You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Brian Behlendorf <br...@hyperreal.com> on 1997/01/27 12:28:31 UTC
please post to usenet, someone...
Could someone post this to USENET? My news server's disk is currently
full (oh, dean.....) Thanks.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hyperreal.com http://www.apache.org http://www.organic.com/jobs
---------- Forwarded message ----------
Date: Mon, 27 Jan 1997 03:21:35 -0800 (PST)
From: Brian Behlendorf <br...@hyperreal.com>
To: apache-announce@apache.org
Subject: Apache 1.2b6 Released!
After a long month of grueling TCP sleuthing, bug tracking, and
security-hole-squishing, the sixth beta of Apache 1.2 has now been
released. Yet again, there are significant number of bugfixes and a few
enhancements - if you are running a beta of 1.2 at all, you should upgrade
to 1.2b6, for both stability and security reasons. We hope that there
will be only one more beta after this, as a release candidate, and if
there's no problems with that 1.2 final will be released. A complete list
of changes appears below.
Most significantly, we have replaced a majority of the calls to "sprintf"
to "snprintf", which should help prevent the type of stack-scribbling hole
as was found recently in mod_cookies. Because "snprintf" isn't in
libraries on all machines, we have provided our own snprintf utility - if
your platform has an "snprintf" routine which is considered stable and
robust, let us know at apache@apache.org and we will consider having it
use the native version on your platform. By default Apache will use its
own snprintf routine.
Another major bug fix involved tracking down the FIN_WAIT_2 problem many
of you have noted. This is a very complex problem, as it involves finding
and triggering related bugs in server and client TCP/IP kernel stacks and
client software. We think we have found the best solution, and have
instrumented error reporting to help track down related problems - if you
still have a problem with sockets hanging in FIN_WAIT_2 status let us
know. Note that some vendors, such as BSDI, have started supplying kernel
patches to force FIN_WAIT_2 connections to time out, which certainly helps
alleviate the problem.
Finally, the "suexec" functionality has been significantly enhanced,
incorporating fixes for both functionality and security. If you use the
setuid features of Apache at all you should upgrade.
There are many more fixes, but you get the idea. 1.2b5 was never publicly
released, we built it and then found a serious problem right after doing
so, and chose to fix the problem and release 1.2b6.
As usual, thank you for using Apache!
The Apache Group
http://www.apache.org/
####################
Changes with Apache 1.2b6
*) Allow whitespace in imagemap mapfile coordinates. [Marc Slemko]
*) Fix typo introduced in fix for potential infinite loop around
accept() in child_main(). This change caused the rev to 1.2b6.
1.2b5 was never a public beta.
Changes with Apache 1.2b5
*) Change KeepAlive semantics (On|Off instead of a number), add
MaxKeepAliveRequests directive. [Alexei Kosut]
*) Various NeXT compilation patches, as well as a change in
regex/regcomp.c since that file also used a NEXT define.
[Andreas Koenig]
*) Allow * to terminate the end of a directory match in mod_dir.
Allows /~* to match for both /~joe and /~joe/. [David Bronder]
*) Don't call can_exec() if suexec_enabled. Calling this requires
scripts executed by the suexec wrapper to be world executable, which
defeats one of the advantages of running the wrapper. [Randy Terbush]
*) Portability Fix: IRIX complained with 'make clean' about *pure* (removed)
[Jim Jagielski]
*) Migration from sprintf() to snprintf() to avoid buffer
overflows. [Marc Slemco]
*) Provide portable snprintf() implementation (ap_snprintf)
as well as *cvt family. [Jim Jagielski]
*) Portability Fix: NeXT lacks unistd.h so we wrap it's inclusion
[Jim Jagielski]
*) Remove mod_fastcgi.c from the distribution. This module appears
to be maintained more through the Open Market channels and should
continue to be easily available at http://www.fastcgi.com/
*) Fixed bug in modules/Makefile that wouldn't allow building in more
than one subdirectory (or cleaning, either). [Jeremy Laidman]
*) mod_info assumed that the config files were relative to ServerRoot.
