You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by jw...@apache.org on 2002/06/18 06:52:41 UTC
cvs commit: httpd-dist/binaries/win32 HEADER.html README.html
jwoolley 2002/06/17 21:52:41
Modified: . Announcement.html Announcement.txt
Announcement2.html Announcement2.txt HEADER.html
README.html
binaries/win32 HEADER.html README.html
Log:
moving up in the world
--getting ready to release 1.3.25 and 2.0.39
Revision Changes Path
1.8 +59 -64 httpd-dist/Announcement.html
Index: Announcement.html
===================================================================
RCS file: /home/cvs/httpd-dist/Announcement.html,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -d -u -r1.7 -r1.8
--- Announcement.html 22 Mar 2002 18:12:58 -0000 1.7
+++ Announcement.html 18 Jun 2002 04:52:41 -0000 1.8
@@ -15,53 +15,46 @@
<IMG SRC="../../images/apache_sub.gif" ALT="">
-<h1>Apache 1.3.24 Released</h1>
+<h1>Apache 1.3.25 Released</h1>
<p>The Apache Software Foundation and The Apache Server Project are
- pleased to announce the release of version 1.3.24 of the Apache HTTP
- server. This Announcement notes the significant changes in 1.3.24.</p>
+ pleased to announce the release of version 1.3.25 of the Apache HTTP
+ Server. This Announcement notes the significant changes in 1.3.25.</p>
-<p>
- This version of Apache is principally a security and bug fix release.
- A summary of the bug fixes and major new features is given at the end
- of this document. Of particular note is that 1.3.24 addresses and
- fixes the issues noted in
- <A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0061">
- CAN-2002-0061 (mitre.org)</A> regarding escaping
- of command line args on Win32. We would like to thank Ory Segal
- (ORY.SEGAL@SANCTUMINC.COM) for discovering and reporting the
- vulnerability.
- </p>
+<p>This version of Apache is principally a security and bug fix
+ release. A summary of the bug fixes is given at the end of this document.
+ Of particular note is that 1.3.25 addresses and fixes the issues noted
+ in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392">
+ CAN-2002-0392 (mitre.org)</a>
+ [<a href="http://www.cert.org/advisories/CA-2002-17.html">CERT VU#944335</a>]
+ regarding a vulnerability in the handling of chunked transfer encoding.
+ We would like to thank Mark Litchfield of ngssoftware.com for discovering
+ and reporting the vulnerability.</p>
-<p> We consider Apache 1.3.24 to be the best version of Apache available
+<p>We consider Apache 1.3.25 to be the best version of Apache available
and we strongly recommend that users of older versions, especially of
the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
- releases will be made in the 1.2.x family.
-</p>
-<p>
- Apache 1.3.24 is available for download from
+ releases will be made in the 1.2.x family.</p>
+
+<p>Apache 1.3.25 is available for download from</p>
<pre>
- http://httpd.apache.org/dist/httpd/
+
+ http://www.apache.org/dist/httpd/
</pre>
-<p>
- Please see the CHANGES_1.3 file in the same directory for a full list
- of changes.
- </p>
+<p>Please see the CHANGES_1.3 file in the same directory for a full list
+ of changes.</p>
<p> Binary distributions are available from
<pre>
- http://httpd.apache.org/dist/httpd/binaries/
+ http://www.apache.org/dist/httpd/binaries/
</pre>
-</p>
-<p>
- The source and binary distributions are also available via any of the
- mirrors listed at
+<p>The source and binary distributions are also available via any of the
+ mirrors listed at</p>
<pre>
http://www.apache.org/mirrors/
</pre>
-</p>
<p>
As of Apache 1.3.17, Win32 binary distributions are now based on the
@@ -105,63 +98,65 @@
version, but is of acceptable quality. Win32 stability or security
problems do not reflect on the Unix version.
</p>
-<h1>Apache 1.3.24 Major changes</h1>
+<h1>Apache 1.3.25 Major changes</h1>
<h3>Security vulnerabilities</h3>
<p>
- The main security vulnerabilities addressed in 1.3.24 are:
+ The main security vulnerabilities addressed in 1.3.25 are:
</p>
<ul>
- <li>Fix the security vulnerability noted in CAN-2002-0061 (mitre.org)
- regarding the escaping of command line args on Win32.</li>
- <li>Prevent invalid client hostnames from appearing in the log file.</li>
+ <li>Fix the security vulnerability noted in CAN-2002-0392 (mitre.org)
+ regarding the handling of chunked transfer encoding.</li>
</ul>
<h3>New features</h3>
<p>
- The main new features in 1.3.24 (compared to 1.3.23) are:
+ The main new features in 1.3.25 (compared to 1.3.24) are:
</p>
<ul>
-
- <li>Various <samp>mod_proxy</samp> improvements, such as the new
- <samp>ProxyIOBufferSize</samp> directive</li>
-
- <li>The new <samp>IgnoreCase</samp> keyword to the
- <samp>IndexOptions</samp> directive.</li>
+ <li>Add some popular types to the mime types magic file.</li>
</ul>
<p>
New features that relate to specific platforms:
</p>
<ul>
-
- <li>Added the module <samp>mod_log_nw</samp> to handle log rotation
- under NetWare</li>
+ <li>Unix: Added a '-F' flag which causes the supervisor process to
+ no longer fork down and detach and instead stay attached to
+ the tty - thus making live for automatic restart and exit checking
+ code easier.</li>
</ul>
<p>
<h3>Bugs fixed</h3>
<p>
- The following bugs were found in Apache 1.3.23 and have been fixed in
- Apache 1.3.24:
+ The following bugs were found in Apache 1.3.24 and have been fixed in
+ Apache 1.3.25:
</p>
<ul>
+ <li>Allow child processes sufficient time for cleanups but making
+ ap_select in reclaim_child_processes more "resistant" to
+ signal interupts.</li>
- <li>mod_rewrite's <samp>rnd</samp> was broken and has been fixed.</li>
- <li>The <samp>-S</samp> option of <samp>apxs</samp> was not able to
- handle quotes; also <samp>apxs</samp>
- is now rebuilt when options are changed.</li>
- <li>proxy now correctly handles <samp>Cookies</samp> and
- <samp>X-Cache</samp> headers.</li>
-</ul>
-<p>
- The following bugs relate to specific platforms:
-</p>
-<ul>
- <li>Fixed a problem in TPF when we were using the wrong subpool when
- opening the error log.</li>
- <li>pthread <samp>accept()</samp> mutexes on Solaris were broken
- (since we were not linking against pthread)</li>
+ <li>Fix for a problem in mod_rewrite which would lead to 400 Bad Request
+ responses for rewriting rules which resulted in a local path.
+ Note: This will also reject invalid requests as issued by
+ Netscape-4.x Roaming Profiles (on a DAV-enabled server)</li>
+ <li>Recognize platform-specific root directories (other than
+ leading slash) in mod_rewrite for filename rewrite rules.</li>
+
+ <li>Disallow anything but whitespace on the request line after the
+ HTTP/x.y protocol string to prevent arbitrary user input from
+ ending up in the access_log and error_log. Also control characters
+ are now escaped.</li>
+
+ <li>A large number of fixes in mod_proxy including: adding support
+ for dechunking chunked responses, correcting a timeout problem
+ which would force long or slow POST requests to close after 300
+ seconds, adding "X-Forwarded" headers, dealing correctly with the
+ multiple-cookie header bug, ability to handle unexpected
+ 100-continue responses sent during PUT or POST commands, and a
+ change to tighten up the Server header overwrite bugfix.</li>
</ul>
</BODY>
1.7 +48 -35 httpd-dist/Announcement.txt
Index: Announcement.txt
===================================================================
RCS file: /home/cvs/httpd-dist/Announcement.txt,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -u -r1.6 -r1.7
--- Announcement.txt 22 Mar 2002 18:12:58 -0000 1.6
+++ Announcement.txt 18 Jun 2002 04:52:41 -0000 1.7
@@ -1,33 +1,33 @@
- Apache 1.3.24 Released
+ Apache 1.3.25 Released
The Apache Software Foundation and The Apache Server Project are
- pleased to announce the release of version 1.3.24 of the Apache HTTP
- server. This Announcement notes the significant changes in 1.3.24.
+ pleased to announce the release of version 1.3.25 of the Apache HTTP
+ Server. This Announcement notes the significant changes in 1.3.25.
- This version of Apache is principally a security and bug fix release.
- A summary of the bug fixes and major new features is given at the end
- of this document. Of particular note is that 1.3.24 addresses and
- fixes the issues noted in CAN-2002-0061 (mitre.org) regarding escaping
- of command line args on Win32. We would like to thank Ory Segal
- <OR...@SANCTUMINC.COM> for discovering and reporting the
+ This version of Apache is principally a security and bug fix
+ release. A summary of the bug fixes is given at the end of this document.
