Posted to cvs@httpd.apache.org by ji...@apache.org on 2007/08/10 13:32:38 UTC
svn commit: r564558 [2/2] - /httpd/httpd/branches/2.2.x/CHANGES
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=diff&rev=564558&r1=564557&r2=564558
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Fri Aug 10 04:32:38 2007
@@ -1446,14062 +1446,10 @@
[Apache 2.1.0-dev includes those bug fixes and changes with the
Apache 2.0.xx tree as documented, and except as noted, below.]
-Changes with Apache 2.0.56
+Changes with Apache 2.0.x and later:
- *) Preserve the Content-Length header for a proxied HEAD response.
- PR 18757. [Greg Ames]
+ *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
- *) mod_cgi(d): Remove block on OPTIONS method so that scripts can
- respond to OPTIONS directly rather than via server default.
- [Roy Fielding] PR 15242
+Changes with Apache 1.3.x and later:
-Changes with Apache 2.0.55
-
- *) SECURITY: CVE-2005-2088 (cve.mitre.org)
- proxy: Correctly handle the Transfer-Encoding and Content-Length
- headers. Discard the request Content-Length whenever T-E: chunked
- is used, always passing one of either C-L or T-E: chunked whenever
- the request includes a request body. Resolves an entire class of
- proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]
-
- *) Added TraceEnable [on|off|extended] per-server directive to alter
- the behavior of the TRACE method. This addresses a flaw in proxy
- conformance to RFC 2616 - previously the proxy server would accept
- a TRACE request body although the RFC prohibited it. The default
- remains 'TraceEnable on'. [William Rowe]
-
- *) Add ap_log_cerror() for logging messages associated with particular
- client connections. [Jeff Trawick]
-
- *) Correct mod_cgid's argv[0] so that the full path can be delved by the
- invoked cgi application, to conform to the behavior of mod_cgi.
- [Pradeep Kumar S <pradeep.smani gmail.com>]
-
- *) mod_include: Fix possible environment variable corruption when
- using nested includes. PR 12655. [Joe Orton]
-
- *) Support the suppress-error-charset setting, as with Apache 1.3.x.
- PR 31274. [Jeff Trawick]
-
- *) EBCDIC: Handle chunked input from client or, with proxy, origin
- server. [Jeff Trawick]
-
- *) Fix bad globbing comparison which could result in getting
- a directory listing when a file was requested. PR 34512.
- [sean <infamous41md hotmail.com>]
-
- *) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
- was called even if mod_auth_ldap_check_user_id() was not
- (or if it didn't succeed) for non-authoritative cases.
- [Jim Jagielski]
-
- *) SECURITY: CVE-2005-2728 (cve.mitre.org)
- Fix cases where the byterange filter would buffer responses
- into memory. PR 29962. [Joe Orton]
-
- *) mod_proxy: Fix over-eager handling of '%' for reverse proxies.
- PR 15207. [Jim Jagielski]
-
- *) mod_ldap: Fix various shared memory cache handling bugs.
- PR 34209. [Joe Orton]
-
- *) Fix a file descriptor leak when starting piped loggers. PR 33748.
- [Joe Orton]
-
- *) mod_ldap: Avoid segfaults when opening connections if using a version
- of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes]
-
- *) mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe]
-
- *) SECURITY: CVE-2005-2088 (cve.mitre.org)
- core: If a request contains both Transfer-Encoding and Content-Length
- headers, remove the Content-Length, mitigating some HTTP Request
- Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
-
- *) proxy HTTP: If a response contains both Transfer-Encoding and a
- Content-Length, remove the Content-Length and don't reuse the
- connection, mitigating some HTTP Response Splitting attacks.
- [Jeff Trawick]
-
- *) Prevent hangs of child processes when writing to piped loggers at
- the time of graceful restart. PR 26467. [Jeff Trawick]
-
- *) SECURITY: CVE-2005-1268 (cve.mitre.org)
- mod_ssl: Fix off-by-one overflow whilst printing CRL information
- at "LogLevel debug" which could be triggered if configured
- to use a "malicious" CRL. PR 35081. [Marc Stern <mstern csc.com>]
-
- *) mod_userdir: Fix possible memory corruption issue. PR 34588.
- [David Leonard <dleonard vintela.com>]
-
- *) worker mpm: don't take down the whole server for a transient
- thread creation failure. PR 34514 [Greg Ames]
-
- *) mod_rewrite: use buffered I/O to improve performance with large
- RewriteMap txt: files. [Greg Ames]
-
- *) proxy HTTP: Rework the handling of request bodies to handle
- chunked input and input filters which modify content length, and
- avoid spooling arbitrary-sized request bodies in memory.
- PR 15859. [Jeff Trawick]
-
-Changes with Apache 2.0.54
-
- *) mod_cache: Add CacheIgnoreHeaders directive. PR 30399.
- [Rüdiger Plüm <r.pluem t-online.de>]
-
- *) mod_ldap: Added the directive LDAPConnectionTimeout to configure
- the ldap socket connection timeout value.
- [Brad Nicholes]
-
- *) Correctly export all mod_dav public functions.
- [Branko Čibej <brane xbc.nu>]
-
- *) Add a build script to create a solaris package. [Graham Leggett]
-
- *) worker MPM: Fix a problem which could cause httpd processes to
- remain active after shutdown. [Jeff Trawick]
-
- *) Unix MPMs: Shut down the server more quickly when child processes are
- slow to exit. [Joe Orton, Jeff Trawick]
-
- *) Remove formatting characters from ap_log_error() calls. These
- were escaped as fallout from CVE-2003-0020.
- [Eric Covener <ecovener gmail.com>]
-
- *) mod_ssl: If SSLUsername is used, set r->user earlier. PR 31418.
- [David Reid]
-
- *) htdigest: Fix permissions of created files. PR 33765. [Joe Orton]
-
- *) core_input_filter: Move buckets to a persistent brigade instead of
- creating a new brigade. This stop a memory leak when proxying a
- Streaming Media Server. PR 33382. [Paul Querna]
-
- *) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid
- hiccups from additional path information passed in non-utf-8 format.
- [Richard Donkin <rd9 donkin.org]
-
-Changes with Apache 2.0.53
-
- *) Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
- [Max Bowsher <maxb ukf.net>]
-
- *) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170.
- [Rici Lake <rici ricilake.net>]
-
- *) mod_proxy: Respect errors reported by pre_connection hooks.
- [Jeff Trawick]
-
- *) --with-module can now take more than one module to be statically
- linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
- If the <modtype>-subdirectory doesn't exist it will be created and
- populated with a standard Makefile.in. [Erik Abele]
-
- *) Fix the RPM spec file so that an RPM build now works. An RPM
- build now requires system installations of APR and APR-util.
- Remove some arbitrary moving around of binaries - the RPM now
- maps to the ASF build of httpd.
- [Graham Leggett]
-
- *) mod_dumpio, an I/O logging/dumping module, added to the
- modules/expermimental subdirectory. [Jim Jagielski]
-
- *) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
- library handles special characters. PR 24437. [Jess Holle]
-
- *) Win32 MPM: Correct typo in debugging output. [William Rowe]
-
- *) conf: Remove AddDefaultCharset from the default configuration because
- setting a site-wide default does more harm than good. PR 23421.
- [Roy Fielding]
-
- *) Add charset to example CGI scripts. [Roy Fielding]
-
- *) mod_ssl: fail quickly if SSL connection is aborted rather than
- making many doomed ap_pass_brigade calls. PR 32699. [Joe Orton]
-
- *) Remove compiled-in upper limit on LimitRequestFieldSize.
- [Bill Stoddard]
-
- *) Start keeping track of time-taken-to-process-request again for
- mod_status if ExtendedStatus is enabled. [Jim Jagielski]
-
- *) mod_proxy: Handle client-aborted connections correctly. PR 32443.
- [Janne Hietamäki, Joe Orton]
-
- *) Fix handling of files >2Gb on all platforms (or builds) where
- apr_off_t is larger than apr_size_t. PR 28898. [Joe Orton]
-
- *) mod_include: Fix bug which could truncate variable expansions
- of N*64 characters by one byte. PR 32985. [Joe Orton]
-
- *) Correct handling of certain bucket types in ap_save_brigade, fixing
- possible segfaults in mod_cgi with #include virtual. PR 31247.
- [Joe Orton]
-
- *) Allow for the use of --with-module=foo:bar where the ./modules/foo
- directory is local only. Assumes, of course, that the required
- files are in ./modules/foo, but makes it easier to statically
- build/log "external" modules. [Jim Jagielski]
-
- *) Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that
- ldap authorization only modules have access to the util_ldap
- user cache without having to require ldap authentication as well.
- PR 31898. [Jari Ahonen jah progress.com, Brad Nicholes]
-
- *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
- allows the module to only authorize a user if the attribute value
- specified matches the value of the user object. PR 31913
- [Ryan Morgan <rmorgan pobox.com>]
-
- *) SECURITY: CVE-2004-0942 (cve.mitre.org)
- Fix for memory consumption DoS in handling of MIME folded request
- headers. [Joe Orton]
-
- *) SECURITY: CVE-2004-0885 (cve.mitre.org)
- mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
- bypassed during an SSL renegotiation. PR 31505.
- [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]
-
- *) mod_ssl: Fail at startup rather than segfault at runtime if a
- client cert is configured with an encrypted private key.
- PR 24030. [Joe Orton]
-
- *) apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448
- [Joe Orton]
-
- *) mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d.
- [Jeff Trawick]
-
- *) mod_cache: CacheDisable will only disable the URLs it was meant to
- disable, not all caching. PR 31128.
- [Edward Rudd <eddie omegaware.com>, Paul Querna]
-
- *) mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale
- cache responses. [Justin Erenkrantz]
-
- *) mod_rewrite: Handle per-location rules when r->filename is unset.
- Previously this would segfault or simply not match as expected,
- depending on the platform. [Jeff Trawick]
-
- *) mod_rewrite: Fix 0 bytes write into random memory position.
- PR 31036. [André Malo]
-
- *) mod_disk_cache: Do not store aborted content. PR 21492.
- [Rüdiger Plüm <r.pluem t-online.de>]
-
- *) mod_disk_cache: Correctly store cached content type. PR 30278.
- [Rüdiger Plüm <r.pluem t-online.de>]
-
- *) mod_ldap: prevent the possiblity of an infinite loop in the LDAP
- statistics display. PR 29216. [Graham Leggett]
-
- *) mod_ldap: fix a bogus error message to tell the user which file
- is causing a potential problem with the LDAP shared memory cache.
- PR 31431 [Graham Leggett]
-
- *) SECURITY: CVE-2004-1834 (cve.mitre.org)
- mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz]
-
- *) Fix the re-linking issue when purging elements from the LDAP cache
- PR 24801. [Jess Holle <jessh ptc.com>]
-
- *) mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz]
-
- *) Fix Expires handling in mod_cache. [Justin Erenkrantz]
-
- *) Alter mod_expires to run at a different filter priority to allow
- proper Expires storage by mod_cache. [Justin Erenkrantz]
-
-Changes with Apache 2.0.52
-
- *) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo]
-
- *) Fix the global mutex crash when the global mutex is never allocated
- due to disabled/empty caches. [Jess Holle <jessh ptc.com>]
-
- *) Fix a segfault in the LDAP cache when it is configured switched
- off. [Jess Holle <jessh ptc.com>]
-
- *) SECURITY: CVE-2004-0811 (cve.mitre.org)
- Fix merging of the Satisfy directive, which was applied to
- the surrounding context and could allow access despite configured
- authentication. PR 31315. [Rici Lake <rici ricilake.net>]
-
- *) Fix the handling of URIs containing %2F when AllowEncodedSlashes
- is enabled. Previously, such urls would still be rejected.
- [Jeff Trawick, Bill Stoddard]
-
- *) mod_mem_cache: Fixed race condition causing segfault because of memory being
- freed twice, or reused after being freed.
- [J. Clar, W. Stoddard, G. Ames]
-
- *) Add -l option to rotatelogs to let it use local time rather than
- UTC. PR 24417. [Ken Coar, Uli Zappe <uli ritual.org>]
-
- *) mod_log_config: Fix a bug which prevented request completion time
- from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
- processing. PR 29696. [Alois Treindl <alois astro.ch>]
-
-Changes with Apache 2.0.51
-
- *) SECURITY: CVE-2004-0786 (cve.mitre.org)
- Fix an input validation issue in apr-util which could be
- triggered by malformed IPv6 literal addresses. [Joe Orton]
-
- *) SECURITY: CVE-2004-0747 (cve.mitre.org)
- Fix buffer overflow in expansion of environment variables in
- configuration file parsing. [André Malo]
-
- *) SECURITY: CVE-2004-0809 (cve.mitre.org)
- mod_dav_fs: Fix a segfault in the handling of an indirect lock
- refresh. PR 31183. [Joe Orton]
-
- *) mod_include no longer checks for recursion, because that's done
- in the core. This allows for careful usage of recursive SSI.
- [André Malo]
-
- *) Fix memory leak in the cache handling of mod_rewrite. PR 27862.
- [chunyan sheng <shengperson yahoo.com>, André Malo]
-
- *) Include directives no longer refuse to process symlinks on
- directories. Instead there's now a maximum nesting level
- of included directories (128 as distributed). This is configurable
- at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch.
- PR 28492. [André Malo]
-
- *) Win32: apache -k start|restart|install|config can leave stranded
- piped logger processes (eg, rotatelogs.exe) due to improper
- server shutdown on these code paths.
- [Bill Stoddard]
-
- *) SECURITY: CVE-2004-0751 (cve.mitre.org)
- mod_ssl: Fix a segfault in the SSL input filter which could be
- triggered if using "speculative" mode, for instance by a
- proxy request to an SSL server. PR 30134. [Joe Orton]
-
- *) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.
- PR 30464. [Joe Orton, Madhusudan Mathihalli]
-
- *) mod_ssl: Add new 'ssl_is_https' optional function. [Joe Orton]
-
- *) Prevent CGI script output which includes a Content-Range header
- from being passed through the byterange filter. [Joe Orton]
-
- *) Satisfy directives now can be influenced by a surrounding <Limit>
- container. PR 14726. [André Malo]
-
- *) mod_rewrite now officially supports RewriteRules in <Proxy> sections.
- PR 27985. [André Malo]
-
- *) mod_disk_cache: Implement binary format for on-disk header files.
- [Brian Akins <bakins web.turner.com>, Justin Erenkrantz]
-
- *) mod_disk_cache: Optimize network performance of disk cache subsystem by
- allowing zero-copy (sendfile) writes and other miscellaneous fixes.
- [Justin Erenkrantz]
-
- *) mod_cache, mod_disk_cache, mod_mem_cache: Refactor cache modules, and
- switch to the provider API instead of hooks. [Justin Erenkrantz]
-
- *) mod_autoindex: Don't truncate the directory listing if a stat()
- call fails (for instance on a >2Gb file). PR 17357.
- [Joe Orton]
-
- *) Makefile fix: httpd is linked against LIBS given to the
- 'make' invocation. PR 7882. [Joe Orton]
-
- *) WinNT MPM: Fix a broken log message at termination. PR 28063.
- [Eider Oliveira <eider bol.com.br>]
-
- *) Prevent Win32 pool corruption at startup [Allan Edwards]
-
- *) mod_ssl: Add "SSLUserName" directive to set r->user based on a
- chosen SSL environment variable. PR 20957.
- [Martin v. Loewis <martin v.loewis.de>]
-
- *) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs.
- [Zvi Har'El <rl math.technion.ac.il>]
-
- *) apachectl: Fix a problem finding envvars if sbindir != bindir.
- PR 30723. [Friedrich Haubensak <hsk imb-jena.de>]
-
- *) mod_ssl: Build on RHEL 3. PR 18989. [Justin Erenkrantz]
-
- *) SECURITY: CVE-2004-0748 (cve.mitre.org)
- mod_ssl: Fix a potential infinite loop. PR 29964. [Joe Orton]
-
- *) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb.
- PR 18989. [Joe Orton]
-
- *) mod_userdir: Ensure that the userdir identity is used for
- suexec userdir access in a virtual host which has suexec configured.
- PR 18156. [Joshua Slive]
-
- *) mod_rewrite no longer confuses the RewriteMap caches if
- different maps defined in different virtual hosts use the
- same map name. PR 26462. [André Malo]
-
- *) mod_setenvif: Remove "support" for Remote_User variable which
- never worked at all. PR 25725. [André Malo]
-
- *) Backport from 2.1 / Regression from 1.3: mod_headers now knows
- again the functionality of the ErrorHeader directive. But instead
- using this misnomer additional flags to the Header directive were
- introduced ("always" and "onsuccess", defaulting to the latter).
- PR 28657. [André Malo]
-
- *) Use the higher performing 'httpready' Accept Filter on all platforms
- except FreeBSD < 4.1.1. [Paul Querna]
-
- *) mod_usertrack: Escape the cookie name before pasting into the
- regexp. [André Malo]
-
- *) Extend the SetEnvIf directive to capture subexpressions of the
- matched value. [André Malo]
-
- *) Recursive Include directives no longer crash. The server stops
- including configuration files after a certain nesting level (128
- as distributed). This is configurable at compile time using the
- -DAP_MAX_INCLUDE_DEPTH switch. PR 28370. [André Malo]
-
- *) mod_dir: the trailing-slash behaviour is now configurable using the
- DirectorySlash directive. [André Malo]
-
- *) Allow proxying of resources that are invoked via DirectoryIndex.
- PR 14648, 15112, 29961. [André Malo]
-
- *) util_ldap: Switched the lock types on the shared memory cache
- from thread reader/writer locks to global mutexes in order to
- provide cross process cache protection. [Brad Nicholes]
-
- *) util_ldap: Reworked the cache locking scheme to eliminate duplicate
- cache entries in the credentials cache due to race conditions.
- [Brad Nicholes]
-
- *) util_ldap: Enhanced the util_ldap cache-info display to show more
- detail about the contents and current state of the cache.
- [Brad Nicholes]
-
- *) Enable the option to support anonymous shared memory in mod_ldap.
- This makes the cache work on Linux again. [Graham Leggett]
-
- *) Enable special ErrorDocument value 'default' which restores the
- canned server response for the scope of the directive.
- [Geoffrey Young, André Malo]
-
- *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
- is set in r->subprocess_env allow mismatched query strings to pass.
- PR 27758. [Paul Querna, Geoffrey Young]
-
- *) Accept URLs for the ServerAdmin directive. If the supplied
- argument is not recognized as an URL, assume it's a mail address.
- PR 28174. [André Malo, Paul Querna]
-
- *) initialize server arrays prior to calling ap_setup_prelinked_modules
- so that static modules can push Defines values when registering
- hooks just like DSO modules can ["Philippe M. Chiasson" <gozer cpan.org>]
-
- *) Small fix to allow reverse proxying to an ftp server. Previously
- an attempt to do this would try and connect to 0.0.0.0, regardless
- of the server specified. PR 24922
- [Pascal Terjan <pt...@linuxfr.org>]
-
- *) Add the NOTICE file to the rpm spec file in compliance with the
- Apache v2.0 license. [Graham Leggett]
-
- *) RPM spec file changes: changed default dependancy to link to db4
- instead of db3. Fixed complaints about unpackaged files.
- [Graham Leggett]
-
-Changes with Apache 2.0.50
-
- *) SECURITY: CVE-2004-0493 (cve.mitre.org)
- Close a denial of service vulnerability identified by Georgi
- Guninski which could lead to memory exhaustion with certain
- input data. [Jeff Trawick]
-
- *) mod_cgi: Handle output on stderr during script execution on Unix
- platforms; preventing deadlock when stderr output fills pipe buffer.
- Also fixes case where stderr from nph- scripts could be lost.
- PR 22030, 18348. [Joe Orton, Jeff Trawick]
-
- *) mod_alias now emits a warning if it detects overlapping *Alias*
- directives. [André Malo]
-
- *) mod_rewrite no longer turns forward proxy requests into reverse proxy
- requests. PR 28125 [ast domdv.de, André Malo]
-
- *) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now
- exported on Win32 and Netware as well (minor MMN bump). PR 28523.
- [Edward Rudd <eddie omegaware.com>, André Malo]
-
- *) Restore the ability to disable the use of AcceptEx on Win9x systems
- automatically (broken in 2.0.49). PR 28529. [André Malo]
-
- *) <VirtualHost myhost> now applies to all IP addresses for myhost
- instead of just the first one reported by the resolver. This
- corrects a regression since 1.3. [Jeff Trawick]
-
- *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved
- against ServerRoot PR#26602 [Brad Nicholes]
-
- *) SECURITY: CVE-2004-0488 (cve.mitre.org)
- mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
- (trusted) client certificate subject DN which exceeds 6K in length.
- [Joe Orton]
-
- *) mod_dav_fs: Fix MKCOL response for missing parent collections, which
- caused issues for the Eclipse WebDAV extension.
- PR 29034. [Joe Orton]
-
- *) mod_deflate: Fix memory consumption (which was proportional to the
- response size). PR 29318. [Joe Orton]
-
- *) mod_ssl: Log the errors returned on failure to load or initialize
- a crypto accelerator engine. [Joe Orton]
-
- *) Allow RequestHeader directives to be conditional. PR 27951.
- [Vincent Deffontaines <vincent gryzor.com>, André Malo]
-
- *) Allow LimitRequestBody to be reset to unlimited. PR 29106
- [André Malo]
-
- *) Fix a bunch of cases where the return code of the regex compiler
- was not checked properly. This affects: mod_setenvif, mod_usertrack,
- mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo]
-
- *) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for
- small cache sizes. PR 27751. [Geoff Thorpe <geoff geoffthorpe.net>]
-
- *) Remove 2Gb log file size restriction on some 32-bit platforms.
- PR 13511. [Joe Orton]
-
- *) mod_logio no longer removes the EOS bucket. PR 27928.
- [Bojan Smojver <bojan rexursive.com>]
-
- *) htpasswd no longer refuses to process files that contain empty
- lines. [André Malo]
-
- *) Regression from 1.3: At startup, suexec now will be checked for
- availability, the setuid bit and user root. The works only if
- httpd is compiled with the shipped APR version (0.9.5).
- PR 28287. [André Malo]
-
- *) Unix MPMs: Stop dropping connections when the file descriptor
- is at least FD_SETSIZE. [Jeff Trawick]
-
- *) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick]
-
- *) mod_isapi: send_response_header() failed to copy status string's
- last character. PR 20619. [Jesse Pelton <jsp pkc.com>]
-
- *) Fix a segfault when requests for shared memory fails and returns
- NULL. Fix a segfault caused by a lack of bounds checking on the
- cache. PR 24801. [Graham Leggett]
-
- *) Throw an error message if an attempt is made to use the LDAPTrustedCA
- or LDAPTrustedCAType directives in a VirtualHost. PR 26390
- [Brad Nicholes]
-
- *) Fix a potential segfault if the bind password in the LDAP cache
- is NULL. PR 28250. [Jari Ahonen <jah progress.com>]
-
- *) Quotes cannot be used around require group and require dn
- directives, update the documentation to reflect this. Also add
- quotes around the dn and group within debug messages, to make it
- more obvious why authentication is failing if quotes are used in
- error. PR 19304. [Graham Leggett]
-
- *) The Microsoft LDAP SDK escapes filters for us, stop util_ldap
- from escaping filters twice when the backslash character is used.
- PR 24437. [Jess Holle <jessh ptc.com>]
-
- *) Overhaul handling of LDAP error conditions, so that the util_ldap_*
- functions leave the connections in a sane state after errors have
- occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134,
- 27271 [Graham Leggett]
-
- *) mod_ldap calls ldap_simple_bind_s() to validate the user
- credentials. If the bind fails, the connection is left
- in an unbound state. Make sure that the ldap connection
- record is updated to show that the connection is no longer
- bound. [Brad Nicholes]
-
- *) Ensure that lines in the request which are too long are
- properly terminated before logging.
- [Tsurutani Naoki <turutani scphys.kyoto-u.ac.jp>]
-
- *) Update the bind credentials for the cached LDAP connection to
- reflect the last bind. This prevents util_ldap from creating
- unnecessary connections rather than reusing cached connections.
- [Brad Nicholes]
-
- *) mod_isapi: GetServerVariable returned improperly terminated header
- fields given "ALL_HTTP" or "ALL_RAW". PR 20656.
- [Jesse Pelton <jsp pkc.com>]
-
- *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer
- size. PR 20617. [Jesse Pelton <jsp pkc.com>]
-
- *) mod_dav: Fix a problem that could cause crashes when manipulating
- locks on some platforms. [Jeff Trawick]
-
- *) mod_headers no longer crashes if an empty header value should
- be added. [André Malo]
-
- *) Fix segfault in mod_expires, which occured under certain
- circumstances. PR 28047. [André Malo]
-
- *) htpasswd: use apr_temp_dir_get() and general cleanup
- [Guenter Knauf <eflash gmx.net>, Thom May]
-
- *) mod_ssl: Fix memory leak in session cache handling. PR 26562
- [Madhusudan Mathihalli]
-
- *) mod_ssl: Fix potential segfaults when performing SSL shutdown from
- a pool cleanup. PR 27945. [Joe Orton]
-
- *) Add forensic logging module (mod_log_forensic).
- [Ben Laurie]
-
- *) logresolve: Allow size of log line buffer to be overridden at
- build time (MAXLINE). PR 27793. [Jeff Trawick]
-
- *) Fix the comment delimiter in htdbm so that it correctly parses the
- username comment. Also add a terminate function to allow NetWare
- to pause the output before the screen is destroyed.
- [Guenter Knauf <eflash gmx.net>, Brad Nicholes]
-
- *) Fix crash when Apache was started with no Listen directives.
- [Michael Corcoran <mcorcoran warpsolutions.com>]
-
- *) core_output_filter: Fix bug that could result in sending
- garbage over the network when module handlers construct
- bucket brigades containing multiple file buckets all referencing
- the same open file descriptor. [Bojan Smojver]
-
- *) Fix memory corruption problem with ap_custom_response() function.
- The core per-dir config would later point to request pool data
- that would be reused for different purposes on different requests.
- [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]
-
- *) Win32: Tweak worker thread accounting routines to eliminate
- server hang when number of Listen directives in httpd.conf
- is greater than or equal to the setting of ThreadsPerChild.
- [Bill Stoddard]
-
-Changes with Apache 2.0.49
-
- *) SECURITY: CVE-2004-0174 (cve.mitre.org)
- Fix starvation issue on listening sockets where a short-lived
- connection on a rarely-accessed listening socket will cause a
- child to hold the accept mutex and block out new connections until
- another connection arrives on that rarely-accessed listening socket.
- With Apache 2.x there is no performance concern about enabling the
- logic for platforms which don't need it, so it is enabled everywhere
- except for Win32. [Jeff Trawick]
-
- *) mod_cgid: Fix storage corruption caused by use of incorrect pool.
- [Jeff Trawick]
-
- *) Win32: find_read_listeners was not correctly handling multiple
- listeners on the Win32DisableAcceptEx path. [Bill Stoddard]
-
- *) Fix bug in mod_usertrack when no CookieName is set. PR 24483.
- [Manni Wood <manniwood planet-save.com>]
-
- *) Fix some piped log problems: bogus "piped log program '(null)'
- failed" messages during restart and problem with the logger
- respawning again after Apache is stopped. PR 21648, PR 24805.
- [Jeff Trawick]
-
- *) Fixed file extensions for real media files and removed rpm extension
- from mime.types. PR 26079. [Allan Sandfeld <kde carewolf.com>]
-
- *) Remove compile-time length limit on request strings. Length is
- now enforced solely with the LimitRequestLine config directive.
- [Paul J. Reder]
-
- *) mod_ssl: Send the Close Alert message to the peer before closing
- the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]
-
- *) SECURITY: CVE-2004-0113 (cve.mitre.org)
- mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
- PR 27106. [Joe Orton]
-
- *) mod_ssl: Fix bug in passphrase handling which could cause spurious
- failures in SSL functions later. PR 21160. [Joe Orton]
-
- *) mod_log_config: Fix corruption of buffered logs with threaded
- MPMs. PR 25520. [Jeff Trawick]
-
- *) Fix mod_include's expression parser to recognize strings correctly
- even if they start with an escaped token. [André Malo]
-
- *) Add fatal exception hook for use by diagnostic modules. The hook
- is only available if the --enable-exception-hook configure parm
- is used and the EnableExceptionHook directive has been set to
- "on". [Jeff Trawick]
-
- *) Allow mod_auth_digest to work with sub-requests with different
- methods than the original request. PR 25040.
- [Josh Dady <jpd indecisive.com>]
-
- *) fix "Expected </Foo>> but saw </Foo>" errors in nested,
- argumentless containers.
- ["Philippe M. Chiasson" <gozer cpan.org>]
-
- *) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
- [Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]
-
- *) mod_cgid: Restart the cgid daemon if it crashes. PR 19849
- [Glenn Nielsen <glenn apache.org>]
-
- *) The whole codebase was relicensed and is now available under
- the Apache License, Version 2.0 (http://www.apache.org/licenses).
- [Apache Software Foundation]
-
- *) Fixed cache-removal order in mod_mem_cache.
- [Jean-Jacques Clar, Cliff Woolley]
-
- *) mod_setenvif: Fix the regex optimizer, which under circumstances
- treated the supplied regex as literal string. PR 24219.
- [André Malo]
-
- *) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
- instead of mmn. [André Malo]
-
- *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
- could lead to a 400 (Bad Request) response. [André Malo]
-
- *) Keep focus of ITERATE and ITERATE2 on the current module when
- the module chooses to return DECLINE_CMD for the directive.
- PR 22299. [Geoffrey Young <geoff apache.org>]
-
- *) Add support for IMT minor-type wildcards (e.g., text/*) to
- ExpiresByType. PR#7991 [Ken Coar]
-
- *) Fix segfault in mod_mem_cache cache_insert() due to cache size
- becoming negative. PR: 21285, 21287
- [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
-
- *) core.c: If large file support is enabled, allow any file that is
- greater than AP_MAX_SENDFILE to be split into multiple buckets.
- This allows Apache to send files that are greater than 2gig.
- Otherwise we run into 32/64 bit type mismatches in the file size.
- [Brad Nicholes]
-
- *) proxy_http fix: mod_proxy hangs when both KeepAlive and
- ProxyErrorOverride are enabled, and a non-200 response without a
- body is generated by the backend server. (e.g.: a client makes a
- request containing the "If-Modified-Since" and "If-None-Match"
- headers, to which the backend server respond with status 304.)
- [Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]
-
- *) mod_dav: Reject requests which include an unescaped fragment in the
- Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
-
- *) Build array of allowed methods with proper dimensions, fixing
- possible memory corruption. [Jeff Trawick]
-
- *) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
- PR 15057. [Otmar Lendl <lendl nic.at>]
-
- *) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
- [Joe Orton]
-
- *) mod_usertrack no longer inspects the Cookie2 header for
- the cookie name. PR 11475. [Chris Darrochi <chrisd pearsoncmg.com>]
-
- *) mod_usertrack no longer overwrites other cookies.
- PR 26002. [Scott Moore <apache nopdesign.com>]
-
- *) worker MPM: fix stack overlay bug that could cause the parent
- process to crash. [Jeff Trawick]
-
- *) Win32: Add Win32DisableAcceptEx directive. This Windows
- NT/2000/CP directive is useful to work around bugs in some
- third party layered service providers like virus scanners,
- VPN and firewall products, that do not properly handle
- WinSock 2 APIs. Use this directive if your server is issuing
- AcceptEx failed messages.
- [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]
-
- *) Make REMOTE_PORT variable available in mod_rewrite.
- PR 25772. [André Malo]
-
- *) Fix a long delay with CGI requests and keepalive connections on
- AIX. [Jeff Trawick]
-
- *) mod_autoindex: Add 'XHTML' option in order to allow switching between
- HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]
-
- *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
- [André Malo]
-
- *) mod_ssl: Advertise SSL library version as determined at run-time rather
- than at compile-time. PR 23956. [Eric Seidel <seidel apple.com>]
-
- *) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
- format code is used. PR 22741. [Gary E. Miller <gem rellim.com>]
-
- *) Fix build with parallel make. PR 24643. [Joe Orton]
-
- *) mod_rewrite: In external rewrite maps lookup keys containing
- a newline now cause a lookup failure. PR 14453.
- [Cedric Gavage <cedric.gavage unixtech.be>, André Malo]
-
- *) Backport major overhaul of mod_include's filter parser from 2.1.
- The new parser code is expected to be more robust and should
- catch all of the edge cases that were not handled by the previous one.
- The 2.1 external API changes were hidden by a wrapper which is
- expected to keep the API backwards compatible. [André Malo]
-
- *) Add a hook (insert_error_filter) to allow filters to re-insert
- themselves during processing of error responses. Enable mod_expires
- to use the new hook to include Expires headers in valid error
- responses. This addresses an RFC violation. It fixes PRs 19794,
- 24884, and 25123. [Paul J. Reder]
-
- *) Add Polish translation of error messages. PR 25101.
- [Tomasz Kepczynski <tomek jot23.org>]
-
- *) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
- supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes,
- Bill Stoddard]
-
- *) Add mod_status hook to allow modules to add to the mod_status
- report. [Joe Orton]
-
- *) Fix htdbm to generate comment fields in DBM files correctly.
- [Justin Erenkrantz]
-
- *) mod_dav: Use bucket brigades when reading PUT data. This avoids
- problems if the data stream is modified by an input filter. PR 22104.
- [Tim Robbins <tim robbins.dropbear.id.au>, André Malo]
-
- *) Fix RewriteBase directive to not add double slashes. [André Malo]
-
- *) Improve 'configure --help' output for some modules. [Astrid Keßler]
-
- *) Correct UseCanonicalName Off to properly check incoming port number.
- [Jim Jagielski]
-
- *) Fix slow graceful restarts with prefork MPM. [Joe Orton]
-
- *) Fix a problem with namespace mappings being dropped in mod_dav_fs;
- if any property values were set which defined namespaces these
- came out mangled in the PROPFIND response. PR 11637.
- [Amit Athavale <amit_athavale persistent.co.in>]
-
- *) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
- the destination resource gives a 401. PR 15571. [Joe Orton]
-
- *) SECURITY: CVE-2003-0020 (cve.mitre.org)
- Escape arbitrary data before writing into the errorlog. Unescaped
- errorlogs are still possible using the compile time switch
- "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]
-
- *) mod_autoindex / core: Don't fail to show filenames containing
- special characters like '%'. PR 13598. [André Malo]
-
- *) mod_status: Report total CPU time accurately when using a threaded
- MPM. PR 23795. [Jeff Trawick]
-
- *) Fix memory leak in handling of request bodies during reverse
- proxy operations. PR 24991. [Larry Toppi <larry.toppi citrix.com>]
-
- *) Win32 MPM: Implement MaxMemFree to enable setting an upper
- limit on the amount of storage used by the bucket brigades
- in each server thread. [Bill Stoddard]
-
- *) Modified the cache code to be header-location agnostic. Also
- fixed a number of other cache code bugs related to PR 15852.
- Includes a patch submitted by Sushma Rai <rsushma novell.com>.
- This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
- closing the PR since that is what they are using. [Paul J. Reder]
-
- *) complain via error_log when mod_include's INCLUDES filter is
- enabled, but the relevant Options flag allowing the filter to run
- for the specific resource wasn't set, so that the filter won't
- silently get skipped. next remove itself, so the warning will be
- logged only once [Stas Bekman, Jeff Trawick, Bill Rowe]
-
- *) mod_info: HTML escape configuration information so it displays
- correctly. PR 24232. [Thom May]
-
- *) Restore the ability to add a description for directories that
- don't contain an index file. (Broken in 2.0.48) [André Malo]
-
- *) Fix a problem with the display of empty variables ("SetEnv foo") in
- mod_include. PR 24734 [Markus Julen <mj zermatt.net>]
-
- *) mod_log_config: Log the minutes component of the timezone correctly.
- PR 23642. [Hong-Gunn Chew <hgbug gunnet.org>]
-
- *) mod_proxy: Fix cases where an invalid status-line could be sent
- to the client. PR 23998. [Joe Orton]
-
- *) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL
- are also loaded. [Joe Orton]
-
- *) mod_ssl: Use human-readable OpenSSL error strings in logs; use
- thread-safe interface for retrieving error strings. [Joe Orton]
-
- *) mod_expires: Initialize ExpiresDefault to NULL instead of "" to
- avoid reporting an Internal Server error if it is used without
- having been set in the httpd.conf file. PR: 23748, 24459
- [André Malo, Liam Quinn <liam htmlhelp.com>]
-
- *) mod_autoindex: Don't omit the <tr> start tag if the SuppressIcon
- option is set. PR 21668. [Jesse Tie-Ten-Quee <highos highos.com>]
-
- *) mod_include no longer allows an ETag header on 304 responses.
- PR 19355. [Geoffrey Young <geoff apache.org>, André Malo]
-
- *) EBCDIC: Convert header fields to ASCII before sending (broken
- since 2.0.44). [Martin Kraemer]
-
- *) Fix the inability to log errors like exec failure in
- mod_ext_filter/mod_cgi script children. This was broken after
- such children stopped inheriting the error log handle.
- [Jeff Trawick]
-
- *) Fix mod_info to use the real config file name, not the default
- config file name. [Aryeh Katz <aryeh secured-services.com>]
-
- *) Set the scoreboard state to indicate logging prior to running
- logging hooks so that server-status will show 'L' for hung loggers
- instead of 'W'. [Jeff Trawick]
-
-Changes with Apache 2.0.48
-
- *) SECURITY: CVE-2003-0789 (cve.mitre.org)
- mod_cgid: Resolve some mishandling of the AF_UNIX socket used to
- communicate with the cgid daemon and the CGI script.
- [Jeff Trawick]
-
- *) SECURITY: CVE-2003-0542 (cve.mitre.org)
- Fix buffer overflows in mod_alias and mod_rewrite which occurred
- if one configured a regular expression with more than 9 captures.
- [André Malo]
-
- *) mod_include: fix segfault which occured if the filename was not
- set, for example, when processing some error conditions.
- PR 23836. [Brian Akins <bakins web.turner.com>, André Malo]
-
- *) fix the config parser to support <Foo>..</Foo> containers (no
- arguments in the opening tag) supported by httpd 1.3. Without
- this change mod_perl 2.0's <Perl> sections are broken.
- ["Philippe M. Chiasson" <gozer cpan.org>]
-
- *) mod_cgid: fix a hash table corruption problem which could
- result in the wrong script being cleaned up at the end of a
- request. [Jeff Trawick]
-
- *) Update httpd-*.conf to be clearer in describing the connection
- between AddType and AddEncoding for defining the meaning of
- compressed file extensions. [Roy Fielding]
-
- *) mod_rewrite: Don't die silently when failing to open RewriteLogs.
- PR 23416. [André Malo]
-
- *) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
- rewritten request using "proxy:". The code was adding multiple "proxy:"
- fields in the rewritten URI. PR: 13946.
- [Eider Oliveira <eider bol.com.br>]
-
- *) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
- expires as directed in RFC 2616. [Thomas Castelle <tcastelle generali.fr>]
-
- *) Ensure that ssl-std.conf is generated at configure time, and switch
- to using the expanded config variables to work the same as
- httpd-std.conf PR: 19611
- [Thom May]
-
- *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
- [Hartmut Keil <Hartmut.Keil adnovum.ch>]
-
- *) mod_autoindex: If a directory contains a file listed in the
- DirectoryIndex directive, the folder icon is no longer replaced
- by the icon of that file. PR 9587.
- [David Shane Holden <dpejesh yahoo.com>]
-
- *) Fixed mod_usertrack to not get false positive matches on the
- user-tracking cookie's name. PR 16661.
- [Manni Wood <manniwood planet-save.com>]
-
- *) mod_cache: Fix the cache code so that responses can be cached
- if they have an Expires header but no Etag or Last-Modified
- headers. PR 23130.
- [<bjorn exoweb.net>]
-
- *) mod_log_config: Fix %b log format to write really "-" when 0 bytes
- were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]
-
- *) Modify ap_get_client_block() to note if it has seen EOS.
- [Justin Erenkrantz]
-
- *) Fix a bug, where mod_deflate sometimes unconditionally compressed the
- content if the Accept-Encoding header contained only other tokens than
- "gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
-
- *) Avoid an infinite recursion, which occured if the name of an included
- config file or directory contained a wildcard character. PR 22194.
- [André Malo]
-
- *) mod_ssl: Fix a problem setting variables that represent the
- client certificate chain. PR 21371 [Jeff Trawick]
-
- *) Unix: Handle permissions settings for flock-based mutexes in
- unixd_set_global|proc_mutex_perms(). Allow the functions to be
- called for any type of mutex. PR 20312 [Jeff Trawick]
-
- *) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
-
- *) Fix a misleading message from the some of the threaded MPMs when
- MaxClients has to be lowered due to the setting of ServerLimit.
- [Jeff Trawick]
-
- *) Lower the severity of the "listener thread didn't exit" message
- to debug, as it is of interest only to developers. PR 9011
- [Jeff Trawick]
-
- *) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
- [Cliff Woolley, Jean-Jacques Clar]
-
- *) Install config.nice into the build/ directory to make
- minor version upgrades easier. [Joshua Slive]
-
- *) Fix mod_deflate so that it does not call deflate() without checking
- first whether it has something to deflate. (Currently this causes
- deflate to generate a fatal error according to the zlib spec.)
- PR 22259. [Stas Bekman]
-
- *) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an
- identity spoof is encountered.
- [Sander Striker]
-
- *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
- containing the .htaccess file is requested without a trailing slash.
- PR 20195. [André Malo]
-
- *) ab: Overlong credentials given via command line no longer clobber
- the buffer. [André Malo]
-
- *) mod_deflate: Don't attempt to hold all of the response until we're
- done. [Justin Erenkrantz]
-
- *) Assure that we block properly when reading input bodies with SSL.
- PR 19242. [David Deaves <David.Deaves dd.id.au>, William Rowe]
-
- *) Update mime.types to include latest IANA and W3C types. [Roy Fielding]
-
- *) mod_ext_filter: Set additional environment variables for use by
- the external filter. PR 20944. [Andrew Ho, Jeff Trawick]
-
- *) Fix buildconf errors when libtool version changes. [Jeff Trawick]
-
- *) Remember an authenticated user during internal redirects if the
- redirection target is not access protected and pass it
- to scripts using the REDIRECT_REMOTE_USER environment variable.
- PR 10678, 11602. [André Malo]
-
- *) mod_include: Fix a trio of bugs that would cause various unusual
- sequences of parsed bytes to omit portions of the output stream.
- PR 21095. [Ron Park <ronald.park cnet.com>, André Malo, Cliff Woolley]
-
- *) Update the header token parsing code to allow LWS between the
- token word and the ':' seperator. [PR 16520]
- [Kris Verbeeck <kris.verbeeck advalvas.be>, Nicel KM <mnicel yahoo.com>]
-
- *) Eliminate creation of a temporary table in ap_get_mime_headers_core()
- [Joe Schaefer <joe+gmane sunstarsys.com>]
-
- *) Added FreeBSD directory layout. PR 21100.
- [Sander Holthaus <info orangexl.com>, André Malo]
-
- *) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
- response. PR 21085. [Glenn Nielsen <glenn apache.org>, André Malo]
-
- *) mod_rewrite: Perform child initialization on the rewrite log lock.
- This fixes a log corruption issue when flock-based serialization
- is used (e.g., FreeBSD). [Jeff Trawick]
-
- *) Don't respect the Server header field as set by modules and CGIs.
- As with 1.3, for proxy requests any such field is from the origin
- server; otherwise it will have our server info as controlled by
- the ServerTokens directive. [Jeff Trawick]
-
-Changes with Apache 2.0.47
-
- *) SECURITY: CVE-2003-0192 (cve.mitre.org)
- Fixed a bug whereby certain sequences of per-directory
- renegotiations and the SSLCipherSuite directive being used to
- upgrade from a weak ciphersuite to a strong one could result in
- the weak ciphersuite being used in place of the strong one.
- [Ben Laurie]
-
- *) SECURITY: CVE-2003-0253 (cve.mitre.org)
- Fixed a bug in prefork MPM causing temporary denial of service
- when accept() on a rarely accessed port returns certain errors.
- Reported by Saheed Akhtar <S.Akhtar talis.com>. [Jeff Trawick]
-
- *) SECURITY: CVE-2003-0254 (cve.mitre.org)
- Fixed a bug in ftp proxy causing denial of service when target
- host is IPv6 but proxy server can't create IPv6 socket. Fixed by
- the reporter. [Yoshioka Tsuneo <tsuneo.yoshioka f-secure.com>]
-
- *) SECURITY [VU#379828] Prevent the server from crashing when entering
- infinite loops. The new LimitInternalRecursion directive configures
- limits of subsequent internal redirects and nested subrequests, after
- which the request will be aborted. PR 19753 (and probably others).
- [William Rowe, Jeff Trawick, André Malo]
-
- *) core_output_filter: don't split the brigade after a FLUSH bucket if
- it's the last bucket. This prevents creating unneccessary empty
- brigades which may not be destroyed until the end of a keepalive
- connection.
- [Juan Rivera <Juan.Rivera citrix.com>]
-
- *) Add support for "streamy" PROPFIND responses.
- [Ben Collins-Sussman <sussman collab.net>]
-
- *) mod_cgid: Eliminate a double-close of a socket. This resolves
- various operational problems in a threaded MPM, since on the
- second attempt to close the socket, the same descriptor was
- often already in use by another thread for another purpose.
- [Jeff Trawick]
-
- *) mod_negotiation: Introduce "prefer-language" environment variable,
- which allows to influence the negotiation process on request basis
- to prefer a certain language. [André Malo]
-
- *) Make mod_expires' ExpiresByType work properly, including for
- dynamically-generated documents. [Ken Coar, Bill Stoddard]
-
-Changes with Apache 2.0.46
-
- *) SECURITY: CVE-2003-0245 (cve.mitre.org)
- Fixed a bug causing apr_pvsprintf() to crash by sending an overly
- long string. This can be triggered remotely through mod_dav,
- mod_ssl, and other mechanisms.
- Reported by David Endler <DEndler iDefense.com>. [Joe Orton]
-
- *) SECURITY: CVE-2003-0189 (cve.mitre.org)
- Fixed a denial-of-service vulnerability affecting basic
- authentication on Unix platforms related to thread-safety in
- apr_password_validate().
- Reported by John Hughes <john.hughes entegrity.com>.
-
- *) Fix for mod_dav. Call the 'can_be_activity' callback, if provided,
- when a MKACTIVITY request comes in.
- [Ben Collins-Sussman <sussman collab.net>]
-
- *) Perform run-time query in apxs for apr and apr-util's includes.
- [Justin Erenkrantz]
-
- *) run libtool from the apr install directory (in case that is different
- from the apache install directory) [Jeff Trawick]
-
- *) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]
-
- *) If mod_mime_magic does not know the content-type, do not attempt to
- guess. PR 16908. [Andrew Gapon <agapon telcordia.com>]
-
- *) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
- caching. PR 17864.
- [Andreas Leimbacher <andreasl67 yahoo.de>, Madhusudan Mathihalli]
-
- *) Add a delete flag to htpasswd.
- [Thom May]
-
- *) Fix mod_rewrite's handling of absolute URIs. The escaping routines
- now work scheme dependent and the query string will only be
- appended if supported by the particular scheme. [André Malo]
-
- *) Add another check for already compressed content in mod_deflate.
- PR 19913. [Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]
-
- *) Fixes for VPATH builds; copying special.mk and any future .mk files
- from the source tree as well as the build tree (now creates a usable
- configuration for apxs), and eliminated redundant -I'nclude paths.
- [William Rowe]
-
- *) Code fixes, constness corrections and ssl_toolkit_compat.h updates
- for SSLC and OpenSSL toolkit compatibility. Still work remains to
- be done to cripple features based on the limitations of RSA's binary
- distribution of their SSL-C toolkit.
- [William Rowe, Madhusudan Mathihalli, Jeff Trawick]
-
- *) Linux 2.4+: If Apache is started as root and you code
- CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
- [Greg Ames]
-
- *) ap_get_mime_headers_core: allocate space for the trailing null
- when folding is in effect.
- PR 18170 [Peter Mayne <PeterMayne SPAM_SUX.ap.spherion.com>]
-
- *) Fix --enable-mods-shared=most and other variants. [Aaron Bannert]
-
- *) mod_log_config: Add the ability to log the id of the thread
- processing the request via new %P formats. [Jeff Trawick]
-
- *) Use appropriate language codes for Czech (cs) and Traditional Chinese
- (zh-tw) in default config files. PR 9427. [André Malo]
-
- *) mod_auth_ldap: Use generic whitespace character class when parsing
- "require" directives, instead of literal spaces only. PR 17135.
- [André Malo]
-
- *) Hook mod_rewrite's type checker before mod_mime's one. That way the
- RewriteRule [T=...] Flag should work as expected now. PR 19626.
- [André Malo]
-
- *) htpasswd: Check the processed file on validity. If a line is not empty
- and not a comment, it must contain at least one colon. Otherwise exit
- with error code 7. [Kris Verbeeck <Kris.Verbeeck ubizen.com>, Thom May]
-
- *) Fix a problem that caused httpd to be linked with incorrect flags
- on some platforms when mod_so was enabled by default, breaking
- DSOs on AIX. PR 19012 [Jeff Trawick]
-
- *) By default, use the same CC and CPP with which APR was built.
- The user can override with CC and CPP environment variables.
- [Jeff Trawick]
-
- *) Fix ap_construct_url() so that it surrounds IPv6 literal address
- strings with []. This fixes certain types of redirection.
- PR 19207. [Jeff Trawick]
-
- *) forward port of buffer overflow fixes for htdigest. [Thom May]
-
- *) Added AllowEncodedSlashes directive to permit control of whether
- the server will accept encoded slashes ('%2f') in the URI path.
- Default condition is off (the historical behaviour). This permits
- environments in which the path-info needs to contain encoded
- slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639. [Ken Coar]
-
- *) When using Redirect in directory context, append requested query
- string if there's no one supplied by configuration. PR 10961.
- [André Malo]
-
- *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
- the pattern will not always match as desired. PR 12596.
- [André Malo]
-
- *) mod_autoindex now emits and accepts modern query string parameter
- delimiters (;). Thus column headers no longer contain unescaped
- ampersands. PR 10880 [André Malo]
-
- *) Enable ap_sock_disable_nagle for Windows. This along with the
- addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle
- to be disabled for Windows. [Allan Edwards]
-
- *) Correct a mis-correlation between mpm_common.c and mpm_common.h;
- This patch reverts us to pre-2.0.46 behavior, using the
- ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle
- was never compiled on Win32. [Allan Edwards, William Rowe]
-
- *) Fix a build problem with passing unsupported --enable-layout
- args to apr and apr-util. This broke binbuild.sh as well as
- user-specified layout parameters. PR 18649 [Justin Erenkrantz,
- Jeff Trawick]
-
- *) If a Date response header was already set in the headers array,
- this value was ignored in favour of the current time. This meant
- that Date headers on proxied requests where rewritten when they
- should not have been. PR: 14376 [Graham Leggett]
-
- *) Add code to buildconf that produces an httpd.spec file from
- httpd.spec.in, using build/get-version.sh from APR.
- [Graham Leggett]
-
- *) Fixed a segfault when multiple ProxyBlock directives were used.
- PR: 19023 [Sami Tikka <sami.tikka f-secure.com>]
-
- *) SECURITY: CVE-2003-0134 (cve.mitre.org)
- OS2: Fix a Denial of Service vulnerability identified and
- reported by Robert Howard <rihoward rawbw.com> that where device
- names faulted the running OS2 worker process. The fix is
- actually in APR 0.9.4. [Brian Havard]
-
- *) SECURITY: CVE-2003-0083 (cve.mitre.org)
- Forward port: Escape special characters (especially control
- characters) in mod_log_config to make a clear distinction between
- client-supplied strings (with special characters) and server-side
- strings. This was already introduced in version 1.3.25.
- [André Malo]
-
- *) mod_deflate: Check also err_headers_out for an already set
- Content-Encoding: gzip header. This prevents gzip compressed content
- from a CGI script from being compressed once more. PR 17797.
- [André Malo]
-
-Changes with Apache 2.0.45
-
- *) Fix possible segfaults under obscure error conditions within the
- cgid daemon. [Jeff Trawick, William Rowe]
-
- *) SECURITY: CVE-2003-0132 (cve.mitre.org)
- Close a Denial of Service vulnerability identified by David
- Endler <DEndler iDefense.com> on all platforms. An unlimited
- stream of newlines were acceptable between requests where each
- <lf> would allocate an 80 byte buffer, leading very quickly to
- memory exahustion. [Brian Pane]
-
- *) Added an rpm build script.
- [Graham Leggett, Joe Orton <jorton redhat.com>]
-
- *) Simpler, faster code path for request header scanning [Brian Pane]
-
- *) SECURITY: Eliminated leaks of several file descriptors to child
- processes, such as CGI scripts. This fix depends on the APR library
- release 0.9.2 or later (0.9.3 was distributed with the httpd
- source tarball for Apache 2.0.45.) PR 17206
- [Christian Kratzer <ck cksoft.de>, Bjoern A. Zeeb <bz zabbadoz.net>]
-
- *) Fix path handling of mod_rewrite, especially on non-unix systems.
- There was some confusion between local paths and URL paths.
- PR 12902. [André Malo]
-
- *) Prevent endless loops of internal redirects in mod_rewrite by
- aborting after exceeding a limit of internal redirects. The
- limit defaults to 10 and can be changed using the RewriteOptions
- directive. PR 17462. [André Malo]
-
- *) Win32: Avoid busy wait (consuming all the CPU idle cycles) when
- all worker threads are busy.
- [Igor Nazarenko <igor_nazarenko hotmail.com>]
-
- *) Keep the subrequest filter in place when a subrequest is
- redirected. PR 15423. [Jeff Trawick]
-
- *) you can now specify the compression level for mod_deflate.
- [Ian Holsman, Stephen Pierzchala <stephen pierzchala.com>,
- Michael Schroepl <Michael.Schroepl telekurs.de>]
-
- *) mod_deflate: Extend the DeflateFilterNote directive to
- allow accurate logging of the filter's in- and outstream.
- [André Malo]
-
- *) Allow SSLMutex to select/use the full range of APR locking
- mechanisms available to it. Also, fix the bug that SSLMutex uses
- APR_LOCK_DEFAULT no matter what. PR 8122 [Jim Jagielski,
- Martin Kutschker <martin.t.kutschker blackbox.net>]
-
- *) Restore the ability of htdigest.exe to create files that contain
- more than one user. PR 12910. [André Malo]
-
- *) Improve binary compatibility of the core between debug (aka
- maintainer-mode) and a non-debug compile.
- [Sander Striker]
-
- *) mod_usertrack: don't set the cookie in subrequests. This works
- around the problem that cookies were set twice during fast internal
- redirects. PR 13211. [André Malo]
-
- *) mod_autoindex no longer forgets output format and enabled version
- sort in linked column headers. [André Malo]
-
- *) Use .sv instead of .se as extension for Swedish documents in the
- default configuration. PR 12877. [André Malo]
-
- *) Updated mod_ldap and mod_auth_ldap to support the Novell LDAP SDK SSL
- and standardized the LDAP SSL support across the various LDAP SDKs.
- Isolated the SSL functionality to mod_ldap rather than speading it
- across mod_auth_ldap and mod_ldap. Also added LDAPTrustedCA
- and LDAPTrustedCAType directives to mod_ldap to allow for a more
- common method of specifying the SSL certificate.
- [Dave Ward, Brad Nicholes]
-
- *) Fixed mod_ssl's SSLCertificateChain initialization to no longer
- skip the first cert of the chain by default. This misbehavior
- was introduced in 2.0.34. PR 14560 [Madhusudan Mathihalli]
-
- *) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
- be started on Unix because of such problems as bad permissions,
- bad shebang line, etc. [Jeff Trawick]
-
- *) Fix 64-bit problem in mod_ssl input logic.
- [Madhusudan Mathihalli <madhusudan_mathihalli hp.com>]
-
- *) Fix potential memory leaks in mod_deflate on malformed data. PR 16046.
- [Justin Erenkrantz]
-
- *) Rewrite ap_xml_parse_input to use bucket brigades. PR 16134.
- [Justin Erenkrantz]
-
- *) Fix segfault which occurred when a section in an included
- configuration file was not closed. PR 17093. [André Malo]
-
- *) Enhance the behavior of mod_isapi's WriteClient() callback to
- provide better emulation for isapi modules that presume that the
- first WriteClient() call may send status and headers. An example
- of WriteClient() abuse is the foxisapi module, which relies on
- that assumpion and now works. [William Rowe, Milan Kosina]
-
- *) Check the return value of ap_run_pre_connection(). So if the
- pre_connection phase fails (without setting c->aborted)
- ap_run_process_connection is not executed. [Stas Bekman]
-
- *) Fixed a problem with mod_ldap which caused it to fault when caching
- was disabled. Needed to make sure that the code did not
- attempt to use the cache if it didn't exist. Also fixed some memory
- leaks which were due to not releasing LDAP resources on error
- conditions. [Brad Nicholes]
-
- *) Hook mod_proxy's fixup before mod_rewrite's fixup, so that by
- mod_rewrite proxied URLs will not be escaped accidentally by
- mod_proxy's fixup. PR 16368 [André Malo]
-
- *) While processing filters on internal redirects, remember seen EOS
- buckets also in the request structure of the redirect issuer(s). This
- prevents filters (such as mod_deflate) from adding garbage to the
- response. PR 14451. [André Malo]
-
- *) suexec: Be more pedantic when cleaning environment. Clean it
- immediately after startup. PR 2790, 10449.
- [Jeff Stewart <jws purdue.edu>, André Malo]
-
- *) Fix apxs to insert LoadModule directives only outside of sections.
- PR 8712, 9012. [André Malo]
-
- *) Fix suexec compile error under SUNOS4, where strerror() doesn't
- exist. PR 5913, 9977.
- [Jonathan W Miner <Jonathan.W.Miner lmco.com>]
-
- *) Fix If header parsing when a non-mod_dav lock token is passed to it.
- PR 16452. [Justin Erenkrantz]
-
- *) mod_auth_digest no longer tries to guess AuthDigestDomain, if it's
- not specified. Now it assumes "/" as already documented. PR 16937.
- [André Malo]
-
- *) Try to log an error if a piped log program fails. Try to
- restart a piped log program in more failure situations. Fix an
- existing problem with error handling in piped_log_spawn(). Use
- new APR apr_proc_create() features to prevent Apache from starting
- on Unix* in most cases where a piped log program can be started,
- and add log messages for the other situations. *Other platforms
- already failed Apache initialization if a piped log program
- couldn't be started. PR 15761 [Jeff Trawick]
-
- *) Fix mod_cern_meta to not create empty metafiles when the
- metafile searched for does not exist. PR 12353
- [Owen Rees <owen_rees hp.com>]
-
- *) Introduce debugging symbols for Win32 release builds, both .pdb
- and .dbg files (older debuggers and Dr. Watson-type utilities
- on WinNT or Win9x don't support the newer .pdb flavor.)
- [Allen Edwards, William Rowe]
-
- *) Fix bug where 'Satisfy Any' without an AuthType lost all MIME
- information (and more). Related to PR 9076. [André Malo]
-
- *) mod_file_cache: fix segfault serving mmaped cached files.
- [Bill Stoddard]
-
- *) mod_file_cache: fixed a segfault when multiple MMapFile directives
- were used. PR 16313. [Cliff Woolley]
-
- *) Fix a nasty segfault in mmap_bucket_setaside() caused by passing
- an incompatible pointer type to mmap_bucket_destroy(void*).
- [Gerard Eviston <geviston bigpond.net.au>]
-
- *) Enable the -n name parameter on NetWare to allow the
- administrator to rename the Apache console screen
- [Brad Nicholes]
-
- *) Fixed piped access logs on Win32 by disabling OTHER_CHILD
- support by default in APR. More development is required
- to deploy OTHER_CHILD on Win32. [William Rowe]
-
- *) Use saner default config values for suexec. PR 15713.
- [Thom May <thom planetarytramp.net>]
-
- *) mod_rewrite: Allow "RewriteEngine Off" even if no "Options FollowSymlinks"
- (or SymlinksIfOwnermatch) is set. PR 12395. [André Malo]
-
- *) apxs: Include any special APR ld flags when linking the DSO.
- This resolves problems on AIX when building a DSO with apxs+gcc.
- [Jeff Trawick]
-
- *) Added character set support to mod_auth_LDAP to allow it to
- convert extended characters used in the user ID to UTF-8
- before authenticating against the LDAP directory. The new
- directive AuthLDAPCharsetConfig is used to specify the config
- file that contains the character set conversion table.
- [Brad Nicholes]
-
- *) Don't remove the Content-Length from responses in mod_proxy
- PR: 8677 [Brian Pane]
-
- *) Ensure LDAP version is set to v3 on every bind. PR 14235.
- [Sergey A. Lipnevich <sergeyli pisem.net>]
-
- *) Fix mod_ldap to open an existing shared memory file should one
- already exist. PR 12757. [Scooter Morris <scooter gene.com>,
- Graham Leggett]
-
- *) Fix the ulimit command used by apachectl on Tru64. PR 13609.
- [Joseph Senulis <Joseph.Senulis dnr.state.wi.us>, Jeff Trawick]
-
- *) Change the ulimit command used by apachectl on AIX so that it
- works in all locales. [Jeff Trawick]
-
- *) mod_ext_filter: Fix a problem building argument lists which
- occasionally caused exec to fail. PR 15491. [Jeff Trawick]
-
-Changes with Apache 2.0.44
-
- *) mod_autoindex: Bring forward the IndexOptions IgnoreCase option
- from Apache 1.3. PR 14276
- [David Shane Holden <dpejesh yahoo.com>, William Rowe]
-
- *) mod_mime: Workaround to prevent a segfault if r->filename=NULL
- [Brian Pane]
-
- *) Reorder the definitions for mod_ldap and mod_auth_ldap within
- config.m4 to make sure the parent mod_ldap is defined first.
- This ensures that mod_ldap comes before mod_auth_ldap in the
- httpd.conf file, which is necessary for mod_auth_ldap to load.
- PR 14256 [Graham Leggett]
-
- *) Fix the building of cgi command lines when the query string
- contains '='. PR 13914 [Ville Skyttä <ville.skytta iki.fi>,
- Jeff Trawick]
-
- *) Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move
- implementation of MCacheMaxStreamingBuffer from mod_cache to
- mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the
- lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should
- eliminate the need for explicitly coding MCacheMaxStreamingBuffer
- in most configurations. [Bill Stoddard]
-
- *) mod_cache: Fix PR 15113, a core dump in cache_in_filter when
- a redirect occurs. The code was passing a format string and
- integer to apr_pstrcat. Changed to apr_psprintf.
- [Paul J. Reder]
-
- *) Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL
- as set by apr-util in util_ldap.c. This should allow mod_ldap
- to work with the Netscape/Mozilla LDAP library. [Øyvin Sømme
- <somme oslo.westerngeco.slb.com>, Graham Leggett]
-
- *) Fix critical bug in new --enable-v4-mapped configure option
- implementation which broke IPv4 listening sockets on some
- systems. [hiroyuki hanai <hanai imgsrc.co.jp>]
-
- *) mod_setenvif: Fix BrowserMatchNoCase support for non-regex
- patterns [André Malo <nd perlig.de>]
-
- *) Add version string to provider API. [Justin Erenkrantz]
-
- *) build: './configure && make' now works without an in-tree
- apr and apr-util. [Wilfredo Sanchez]
-
- *) mod_negotiation: Set the appropriate mime response headers
- (Content-Type, charset, Content-Language and Content-Encoding)
- for negotated type-map "Body:" responses (such as the error
- pages.) [André Malo <nd perlig.de>]
-
- *) mod_log_config: Allow '%%' escaping in CustomLog format
- strings to insert a literal, single '%'.
- [André Malo <nd perlig.de>]
-
- *) mod_autoindex: AddDescription directives for directories
- now work as in Apache 1.3, where no trailing '/' is
- specified on the directory name. Previously, the trailing
- '/' *had* to be specified, which was incompatible with
- Apache 1.3. PR 7990 [Jeff Trawick]
-
- *) Fix for PR 14556. The expiry calculations in mod_cache were
- trying to perform "now + ((date - lastmod) * factor)" where
- date == lastmod resulting in "now + 0". The code now follows
- the else path (using the default expiration) if date is
- equal to lastmod. [Sergey <rx armstrike.com>, Paul J. Reder]
-
- *) Use AP_DECLARE in the debug versions of ap_strXXX in case the
- default calling convention is not the same as the one used by
- AP_DECLARE. [Juan Rivera <Juan.Rivera citrix.com>]
-
- *) mod_cache: Don't cache response header fields designated
- as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1).
- [Estrade Matthieu <estrade-m ifrance.com>, Brian Pane]
-
- *) mod_cgid: Handle environment variables containing newlines.
- PR 14550 [Piotr Czejkowski <apache czarny.eu.org>, Jeff
- Trawick]
-
- *) Move mod_ext_filter out of experimental and into filters.
- [Jeff Trawick]
-
- *) Fixed a memory leak in mod_deflate with dynamic content.
- PR 14321 [Ken Franken <kfranken decisionmark.com>]
-
- *) Add --[enable|disable]-v4-mapped configure option to control
- whether or not Apache expects to handle IPv4 connections
- on IPv6 listening sockets. Either setting will work on
- systems with the IPV6_V6ONLY socket option. --enable-v4-mapped
- must be used on systems that always allow IPv4 connections on
- IPv6 listening sockets. PR 14037 (Bugzilla), PR 7492 (Gnats)
- [Jeff Trawick]
-
- *) This fixes a problem where the underlying cache code
- indicated that there was one more element on the cache
- than there actually was. This happened since element 0
- exists but is not used. This code allocates the correct
- number of useable elements and reports the number of
- actually used elements. The previous code only allowed
- MCacheMaxObjectCount-1 objects to be stored in the
- cache. [Paul J. Reder]
-
- *) mod_setenvif: Add SERVER_ADDR special keyword to allow
- envariable setting according to the server IP address
- which received the request. [Ken Coar]
-
- *) mod_cgid: Terminate CGI scripts when the client connection
- drops. PR 8388 [Jeff Trawick]
-
- *) Rearrange OpenSSL engine initialization to support RAND
- redirection on crypto accelerator.
- [Frederic DONNAT <frederic.donnat zencod.com>]
-
- *) Always emit Vary header if mod_deflate is involved in the
- request. [André Malo <nd perlig.de>]
-
- *) mod_isapi: Stop unsetting the 'empty' query string result with
- a NULL argument in ecb->lpszQueryString, eliminating segfaults
- for some ISAPI modules. PR 14399
- [Detlev Vendt <detlev.vendt brillit.de>]
-
- *) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION
- notification is received before the HttpExtensionProc() returns
- HSE_STATUS_PENDING. This only affected isapi .dll's configured
- with the ISAPIFakeAsync on directive. PR 11918
- [John DeSetto <jdesetto radiantsystems.com>, William Rowe]
-
- *) mod_isapi: Fix the issue where all results from mod_isapi would
- run through the core die handler resulting in invalid responses
- or access log entries. PR 10216 [William Rowe]
-
- *) Improves the user friendliness of the CacheRoot processing
- over my last pass. This version avoids the pool allocations
- but doesn't avoid all of the runtime checks. It no longer
- terminates during post-config processing. An error is logged
- once per worker, indicating that the CacheRoot needs to be set.
- [Paul J. Reder]
-
- *) Fix a bug where we keep files open until the end of a
- keepalive connection, which can result in:
- (24)Too many open files: file permissions deny server access
- especially on threaded servers. [Greg Ames, Jeff Trawick]
-
- *) Fix a bug in which mod_proxy sent an invalid Content-Length
- when a proxied URL was invoked as a server-side include within
- a page generated in response to a form POST. [Brian Pane]
-
- *) Added code to process min and max file size directives and to
- init the expirychk flag in mod_disk_cache. Added a clarifying
- comment to cache_util. [Paul J. Reder]
-
- *) The value emitted by ServerSignature now mimics the Server HTTP
- header as controlled by ServerTokens. [Francis Daly <deva daoine.org>]
-
- *) Gracefully handly retry situations in the SSL input filter,
- by following the SSL libraries' retry semantics.
- [William Rowe]
-
- *) Terminate CGI scripts when the client connection drops. This
- fix only applies to some normal paths in mod_cgi. mod_cgid
- is still busted. PR 8388 [Jeff Trawick]
-
- *) Fix a bug where 416 "Range not satisfiable" was being
- returned for content that should have been redirected.
- [Greg Ames]
-
- *) Fix memory leak in mod_ssl from internal SSL library allocations
- within SSL_get_peer_certificate and X509_get_pubkey.
- [Zvi Har'El <rl math.technion.ac.il>
- Madhusudan Mathihalli <madhusudan_mathihalli hp.com>].
-
- *) mod_ssl uses free() inappropriately in several places, to free
- memory which has been previously allocated inside OpenSSL.
- Such memory should be freed with OPENSSL_free(), not with free().
- [Nadav Har'El <nyh math.technion.ac.il>,
- Madhusudan Mathihalli <madhusudan_mathihalli hp.com>].
-
- *) Emit a message to the error log when we return 404 because
- the URI contained '%2f'. (This was previously nastily silent
- and difficult to debug.) [Ken Coar]
-
- *) Fix streaming output from an nph- CGI script. CGI:IRC now
- works. PR 8482 [Jeff Trawick]
-
- *) More accurate logging of bytes sent in mod_logio when
- the client terminates the connection before the response
- is completely sent [Bojan Smojver <bojan rexursive.com>]
-
- *) Fix some problems in the perchild MPM.
- [Jonas Eriksson <jonas webkonsulterna.com>]
-
- *) Change the CacheRoot processing to check for a required
- value at config time. This saves a lot of wasted processing
- if the mod_disk_cache module is loaded but no CacheRoot
- was provided. This fix also adds code to log an error
- and avoid useless pallocs and procesing when the computed
- cache file name cannot be opened. This also updates the
- docs accordingly. [Paul J. Reder]
-
- *) Introduce the EnableSendfile directive, allowing users of NFS
- shares to disable sendfile mechanics when they either fail
- outright or provide intermitantly corrupted data. PR
- [William Rowe]
-
- *) Resolve the error "An operation was attempted on something
- that is not a socket. : winnt_accept: AcceptEx failed.
- Attempting to recover." for users of various firewall and
- anti-virus software on Windows. PR 8325 [William Rowe]
-
- *) Add the ProxyBadHeader directive, which gives the admin some
- control on how mod_proxy should handle bogus HTTP headers from
- proxied servers. This allows 2.0 to "emulate" 1.3's behavior if
- desired. [Jim Jagielski]
-
- *) Change the LDAP modules to export their symbols correctly
- during a Windows build. Add dsp files for Windows. Update
- README.ldap file for Windows build instructions.
- [Andre Schild <A.Schild aarboard.ch>]
-
- *) Performance improvements for the code that generates HTTP
- response headers [Brian Pane]
-
- *) Add -S as a synonym for -t -DDUMP_VHOSTS.
- [Thom May <thom planetarytramp.net>]
-
- *) Fix a bug with dbm rewrite maps which caused the wrong value to
- be used when the key was not found in the dbm. PR 13204
- [Jeff Trawick]
-
- *) Fix a problem with streaming script output and mod_cgid.
- [Jeff Trawick]
-
- *) Add ap_register_provider/ap_lookup_provider API.
- [John K. Sterling <john sterls.com>, Justin Erenkrantz]
-
-Changes with Apache 2.0.43
-
- *) SECURITY: CVE-2002-0840 (cve.mitre.org)
- HTML-escape the address produced by ap_server_signature() against
- this cross-site scripting vulnerability exposed by the directive
- 'UseCanonicalName Off'. Also HTML-escape the SERVER_NAME
- environment variable for CGI and SSI requests. It's safe to
- escape as only the '<', '>', and '&' characters are affected,
- which won't appear in a valid hostname. Reported by Matthew
- Murphy <mattmurphy kc.rr.com>. [Brian Pane]
-
- *) Fix a core dump in mod_cache when it attemtped to store uncopyable
- buckets. This happened, for instance, when a file to be cached
- contained SSI tags to execute a CGI script (passed as a pipe
- bucket). [Paul J. Reder]
-
- *) Ensure that output already available is flushed to the network
- when the content-length filter realizes that no new output will
- be available for a while. This helps some streaming CGIs as
- well as some other dynamically-generated content. [Jeff Trawick]
-
- *) Fix a mutex problem in mod_ssl session cache support which
- could lead to an infinite loop. PR 12705
- [Amund Elstad <amund.elstad ergo.no>, Jeff Trawick]
-
- *) SECURITY: CVE-2002-1156 (cve.mitre.org)
- Fix the exposure of CGI source when a POST request is sent to
- a location where both DAV and CGI are enabled. [Ryan Bloom]
-
- *) Allow the UserDir directive to accept a list of directories.
- This matches what Apache 1.3 does. Also add documentation for
- this feature. [Jay Ball <jay veggiespam.com>]
-
- *) New Module: mod_logio. adds the ability to log bytes sent and
- received. [Bojan Smojver <bojan rexursive.com>]
-
- *) SuExec needs to use the same default directory as the rest of
- server, namely /usr/local/apache2.
- [SangBeom han <sbhan os.korea.ac.kr>]
-
- *) Get mod_auth_ldap to retry connections on LDAP_SERVER_DOWN.
- [Thomas Bennett <thomas.bennett eds.com>, Graham Leggett]
-
- *) Make sure the contents of the WWW-Authenticate header is
- passed on a 4xx error by proxy. Previously all headers
- were dropped, resulting in the browser being unable to
- authenticate. [Dr Richard Reiner <rreiner fscinternet.com>,
- Richard Danielli <rdanielli fscinternet.com>, Graham Wiseman
- <gwiseman fscinternet.com>, David Henderson
- <dhenderson fscinternet.com>]
-
- *) Make mod_cache's CacheMaxStreamingBuffer directive work
- properly for virtual hosts that override server-wide mod_cache
- setttings. [Matthieu Estrade <estrade-m ifrance.com>]
-
- *) Add -p option to apxs to allow programs to be compiled with apxs.
- [Justin Erenkrantz]
-
-Changes with Apache 2.0.42
-
- *) SECURITY: CVE-2002-1593 (cve.mitre.org) [CERT VU#406121]
- mod_dav: Check for versioning hooks before using them.
- [Greg Stein]
-
-Changes with Apache 2.0.41
-
- *) The protocol version (eg: HTTP/1.1) in the request line parsing
- is now case insensitive. [Jim Jagielski]
-
- *) Allow AddOutputFilterByType to add multiple filters per directive.
- [Justin Erenkrantz]
-
- *) Remove warnings with Sun's Forte compiler. [Justin Erenkrantz]
-
- *) Fixed mod_disk_cache's generation of 304s
- [Kris Verbeeck <Kris.Verbeeck ubizen.com>]
-
- *) Add support for using fnmatch patterns in the final path
- segment of an Include statement (eg.. include /foo/bar/*.conf).
- and remove the noise on stderr during config dir processing.
- [Joe Orton <jorton redhat.com>]
-
- *) mod_cache: cache_storage.c. Add the hostname and any request
- args to the key generated for caching. This provides a unique
- key for each virtual host and for each request with unique
- args. [Paul J. Reder, args code provided by Kris Verbeeck]
-
- *) mod_cache: Do not cache responses to GET requests with query
- URLs if the origin server does not explicitly provide an
- Expires header on the response (RFC 2616 Section 13.9)
- [Kris Verbeeck <krisv be.ubizen.com>]
-
- *) Fix memory leak in core_output_filter. [Justin Erenkrantz]
-
- *) Update OpenSSL detection to work on Darwin.
- [Sander Temme <sctemme covalent.net>]
-
- *) Update the xslt and css to give the documentation a more
- modern style.
- [André Malo <nd perlig.de>, Gernot Winkler <greh o3media.de>]
-
- *) Fix some bucket memory leaks in the chunking code
- [Joe Schaefer <joe+apache sunstarsys.com>]
-
- *) Add ModMimeUsePathInfo directive. [Justin Erenkrantz]
-
- *) mod_cache: added support for caching streamed responses (proxy,
- CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]
-
- *) Add image/x-icon to httpd.conf PR 10993.
- [Ian Holsman, Peter Bieringer <pb bieringer.de>]
-
- *) Fix FileETags none operation. PR 12207.
- [Justin Erenkrantz, Andrew Ho <andrew tellme.com>]
-
- *) Restored the experimental leader/followers MPM to working
- condition and converted its thread synchronization from
- mutexes to atomic CAS. [Brian Pane]
-
- *) Fix Logic on non-html file removal in mod_deflate
- [Kris Verbeeck <Kris.Verbeeck ubizen.com>]
-
- *) Fix "ab -g"'s truncated year: the last digit was cut off.
- [Leon Brocard <acme astray.com>]
-
- *) mod_rewrite can now sets cookies in err_headers, uses the correct
- expiry date, and can now set the path as well
- PR 12132,12181,12172.
- [Ian Holsman / Rob Cromwell <apachechangelog robcromwell.com>]
-
- *) The content-length filter no longer tries to buffer up
- the entire output of a long-running request before sending
- anything to the client. [Brian Pane]
-
- *) Win32: Lower the default stack size from 1MB to 256K. This will
- allow around 8000 threads to be started per child process.
- 'EDITBIN /STACK:size apache.exe' can be used to change this
- value directly in the apache.exe executable.
- [Bill Stoddard]
-
- *) Win32: Implement ThreadLimit directive in the Windows MPM.
- [Bill Stoddard]
-
- *) Remove CacheOn config directive since it is set but never checked.
- No sense wasting cycles on unused code. Besides, the only truly
- bug free code is deleted code. :) [Paul J. Reder]
-
- *) BufferLogs are now run-time enabled, and the log_config now has 2 new
- callbacks to allow a 3rd party module to actually do the writing of the
- log file [Ian Holsman]
-
- *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs.
- [André Malo, Astrid Keßler <kess kess-net.de>]
-
- *) Fix Segfault in mod_cache. [Kris Verbeeck <Kris.Verbeeck ubizen.com>]
-
- *) Fix a null pointer dereference in the merge_env_dir_configs
- function of the mod_env module. PR 11791
- [Paul J. Reder]
-
- *) New option to ServerTokens 'maj[or]'. Only show the major version
- Also Surfaced this directive in the standard config (default FULL)
- [Ian Holsman]
-
- *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite
- maps. The dbm type (e.g., ndbm, gdbm) can be specified on the
- RewriteMap directive. PR 10644 [Jeff Trawick]
-
- *) Fixed mod_rewrite's RewriteMap prg: support so that request/response
- pairs will no longer get out of sync with each other. PR 9534
- [Cliff Woolley]
-
- *) Fixes required to get quoted and escaped command args working in
- mod_ext_filter. PR 11793 [Paul J. Reder]
-
- *) mod-proxy: handle proxied responses with no status lines
- [JD Silvester <jsilves uwo.ca>, Brett Huttley <brett huttley.net>]
-
- *) Fix bug where environment or command line arguments containing
- non-ASCII-7 characters would cause the Win32 child process creation
- to fail. PR 11854 [William Rowe]
-
- *) Bug #11213.. make module loading error messages more informative
- [Ian Darwin <Ian779 darwinsys.com>]
-
- *) thread safety & proxy-ftp [Alexey Panchenko <alexey liwest.ru>, Ian Holsman]
-
- *) mod_disk_cache works much better. This module should still
- be considered experimental. [Eric Prud'hommeaux]
-
- *) Performance improvement for keepalive requests: when setting
- aside a small file for potential concatenation with the next
- response on the connection, set aside the file descriptor rather
- than copying the file into the heap. [Brian Pane]
-
- *) Modified version check on openssl so that it finds the executable
- first and then performs a check of the version, only warning the
- user if they chose, or we selected, an old version of OpenSSL.
- This change also allows the code to work for non-openssl libraries
- selected via the --with-ssl=dir option, which can override the
- automated library check in any case. [Roy Fielding]
-
-Changes with Apache 2.0.40
-
- *) SECURITY: CVE-2002-0661 (cve.mitre.org)
- Close a very significant security hole that
- applies only to the Win32, OS2 and Netware platforms. Unix was not
- affected, Cygwin may be affected. Certain URIs will bypass security
- and allow users to invoke or access any file depending on the system
- configuration. Without upgrading, a single .conf change will close
- the vulnerability. Add the following directive in the global server
- httpd.conf context before any other Alias or Redirect directives;
- RedirectMatch 400 "\\\.\."
- Reported by Auriemma Luigi <bugtest sitoverde.com>.
- [Brad Nicholes]
-
- *) SECURITY: CVE-2002-0654 (cve.mitre.org)
- Close a path-revealing exposure in multiview type
- map negotiation (such as the default error documents) where the
- module would report the full path of the typemapped .var file when
- multiple documents or no documents could be served based on the mime
- negotiation. Reported by Auriemma Luigi <bugtest sitoverde.com>.
- [William Rowe]
-
- *) SECURITY: CVE-2002-0654 (cve.mitre.org)
- Close a path-revealing exposure in cgi/cgid when we
- fail to invoke a script. The modules would report "couldn't create
- child process /path-to-script/script.pl" revealing the full path
- of the script. Reported by Jim Race <jrace qualys.com>.
- [Bill Stoddard]
-
- *) Set aside the apr-iconv and apr_xlate() features for the Win32
- build of 2.0.40 so development can be completed. A patch, from
- <http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
- will be available for those that wish to work with apr-iconv.
- [William Rowe]
-
- *) Fix proxy so that it is possible to access ftp: URLs via a proxy
- chain. [Peter Van Biesen <peter.vanbiesen vlafo.be>]
-
- *) mod-deflate now checks to make sure that 'gzip-only-text/html' is
- set to 1, so we can exclude things from the general case with
- browsermatch. [Ian Holsman, Andre Schild <A.Schild aarboard.ch>]
-
- *) Accept multiple leading /'s for requests within the DocumentRoot.
- PR 10946 [William Rowe, David Shane Holden <dpejesh yahoo.com>]
-
- *) Solved the reports of .pdf byterange failures on Win32 alone.
- APR's sendfile for the win32 platform collapses header and trailer
- buffers into a single buffer. However, we destroyed the pointers
- to the header buffer if a trailer buffer was present. PR 10781
- [William Rowe]
-
- *) mod_ext_filter: Add the ability to enable or disable a filter via
- an environment variable. Add the ability to register a filter of
- type other than AP_FTYPE_RESOURCE. [Jeff Trawick]
-
- *) Restore the ability to specify host names on Listen directives.
- PR 11030. [Jeff Trawick, David Shane Holden <dpejesh yahoo.com>]
-
- *) When deciding on the default address family for listening sockets,
- make sure we can actually bind to an AF_INET6 socket before
- deciding that we should default to AF_INET6. This fixes a startup
- problem on certain levels of OpenUNIX. PR 10235. [Jeff Trawick]
-
- *) Replace usage of atol() to parse strings when we might want a
- larger-than-long value with apr_atoll(), which returns long long.
- This allows HTTPD to deal with larger files correctly.
- [Shantonu Sen <ssen apple.com>]
-
- *) mod_ext_filter: Ignore any content-type parameters when checking if
- the response should be filtered. Previously, "intype=text/html"
- wouldn't match something like "text/html;charset=8859_1".
- [Jeff Trawick]
-
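Review bot: every line in this hunk is a deletion, and among them are the only "SECURITY:" entries this file carried for the 2.0.x line (CVE-2002-0840, CVE-2002-1156, CVE-2002-1593 with CERT VU#406121, CVE-2002-0661, and CVE-2002-0654, which is listed twice for the two distinct path-disclosure fixes in mod_negotiation and mod_cgi/mod_cgid), together with the documented administrator workaround for CVE-2002-0661:
 - httpd.conf context before any other Alias or Redirect directives;
 - RedirectMatch 400 "\\\.\."
After this change a grep of the 2.2.x tree for any of those CVE identifiers returns nothing, so anyone triaging a scanner hit against a 2.2.x build can no longer confirm from the shipped CHANGES that the issue predates the branch. If the intent is to refer readers to the 2.0.x branch's own CHANGES for this history, please confirm that target is a stable, permanent URL rather than a viewvc query, and consider keeping a short list of the CVE identifiers (one line each, pointing at the 2.0.x CHANGES) so the security record survives in this branch. Note also that the entry "Introduce the EnableSendfile directive ... PR" has no PR number; that is pre-existing, not something to patch up in the removal.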
[... 12040 lines stripped ...]