[Ken the Rodent]
*) CGI scripts called as an error document resulting from failed
CGI execution would hang waiting for POST'ed data. [Rob Hartill]
*) Log reason when mod_dir returns access HTTP_FORBIDDEN
[Ken the Rodent]
*) Properly check errno to prevent display of a directory index
when server receives a long enough URL to confuse stat().
[Marc Slemko]
*) Several security enhancements to suexec wrapper. It is _highly_
recommended that previously installed versions of the wrapper
be replaced with this version. [Randy Terbush, Jason Dour]
- ~user execution now properly restricted to ~user's home
directory and below.
- execution restricted to UID/GID > 100
- restrict passed environment to known variables
- call setgid() before initgroups() (portability fix)
- remove use of setenv() (portability fix)
*) Add HTTP/1.0 response forcing. [Ben Laurie]
*) Add access control via environment variables. [Ben Laurie]
*) Add rflush() function. [Alexei Kosut]
*) remove duplicate pcalloc() call in new_connection().
*) Fix incorrect comparison which could allow number of children =
MaxClients + 1 if less than HARD_SERVER_LIMIT. Also fix potential
problem if StartServers > HARD_SERVER_LIMIT. [Ed Korthof]
*) Updated support for OSes (MachTen, ULTRIX, Paragon, ISC, OpenBSD
AIX PS/2, CONVEXOS. [Jim Jagielski]
*) Replace instances of inet_ntoa() with inet_addr() for ProxyBlock.
It's more portable. [Martin Kraemer]
*) Replace references to make in Makefile.tmpl with $(MAKE).
[Chuck Murcko]
*) Add ProxyBlock directive w/IP address caching. Add IP address
caching to NoCache directive as well. ProxyBlock works with all
handlers; NoCache now also works with FTP for anonymous logins.
Still more code cleanup. [Chuck Murcko]
*) Add "header parse" API hook [Ben Laurie]
*) Fix byte ordering problems for REMOTE_PORT [Chuck Murcko]
*) suEXEC wrapper was freeing memory that had not been malloc'ed.
*) Correctly allow access and auth directives in <Files> sections in
server config files. [Alexei Kosut]
*) Fix bug with ServerPath that could cause certain files to be not
found by the server. [Alexei Kosut]
*) Fix handling of ErrorDocument so that it doesn't remove a trailing
double-quote from text and so that it properly checks for unsupported
status codes using the new index_of_response interface. [Roy Fielding]
*) Multiple fixes to the lingering_close code in order to avoid being
interrupted by a stray timeout, to avoid lingering on a connection
that has already been aborted or never really existed, to ensure that
we stop lingering as soon as any error condition is received, and to
prevent being stuck indefinitely if the read blocks. Also improves
reporting of error conditions. [Marc Slemko and Roy Fielding]
*) Fixed initialization of parameter structure for sigaction.
[mgyger@itr.ch, Adrian Filipi-Martin]
*) Fixed reinitializing the parameters before each call to accept and
select, and removed potential for infinite loop in accept.
[Roy Fielding, after useful PR from adrian@virginia.edu]
*) Fixed condition where, if a child fails to fork, the scoreboard would
continue to say SERVER_STARTING forever. Eventually, the main process
would refuse to start new children because count_idle_servers() will
count those SERVER_STARTING entries and will always report that there
are enough idle servers. [Phillip Vandry]
*) Fixed bug in bcwrite regarding failure to account for partial writes.
Avoided calling bflush() when the client is pipelining requests.
Removed unnecessary flushes from http_protocol. [Dean Gaudet]
*) Added description of "." mode in server-status [Jim Jagielski]
Re: please post to usenet, someone...
Posted by ra...@mail1.bellglobal.com.
Done (left your From info in there)
-Rasmus
Re: please post to usenet, someone...
Posted by Dean Gaudet <dg...@arctic.org>.
Hey! Why is it that people always try to post while an expire is running?
Too bad INN can't spool local posts while its disk is full.
Dean
On Mon, 27 Jan 1997, Brian Behlendorf wrote:
>
> Could someone post this to USENET? My news server's disk is currently
> full (oh, dean.....) Thanks.