+ Of particular note is that 1.3.25 addresses and fixes the issues noted
+ in CAN-2002-0392 (mitre.org) [CERT VU#944335] regarding a vulnerability
+ in the handling of chunked transfer encoding. We would like to thank
+ Mark Litchfield of ngssoftware.com for discovering and reporting the
vulnerability.
- We consider Apache 1.3.24 to be the best version of Apache available
+ We consider Apache 1.3.25 to be the best version of Apache available
and we strongly recommend that users of older versions, especially of
the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
releases will be made in the 1.2.x family.
- Apache 1.3.24 is available for download from
+ Apache 1.3.25 is available for download from
- http://httpd.apache.org/dist/httpd/
+ http://www.apache.org/dist/httpd/
Please see the CHANGES_1.3 file in the same directory for a full list
of changes.
Binary distributions are available from
- http://httpd.apache.org/dist/httpd/binaries/
+ http://www.apache.org/dist/httpd/binaries/
The source and binary distributions are also available via any of the
mirrors listed at
@@ -70,40 +70,53 @@
version, but is of acceptable quality. Win32 stability or security
problems do not reflect on the Unix version.
- Apache 1.3.24 Major changes
+ Apache 1.3.25 Major changes
Security vulnerabilities
- * Fix the security vulnerability noted in CAN-2002-0061 (mitre.org)
- regarding the escaping of command line args on Win32.
- * Prevent invalid client hostnames from appearing in the log file.
+ * Fix the security vulnerability noted in CAN-2002-0392 (mitre.org)
+ regarding the handling of chunked transfer encoding.
New features
- The main new features in 1.3.24 (compared to 1.3.23) are:
+ The main new features in 1.3.25 (compared to 1.3.24) are:
- * Various mod_proxy improvements, such as the new ProxyIOBufferSize
- directive.
- * The new ''IgnoreCase' keyword to the IndexOptions directive.
+ * Add some popular types to the mime types magic file.
New features that relate to specific platforms:
- * Added the module mod_log_nw to handle log rotation under NetWare.
+ * Unix: Added a '-F' flag which causes the supervisor process to
+ no longer fork down and detach and instead stay attached to
+ the tty - thus making live for automatic restart and exit checking
+ code easier.
Bugs fixed
- The following bugs were found in Apache 1.3.23 (or earlier) and have
- been fixed in Apache 1.3.24:
+ The following bugs were found in Apache 1.3.24 (or earlier) and have
+ been fixed in Apache 1.3.25:
- * mod_rewrite's 'rnd' was broken and has been fixed.
- * The '-S' option of 'apxs' was not able to handle quotes; also 'apxs'
- is now rebuilt when options are changed.
- * proxy now correctly handles Cookies and X-Cache headers.
+ * Allow child processes sufficient time for cleanups but making
+ ap_select in reclaim_child_processes more "resistant" to
+ signal interupts.
- The following bugs relate to specific platforms:
+ * Fix for a problem in mod_rewrite which would lead to 400 Bad Request
+ responses for rewriting rules which resulted in a local path.
+ Note: This will also reject invalid requests as issued by
+ Netscape-4.x Roaming Profiles (on a DAV-enabled server)
- * Fixed a problem in TPF when we were using the wrong subpool when
- opening the error log.
- * pthread accept() mutexes on Solaris were broken (since we were
- not linking against pthread)
+ * Recognize platform-specific root directories (other than
+ leading slash) in mod_rewrite for filename rewrite rules.
+
+ * Disallow anything but whitespace on the request line after the
+ HTTP/x.y protocol string to prevent arbitrary user input from
+ ending up in the access_log and error_log. Also control characters
+ are now escaped.
+
+ * A large number of fixes in mod_proxy including: adding support
+ for dechunking chunked responses, correcting a timeout problem
+ which would force long or slow POST requests to close after 300
+ seconds, adding "X-Forwarded" headers, dealing correctly with the
+ multiple-cookie header bug, ability to handle unexpected
+ 100-continue responses sent during PUT or POST commands, and a
+ change to tighten up the Server header overwrite bugfix.
1.20 +274 -167 httpd-dist/Announcement2.html
Index: Announcement2.html
===================================================================
RCS file: /home/cvs/httpd-dist/Announcement2.html,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -d -u -r1.19 -r1.20
--- Announcement2.html 6 May 2002 21:14:47 -0000 1.19
+++ Announcement2.html 18 Jun 2002 04:52:41 -0000 1.20
@@ -14,12 +14,22 @@
>
<IMG SRC="../../images/apache_sub.gif" ALT="">
-<H2 ALIGN="CENTER">Apache 2.0.36 Released</H2>
+<H2 ALIGN="CENTER">Apache 2.0.39 Released</H2>
-<p>The Apache HTTP Server Project is proud to announce the second public
+<p>The Apache HTTP Server Project is proud to announce the third public
release of Apache 2.0. Apache 2.0 has been running on the Apache.org website
since December of 2000 and has proven to be very reliable.</p>
+<p>This version of Apache is principally a security and bug fix
+release. A summary of the bug fixes is given at the end of this document.
+Of particular note is that 2.0.39 addresses and fixes the issues noted
+in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392">
+CAN-2002-0392 (mitre.org)</a>
+[<a href="http://www.cert.org/advisories/CA-2002-17.html">CERT VU#944335</a>]
+regarding a vulnerability in the handling of chunked transfer encoding.
+We would like to thank Mark Litchfield of ngssoftware.com for discovering
+and reporting the vulnerability.</p>
+
<p>Apache 2.0 offers numerous enhancements, improvements and performance
boosts over the 1.3 codebase. The most visible and noteworthy addition
is the ability to run Apache in a hybrid thread/process mode on any
@@ -51,220 +61,317 @@
visit http://httpd.apache.org/</p>
-<h3>Changes since 2.0.35</h3>
+<h3>Changes since 2.0.36</h3>
<pre>
+Changes with Apache 2.0.39
- *) Close sockets on worker MPM when doing a graceless restart.
- [Aaron Bannert]
+ *) Fixed a build problem in htpasswd.c on Win32.
+ [Guenter Knauf <ef...@gmx.net>, Cliff Woolley]
- *) Reverted a minor optimization in mod_ssl.c that used the vhost ID
- as the session id context rather that a MD5 hash of that vhost ID,
- because it caused very long vhost id's to be unusable with mod_ssl.
- PR 8572. [Cliff Woolley]
+Changes with Apache 2.0.38
- *) Fix the link to the description of the CoredumpDirectory
- directive in the server-wide document. PR 8643. [Jeff Trawick]
+ *) Rewrite htpasswd to use APR. The removes the annoying warning about
+ tmpnam being unsafe. [Ryan Bloom]
- *) Fixed SHMCB session caching. [Aaron Bannert, Cliff Woolley]
+ *) We must set the MIME-type for .shtml files to text/html if we want them
+ to be parsed for SSI tags. Add the config for that to the default
+ config file so that it is easier to enable .shtml parsing.
+ [Dave Dyer <dd...@real-me.net>]
- *) Synced with remaining changes from mod_ssl 2.8.8-1.3.24:
- - Avoid SIGBUS on sparc machines with SHMCB session caches
- - Allow whitespace between the pipe and the name of the
- program in SSLLog "| /path/to/program". [Cliff Woolley]
+ *) Fixed a problem with 'make install' on ReliantUnix.
+ [Jean-frederic Clere <jf...@fujitsu-siemens.com>]
- *) Introduce mod_ext_filter and mod_deflate experimental modules
- to the Win32 build (zlib sources must be in srclib\zlib.)
- [William Rowe]
+ *) Make the default_handler catch all requests that aren't served by
+ another handler. This also gets us to return a 404 if a directory
+ is requested, there is no DirectoryIndex, and mod_autoindex isn't
+ loaded. [Justin Erenkrantz]
- *) Changes to the worker MPM's queue management and thread
- synchronization code to reduce mutex contention [Brian Pane]
+ *) Fixed the handling of nested if-statements in shtml files.
+ PR 9866 [Brian Pane]
- *) Don't install *.in configuration files since we already install
- *-std.conf files. [Aaron Bannert]
+ *) Allow 'make install DESTDIR=/path'. This allows packagers to install
+ into a directory different from the one that was configured. This
+ also mirrors the root= feature from 1.3. We cannot use prefix=,
+ because both APR and APR-util resolve their installation paths at
+ configuration time. This means that there is no variable prefix
+ to replace. [Andreas Hasenack <an...@netbank.com.br>]
- *) Many improvements to the threadpool MPM. [Aaron Bannert]
+ *) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.
