You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by jw...@apache.org on 2002/06/18 06:52:59 UTC
cvs commit: httpd-site/xdocs Announcement index.xml
jwoolley 2002/06/17 21:52:59
Modified: docs Announcement index.html
xdocs Announcement index.xml
Log:
getting ready to release 1.3.25 and 2.0.39
Revision Changes Path
1.11 +275 -167 httpd-site/docs/Announcement
Index: Announcement
===================================================================
RCS file: /home/cvs/httpd-site/docs/Announcement,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -d -u -r1.10 -r1.11
--- Announcement 6 May 2002 21:35:39 -0000 1.10
+++ Announcement 18 Jun 2002 04:52:58 -0000 1.11
@@ -1,11 +1,19 @@
-Apache 2.0.36 Released
+Apache 2.0.39 Released
---------------------------------------------
-The Apache HTTP Server Project is proud to announce the second public
+The Apache HTTP Server Project is proud to announce the third public
release of Apache 2.0. Apache 2.0 has been running on the Apache.org
website since December of 2000 and has proven to be very reliable.
+This version of Apache is principally a security and bug fix
+release. A summary of the bug fixes is given at the end of this document.
+Of particular note is that 2.0.39 addresses and fixes the issues noted
+in CAN-2002-0392 (mitre.org) [CERT VU#944335] regarding a vulnerability
+in the handling of chunked transfer encoding. We would like to thank
+Mark Litchfield of ngssoftware.com for discovering and reporting the
+vulnerability.
+
Apache 2.0 offers numerous enhancements, improvements and performance
boosts over the 1.3 codebase. The most visible and noteworthy addition
is the ability to run Apache in a hybrid thread/process mode on any
@@ -36,216 +44,316 @@
For more information and to download the release tarballs, please
visit http://httpd.apache.org/
-
-Changes with Apache 2.0.36
- *) Close sockets on worker MPM when doing a graceless restart.
- [Aaron Bannert]
+Changes since 2.0.36
+---------------------------------------------
- *) Reverted a minor optimization in mod_ssl.c that used the vhost ID
- as the session id context rather that a MD5 hash of that vhost ID,
- because it caused very long vhost id's to be unusable with mod_ssl.
- PR 8572. [Cliff Woolley]
+Changes with Apache 2.0.39
- *) Fix the link to the description of the CoredumpDirectory
- directive in the server-wide document. PR 8643. [Jeff Trawick]
+ *) Fixed a build problem in htpasswd.c on Win32.
+ [Guenter Knauf <ef...@gmx.net>, Cliff Woolley]
- *) Fixed SHMCB session caching. [Aaron Bannert, Cliff Woolley]
+Changes with Apache 2.0.38
- *) Synced with remaining changes from mod_ssl 2.8.8-1.3.24:
- - Avoid SIGBUS on sparc machines with SHMCB session caches
- - Allow whitespace between the pipe and the name of the
- program in SSLLog "| /path/to/program". [Cliff Woolley]
+ *) Rewrite htpasswd to use APR. The removes the annoying warning about
+ tmpnam being unsafe. [Ryan Bloom]
- *) Introduce mod_ext_filter and mod_deflate experimental modules
- to the Win32 build (zlib sources must be in srclib\zlib.)
- [William Rowe]
+ *) We must set the MIME-type for .shtml files to text/html if we want them
+ to be parsed for SSI tags. Add the config for that to the default
+ config file so that it is easier to enable .shtml parsing.
+ [Dave Dyer <dd...@real-me.net>]
- *) Changes to the worker MPM's queue management and thread
- synchronization code to reduce mutex contention [Brian Pane]
+ *) Fixed a problem with 'make install' on ReliantUnix.
+ [Jean-frederic Clere <jf...@fujitsu-siemens.com>]
- *) Don't install *.in configuration files since we already install
- *-std.conf files. [Aaron Bannert]
+ *) Make the default_handler catch all requests that aren't served by
+ another handler. This also gets us to return a 404 if a directory
+ is requested, there is no DirectoryIndex, and mod_autoindex isn't
+ loaded. [Justin Erenkrantz]
- *) Many improvements to the threadpool MPM. [Aaron Bannert]
+ *) Fixed the handling of nested if-statements in shtml files.
+ PR 9866 [Brian Pane]
- *) Fix subreqs that are promoted via fast_redirect from having invalid
- frec->r structures. This would cause subtle errors later on in
- request processing such as seen in PR 7966. [Justin Erenkrantz]
+ *) Allow 'make install DESTDIR=/path'. This allows packagers to install
+ into a directory different from the one that was configured. This
+ also mirrors the root= feature from 1.3. We cannot use prefix=,
+ because both APR and APR-util resolve their installation paths at
+ configuration time. This means that there is no variable prefix
+ to replace. [Andreas Hasenack <an...@netbank.com.br>]
- *) More efficient pool recycling logic for the worker MPM [Brian Pane]
+ *) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.
+ These levels of AIX don't have a thundering herd problem with
+ accept(). [Jeff Trawick]
- *) Modify the worker MPM to not accept() new connections until
- there is an available worker thread. This prevents queued
- connections from starving for processing time while long-running
- connections were hogging all the available threads. [Aaron Bannert]
+ *) prefork MPM: Ignore mutex errors during graceful restart. For
+ certain types of mutexes (particularly SysV semaphores), we
+ should expect to occasionally fail to obtain or release the
+ mutex during restart processing. [Jeff Trawick]
- *) Convert the worker MPM's fdqueue from a LIFO back into a FIFO.
- [Aaron Bannert]
+ *) Fix install-bindist.sh so that it finds any perl instead of just
+ early perl 5.x versions. This is consistent with a build/install
+ from source, and it allows the perl scripts installed by a bindist
+ to work on systems with perl 5.6. [Jeff Trawick]
- *) Get basic HTTP proxy working on EBCDIC machines. [Jeff Trawick]
+ *) Fix apxs so that the makefile created by "apxs -g" works on AIX and
+ Tru64 (and probably some other platforms). [Jeff Trawick]
- *) Allow mod_unique_id to work on systems with no IPv4 address
- corresponding to their host name. [Jeff Trawick]
+ *) Allow CGI scripts to return their Content-Length. This also fixes a
+ hang on HEAD requests seen on certain platforms (such as FreeBSD).
+ [Justin Erenkrantz]
- *) Fix suexec behavior with user directories. PR 7810.
- [Colm <co...@redbrick.dcu.ie>]
+ *) Added log rotation based on file size to the RotateLog support
+ utility. [Brad Nicholes]
- *) Reject a blank UserDir directive since it is ambiguous. PR 8472.
+ *) Fix some casting in mod_rewrite which broke random maps.
+ PR 9770 [Allan Edwards, Greg Ames, Jeff Trawick]
+
+Changes with Apache 2.0.37
+
+ *) allow POST method over SSL when per-directory client cert
+ authentication is used with 'SSLOptions +OptRenegotiate' enabled
+ and a client cert was found in the ssl session cache.
