooks.
+ [Jeff Trawick]
+
+ *) --with-module can now take more than one module to be statically
+ linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
+ If the <modtype>-subdirectory doesn't exist it will be created and
+ populated with a standard Makefile.in. [Erik Abele]
+
+ *) Fix the RPM spec file so that an RPM build now works. An RPM
+ build now requires system installations of APR and APR-util.
+ Remove some arbitrary moving around of binaries - the RPM now
+ maps to the ASF build of httpd.
+ [Graham Leggett]
+
+ *) mod_dumpio, an I/O logging/dumping module, added to the
+ modules/expermimental subdirectory. [Jim Jagielski]
+
+ *) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
+ library handles special characters. PR 24437. [Jess Holle]
+
+ *) Win32 MPM: Correct typo in debugging output. [William Rowe]
+
+ *) conf: Remove AddDefaultCharset from the default configuration because
+ setting a site-wide default does more harm than good. PR 23421.
+ [Roy Fielding]
+
+ *) Add charset to example CGI scripts. [Roy Fielding]
+
+ *) mod_ssl: fail quickly if SSL connection is aborted rather than
+ making many doomed ap_pass_brigade calls. PR 32699. [Joe Orton]
+
+ *) Remove compiled-in upper limit on LimitRequestFieldSize.
+ [Bill Stoddard]
+
+ *) Start keeping track of time-taken-to-process-request again for
+ mod_status if ExtendedStatus is enabled. [Jim Jagielski]
+
+ *) mod_proxy: Handle client-aborted connections correctly. PR 32443.
+ [Janne Hietamäki, Joe Orton]
+
+ *) Fix handling of files >2Gb on all platforms (or builds) where
+ apr_off_t is larger than apr_size_t. PR 28898. [Joe Orton]
+
+ *) mod_include: Fix bug which could truncate variable expansions
+ of N*64 characters by one byte. PR 32985. [Joe Orton]
+
+ *) Correct handling of certain bucket types in ap_save_brigade, fixing
+ possible segfaults in mod_cgi with #include virtual. PR 31247.
+ [Joe Orton]
+
+ *) Allow for the use of --with-module=foo:bar where the ./modules/foo
+ directory is local only. Assumes, of course, that the required
+ files are in ./modules/foo, but makes it easier to statically
+ build/log "external" modules. [Jim Jagielski]
+
+ *) Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that
+ ldap authorization only modules have access to the util_ldap
+ user cache without having to require ldap authentication as well.
+ PR 31898. [Jari Ahonen jah progress.com, Brad Nicholes]
+
+ *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
+ allows the module to only authorize a user if the attribute value
+ specified matches the value of the user object. PR 31913
+ [Ryan Morgan <rmorgan pobox.com>]
+
+ *) SECURITY: CVE-2004-0942 (cve.mitre.org)
+ Fix for memory consumption DoS in handling of MIME folded request
+ headers. [Joe Orton]
+
+ *) SECURITY: CVE-2004-0885 (cve.mitre.org)
+ mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
+ bypassed during an SSL renegotiation. PR 31505.
+ [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]
+
+ *) mod_ssl: Fail at startup rather than segfault at runtime if a
+ client cert is configured with an encrypted private key.
+ PR 24030. [Joe Orton]
+
+ *) apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448
+ [Joe Orton]
+
+ *) mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d.
+ [Jeff Trawick]
+
+ *) mod_cache: CacheDisable will only disable the URLs it was meant to
+ disable, not all caching. PR 31128.
+ [Edward Rudd <eddie omegaware.com>, Paul Querna]
+
+ *) mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale
+ cache responses. [Justin Erenkrantz]
+
+ *) mod_rewrite: Handle per-location rules when r->filename is unset.
+ Previously this would segfault or simply not match as expected,
+ depending on the platform. [Jeff Trawick]
+
+ *) mod_rewrite: Fix 0 bytes write into random memory position.
+ PR 31036. [André Malo]
+
+ *) mod_disk_cache: Do not store aborted content. PR 21492.
+ [Rüdiger Plüm <r.pluem t-online.de>]
+
+ *) mod_disk_cache: Correctly store cached content type. PR 30278.
+ [Rüdiger Plüm <r.pluem t-online.de>]
+
+ *) mod_ldap: prevent the possiblity of an infinite loop in the LDAP
+ statistics display. PR 29216. [Graham Leggett]
+
+ *) mod_ldap: fix a bogus error message to tell the user which file
+ is causing a potential problem with the LDAP shared memory cache.
+ PR 31431 [Graham Leggett]
+
+ *) SECURITY: CVE-2004-1834 (cve.mitre.org)
+ mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz]
+
+ *) Fix the re-linking issue when purging elements from the LDAP cache
+ PR 24801. [Jess Holle <jessh ptc.com>]
+
+ *) mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz]
+
+ *) Fix Expires handling in mod_cache. [Justin Erenkrantz]
+
+ *) Alter mod_expires to run at a different filter priority to allow
+ proper Expires storage by mod_cache. [Justin Erenkrantz]
+
+Changes with Apache 2.0.52
+
+ *) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo]
+
+ *) Fix the global mutex crash when the global mutex is never allocated
+ due to disabled/empty caches. [Jess Holle <jessh ptc.com>]
+
+ *) Fix a segfault in the LDAP cache when it is configured switched
+ off. [Jess Holle <jessh ptc.com>]
+
+ *) SECURITY: CVE-2004-0811 (cve.mitre.org)
+ Fix merging of the Satisfy directive, which was applied to
+ the surrounding context and could allow access despite configured
+ authentication. PR 31315. [Rici Lake <rici ricilake.net>]
+
+ *) Fix the handling of URIs containing %2F when AllowEncodedSlashes
+ is enabled. Previously, such urls would still be rejected.
+ [Jeff Trawick, Bill Stoddard]
+
+ *) mod_mem_cache: Fixed race condition causing segfault because of memory being
+ freed twice, or reused after being freed.
+ [J. Clar, W. Stoddard, G. Ames]
+
+ *) Add -l option to rotatelogs to let it use local time rather than
+ UTC. PR 24417. [Ken Coar, Uli Zappe <uli ritual.org>]
+
+ *) mod_log_config: Fix a bug which prevented request completion time
+ from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
+ processing. PR 29696. [Alois Treindl <alois astro.ch>]
+
+Changes with Apache 2.0.51
+
+ *) SECURITY: CVE-2004-0786 (cve.mitre.org)
+ Fix an input validation issue in apr-util which could be
+ triggered by malformed IPv6 literal addresses. [Joe Orton]
+
+ *) SECURITY: CVE-2004-0747 (cve.mitre.org)
+ Fix buffer overflow in expansion of environment variables in
+ configuration file parsing. [André Malo]
+
+ *) SECURITY: CVE-2004-0809 (cve.mitre.org)
+ mod_dav_fs: Fix a segfault in the handling of an indirect lock
+ refresh. PR 31183. [Joe Orton]
+
+ *) mod_include no longer checks for recursion, because that's done
+ in the core. This allows for careful usage of recursive SSI.
+ [André Malo]
+
+ *) Fix memory leak in the cache handling of mod_rewrite. PR 27862.
+ [chunyan sheng <shengperson yahoo.com>, André Malo]
+
+ *) Include directives no longer refuse to process symlinks on
+ directories. Instead there's now a maximum nesting level
+ of included directories (128 as distributed). This is configurable
+ at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch.
+ PR 28492. [André Malo]
+
+ *) Win32: apache -k start|restart|install|config can leave stranded
+ piped logger processes (eg, rotatelogs.exe) due to improper
+ server shutdown on these code paths.
+ [Bill Stoddard]
+
+ *) SECURITY: CVE-2004-0751 (cve.mitre.org)
+ mod_ssl: Fix a segfault in the SSL input filter which could be
+ triggered if using "speculative" mode, for instance by a
+ proxy request to an SSL server. PR 30134. [Joe Orton]
+
+ *) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.
+ PR 30464. [Joe Orton, Madhusudan Mathihalli]
+
+ *) mod_ssl: Add new 'ssl_is_https' optional function. [Joe Orton]
+
+ *) Prevent CGI script output which includes a Content-Range header
+ from being passed through the byterange filter. [Joe Orton]
+
+ *) Satisfy directives now can be influenced by a surrounding <Limit>
+ container. PR 14726. [André Malo]
+
+ *) mod_rewrite now officially supports RewriteRules in <Proxy> sections.
+ PR 27985. [André Malo]
+
+ *) mod_disk_cache: Implement binary format for on-disk header files.
+ [Brian Akins <bakins web.turner.com>, Justin Erenkrantz]
+
+ *) mod_disk_cache: Optimize network performance of disk cache subsystem by
+ allowing zero-copy (sendfile) writes and other miscellaneous fixes.
+ [Justin Erenkrantz]
+
+ *) mod_cache, mod_disk_cache, mod_mem_cache: Refactor cache modules, and
+ switch to the provider API instead of hooks. [Justin Erenkrantz]
+
+ *) mod_autoindex: Don't truncate the directory listing if a stat()
+ call fails (for instance on a >2Gb file). PR 17357.
+ [Joe Orton]
+
+ *) Makefile fix: httpd is linked against LIBS given to the
+ 'make' invocation. PR 7882. [Joe Orton]
+
+ *) WinNT MPM: Fix a broken log message at termination. PR 28063.
+ [Eider Oliveira <eider bol.com.br>]
+
+ *) Prevent Win32 pool corruption at startup [Allan Edwards]
+
+ *) mod_ssl: Add "SSLUserName" directive to set r->user based on a
+ chosen SSL environment variable. PR 20957.
+ [Martin v. Loewis <martin v.loewis.de>]
+
+ *) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs.
+ [Zvi Har'El <rl math.technion.ac.il>]
+
+ *) apachectl: Fix a problem finding envvars if sbindir != bindir.
+ PR 30723. [Friedrich Haubensak <hsk imb-jena.de>]
+
+ *) mod_ssl: Build on RHEL 3. PR 18989. [Justin Erenkrantz]
+
+ *) SECURITY: CVE-2004-0748 (cve.mitre.org)
+ mod_ssl: Fix a potential infinite loop. PR 29964. [Joe Orton]
+
+ *) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb.
+ PR 18989. [Joe Orton]
+
+ *) mod_userdir: Ensure that the userdir identity is used for
+ suexec userdir access in a virtual host which has suexec configured.
+ PR 18156. [Joshua Slive]
+
+ *) mod_rewrite no longer confuses the RewriteMap caches if
+ different maps defined in different virtual hosts use the
+ same map name. PR 26462. [André Malo]
+
+ *) mod_setenvif: Remove "support" for Remote_User variable which
+ never worked at all. PR 25725. [André Malo]
+
+ *) Backport from 2.1 / Regression from 1.3: mod_headers now knows
+ again the functionality of the ErrorHeader directive. But instead
+ using this misnomer additional flags to the Header directive were
+ introduced ("always" and "onsuccess", defaulting to the latter).
+ PR 28657. [André Malo]
+
+ *) Use the higher performing 'httpready' Accept Filter on all platforms
+ except FreeBSD < 4.1.1. [Paul Querna]
+
+ *) mod_usertrack: Escape the cookie name before pasting into the
+ regexp. [André Malo]
+
+ *) Extend the SetEnvIf directive to capture subexpressions of the
+ matched value. [André Malo]
+
+ *) Recursive Include directives no longer crash. The server stops
+ including configuration files after a certain nesting level (128
+ as distributed). This is configurable at compile time using the
+ -DAP_MAX_INCLUDE_DEPTH switch. PR 28370. [André Malo]
+
+ *) mod_dir: the trailing-slash behaviour is now configurable using the
+ DirectorySlash directive. [André Malo]
+
+ *) Allow proxying of resources that are invoked via DirectoryIndex.
+ PR 14648, 15112, 29961. [André Malo]
+
+ *) util_ldap: Switched the lock types on the shared memory cache
+ from thread reader/writer locks to global mutexes in order to
+ provide cross process cache protection. [Brad Nicholes]
+
+ *) util_ldap: Reworked the cache locking scheme to eliminate duplicate
+ cache entries in the credentials cache due to race conditions.
+ [Brad Nicholes]
+
+ *) util_ldap: Enhanced the util_ldap cache-info display to show more
+ detail about the contents and current state of the cache.
+ [Brad Nicholes]
+
+ *) Enable the option to support anonymous shared memory in mod_ldap.
+ This makes the cache work on Linux again. [Graham Leggett]
+
+ *) Enable special ErrorDocument value 'default' which restores the
+ canned server response for the scope of the directive.
+ [Geoffrey Young, André Malo]
+
+ *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
+ is set in r->subprocess_env allow mismatched query strings to pass.
+ PR 27758. [Paul Querna, Geoffrey Young]
+
+ *) Accept URLs for the ServerAdmin directive. If the supplied
+ argument is not recognized as an URL, assume it's a mail address.
+ PR 28174. [André Malo, Paul Querna]
+
+ *) initialize server arrays prior to calling ap_setup_prelinked_modules
+ so that static modules can push Defines values when registering
+ hooks just like DSO modules can ["Philippe M. Chiasson" <gozer cpan.org>]
+
+ *) Small fix to allow reverse proxying to an ftp server. Previously
+ an attempt to do this would try and connect to 0.0.0.0, regardless
+ of the server specified. PR 24922
+ [Pascal Terjan <pt...@linuxfr.org>]
+
+ *) Add the NOTICE file to the rpm spec file in compliance with the
+ Apache v2.0 license. [Graham Leggett]
+
+ *) RPM spec file changes: changed default dependancy to link to db4
+ instead of db3. Fixed complaints about unpackaged files.
+ [Graham Leggett]
+
+Changes with Apache 2.0.50
+
+ *) SECURITY: CVE-2004-0493 (cve.mitre.org)
+ Close a denial of service vulnerability identified by Georgi
+ Guninski which could lead to memory exhaustion with certain
+ input data. [Jeff Trawick]
+
+ *) mod_cgi: Handle output on stderr during script execution on Unix
+ platforms; preventing deadlock when stderr output fills pipe buffer.
+ Also fixes case where stderr from nph- scripts could be lost.
+ PR 22030, 18348. [Joe Orton, Jeff Trawick]
+
+ *) mod_alias now emits a warning if it detects overlapping *Alias*
+ directives. [André Malo]
+
+ *) mod_rewrite no longer turns forward proxy requests into reverse proxy
+ requests. PR 28125 [ast domdv.de, André Malo]
+
+ *) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now
+ exported on Win32 and Netware as well (minor MMN bump). PR 28523.
+ [Edward Rudd <eddie omegaware.com>, André Malo]
+
+ *) Restore the ability to disable the use of AcceptEx on Win9x systems
+ automatically (broken in 2.0.49). PR 28529. [André Malo]
+
+ *) <VirtualHost myhost> now applies to all IP addresses for myhost
+ instead of just the first one reported by the resolver. This
+ corrects a regression since 1.3. [Jeff Trawick]
+
+ *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved
+ against ServerRoot PR#26602 [Brad Nicholes]
+
+ *) SECURITY: CVE-2004-0488 (cve.mitre.org)
+ mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
+ (trusted) client certificate subject DN which exceeds 6K in length.
+ [Joe Orton]
+
+ *) mod_dav_fs: Fix MKCOL response for missing parent collections, which
+ caused issues for the Eclipse WebDAV extension.
+ PR 29034. [Joe Orton]
+
+ *) mod_deflate: Fix memory consumption (which was proportional to the
+ response size). PR 29318. [Joe Orton]
+
+ *) mod_ssl: Log the errors returned on failure to load or initialize
+ a crypto accelerator engine. [Joe Orton]
+
+ *) Allow RequestHeader directives to be conditional. PR 27951.
+ [Vincent Deffontaines <vincent gryzor.com>, André Malo]
+
+ *) Allow LimitRequestBody to be reset to unlimited. PR 29106
+ [André Malo]
+
+ *) Fix a bunch of cases where the return code of the regex compiler
+ was not checked properly. This affects: mod_setenvif, mod_usertrack,
+ mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo]
+
+ *) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for
+ small cache sizes. PR 27751. [Geoff Thorpe <geoff geoffthorpe.net>]
+
+ *) Remove 2Gb log file size restriction on some 32-bit platforms.
+ PR 13511. [Joe Orton]
+
+ *) mod_logio no longer removes the EOS bucket. PR 27928.
+ [Bojan Smojver <bojan rexursive.com>]
+
+ *) htpasswd no longer refuses to process files that contain empty
+ lines. [André Malo]
+
+ *) Regression from 1.3: At startup, suexec now will be checked for
+ availability, the setuid bit and user root. The works only if
+ httpd is compiled with the shipped APR version (0.9.5).
+ PR 28287. [André Malo]
+
+ *) Unix MPMs: Stop dropping connections when the file descriptor
+ is at least FD_SETSIZE. [Jeff Trawick]
+
+ *) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick]
+
+ *) mod_isapi: send_response_header() failed to copy status string's
+ last character. PR 20619. [Jesse Pelton <jsp pkc.com>]
+
+ *) Fix a segfault when requests for shared memory fails and returns
+ NULL. Fix a segfault caused by a lack of bounds checking on the
+ cache. PR 24801. [Graham Leggett]
+
+ *) Throw an error message if an attempt is made to use the LDAPTrustedCA
+ or LDAPTrustedCAType directives in a VirtualHost. PR 26390
+ [Brad Nicholes]
+
+ *) Fix a potential segfault if the bind password in the LDAP cache
+ is NULL. PR 28250. [Jari Ahonen <jah progress.com>]
+
+ *) Quotes cannot be used around require group and require dn
+ directives, update the documentation to reflect this. Also add
+ quotes around the dn and group within debug messages, to make it
+ more obvious why authentication is failing if quotes are used in
+ error. PR 19304. [Graham Leggett]
+
+ *) The Microsoft LDAP SDK escapes filters for us, stop util_ldap
+ from escaping filters twice when the backslash character is used.
+ PR 24437. [Jess Holle <jessh ptc.com>]
+
+ *) Overhaul handling of LDAP error conditions, so that the util_ldap_*
+ functions leave the connections in a sane state after errors have
+ occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134,
+ 27271 [Graham Leggett]
+
+ *) mod_ldap calls ldap_simple_bind_s() to validate the user
+ credentials. If the bind fails, the connection is left
+ in an unbound state. Make sure that the ldap connection
+ record is updated to show that the connection is no longer
+ bound. [Brad Nicholes]
+
+ *) Ensure that lines in the request which are too long are
+ properly terminated before logging.
+ [Tsurutani Naoki <turutani scphys.kyoto-u.ac.jp>]
+
+ *) Update the bind credentials for the cached LDAP connection to
+ reflect the last bind. This prevents util_ldap from creating
+ unnecessary connections rather than reusing cached connections.
+ [Brad Nicholes]
+
+ *) mod_isapi: GetServerVariable returned improperly terminated header
+ fields given "ALL_HTTP" or "ALL_RAW". PR 20656.
+ [Jesse Pelton <jsp pkc.com>]
+
+ *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer
+ size. PR 20617. [Jesse Pelton <jsp pkc.com>]
+
+ *) mod_dav: Fix a problem that could cause crashes when manipulating
+ locks on some platforms. [Jeff Trawick]
+
+ *) mod_headers no longer crashes if an empty header value should
+ be added. [André Malo]
+
+ *) Fix segfault in mod_expires, which occured under certain
+ circumstances. PR 28047. [André Malo]
+
+ *) htpasswd: use apr_temp_dir_get() and general cleanup
+ [Guenter Knauf <eflash gmx.net>, Thom May]
+
+ *) mod_ssl: Fix memory leak in session cache handling. PR 26562
+ [Madhusudan Mathihalli]
+
+ *) mod_ssl: Fix potential segfaults when performing SSL shutdown from
+ a pool cleanup. PR 27945. [Joe Orton]
+
+ *) Add forensic logging module (mod_log_forensic).
+ [Ben Laurie]
+
+ *) logresolve: Allow size of log line buffer to be overridden at
+ build time (MAXLINE). PR 27793. [Jeff Trawick]
+
+ *) Fix the comment delimiter in htdbm so that it correctly parses the
+ username comment. Also add a terminate function to allow NetWare
+ to pause the output before the screen is destroyed.
+ [Guenter Knauf <eflash gmx.net>, Brad Nicholes]
+
+ *) Fix crash when Apache was started with no Listen directives.
+ [Michael Corcoran <mcorcoran warpsolutions.com>]
+
+ *) core_output_filter: Fix bug that could result in sending
+ garbage over the network when module handlers construct
+ bucket brigades containing multiple file buckets all referencing
+ the same open file descriptor. [Bojan Smojver]
+
+ *) Fix memory corruption problem with ap_custom_response() function.
+ The core per-dir config would later point to request pool data
+ that would be reused for different purposes on different requests.
+ [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]
+
+ *) Win32: Tweak worker thread accounting routines to eliminate
+ server hang when number of Listen directives in httpd.conf
+ is greater than or equal to the setting of ThreadsPerChild.
+ [Bill Stoddard]
+
+Changes with Apache 2.0.49
+
+ *) SECURITY: CVE-2004-0174 (cve.mitre.org)
+ Fix starvation issue on listening sockets where a short-lived
+ connection on a rarely-accessed listening socket will cause a
+ child to hold the accept mutex and block out new connections until
+ another connection arrives on that rarely-accessed listening socket.
+ With Apache 2.x there is no performance concern about enabling the
+ logic for platforms which don't need it, so it is enabled everywhere
+ except for Win32. [Jeff Trawick]
+
+ *) mod_cgid: Fix storage corruption caused by use of incorrect pool.
+ [Jeff Trawick]
+
+ *) Win32: find_read_listeners was not correctly handling multiple
+ listeners on the Win32DisableAcceptEx path. [Bill Stoddard]
+
+ *) Fix bug in mod_usertrack when no CookieName is set. PR 24483.
+ [Manni Wood <manniwood planet-save.com>]
+
+ *) Fix some piped log problems: bogus "piped log program '(null)'
+ failed" messages during restart and problem with the logger
+ respawning again after Apache is stopped. PR 21648, PR 24805.
+ [Jeff Trawick]
+
+ *) Fixed file extensions for real media files and removed rpm extension
+ from mime.types. PR 26079. [Allan Sandfeld <kde carewolf.com>]
+
+ *) Remove compile-time length limit on request strings. Length is
+ now enforced solely with the LimitRequestLine config directive.
+ [Paul J. Reder]
+
+ *) mod_ssl: Send the Close Alert message to the peer before closing
+ the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]
+
+ *) SECURITY: CVE-2004-0113 (cve.mitre.org)
+ mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
+ PR 27106. [Joe Orton]
+
+ *) mod_ssl: Fix bug in passphrase handling which could cause spurious
+ failures in SSL functions later. PR 21160. [Joe Orton]
+
+ *) mod_log_config: Fix corruption of buffered logs with threaded
+ MPMs. PR 25520. [Jeff Trawick]
+
+ *) Fix mod_include's expression parser to recognize strings correctly
+ even if they start with an escaped token. [André Malo]
+
+ *) Add fatal exception hook for use by diagnostic modules. The hook
+ is only available if the --enable-exception-hook configure parm
+ is used and the EnableExceptionHook directive has been set to
+ "on". [Jeff Trawick]
+
+ *) Allow mod_auth_digest to work with sub-requests with different
+ methods than the original request. PR 25040.
+ [Josh Dady <jpd indecisive.com>]
+
+ *) fix "Expected </Foo>> but saw </Foo>" errors in nested,
+ argumentless containers.
+ ["Philippe M. Chiasson" <gozer cpan.org>]
+
+ *) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
+ [Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]
+
+ *) mod_cgid: Restart the cgid daemon if it crashes. PR 19849
+ [Glenn Nielsen <glenn apache.org>]
+
+ *) The whole codebase was relicensed and is now available under
+ the Apache License, Version 2.0 (http://www.apache.org/licenses).
+ [Apache Software Foundation]
+
+ *) Fixed cache-removal order in mod_mem_cache.
+ [Jean-Jacques Clar, Cliff Woolley]
+
+ *) mod_setenvif: Fix the regex optimizer, which under circumstances
+ treated the supplied regex as literal string. PR 24219.
+ [André Malo]
+
+ *) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
+ instead of mmn. [André Malo]
+
+ *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
+ could lead to a 400 (Bad Request) response. [André Malo]
+
+ *) Keep focus of ITERATE and ITERATE2 on the current module when
+ the module chooses to return DECLINE_CMD for the directive.
+ PR 22299. [Geoffrey Young <geoff apache.org>]
+
+ *) Add support for IMT minor-type wildcards (e.g., text/*) to
+ ExpiresByType. PR#7991 [Ken Coar]
+
+ *) Fix segfault in mod_mem_cache cache_insert() due to cache size
+ becoming negative. PR: 21285, 21287
+ [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
+
+ *) core.c: If large file support is enabled, allow any file that is
+ greater than AP_MAX_SENDFILE to be split into multiple buckets.
+ This allows Apache to send files that are greater than 2gig.
+ Otherwise we run into 32/64 bit type mismatches in the file size.
+ [Brad Nicholes]
+
+ *) proxy_http fix: mod_proxy hangs when both KeepAlive and
+ ProxyErrorOverride are enabled, and a non-200 response without a
+ body is generated by the backend server. (e.g.: a client makes a
+ request containing the "If-Modified-Since" and "If-None-Match"
+ headers, to which the backend server respond with status 304.)
+ [Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]
+
+ *) mod_dav: Reject requests which include an unescaped fragment in the
+ Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
+
+ *) Build array of allowed methods with proper dimensions, fixing
+ possible memory corruption. [Jeff Trawick]
+
+ *) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
+ PR 15057. [Otmar Lendl <lendl nic.at>]
+
+ *) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
+ [Joe Orton]
+
+ *) mod_usertrack no longer inspects the Cookie2 header for
+ the cookie name. PR 11475. [Chris Darrochi <chrisd pearsoncmg.com>]
+
+ *) mod_usertrack no longer overwrites other cookies.
+ PR 26002. [Scott Moore <apache nopdesign.com>]
+
+ *) worker MPM: fix stack overlay bug that could cause the parent
+ process to crash. [Jeff Trawick]
+
+ *) Win32: Add Win32DisableAcceptEx directive. This Windows
+ NT/2000/CP directive is useful to work around bugs in some
+ third party layered service providers like virus scanners,
+ VPN and firewall products, that do not properly handle
+ WinSock 2 APIs. Use this directive if your server is issuing
+ AcceptEx failed messages.
+ [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]
+
+ *) Make REMOTE_PORT variable available in mod_rewrite.
+ PR 25772. [André Malo]
+
+ *) Fix a long delay with CGI requests and keepalive connections on
+ AIX. [Jeff Trawick]
+
+ *) mod_autoindex: Add 'XHTML' option in order to allow switching between
+ HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]
+
+ *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
+ [André Malo]
+
+ *) mod_ssl: Advertise SSL library version as determined at run-time rather
+ than at compile-time. PR 23956. [Eric Seidel <seidel apple.com>]
+
+ *) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
+ format code is used. PR 22741. [Gary E. Miller <gem rellim.com>]
+
+ *) Fix build with parallel make. PR 24643. [Joe Orton]
+
+ *) mod_rewrite: In external rewrite maps lookup keys containing
+ a newline now cause a lookup failure. PR 14453.
+ [Cedric Gavage <cedric.gavage unixtech.be>, André Malo]
+
+ *) Backport major overhaul of mod_include's filter parser from 2.1.
+ The new parser code is expected to be more robust and should
+ catch all of the edge cases that were not handled by the previous one.
+ The 2.1 external API changes were hidden by a wrapper which is
+ expected to keep the API backwards compatible. [André Malo]
+
+ *) Add a hook (insert_error_filter) to allow filters to re-insert
+ themselves during processing of error responses. Enable mod_expires
+ to use the new hook to include Expires headers in valid error
+ responses. This addresses an RFC violation. It fixes PRs 19794,
+ 24884, and 25123. [Paul J. Reder]
+
+ *) Add Polish translation of error messages. PR 25101.
+ [Tomasz Kepczynski <tomek jot23.org>]
+
+ *) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
+ supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes,
+ Bill Stoddard]
+
+ *) Add mod_status hook to allow modules to add to the mod_status
+ report. [Joe Orton]
+
+ *) Fix htdbm to generate comment fields in DBM files correctly.
+ [Justin Erenkrantz]
+
+ *) mod_dav: Use bucket brigades when reading PUT data. This avoids
+ problems if the data stream is modified by an input filter. PR 22104.
+ [Tim Robbins <tim robbins.dropbear.id.au>, André Malo]
+
+ *) Fix RewriteBase directive to not add double slashes. [André Malo]
+
+ *) Improve 'configure --help' output for some modules. [Astrid KeÃler]
+
+ *) Correct UseCanonicalName Off to properly check incoming port number.
+ [Jim Jagielski]
+
+ *) Fix slow graceful restarts with prefork MPM. [Joe Orton]
+
+ *) Fix a problem with namespace mappings being dropped in mod_dav_fs;
+ if any property values were set which defined namespaces these
+ came out mangled in the PROPFIND response. PR 11637.
+ [Amit Athavale <amit_athavale persistent.co.in>]
+
+ *) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
+ the destination resource gives a 401. PR 15571. [Joe Orton]
+
+ *) SECURITY: CVE-2003-0020 (cve.mitre.org)
+ Escape arbitrary data before writing into the errorlog. Unescaped
+ errorlogs are still possible using the compile time switch
+ "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]
+
+ *) mod_autoindex / core: Don't fail to show filenames containing
+ special characters like '%'. PR 13598. [André Malo]
+
+ *) mod_status: Report total CPU time accurately when using a threaded
+ MPM. PR 23795. [Jeff Trawick]
+
+ *) Fix memory leak in handling of request bodies during reverse
+ proxy operations. PR 24991. [Larry Toppi <larry.toppi citrix.com>]
+
+ *) Win32 MPM: Implement MaxMemFree to enable setting an upper
+ limit on the amount of storage used by the bucket brigades
+ in each server thread. [Bill Stoddard]
+
+ *) Modified the cache code to be header-location agnostic. Also
+ fixed a number of other cache code bugs related to PR 15852.
+ Includes a patch submitted by Sushma Rai <rsushma novell.com>.
+ This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
+ closing the PR since that is what they are using. [Paul J. Reder]
+
+ *) complain via error_log when mod_include's INCLUDES filter is
+ enabled, but the relevant Options flag allowing the filter to run
+ for the specific resource wasn't set, so that the filter won't
+ silently get skipped. next remove itself, so the warning will be
+ logged only once [Stas Bekman, Jeff Trawick, Bill Rowe]
+
+ *) mod_info: HTML escape configuration information so it displays
+ correctly. PR 24232. [Thom May]
+
+ *) Restore the ability to add a description for directories that
+ don't contain an index file. (Broken in 2.0.48) [André Malo]
+
+ *) Fix a problem with the display of empty variables ("SetEnv foo") in
+ mod_include. PR 24734 [Markus Julen <mj zermatt.net>]
+
+ *) mod_log_config: Log the minutes component of the timezone correctly.
+ PR 23642. [Hong-Gunn Chew <hgbug gunnet.org>]
+
+ *) mod_proxy: Fix cases where an invalid status-line could be sent
+ to the client. PR 23998. [Joe Orton]
+
+ *) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL
+ are also loaded. [Joe Orton]
+
+ *) mod_ssl: Use human-readable OpenSSL error strings in logs; use
+ thread-safe interface for retrieving error strings. [Joe Orton]
+
+ *) mod_expires: Initialize ExpiresDefault to NULL instead of "" to
+ avoid reporting an Internal Server error if it is used without
+ having been set in the httpd.conf file. PR: 23748, 24459
+ [André Malo, Liam Quinn <liam htmlhelp.com>]
+
+ *) mod_autoindex: Don't omit the <tr> start tag if the SuppressIcon
+ option is set. PR 21668. [Jesse Tie-Ten-Quee <highos highos.com>]
+
+ *) mod_include no longer allows an ETag header on 304 responses.
+ PR 19355. [Geoffrey Young <geoff apache.org>, André Malo]
+
+ *) EBCDIC: Convert header fields to ASCII before sending (broken
+ since 2.0.44). [Martin Kraemer]
+
+ *) Fix the inability to log errors like exec failure in
+ mod_ext_filter/mod_cgi script children. This was broken after
+ such children stopped inheriting the error log handle.
+ [Jeff Trawick]
+
+ *) Fix mod_info to use the real config file name, not the default
+ config file name. [Aryeh Katz <aryeh secured-services.com>]
+
+ *) Set the scoreboard state to indicate logging prior to running
+ logging hooks so that server-status will show 'L' for hung loggers
+ instead of 'W'. [Jeff Trawick]
+
+Changes with Apache 2.0.48
+
+ *) SECURITY: CVE-2003-0789 (cve.mitre.org)
+ mod_cgid: Resolve some mishandling of the AF_UNIX socket used to
+ communicate with the cgid daemon and the CGI script.
+ [Jeff Trawick]
+
+ *) SECURITY: CVE-2003-0542 (cve.mitre.org)
+ Fix buffer overflows in mod_alias and mod_rewrite which occurred
+ if one configured a regular expression with more than 9 captures.
+ [André Malo]
+
+ *) mod_include: fix segfault which occured if the filename was not
+ set, for example, when processing some error conditions.
+ PR 23836. [Brian Akins <bakins web.turner.com>, André Malo]
+
+ *) fix the config parser to support <Foo>..</Foo> containers (no
+ arguments in the opening tag) supported by httpd 1.3. Without
+ this change mod_perl 2.0's <Perl> sections are broken.
+ ["Philippe M. Chiasson" <gozer cpan.org>]
+
+ *) mod_cgid: fix a hash table corruption problem which could
+ result in the wrong script being cleaned up at the end of a
+ request. [Jeff Trawick]
+
+ *) Update httpd-*.conf to be clearer in describing the connection
+ between AddType and AddEncoding for defining the meaning of
+ compressed file extensions. [Roy Fielding]
+
+ *) mod_rewrite: Don't die silently when failing to open RewriteLogs.
+ PR 23416. [André Malo]
+
+ *) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
+ rewritten request using "proxy:". The code was adding multiple "proxy:"
+ fields in the rewritten URI. PR: 13946.
+ [Eider Oliveira <eider bol.com.br>]
+
+ *) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
+ expires as directed in RFC 2616. [Thomas Castelle <tcastelle generali.fr>]
+
+ *) Ensure that ssl-std.conf is generated at configure time, and switch
+ to using the expanded config variables to work the same as
+ httpd-std.conf PR: 19611
+ [Thom May]
+
+ *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
+ [Hartmut Keil <Hartmut.Keil adnovum.ch>]
+
+ *) mod_autoindex: If a directory contains a file listed in the
+ DirectoryIndex directive, the folder icon is no longer replaced
+ by the icon of that file. PR 9587.
+ [David Shane Holden <dpejesh yahoo.com>]
+
+ *) Fixed mod_usertrack to not get false positive matches on the
+ user-tracking cookie's name. PR 16661.
+ [Manni Wood <manniwood planet-save.com>]
+
+ *) mod_cache: Fix the cache code so that responses can be cached
+ if they have an Expires header but no Etag or Last-Modified
+ headers. PR 23130.
+ [<bjorn exoweb.net>]
+
+ *) mod_log_config: Fix %b log format to write really "-" when 0 bytes
+ were sent (e.g. with 304 or 204 response codes). [Astrid KeÃler]
+
+ *) Modify ap_get_client_block() to note if it has seen EOS.
+ [Justin Erenkrantz]
+
+ *) Fix a bug, where mod_deflate sometimes unconditionally compressed the
+ content if the Accept-Encoding header contained only other tokens than
+ "gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
+
+ *) Avoid an infinite recursion, which occured if the name of an included
+ config file or directory contained a wildcard character. PR 22194.
+ [André Malo]
+
+ *) mod_ssl: Fix a problem setting variables that represent the
+ client certificate chain. PR 21371 [Jeff Trawick]
+
+ *) Unix: Handle permissions settings for flock-based mutexes in
+ unixd_set_global|proc_mutex_perms(). Allow the functions to be
+ called for any type of mutex. PR 20312 [Jeff Trawick]
+
+ *) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
+
+ *) Fix a misleading message from the some of the threaded MPMs when
+ MaxClients has to be lowered due to the setting of ServerLimit.
+ [Jeff Trawick]
+
+ *) Lower the severity of the "listener thread didn't exit" message
+ to debug, as it is of interest only to developers. PR 9011
+ [Jeff Trawick]
+
+ *) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
+ [Cliff Woolley, Jean-Jacques Clar]
+
+ *) Install config.nice into the build/ directory to make
+ minor version upgrades easier. [Joshua Slive]
+
+ *) Fix mod_deflate so that it does not call deflate() without checking
+ first whether it has something to deflate. (Currently this causes
+ deflate to generate a fatal error according to the zlib spec.)
+ PR 22259. [Stas Bekman]
+
+ *) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an
+ identity spoof is encountered.
+ [Sander Striker]
+
+ *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
+ containing the .htaccess file is requested without a trailing slash.
+ PR 20195. [André Malo]
+
+ *) ab: Overlong credentials given via command line no longer clobber
+ the buffer. [André Malo]
+
+ *) mod_deflate: Don't attempt to hold all of the response until we're
+ done. [Justin Erenkrantz]
+
+ *) Assure that we block properly when reading input bodies with SSL.
+ PR 19242. [David Deaves <David.Deaves dd.id.au>, William Rowe]
+
+ *) Update mime.types to include latest IANA and W3C types. [Roy Fielding]
+
+ *) mod_ext_filter: Set additional environment variables for use by
+ the external filter. PR 20944. [Andrew Ho, Jeff Trawick]
+
+ *) Fix buildconf errors when libtool version changes. [Jeff Trawick]
+
+ *) Remember an authenticated user during internal redirects if the
+ redirection target is not access protected and pass it
+ to scripts using the REDIRECT_REMOTE_USER environment variable.
+ PR 10678, 11602. [André Malo]
+
+ *) mod_include: Fix a trio of bugs that would cause various unusual
+ sequences of parsed bytes to omit portions of the output stream.
+ PR 21095. [Ron Park <ronald.park cnet.com>, André Malo, Cliff Woolley]
+
+ *) Update the header token parsing code to allow LWS between the
+ token word and the ':' seperator. [PR 16520]
+ [Kris Verbeeck <kris.verbeeck advalvas.be>, Nicel KM <mnicel yahoo.com>]
+
+ *) Eliminate creation of a temporary table in ap_get_mime_headers_core()
+ [Joe Schaefer <joe+gmane sunstarsys.com>]
+
+ *) Added FreeBSD directory layout. PR 21100.
+ [Sander Holthaus <info orangexl.com>, André Malo]
+
+ *) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
+ response. PR 21085. [Glenn Nielsen <glenn apache.org>, André Malo]
+
+ *) mod_rewrite: Perform child initialization on the rewrite log lock.
+ This fixes a log corruption issue when flock-based serialization
+ is used (e.g., FreeBSD). [Jeff Trawick]
+
+ *) Don't respect the Server header field as set by modules and CGIs.
+ As with 1.3, for proxy requests any such field is from the origin
+ server; otherwise it will have our server info as controlled by
+ the ServerTokens directive. [Jeff Trawick]
+
+Changes with Apache 2.0.47
+
+ *) SECURITY: CVE-2003-0192 (cve.mitre.org)
+ Fixed a bug whereby certain sequences of per-directory
+ renegotiations and the SSLCipherSuite directive being used to
+ upgrade from a weak ciphersuite to a strong one could result in
+ the weak ciphersuite being used in place of the strong one.
+ [Ben Laurie]
+
+ *) SECURITY: CVE-2003-0253 (cve.mitre.org)
+ Fixed a bug in prefork MPM causing temporary denial of service
+ when accept() on a rarely accessed port returns certain errors.
+ Reported by Saheed Akhtar <S.Akhtar talis.com>. [Jeff Trawick]
+
+ *) SECURITY: CVE-2003-0254 (cve.mitre.org)
+ Fixed a bug in ftp proxy causing denial of service when target
+ host is IPv6 but proxy server can't create IPv6 socket. Fixed by
+ the reporter. [Yoshioka Tsuneo <tsuneo.yoshioka f-secure.com>]
+
+ *) SECURITY [VU#379828] Prevent the server from crashing when entering
+ infinite loops. The new LimitInternalRecursion directive configures
+ limits of subsequent internal redirects and nested subrequests, after
+ which the request will be aborted. PR 19753 (and probably others).
+ [William Rowe, Jeff Trawick, André Malo]
+
+ *) core_output_filter: don't split the brigade after a FLUSH bucket if
+ it's the last bucket. This prevents creating unneccessary empty
+ brigades which may not be destroyed until the end of a keepalive
+ connection.
+ [Juan Rivera <Juan.Rivera citrix.com>]
+
+ *) Add support for "streamy" PROPFIND responses.
+ [Ben Collins-Sussman <sussman collab.net>]
+
+ *) mod_cgid: Eliminate a double-close of a socket. This resolves
+ various operational problems in a threaded MPM, since on the
+ second attempt to close the socket, the same descriptor was
+ often already in use by another thread for another purpose.
+ [Jeff Trawick]
+
+ *) mod_negotiation: Introduce "prefer-language" environment variable,
+ which allows to influence the negotiation process on request basis
+ to prefer a certain language. [André Malo]
+
+ *) Make mod_expires' ExpiresByType work properly, including for
+ dynamically-generated documents. [Ken Coar, Bill Stoddard]
+
+Changes with Apache 2.0.46
+
+ *) SECURITY: CVE-2003-0245 (cve.mitre.org)
+ Fixed a bug causing apr_pvsprintf() to crash by sending an overly
+ long string. This can be triggered remotely through mod_dav,
+ mod_ssl, and other mechanisms.
+ Reported by David Endler <DEndler iDefense.com>. [Joe Orton]
+
+ *) SECURITY: CVE-2003-0189 (cve.mitre.org)
+ Fixed a denial-of-service vulnerability affecting basic
+ authentication on Unix platforms related to thread-safety in
+ apr_password_validate().
+ Reported by John Hughes <john.hughes entegrity.com>.
+
+ *) Fix for mod_dav. Call the 'can_be_activity' callback, if provided,
+ when a MKACTIVITY request comes in.
+ [Ben Collins-Sussman <sussman collab.net>]
+
+ *) Perform run-time query in apxs for apr and apr-util's includes.
+ [Justin Erenkrantz]
+
+ *) run libtool from the apr install directory (in case that is different
+ from the apache install directory) [Jeff Trawick]
+
+ *) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]
+
+ *) If mod_mime_magic does not know the content-type, do not attempt to
+ guess. PR 16908. [Andrew Gapon <agapon telcordia.com>]
+
+ *) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
+ caching. PR 17864.
+ [Andreas Leimbacher <andreasl67 yahoo.de>, Madhusudan Mathihalli]
+
+ *) Add a delete flag to htpasswd.
+ [Thom May]
+
+ *) Fix mod_rewrite's handling of absolute URIs. The escaping routines
+ now work scheme dependent and the query string will only be
+ appended if supported by the particular scheme. [André Malo]
+
+ *) Add another check for already compressed content in mod_deflate.
+ PR 19913. [Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]
+
+ *) Fixes for VPATH builds; copying special.mk and any future .mk files
+ from the source tree as well as the build tree (now creates a usable
+ configuration for apxs), and eliminated redundant -I'nclude paths.
+ [William Rowe]
+
+ *) Code fixes, constness corrections and ssl_toolkit_compat.h updates
+ for SSLC and OpenSSL toolkit compatibility. Still work remains to
+ be done to cripple features based on the limitations of RSA's binary
+ distribution of their SSL-C toolkit.
+ [William Rowe, Madhusudan Mathihalli, Jeff Trawick]
+
+ *) Linux 2.4+: If Apache is started as root and you code
+ CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
+ [Greg Ames]
+
+ *) ap_get_mime_headers_core: allocate space for the trailing null
+ when folding is in effect.
+ PR 18170 [Peter Mayne <PeterMayne SPAM_SUX.ap.spherion.com>]
+
+ *) Fix --enable-mods-shared=most and other variants. [Aaron Bannert]
+
+ *) mod_log_config: Add the ability to log the id of the thread
+ processing the request via new %P formats. [Jeff Trawick]
+
+ *) Use appropriate language codes for Czech (cs) and Traditional Chinese
+ (zh-tw) in default config files. PR 9427. [André Malo]
+
+ *) mod_auth_ldap: Use generic whitespace character class when parsing
+ "require" directives, instead of literal spaces only. PR 17135.
+ [André Malo]
+
+ *) Hook mod_rewrite's type checker before mod_mime's one. That way the
+ RewriteRule [T=...] Flag should work as expected now. PR 19626.
+ [André Malo]
+
+ *) htpasswd: Check the processed file on validity. If a line is not empty
+ and not a comment, it must contain at least one colon. Otherwise exit
+ with error code 7. [Kris Verbeeck <Kris.Verbeeck ubizen.com>, Thom May]
+
+ *) Fix a problem that caused httpd to be linked with incorrect flags
+ on some platforms when mod_so was enabled by default, breaking
+ DSOs on AIX. PR 19012 [Jeff Trawick]
+
+ *) By default, use the same CC and CPP with which APR was built.
+ The user can override with CC and CPP environment variables.
+ [Jeff Trawick]
+
+ *) Fix ap_construct_url() so that it surrounds IPv6 literal address
+ strings with []. This fixes certain types of redirection.
+ PR 19207. [Jeff Trawick]
+
+ *) forward port of buffer overflow fixes for htdigest. [Thom May]
+
+ *) Added AllowEncodedSlashes directive to permit control of whether
+ the server will accept encoded slashes ('%2f') in the URI path.
+ Default condition is off (the historical behaviour). This permits
+ environments in which the path-info needs to contain encoded
+ slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639. [Ken Coar]
+
+ *) When using Redirect in directory context, append requested query
+ string if there's no one supplied by configuration. PR 10961.
+ [André Malo]
+
+ *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
+ the pattern will not always match as desired. PR 12596.
+ [André Malo]
+
+ *) mod_autoindex now emits and accepts modern query string parameter
+ delimiters (;). Thus column headers no longer contain unescaped
+ ampersands. PR 10880 [André Malo]
+
+ *) Enable ap_sock_disable_nagle for Windows. This along with the
+ addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle
+ to be disabled for Windows. [Allan Edwards]
+
+ *) Correct a mis-correlation between mpm_common.c and mpm_common.h;
+ This patch reverts us to pre-2.0.46 behavior, using the
+ ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle
+ was never compiled on Win32. [Allan Edwards, William Rowe]
+
+ *) Fix a build problem with passing unsupported --enable-layout
+ args to apr and apr-util. This broke binbuild.sh as well as
+ user-specified layout parameters. PR 18649 [Justin Erenkrantz,
+ Jeff Trawick]
+
+ *) If a Date response header was already set in the headers array,
+ this value was ignored in favour of the current time. This meant
+ that Date headers on proxied requests where rewritten when they
+ should not have been. PR: 14376 [Graham Leggett]
+
+ *) Add code to buildconf that produces an httpd.spec file from
+ httpd.spec.in, using build/get-version.sh from APR.
+ [Graham Leggett]
+
+ *) Fixed a segfault when multiple ProxyBlock directives were used.
+ PR: 19023 [Sami Tikka <sami.tikka f-secure.com>]
+
+ *) SECURITY: CVE-2003-0134 (cve.mitre.org)
+ OS2: Fix a Denial of Service vulnerability identified and
+ reported by Robert Howard <rihoward rawbw.com> that where device
+ names faulted the running OS2 worker process. The fix is
+ actually in APR 0.9.4. [Brian Havard]
+
+ *) SECURITY: CVE-2003-0083 (cve.mitre.org)
+ Forward port: Escape special characters (especially control
+ characters) in mod_log_config to make a clear distinction between
+ client-supplied strings (with special characters) and server-side
+ strings. This was already introduced in version 1.3.25.
+ [André Malo]
+
+ *) mod_deflate: Check also err_headers_out for an already set
+ Content-Encoding: gzip header. This prevents gzip compressed content
+ from a CGI script from being compressed once more. PR 17797.
+ [André Malo]
+
+Changes with Apache 2.0.45
+
+ *) Fix possible segfaults under obscure error conditions within the
+ cgid daemon. [Jeff Trawick, William Rowe]
+
+ *) SECURITY: CVE-2003-0132 (cve.mitre.org)
+ Close a Denial of Service vulnerability identified by David
+ Endler <DEndler iDefense.com> on all platforms. An unlimited
+ stream of newlines were acceptable between requests where each
+ <lf> would allocate an 80 byte buffer, leading very quickly to
+ memory exahustion. [Brian Pane]
+
+ *) Added an rpm build script.
+ [Graham Leggett, Joe Orton <jorton redhat.com>]
+
+ *) Simpler, faster code path for request header scanning [Brian Pane]
+
+ *) SECURITY: Eliminated leaks of several file descriptors to child
+ processes, such as CGI scripts. This fix depends on the APR library
+ release 0.9.2 or later (0.9.3 was distributed with the httpd
+ source tarball for Apache 2.0.45.) PR 17206
+ [Christian Kratzer <ck cksoft.de>, Bjoern A. Zeeb <bz zabbadoz.net>]
+
+ *) Fix path handling of mod_rewrite, especially on non-unix systems.
+ There was some confusion between local paths and URL paths.
+ PR 12902. [André Malo]
+
+ *) Prevent endless loops of internal redirects in mod_rewrite by
+ aborting after exceeding a limit of internal redirects. The
+ limit defaults to 10 and can be changed using the RewriteOptions
+ directive. PR 17462. [André Malo]
+
+ *) Win32: Avoid busy wait (consuming all the CPU idle cycles) when
+ all worker threads are busy.
+ [Igor Nazarenko <igor_nazarenko hotmail.com>]
+
+ *) Keep the subrequest filter in place when a subrequest is
+ redirected. PR 15423. [Jeff Trawick]
+
+ *) you can now specify the compression level for mod_deflate.
+ [Ian Holsman, Stephen Pierzchala <stephen pierzchala.com>,
+ Michael Schroepl <Michael.Schroepl telekurs.de>]
+
+ *) mod_deflate: Extend the DeflateFilterNote directive to
+ allow accurate logging of the filter's in- and outstream.
+ [André Malo]
+
+ *) Allow SSLMutex to select/use the full range of APR locking
+ mechanisms available to it. Also, fix the bug that SSLMutex uses
+ APR_LOCK_DEFAULT no matter what. PR 8122 [Jim Jagielski,
+ Martin Kutschker <martin.t.kutschker blackbox.net>]
+
+ *) Restore the ability of htdigest.exe to create files that contain
+ more than one user. PR 12910. [André Malo]
+
+ *) Improve binary compatibility of the core between debug (aka
+ maintainer-mode) and a non-debug compile.
+ [Sander Striker]
+
+ *) mod_usertrack: don't set the cookie in subrequests. This works
+ around the problem that cookies were set twice during fast internal
+ redirects. PR 13211. [André Malo]
+
+ *) mod_autoindex no longer forgets output format and enabled version
+ sort in linked column headers. [André Malo]
+
+ *) Use .sv instead of .se as extension for Swedish documents in the
+ default configuration. PR 12877. [André Malo]
+
+ *) Updated mod_ldap and mod_auth_ldap to support the Novell LDAP SDK SSL
+ and standardized the LDAP SSL support across the various LDAP SDKs.
+ Isolated the SSL functionality to mod_ldap rather than speading it
+ across mod_auth_ldap and mod_ldap. Also added LDAPTrustedCA
+ and LDAPTrustedCAType directives to mod_ldap to allow for a more
+ common method of specifying the SSL certificate.
+ [Dave Ward, Brad Nicholes]
+
+ *) Fixed mod_ssl's SSLCertificateChain initialization to no longer
+ skip the first cert of the chain by default. This misbehavior
+ was introduced in 2.0.34. PR 14560 [Madhusudan Mathihalli]
+
+ *) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
+ be started on Unix because of such problems as bad permissions,
+ bad shebang line, etc. [Jeff Trawick]
+
+ *) Fix 64-bit problem in mod_ssl input logic.
+ [Madhusudan Mathihalli <madhusudan_mathihalli hp.com>]
+
+ *) Fix potential memory leaks in mod_deflate on malformed data. PR 16046.
+ [Justin Erenkrantz]
+
+ *) Rewrite ap_xml_parse_input to use bucket brigades. PR 16134.
+ [Justin Erenkrantz]
+
+ *) Fix segfault which occurred when a section in an included
+ configuration file was not closed. PR 17093. [André Malo]
+
+ *) Enhance the behavior of mod_isapi's WriteClient() callback to
+ provide better emulation for isapi modules that presume that the
+ first WriteClient() call may send status and headers. An example
+ of WriteClient() abuse is the foxisapi module, which relies on
+ that assumpion and now works. [William Rowe, Milan Kosina]
+
+ *) Check the return value of ap_run_pre_connection(). So if the
+ pre_connection phase fails (without setting c->aborted)
+ ap_run_process_connection is not executed. [Stas Bekman]
+
+ *) Fixed a problem with mod_ldap which caused it to fault when caching
+ was disabled. Needed to make sure that the code did not
+ attempt to use the cache if it didn't exist. Also fixed some memory
+ leaks which were due to not releasing LDAP resources on error
+ conditions. [Brad Nicholes]
+
+ *) Hook mod_proxy's fixup before mod_rewrite's fixup, so that by
+ mod_rewrite proxied URLs will not be escaped accidentally by
+ mod_proxy's fixup. PR 16368 [André Malo]
+
+ *) While processing filters on internal redirects, remember seen EOS
+ buckets also in the request structure of the redirect issuer(s). This
+ prevents filters (such as mod_deflate) from adding garbage to the
+ response. PR 14451. [André Malo]
+
+ *) suexec: Be more pedantic when cleaning environment. Clean it
+ immediately after startup. PR 2790, 10449.
+ [Jeff Stewart <jws purdue.edu>, André Malo]
+
+ *) Fix apxs to insert LoadModule directives only outside of sections.
+ PR 8712, 9012. [André Malo]
+
+ *) Fix suexec compile error under SUNOS4, where strerror() doesn't
+ exist. PR 5913, 9977.
+ [Jonathan W Miner <Jonathan.W.Miner lmco.com>]
+
+ *) Fix If header parsing when a non-mod_dav lock token is passed to it.
+ PR 16452. [Justin Erenkrantz]
+
+ *) mod_auth_digest no longer tries to guess AuthDigestDomain, if it's
+ not specified. Now it assumes "/" as already documented. PR 16937.
+ [André Malo]
+
+ *) Try to log an error if a piped log program fails. Try to
+ restart a piped log program in more failure situations. Fix an
+ existing problem with error handling in piped_log_spawn(). Use
+ new APR apr_proc_create() features to prevent Apache from starting
+ on Unix* in most cases where a piped log program can be started,
+ and add log messages for the other situations. *Other platforms
+ already failed Apache initialization if a piped log program
+ couldn't be started. PR 15761 [Jeff Trawick]
+
+ *) Fix mod_cern_meta to not create empty metafiles when the
+ metafile searched for does not exist. PR 12353
+ [Owen Rees <owen_rees hp.com>]
+
+ *) Introduce debugging symbols for Win32 release builds, both .pdb
+ and .dbg files (older debuggers and Dr. Watson-type utilities
+ on WinNT or Win9x don't support the newer .pdb flavor.)
+ [Allen Edwards, William Rowe]
+
+ *) Fix bug where 'Satisfy Any' without an AuthType lost all MIME
+ information (and more). Related to PR 9076. [André Malo]
+
+ *) mod_file_cache: fix segfault serving mmaped cached files.
+ [Bill Stoddard]
+
+ *) mod_file_cache: fixed a segfault when multiple MMapFile directives
+ were used. PR 16313. [Cliff Woolley]
+
+ *) Fix a nasty segfault in mmap_bucket_setaside() caused by passing
+ an incompatible pointer type to mmap_bucket_destroy(void*).
+ [Gerard Eviston <geviston bigpond.net.au>]
+
+ *) Enable the -n name parameter on NetWare to allow the
+ administrator to rename the Apache console screen
+ [Brad Nicholes]
+
+ *) Fixed piped access logs on Win32 by disabling OTHER_CHILD
+ support by default in APR. More development is required
+ to deploy OTHER_CHILD on Win32. [William Rowe]
+
+ *) Use saner default config values for suexec. PR 15713.
+ [Thom May <thom planetarytramp.net>]
+
+ *) mod_rewrite: Allow "RewriteEngine Off" even if no "Options FollowSymlinks"
+ (or SymlinksIfOwnermatch) is set. PR 12395. [André Malo]
+
+ *) apxs: Include any special APR ld flags when linking the DSO.
+ This resolves problems on AIX when building a DSO with apxs+gcc.
+ [Jeff Trawick]
+
+ *) Added character set support to mod_auth_LDAP to allow it to
+ convert extended characters used in the user ID to UTF-8
+ before authenticating against the LDAP directory. The new
+ directive AuthLDAPCharsetConfig is used to specify the config
+ file that contains the character set conversion table.
+ [Brad Nicholes]
+
+ *) Don't remove the Content-Length from responses in mod_proxy
+ PR: 8677 [Brian Pane]
+
+ *) Ensure LDAP version is set to v3 on every bind. PR 14235.
+ [Sergey A. Lipnevich <sergeyli pisem.net>]
+
+ *) Fix mod_ldap to open an existing shared memory file should one
+ already exist. PR 12757. [Scooter Morris <scooter gene.com>,
+ Graham Leggett]
+
+ *) Fix the ulimit command used by apachectl on Tru64. PR 13609.
+ [Joseph Senulis <Joseph.Senulis dnr.state.wi.us>, Jeff Trawick]
+
+ *) Change the ulimit command used by apachectl on AIX so that it
+ works in all locales. [Jeff Trawick]
+
+ *) mod_ext_filter: Fix a problem building argument lists which
+ occasionally caused exec to fail. PR 15491. [Jeff Trawick]
+
+Changes with Apache 2.0.44
+
+ *) mod_autoindex: Bring forward the IndexOptions IgnoreCase option
+ from Apache 1.3. PR 14276
+ [David Shane Holden <dpejesh yahoo.com>, William Rowe]
+
+ *) mod_mime: Workaround to prevent a segfault if r->filename=NULL
+ [Brian Pane]
+
+ *) Reorder the definitions for mod_ldap and mod_auth_ldap within
+ config.m4 to make sure the parent mod_ldap is defined first.
+ This ensures that mod_ldap comes before mod_auth_ldap in the
+ httpd.conf file, which is necessary for mod_auth_ldap to load.
+ PR 14256 [Graham Leggett]
+
+ *) Fix the building of cgi command lines when the query string
+ contains '='. PR 13914 [Ville Skyttä <ville.skytta iki.fi>,
+ Jeff Trawick]
+
+ *) Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move
+ implementation of MCacheMaxStreamingBuffer from mod_cache to
+ mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the
+ lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should
+ eliminate the need for explicitly coding MCacheMaxStreamingBuffer
+ in most configurations. [Bill Stoddard]
+
+ *) mod_cache: Fix PR 15113, a core dump in cache_in_filter when
+ a redirect occurs. The code was passing a format string and
+ integer to apr_pstrcat. Changed to apr_psprintf.
+ [Paul J. Reder]
+
+ *) Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL
+ as set by apr-util in util_ldap.c. This should allow mod_ldap
+ to work with the Netscape/Mozilla LDAP library. [Ãyvin Sømme
+ <somme oslo.westerngeco.slb.com>, Graham Leggett]
+
+ *) Fix critical bug in new --enable-v4-mapped configure option
+ implementation which broke IPv4 listening sockets on some
+ systems. [hiroyuki hanai <hanai imgsrc.co.jp>]
+
+ *) mod_setenvif: Fix BrowserMatchNoCase support for non-regex
+ patterns [André Malo <nd perlig.de>]
+
+ *) Add version string to provider API. [Justin Erenkrantz]
+
+ *) build: './configure && make' now works without an in-tree
+ apr and apr-util. [Wilfredo Sanchez]
+
+ *) mod_negotiation: Set the appropriate mime response headers
+ (Content-Type, charset, Content-Language and Content-Encoding)
+ for negotated type-map "Body:" responses (such as the error
+ pages.) [André Malo <nd perlig.de>]
+
+ *) mod_log_config: Allow '%%' escaping in CustomLog format
+ strings to insert a literal, single '%'.
+ [André Malo <nd perlig.de>]
+
+ *) mod_autoindex: AddDescription directives for directories
+ now work as in Apache 1.3, where no trailing '/' is
+ specified on the directory name. Previously, the trailing
+ '/' *had* to be specified, which was incompatible with
+ Apache 1.3. PR 7990 [Jeff Trawick]
+
+ *) Fix for PR 14556. The expiry calculations in mod_cache were
+ trying to perform "now + ((date - lastmod) * factor)" where
+ date == lastmod resulting in "now + 0". The code now follows
+ the else path (using the default expiration) if date is
+ equal to lastmod. [Sergey <rx armstrike.com>, Paul J. Reder]
+
+ *) Use AP_DECLARE in the debug versions of ap_strXXX in case the
+ default calling convention is not the same as the one used by
+ AP_DECLARE. [Juan Rivera <Juan.Rivera citrix.com>]
+
+ *) mod_cache: Don't cache response header fields designated
+ as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1).
+ [Estrade Matthieu <estrade-m ifrance.com>, Brian Pane]
+
+ *) mod_cgid: Handle environment variables containing newlines.
+ PR 14550 [Piotr Czejkowski <apache czarny.eu.org>, Jeff
+ Trawick]
+
+ *) Move mod_ext_filter out of experimental and into filters.
+ [Jeff Trawick]
+
+ *) Fixed a memory leak in mod_deflate with dynamic content.
+ PR 14321 [Ken Franken <kfranken decisionmark.com>]
+
+ *) Add --[enable|disable]-v4-mapped configure option to control
+ whether or not Apache expects to handle IPv4 connections
+ on IPv6 listening sockets. Either setting will work on
+ systems with the IPV6_V6ONLY socket option. --enable-v4-mapped
+ must be used on systems that always allow IPv4 connections on
+ IPv6 listening sockets. PR 14037 (Bugzilla), PR 7492 (Gnats)
+ [Jeff Trawick]
+
+ *) This fixes a problem where the underlying cache code
+ indicated that there was one more element on the cache
+ than there actually was. This happened since element 0
+ exists but is not used. This code allocates the correct
+ number of useable elements and reports the number of
+ actually used elements. The previous code only allowed
+ MCacheMaxObjectCount-1 objects to be stored in the
+ cache. [Paul J. Reder]
+
+ *) mod_setenvif: Add SERVER_ADDR special keyword to allow
+ envariable setting according to the server IP address
+ which received the request. [Ken Coar]
+
+ *) mod_cgid: Terminate CGI scripts when the client connection
+ drops. PR 8388 [Jeff Trawick]
+
+ *) Rearrange OpenSSL engine initialization to support RAND
+ redirection on crypto accelerator.
+ [Frederic DONNAT <frederic.donnat zencod.com>]
+
+ *) Always emit Vary header if mod_deflate is involved in the
+ request. [André Malo <nd perlig.de>]
+
+ *) mod_isapi: Stop unsetting the 'empty' query string result with
+ a NULL argument in ecb->lpszQueryString, eliminating segfaults
+ for some ISAPI modules. PR 14399
+ [Detlev Vendt <detlev.vendt brillit.de>]
+
+ *) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION
+ notification is received before the HttpExtensionProc() returns
+ HSE_STATUS_PENDING. This only affected isapi .dll's configured
+ with the ISAPIFakeAsync on directive. PR 11918
+ [John DeSetto <jdesetto radiantsystems.com>, William Rowe]
+
+ *) mod_isapi: Fix the issue where all results from mod_isapi would
+ run through the core die handler resulting in invalid responses
+ or access log entries. PR 10216 [William Rowe]
+
+ *) Improves the user friendliness of the CacheRoot processing
+ over my last pass. This version avoids the pool allocations
+ but doesn't avoid all of the runtime checks. It no longer
+ terminates during post-config processing. An error is logged
+ once per worker, indicating that the CacheRoot needs to be set.
+ [Paul J. Reder]
+
+ *) Fix a bug where we keep files open until the end of a
+ keepalive connection, which can result in:
+ (24)Too many open files: file permissions deny server access
+ especially on threaded servers. [Greg Ames, Jeff Trawick]
+
+ *) Fix a bug in which mod_proxy sent an invalid Content-Length
+ when a proxied URL was invoked as a server-side include within
+ a page generated in response to a form POST. [Brian Pane]
+
+ *) Added code to process min and max file size directives and to
+ init the expirychk flag in mod_disk_cache. Added a clarifying
+ comment to cache_util. [Paul J. Reder]
+
+ *) The value emitted by ServerSignature now mimics the Server HTTP
+ header as controlled by ServerTokens. [Francis Daly <deva daoine.org>]
+
+ *) Gracefully handly retry situations in the SSL input filter,
+ by following the SSL libraries' retry semantics.
+ [William Rowe]
+
+ *) Terminate CGI scripts when the client connection drops. This
+ fix only applies to some normal paths in mod_cgi. mod_cgid
+ is still busted. PR 8388 [Jeff Trawick]
+
+ *) Fix a bug where 416 "Range not satisfiable" was being
+ returned for content that should have been redirected.
+ [Greg Ames]
+
+ *) Fix memory leak in mod_ssl from internal SSL library allocations
+ within SSL_get_peer_certificate and X509_get_pubkey.
+ [Zvi Har'El <rl math.technion.ac.il>
+ Madhusudan Mathihalli <madhusudan_mathihalli hp.com>].
+
+ *) mod_ssl uses free() inappropriately in several places, to free
+ memory which has been previously allocated inside OpenSSL.
+ Such memory should be freed with OPENSSL_free(), not with free().
+ [Nadav Har'El <nyh math.technion.ac.il>,
+ Madhusudan Mathihalli <madhusudan_mathihalli hp.com>].
+
+ *) Emit a message to the error log when we return 404 because
+ the URI contained '%2f'. (This was previously nastily silent
+ and difficult to debug.) [Ken Coar]
+
+ *) Fix streaming output from an nph- CGI script. CGI:IRC now
+ works. PR 8482 [Jeff Trawick]
+
+ *) More accurate logging of bytes sent in mod_logio when
+ the client terminates the connection before the response
+ is completely sent [Bojan Smojver <bojan rexursive.com>]
+
+ *) Fix some problems in the perchild MPM.
+ [Jonas Eriksson <jonas webkonsulterna.com>]
+
+ *) Change the CacheRoot processing to check for a required
+ value at config time. This saves a lot of wasted processing
+ if the mod_disk_cache module is loaded but no CacheRoot
+ was provided. This fix also adds code to log an error
+ and avoid useless pallocs and procesing when the computed
+ cache file name cannot be opened. This also updates the
+ docs accordingly. [Paul J. Reder]
+
+ *) Introduce the EnableSendfile directive, allowing users of NFS
+ shares to disable sendfile mechanics when they either fail
+ outright or provide intermitantly corrupted data. PR
+ [William Rowe]
+
+ *) Resolve the error "An operation was attempted on something
+ that is not a socket. : winnt_accept: AcceptEx failed.
+ Attempting to recover." for users of various firewall and
+ anti-virus software on Windows. PR 8325 [William Rowe]
+
+ *) Add the ProxyBadHeader directive, which gives the admin some
+ control on how mod_proxy should handle bogus HTTP headers from
+ proxied servers. This allows 2.0 to "emulate" 1.3's behavior if
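Review bot: the contributor name in the APU_HAS_LDAP_NETSCAPE_SSL entry under "Changes with Apache 2.0.44" ("Ãyvin Sømme") is mojibake, so this file is not consistently encoded and that entry should be re-encoded before the CHANGES file is published (other accented names in the same region, such as "André Malo" and "Ville Skyttä", render correctly). Two smaller points in the same region: the EnableSendfile entry under 2.0.44 reads "PR" with no bug number, which should be filled in or dropped, and the mod_ssl memory-leak entry crediting Zvi Har'El and Madhusudan Mathihalli lacks the comma separator used between contributor names elsewhere. Spelling nits a shipped changelog should not carry: "exahustion" (CVE-2003-0132 entry), "speading" (mod_ldap Novell SDK entry), "assumpion" (mod_isapi WriteClient entry), "negotated" (mod_negotiation entry), "handly" (SSL input filter retry entry), "procesing" (CacheRoot config-time entry) and "intermitantly" (EnableSendfile entry).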
[... 5326 lines stripped ...]