+ These levels of AIX don't have a thundering herd problem with
+ accept(). [Jeff Trawick]
- *) Fix subreqs that are promoted via fast_redirect from having invalid
- frec->r structures. This would cause subtle errors later on in
- request processing such as seen in PR 7966. [Justin Erenkrantz]
+ *) prefork MPM: Ignore mutex errors during graceful restart. For
+ certain types of mutexes (particularly SysV semaphores), we
+ should expect to occasionally fail to obtain or release the
+ mutex during restart processing. [Jeff Trawick]
- *) More efficient pool recycling logic for the worker MPM [Brian Pane]
+ *) Fix install-bindist.sh so that it finds any perl instead of just
+ early perl 5.x versions. This is consistent with a build/install
+ from source, and it allows the perl scripts installed by a bindist
+ to work on systems with perl 5.6. [Jeff Trawick]
- *) Modify the worker MPM to not accept() new connections until
- there is an available worker thread. This prevents queued
- connections from starving for processing time while long-running
- connections were hogging all the available threads. [Aaron Bannert]
+ *) Fix apxs so that the makefile created by "apxs -g" works on AIX and
+ Tru64 (and probably some other platforms). [Jeff Trawick]
- *) Convert the worker MPM's fdqueue from a LIFO back into a FIFO.
- [Aaron Bannert]
+ *) Allow CGI scripts to return their Content-Length. This also fixes a
+ hang on HEAD requests seen on certain platforms (such as FreeBSD).
+ [Justin Erenkrantz]
- *) Get basic HTTP proxy working on EBCDIC machines. [Jeff Trawick]
+ *) Added log rotation based on file size to the RotateLog support
+ utility. [Brad Nicholes]
- *) Allow mod_unique_id to work on systems with no IPv4 address
- corresponding to their host name. [Jeff Trawick]
+ *) Fix some casting in mod_rewrite which broke random maps.
+ PR 9770 [Allan Edwards, Greg Ames, Jeff Trawick]
- *) Fix suexec behavior with user directories. PR 7810.
- [Colm <co...@redbrick.dcu.ie>]
+Changes with Apache 2.0.37
- *) Reject a blank UserDir directive since it is ambiguous. PR 8472.
+ *) allow POST method over SSL when per-directory client cert
+ authentication is used with 'SSLOptions +OptRenegotiate' enabled
+ and a client cert was found in the ssl session cache.
+
+ *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
+ session cache when there is no cert chain in the cache. prior to
+ the fix this situation would result in a FORBIDDEN response and
+ error message "Cannot find peer certificate chain"
+ [Doug MacEachern]
+
+ *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
+ one was already sent. PR 9644 [Jeff Trawick]
+
+ *) Fix the display of the default name for the mime types config
+ file. PR 9729 [Matthew Brecknell <mb...@orchestream.com>]
+
+ *) Fix the working directory *for WinNT/2K/XP services only* to
+ change to the Apache directory (one level above the location
+ of Apache.exe, in the case that Apache.exe resides in bin/.)
+ Solves the case of ServerRoot /foo paths where /foo was not
+ on the same drive as /winnt/system32. [William Rowe]
+
+ *) Make 2.0's "AcceptMutex" startup message now "completely"
+ match how 1.3 does it. [Jim Jagielski]
+
+ *) Implement a fixed size memory cache using a priority queue
+ [Ian Holsman]
+
+ *) Fix apxs to allow "apxs -q installbuilddir" and to allow
+ querying certain other variables from config_vars.mk. PR 9316
+ [Jeff Trawick]
+
+ *) Added the "detached" attribute to the cgi_exec_info_t internals
+ so that Win32 and Netware won't create a new window or console
+ for each CGI invoked. PR 8387
+ [Brad Nicholes, William Rowe]
+
+ *) Consolidated the command line parameters and attributes that are
+ manipulated by the optional function ap_cgi_build_command() in
+ mod_cgi into a single structure.
+ [Brad Nicholes]
+
+ *) Get rid of uninitialized value errors with "apxs -q" on certain
+ variables. [Stas Bekman <st...@stason.org>]
+
+ *) Fix apxs to allow it to work when the build directory is somewhere
+ besides server-root/build. PR 8453
+ [Jeff Trawick and a host of others]
+
+ *) Allow ap_discard_request_body to be called multiple times in the
+ same request. Essentially, ap_http_filter keeps track of whether
+ it has sent an EOS bucket up the stack, if so, it will only ever
+ send an EOS bucket for this request.
+ [Ryan Bloom, Justin Erenkrantz, Greg Stein]
+
+ *) Remove all special mod_ssl URIs. This also fixes the bug where
+ redirecting (.*) will allow an SSL protected page to be viewed
+ without SSL. [Ryan Bloom]
+
+ *) Fix the binary build install script so that the build logic
+ created by "apxs -g" will work when the user has a binary
+ build. [Jeff Trawick]
+
+ *) Allow instdso.sh to work with full paths to the shared module.
[Justin Erenkrantz]
- *) Make mod_mime use case-insensitive matching when examining
- extensions on all platforms. PR 8223. [Justin Erenkrantz]
+ *) NetWare: Enabled CGI functionality and added mod_cgi as a built
+ in module for NetWare [Brad Nicholes]
- *) Add an intelligent error message should no proxy submodules be
- valid to handle a request. PR 8407 [Graham Leggett]
+ *) Changed cgi and piped log behavior to accept 65536 characters
+ on Win32 (matching Linux) before deadlocking between outputing
+ client stdin, slurping the output from stdout and then the stderr
+ stream. PR 8179 [William Rowe]
- *) Major improvements in concurrent processing for AB by enabling
- non-blocking connect()s and preventing APR from doing blocking
- read()s. Also implement fatal error checking for apr_recv().
- [Aaron Bannert]
+ *) Fixed Win32 wintty.exe support to assure the window title is valid.
+ Elimiates possible gpfault or garbage title without the -t option.
+ [William Rowe]
- *) Fix Win32 NTFS Junctions (symlinks). PR 8014 [William Rowe]
+ *) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use
+ brigades and input filters. [Justin Erenkrantz]
- *) Fix Win32 'short name' aliases in httpd.conf directives.
- PR 8009 [William Rowe]
+ *) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request
+ body. [Justin Erenkrantz]
+
+ *) NetWare: Piping log entries through RotateLogs using the
+ CustomLogs directive is finally supported now that we have
+ the pipes and spawning functionality working.
+ [Brad Nicholes]
- *) Fix generation of default httpd.conf when the layout paths are
- disjoint. PR 7979, 8227. [Justin Erenkrantz]
+ *) Detect overflow when reading the hex bytes forming a chunk line.
+ [Aaron Bannert]
- *) Swap downgrade-1.0 and force-response-1.0 conditional checks so
- that downgraded responses can have force-response. PR 8357.
+ *) Allow RewriteMap prg:'s to take command-line arguments. PR 8464.
+ [James Tait <JT...@wyrddreams.demon.co.uk>]
+
+ *) Correctly return 413 when an invalid chunk size is given on
+ input. Also modify ap_discard_request_body to not do anything
+ on sub-requests or when the connection will be dropped.
[Justin Erenkrantz]
- *) Fix perchild MPM so that it can be configured with the move to the
- experimental directory. [Scott Lamb <sl...@slamb.org>]
+ *) Fix the TIME_* SSL var lookups to be threadsafe. PR 9469.
+ [Cliff Woolley]
- *) Fix perchild MPM so that it uses ap_gname2id for groups instead of
- ap_uname2id. [Scott Lamb <sl...@slamb.org>]
+ *) Ensure that apr_brigade_write() flushes in all of the cases that
+ it should to avoid conditions in some modules that could cause
+ large amounts of data to be buffered. [Cliff Woolley]
- *) Fix AcceptPathInfo. PR 8234 [Cliff Woolley]
+ *) Fix problem where mod_cache/mod_disk_cache was incorrectly
+ stripping the content_type from cached responses.
+ [Bill Stoddard]
- *) [Security] Added the APLOG_TOCLIENT flag to ap_log_rerror() to
- explicitly tell the server that warning messages should be sent
- to the client in addition to being recorded in the error log.
- Prior to this change, ap_log_rerror() always sent warning
- messages to the client. In one case, a faulty CGI script caused
- the server to send a warning message to the client that contained
- the full path to the CGI script. This could be considered a
- minor security exposure. [Bill Stoddard]
+ *) apachectl passes through any httpd options. Note: apachectl
+ should be used in preference to httpd since it ensures that any
+ appropriate environment variables have been set up.
+ [Jeff Trawick]
- *) mod_autoindex output when SuppressRules was specified would
- omit the first carriage return so the first item in the list
- would appear to the right of the column headings instead of
- underneath them. PR 8016 [David Shane Holden <dp...@yahoo.com>]
+ *) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.