+
+ *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
+ session cache when there is no cert chain in the cache. prior to
+ the fix this situation would result in a FORBIDDEN response and
+ error message "Cannot find peer certificate chain"
+ [Doug MacEachern]
+
+ *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
+ one was already sent. PR 9644 [Jeff Trawick]
+
+ *) Fix the display of the default name for the mime types config
+ file. PR 9729 [Matthew Brecknell <mb...@orchestream.com>]
+
+ *) Fix the working directory *for WinNT/2K/XP services only* to
+ change to the Apache directory (one level above the location
+ of Apache.exe, in the case that Apache.exe resides in bin/.)
+ Solves the case of ServerRoot /foo paths where /foo was not
+ on the same drive as /winnt/system32. [William Rowe]
+
+ *) Make 2.0's "AcceptMutex" startup message now "completely"
+ match how 1.3 does it. [Jim Jagielski]
+
+ *) Implement a fixed size memory cache using a priority queue
+ [Ian Holsman]
+
+ *) Fix apxs to allow "apxs -q installbuilddir" and to allow
+ querying certain other variables from config_vars.mk. PR 9316
+ [Jeff Trawick]
+
+ *) Added the "detached" attribute to the cgi_exec_info_t internals
+ so that Win32 and Netware won't create a new window or console
+ for each CGI invoked. PR 8387
+ [Brad Nicholes, William Rowe]
+
+ *) Consolidated the command line parameters and attributes that are
+ manipulated by the optional function ap_cgi_build_command() in
+ mod_cgi into a single structure.
+ [Brad Nicholes]
+
+ *) Get rid of uninitialized value errors with "apxs -q" on certain
+ variables. [Stas Bekman <st...@stason.org>]
+
+ *) Fix apxs to allow it to work when the build directory is somewhere
+ besides server-root/build. PR 8453
+ [Jeff Trawick and a host of others]
+
+ *) Allow ap_discard_request_body to be called multiple times in the
+ same request. Essentially, ap_http_filter keeps track of whether
+ it has sent an EOS bucket up the stack, if so, it will only ever
+ send an EOS bucket for this request.
+ [Ryan Bloom, Justin Erenkrantz, Greg Stein]
+
+ *) Remove all special mod_ssl URIs. This also fixes the bug where
+ redirecting (.*) will allow an SSL protected page to be viewed
+ without SSL. [Ryan Bloom]
+
+ *) Fix the binary build install script so that the build logic
+ created by "apxs -g" will work when the user has a binary
+ build. [Jeff Trawick]
+
+ *) Allow instdso.sh to work with full paths to the shared module.
[Justin Erenkrantz]
- *) Make mod_mime use case-insensitive matching when examining
- extensions on all platforms. PR 8223. [Justin Erenkrantz]
+ *) NetWare: Enabled CGI functionality and added mod_cgi as a built
+ in module for NetWare [Brad Nicholes]
- *) Add an intelligent error message should no proxy submodules be
- valid to handle a request. PR 8407 [Graham Leggett]
+ *) Changed cgi and piped log behavior to accept 65536 characters
+ on Win32 (matching Linux) before deadlocking between outputing
+ client stdin, slurping the output from stdout and then the stderr
+ stream. PR 8179 [William Rowe]
- *) Major improvements in concurrent processing for AB by enabling
- non-blocking connect()s and preventing APR from doing blocking
- read()s. Also implement fatal error checking for apr_recv().
- [Aaron Bannert]
+ *) Fixed Win32 wintty.exe support to assure the window title is valid.
+ Elimiates possible gpfault or garbage title without the -t option.
+ [William Rowe]
- *) Fix Win32 NTFS Junctions (symlinks). PR 8014 [William Rowe]
+ *) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use
+ brigades and input filters. [Justin Erenkrantz]
- *) Fix Win32 'short name' aliases in httpd.conf directives.
- PR 8009 [William Rowe]
+ *) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request
+ body. [Justin Erenkrantz]
+
+ *) NetWare: Piping log entries through RotateLogs using the
+ CustomLogs directive is finally supported now that we have
+ the pipes and spawning functionality working.
+ [Brad Nicholes]
- *) Fix generation of default httpd.conf when the layout paths are
- disjoint. PR 7979, 8227. [Justin Erenkrantz]
+ *) Detect overflow when reading the hex bytes forming a chunk line.
+ [Aaron Bannert]
- *) Swap downgrade-1.0 and force-response-1.0 conditional checks so
- that downgraded responses can have force-response. PR 8357.
+ *) Allow RewriteMap prg:'s to take command-line arguments. PR 8464.
+ [James Tait <JT...@wyrddreams.demon.co.uk>]
+
+ *) Correctly return 413 when an invalid chunk size is given on
+ input. Also modify ap_discard_request_body to not do anything
+ on sub-requests or when the connection will be dropped.
[Justin Erenkrantz]
- *) Fix perchild MPM so that it can be configured with the move to the
- experimental directory. [Scott Lamb <sl...@slamb.org>]
+ *) Fix the TIME_* SSL var lookups to be threadsafe. PR 9469.
+ [Cliff Woolley]
- *) Fix perchild MPM so that it uses ap_gname2id for groups instead of
- ap_uname2id. [Scott Lamb <sl...@slamb.org>]
+ *) Ensure that apr_brigade_write() flushes in all of the cases that
+ it should to avoid conditions in some modules that could cause
+ large amounts of data to be buffered. [Cliff Woolley]
- *) Fix AcceptPathInfo. PR 8234 [Cliff Woolley]
+ *) Fix problem where mod_cache/mod_disk_cache was incorrectly
+ stripping the content_type from cached responses.
+ [Bill Stoddard]
- *) [Security] Added the APLOG_TOCLIENT flag to ap_log_rerror() to
- explicitly tell the server that warning messages should be sent
- to the client in addition to being recorded in the error log.
- Prior to this change, ap_log_rerror() always sent warning
- messages to the client. In one case, a faulty CGI script caused
- the server to send a warning message to the client that contained
- the full path to the CGI script. This could be considered a
- minor security exposure. [Bill Stoddard]
+ *) apachectl passes through any httpd options. Note: apachectl
+ should be used in preference to httpd since it ensures that any
+ appropriate environment variables have been set up.
+ [Jeff Trawick]
- *) mod_autoindex output when SuppressRules was specified would
- omit the first carriage return so the first item in the list
- would appear to the right of the column headings instead of
- underneath them. PR 8016 [David Shane Holden <dp...@yahoo.com>]
+ *) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.
+ PR 7810 [Colm MacCarthaigh <co...@redbrick.dcu.ie>]
- *) Moved the call to apr_mmap_dup outside the error branch so
- that it would actually get called. This fixes a core dump
- at init everytime you use the MMapFile directive. PR 8314
- [Paul J. Reder]
+ *) Fix suexec execution of CGI scripts from mod_include.
+ PR 7791, 8291 [Colm MacCarthaigh <co...@redbrick.dcu.ie>]
- *) Trigger an error when a LoadModule directive attempts to
- load a module which is built-in. This is a common error when
- switching from a DSO build to a static build. [Jeff Trawick]
+ *) Fix segfaults at startup on some platforms when mod_auth_digest,
+ mod_suexec, or mod_ssl were used as DSO's due to the way they
+ were tracking the current init phase since DSO's get completely
+ unloaded and reloaded between phases. PR 9413.