>
> Brian
>
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> brian@hyperreal.com http://www.apache.org http://www.organic.com/jobs
>
> ---------- Forwarded message ----------
> Date: Mon, 27 Jan 1997 03:21:35 -0800 (PST)
> From: Brian Behlendorf <br...@hyperreal.com>
> To: apache-announce@apache.org
> Subject: Apache 1.2b6 Released!
>
>
> After a long month of grueling TCP sleuthing, bug tracking, and
> security-hole-squishing, the sixth beta of Apache 1.2 has now been
> released. Yet again, there are significant number of bugfixes and a few
> enhancements - if you are running a beta of 1.2 at all, you should upgrade
> to 1.2b6, for both stability and security reasons. We hope that there
> will be only one more beta after this, as a release candidate, and if
> there's no problems with that 1.2 final will be released. A complete list
> of changes appears below.
>
> Most significantly, we have replaced a majority of the calls to "sprintf"
> to "snprintf", which should help prevent the type of stack-scribbling hole
> as was found recently in mod_cookies. Because "snprintf" isn't in
> libraries on all machines, we have provided our own snprintf utility - if
> your platform has an "snprintf" routine which is considered stable and
> robust, let us know at apache@apache.org and we will consider having it
> use the native version on your platform. By default Apache will use its
> own snprintf routine.
>
> Another major bug fix involved tracking down the FIN_WAIT_2 problem many
> of you have noted. This is a very complex problem, as it involves finding
> and triggering related bugs in server and client TCP/IP kernel stacks and
> client software. We think we have found the best solution, and have
> instrumented error reporting to help track down related problems - if you
> still have a problem with sockets hanging in FIN_WAIT_2 status let us
> know. Note that some vendors, such as BSDI, have started supplying kernel
> patches to force FIN_WAIT_2 connections to time out, which certainly helps
> alleviate the problem.
>
> Finally, the "suexec" functionality has been significantly enhanced,
> incorporating fixes for both functionality and security. If you use the
> setuid features of Apache at all you should upgrade.
>
> There are many more fixes, but you get the idea. 1.2b5 was never publicly
> released, we built it and then found a serious problem right after doing
> so, and chose to fix the problem and release 1.2b6.
>
> As usual, thank you for using Apache!
>
> The Apache Group
> http://www.apache.org/
>
>
> ####################
>
> Changes with Apache 1.2b6
>
> *) Allow whitespace in imagemap mapfile coordinates. [Marc Slemko]
>
> *) Fix typo introduced in fix for potential infinite loop around
> accept() in child_main(). This change caused the rev to 1.2b6.
> 1.2b5 was never a public beta.
>
> Changes with Apache 1.2b5
>
> *) Change KeepAlive semantics (On|Off instead of a number), add
> MaxKeepAliveRequests directive. [Alexei Kosut]
>
> *) Various NeXT compilation patches, as well as a change in
> regex/regcomp.c since that file also used a NEXT define.
> [Andreas Koenig]
>
> *) Allow * to terminate the end of a directory match in mod_dir.
> Allows /~* to match for both /~joe and /~joe/. [David Bronder]
>
> *) Don't call can_exec() if suexec_enabled. Calling this requires
> scripts executed by the suexec wrapper to be world executable, which
> defeats one of the advantages of running the wrapper. [Randy Terbush]
>
> *) Portability Fix: IRIX complained with 'make clean' about *pure* (removed)
> [Jim Jagielski]
>
> *) Migration from sprintf() to snprintf() to avoid buffer
> overflows. [Marc Slemco]
>
> *) Provide portable snprintf() implementation (ap_snprintf)
> as well as *cvt family. [Jim Jagielski]
>
> *) Portability Fix: NeXT lacks unistd.h so we wrap it's inclusion
> [Jim Jagielski]
>
> *) Remove mod_fastcgi.c from the distribution. This module appears
> to be maintained more through the Open Market channels and should
> continue to be easily available at http://www.fastcgi.com/
>
> *) Fixed bug in modules/Makefile that wouldn't allow building in more
> than one subdirectory (or cleaning, either). [Jeremy Laidman]
>
> *) mod_info assumed that the config files were relative to ServerRoot.