+ PR 7810 [Colm MacCarthaigh <co...@redbrick.dcu.ie>]
- *) Moved the call to apr_mmap_dup outside the error branch so
- that it would actually get called. This fixes a core dump
- at init everytime you use the MMapFile directive. PR 8314
- [Paul J. Reder]
+ *) Fix suexec execution of CGI scripts from mod_include.
+ PR 7791, 8291 [Colm MacCarthaigh <co...@redbrick.dcu.ie>]
- *) Trigger an error when a LoadModule directive attempts to
- load a module which is built-in. This is a common error when
- switching from a DSO build to a static build. [Jeff Trawick]
+ *) Fix segfaults at startup on some platforms when mod_auth_digest,
+ mod_suexec, or mod_ssl were used as DSO's due to the way they
+ were tracking the current init phase since DSO's get completely
+ unloaded and reloaded between phases. PR 9413.
+ [Tsuyoshi Sasamoto <na...@super.win.ne.jp>, Brad Nicholes]
- *) Change instdso.sh to use libtool --install everywhere and then
- clean up some stray files and symlinks that libtool leaves around
- on some platforms. This gets subversion building properly since
- it needed a re-link to be performed by libtool at install time,
- and the old instdso.sh logic to simply cp the DSO didn't handle
- that requirement. [Sander Striker]
+ *) Fix mod_include's handling of regular expressions in
+ "<!--#if" directives [Julius Gawlas <ju...@hp.com>]
- *) Allow VPATH builds to succeed when configured from an empty
- directory. [Thom May <th...@planetarytramp.net>]
+ *) Fix the worker MPM deadlock problem [Brian Pane]
- *) Fix 'control reaches end of non-void function' warning in
- server/log.c. [Ben Collins-Sussman <su...@collab.net>]
+ *) Modify the module documentation to allow for translations.
+ [Yoshiki Hayashi, Joshua Slive]
- *) Perchild MPM is now correctly deemed as experimental and is now
- located in server/mpm/experimental. [Justin Erenkrantz]
+ *) Fix a file permissions problem which prevented mod_disk_cache
+ from working on Unix. [Jeff Trawick]
- *) Fix segfault in mod_mem_cache when garbage collecting an expired
- cache entry. [Bill Stoddard]
+ *) Add "-k start|restart|graceful|stop" support to httpd for the Unix
+ MPMs. These have semantics very similar to the old apachectl
+ commands of the same name. [Justin Erenkrantz, Jeff Trawick]
- *) Introduced -E startup_logfile_name option to httpd to allow admins
- to begin logging errors immediately. This provides Win32 users
- an alternative to sending startup errors to the event viewer, and
- allows other daemon tool authors an alternative to logging to stderr.
- [William Rowe]
-
- *) Fix subreqs with non-defined Content-Types being served improperly.
- [Justin Erenkrantz]
+ *) Make sure that the runtime dir is created by make install.
+ PR 9233. [Jeff Trawick]
- *) Merge in latest GNU config.guess and config.sub files. PR 7818.
- [Justin Erenkrantz]
+ *) Fix an unusual set of ./configure arguments that could cause
+ mod_http to be built as a DSO, which it currently doesn't
+ support. PR 9244.
+ [Cliff Woolley, Robin Johnson <ro...@orbis-terrarum.net>]
- *) Move 100 - Continue support to the HTTP_IN filter so that filters
- are guaranteed to support 100 - Continue logic without any
- intervention. [Justin Erenkrantz]
+ *) Win32: Fix bug in apr_sendfile() that caused incorrect operation
+ of the %X, %b and %B logformat options. PR 8253, 8996.
+ [Bill Stoddard]
- *) Add HTTP chunked input trailer support. [Justin Erenkrantz]
+ *) If content-encoding is already present, do not run deflate (PR 9222)
+ [Kazuhisa ASADA <ka...@asada.sytes.net>]
- *) Rename and export get_mime_headers as ap_get_mime_headers.
- [Justin Erenkrantz]
+ *) The APLOG_NOERRNO flag to ap_log_[r]error() is now deprecated.
+ It is currently ignored and it will be removed in a future release
+ of Apache. [Jeff Trawick]
- *) Allow empty Host: header arguments. PR 7441. [Justin Erenkrantz]
+ *) Removed documentation references to the no-longer-supported
+ "make certificate" feature of mod_ssl for Apache 1.3.x. Test
+ certificates, if truly desired, can be generated using openssl
+ commands. PR 8724. [Cliff Woolley]
- *) Properly substitute sbindir as httpd's location in apachectl. PR 7840.
- [Andreas Hasenack <an...@netbank.com.br>]
+ *) Remove SSLLog and SSLLogLevel directives in favor of having
+ mod_ssl use the standard ErrorLog directives. [Justin Erenkrantz]
- *) Allow Win32 shebang scripts to follow the path (or omit the .exe
- suffix from the shebang command), and allow ScriptInterpreterSource
- Registry or RegistryStrict to override shebang lines, as 1.3 did.
- PR 8004 [William Rowe]
+ *) OS/390: LIBPATH no longer has to be manually uncommented in
+ envvars to get apachectl to set up httpd properly. [Jeff Trawick]
- *) worker MPM: Fix a situation where a child exited without releasing
- the accept mutex. Depending on the OS and mutex mechanism this
- could result in a hang. [Jeff Trawick]
+ *) mod_isapi: All mod_isapi directives, excluding ISAPICacheFile,
+ may now be specified to the <File/Directory > container, rather
+ than by vhost. [William Rowe]
- *) Update the instructions for how to get started with mod_example.
- [Stas Bekman]
+ *) mod_isapi: Experimental support for faux async support for ISAPI
+ modules. [William Rowe]
+
+ *) mod_isapi: Major refactoring of the code to rely on apr internals
+ rather than MS APIs (using our own mod_isapi.h headers for ISAPI
+ symbol definitions.) [William Rowe]
+
+ *) mod_isapi: Fixed the return string length from GetServerVariable
+ callback, it was not including the trailing null in the consumed
+ buffer size. This was particularly bad for Delphi 6.0 users.
+ PR 8934 [Sebastian Hantsch <se...@gmx.de>]
+
+ *) Fixed Win32 builds for Microsoft VisualStudio 7.0 (.net).
+ [William Rowe]
+
+ *) Make apxs look in the correct directory for envvars. It was
+ broken when sbindir != bindir. PR 8869
+ [Andreas Sundstr�m <su...@zappa.cx>]
- *) Fix PidFile to default to rel_runtimedir instead of
- rel_logfiledir. PR 7841. [Andreas Hasenack <an...@netbank.com.br>]
+ *) Fix mod_deflate corruption when using multiple buckets. PR 9014.
+ [Asada Kazuhisa <ka...@asada.sytes.net>]
- *) Win32: Fix problem that caused rapid performance degradation
- when number of connecting clients exceeded ThreadsPerChild.
- [Bill Stoddard]
+ *) Performance enhancements for access logger when using
+ default timestamp formatting [Brian Pane]
- *) Fixed a segfault parsing large SSIs on non-mmap systems.
- [Brian Havard]
+ *) Added EnableMMAP config directive to enable the server
+ administrator to disable memory-mapping of delivered files
+ on a per-directory basis. [Brian Pane]
- *) Proxy was bombing out every second keepalive request, caused by a
- stray CRLF before the second response's status line. Proxy now
- tries to read one more line if it encounters a CRLF where it
- expected a status. PR 10010 [Graham Leggett]
+ *) Performance enhancements for mod_setenvif [Brian Pane]
- *) Deprecated the apr_lock.h API. Please see the following files
- for the improved thread and process locking and signaling:
- apr_proc_mutex.h, apr_thread_mutex.h, apr_thread_rwlock.h,
- apr_thread_cond.h, and apr_global_mutex.h. [Aaron Bannert]
+ *) Fix a mod_ssl build problem on OS/390. [Jeff Trawick]
- *) Change mod_status to use scoreboard accessor functions so it can
- be used in any MPM without having to be recompiled.
- [Ryan Morgan <rm...@covalent.net>]
+ *) Fixed If-Modified-Since on Win32, which would give false positives
+ because of the sub-second resolution of file timestamps on that
+ platform. [Cliff Woolley]
- *) Fix parsing of some AP_DECLARE_DATA declarations so that the filter
- handle declarations are recognized. This fixes problems loading
- mod_autoindex on some platforms. [Brian Havard]
+ *) Reverse the hook ordering for mod_userdir and mod_alias so
+ that Alias/ScriptAlias will override Userdir. PR 8841
+ [Joshua Slive]
- *) add optional fixup hook to proxy [Daniel Lopez <da...@covalent.net>]
+ *) Move mod_deflate out of experimental and into filters.