+ [Tsuyoshi Sasamoto <na...@super.win.ne.jp>, Brad Nicholes]
- *) Change instdso.sh to use libtool --install everywhere and then
- clean up some stray files and symlinks that libtool leaves around
- on some platforms. This gets subversion building properly since
- it needed a re-link to be performed by libtool at install time,
- and the old instdso.sh logic to simply cp the DSO didn't handle
- that requirement. [Sander Striker]
+ *) Fix mod_include's handling of regular expressions in
+ "<!--#if" directives [Julius Gawlas <ju...@hp.com>]
- *) Allow VPATH builds to succeed when configured from an empty
- directory. [Thom May <th...@planetarytramp.net>]
+ *) Fix the worker MPM deadlock problem [Brian Pane]
- *) Fix 'control reaches end of non-void function' warning in
- server/log.c. [Ben Collins-Sussman <su...@collab.net>]
+ *) Modify the module documentation to allow for translations.
+ [Yoshiki Hayashi, Joshua Slive]
- *) Perchild MPM is now correctly deemed as experimental and is now
- located in server/mpm/experimental. [Justin Erenkrantz]
+ *) Fix a file permissions problem which prevented mod_disk_cache
+ from working on Unix. [Jeff Trawick]
- *) Fix segfault in mod_mem_cache when garbage collecting an expired
- cache entry. [Bill Stoddard]
+ *) Add "-k start|restart|graceful|stop" support to httpd for the Unix
+ MPMs. These have semantics very similar to the old apachectl
+ commands of the same name. [Justin Erenkrantz, Jeff Trawick]
- *) Introduced -E startup_logfile_name option to httpd to allow admins
- to begin logging errors immediately. This provides Win32 users
- an alternative to sending startup errors to the event viewer, and
- allows other daemon tool authors an alternative to logging to stderr.
- [William Rowe]
-
- *) Fix subreqs with non-defined Content-Types being served improperly.
- [Justin Erenkrantz]
+ *) Make sure that the runtime dir is created by make install.
+ PR 9233. [Jeff Trawick]
- *) Merge in latest GNU config.guess and config.sub files. PR 7818.
- [Justin Erenkrantz]
+ *) Fix an unusual set of ./configure arguments that could cause
+ mod_http to be built as a DSO, which it currently doesn't
+ support. PR 9244.
+ [Cliff Woolley, Robin Johnson <ro...@orbis-terrarum.net>]
- *) Move 100 - Continue support to the HTTP_IN filter so that filters
- are guaranteed to support 100 - Continue logic without any
- intervention. [Justin Erenkrantz]
+ *) Win32: Fix bug in apr_sendfile() that caused incorrect operation
+ of the %X, %b and %B logformat options. PR 8253, 8996.
+ [Bill Stoddard]
- *) Add HTTP chunked input trailer support. [Justin Erenkrantz]
+ *) If content-encoding is already present, do not run deflate (PR 9222)
+ [Kazuhisa ASADA <ka...@asada.sytes.net>]
- *) Rename and export get_mime_headers as ap_get_mime_headers.
- [Justin Erenkrantz]
+ *) The APLOG_NOERRNO flag to ap_log_[r]error() is now deprecated.
+ It is currently ignored and it will be removed in a future release
+ of Apache. [Jeff Trawick]
- *) Allow empty Host: header arguments. PR 7441. [Justin Erenkrantz]
+ *) Removed documentation references to the no-longer-supported
+ "make certificate" feature of mod_ssl for Apache 1.3.x. Test
+ certificates, if truly desired, can be generated using openssl
+ commands. PR 8724. [Cliff Woolley]
- *) Properly substitute sbindir as httpd's location in apachectl. PR 7840.
- [Andreas Hasenack <an...@netbank.com.br>]
+ *) Remove SSLLog and SSLLogLevel directives in favor of having
+ mod_ssl use the standard ErrorLog directives. [Justin Erenkrantz]
- *) Allow Win32 shebang scripts to follow the path (or omit the .exe
- suffix from the shebang command), and allow ScriptInterpreterSource
- Registry or RegistryStrict to override shebang lines, as 1.3 did.
- PR 8004 [William Rowe]
+ *) OS/390: LIBPATH no longer has to be manually uncommented in
+ envvars to get apachectl to set up httpd properly. [Jeff Trawick]
- *) worker MPM: Fix a situation where a child exited without releasing
- the accept mutex. Depending on the OS and mutex mechanism this
- could result in a hang. [Jeff Trawick]
+ *) mod_isapi: All mod_isapi directives, excluding ISAPICacheFile,
+ may now be specified to the <File/Directory > container, rather
+ than by vhost. [William Rowe]
- *) Update the instructions for how to get started with mod_example.
- [Stas Bekman]
+ *) mod_isapi: Experimental support for faux async support for ISAPI
+ modules. [William Rowe]
+
+ *) mod_isapi: Major refactoring of the code to rely on apr internals
+ rather than MS APIs (using our own mod_isapi.h headers for ISAPI
+ symbol definitions.) [William Rowe]
+
+ *) mod_isapi: Fixed the return string length from GetServerVariable
+ callback, it was not including the trailing null in the consumed
+ buffer size. This was particularly bad for Delphi 6.0 users.
+ PR 8934 [Sebastian Hantsch <se...@gmx.de>]
+
+ *) Fixed Win32 builds for Microsoft VisualStudio 7.0 (.net).
+ [William Rowe]
+
+ *) Make apxs look in the correct directory for envvars. It was
+ broken when sbindir != bindir. PR 8869
+ [Andreas Sundstr�m <su...@zappa.cx>]
- *) Fix PidFile to default to rel_runtimedir instead of
- rel_logfiledir. PR 7841. [Andreas Hasenack <an...@netbank.com.br>]
+ *) Fix mod_deflate corruption when using multiple buckets. PR 9014.
+ [Asada Kazuhisa <ka...@asada.sytes.net>]
- *) Win32: Fix problem that caused rapid performance degradation
- when number of connecting clients exceeded ThreadsPerChild.
- [Bill Stoddard]
+ *) Performance enhancements for access logger when using
+ default timestamp formatting [Brian Pane]
- *) Fixed a segfault parsing large SSIs on non-mmap systems.
- [Brian Havard]
+ *) Added EnableMMAP config directive to enable the server
+ administrator to disable memory-mapping of delivered files
+ on a per-directory basis. [Brian Pane]
- *) Proxy was bombing out every second keepalive request, caused by a
- stray CRLF before the second response's status line. Proxy now
- tries to read one more line if it encounters a CRLF where it
- expected a status. PR 10010 [Graham Leggett]
+ *) Performance enhancements for mod_setenvif [Brian Pane]
- *) Deprecated the apr_lock.h API. Please see the following files
- for the improved thread and process locking and signaling:
- apr_proc_mutex.h, apr_thread_mutex.h, apr_thread_rwlock.h,
- apr_thread_cond.h, and apr_global_mutex.h. [Aaron Bannert]
+ *) Fix a mod_ssl build problem on OS/390. [Jeff Trawick]
- *) Change mod_status to use scoreboard accessor functions so it can
- be used in any MPM without having to be recompiled.
