Posted to cvs@httpd.apache.org by fi...@apache.org on 2001/11/14 00:48:33 UTC

cvs commit: httpd-dist/binaries/win32 HEADER.html

fielding    01/11/13 15:48:33

  Modified:    .        Announcement.html Announcement.txt HEADER.html
                        README.html
               binaries/win32 HEADER.html
  Log:
  New module httpd-dist is for project-specific information under
  
     www.apache.org/dist/httpd/
  
  The changes in this commit were made by others on the live site.
  
  Revision  Changes    Path
  1.5       +264 -131  httpd-dist/Announcement.html
  
  Index: Announcement.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/Announcement.html,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- Announcement.html	2001/05/22 02:10:52	1.4
  +++ Announcement.html	2001/11/13 23:48:33	1.5
  @@ -1,158 +1,291 @@
  -<HTML>
  -<HEAD><TITLE>Apache 1.3.20 Released</TITLE></HEAD>
  -<BODY BGCOLOR=white>
   
  -                <h1 align=center>Apache 1.3.20 Released</h1>
  -
  +<h1>Apache 1.3.22 Released</h1>
  +                                       
   <p>The Apache Software Foundation and The Apache Server Project are
  -   pleased to announce the release of version 1.3.20 of the Apache HTTP
  -   server.</p>
  -   
  -<p>This version of Apache is principally a security fix release which
  -   closes a problem under the Windows and OS/2 ports that would segfault
  -   the server in response to a carefully constructed URL.  It also fixes
  -   some potential configuration quirks present in the 1.3.19 release.  
  -   A summary of the new features is given at the end of this document.</p>
  -   
  -<p>We consider Apache 1.3.20 to be the best version of Apache available
  +   pleased to announce the release of version 1.3.22 of the Apache HTTP
  +   server. Apache version 1.3.21 was never released; this Announcement
  +   details the cumulative changes in 1.3.21 and 1.3.22.</p>
  +
  +<p>   
  +   This version of Apache is principally a security fix release which
  +   closes some problems where a directory listing could be obtained
  +   instead of the default index page.
  +   A summary of the bug fixes and major new features is given at the 
  +   end of this document.
  +  </p> 
  +
  +<p>   We consider Apache 1.3.22 to be the best version of Apache available
      and we strongly recommend that users of older versions, especially of
      the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
  -   releases will be made in the 1.2.x family.</p>
  -   
  -<p>Apache 1.3.20 is available for download from
  -
  -<blockquote>
  -     <a href="http://httpd.apache.org/dist/httpd/"
  -     >http://httpd.apache.org/dist/httpd/</a>
  -</blockquote>
  -   Please see the <a href="http://httpd.apache.org/dist/httpd/CHANGES_1.3"
  -   >CHANGES_1.3</a> file in the same directory for a full list
  -   of changes.</p>
  -
  -<p>Binary distributions are available from
  -<blockquote>
  -     <a href="http://httpd.apache.org/dist/httpd/binaries/"
  -     >http://httpd.apache.org/dist/httpd/binaries/</a>
  -</blockquote>
  +   releases will be made in the 1.2.x family.
  +</p>
  +<p>   
  +   Apache 1.3.22 is available for download from
  +<pre>   
  +       http://httpd.apache.org/dist/httpd/
  +</pre>
  +<p>     
  +   Please see the CHANGES_1.3 file in the same directory for a full list
  +   of changes.
  +   </p>
  +<p>   Binary distributions are available from
  +<pre>
  +
  +       http://httpd.apache.org/dist/httpd/binaries/
  +</pre>
  +</p>
  +
  +<p>     
      The source and binary distributions are also available via any of the
      mirrors listed at
  -<blockquote>
  -     <a href="http://www.apache.org/mirrors/">http://www.apache.org/mirrors/</a>
  -</blockquote></p>
  -
  -<p>Apache 1.3.20 for Win32 and OS/2 corrects a serious denial of service 
  -   vulnerability, and users are strongly discouraged from using any 
  -   previous versions on those platforms.</p>
  -   
  -<p>As of Apache 1.3.17, Win32 binary distributions are now based on the
  -   Microsoft Installer (.MSI) technology.  This change occured in order
  +<pre>
  +
  +       http://www.apache.org/mirrors/
  +</pre>
  +</p>   
  +
  +<p>     
  +   As of Apache 1.3.17, Win32 binary distributions are now based on the
  +   Microsoft Installer (.MSI) technology.  This change occurred in order
      to resolve the many problems WinME and Win2K users experienced with
  -   the older InstallShield-based installer .exe file.  While development
  +   the older InstallShield-based installer.exe file.  While development
      continues to make this new installation method more robust, questions
      should be directed at the news:comp.infosystems.www.servers.ms-windows
  -   newsgroup.</p>
  -
  -<p>As of Apache 1.3.12 binary distributions contain all standard Apache
  +   newsgroup.  
  +</p>
  +<p>
  +   As of Apache 1.3.12 binary distributions contain all standard Apache
      modules as shared objects (if supported by the platform) and include
      full source code. Installation is easily done by executing the
      included install script. See the README.bindist and INSTALL.bindist
      files for a complete explanation. Please note that the binary
      distributions are only provided for your convenience and current
  -   distributions for specific platforms are not always available.</p>
  -   
  -<p>For an overview of new features introduced after 1.2 please see
  -<blockquote>
  -     <a href="http://httpd.apache.org/docs/new_features_1_3.html"
  -       >http://httpd.apache.org/docs/new_features_1_3.html</a>
  -</blockquote></p>
  -
  +   distributions for specific platforms are not always available.
  +</p>
  +<p>   
  +   For an overview of new features introduced after 1.2 please see
  +</p>
  +<pre>   
  +   http://httpd.apache.org/docs/new_features_1_3.html
  +</pre>
  +<p>     
      In general, Apache 1.3 offers several substantial improvements over
      version 1.2, including better performance, reliability and a wider
      range of supported platforms, including Windows 95/98 and NT (which
  -   fall under the "Win32" label), OS/2, Netware, and TPE threaded platforms.
  -   
  +   fall under the "Win32" label), OS2, Netware, and TPE threaded platforms.
  +</p>
  +<p>   
      Apache is the most popular web server in the known universe; over half
      of the servers on the Internet are running Apache or one of its
      variants.
  -   
  -<p><strong>IMPORTANT NOTE FOR WIN32 USERS:</strong> Over the years, many 
  -   users have come to trust Apache as a secure and stable server. It must 
  -   be realized that the current Win32 code has not yet reached the levels 
  -   of the Unix version, but is of acceptable quality.  Win32 stability or 
  -   security problems do not reflect on the Unix version.</p>
  -
  -               <h1 align=center>Apache 1.3.20 Major changes</h1>
  +</p>
  +<p>   
  +   IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have come
  +   to trust Apache as a secure and stable server. It must be realized
  +   that the current Win32 code has not yet reached the levels of the Unix
  +   version, but is of acceptable quality.  Win32 stability or security 
  +   problems do not reflect on the Unix version.
  +</p>
  +<h1>Apache 1.3.20 - 1.3.22 Major changes</h1>
  +<h3>Security vulnerabilities</h3>
  +
  +    <ul>
  +
  +
  +     <li>A vulnerability was found in the Win32 port of
  +     Apache 1.3.20.  A client submitting a very long URI
  +     could cause a directory listing to be returned rather than
  +     the default index page.  A <samp>403 Forbidden</samp> will now
  +     be returned  CAN-2001-0729</li>
  +
  +     <li>A vulnerability was found in the <samp>split-logfile</samp> support
  +     program.  A request with a specially crafted <samp>Host:</samp>
  +     header could allow any file with a <samp>.log</samp> extension on 
  +     the system to be written to. <a href="http://bugs.apache.org/index/full/7848">PR#7848</a> CAN-2001-0730</li>
  +
  +     <li>A vulnerability was found when <samp>Multiviews</samp> 
  +     are used to negotiate the directory index.  In some
  +     configurations, requesting a URI with a <samp>QUERY_STRING</samp> of 
  +     <samp>M=D</samp> could
  +     return a directory listing rather than the expected index page.
  + CAN-2001-0731
  +</li>
  +
  +    </ul>
  +<p>
  +     The security issues above have been assigned standardized names, CAN- 
  +     by the Common Vulnerabilities and Exposures project (cve.mitre.org)
  +</p>
  +
  +<h3>New features</h3>
  +    <p>
  +      The main new features in 1.3.22 (compared to 1.3.20) are:
  +    </p>
  +    <ul>
  +
  +<li>The user manual has been updated.  As well as a number of small
  +fixes these updates include new translations into French and Japanese, 
  +a guide to using Apache httpd on Cygwin, a lexicon of Apache error messages, 
  +updated TPF documentation, and a comprehensive guide to using 
  +log files</li>
  +
  +<li>The user manual can now be moved out of the <samp>htdocs</samp> 
  +DocumentRoot
  +during installation by invoking configure with the <samp>--manualdir=</samp>
  +switch, to allow separation of on-line docs from regular contents.
  +</li>
  +
  +<li>The supplied icons are now also distributed in PNG format</li>
  +
  +<li>A significant overhaul to the the Apache Bench program,
  +<i>ab</i> has taken place, as first reported <a href="http://www.apacheweek.com/issues/01-04-20#dev">in April</a>.
  +The new Apache Bench includes fixes, additional statistics,
  +csv and gnuplot output, and SSL support</li>
  +
  +<li>New directives have been added to the <samp>mod_usertrack</samp> module, 
  +The first, <samp>CookieDomain</samp>, can be used to customise the 
  +Domain attribute.  The patch to add the <samp>CookieDomain</samp> 
  +directive was first submitted <a href="http://www.apacheweek.com/issues/99-07-30#137">over 
  +two years ago</a>.  Historically <samp>mod_usertrack</samp> has used the
  +obsolete Netscape cookie syntax.  The new <samp>CookieStyle</samp>
  +directive allows use of the RFC2109 or RFC2965 syntax instead.  
  +<a href="http://bugs.apache.org/index/full/5023">PR#5023</a>, <a href="http://bugs.apache.org/index/full/5920">PR#5920</a>, <a href="http://bugs.apache.org/index/full/6140">PR#6140</a>.</li>
  +
  +<li>The server will now display a warning if line-end comments (<samp>#</samp>)
  +are found in the configuration file.  Not all directives are able to 
  +handle comments on the same line</li>
  +
  +<li>A new directive, <samp>AcceptMutex</samp>, 
  +allows run-time configuration of the <a href="http://httpd.apache.org/docs/misc/perf-tuning.html#compiletime">mutex
  +type</a> used for accept serialization, currently a compile-time only
  +setting in 1.3.  Since different types of mutex have different
  +performance characteristics on different platforms, this directive
  +will allow administrators to tune their Apache server more easily.  The
  +current list of possible methods is:
  +uslock, pthread, sysvsem, fcntl, flock, os2sem, tpfcore, none.
  +Not all platforms support all methods</li>
  +
  +<li>
  +<samp>mod_auth</samp> has been enhanced to allow access to a document
  +to be controlled based on the owner of the file being served.  
  +<samp>Require file-owner</samp> will only allow files to be served where 
  +the authenticated username matches the user that owns the document.  
  +<samp>Require file-group</samp> works in a similar way checking that
  +the group matches</li>
  +
  +    </ul>
  +
  +    <p>
  +      New features that relate to specific platforms:
  +    </p>
  +    <ul>
  +
  +<li>A new directive, <samp>AcceptFilter</samp>, has been added to control 
  +BSD accept filters at run-time.  This should make it easier to move server
  +binaries across different BSD machines without requiring recompilation.  
  +Support for accept filters was first added to version 1.3.14, the
  +functionality can postpone the requirement for a child process to
  +handle a new connection until an HTTP request has arrived,
  +therefore increasing the number of connections that a given
  +number of child processes can handle</li>
  +
  +<li>On Win32 <samp>mod_unique_id</samp>,
  +<samp>mod_mime_magic</samp>, and the
  +<samp>mod_vhost_alias</samp> modules are now enabled</li>
  +
  +<li>On Win32 the code to allow the server to run under Cygwin has had a
  +number of fixes and updates.  Cygwin support was first added to version 
  +1.3.20</li>
  +
  +<li>On Windows NT or 2000, the service display names can now be modified
  +by the user (use the service control panel applet)</li>
  +
  +<li>On Win32 add a new option <samp>-W</samp> that can set up a service
  +dependancy</li>
  +
  +<li>The server will now take advantage of recent improvements to
  +the TPF operating system which include an enhanced system fork and exec, 
  +updates to allow non-blocking file descriptors, 
  +and an update to shutdown processing</li>
   
  -<p>The primary security fix is:
  -<ul>
  -   <li>A carefully constructed URI could cause the server to segfault on
  -       Win32 and OS/2, denying access to users until the error was cleared.
  -       This is resolved on both platforms, no server data vulnerability
  -       was identified for this denial of service exploit.
   </ul>
  -                                            
  -<p>The general bug fixes:
  -<ul>
  -   <li>Eliminate a potential segfault if an invalid floating point value
  -       is passed to the ap_snprintf() function, on platforms supporting
  -       isnan() and isinf().
  -   <li>Fix a possible segfault at startup in the detection of a default
  -       ServerName or IP string when no ServerName was specified.
  -   <li>Fixed mod_proxy to retain empty headers, as allowed by RFC2068.
  -   <li>Properly resolve the location of ndbm on Linux and some glibc2
  -       builds, where ndbm.h is in the nonstandard db1/ subdir.
  +</span><p>
  +<h3>Bugs fixed</h3>
  +<span class="body">
  +    <p>
  +      The following bugs were found in Apache 1.3.20 and have been
  +      fixed in Apache 1.3.22:
  +    </p>
  +    <ul>
  +
  +<li>Under certain circumstances
  +a child may crash due to a bug in <samp>mod_include</samp>.
  +If a server uses an <samp>ErrorDocument</samp> for 404 (request not found)
  +errors which points to a server-parsed HTML 
  +file which uses a <samp>&lt;!--#include virtual=&quot;file&quot; --&gt;</samp>
  +section, then a request containing %2f will result in a segfault.  The
  +segfault is harmless and does not cause a security problem, but is being
  +triggered by the recent IIS worm</li>
  +
  +<li>The Multiviews functionality has been fixed 
  +to prevent <samp>mod_negotiation</samp>
  +from serving any multiview variant that contains unknown
  +filename extensions. <a href="http://bugs.apache.org/index/full/8130">PR#8130</a> </li>
  +
  +<li>Apache will prefer installed version of the Expat library over the bundled
  +version.  This fixes conflicts when multiple copies of the Expat library
  +get loaded (notably when using mod_perl and XML::Parsers::Expat)</li>
  +
  +<li>
  +<samp>UnsetEnv</samp> now works from the main body of a
  +configuration file. <a href="http://bugs.apache.org/index/full/8254">PR#8254</a> </li>
  +
  +<li>When used as a reverse proxy any headers set by other
  +modules (such as <samp>mod_usertrack</samp> or <samp>mod_securid</samp>)
  +now get passed on to the back-end server.  <a href="http://bugs.apache.org/index/full/6055">PR#6055</a> 
  +</li>
  +
  +<li>Server response headers can now be logged via the proxy. <a href="http://bugs.apache.org/index/full/7461">PR#7461</a> </li>
  +
  +<li>
  +<samp>mod_proxy</samp> will now pay attention to HTTP headers that specify
  +the request is not to be cached. <a href="http://bugs.apache.org/index/full/5668">PR#5668</a> </li>
  +
  +<li>When a client making a request via <samp>mod_proxy</samp> died 
  +unexpectedly, <samp>mod_proxy</samp> did not close its connection. <a href="http://bugs.apache.org/index/full/8090">PR#8090</a> </li>
  +
  +<li>The <samp>CacheForceCompletion</samp> directive has been fixed
  +<a href="http://bugs.apache.org/index/full/7383">PR#7383</a> , <a href="http://bugs.apache.org/index/full/8067">PR#8067</a> , <a href="http://bugs.apache.org/index/full/6585">PR#6585</a> </li>
  +
  +<li>A memory leak has been fixed in the <samp>mod_mime_magic</samp> module</li>
  +
  +<li>A <samp>Satisfy All</samp> option has been added to the default container
  +designed to stop access to <samp>.htaccess</samp> files.  Without this 
  +directive, these files could still be fetched if they were within the 
  +scope of a <samp>Satisfy Any</samp> directive.</li>
   </ul>
  -
  -<p>Win32 bug fixes:
  +    <p>
  +      The following bugs relate to specific platforms:
  +    </p>
   <ul>
  -   <li>Win32 now properly handles the SSI exec cmd tag.  Due to argument
  -       parsing issues with spaces and slashes, cmd is interpreted as an 
  -       executable file, not a long command line string.
  -   <li>Resolved a threading problem with WinNT/2K services, allowing
  -       modules such as mod_jserv and mod_perl to shut down cleanly.
  -   <li>Resolved stdin and stdout pipes for the parent Win32 service 
  -       process, solving bugs such as "dup2(stdin) failed" when trying 
  -       to use piped logs.  
  -</ul>
  +<li>A number of fixes for NetWare have been added.  These include: enabling 
  +long file names in <samp>htpasswd</samp> and <samp>htdigest</samp>, 
  +protection against ill behaved modules, better
  +handling of abnormal shutdowns, dealing with the limited stack space
  +during server side includes, and recognising special filenames such 
  +as <samp>proxy:http://</samp> correctly</li>
  +
  +<li>A shutdown hang could occur on Solaris when using lots of piped 
  +<samp>TransferLogs</samp> and at least one piped <samp>ErrorLog</samp>
  +</li>
   
  -<p>Netware specific bug fixes:
  -<ul>
  -   <li>Netware initial screen allows the -s parameter to switch to the 
  -       system console screen, warning messages during startup are now 
  -       displayed.
  -   <li>Netware added '.' and '..' to the directory listing so mod_autoindex 
  -       will now display the parent directory.
  -   <li>NetWare now shuts down cleanly in error conditions, such as a failure
  -       while reading the httpd.conf file.
  -</ul>
  +<li>On EBCDIC platforms a bug in the proxy module stopped SSL proxying
  +working</li>
   
  -<p>The main new features include:
  -<ul>
  -   <li>Enhanced rotatelogs to allow a UTC offset to be specified, and
  -       the format logfile names with human-readable date/time stamps.
  -   <li>Added the NOESCAPE (NS) flag to RewriteRule, to disable *all* 
  -       normal URI escaping.  Note incautious use can give unexpected 
  -       results or introduce security risks.
  -   <li>Added the '\' character to RewriteRule to allow escaping of 
  -       special characters.  Allows embedding of both the '$' and '%' 
  -       characters in the results, so 'foo\$1' translates to 'foo$1' 
  -       rather than 'foo\<value of $1>'.
  -   <li>Added the -V flag to suexec, to display the compile-time settings
  -       with which it was built.  (Only valid for root or the HTTPD_USER 
  -       username.)          
  -   <li>Introduced EBCDIC conversion configuration options, controlling the 
  -       conversion based on MIME type or file suffix.
  -   <li>Support for the Cygwin 1.x platform (a POSIX emulation layer for 
  -       Win32 systems, see http://www.cygwin.com).  Note this is an entirely
  -       different implementation than the native calls in the win32 port.
  -   <li>Support for building modules with apxs under Win32.  cygwin builders 
  -       must use a cygwin build of perl to avoid MSVC handling.
  -</ul>
  +<li>On Win32, <samp>mod_unique_id</samp> did not guarantee a unique ID
  +due to threading</li>
   
  -<hr>
  -  <TABLE WIDTH="100%" CELLSPACING=0 CELLPADDING=0>
  -    <TR><TD VALIGN=top ALIGN=left>Thank you for using Apache!</TD>
  -    <TD VALIGN=top ALIGN=right><A HREF="http://httpd.apache.org"
  -                    ><IMG BORDER=0 SRC="apache_pb.gif" ALIGN=top></A></TD></TR>
  -   </TABLE>
  -</BODY></HTML>
  +<li>The Win32 Makefiles are now 100% compatible with the Microsoft Visual C++
  +compiler versions 5,6,7</li>
  +
  +</ul>
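Review bot: The markup around the "Bugs fixed" heading is unbalanced: "+</span><p>" closes a span that is never opened anywhere in this hunk, and "+<span class="body">" opens one that is never closed before the final "</ul>". Both look like leftovers from the page the text was copied from, so I would drop the two span tags and the empty "<p>". Two edits to carried-over text also change its meaning and are worth reverting: "installer .exe file" became "installer.exe file", and "OS/2" became "OS2". Smaller fixes in the added lines: the first security item has no full stop before CAN-2001-0729 (Announcement.txt has "will now be returned."), "the the Apache Bench" repeats a word, and "dependancy" should be "dependency".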
  
  
  
  1.4       +172 -99   httpd-dist/Announcement.txt
  
  Index: Announcement.txt
  ===================================================================
  RCS file: /home/cvs/httpd-dist/Announcement.txt,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- Announcement.txt	2001/05/21 23:22:49	1.3
  +++ Announcement.txt	2001/11/13 23:48:33	1.4
  @@ -1,131 +1,204 @@
   
  -                            Apache 1.3.20 Released
  -                                       
  +                            Apache 1.3.22 Released
  +
      The Apache Software Foundation and The Apache Server Project are
  -   pleased to announce the release of version 1.3.20 of the Apache HTTP
  -   server.
  -   
  +   pleased to announce the release of version 1.3.22 of the Apache HTTP
  +   server.  Apache version 1.3.21 was never released; this Announcement
  +   details the cumulative changes in 1.3.21 and 1.3.22.
  +
      This version of Apache is principally a security fix release which
  -   closes a problem under the Windows and OS2 ports that would segfault
  -   the server in response to a carefully constructed URL.  It also fixes
  -   some potential configuration quirks present in the 1.3.19 release.  
  -   A summary of the new features is given at the end of this document.
  -   
  -   We consider Apache 1.3.20 to be the best version of Apache available
  +   closes some problems where a directory listing could be obtained
  +   instead of the default index page. A summary of the bug fixes and major
  +   new features is given at the end of this document.
  +
  +   We consider Apache 1.3.22 to be the best version of Apache available
      and we strongly recommend that users of older versions, especially of
  -   the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
  +   the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
      releases will be made in the 1.2.x family.
  -   
  -   Apache 1.3.20 is available for download from
  +
  +   Apache 1.3.22 is available for download from
      
  -     http://httpd.apache.org/dist/httpd/
  -     
  +       http://httpd.apache.org/dist/httpd/
  +
      Please see the CHANGES_1.3 file in the same directory for a full list
      of changes.
  -   
  +
      Binary distributions are available from
  -   
  -     http://httpd.apache.org/dist/httpd/binaries/
  -     
  +
  +       http://httpd.apache.org/dist/httpd/binaries/
  +
      The source and binary distributions are also available via any of the
      mirrors listed at
  -   
  -     http://www.apache.org/mirrors/
  -     
  -   Apache 1.3.20 for Win32 and OS2 corrects a serious denial of service 
  -   vulnerability, and users are strongly discouraged from using any 
  -   previous versions on those platforms.
  -   
  +
  +       http://www.apache.org/mirrors/
  +
      As of Apache 1.3.17, Win32 binary distributions are now based on the
  -   Microsoft Installer (.MSI) technology.  This change occured in order
  -   to resolve the many problems WinME and Win2K users experienced with
  -   the older InstallShield-based installer .exe file.  While development
  +   Microsoft Installer (.MSI) technology. This change occurred in order to
  +   resolve the many problems WinME and Win2K users experienced with the
  +   older InstallShield-based installer.exe file.  While development
      continues to make this new installation method more robust, questions
      should be directed at the news:comp.infosystems.www.servers.ms-windows
  -   newsgroup.  
  +   newsgroup.
   
      As of Apache 1.3.12 binary distributions contain all standard Apache
      modules as shared objects (if supported by the platform) and include
  -   full source code. Installation is easily done by executing the
  -   included install script. See the README.bindist and INSTALL.bindist
  -   files for a complete explanation. Please note that the binary
  +   full source code.  Installation is easily done by executing the
  +   included install script.  See the README.bindist and INSTALL.bindist
  +   files for a complete explanation.  Please note that the binary
      distributions are only provided for your convenience and current
      distributions for specific platforms are not always available.
  -   
  +
      For an overview of new features introduced after 1.2 please see
      
  -     http://httpd.apache.org/docs/new_features_1_3.html
  -     
  +   http://httpd.apache.org/docs/new_features_1_3.html
  +
      In general, Apache 1.3 offers several substantial improvements over
      version 1.2, including better performance, reliability and a wider
  -   range of supported platforms, including Windows 95/98 and NT (which
  -   fall under the "Win32" label), OS2, Netware, and TPE threaded platforms.
  -   
  +   range of supported platforms, including Windows NT and 2000 (which
  +   fall under the "Win32" label), OS2, Netware, and TPE threaded
  +   platforms.
  +
      Apache is the most popular web server in the known universe; over half
      of the servers on the Internet are running Apache or one of its
      variants.
  -   
  +
      IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have come
      to trust Apache as a secure and stable server. It must be realized
      that the current Win32 code has not yet reached the levels of the Unix
  -   version, but is of acceptable quality.  Win32 stability or security 
  +   version, but is of acceptable quality. Win32 stability or security
      problems do not reflect on the Unix version.
  -   
  -                         Apache 1.3.20  Major changes
  +
  +                     Apache 1.3.20 - 1.3.22 Major changes
   
  -   The primary security fix is:
  -     * A carefully constructed URI could cause the server to segfault on
  -       Win32 and OS2, denying access to users until the error was cleared.
  -       This is resolved on both platforms, no server data vulnerability
  -       was identified for this denial of service exploit.
  -                                            
  -   The general bug fixes:
  -     * Eliminate a potential segfault if an invalid floating point value
  -       is passed to the ap_snprintf() function, on platforms supporting
  -       isnan() and isinf().
  -     * Fix a possible segfault at startup in the detection of a default
  -       ServerName or IP string when no ServerName was specified.
  -     * Fixed mod_proxy to retain empty headers, as allowed by RFC2068.
  -     * Properly resolve the location of ndbm on Linux and some glibc2
  -       builds, where ndbm.h is in the nonstandard db1/ subdir.
  -
  -   Win32 bug fixes:
  -     * Win32 now properly handles the SSI exec cmd tag.  Due to argument
  -       parsing issues with spaces and slashes, cmd is interpreted as an 
  -       executable file, not a long command line string.
  -     * Resolved a threading problem with WinNT/2K services, allowing
  -       modules such as mod_jserv and mod_perl to shut down cleanly.
  -     * Resolved stdin and stdout pipes for the parent Win32 service 
  -       process, solving bugs such as "dup2(stdin) failed" when trying 
  -       to use piped logs.  
  -
  -   Netware specific bug fixes:
  -     * Netware initial screen allows the -s parameter to switch to the 
  -       system console screen, warning messages during startup are now 
  -       displayed.
  -     * Netware added '.' and '..' to the directory listing so mod_autoindex 
  -       will now display the parent directory.
  -     * NetWare now shuts down cleanly in error conditions, such as a failure
  -       while reading the httpd.conf file.
  -
  -   The main new features include:
  -     * Enhanced rotatelogs to allow a UTC offset to be specified, and
  -       the format logfile names with human-readable date/time stamps.
  -     * Added the NOESCAPE (NS) flag to RewriteRule, to disable *all* 
  -       normal URI escaping.  Note incautious use can give unexpected 
  -       results or introduce security risks.
  -     * Added the '\' character to RewriteRule to allow escaping of 
  -       special characters.  Allows embedding of both the '$' and '%' 
  -       characters in the results, so 'foo\$1' translates to 'foo$1' 
  -       rather than 'foo\<value of $1>'.
  -     * Added the -V flag to suexec, to display the compile-time settings
  -       with which it was built.  (Only valid for root or the HTTPD_USER 
  -       username.)          
  -     * Introduced EBCDIC conversion configuration options, controlling the 
  -       conversion based on MIME type or file suffix.
  -     * Support for the Cygwin 1.x platform (a POSIX emulation layer for 
  -       Win32 systems, see http://www.cygwin.com).  Note this is an entirely
  -       different implementation than the native calls in the win32 port.
  -     * Support for building modules with apxs under Win32.  cygwin builders 
  -       must use a cygwin build of perl to avoid MSVC handling.
  +  Security vulnerabilities
   
  +     * A vulnerability was found in the Win32 port of Apache 1.3.20.  A
  +       client submitting a very long URI could cause a directory listing
  +       to be returned rather than the default index page. A 403 Forbidden
  +       will now be returned.  CAN-2001-0729
  +     * A vulnerability was found in the split-logfile support program. A
  +       request with a specially crafted Host: header could allow any file
  +       with a .log extension on the system to be written to. PR#7848
  +       CAN-2001-0730
  +     * A vulnerability was found when Multiviews are used to negotiate
  +       the directory index. In some configurations, requesting a URI with
  +       a QUERY_STRING of M=D could return a directory listing rather than
  +       the expected index page.  CAN-2001-0731
  +
  +     The security issues above have been assigned standardized names, CAN- 
  +     by the Common Vulnerabilities and Exposures project (cve.mitre.org)
  +
  +  New features
  +
  +   The main new features in 1.3.22 (compared to 1.3.20) are:
  +     * The user manual has been updated. As well as a number of small
  +       fixes these updates include new translations into French and
  +       Japanese, a guide to using Apache httpd on Cygwin, a lexicon of
  +       Apache error messages, updated TPF documentation, and a
  +       comprehensive guide to using log files
  +     * The user manual can now be moved out of the htdocs DocumentRoot
  +       during installation by invoking configure with the --manualdir=
  +       switch, to allow separation of on-line docs from regular contents.
  +     * The supplied icons are now also distributed in PNG format
  +     * A significant overhaul to the Apache Bench program, ab has taken
  +       place, as first reported in April. The new Apache Bench includes
  +       fixes, additional statistics, csv and gnuplot output, and some
  +       SSL support
  +     * New directives have been added to the mod_usertrack module, The
  +       first, CookieDomain, can be used to customise the Domain
  +       attribute.  The patch to add the CookieDomain directive was first
  +       submitted over two years ago. Historically mod_usertrack has used
  +       the obsolete Netscape cookie syntax. The new CookieStyle directive
  +       allows use of the RFC2109 or RFC2965 syntax instead. PR#5023,
  +       PR#5920, PR#6140.
  +     * The server will now display a warning if line-end comments (#) are
  +       found in the configuration file. Not all directives are able to
  +       handle comments on the same line
  +     * A new directive, AcceptMutex, allows run-time configuration of the
  +       mutex type used for accept serialization, currently a compile-time
  +       only setting in 1.3. Since different types of mutex have different
  +       performance characteristics on different platforms, this directive
  +       will allow administrators to tune their Apache server more easily.
  +       The current list of possible methods is: uslock, pthread, sysvsem,
  +       fcntl, flock, os2sem, tpfcore, none. Not all platforms support all
  +       methods
  +     * mod_auth has been enhanced to allow access to a document to be
  +       controlled based on the owner of the file being served. Require
  +       file-owner will only allow files to be served where the
  +       authenticated username matches the user that owns the document.
  +       Require file-group works in a similar way checking that the group
  +       matches
  +
  +   New features that relate to specific platforms:
  +     * A new directive, AcceptFilter, has been added to control BSD
  +       accept filters at run-time.  This should make it easier to move
  +       server binaries across different BSD machines without requiring
  +       recompilation.  Support for accept filters was first added to
  +       version 1.3.14, the functionality can postpone the requirement for
  +       a child process to handle a new connection until an HTTP request
  +       has arrived, therefore increasing the number of connections that a
  +       given number of child processes can handle
  +     * On Win32 mod_unique_id, mod_mime_magic, and the mod_vhost_alias
  +       modules are now enabled
  +     * The Cygwin port includes a number of fixes and updates.  Cygwin 
  +       support was first introduced in version 1.3.20
  +     * On Windows 2000, the service display names can now be modified 
  +       by the user (use the service control panel applet)
  +     * On Win32 a new option -W can be used to set up a dependency on
  +       another service, see win_service.html
  +     * The server will now take advantage of recent improvements to the
  +       TPF operating system which include an enhanced system fork and
  +       exec, updates to allow non-blocking file descriptors, and an
  +       update to shutdown processing
  +
  +  Bugs fixed
  +
  +   The following bugs were found in Apache 1.3.20 and have been fixed in
  +   Apache 1.3.22:
  +     * Under certain circumstances a child may crash due to a bug in
  +       mod_include.  If a server uses an ErrorDocument for 404 (request
  +       not found) errors which points to a server-parsed HTML file which
  +       uses a <!--#include  virtual="file" --> section, then a request
  +       containing %2f will result in a segfault. The segfault is harmless
  +       and does not cause a security problem, but is being triggered by
  +       the recent IIS worm
  +     * The Multiviews functionality has been fixed to prevent
  +       mod_negotiation from serving any multiview variant that contains
  +       unknown filename extensions. PR#8130
  +     * Apache will prefer installed version of the Expat library over the
  +       bundled version. This fixes conflicts when multiple copies of the
  +       Expat library get loaded (notably when using mod_perl and
  +       XML::Parsers::Expat)
  +     * UnsetEnv now works from the main body of a configuration file.
  +       PR#8254
  +     * When used as a reverse proxy any headers set by other modules
  +       (such as mod_usertrack or mod_securid) now get passed on to the
  +       back-end server. PR#6055
  +     * Server response headers can now be logged via the proxy. PR#7461
  +     * mod_proxy will now pay attention to HTTP headers that specify the
  +       request is not to be cached. PR#5668
  +     * When a client making a request via mod_proxy died unexpectedly,
  +       mod_proxy did not close its connection. PR#8090
  +     * The CacheForceCompletion directive has been fixed PR#7383,
  +       PR#8067, PR#6585
  +     * A memory leak has been fixed in the mod_mime_magic module
  +     * A Satisfy All option has been added to the default container
  +       designed to stop access to .htaccess files.  Without this
  +       directive, these files could still be fetched if they were within
  +       the scope of a Satisfy Any directive.
  +
  +   The following bugs relate to specific platforms:
  +     * A number of fixes for NetWare have been added. These include:
  +       enabling long file names in htpasswd and htdigest, protection
  +       against ill behaved modules, better handling of abnormal
  +       shutdowns, dealing with the limited stack space during server side
  +       includes, and recognising special filenames such as proxy:http://
  +       correctly
  +     * A shutdown hang could occur on Solaris when using lots of piped
  +       TransferLogs and at least one piped ErrorLog
  +     * On EBCDIC platforms a bug in the proxy module stopped SSL proxying
  +       working
  +     * On Win32, mod_unique_id did not guarantee a unique ID due to
  +       threading
  +     * The Win32 Makefiles are now 100% compatible with the Microsoft
  +       Visual C++ compiler versions 5,6,7
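
Review bot: the Satisfy All item that closes the general "Bugs fixed" list describes .htaccess files that "could still be fetched" inside a Satisfy Any scope, which is an exposure of access-control files and belongs with the security fixes rather than among the ordinary bugs. Because the fix is a change to the default container, the text should also tell sites that carry an existing configuration forward to add the directive themselves. In the security section, the sentence "have been assigned standardized names, CAN-" reads as cut off and has no closing period; something like "names with the CAN- prefix" would fix it. The mod_include item calls a child segfault reachable by a request containing %2f "harmless" without saying why, so a clause on the actual impact (only the child handling that request dies) would help readers judge it. Smaller points: "XML::Parsers::Expat" should be "XML::Parser::Expat", "mod_usertrack module, The first" needs a period instead of the comma, "Apache Bench program, ab has taken place" is missing the closing comma after "ab", and the list items are inconsistent about terminal periods.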
  
  
  
  1.6       +1 -1      httpd-dist/HEADER.html
  
  Index: HEADER.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/HEADER.html,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- HEADER.html	2001/05/21 23:22:49	1.5
  +++ HEADER.html	2001/11/13 23:48:33	1.6
  @@ -8,7 +8,7 @@
   <br>
   <a href="http://www.apache.org/dyn/closer.cgi">Go here to find it.</a>
   </p>
  -<h2><a href="Announcement.html">Apache 1.3.20</a> is now available.</h2>
  +<h2><a href="Announcement.html">Apache 1.3.22</a> is now available.</h2>
   <p>
   
   </p>
  
  
  
  1.6       +1 -1      httpd-dist/README.html
  
  Index: README.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/README.html,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- README.html	2001/04/08 03:43:00	1.5
  +++ README.html	2001/11/13 23:48:33	1.6
  @@ -1,4 +1,4 @@
  -<H2>Apache 2.0.16 Released as an beta</H2>
  +<H2>Apache 2.0.16 Released as a beta</H2>
   
   <P>Apache 2.0 betas are developer only releases with numerous 
      bugs and new features. Guaranteed to give you the best rollercoaster 
  
  
  
  1.10      +11 -6     httpd-dist/binaries/win32/HEADER.html
  
  Index: HEADER.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/binaries/win32/HEADER.html,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- HEADER.html	2001/09/03 15:19:22	1.9
  +++ HEADER.html	2001/11/13 23:48:33	1.10
  @@ -6,17 +6,22 @@
      update your version of WinSock.  stop and <a href="#winsock">read
      this first.</a></p>
   
  -<p>Where two versions are available, the -src.msi package includes the
  -   complete runtime and source files to build Apache as documented in the
  -   installed file htdocs/manual/win_compiling.html.  The -no_src.msi 
  -   package includes only the runtime, the source files are omitted from 
  -   that package to speed up your download.</p>
  +<p>As of Apache 1.3.22, we no longer distribute an installation package
  +   that includes the source.  The Apache HTTP Server source code is at
  +   <a href="../../">/dist/httpd/</a> and is available as a .zip file
  +   with DOS line endings (cr/lf pairs.)</p>
   
  +<p>Also, as of Apache 1.3.22, a full setup package (.exe) containing the
  +   Win9x/WinNT Microsoft System Installer installer is available.  If the
  +   Microsoft System Installer is already on the machine, there is no need
  +   to download the .exe, save yourself 3MB and download the .msi package.</p>
  +
   <p><strong>Looking for an older version?</strong>  Don't.  There have
      been a number of essential bug fixes and corrections to the evolving
      support for Win32 under Apache.  More critically, there was a potential
      denial of service attack affecting only Win32 and OS2 that was closed 
  -   with the release of 1.3.20.  If you <em>must</em> run an earlier version,
  +   with the release of 1.3.20.  1.3.22 fixes further problems.   If you 
  +   <em>must</em> run an earlier version,  
      you must build Apache from sources and apply the bug fix.
      <a href="http://www.apache.org/dist/httpd/patches/apply_to_1.3.19/fixfault_win32_os2-1.3.19.patch"
      >fixfault_win32_os2-1.3.19.patch</a></p>
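
Review bot: after the added sentence "1.3.22 fixes further problems", the unchanged advice that follows still tells anyone who must run an earlier version to build from sources and apply fixfault_win32_os2-1.3.19.patch, which by its name and the surrounding text covers only the Win32/OS2 denial of service closed in 1.3.20. The paragraph should say that this patch does not bring an older build up to the 1.3.22 fixes, or link to the announcement that lists them. In the new .exe paragraph, "Microsoft System Installer installer" repeats itself and the last sentence is a comma splice ("no need to download the .exe, save yourself 3MB"); "(cr/lf pairs.)" has the period inside the parenthesis; and the lines ending "If you" and "version," carry trailing whitespace.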