+ [Justin Erenkrantz]
- *) Remind the admin about the User and Group directives when we are
- unable to set permissions on a semaphore. PR 7812 [Jeff Trawick]
+ *) Get proxy CONNECT basically working. [Jeff Trawick]
- *) fix possible compilation problem in ssl_engine_kernel.c. PR 7802
- [Doug MacEachern]
+ *) Fix mod_rewrite hang when APR uses SysV Semaphores and
+ RewriteLogLevel is set to anything other than 0. PR: 8143
+ [Aaron Bannert, Cliff Woolley]
- *) fix possible infinite loop in mod_ssl triggered by certain
- netscape clients [Doug MacEachern]
+ *) Fix byterange requests from returning 416 when using dynamic data
+ (such as filters like mod_include). [Justin Erenkrantz]
- *) fix ProxyPass when frontend is https and backend is http
- [Doug MacEachern]
+ *) Allow mod_rewrite's set of "int:" internal RewriteMap functions
+ to be extended by third-party modules via an optional function.
+ [Tahiry Ramanamampanoharana <no...@hotmail.com>, Cliff Woolley]
- *) Add DASL support to mod_dav
- [Sung Kim <hu...@cse.ucsc.edu>]
+ *) Fix mod_include expression parser's handling of unquoted strings
+ followed immediately by a closing paren. PR 8462. [Brian Pane]
+
+ *) Remove autom4te.cache in 'make distclean'.
+ [Thom May <th...@planetarytramp.net>]
+
+ *) Fix generated httpd.conf to respect layout for LoadModule lines.
+ PR 8170. [Thom May <th...@planetarytramp.net>]
+
+ *) Win32: During a graceful restart, threads in the new process
+ were accessing scoreboard slots still in use by active threads in
+ the the old process. [Bill Stoddard]
</pre>
1.18 +275 -167 httpd-dist/Announcement2.txt
Index: Announcement2.txt
===================================================================
RCS file: /home/cvs/httpd-dist/Announcement2.txt,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -d -u -r1.17 -r1.18
--- Announcement2.txt 6 May 2002 21:14:48 -0000 1.17
+++ Announcement2.txt 18 Jun 2002 04:52:41 -0000 1.18
@@ -1,11 +1,19 @@
-Apache 2.0.36 Released
+Apache 2.0.39 Released
---------------------------------------------
-The Apache HTTP Server Project is proud to announce the second public
+The Apache HTTP Server Project is proud to announce the third public
release of Apache 2.0. Apache 2.0 has been running on the Apache.org
website since December of 2000 and has proven to be very reliable.
+This version of Apache is principally a security and bug fix
+release. A summary of the bug fixes is given at the end of this document.
+Of particular note is that 2.0.39 addresses and fixes the issues noted
+in CAN-2002-0392 (mitre.org) [CERT VU#944335] regarding a vulnerability
+in the handling of chunked transfer encoding. We would like to thank
+Mark Litchfield of ngssoftware.com for discovering and reporting the
+vulnerability.
+
Apache 2.0 offers numerous enhancements, improvements and performance
boosts over the 1.3 codebase. The most visible and noteworthy addition
is the ability to run Apache in a hybrid thread/process mode on any
@@ -36,216 +44,316 @@
For more information and to download the release tarballs, please
visit http://httpd.apache.org/
-
-Changes with Apache 2.0.36
- *) Close sockets on worker MPM when doing a graceless restart.
- [Aaron Bannert]
+Changes since 2.0.36
+---------------------------------------------
- *) Reverted a minor optimization in mod_ssl.c that used the vhost ID
- as the session id context rather that a MD5 hash of that vhost ID,
- because it caused very long vhost id's to be unusable with mod_ssl.
- PR 8572. [Cliff Woolley]
+Changes with Apache 2.0.39
- *) Fix the link to the description of the CoredumpDirectory
- directive in the server-wide document. PR 8643. [Jeff Trawick]
+ *) Fixed a build problem in htpasswd.c on Win32.
+ [Guenter Knauf <ef...@gmx.net>, Cliff Woolley]
- *) Fixed SHMCB session caching. [Aaron Bannert, Cliff Woolley]
+Changes with Apache 2.0.38
- *) Synced with remaining changes from mod_ssl 2.8.8-1.3.24:
- - Avoid SIGBUS on sparc machines with SHMCB session caches
- - Allow whitespace between the pipe and the name of the
- program in SSLLog "| /path/to/program". [Cliff Woolley]
+ *) Rewrite htpasswd to use APR. The removes the annoying warning about
+ tmpnam being unsafe. [Ryan Bloom]
- *) Introduce mod_ext_filter and mod_deflate experimental modules
- to the Win32 build (zlib sources must be in srclib\zlib.)
- [William Rowe]
+ *) We must set the MIME-type for .shtml files to text/html if we want them
+ to be parsed for SSI tags. Add the config for that to the default
+ config file so that it is easier to enable .shtml parsing.
+ [Dave Dyer <dd...@real-me.net>]
- *) Changes to the worker MPM's queue management and thread
- synchronization code to reduce mutex contention [Brian Pane]
+ *) Fixed a problem with 'make install' on ReliantUnix.
+ [Jean-frederic Clere <jf...@fujitsu-siemens.com>]
- *) Don't install *.in configuration files since we already install
- *-std.conf files. [Aaron Bannert]
+ *) Make the default_handler catch all requests that aren't served by
+ another handler. This also gets us to return a 404 if a directory
+ is requested, there is no DirectoryIndex, and mod_autoindex isn't
+ loaded. [Justin Erenkrantz]
- *) Many improvements to the threadpool MPM. [Aaron Bannert]
+ *) Fixed the handling of nested if-statements in shtml files.
+ PR 9866 [Brian Pane]
- *) Fix subreqs that are promoted via fast_redirect from having invalid
- frec->r structures. This would cause subtle errors later on in
- request processing such as seen in PR 7966. [Justin Erenkrantz]
+ *) Allow 'make install DESTDIR=/path'. This allows packagers to install
+ into a directory different from the one that was configured. This
+ also mirrors the root= feature from 1.3. We cannot use prefix=,
+ because both APR and APR-util resolve their installation paths at
+ configuration time. This means that there is no variable prefix
+ to replace. [Andreas Hasenack <an...@netbank.com.br>]
- *) More efficient pool recycling logic for the worker MPM [Brian Pane]
+ *) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.
+ These levels of AIX don't have a thundering herd problem with
+ accept(). [Jeff Trawick]
- *) Modify the worker MPM to not accept() new connections until
- there is an available worker thread. This prevents queued
- connections from starving for processing time while long-running
- connections were hogging all the available threads. [Aaron Bannert]
+ *) prefork MPM: Ignore mutex errors during graceful restart. For
+ certain types of mutexes (particularly SysV semaphores), we
+ should expect to occasionally fail to obtain or release the
+ mutex during restart processing. [Jeff Trawick]
- *) Convert the worker MPM's fdqueue from a LIFO back into a FIFO.
- [Aaron Bannert]
+ *) Fix install-bindist.sh so that it finds any perl instead of just
+ early perl 5.x versions. This is consistent with a build/install
+ from source, and it allows the perl scripts installed by a bindist
+ to work on systems with perl 5.6. [Jeff Trawick]
- *) Get basic HTTP proxy working on EBCDIC machines. [Jeff Trawick]
+ *) Fix apxs so that the makefile created by "apxs -g" works on AIX and
+ Tru64 (and probably some other platforms). [Jeff Trawick]
- *) Allow mod_unique_id to work on systems with no IPv4 address
- corresponding to their host name. [Jeff Trawick]
+ *) Allow CGI scripts to return their Content-Length. This also fixes a
+ hang on HEAD requests seen on certain platforms (such as FreeBSD).
+ [Justin Erenkrantz]
- *) Fix suexec behavior with user directories. PR 7810.
- [Colm <co...@redbrick.dcu.ie>]
+ *) Added log rotation based on file size to the RotateLog support
+ utility. [Brad Nicholes]
- *) Reject a blank UserDir directive since it is ambiguous. PR 8472.
+ *) Fix some casting in mod_rewrite which broke random maps.
+ PR 9770 [Allan Edwards, Greg Ames, Jeff Trawick]
+
+Changes with Apache 2.0.37
+
+ *) allow POST method over SSL when per-directory client cert
+ authentication is used with 'SSLOptions +OptRenegotiate' enabled
+ and a client cert was found in the ssl session cache.