- [Ryan Morgan <rm...@covalent.net>]
+ *) Fixed If-Modified-Since on Win32, which would give false positives
+ because of the sub-second resolution of file timestamps on that
+ platform. [Cliff Woolley]
- *) Fix parsing of some AP_DECLARE_DATA declarations so that the filter
- handle declarations are recognized. This fixes problems loading
- mod_autoindex on some platforms. [Brian Havard]
+ *) Reverse the hook ordering for mod_userdir and mod_alias so
+ that Alias/ScriptAlias will override Userdir. PR 8841
+ [Joshua Slive]
- *) add optional fixup hook to proxy [Daniel Lopez <da...@covalent.net>]
+ *) Move mod_deflate out of experimental and into filters.
+ [Justin Erenkrantz]
- *) Remind the admin about the User and Group directives when we are
- unable to set permissions on a semaphore. PR 7812 [Jeff Trawick]
+ *) Get proxy CONNECT basically working. [Jeff Trawick]
- *) fix possible compilation problem in ssl_engine_kernel.c. PR 7802
- [Doug MacEachern]
+ *) Fix mod_rewrite hang when APR uses SysV Semaphores and
+ RewriteLogLevel is set to anything other than 0. PR: 8143
+ [Aaron Bannert, Cliff Woolley]
- *) fix possible infinite loop in mod_ssl triggered by certain
- netscape clients [Doug MacEachern]
+ *) Fix byterange requests from returning 416 when using dynamic data
+ (such as filters like mod_include). [Justin Erenkrantz]
- *) fix ProxyPass when frontend is https and backend is http
- [Doug MacEachern]
+ *) Allow mod_rewrite's set of "int:" internal RewriteMap functions
+ to be extended by third-party modules via an optional function.
+ [Tahiry Ramanamampanoharana <no...@hotmail.com>, Cliff Woolley]
+
+ *) Fix mod_include expression parser's handling of unquoted strings
+ followed immediately by a closing paren. PR 8462. [Brian Pane]
+
+ *) Remove autom4te.cache in 'make distclean'.
+ [Thom May <th...@planetarytramp.net>]
+
+ *) Fix generated httpd.conf to respect layout for LoadModule lines.
+ PR 8170. [Thom May <th...@planetarytramp.net>]
+
+ *) Win32: During a graceful restart, threads in the new process
+ were accessing scoreboard slots still in use by active threads in
+ the the old process. [Bill Stoddard]
- *) Add DASL support to mod_dav
- [Sung Kim <hu...@cse.ucsc.edu>]
1.28 +26 -17 httpd-site/docs/index.html
Index: index.html
===================================================================
RCS file: /home/cvs/httpd-site/docs/index.html,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -d -u -r1.27 -r1.28
--- index.html 17 Jun 2002 18:27:12 -0000 1.27
+++ index.html 18 Jun 2002 04:52:58 -0000 1.28
@@ -60,8 +60,8 @@
<tr><td>
<blockquote>
<p>Apache has been the most popular web server on the Internet since
-April of 1996. The March 2002 <a href="http://www.netcraft.com/survey/">Netcraft Web Server Survey</a>
-found that 54% of the web sites on the Internet are using Apache, thus
+April of 1996. The May 2002 <a href="http://www.netcraft.com/survey/">Netcraft Web Server Survey</a>
+found that 56% of the web sites on the Internet are using Apache, thus
making it more widely used than all other web servers combined.</p>
<p>The Apache HTTP Server Project is an effort to develop and maintain
an open-source HTTP server for various modern desktop and server
@@ -88,14 +88,14 @@
<p>In most cases the outcome of the invalid request is that the child process
dealing with the request will terminate. At the least, this could help a
remote attacker launch a denial of service attack as the parent process
-will eventually have to replace the terminated child process and starting
+will eventually have to replace the terminated child process, and starting
new children uses non-trivial amounts of resources.</p>
<p>We were also notified today by ISS that they had published the same issue
which has forced the early release of this advisory. Please note that the
patch provided by ISS does not correct this vulnerability.</p>
-<p>The Apache Software Foundation are currently working on new releases that
-fix this issue; please stay tuned here at http://httpd.apache.org/ for
-updated versions as they become available.</p>
+<p>The Apache Software Foundation has released versions 1.3.25 and 2.0.39
+to address and fix this issue. These version are available for download;
+see below.</p>
<p align="center">
<a href="info/security_bulletin_20020617.txt">Full Advisory</a>
</p>
@@ -105,7 +105,7 @@
<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr><td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
- <a name="2.0.36"><strong>Apache 2.0.36 Released</strong></a>
+ <a name="2.0.39"><strong>Apache 2.0.39 Released</strong></a>
</font>
</td></tr>
<tr><td>
@@ -113,6 +113,13 @@
<p>The Apache HTTP Server Project is proud to announce the second public
release of Apache 2.0. Apache 2.0 has been running on the Apache.org
website since December of 2000 and has proven to be very reliable.</p>
+<p>This version of Apache is principally a security and bug fix
+release. Of particular note is that 2.0.39 addresses and fixes the issues
+noted in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392">
+CAN-2002-0392 (mitre.org)</a>
+[<a href="http://www.cert.org/advisories/CA-2002-17.html">CERT VU#944335</a>]
+regarding a vulnerability in the handling of chunked transfer encoding as
+described above.</p>
<p>Apache 2.0 offers numerous enhancements, improvements and performance
boosts over the 1.3 codebase. The most visible and noteworthy addition
is the ability to run Apache in a hybrid thread/process mode on any
@@ -132,9 +139,9 @@
take up disk space, but if you have the time and skills, please
give it a spin on your platforms.</p>
<p align="center">
-<a href="http://www.apache.org/dist/httpd/">Download Apache 2.0.36</a> |
+<a href="http://www.apache.org/dist/httpd/">Download Apache 2.0.39</a> |
<a href="docs-2.0/new_features_2_0.html">New Features in Apache 2.0</a> |
-<a href="http://www.apache.org/dist/httpd/CHANGES_2.0">ChangeLog for 2.0.36</a>
+<a href="http://www.apache.org/dist/httpd/CHANGES_2.0">ChangeLog for 2.0.39</a>
</p>
</blockquote>
</td></tr>
@@ -142,24 +149,26 @@
<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr><td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
- <a name="1.3.24"><strong>Apache 1.3.24 Released</strong></a>
+ <a name="1.3.25"><strong>Apache 1.3.25 Released</strong></a>
</font>
</td></tr>
<tr><td>
<blockquote>
<p>The Apache Group is pleased to announce the <a href="http://www.apache.org/dist/httpd/Announcement.html">release of the
-1.3.24 version of the Apache HTTP server</a>.</p>
-<p>Apache 1.3.24 is principally a security and bug fix release.
-Of particular note is that 1.3.24 addresses and fixes the issues noted in
-<A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0061">
-CAN-2002-0061 (mitre.org)</A> regarding escaping of command line args on Win32.
