Posted to cvs@httpd.apache.org by st...@apache.org on 2002/09/25 00:31:10 UTC

cvs commit: httpd-site/xdocs Announcement index.xml

striker     2002/09/24 15:31:09

  Modified:    docs     Announcement index.html
               xdocs    Announcement index.xml
  Log:
  Prepare for announcement of 2.0.42
  
  Revision  Changes    Path
  1.13      +158 -192  httpd-site/docs/Announcement
  
  Index: Announcement
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/Announcement,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- Announcement	9 Aug 2002 20:02:32 -0000	1.12
  +++ Announcement	24 Sep 2002 22:31:08 -0000	1.13
  @@ -1,224 +1,190 @@
  +         Apache 2.0.42 Released
  +--------------------------------------------
   
  -Apache 2.0.40 Released
  ----------------------------------------------
  +The Apache HTTP Server Project is proud to announce the fifth public
  +release of Apache 2.0.  This is primarily a bug-fix release, including
  +updates to the experimental caching module, the removal of several
  +memory leaks, and fixes for several segfaults, one of which could have
  +been used as a denial-of-service against mod_dav.  A complete list of
  +the changes since 2.0.40 is given at the end of this document.
   
  -The Apache HTTP Server Project is proud to announce the fourth public
  -release of Apache 2.0.  Apache 2.0 has been running on the apache.org
  -website since December of 2000 and has proven to be very reliable.
  -
  -This version of Apache is principally a security and bug fix release.
  -A summary of the changes is given at the end of this document.  Of
  -particular note is that 2.0.40 fixes the serious vulnerability noted in
  -CAN-2002-0661 and the pair of path exposures in CAN-2002-0654 (mitre.org).
  -We would like to thank Auriemma Luigi <bu...@sitoverde.com> for
  -discovering and reporting the vulnerability and one of the path exposures
  -and Jim Race <jr...@qualys.com> for reporting the other path exposure.
   
  -Apache 2.0 offers numerous enhancements, improvements and performance
  -boosts over the 1.3 codebase. The most visible and noteworthy addition
  +Apache 2.0 offers numerous enhancements, improvements, and performance
  +boosts over the 1.3 codebase.  The most visible and noteworthy addition
   is the ability to run Apache in a hybrid thread/process mode on any
  -platform that supports both threads and processes.  This has shown to
  -improve the scalability of the Apache HTTP Server significantly in
  +platform that supports both threads and processes.  This has been shown
  +to improve the scalability of the Apache HTTP Server significantly in
   our testing.  Apache 2.0 also includes support for filtered I/O.  This
   allows modules to modify the output of other modules before it is
   sent to the client.  We have also included support for IPv6 on any
   platform that supports IPv6.
   
   This version of Apache is known to work on many versions of Unix, BeOS,
  -OS/2, Windows, and Netware.  Because of many of the advancements in
  -Apache 2.0, the initial release of Apache is expected to perform equally
  -well on all supported platforms.
  -
  -There are new snapshots of the Apache httpd source available every 6
  -hours from http://cvs.apache.org/snapshots/ - please download and test
  -if you feel brave. We don't guarantee anything except that it will
  -take up disk space, but if you have the time and skills, please
  -give it a spin on your platforms.
  +OS/2, Windows, and Netware.  Because of the many advances in Apache
  +2.0, it is expected to perform equally well on all supported platforms.
  +Apache 2.0 has been running on the apache.org website since December
  +of 2000 and has proven to be very reliable.
   
   Apache has been the most popular web server on the Internet since
  -April of 1996. The July 2002 Web Server Survey by Netcraft (see
  +April of 1996. The August 2002 Web Server Survey by Netcraft (see
   http://www.netcraft.com/survey/) found that more web servers were
  -using Apache than any other software; Apache runs on more than 57%
  +using Apache than any other software; Apache runs on more than 63%
   of the web servers on the Internet.
   
  +
  +We consider this release to be the best version of Apache available
  +and encourage users of all prior versions to upgrade.  When doing so,
  +please keep in mind the following:
  +
  +This release is not binary-compatible with previous releases, so all
  +modules need to be recompiled in order to work with this version.  For
  +example, a module compiled to work with 2.0.40 will not work with 2.0.42.
  +
  +If you intend to use Apache with one of the threaded MPMs, you must
  +ensure that the modules (and the libraries they depend on) that you
  +will be using are thread-safe.  Please contact the vendors of
  +these modules to obtain this information.
  +
  +
   For more information and to download the release tarballs, please
   visit http://httpd.apache.org/
   
   
  -Changes since 2.0.39
  +Changes since 2.0.40
   ---------------------------------------------
   
  -  *) SECURITY: [CAN-2002-0661] Close a very significant security hole that
  -     applies only to the Win32, OS2 and Netware platforms.  Unix was not
  -     affected, Cygwin may be affected.  Certain URIs will bypass security
  -     and allow users to invoke or access any file depending on the system
  -     configuration.  Without upgrading, a single .conf change will close
  -     the vulnerability.  Add the following directive in the global server
  -     httpd.conf context before any other Alias or Redirect directives:
  -         RedirectMatch 400 "\\\.\."
  -     Reported by Auriemma Luigi <bu...@sitoverde.com>.
  -     [Brad Nicholes]
  -
  -  *) SECURITY:  Close a path-revealing exposure in multiview type
  -     map negotiation (such as the default error documents) where the
  -     module would report the full path of the typemapped .var file when
  -     multiple documents or no documents could be served based on the mime
  -     negotiation.  Reported by Auriemma Luigi <bu...@sitoverde.com>.
  -     [CAN-2002-0654]  [William Rowe]
  -
  -  *) SECURITY:  Close a path-revealing exposure in cgi/cgid when we
  -     fail to invoke a script.  The modules would report "couldn't create
  -     child process /path-to-script/script.pl" revealing the full path
  -     of the script.  Reported by Jim Race <jr...@qualys.com>.
  -     [CAN-2002-0654]  [Bill Stoddard]
  -
  -  *) Set aside the apr-iconv and apr_xlate() features for the Win32
  -     build of 2.0.40 so development can be completed.  A patch, from
  -     <http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
  -     will be available for those that wish to work with apr-iconv.
  -     [William Rowe]
  -
  -  *) Fix proxy so that it is possible to access ftp: URLs via a proxy
  -     chain. [Peter Van Biesen <pe...@vlafo.be>]
  -
  -  *) mod-deflate now checks to make sure that 'gzip-only-text/html' is
  -     set to 1, so we can exclude things from the general case with
  -     browsermatch. [Ian Holsman, Andre Schild <A....@aarboard.ch>]
  -
  -  *) Accept multiple leading /'s for requests within the DocumentRoot.
  -     PR 10946  [William Rowe, David Shane Holden <dp...@yahoo.com>]
  -
  -  *) Solved the reports of .pdf byterange failures on Win32 alone.
  -     APR's sendfile for the win32 platform collapses header and trailer
  -     buffers into a single buffer.  However, we destroyed the pointers
  -     to the header buffer if a trailer buffer was present.  PR 10781
  -     [William Rowe]
  -
  -  *) mod_ext_filter: Add the ability to enable or disable a filter via
  -     an environment variable.  Add the ability to register a filter of
  -     type other than AP_FTYPE_RESOURCE.  [Jeff Trawick]
  -
  -  *) Restore the ability to specify host names on Listen directives.
  -     PR 11030.  [Jeff Trawick, David Shane Holden <dp...@yahoo.com>]
  -
  -  *) When deciding on the default address family for listening sockets,
  -     make sure we can actually bind to an AF_INET6 socket before
  -     deciding that we should default to AF_INET6.  This fixes a startup
  -     problem on certain levels of OpenUNIX.  PR 10235.  [Jeff Trawick]
  -
  -  *) Replace usage of atol() to parse strings when we might want a
  -     larger-than-long value with apr_atoll(), which returns long long.
  -     This allows HTTPD to deal with larger files correctly.
  -     [Shantonu Sen <ss...@apple.com>]
  -
  -  *) mod_ext_filter: Ignore any content-type parameters when checking if
  -     the response should be filtered.  Previously, "intype=text/html"
  -     wouldn't match something like "text/html;charset=8859_1".
  -     [Jeff Trawick]
  -
  -  *) mod_ext_filter: Set up environment variables for external programs.
  -     [Craig Sebenik <cr...@netapp.com>]
  -
  -  *) Modified the HTTP_IN filter to immediately append the EOS (end of
  -     stream) bucket for C-L POST bodies, saving a roundtrip and allowing
  -     the caller to determine that no content remains without prefetching
  -     additional POST body.  [William Rowe]
  -
  -  *) Get proxy ftp to work over IPv6.  [Shoichi Sakane <sa...@kame.net>]
  -
  -  *) Look for OpenSSL libraries in /usr/lib64.  [Peter Poeml <po...@suse.de>]
  -
  -  *) Update SuSE layout.  [Peter Poeml <po...@suse.de>]
  -
  -  *) Changes to the internationalized error documents:
  -     Comment them out in the default config file to make the default
  -     install as simple as possible; Correct the english 500 error to
  -     be more understandable; Add a Swedish translation.
  -     [Thomas Sjogren <th...@northernsecurity.net>,
  -      Erik Abele <er...@codefaktor.de>, Rich Bowen, Joshua Slive]
  -
  -  *) Increase the limit on file descriptors per process in apachectl.
  -     [Brian Pane]
  -
  -  *) Fix a dependency error when building ApacheMonitor, so that Win32
  -     and MSVC now trust that the project is current (when it is).
  -     [James Cox <im...@php.net>]
  -
  -  *) mod_ext_filter: don't segfault if content-type is not set.  PR 10617.
  -     [Arthur P. Smith <ap...@aps.org>, Jeff Trawick]
  -
  -  *) APR-Util Renames pending have been completed [Thom May]
  -
  -  *) Performance improvements for the code that reads request
  -     headers (ap_rgetline_core() and related functions)  [Brian Pane]
  -
  -  *) Add a new directive: MaxMemFree.  MaxMemFree makes it possible
  -     to configure the maximum amount of memory the allocators will
  -     hold on to for reuse.  Anything over the MaxMemFree threshold
  -     will be free()d.  This directive is useful when uncommon large
  -     peaks occur in memory usage.  It should _not_ be used to mask
  -     defective modules' memory use.  [Sander Striker]
  -
  -  *) Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
  -     scripts would not result in a truncated response.
  -     [Ryan Bloom, Justin Erenkrantz, Cliff Woolley]
  -
  -  *) Add a filter_init parameter to the filter registration functions
  -     so that a filter can execute arbitrary code before the handlers
  -     are invoked.  This resolves a problem where mod_include requests
  -     would incorrectly return a 304.  [Justin Erenkrantz]
  -
  -  *) Fix a long-standing bug in 2.0, CGI scripts were being called
  -     with relative paths instead of absolute paths.  Apache 1.3 used
  -     absolute paths for everything except for SuExec, this brings back
  -     that standard.  [Ryan Bloom]
  +Changes with Apache 2.0.42
  +
  +  *) mod_dav: Check for versioning hooks before using them.
  +     [Greg Stein]
   
  -  *) Fix infinite loop due to two HTTP_IN filters being present for
  -     internally redirected requests.  PR 10146.  [Justin Erenkrantz]
  +Changes with Apache 2.0.41
   
  -  *) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
  +  *) The protocol version (eg: HTTP/1.1) in the request line parsing
  +     is now case insensitive. [Jim Jagielski]
  +
  +  *) Allow AddOutputFilterByType to add multiple filters per directive.
        [Justin Erenkrantz]
   
  -  *) Fix mod_ext_filter to look in the main server for filter definitions
  -     when running in a vhost if the filter definition is not found in
  -     the vhost.  PR 10147  [Jeff Trawick]
  -
  -  *) Support WinNT CGI invocation through ScriptInterpreterSource
  -     'registry' for script interpreter paths and names with non-ascii
  -     characters in the executable filepath.  [William Rowe]
  -
  -  *) Support the -w flag on to keep the Win32 console open on error.
  -     [William Rowe]
  -
  -  *) Normalize the hostname value in the request_rec to all-lowercase
  -     [Perry Harrington <pe...@webcom.com>]
  -
  -  *) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
  -     extended characters (non US-ASCII) in non-utf8 format.  This brings
  -     Win32 back into CGI/1.1 compliance, and leaves charset decoding up
  -     to the cgi application itself.  [William Rowe]
  -
  -  *) Major overhaul of mod_dav, mod_dav_fs and the experimental/cache
  -     modules to bring them up to the current apr/apr-util APIs.
  -     [William Rowe]
  +  *) Remove warnings with Sun's Forte compiler.  [Justin Erenkrantz]
  +
  +  *) Fixed mod_disk_cache's generation of 304s
  +     [Kris Verbeeck <Kr...@ubizen.com>]
  +
  +  *) Add support for using fnmatch patterns in the final path
  +     segment of an Include statement (eg.. include /foo/bar/*.conf).
  +     and remove the noise on stderr during config dir processing.
  +     [Joe Orton <jo...@redhat.com>]
  +
  +  *) mod_cache: cache_storage.c. Add the hostname and any request
  +     args to the key generated for caching. This provides a unique
  +     key for each virtual host and for each request with unique
  +     args. [Paul J. Reder, args code provided by Kris Verbeeck]
  +
  +  *) mod_cache: Do not cache responses to GET requests with query
  +     URLs if the origin server does not explicitly provide an
  +     Expires header on the response (RFC 2616 Section 13.9)
  +     [Kris Verbeeck krisv@be.ubizen.com]
  +
  +  *) Fix memory leak in core_output_filter.  [Justin Erenkrantz]
  +
  +  *) Update OpenSSL detection to work on Darwin.
  +     [Sander Temme <sc...@covalent.net>]
  +
  +  *) Update the xslt and css to give the documentation a more
  +     modern style.
  +     [Andr� Malo <nd...@perlig.de>, Gernot Winkler <gr...@o3media.de>]
  +
  +  *) Fix some bucket memory leaks in the chunking code
  +     [Joe Schaefer <jo...@sunstarsys.com>]
  +
  +  *) Add ModMimeUsePathInfo directive.  [Justin Erenkrantz]
  +
  +  *) mod_cache: added support for caching streamed responses (proxy,
  +     CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]
  +
  +  *) Add image/x-icon to httpd.conf PR 10993.
  +     [Ian Holsman, Peter Bieringer <pb...@bieringer.de>]
  +
  +  *) Fix FileETags none operation.  PR 12207.
  +     [Justin Erenkrantz, Andrew Ho <an...@tellme.com>]
   
  -  *) Fix segfault in mod_mem_cache most frequently observed when
  -     serving the same file to multiple clients on an MP machine.
  +  *) Restored the experimental leader/followers MPM to working
  +     condition and converted its thread synchronization from
  +     mutexes to atomic CAS.  [Brian Pane]
  +
  +  *) Fix Logic on non-html file removal in mod_deflate
  +     [Kris Verbeeck <Kr...@ubizen.com>]
  +
  +  *) Fix "ab -g"'s truncated year: the last digit was cut off.
  +     [Leon Brocard <ac...@astray.com>]
  +
  +  *) mod_rewrite can now sets cookies in err_headers, uses the correct
  +     expiry date, and can now set the path as well
  +     PR 12132,12181,12172.
  +     [Ian Holsman / Rob Cromwell <ap...@robcromwell.com>]
  +
  +  *) The content-length filter no longer tries to buffer up
  +     the entire output of a long-running request before sending
  +     anything to the client.  [Brian Pane]
  +
  +  *) Win32: Lower the default stack size from 1MB to 256K. This will
  +     allow around 8000 threads to be started per child process.
  +     'EDITBIN /STACK:size apache.exe' can be used to change this
  +     value directly in the apache.exe executable.
        [Bill Stoddard]
   
  -  *) mod_rewrite can now set cookies  (RewriteRule (.*) - [CO=name:$1:.domain])
  -     [Brian Degenhardt <bm...@mp3.com>, Ian Holsman]
  +  *) Win32: Implement ThreadLimit directive in the Windows MPM.
  +     [Bill Stoddard]
   
  -  *) Fix perchild to work with apachectl by adding -k support to perchild.
  -     PR 10074  [Jeff Trawick]
  +  *) Remove CacheOn config directive since it is set but never checked.
  +     No sense wasting cycles on unused code. Besides, the only truly
  +     bug free code is deleted code. :)   [Paul J. Reder]
   
  -  *) Fix a silly htpasswd.c logic error that incorrectly reported that
  -     both -c and -n had been used.  PR 9989  [Cliff Woolley]
  +  *) BufferLogs are now run-time enabled, and the log_config now has 2 new
  +     callbacks to allow a 3rd party module to actually do the writing of the
  +     log file [Ian Holsman]
   
  -  *) Fixed a mod_include error case in which no HTTP response was sent
  -     to the client if an shtml document contained an unterminated SSI
  -     directive [Brian Pane]
  +  *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs.
  +     [Andr� Malo, Astrid Ke�ler <ke...@kess-net.de>]
   
  -  *) Improve ap_get_client_block implementation by using APR-util brigade
  -     helper functions and relying on current filter assumptions.
  -     [Justin Erenkrantz]
  +  *) Fix Segfault in mod_cache. [Kris Verbeeck <Kr...@ubizen.com>]
  +
  +  *) Fix a null pointer dereference in the merge_env_dir_configs
  +     function of the mod_env module. PR 11791
  +     [Paul J. Reder]
  +
  +  *) New option to ServerTokens 'maj[or]'. Only show the major version
  +     Also Surfaced this directive in the standard config (default FULL)
  +     [Ian Holsman]
  +
  +  *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite
  +     maps.  The dbm type (e.g., ndbm, gdbm) can be specified on the
  +     RewriteMap directive.  PR 10644  [Jeff Trawick]
  +
  +  *) Fixed mod_rewrite's RewriteMap prg: support so that request/response
  +     pairs will no longer get out of sync with each other.  PR 9534
  +     [Cliff Woolley]
  +
  +  *) Fixes required to get quoted and escaped command args working in
  +     mod_ext_filter. PR 11793 [Paul J. Reder]
  +
  +  *) mod-proxy: handle proxied responses with no status lines
  +     [JD Silvester <js...@uwo.ca>, Brett Huttley <br...@huttley.net>]
  +
  +  *) Fix bug where environment or command line arguments containing
  +     non-ASCII-7 characters would cause the Win32 child process creation
  +     to fail.  PR 11854  [William Rowe]
  +
  +  *) Bug #11213.. make module loading error messages more informative
  +     [Ian Darwin <Ia...@darwinsys.com>]
  +
  +  *) thread safety & proxy-ftp [Alexey Panchenko alexey@liwest.ru, Ian Holsman]
  +
  +  *) mod_disk_cache works much better. This module should still
  +     be considered experimental. [Eric Prud'hommeaux]
  +
  +  *) Performance improvement for keepalive requests: when setting
  +     aside a small file for potential concatenation with the next
  +     response on the connection, set aside the file descriptor rather
  +     than copying the file into the heap.  [Brian Pane]
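
Review bot: The new introduction says one of the fixed segfaults "could have been used as a denial-of-service against mod_dav", but no entry in the added "Changes with Apache 2.0.42" or "Changes with Apache 2.0.41" lists is flagged as that fix, whereas the 2.0.40 entries removed in this hunk carried a "SECURITY:" prefix and CAN identifiers. If "mod_dav: Check for versioning hooks before using them." is the fix in question, prefix that entry with "SECURITY:" and state the impact there, so an administrator running mod_dav can tell from the change list alone why the upgrade matters. Smaller wording points in the added entries: "mod_rewrite can now sets cookies" should read "can now set cookies", and "(eg.. include /foo/bar/*.conf)." has a doubled period after "eg" and a full stop that splits the sentence before "and remove the noise".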
  
  
  
  1.45      +4 -13     httpd-site/docs/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/index.html,v
  retrieving revision 1.44
  retrieving revision 1.45
  diff -u -r1.44 -r1.45
  --- index.html	17 Sep 2002 14:41:30 -0000	1.44
  +++ index.html	24 Sep 2002 22:31:08 -0000	1.45
  @@ -142,27 +142,18 @@
              <table border="0" cellspacing="0" cellpadding="2" width="100%">
    <tr><td bgcolor="#525D76">
     <font color="#ffffff" face="arial,helvetica,sanserif">
  -   <a name="2.0.40"><strong>Apache 2.0.40 Released</strong></a>
  +   <a name="2.0.40"><strong>Apache 2.0.42 Released</strong></a>
     </font>
    </td></tr>
    <tr><td>
     <blockquote>
  -<p>The Apache HTTP Server Project is proud to announce the fourth public
  +<p>The Apache HTTP Server Project is proud to announce the fifth public
   release of Apache 2.0.  Apache 2.0 has been running on the apache.org
   website since December of 2000 and has proven to be very reliable.</p>
  -<p>This version of Apache is principally a security and bug fix release.
  -Of particular note is that 2.0.40 fixes the serious vulnerability noted in
  -<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661">
  -CAN-2002-0661</a> and the pair of path exposures in
  -<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0654">
  -CAN-2002-0654</a> (mitre.org).
  -We would like to thank Auriemma Luigi &lt;bugtest@sitoverde.com&gt; for
  -discovering and reporting the vulnerability and one of the path exposures
  -and Jim Race &lt;jrace@qualys.com&gt; for reporting the other path exposure.</p>
   <p align="center">
  -<a href="http://www.apache.org/dist/httpd/">Download Apache 2.0.40</a> | 
  +<a href="http://www.apache.org/dist/httpd/">Download Apache 2.0.42</a> | 
   <a href="docs-2.0/new_features_2_0.html">New Features in Apache 2.0</a> |
  -<a href="http://www.apache.org/dist/httpd/CHANGES_2.0">ChangeLog for 2.0.40</a>
  +<a href="http://www.apache.org/dist/httpd/CHANGES_2.0">ChangeLog for 2.0.42</a>
   </p>
     </blockquote>
    </td></tr>
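
Review bot: The heading anchor on the changed line is still <a name="2.0.40"> although its text now reads "Apache 2.0.42 Released", so the fragment identifier no longer matches the release it labels; rename it to "2.0.42", or add a second anchor and keep the old one if existing links to #2.0.40 must continue to resolve. The removed security paragraph also gets no replacement: the Announcement text in this same commit mentions a segfault that could have been used as a denial-of-service against mod_dav, and one sentence to that effect in this front-page blurb would tell readers why the upgrade is recommended.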
  
  
  
  1.9       +158 -192  httpd-site/xdocs/Announcement
  
  Index: Announcement
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/Announcement,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- Announcement	9 Aug 2002 20:02:33 -0000	1.8
  +++ Announcement	24 Sep 2002 22:31:09 -0000	1.9
  @@ -1,224 +1,190 @@
  +         Apache 2.0.42 Released
  +--------------------------------------------
   
  -Apache 2.0.40 Released
  ----------------------------------------------
  +The Apache HTTP Server Project is proud to announce the fifth public
  +release of Apache 2.0.  This is primarily a bug-fix release, including
  +updates to the experimental caching module, the removal of several
  +memory leaks, and fixes for several segfaults, one of which could have
  +been used as a denial-of-service against mod_dav.  A complete list of
  +the changes since 2.0.40 is given at the end of this document.
   
  -The Apache HTTP Server Project is proud to announce the fourth public
  -release of Apache 2.0.  Apache 2.0 has been running on the apache.org
  -website since December of 2000 and has proven to be very reliable.
  -
  -This version of Apache is principally a security and bug fix release.
  -A summary of the changes is given at the end of this document.  Of
  -particular note is that 2.0.40 fixes the serious vulnerability noted in
  -CAN-2002-0661 and the pair of path exposures in CAN-2002-0654 (mitre.org).
  -We would like to thank Auriemma Luigi <bu...@sitoverde.com> for
  -discovering and reporting the vulnerability and one of the path exposures
  -and Jim Race <jr...@qualys.com> for reporting the other path exposure.
   
  -Apache 2.0 offers numerous enhancements, improvements and performance
  -boosts over the 1.3 codebase. The most visible and noteworthy addition
  +Apache 2.0 offers numerous enhancements, improvements, and performance
  +boosts over the 1.3 codebase.  The most visible and noteworthy addition
   is the ability to run Apache in a hybrid thread/process mode on any
  -platform that supports both threads and processes.  This has shown to
  -improve the scalability of the Apache HTTP Server significantly in
  +platform that supports both threads and processes.  This has been shown
  +to improve the scalability of the Apache HTTP Server significantly in
   our testing.  Apache 2.0 also includes support for filtered I/O.  This
   allows modules to modify the output of other modules before it is
   sent to the client.  We have also included support for IPv6 on any
   platform that supports IPv6.
   
   This version of Apache is known to work on many versions of Unix, BeOS,
  -OS/2, Windows, and Netware.  Because of many of the advancements in
  -Apache 2.0, the initial release of Apache is expected to perform equally
  -well on all supported platforms.
  -
  -There are new snapshots of the Apache httpd source available every 6
  -hours from http://cvs.apache.org/snapshots/ - please download and test
  -if you feel brave. We don't guarantee anything except that it will
  -take up disk space, but if you have the time and skills, please
  -give it a spin on your platforms.
  +OS/2, Windows, and Netware.  Because of the many advances in Apache
  +2.0, it is expected to perform equally well on all supported platforms.
  +Apache 2.0 has been running on the apache.org website since December
  +of 2000 and has proven to be very reliable.
   
   Apache has been the most popular web server on the Internet since
  -April of 1996. The July 2002 Web Server Survey by Netcraft (see
  +April of 1996. The August 2002 Web Server Survey by Netcraft (see
   http://www.netcraft.com/survey/) found that more web servers were
  -using Apache than any other software; Apache runs on more than 57%
  +using Apache than any other software; Apache runs on more than 63%
   of the web servers on the Internet.
   
  +
  +We consider this release to be the best version of Apache available
  +and encourage users of all prior versions to upgrade.  When doing so,
  +please keep in mind the following:
  +
  +This release is not binary-compatible with previous releases, so all
  +modules need to be recompiled in order to work with this version.  For
  +example, a module compiled to work with 2.0.40 will not work with 2.0.42.
  +
  +If you intend to use Apache with one of the threaded MPMs, you must
  +ensure that the modules (and the libraries they depend on) that you
  +will be using are thread-safe.  Please contact the vendors of
  +these modules to obtain this information.
  +
  +
   For more information and to download the release tarballs, please
   visit http://httpd.apache.org/
   
   
  -Changes since 2.0.39
  +Changes since 2.0.40
   ---------------------------------------------
   
  -  *) SECURITY: [CAN-2002-0661] Close a very significant security hole that
  -     applies only to the Win32, OS2 and Netware platforms.  Unix was not
  -     affected, Cygwin may be affected.  Certain URIs will bypass security
  -     and allow users to invoke or access any file depending on the system
  -     configuration.  Without upgrading, a single .conf change will close
  -     the vulnerability.  Add the following directive in the global server
  -     httpd.conf context before any other Alias or Redirect directives:
  -         RedirectMatch 400 "\\\.\."
  -     Reported by Auriemma Luigi <bu...@sitoverde.com>.
  -     [Brad Nicholes]
  -
  -  *) SECURITY:  Close a path-revealing exposure in multiview type
  -     map negotiation (such as the default error documents) where the
  -     module would report the full path of the typemapped .var file when
  -     multiple documents or no documents could be served based on the mime
  -     negotiation.  Reported by Auriemma Luigi <bu...@sitoverde.com>.
  -     [CAN-2002-0654]  [William Rowe]
  -
  -  *) SECURITY:  Close a path-revealing exposure in cgi/cgid when we
  -     fail to invoke a script.  The modules would report "couldn't create
  -     child process /path-to-script/script.pl" revealing the full path
  -     of the script.  Reported by Jim Race <jr...@qualys.com>.
  -     [CAN-2002-0654]  [Bill Stoddard]
  -
  -  *) Set aside the apr-iconv and apr_xlate() features for the Win32
  -     build of 2.0.40 so development can be completed.  A patch, from
  -     <http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
  -     will be available for those that wish to work with apr-iconv.
  -     [William Rowe]
  -
  -  *) Fix proxy so that it is possible to access ftp: URLs via a proxy
  -     chain. [Peter Van Biesen <pe...@vlafo.be>]
  -
  -  *) mod-deflate now checks to make sure that 'gzip-only-text/html' is
  -     set to 1, so we can exclude things from the general case with
  -     browsermatch. [Ian Holsman, Andre Schild <A....@aarboard.ch>]
  -
  -  *) Accept multiple leading /'s for requests within the DocumentRoot.
  -     PR 10946  [William Rowe, David Shane Holden <dp...@yahoo.com>]
  -
  -  *) Solved the reports of .pdf byterange failures on Win32 alone.
  -     APR's sendfile for the win32 platform collapses header and trailer
  -     buffers into a single buffer.  However, we destroyed the pointers
  -     to the header buffer if a trailer buffer was present.  PR 10781
  -     [William Rowe]
  -
  -  *) mod_ext_filter: Add the ability to enable or disable a filter via
  -     an environment variable.  Add the ability to register a filter of
  -     type other than AP_FTYPE_RESOURCE.  [Jeff Trawick]
  -
  -  *) Restore the ability to specify host names on Listen directives.
  -     PR 11030.  [Jeff Trawick, David Shane Holden <dp...@yahoo.com>]
  -
  -  *) When deciding on the default address family for listening sockets,
  -     make sure we can actually bind to an AF_INET6 socket before
  -     deciding that we should default to AF_INET6.  This fixes a startup
  -     problem on certain levels of OpenUNIX.  PR 10235.  [Jeff Trawick]
  -
  -  *) Replace usage of atol() to parse strings when we might want a
  -     larger-than-long value with apr_atoll(), which returns long long.
  -     This allows HTTPD to deal with larger files correctly.
  -     [Shantonu Sen <ss...@apple.com>]
  -
  -  *) mod_ext_filter: Ignore any content-type parameters when checking if
  -     the response should be filtered.  Previously, "intype=text/html"
  -     wouldn't match something like "text/html;charset=8859_1".
  -     [Jeff Trawick]
  -
  -  *) mod_ext_filter: Set up environment variables for external programs.
  -     [Craig Sebenik <cr...@netapp.com>]
  -
  -  *) Modified the HTTP_IN filter to immediately append the EOS (end of
  -     stream) bucket for C-L POST bodies, saving a roundtrip and allowing
  -     the caller to determine that no content remains without prefetching
  -     additional POST body.  [William Rowe]
  -
  -  *) Get proxy ftp to work over IPv6.  [Shoichi Sakane <sa...@kame.net>]
  -
  -  *) Look for OpenSSL libraries in /usr/lib64.  [Peter Poeml <po...@suse.de>]
  -
  -  *) Update SuSE layout.  [Peter Poeml <po...@suse.de>]
  -
  -  *) Changes to the internationalized error documents:
  -     Comment them out in the default config file to make the default
  -     install as simple as possible; Correct the english 500 error to
  -     be more understandable; Add a Swedish translation.
  -     [Thomas Sjogren <th...@northernsecurity.net>,
  -      Erik Abele <er...@codefaktor.de>, Rich Bowen, Joshua Slive]
  -
  -  *) Increase the limit on file descriptors per process in apachectl.
  -     [Brian Pane]
  -
  -  *) Fix a dependency error when building ApacheMonitor, so that Win32
  -     and MSVC now trust that the project is current (when it is).
  -     [James Cox <im...@php.net>]
  -
  -  *) mod_ext_filter: don't segfault if content-type is not set.  PR 10617.
  -     [Arthur P. Smith <ap...@aps.org>, Jeff Trawick]
  -
  -  *) APR-Util Renames pending have been completed [Thom May]
  -
  -  *) Performance improvements for the code that reads request
  -     headers (ap_rgetline_core() and related functions)  [Brian Pane]
  -
  -  *) Add a new directive: MaxMemFree.  MaxMemFree makes it possible
  -     to configure the maximum amount of memory the allocators will
  -     hold on to for reuse.  Anything over the MaxMemFree threshold
  -     will be free()d.  This directive is useful when uncommon large
  -     peaks occur in memory usage.  It should _not_ be used to mask
  -     defective modules' memory use.  [Sander Striker]
  -
  -  *) Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
  -     scripts would not result in a truncated response.
  -     [Ryan Bloom, Justin Erenkrantz, Cliff Woolley]
  -
  -  *) Add a filter_init parameter to the filter registration functions
  -     so that a filter can execute arbitrary code before the handlers
  -     are invoked.  This resolves a problem where mod_include requests
  -     would incorrectly return a 304.  [Justin Erenkrantz]
  -
  -  *) Fix a long-standing bug in 2.0, CGI scripts were being called
  -     with relative paths instead of absolute paths.  Apache 1.3 used
  -     absolute paths for everything except for SuExec, this brings back
  -     that standard.  [Ryan Bloom]
  +Changes with Apache 2.0.42
  +
  +  *) mod_dav: Check for versioning hooks before using them.
  +     [Greg Stein]
   
  -  *) Fix infinite loop due to two HTTP_IN filters being present for
  -     internally redirected requests.  PR 10146.  [Justin Erenkrantz]
  +Changes with Apache 2.0.41
   
  -  *) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
  +  *) The protocol version (eg: HTTP/1.1) in the request line parsing
  +     is now case insensitive. [Jim Jagielski]
  +
  +  *) Allow AddOutputFilterByType to add multiple filters per directive.
        [Justin Erenkrantz]
   
  -  *) Fix mod_ext_filter to look in the main server for filter definitions
  -     when running in a vhost if the filter definition is not found in
  -     the vhost.  PR 10147  [Jeff Trawick]
  -
  -  *) Support WinNT CGI invocation through ScriptInterpreterSource
  -     'registry' for script interpreter paths and names with non-ascii
  -     characters in the executable filepath.  [William Rowe]
  -
  -  *) Support the -w flag on to keep the Win32 console open on error.
  -     [William Rowe]
  -
  -  *) Normalize the hostname value in the request_rec to all-lowercase
  -     [Perry Harrington <pe...@webcom.com>]
  -
  -  *) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
  -     extended characters (non US-ASCII) in non-utf8 format.  This brings
  -     Win32 back into CGI/1.1 compliance, and leaves charset decoding up
  -     to the cgi application itself.  [William Rowe]
  -
  -  *) Major overhaul of mod_dav, mod_dav_fs and the experimental/cache
  -     modules to bring them up to the current apr/apr-util APIs.
  -     [William Rowe]
  +  *) Remove warnings with Sun's Forte compiler.  [Justin Erenkrantz]
  +
  +  *) Fixed mod_disk_cache's generation of 304s
  +     [Kris Verbeeck <Kr...@ubizen.com>]
  +
  +  *) Add support for using fnmatch patterns in the final path
  +     segment of an Include statement (eg.. include /foo/bar/*.conf).
  +     and remove the noise on stderr during config dir processing.
  +     [Joe Orton <jo...@redhat.com>]
  +
  +  *) mod_cache: cache_storage.c. Add the hostname and any request
  +     args to the key generated for caching. This provides a unique
  +     key for each virtual host and for each request with unique
  +     args. [Paul J. Reder, args code provided by Kris Verbeeck]
  +
  +  *) mod_cache: Do not cache responses to GET requests with query
  +     URLs if the origin server does not explicitly provide an
  +     Expires header on the response (RFC 2616 Section 13.9)
  +     [Kris Verbeeck krisv@be.ubizen.com]
  +
  +  *) Fix memory leak in core_output_filter.  [Justin Erenkrantz]
  +
  +  *) Update OpenSSL detection to work on Darwin.
  +     [Sander Temme <sc...@covalent.net>]
  +
  +  *) Update the xslt and css to give the documentation a more
  +     modern style.
  +     [Andr� Malo <nd...@perlig.de>, Gernot Winkler <gr...@o3media.de>]
  +
  +  *) Fix some bucket memory leaks in the chunking code
  +     [Joe Schaefer <jo...@sunstarsys.com>]
  +
  +  *) Add ModMimeUsePathInfo directive.  [Justin Erenkrantz]
  +
  +  *) mod_cache: added support for caching streamed responses (proxy,
  +     CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]
  +
  +  *) Add image/x-icon to httpd.conf PR 10993.
  +     [Ian Holsman, Peter Bieringer <pb...@bieringer.de>]
  +
  +  *) Fix FileETags none operation.  PR 12207.
  +     [Justin Erenkrantz, Andrew Ho <an...@tellme.com>]
   
  -  *) Fix segfault in mod_mem_cache most frequently observed when
  -     serving the same file to multiple clients on an MP machine.
  +  *) Restored the experimental leader/followers MPM to working
  +     condition and converted its thread synchronization from
  +     mutexes to atomic CAS.  [Brian Pane]
  +
  +  *) Fix Logic on non-html file removal in mod_deflate
  +     [Kris Verbeeck <Kr...@ubizen.com>]
  +
  +  *) Fix "ab -g"'s truncated year: the last digit was cut off.
  +     [Leon Brocard <ac...@astray.com>]
  +
  +  *) mod_rewrite can now sets cookies in err_headers, uses the correct
  +     expiry date, and can now set the path as well
  +     PR 12132,12181,12172.
  +     [Ian Holsman / Rob Cromwell <ap...@robcromwell.com>]
  +
  +  *) The content-length filter no longer tries to buffer up
  +     the entire output of a long-running request before sending
  +     anything to the client.  [Brian Pane]
  +
  +  *) Win32: Lower the default stack size from 1MB to 256K. This will
  +     allow around 8000 threads to be started per child process.
  +     'EDITBIN /STACK:size apache.exe' can be used to change this
  +     value directly in the apache.exe executable.
        [Bill Stoddard]
   
  -  *) mod_rewrite can now set cookies  (RewriteRule (.*) - [CO=name:$1:.domain])
  -     [Brian Degenhardt <bm...@mp3.com>, Ian Holsman]
  +  *) Win32: Implement ThreadLimit directive in the Windows MPM.
  +     [Bill Stoddard]
   
  -  *) Fix perchild to work with apachectl by adding -k support to perchild.
  -     PR 10074  [Jeff Trawick]
  +  *) Remove CacheOn config directive since it is set but never checked.
  +     No sense wasting cycles on unused code. Besides, the only truly
  +     bug free code is deleted code. :)   [Paul J. Reder]
   
  -  *) Fix a silly htpasswd.c logic error that incorrectly reported that
  -     both -c and -n had been used.  PR 9989  [Cliff Woolley]
  +  *) BufferLogs are now run-time enabled, and the log_config now has 2 new
  +     callbacks to allow a 3rd party module to actually do the writing of the
  +     log file [Ian Holsman]
   
  -  *) Fixed a mod_include error case in which no HTTP response was sent
  -     to the client if an shtml document contained an unterminated SSI
  -     directive [Brian Pane]
  +  *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs.
  +     [Andr� Malo, Astrid Ke�ler <ke...@kess-net.de>]
   
  -  *) Improve ap_get_client_block implementation by using APR-util brigade
  -     helper functions and relying on current filter assumptions.
  -     [Justin Erenkrantz]
  +  *) Fix Segfault in mod_cache. [Kris Verbeeck <Kr...@ubizen.com>]
  +
  +  *) Fix a null pointer dereference in the merge_env_dir_configs
  +     function of the mod_env module. PR 11791
  +     [Paul J. Reder]
  +
  +  *) New option to ServerTokens 'maj[or]'. Only show the major version
  +     Also Surfaced this directive in the standard config (default FULL)
  +     [Ian Holsman]
  +
  +  *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite
  +     maps.  The dbm type (e.g., ndbm, gdbm) can be specified on the
  +     RewriteMap directive.  PR 10644  [Jeff Trawick]
  +
  +  *) Fixed mod_rewrite's RewriteMap prg: support so that request/response
  +     pairs will no longer get out of sync with each other.  PR 9534
  +     [Cliff Woolley]
  +
  +  *) Fixes required to get quoted and escaped command args working in
  +     mod_ext_filter. PR 11793 [Paul J. Reder]
  +
  +  *) mod-proxy: handle proxied responses with no status lines
  +     [JD Silvester <js...@uwo.ca>, Brett Huttley <br...@huttley.net>]
  +
  +  *) Fix bug where environment or command line arguments containing
  +     non-ASCII-7 characters would cause the Win32 child process creation
  +     to fail.  PR 11854  [William Rowe]
  +
  +  *) Bug #11213.. make module loading error messages more informative
  +     [Ian Darwin <Ia...@darwinsys.com>]
  +
  +  *) thread safety & proxy-ftp [Alexey Panchenko alexey@liwest.ru, Ian Holsman]
  +
  +  *) mod_disk_cache works much better. This module should still
  +     be considered experimental. [Eric Prud'hommeaux]
  +
  +  *) Performance improvement for keepalive requests: when setting
  +     aside a small file for potential concatenation with the next
  +     response on the connection, set aside the file descriptor rather
  +     than copying the file into the heap.  [Brian Pane]
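Review bot: The 2.0.42 entry "mod_dav: Check for versioning hooks before using them" does not say whether it is the mod_dav segfault that the new introduction describes as usable for denial of service. If it is, say so in the entry, so that administrators who read only the change list can see that the upgrade is security relevant. Smaller wording points in the 2.0.41 list: "mod_rewrite can now sets cookies" should read "can now set cookies"; "(eg.. include /foo/bar/*.conf)." has a doubled period and leaves "and remove the noise on stderr" as a fragment; and the credits "[Kris Verbeeck krisv@be.ubizen.com]" and "[Alexey Panchenko alexey@liwest.ru, Ian Holsman]" give addresses without the angle brackets used in the other entries.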
  
  
  
  1.32      +5 -15     httpd-site/xdocs/index.xml
  
  Index: index.xml
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/index.xml,v
  retrieving revision 1.31
  retrieving revision 1.32
  diff -u -r1.31 -r1.32
  --- index.xml	17 Sep 2002 14:41:30 -0000	1.31
  +++ index.xml	24 Sep 2002 22:31:09 -0000	1.32
  @@ -87,27 +87,17 @@
   </ul>
   </section>
   
  -<section id="2.0.40">
  -<title>Apache 2.0.40 Released</title>
  +<section id="2.0.42">
  +<title>Apache 2.0.42 Released</title>
   
  -<p>The Apache HTTP Server Project is proud to announce the fourth public
  +<p>The Apache HTTP Server Project is proud to announce the fifth public
   release of Apache 2.0.  Apache 2.0 has been running on the apache.org
   website since December of 2000 and has proven to be very reliable.</p>
   
  -<p>This version of Apache is principally a security and bug fix release.
  -Of particular note is that 2.0.40 fixes the serious vulnerability noted in
  -<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661">
  -CAN-2002-0661</a> and the pair of path exposures in
  -<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0654">
  -CAN-2002-0654</a> (mitre.org).
  -We would like to thank Auriemma Luigi &lt;bugtest@sitoverde.com&gt; for
  -discovering and reporting the vulnerability and one of the path exposures
  -and Jim Race &lt;jrace@qualys.com&gt; for reporting the other path exposure.</p>
  -
   <p align="center">
  -<a href="http://www.apache.org/dist/httpd/">Download Apache 2.0.40</a> | 
  +<a href="http://www.apache.org/dist/httpd/">Download Apache 2.0.42</a> | 
   <a href="docs-2.0/new_features_2_0.html">New Features in Apache 2.0</a> |
  -<a href="http://www.apache.org/dist/httpd/CHANGES_2.0">ChangeLog for 2.0.40</a>
  +<a href="http://www.apache.org/dist/httpd/CHANGES_2.0">ChangeLog for 2.0.42</a>
   </p>
   
   </section>
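Review bot: The 2.0.42 section removes the paragraph that described the release and its security fixes but adds nothing in its place, so the index page no longer says what kind of release this is. The Announcement text in this same commit calls it primarily a bug-fix release and mentions a segfault that could have been used as a denial-of-service against mod_dav. Add a short paragraph after the first <p> that carries that sentence over, so that visitors to the front page learn why they should upgrade. The retained sentence "Apache 2.0 has been running on the apache.org website since December of 2000" was dropped from the Announcement in this commit, so consider whether it should still appear here.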