+
+ *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
+ session cache when there is no cert chain in the cache. prior to
+ the fix this situation would result in a FORBIDDEN response and
+ error message "Cannot find peer certificate chain"
+ [Doug MacEachern]
+
+ *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
+ one was already sent. PR 9644 [Jeff Trawick]
+
+ *) Fix the display of the default name for the mime types config
+ file. PR 9729 [Matthew Brecknell <mb...@orchestream.com>]
+
+ *) Fix the working directory *for WinNT/2K/XP services only* to
+ change to the Apache directory (one level above the location
+ of Apache.exe, in the case that Apache.exe resides in bin/.)
+ Solves the case of ServerRoot /foo paths where /foo was not
+ on the same drive as /winnt/system32. [William Rowe]
+
+ *) Make 2.0's "AcceptMutex" startup message now "completely"
+ match how 1.3 does it. [Jim Jagielski]
+
+ *) Implement a fixed size memory cache using a priority queue
+ [Ian Holsman]
+
+ *) Fix apxs to allow "apxs -q installbuilddir" and to allow
+ querying certain other variables from config_vars.mk. PR 9316
+ [Jeff Trawick]
+
+ *) Added the "detached" attribute to the cgi_exec_info_t internals
+ so that Win32 and Netware won't create a new window or console
+ for each CGI invoked. PR 8387
+ [Brad Nicholes, William Rowe]
+
+ *) Consolidated the command line parameters and attributes that are
+ manipulated by the optional function ap_cgi_build_command() in
+ mod_cgi into a single structure.
+ [Brad Nicholes]
+
+ *) Get rid of uninitialized value errors with "apxs -q" on certain
+ variables. [Stas Bekman <st...@stason.org>]
+
+ *) Fix apxs to allow it to work when the build directory is somewhere
+ besides server-root/build. PR 8453
+ [Jeff Trawick and a host of others]
+
+ *) Allow ap_discard_request_body to be called multiple times in the
+ same request. Essentially, ap_http_filter keeps track of whether
+ it has sent an EOS bucket up the stack, if so, it will only ever
+ send an EOS bucket for this request.
+ [Ryan Bloom, Justin Erenkrantz, Greg Stein]
+
+ *) Remove all special mod_ssl URIs. This also fixes the bug where
+ redirecting (.*) will allow an SSL protected page to be viewed
+ without SSL. [Ryan Bloom]
+
+ *) Fix the binary build install script so that the build logic
+ created by "apxs -g" will work when the user has a binary
+ build. [Jeff Trawick]
+
+ *) Allow instdso.sh to work with full paths to the shared module.
[Justin Erenkrantz]
- *) Make mod_mime use case-insensitive matching when examining
- extensions on all platforms. PR 8223. [Justin Erenkrantz]
+ *) NetWare: Enabled CGI functionality and added mod_cgi as a built
+ in module for NetWare [Brad Nicholes]
- *) Add an intelligent error message should no proxy submodules be
- valid to handle a request. PR 8407 [Graham Leggett]
+ *) Changed cgi and piped log behavior to accept 65536 characters
+ on Win32 (matching Linux) before deadlocking between outputing
+ client stdin, slurping the output from stdout and then the stderr
+ stream. PR 8179 [William Rowe]
- *) Major improvements in concurrent processing for AB by enabling
- non-blocking connect()s and preventing APR from doing blocking
- read()s. Also implement fatal error checking for apr_recv().
- [Aaron Bannert]
+ *) Fixed Win32 wintty.exe support to assure the window title is valid.
+ Elimiates possible gpfault or garbage title without the -t option.
+ [William Rowe]
- *) Fix Win32 NTFS Junctions (symlinks). PR 8014 [William Rowe]
+ *) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use
+ brigades and input filters. [Justin Erenkrantz]
- *) Fix Win32 'short name' aliases in httpd.conf directives.
- PR 8009 [William Rowe]
+ *) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request
+ body. [Justin Erenkrantz]
+
+ *) NetWare: Piping log entries through RotateLogs using the
+ CustomLogs directive is finally supported now that we have
+ the pipes and spawning functionality working.
+ [Brad Nicholes]
- *) Fix generation of default httpd.conf when the layout paths are
- disjoint. PR 7979, 8227. [Justin Erenkrantz]
+ *) Detect overflow when reading the hex bytes forming a chunk line.
+ [Aaron Bannert]
- *) Swap downgrade-1.0 and force-response-1.0 conditional checks so
- that downgraded responses can have force-response. PR 8357.
+ *) Allow RewriteMap prg:'s to take command-line arguments. PR 8464.
+ [James Tait <JT...@wyrddreams.demon.co.uk>]
+
+ *) Correctly return 413 when an invalid chunk size is given on
+ input. Also modify ap_discard_request_body to not do anything
+ on sub-requests or when the connection will be dropped.
[Justin Erenkrantz]
- *) Fix perchild MPM so that it can be configured with the move to the
- experimental directory. [Scott Lamb <sl...@slamb.org>]
+ *) Fix the TIME_* SSL var lookups to be threadsafe. PR 9469.
+ [Cliff Woolley]
- *) Fix perchild MPM so that it uses ap_gname2id for groups instead of
- ap_uname2id. [Scott Lamb <sl...@slamb.org>]
+ *) Ensure that apr_brigade_write() flushes in all of the cases that
+ it should to avoid conditions in some modules that could cause
+ large amounts of data to be buffered. [Cliff Woolley]
- *) Fix AcceptPathInfo. PR 8234 [Cliff Woolley]
+ *) Fix problem where mod_cache/mod_disk_cache was incorrectly
+ stripping the content_type from cached responses.
+ [Bill Stoddard]
- *) [Security] Added the APLOG_TOCLIENT flag to ap_log_rerror() to
- explicitly tell the server that warning messages should be sent
- to the client in addition to being recorded in the error log.
- Prior to this change, ap_log_rerror() always sent warning
- messages to the client. In one case, a faulty CGI script caused
- the server to send a warning message to the client that contained
- the full path to the CGI script. This could be considered a
- minor security exposure. [Bill Stoddard]
+ *) apachectl passes through any httpd options. Note: apachectl
+ should be used in preference to httpd since it ensures that any
+ appropriate environment variables have been set up.
+ [Jeff Trawick]
- *) mod_autoindex output when SuppressRules was specified would
- omit the first carriage return so the first item in the list
- would appear to the right of the column headings instead of
- underneath them. PR 8016 [David Shane Holden <dp...@yahoo.com>]
+ *) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.
+ PR 7810 [Colm MacCarthaigh <co...@redbrick.dcu.ie>]
- *) Moved the call to apr_mmap_dup outside the error branch so
- that it would actually get called. This fixes a core dump
- at init everytime you use the MMapFile directive. PR 8314
- [Paul J. Reder]
+ *) Fix suexec execution of CGI scripts from mod_include.
+ PR 7791, 8291 [Colm MacCarthaigh <co...@redbrick.dcu.ie>]
- *) Trigger an error when a LoadModule directive attempts to
- load a module which is built-in. This is a common error when
- switching from a DSO build to a static build. [Jeff Trawick]
+ *) Fix segfaults at startup on some platforms when mod_auth_digest,
+ mod_suexec, or mod_ssl were used as DSO's due to the way they
+ were tracking the current init phase since DSO's get completely
+ unloaded and reloaded between phases. PR 9413.
+ [Tsuyoshi Sasamoto <na...@super.win.ne.jp>, Brad Nicholes]
- *) Change instdso.sh to use libtool --install everywhere and then
- clean up some stray files and symlinks that libtool leaves around
- on some platforms. This gets subversion building properly since
- it needed a re-link to be performed by libtool at install time,
- and the old instdso.sh logic to simply cp the DSO didn't handle
- that requirement. [Sander Striker]
+ *) Fix mod_include's handling of regular expressions in
+ "<!--#if" directives [Julius Gawlas <ju...@hp.com>]
- *) Allow VPATH builds to succeed when configured from an empty
- directory. [Thom May <th...@planetarytramp.net>]
+ *) Fix the worker MPM deadlock problem [Brian Pane]
- *) Fix 'control reaches end of non-void function' warning in
- server/log.c. [Ben Collins-Sussman <su...@collab.net>]
+ *) Modify the module documentation to allow for translations.
+ [Yoshiki Hayashi, Joshua Slive]
- *) Perchild MPM is now correctly deemed as experimental and is now
- located in server/mpm/experimental. [Justin Erenkrantz]
+ *) Fix a file permissions problem which prevented mod_disk_cache
+ from working on Unix. [Jeff Trawick]
- *) Fix segfault in mod_mem_cache when garbage collecting an expired
- cache entry. [Bill Stoddard]
+ *) Add "-k start|restart|graceful|stop" support to httpd for the Unix
+ MPMs. These have semantics very similar to the old apachectl
+ commands of the same name. [Justin Erenkrantz, Jeff Trawick]
- *) Introduced -E startup_logfile_name option to httpd to allow admins
- to begin logging errors immediately. This provides Win32 users
- an alternative to sending startup errors to the event viewer, and
- allows other daemon tool authors an alternative to logging to stderr.