-</p>
+1.3.25 version of the Apache HTTP Server</a>.</p>
+<p>This version of Apache is principally a security and bug fix
+release. Of particular note is that 1.3.25 addresses and fixes the issues
+noted in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392">
+CAN-2002-0392 (mitre.org)</a>
+[<a href="http://www.cert.org/advisories/CA-2002-17.html">CERT VU#944335</a>]
+regarding a vulnerability in the handling of chunked transfer encoding as
+described above.</p>
<p align="center">
<a href="http://www.apache.org/dist/httpd/">Download Apache 1.3</a> |
<a href="docs/windows.html">Apache for Win32</a> |
<a href="docs/new_features_1_3.html">New Features in Apache 1.3</a> |
-<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.24</a>
+<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.25</a>
</p>
</blockquote>
</td></tr>
1.7 +275 -167 httpd-site/xdocs/Announcement
Index: Announcement
===================================================================
RCS file: /home/cvs/httpd-site/xdocs/Announcement,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -u -r1.6 -r1.7
--- Announcement 6 May 2002 21:35:39 -0000 1.6
+++ Announcement 18 Jun 2002 04:52:59 -0000 1.7
@@ -1,11 +1,19 @@
-Apache 2.0.36 Released
+Apache 2.0.39 Released
---------------------------------------------
-The Apache HTTP Server Project is proud to announce the second public
+The Apache HTTP Server Project is proud to announce the third public
release of Apache 2.0. Apache 2.0 has been running on the Apache.org
website since December of 2000 and has proven to be very reliable.
+This version of Apache is principally a security and bug fix
+release. A summary of the bug fixes is given at the end of this document.
+Of particular note is that 2.0.39 addresses and fixes the issues noted
+in CAN-2002-0392 (mitre.org) [CERT VU#944335] regarding a vulnerability
+in the handling of chunked transfer encoding. We would like to thank
+Mark Litchfield of ngssoftware.com for discovering and reporting the
+vulnerability.
+
Apache 2.0 offers numerous enhancements, improvements and performance
boosts over the 1.3 codebase. The most visible and noteworthy addition
is the ability to run Apache in a hybrid thread/process mode on any
@@ -36,216 +44,316 @@
For more information and to download the release tarballs, please
visit http://httpd.apache.org/
-
-Changes with Apache 2.0.36
- *) Close sockets on worker MPM when doing a graceless restart.
- [Aaron Bannert]
+Changes since 2.0.36
+---------------------------------------------
- *) Reverted a minor optimization in mod_ssl.c that used the vhost ID
- as the session id context rather that a MD5 hash of that vhost ID,
- because it caused very long vhost id's to be unusable with mod_ssl.
- PR 8572. [Cliff Woolley]
+Changes with Apache 2.0.39
- *) Fix the link to the description of the CoredumpDirectory
- directive in the server-wide document. PR 8643. [Jeff Trawick]
+ *) Fixed a build problem in htpasswd.c on Win32.
+ [Guenter Knauf <ef...@gmx.net>, Cliff Woolley]
- *) Fixed SHMCB session caching. [Aaron Bannert, Cliff Woolley]
+Changes with Apache 2.0.38
- *) Synced with remaining changes from mod_ssl 2.8.8-1.3.24:
- - Avoid SIGBUS on sparc machines with SHMCB session caches
- - Allow whitespace between the pipe and the name of the
- program in SSLLog "| /path/to/program". [Cliff Woolley]
+ *) Rewrite htpasswd to use APR. The removes the annoying warning about
+ tmpnam being unsafe. [Ryan Bloom]
- *) Introduce mod_ext_filter and mod_deflate experimental modules
- to the Win32 build (zlib sources must be in srclib\zlib.)
- [William Rowe]
+ *) We must set the MIME-type for .shtml files to text/html if we want them
+ to be parsed for SSI tags. Add the config for that to the default
+ config file so that it is easier to enable .shtml parsing.
+ [Dave Dyer <dd...@real-me.net>]
- *) Changes to the worker MPM's queue management and thread
- synchronization code to reduce mutex contention [Brian Pane]
+ *) Fixed a problem with 'make install' on ReliantUnix.
+ [Jean-frederic Clere <jf...@fujitsu-siemens.com>]
- *) Don't install *.in configuration files since we already install
- *-std.conf files. [Aaron Bannert]
+ *) Make the default_handler catch all requests that aren't served by
+ another handler. This also gets us to return a 404 if a directory
+ is requested, there is no DirectoryIndex, and mod_autoindex isn't
+ loaded. [Justin Erenkrantz]
- *) Many improvements to the threadpool MPM. [Aaron Bannert]
+ *) Fixed the handling of nested if-statements in shtml files.
+ PR 9866 [Brian Pane]
- *) Fix subreqs that are promoted via fast_redirect from having invalid
- frec->r structures. This would cause subtle errors later on in
- request processing such as seen in PR 7966. [Justin Erenkrantz]
+ *) Allow 'make install DESTDIR=/path'. This allows packagers to install
+ into a directory different from the one that was configured. This
+ also mirrors the root= feature from 1.3. We cannot use prefix=,
+ because both APR and APR-util resolve their installation paths at
+ configuration time. This means that there is no variable prefix
+ to replace. [Andreas Hasenack <an...@netbank.com.br>]
- *) More efficient pool recycling logic for the worker MPM [Brian Pane]
+ *) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.
+ These levels of AIX don't have a thundering herd problem with
+ accept(). [Jeff Trawick]
- *) Modify the worker MPM to not accept() new connections until
- there is an available worker thread. This prevents queued
- connections from starving for processing time while long-running
- connections were hogging all the available threads. [Aaron Bannert]
+ *) prefork MPM: Ignore mutex errors during graceful restart. For
+ certain types of mutexes (particularly SysV semaphores), we
+ should expect to occasionally fail to obtain or release the
+ mutex during restart processing. [Jeff Trawick]
- *) Convert the worker MPM's fdqueue from a LIFO back into a FIFO.
- [Aaron Bannert]
+ *) Fix install-bindist.sh so that it finds any perl instead of just
+ early perl 5.x versions. This is consistent with a build/install
+ from source, and it allows the perl scripts installed by a bindist
+ to work on systems with perl 5.6. [Jeff Trawick]
- *) Get basic HTTP proxy working on EBCDIC machines. [Jeff Trawick]
+ *) Fix apxs so that the makefile created by "apxs -g" works on AIX and
+ Tru64 (and probably some other platforms). [Jeff Trawick]
- *) Allow mod_unique_id to work on systems with no IPv4 address
- corresponding to their host name. [Jeff Trawick]
+ *) Allow CGI scripts to return their Content-Length. This also fixes a
+ hang on HEAD requests seen on certain platforms (such as FreeBSD).
+ [Justin Erenkrantz]
- *) Fix suexec behavior with user directories. PR 7810.
- [Colm <co...@redbrick.dcu.ie>]
+ *) Added log rotation based on file size to the RotateLog support
+ utility. [Brad Nicholes]
- *) Reject a blank UserDir directive since it is ambiguous. PR 8472.
+ *) Fix some casting in mod_rewrite which broke random maps.
+ PR 9770 [Allan Edwards, Greg Ames, Jeff Trawick]
+
+Changes with Apache 2.0.37
+
+ *) allow POST method over SSL when per-directory client cert
+ authentication is used with 'SSLOptions +OptRenegotiate' enabled
+ and a client cert was found in the ssl session cache.