> [Ken the Rodent]
>
> *) CGI scripts called as an error document resulting from failed
> CGI execution would hang waiting for POST'ed data. [Rob Hartill]
>
> *) Log reason when mod_dir returns access HTTP_FORBIDDEN
> [Ken the Rodent]
>
> *) Properly check errno to prevent display of a directory index
> when server receives a long enough URL to confuse stat().
> [Marc Slemko]
>
> *) Several security enhancements to suexec wrapper. It is _highly_
> recommended that previously installed versions of the wrapper
> be replaced with this version. [Randy Terbush, Jason Dour]
>
> - ~user execution now properly restricted to ~user's home
> directory and below.
> - execution restricted to UID/GID > 100
> - restrict passed environment to known variables
> - call setgid() before initgroups() (portability fix)
> - remove use of setenv() (portability fix)
>
> *) Add HTTP/1.0 response forcing. [Ben Laurie]
>
> *) Add access control via environment variables. [Ben Laurie]
>
> *) Add rflush() function. [Alexei Kosut]
>
> *) remove duplicate pcalloc() call in new_connection().
>
> *) Fix incorrect comparison which could allow number of children =
> MaxClients + 1 if less than HARD_SERVER_LIMIT. Also fix potential
> problem if StartServers > HARD_SERVER_LIMIT. [Ed Korthof]
>
> *) Updated support for OSes (MachTen, ULTRIX, Paragon, ISC, OpenBSD
> AIX PS/2, CONVEXOS. [Jim Jagielski]
>
> *) Replace instances of inet_ntoa() with inet_addr() for ProxyBlock.
> It's more portable. [Martin Kraemer]
>
> *) Replace references to make in Makefile.tmpl with $(MAKE).
> [Chuck Murcko]
>
> *) Add ProxyBlock directive w/IP address caching. Add IP address
> caching to NoCache directive as well. ProxyBlock works with all
> handlers; NoCache now also works with FTP for anonymous logins.
> Still more code cleanup. [Chuck Murcko]
>
> *) Add "header parse" API hook [Ben Laurie]
>
> *) Fix byte ordering problems for REMOTE_PORT [Chuck Murcko]
>
> *) suEXEC wrapper was freeing memory that had not been malloc'ed.
>
> *) Correctly allow access and auth directives in <Files> sections in
> server config files. [Alexei Kosut]
>
> *) Fix bug with ServerPath that could cause certain files to be not
> found by the server. [Alexei Kosut]
>
> *) Fix handling of ErrorDocument so that it doesn't remove a trailing
> double-quote from text and so that it properly checks for unsupported
> status codes using the new index_of_response interface. [Roy Fielding]
>
> *) Multiple fixes to the lingering_close code in order to avoid being
> interrupted by a stray timeout, to avoid lingering on a connection
> that has already been aborted or never really existed, to ensure that
> we stop lingering as soon as any error condition is received, and to
> prevent being stuck indefinitely if the read blocks. Also improves
> reporting of error conditions. [Marc Slemko and Roy Fielding]
>
> *) Fixed initialization of parameter structure for sigaction.
> [mgyger@itr.ch, Adrian Filipi-Martin]
>
> *) Fixed reinitializing the parameters before each call to accept and
> select, and removed potential for infinite loop in accept.
> [Roy Fielding, after useful PR from adrian@virginia.edu]
>
> *) Fixed condition where, if a child fails to fork, the scoreboard would
> continue to say SERVER_STARTING forever. Eventually, the main process
> would refuse to start new children because count_idle_servers() will
> count those SERVER_STARTING entries and will always report that there
> are enough idle servers. [Phillip Vandry]
>
> *) Fixed bug in bcwrite regarding failure to account for partial writes.
> Avoided calling bflush() when the client is pipelining requests.
> Removed unnecessary flushes from http_protocol. [Dean Gaudet]
>
> *) Added description of "." mode in server-status [Jim Jagielski]
>
>
>
>
>