- [William Rowe]
-
- *) Fix subreqs with non-defined Content-Types being served improperly.
- [Justin Erenkrantz]
+ *) Make sure that the runtime dir is created by make install.
+ PR 9233. [Jeff Trawick]
- *) Merge in latest GNU config.guess and config.sub files. PR 7818.
- [Justin Erenkrantz]
+ *) Fix an unusual set of ./configure arguments that could cause
+ mod_http to be built as a DSO, which it currently doesn't
+ support. PR 9244.
+ [Cliff Woolley, Robin Johnson <ro...@orbis-terrarum.net>]
- *) Move 100 - Continue support to the HTTP_IN filter so that filters
- are guaranteed to support 100 - Continue logic without any
- intervention. [Justin Erenkrantz]
+ *) Win32: Fix bug in apr_sendfile() that caused incorrect operation
+ of the %X, %b and %B logformat options. PR 8253, 8996.
+ [Bill Stoddard]
- *) Add HTTP chunked input trailer support. [Justin Erenkrantz]
+ *) If content-encoding is already present, do not run deflate (PR 9222)
+ [Kazuhisa ASADA <ka...@asada.sytes.net>]
- *) Rename and export get_mime_headers as ap_get_mime_headers.
- [Justin Erenkrantz]
+ *) The APLOG_NOERRNO flag to ap_log_[r]error() is now deprecated.
+ It is currently ignored and it will be removed in a future release
+ of Apache. [Jeff Trawick]
- *) Allow empty Host: header arguments. PR 7441. [Justin Erenkrantz]
+ *) Removed documentation references to the no-longer-supported
+ "make certificate" feature of mod_ssl for Apache 1.3.x. Test
+ certificates, if truly desired, can be generated using openssl
+ commands. PR 8724. [Cliff Woolley]
- *) Properly substitute sbindir as httpd's location in apachectl. PR 7840.
- [Andreas Hasenack <an...@netbank.com.br>]
+ *) Remove SSLLog and SSLLogLevel directives in favor of having
+ mod_ssl use the standard ErrorLog directives. [Justin Erenkrantz]
- *) Allow Win32 shebang scripts to follow the path (or omit the .exe
- suffix from the shebang command), and allow ScriptInterpreterSource
- Registry or RegistryStrict to override shebang lines, as 1.3 did.
- PR 8004 [William Rowe]
+ *) OS/390: LIBPATH no longer has to be manually uncommented in
+ envvars to get apachectl to set up httpd properly. [Jeff Trawick]
- *) worker MPM: Fix a situation where a child exited without releasing
- the accept mutex. Depending on the OS and mutex mechanism this
- could result in a hang. [Jeff Trawick]
+ *) mod_isapi: All mod_isapi directives, excluding ISAPICacheFile,
+ may now be specified to the <File/Directory > container, rather
+ than by vhost. [William Rowe]
- *) Update the instructions for how to get started with mod_example.
- [Stas Bekman]
+ *) mod_isapi: Experimental support for faux async support for ISAPI
+ modules. [William Rowe]
+
+ *) mod_isapi: Major refactoring of the code to rely on apr internals
+ rather than MS APIs (using our own mod_isapi.h headers for ISAPI
+ symbol definitions.) [William Rowe]
+
+ *) mod_isapi: Fixed the return string length from GetServerVariable
+ callback, it was not including the trailing null in the consumed
+ buffer size. This was particularly bad for Delphi 6.0 users.
+ PR 8934 [Sebastian Hantsch <se...@gmx.de>]
+
+ *) Fixed Win32 builds for Microsoft VisualStudio 7.0 (.net).
+ [William Rowe]
+
+ *) Make apxs look in the correct directory for envvars. It was
+ broken when sbindir != bindir. PR 8869
+ [Andreas Sundstr�m <su...@zappa.cx>]
- *) Fix PidFile to default to rel_runtimedir instead of
- rel_logfiledir. PR 7841. [Andreas Hasenack <an...@netbank.com.br>]
+ *) Fix mod_deflate corruption when using multiple buckets. PR 9014.
+ [Asada Kazuhisa <ka...@asada.sytes.net>]
- *) Win32: Fix problem that caused rapid performance degradation
- when number of connecting clients exceeded ThreadsPerChild.
- [Bill Stoddard]
+ *) Performance enhancements for access logger when using
+ default timestamp formatting [Brian Pane]
- *) Fixed a segfault parsing large SSIs on non-mmap systems.
- [Brian Havard]
+ *) Added EnableMMAP config directive to enable the server
+ administrator to disable memory-mapping of delivered files
+ on a per-directory basis. [Brian Pane]
- *) Proxy was bombing out every second keepalive request, caused by a
- stray CRLF before the second response's status line. Proxy now
- tries to read one more line if it encounters a CRLF where it
- expected a status. PR 10010 [Graham Leggett]
+ *) Performance enhancements for mod_setenvif [Brian Pane]
- *) Deprecated the apr_lock.h API. Please see the following files
- for the improved thread and process locking and signaling:
- apr_proc_mutex.h, apr_thread_mutex.h, apr_thread_rwlock.h,
- apr_thread_cond.h, and apr_global_mutex.h. [Aaron Bannert]
+ *) Fix a mod_ssl build problem on OS/390. [Jeff Trawick]
- *) Change mod_status to use scoreboard accessor functions so it can
- be used in any MPM without having to be recompiled.
- [Ryan Morgan <rm...@covalent.net>]
+ *) Fixed If-Modified-Since on Win32, which would give false positives
+ because of the sub-second resolution of file timestamps on that
+ platform. [Cliff Woolley]
- *) Fix parsing of some AP_DECLARE_DATA declarations so that the filter
- handle declarations are recognized. This fixes problems loading
- mod_autoindex on some platforms. [Brian Havard]
+ *) Reverse the hook ordering for mod_userdir and mod_alias so
+ that Alias/ScriptAlias will override Userdir. PR 8841
+ [Joshua Slive]
- *) add optional fixup hook to proxy [Daniel Lopez <da...@covalent.net>]
+ *) Move mod_deflate out of experimental and into filters.
+ [Justin Erenkrantz]
- *) Remind the admin about the User and Group directives when we are
- unable to set permissions on a semaphore. PR 7812 [Jeff Trawick]
+ *) Get proxy CONNECT basically working. [Jeff Trawick]
- *) fix possible compilation problem in ssl_engine_kernel.c. PR 7802
- [Doug MacEachern]
+ *) Fix mod_rewrite hang when APR uses SysV Semaphores and
+ RewriteLogLevel is set to anything other than 0. PR: 8143
+ [Aaron Bannert, Cliff Woolley]
- *) fix possible infinite loop in mod_ssl triggered by certain
- netscape clients [Doug MacEachern]
+ *) Fix byterange requests from returning 416 when using dynamic data
+ (such as filters like mod_include). [Justin Erenkrantz]
- *) fix ProxyPass when frontend is https and backend is http
- [Doug MacEachern]
+ *) Allow mod_rewrite's set of "int:" internal RewriteMap functions
+ to be extended by third-party modules via an optional function.
+ [Tahiry Ramanamampanoharana <no...@hotmail.com>, Cliff Woolley]
+
+ *) Fix mod_include expression parser's handling of unquoted strings
+ followed immediately by a closing paren. PR 8462. [Brian Pane]
+
+ *) Remove autom4te.cache in 'make distclean'.
+ [Thom May <th...@planetarytramp.net>]
+
+ *) Fix generated httpd.conf to respect layout for LoadModule lines.