+
+ *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
+ session cache when there is no cert chain in the cache. prior to
+ the fix this situation would result in a FORBIDDEN response and
+ error message "Cannot find peer certificate chain"
+ [Doug MacEachern]
+
+ *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
+ one was already sent. PR 9644 [Jeff Trawick]
+
+ *) Fix the display of the default name for the mime types config
+ file. PR 9729 [Matthew Brecknell <mb...@orchestream.com>]
+
+ *) Fix the working directory *for WinNT/2K/XP services only* to
+ change to the Apache directory (one level above the location
+ of Apache.exe, in the case that Apache.exe resides in bin/.)
+ Solves the case of ServerRoot /foo paths where /foo was not
+ on the same drive as /winnt/system32. [William Rowe]
+
+ *) Make 2.0's "AcceptMutex" startup message now "completely"
+ match how 1.3 does it. [Jim Jagielski]
+
+ *) Implement a fixed size memory cache using a priority queue
+ [Ian Holsman]
+
+ *) Fix apxs to allow "apxs -q installbuilddir" and to allow
+ querying certain other variables from config_vars.mk. PR 9316
+ [Jeff Trawick]
+
+ *) Added the "detached" attribute to the cgi_exec_info_t internals
+ so that Win32 and Netware won't create a new window or console
+ for each CGI invoked. PR 8387
+ [Brad Nicholes, William Rowe]
+
+ *) Consolidated the command line parameters and attributes that are
+ manipulated by the optional function ap_cgi_build_command() in
+ mod_cgi into a single structure.
+ [Brad Nicholes]
+
+ *) Get rid of uninitialized value errors with "apxs -q" on certain
+ variables. [Stas Bekman <st...@stason.org>]
+
+ *) Fix apxs to allow it to work when the build directory is somewhere
+ besides server-root/build. PR 8453
+ [Jeff Trawick and a host of others]
+
+ *) Allow ap_discard_request_body to be called multiple times in the
+ same request. Essentially, ap_http_filter keeps track of whether
+ it has sent an EOS bucket up the stack, if so, it will only ever
+ send an EOS bucket for this request.
+ [Ryan Bloom, Justin Erenkrantz, Greg Stein]
+
+ *) Remove all special mod_ssl URIs. This also fixes the bug where
+ redirecting (.*) will allow an SSL protected page to be viewed
+ without SSL. [Ryan Bloom]
+
+ *) Fix the binary build install script so that the build logic
+ created by "apxs -g" will work when the user has a binary
+ build. [Jeff Trawick]
+
+ *) Allow instdso.sh to work with full paths to the shared module.
[Justin Erenkrantz]
- *) Make mod_mime use case-insensitive matching when examining
- extensions on all platforms. PR 8223. [Justin Erenkrantz]
+ *) NetWare: Enabled CGI functionality and added mod_cgi as a built
+ in module for NetWare [Brad Nicholes]
- *) Add an intelligent error message should no proxy submodules be
- valid to handle a request. PR 8407 [Graham Leggett]
+ *) Changed cgi and piped log behavior to accept 65536 characters
+ on Win32 (matching Linux) before deadlocking between outputing
+ client stdin, slurping the output from stdout and then the stderr
+ stream. PR 8179 [William Rowe]
- *) Major improvements in concurrent processing for AB by enabling
- non-blocking connect()s and preventing APR from doing blocking
- read()s. Also implement fatal error checking for apr_recv().
- [Aaron Bannert]
+ *) Fixed Win32 wintty.exe support to assure the window title is valid.
+ Elimiates possible gpfault or garbage title without the -t option.
+ [William Rowe]
- *) Fix Win32 NTFS Junctions (symlinks). PR 8014 [William Rowe]
+ *) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use
+ brigades and input filters. [Justin Erenkrantz]
- *) Fix Win32 'short name' aliases in httpd.conf directives.
- PR 8009 [William Rowe]
+ *) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request
+ body. [Justin Erenkrantz]
+
+ *) NetWare: Piping log entries through RotateLogs using the
+ CustomLogs directive is finally supported now that we have
+ the pipes and spawning functionality working.
+ [Brad Nicholes]
- *) Fix generation of default httpd.conf when the layout paths are
- disjoint. PR 7979, 8227. [Justin Erenkrantz]
+ *) Detect overflow when reading the hex bytes forming a chunk line.
+ [Aaron Bannert]
- *) Swap downgrade-1.0 and force-response-1.0 conditional checks so
- that downgraded responses can have force-response. PR 8357.
+ *) Allow RewriteMap prg:'s to take command-line arguments. PR 8464.
+ [James Tait <JT...@wyrddreams.demon.co.uk>]
+
+ *) Correctly return 413 when an invalid chunk size is given on
+ input. Also modify ap_discard_request_body to not do anything
+ on sub-requests or when the connection will be dropped.
[Justin Erenkrantz]
- *) Fix perchild MPM so that it can be configured with the move to the
- experimental directory. [Scott Lamb <sl...@slamb.org>]
+ *) Fix the TIME_* SSL var lookups to be threadsafe. PR 9469.
+ [Cliff Woolley]
- *) Fix perchild MPM so that it uses ap_gname2id for groups instead of
- ap_uname2id. [Scott Lamb <sl...@slamb.org>]
+ *) Ensure that apr_brigade_write() flushes in all of the cases that
+ it should to avoid conditions in some modules that could cause
+ large amounts of data to be buffered. [Cliff Woolley]
- *) Fix AcceptPathInfo. PR 8234 [Cliff Woolley]
+ *) Fix problem where mod_cache/mod_disk_cache was incorrectly
+ stripping the content_type from cached responses.
+ [Bill Stoddard]
- *) [Security] Added the APLOG_TOCLIENT flag to ap_log_rerror() to
- explicitly tell the server that warning messages should be sent
- to the client in addition to being recorded in the error log.
- Prior to this change, ap_log_rerror() always sent warning
- messages to the client. In one case, a faulty CGI script caused
- the server to send a warning message to the client that contained
- the full path to the CGI script. This could be considered a
- minor security exposure. [Bill Stoddard]
+ *) apachectl passes through any httpd options. Note: apachectl
+ should be used in preference to httpd since it ensures that any
+ appropriate environment variables have been set up.
+ [Jeff Trawick]
- *) mod_autoindex output when SuppressRules was specified would
- omit the first carriage return so the first item in the list
- would appear to the right of the column headings instead of
- underneath them. PR 8016 [David Shane Holden <dp...@yahoo.com>]
+ *) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.
+ PR 7810 [Colm MacCarthaigh <co...@redbrick.dcu.ie>]
- *) Moved the call to apr_mmap_dup outside the error branch so
- that it would actually get called. This fixes a core dump
- at init everytime you use the MMapFile directive. PR 8314
- [Paul J. Reder]
+ *) Fix suexec execution of CGI scripts from mod_include.
+ PR 7791, 8291 [Colm MacCarthaigh <co...@redbrick.dcu.ie>]
- *) Trigger an error when a LoadModule directive attempts to
- load a module which is built-in. This is a common error when
- switching from a DSO build to a static build. [Jeff Trawick]
+ *) Fix segfaults at startup on some platforms when mod_auth_digest,
+ mod_suexec, or mod_ssl were used as DSO's due to the way they
+ were tracking the current init phase since DSO's get completely
+ unloaded and reloaded between phases. PR 9413.