+ PR 8170. [Thom May <th...@planetarytramp.net>]
+
+ *) Win32: During a graceful restart, threads in the new process
+ were accessing scoreboard slots still in use by active threads in
+ the the old process. [Bill Stoddard]
- *) Add DASL support to mod_dav
- [Sung Kim <hu...@cse.ucsc.edu>]
1.25 +2 -2 httpd-dist/HEADER.html
Index: HEADER.html
===================================================================
RCS file: /home/cvs/httpd-dist/HEADER.html,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -d -u -r1.24 -r1.25
--- HEADER.html 22 May 2002 21:03:32 -0000 1.24
+++ HEADER.html 18 Jun 2002 04:52:41 -0000 1.25
@@ -12,8 +12,8 @@
<ul>
<li><a href="#mirrors">Download from your nearest mirror site!</a></li>
<li><a href="#binaries">Binary Releases</a></li>
-<li><a href="#apache20">Apache 2.0.36 is the best available version.</a></li>
-<li><a href="#apache13">Apache 1.3.24 is also available.</a></li>
+<li><a href="#apache20">Apache 2.0.39 is the best available version.</a></li>
+<li><a href="#apache13">Apache 1.3.25 is also available.</a></li>
<li><a href="#sig">PGP Signatures</a></li>
<li><a href="#patches">Official Patches</a></li>
<li><a href="#contrib">Contributed Patches/Modules/Code</a></li>
1.21 +22 -17 httpd-dist/README.html
Index: README.html
===================================================================
RCS file: /home/cvs/httpd-dist/README.html,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -d -u -r1.20 -r1.21
--- README.html 23 May 2002 19:23:14 -0000 1.20
+++ README.html 18 Jun 2002 04:52:41 -0000 1.21
@@ -12,37 +12,42 @@
Every binary distribution contains an install script. See README
for details.</p>
-<h2><a name="apache20"><a href="Announcement2.html">Apache 2.0.36</a>
+<h2><a name="apache20"><a href="Announcement2.html">Apache 2.0.39</a>
is the best available version.</a></h2>
-<p>Apache 2.0 add-in modules are not compatibile with Apache 1.3 modules.
+<p>This release fixes a security problem as described in our recent
+ <a href="http://httpd.apache.org/info/security_bulletin_20020617.txt">
+ security bulletin</a>, and all users of Apache 2.0 are urged to
+ upgrade as soon as possible.</p>
+
+<p>Apache 2.0 add-in modules are not compatible with Apache 1.3 modules.
If you are running third party add-in modules, you will need to obtain
new modules written for Apache 2.0 from that third party before you
attempt to upgrade from Apache 1.3.</p>
<p>For details see the <A HREF="Announcement2.html">Official Announcement</A>.
- Check <a href="patches/apply_to_2.0.36/">here</a> to see if any patches
+ Check <a href="patches/apply_to_2.0.39/">here</a> to see if any patches
or other special instructions are necessary for building or running
- Apache 2.0.36 on your platform.</p>
+ Apache 2.0.39 on your platform.</p>
-<p>Note the -win32.zip version of Apache 2.0.36 is nearly identical to the
+<p>Note the -win32.zip version of Apache 2.0.39 is nearly identical to the
.tar.gz version. However, it offers sources in DOS/Windows CR/LF text
and includes the Win32 .mak files.</p>
-<h2><a name="apache13"><a href="Announcement.html">Apache 1.3.24</a>
+<h2><a name="apache13"><a href="Announcement.html">Apache 1.3.25</a>
is also available.</a></h2>
-<p>Apache 1.3.24 is the best available version of the 1.3 series, and is
- recommended over all previous 1.3 releases. Of particular note; 1.3.24
- addresses the vulnerability noted in
- <A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0061">
- CAN-2002-0061</A>. For additional details, read the
- <a href="Announcement.html">Official Announcement</a> and see the
- <A HREF="CHANGES_1.3">CHANGES_1.3</A> file.</p>
+<p>Apache 1.3.25 is the best available version of the 1.3 series, and is
+ recommended over all previous 1.3 releases.</p>
-<p>Use the Apache 1.3.24 version if you need to use third party modules that
+<p>This release fixes a security problem as described in our recent
+ <a href="http://httpd.apache.org/info/security_bulletin_20020617.txt">
+ security bulletin</a>, and all users of Apache 1.3 and prior are urged to
+ upgrade as soon as possible.</p>
+
+<p>Use the Apache 1.3.25 version if you need to use third party modules that
are not yet available as an Apache 2.0 module. Apache 1.3 is not
- compatibile with Apache 2.0 modules.</p>
+ compatible with Apache 2.0 modules.</p>
<h2><a name="sig">PGP Signatures</a></h2>
@@ -55,10 +60,10 @@
<pre>Always signatures to validate package authenticity, <i>e.g.</i>,
% pgpk -a KEYS
-% pgpv apache_1.3.24.tar.gz.asc
+% pgpv apache_1.3.25.tar.gz.asc
<i>or</i>,
% pgp -ka KEYS
-% pgp apache_1.3.24.tar.gz.asc
+% pgp apache_1.3.25.tar.gz.asc
</PRE>
<p>We offer MD5 hashes as an alternative to validate the integrity
1.23 +2 -2 httpd-dist/binaries/win32/HEADER.html
Index: HEADER.html
===================================================================
RCS file: /home/cvs/httpd-dist/binaries/win32/HEADER.html,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -d -u -r1.22 -r1.23
--- HEADER.html 24 May 2002 21:23:11 -0000 1.22
+++ HEADER.html 18 Jun 2002 04:52:41 -0000 1.23
@@ -5,8 +5,8 @@
<li><a href="#mirrors">Download from your nearest mirror site!</a></li>
<li><a href="#winsock">Windows 95 Apache Users Read This First</a></li>
<li><a href="#xpbug">Windows XP Apache Users Read This First</a><br/></li>
-<li><a href="#stable" style="color:purple;">The current stable release is Apache 2.0.36</a><br/></li>
-<li><a href="#old" style="color:green;">The old stable release is Apache 1.3.24</a></li>
+<li><a href="#stable" style="color:purple;">The current stable release is Apache 2.0.39</a><br/></li>
+<li><a href="#old" style="color:green;">The old stable release is Apache 1.3.25</a></li>
<li><a href="#msi">MSI Binary Distribution Packages</a></li>
<li><a href="TROUBLESHOOTING.html">Troubleshooting MSI Installation Problems</a></li>
</ul>
1.22 +13 -7 httpd-dist/binaries/win32/README.html
Index: README.html
===================================================================
RCS file: /home/cvs/httpd-dist/binaries/win32/README.html,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -d -u -r1.21 -r1.22
--- README.html 29 May 2002 18:22:16 -0000 1.21
+++ README.html 18 Jun 2002 04:52:41 -0000 1.22
@@ -25,8 +25,8 @@
<p>If you will install Apache on Windows XP, be warned. There is a known bug
our users have identified; you may or may not encounter it yourself. It
- is mitigated, but possibly not eliminated, with the Apache 1.3.24 release.
- The effects of this bug within Apache 2.0 Beta have only been observed
+ is mitigated, but possibly not eliminated, as of the Apache 1.3.24 release.
+ The effects of this bug within Apache 2.0 have only been observed
in conjunction with https SSL/TLS connections, but could occur in other
contexts.</p>
@@ -48,15 +48,17 @@
>Q317949</a> addresses this bug, you should be able to obtain the hotfix
directly from Microsoft by citing this Knowledge Base article.</p>
-<h2><a name="stable"><div style="color:purple;">The current stable release is Apache 2.0.36</div></a></h2>
+<h2><a name="stable">The current stable release is Apache 2.0.39</a></h2>
-<p>Apache 2.0 is released for General Availability.
+<p>Apache 2.0 is released for General Availability.</p>
<p>The Apache Group is proud to announce the release the first GA release
of Apache 2.0. Apache 2.0 has been running on the Apache.org website
since December of 2000 and has proven to be very reliable.</p>
-<p>The Win32 MSI installer is available. The keep-window-open-on-error logic
+<p>A Win32 binary package for 2.0.39 will be made available shortly.</p>
+<!--
+<p>The Win32 MSI installer is available. The keep-window-open-on-error logic
does not work under 2.0.36; the -w flag is not recognized. This version
is only available at present in a -no_ssl flavor, due to ongoing questions
of strong crypto redistribution. When a binary build with mod_ssl compiled
@@ -71,8 +73,11 @@
to incorporate the source tree into the binary product tree. You will
find the source package in <a href="../../httpd-2.0.36-win32-src.zip"
>/dist/httpd/httpd-2.0.36-win32-src.zip</a>.</p>
+ -->
-<h2><a name="old">The old stable release is Apache 1.3.24</a></h2>
+<h2><a name="old">The old stable release is Apache 1.3.25</a></h2>
+
+<p>A Win32 binary package for 1.3.25 will be made available shortly.</p>
<p>Since Apache version 1.3.22, a full setup package (.exe) containing the
Win9x/WinNT Microsoft System Installer installer is available. If the
@@ -99,7 +104,8 @@
support for Win32 under Apache. Most critically, there were potential
denial of service attacks affecting Win32 that were closed with
the release of 1.3.22, and 1.3.24 closes a serious vulnerability
- in CGI invocation of .bat and .cmd scripts.</p>
+ in CGI invocation of .bat and .cmd scripts. 1.3.25 closes a serious
+ vulnerability in chunked transfer encoding as well.</p>
<p><strong>Do not report configuration or installation questions as
bugs!</strong> The <a href="http://httpd.apache.org/userslist.html">Apache