+ [Tsuyoshi Sasamoto <na...@super.win.ne.jp>, Brad Nicholes]
- *) Change instdso.sh to use libtool --install everywhere and then
- clean up some stray files and symlinks that libtool leaves around
- on some platforms. This gets subversion building properly since
- it needed a re-link to be performed by libtool at install time,
- and the old instdso.sh logic to simply cp the DSO didn't handle
- that requirement. [Sander Striker]
+ *) Fix mod_include's handling of regular expressions in
+ "<!--#if" directives [Julius Gawlas <ju...@hp.com>]
- *) Allow VPATH builds to succeed when configured from an empty
- directory. [Thom May <th...@planetarytramp.net>]
+ *) Fix the worker MPM deadlock problem [Brian Pane]
- *) Fix 'control reaches end of non-void function' warning in
- server/log.c. [Ben Collins-Sussman <su...@collab.net>]
+ *) Modify the module documentation to allow for translations.
+ [Yoshiki Hayashi, Joshua Slive]
- *) Perchild MPM is now correctly deemed as experimental and is now
- located in server/mpm/experimental. [Justin Erenkrantz]
+ *) Fix a file permissions problem which prevented mod_disk_cache
+ from working on Unix. [Jeff Trawick]
- *) Fix segfault in mod_mem_cache when garbage collecting an expired
- cache entry. [Bill Stoddard]
+ *) Add "-k start|restart|graceful|stop" support to httpd for the Unix
+ MPMs. These have semantics very similar to the old apachectl
+ commands of the same name. [Justin Erenkrantz, Jeff Trawick]
- *) Introduced -E startup_logfile_name option to httpd to allow admins
- to begin logging errors immediately. This provides Win32 users
- an alternative to sending startup errors to the event viewer, and
- allows other daemon tool authors an alternative to logging to stderr.
- [William Rowe]
-
- *) Fix subreqs with non-defined Content-Types being served improperly.
- [Justin Erenkrantz]
+ *) Make sure that the runtime dir is created by make install.
+ PR 9233. [Jeff Trawick]
- *) Merge in latest GNU config.guess and config.sub files. PR 7818.
- [Justin Erenkrantz]
+ *) Fix an unusual set of ./configure arguments that could cause
+ mod_http to be built as a DSO, which it currently doesn't
+ support. PR 9244.
+ [Cliff Woolley, Robin Johnson <ro...@orbis-terrarum.net>]
- *) Move 100 - Continue support to the HTTP_IN filter so that filters
- are guaranteed to support 100 - Continue logic without any
- intervention. [Justin Erenkrantz]
+ *) Win32: Fix bug in apr_sendfile() that caused incorrect operation
+ of the %X, %b and %B logformat options. PR 8253, 8996.
+ [Bill Stoddard]
- *) Add HTTP chunked input trailer support. [Justin Erenkrantz]
+ *) If content-encoding is already present, do not run deflate (PR 9222)
+ [Kazuhisa ASADA <ka...@asada.sytes.net>]
- *) Rename and export get_mime_headers as ap_get_mime_headers.
- [Justin Erenkrantz]
+ *) The APLOG_NOERRNO flag to ap_log_[r]error() is now deprecated.
+ It is currently ignored and it will be removed in a future release
+ of Apache. [Jeff Trawick]
- *) Allow empty Host: header arguments. PR 7441. [Justin Erenkrantz]
+ *) Removed documentation references to the no-longer-supported
+ "make certificate" feature of mod_ssl for Apache 1.3.x. Test
+ certificates, if truly desired, can be generated using openssl
+ commands. PR 8724. [Cliff Woolley]
- *) Properly substitute sbindir as httpd's location in apachectl. PR 7840.
- [Andreas Hasenack <an...@netbank.com.br>]
+ *) Remove SSLLog and SSLLogLevel directives in favor of having
+ mod_ssl use the standard ErrorLog directives. [Justin Erenkrantz]
- *) Allow Win32 shebang scripts to follow the path (or omit the .exe
- suffix from the shebang command), and allow ScriptInterpreterSource
- Registry or RegistryStrict to override shebang lines, as 1.3 did.
- PR 8004 [William Rowe]
+ *) OS/390: LIBPATH no longer has to be manually uncommented in
+ envvars to get apachectl to set up httpd properly. [Jeff Trawick]
- *) worker MPM: Fix a situation where a child exited without releasing
- the accept mutex. Depending on the OS and mutex mechanism this
- could result in a hang. [Jeff Trawick]
+ *) mod_isapi: All mod_isapi directives, excluding ISAPICacheFile,
+ may now be specified to the <File/Directory > container, rather
+ than by vhost. [William Rowe]
- *) Update the instructions for how to get started with mod_example.
- [Stas Bekman]
+ *) mod_isapi: Experimental support for faux async support for ISAPI
+ modules. [William Rowe]
+
+ *) mod_isapi: Major refactoring of the code to rely on apr internals
+ rather than MS APIs (using our own mod_isapi.h headers for ISAPI
+ symbol definitions.) [William Rowe]
+
+ *) mod_isapi: Fixed the return string length from GetServerVariable
+ callback, it was not including the trailing null in the consumed
+ buffer size. This was particularly bad for Delphi 6.0 users.
+ PR 8934 [Sebastian Hantsch <se...@gmx.de>]
+
+ *) Fixed Win32 builds for Microsoft VisualStudio 7.0 (.net).
+ [William Rowe]
+
+ *) Make apxs look in the correct directory for envvars. It was
+ broken when sbindir != bindir. PR 8869
+ [Andreas Sundstr�m <su...@zappa.cx>]
- *) Fix PidFile to default to rel_runtimedir instead of
- rel_logfiledir. PR 7841. [Andreas Hasenack <an...@netbank.com.br>]
+ *) Fix mod_deflate corruption when using multiple buckets. PR 9014.
+ [Asada Kazuhisa <ka...@asada.sytes.net>]
- *) Win32: Fix problem that caused rapid performance degradation
- when number of connecting clients exceeded ThreadsPerChild.
- [Bill Stoddard]
+ *) Performance enhancements for access logger when using
+ default timestamp formatting [Brian Pane]
- *) Fixed a segfault parsing large SSIs on non-mmap systems.
- [Brian Havard]
+ *) Added EnableMMAP config directive to enable the server
+ administrator to disable memory-mapping of delivered files
+ on a per-directory basis. [Brian Pane]
- *) Proxy was bombing out every second keepalive request, caused by a
- stray CRLF before the second response's status line. Proxy now
- tries to read one more line if it encounters a CRLF where it
- expected a status. PR 10010 [Graham Leggett]
+ *) Performance enhancements for mod_setenvif [Brian Pane]
- *) Deprecated the apr_lock.h API. Please see the following files
- for the improved thread and process locking and signaling:
- apr_proc_mutex.h, apr_thread_mutex.h, apr_thread_rwlock.h,
- apr_thread_cond.h, and apr_global_mutex.h. [Aaron Bannert]
+ *) Fix a mod_ssl build problem on OS/390. [Jeff Trawick]
- *) Change mod_status to use scoreboard accessor functions so it can
- be used in any MPM without having to be recompiled.
- [Ryan Morgan <rm...@covalent.net>]
+ *) Fixed If-Modified-Since on Win32, which would give false positives
+ because of the sub-second resolution of file timestamps on that
+ platform. [Cliff Woolley]
- *) Fix parsing of some AP_DECLARE_DATA declarations so that the filter
- handle declarations are recognized. This fixes problems loading
- mod_autoindex on some platforms. [Brian Havard]
+ *) Reverse the hook ordering for mod_userdir and mod_alias so
+ that Alias/ScriptAlias will override Userdir. PR 8841
+ [Joshua Slive]
- *) add optional fixup hook to proxy [Daniel Lopez <da...@covalent.net>]
+ *) Move mod_deflate out of experimental and into filters.
+ [Justin Erenkrantz]
- *) Remind the admin about the User and Group directives when we are
- unable to set permissions on a semaphore. PR 7812 [Jeff Trawick]
+ *) Get proxy CONNECT basically working. [Jeff Trawick]
- *) fix possible compilation problem in ssl_engine_kernel.c. PR 7802
- [Doug MacEachern]
+ *) Fix mod_rewrite hang when APR uses SysV Semaphores and
+ RewriteLogLevel is set to anything other than 0. PR: 8143
+ [Aaron Bannert, Cliff Woolley]
- *) fix possible infinite loop in mod_ssl triggered by certain
- netscape clients [Doug MacEachern]
+ *) Fix byterange requests from returning 416 when using dynamic data
+ (such as filters like mod_include). [Justin Erenkrantz]
- *) fix ProxyPass when frontend is https and backend is http
- [Doug MacEachern]
+ *) Allow mod_rewrite's set of "int:" internal RewriteMap functions
+ to be extended by third-party modules via an optional function.
+ [Tahiry Ramanamampanoharana <no...@hotmail.com>, Cliff Woolley]
+
+ *) Fix mod_include expression parser's handling of unquoted strings
+ followed immediately by a closing paren. PR 8462. [Brian Pane]
+
+ *) Remove autom4te.cache in 'make distclean'.
+ [Thom May <th...@planetarytramp.net>]
+
+ *) Fix generated httpd.conf to respect layout for LoadModule lines.
+ PR 8170. [Thom May <th...@planetarytramp.net>]
+
+ *) Win32: During a graceful restart, threads in the new process
+ were accessing scoreboard slots still in use by active threads in
+ the the old process. [Bill Stoddard]
- *) Add DASL support to mod_dav
- [Sung Kim <hu...@cse.ucsc.edu>]
1.17 +29 -19 httpd-site/xdocs/index.xml
Index: index.xml
===================================================================
RCS file: /home/cvs/httpd-site/xdocs/index.xml,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -d -u -r1.16 -r1.17
--- index.xml 17 Jun 2002 18:27:12 -0000 1.16
+++ index.xml 18 Jun 2002 04:52:59 -0000 1.17
@@ -9,9 +9,9 @@
<title>The Number One HTTP Server On The Internet</title>
<p>Apache has been the most popular web server on the Internet since
-April of 1996. The March 2002 <a
+April of 1996. The May 2002 <a
href="http://www.netcraft.com/survey/">Netcraft Web Server Survey</a>
-found that 54% of the web sites on the Internet are using Apache, thus
+found that 56% of the web sites on the Internet are using Apache, thus
making it more widely used than all other web servers combined.</p>
<p>The Apache HTTP Server Project is an effort to develop and maintain
@@ -37,29 +37,37 @@
<p>In most cases the outcome of the invalid request is that the child process
dealing with the request will terminate. At the least, this could help a
remote attacker launch a denial of service attack as the parent process
-will eventually have to replace the terminated child process and starting
+will eventually have to replace the terminated child process, and starting
new children uses non-trivial amounts of resources.</p>
<p>We were also notified today by ISS that they had published the same issue
which has forced the early release of this advisory. Please note that the
patch provided by ISS does not correct this vulnerability.</p>
-<p>The Apache Software Foundation are currently working on new releases that
-fix this issue; please stay tuned here at http://httpd.apache.org/ for
-updated versions as they become available.</p>
+<p>The Apache Software Foundation has released versions 1.3.25 and 2.0.39
+to address and fix this issue. These version are available for download;
+see below.</p>
<p align="center">
<a href="info/security_bulletin_20020617.txt">Full Advisory</a>
</p>
</section>
-<section id="2.0.36">
-<title>Apache 2.0.36 Released</title>
+<section id="2.0.39">
+<title>Apache 2.0.39 Released</title>
<p>The Apache HTTP Server Project is proud to announce the second public
release of Apache 2.0. Apache 2.0 has been running on the Apache.org
website since December of 2000 and has proven to be very reliable.</p>
+<p>This version of Apache is principally a security and bug fix
+release. Of particular note is that 2.0.39 addresses and fixes the issues
+noted in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392">
+CAN-2002-0392 (mitre.org)</a>
+[<a href="http://www.cert.org/advisories/CA-2002-17.html">CERT VU#944335</a>]
+regarding a vulnerability in the handling of chunked transfer encoding as
+described above.</p>
+
<p>Apache 2.0 offers numerous enhancements, improvements and performance
boosts over the 1.3 codebase. The most visible and noteworthy addition
is the ability to run Apache in a hybrid thread/process mode on any
@@ -82,32 +90,34 @@
give it a spin on your platforms.</p>
<p align="center">
-<a href="http://www.apache.org/dist/httpd/">Download Apache 2.0.36</a> |
+<a href="http://www.apache.org/dist/httpd/">Download Apache 2.0.39</a> |
<a href="docs-2.0/new_features_2_0.html">New Features in Apache 2.0</a> |
-<a href="http://www.apache.org/dist/httpd/CHANGES_2.0">ChangeLog for 2.0.36</a>
+<a href="http://www.apache.org/dist/httpd/CHANGES_2.0">ChangeLog for 2.0.39</a>
</p>
</section>
-<section id="1.3.24">
-<title>Apache 1.3.24 Released</title>
+<section id="1.3.25">
+<title>Apache 1.3.25 Released</title>
<p>The Apache Group is pleased to announce the <a
href="http://www.apache.org/dist/httpd/Announcement.html">release of the
-1.3.24 version of the Apache HTTP server</a>.</p>
+1.3.25 version of the Apache HTTP Server</a>.</p>
-<p>Apache 1.3.24 is principally a security and bug fix release.
-Of particular note is that 1.3.24 addresses and fixes the issues noted in
-<A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0061">
-CAN-2002-0061 (mitre.org)</A> regarding escaping of command line args on Win32.
-</p>
+<p>This version of Apache is principally a security and bug fix
+release. Of particular note is that 1.3.25 addresses and fixes the issues
+noted in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392">
+CAN-2002-0392 (mitre.org)</a>
+[<a href="http://www.cert.org/advisories/CA-2002-17.html">CERT VU#944335</a>]
+regarding a vulnerability in the handling of chunked transfer encoding as
+described above.</p>
<p align="center">
<a href="http://www.apache.org/dist/httpd/">Download Apache 1.3</a> |
<a href="docs/windows.html">Apache for Win32</a> |
<a href="docs/new_features_1_3.html">New Features in Apache 1.3</a> |
-<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.24</a>
+<a href="http://www.apache.org/dist/httpd/CHANGES_1.3">ChangeLog for 1.3.25</a>
</p>
</section>