You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by st...@apache.org on 2003/01/20 23:40:16 UTC
cvs commit: httpd-dist Announcement2.html Announcement2.txt
striker 2003/01/20 14:40:16
Modified: . Announcement2.html Announcement2.txt
Log:
Update Announcements.
Revision Changes Path
1.30 +306 -119 httpd-dist/Announcement2.html
Index: Announcement2.html
===================================================================
RCS file: /home/cvs/httpd-dist/Announcement2.html,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- Announcement2.html 3 Oct 2002 20:37:01 -0000 1.29
+++ Announcement2.html 20 Jan 2003 22:40:15 -0000 1.30
@@ -1,152 +1,339 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
-<HTML>
-<HEAD>
-<TITLE>Apache HTTP Server Project</TITLE>
-</HEAD>
+<html>
+<head>
+<title>Apache HTTP Server Project</title>
+</head>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
-<BODY
- BGCOLOR="#FFFFFF"
- TEXT="#000000"
- LINK="#0000FF"
- VLINK="#000080"
- ALINK="#FF0000"
+<body
+ bgcolor="#FFFFFF"
+ text="#000000"
+ link="#0000FF"
+ vlink="#000080"
+ alink="#FF0000"
>
-<IMG SRC="../../images/apache_sub.gif" ALT="">
+<img src="../../images/apache_sub.gif" alt="">
-<h1>Apache 2.0.43 Released</h1>
+<h1>Apache 2.0.44 Released</h1>
-<p>The Apache Software Foundation and The Apache Server Project are
- pleased to announce the sixth public release of the Apache 2.0
- HTTP Server. This Announcement notes the significant changes in
- 2.0.43, as compared to 2.0.42.</p>
+<p>The Apache Software Foundation and The Apache HTTP Server Project are
+ pleased to announce the seventh public release of the Apache 2.0
+ HTTP Server. This Announcement notes the significant changes in
+ 2.0.44 as compared to 2.0.43.</p>
<p>This version of Apache is principally a security and bug fix release.
A summary of the bug fixes is given at the end of this document.
- Of particular note is that 2.0.43 addresses and fixes two security
- vulnerabilities.</p>
+ Of particular note is that 2.0.44 addresses three security
+ vulnerabilities affecting the Windows platform.</p>
-<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840"
- >CAN-2002-0840 (cve.mitre.org)</a>: Apache is susceptible to a cross site
- scripting vulnerability in the default 404 page of any web server hosted
- on a domain that allows wildcard DNS lookups. We thank Matthew Murphy for
- notification of this issue.</p>
-
-<p><a href="http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13025"
- >Bug ID 13025</a>: Apache would serve script source code for POST requests
- when the DAV On directive enabled mod_dav for a given resource. We thank
- Sander Holthaus for notification of this issue.</p>
+<p>VU#979793[1] Versions of Windows 9x and Me could be crashed by a malicious
+ request to Apache that contains a MS-DOS device name. This is a known
+ security issues in Microsoft Windows for a which a fix is available:
+ http://www.microsoft.com/technet/Security/Bulletin/ms00-017.asp
+ Apache 2.0.44 has also been patched to correctly filter MS-DOS device
+ names preventing the crash even if the Microsoft update is not applied
+ (cve.mitre.org:
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0016">
+ CAN-2003-0016</a>).</p>
+
+ VU#825177[2] As a consequence of VU#979793, a remote attacker can
+ run arbitrary code on a server running Apache under Windows 9x and Me
+ by sending a carefully crafted POST request containing a MS-DOS device
+ name (cve.mitre.org:
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0016">
+ CAN-2003-0016</a>).</p>
+
+ On Windows platforms Apache could be forced to serve unexpected files
+ by appending illegal characters such as '<' to the request URL
+ (cve.mitre.org:
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0017">
+ CAN-2003-0017</a>).</p>
+
+<p>The Apache Software Foundation would like to thank Matthew Murphy and
+ Lionel Brits for the responsible reporting of these issues.</p>
+
+<p>The 2.0.44 release marks a change in the Apache release process and a new
+ level of stability in the 2.0 series. Beginning with this release, we
+ will make every effort to retain forward compatibility in the
+ configuration and module API, so that upgrading along the 2.0 series
+ should be much easier. This compatibility extends backwards to 2.0.42, so
+ users of that version or later should be able to upgrade without changing
+ configurations or updating DSO modules. (Users of earlier releases will
+ need to recompile all modules in order to upgrade to 2.0.44.)</p>
-<p>We consider this release to be the best version of Apache available
+<p> We consider this release to be the best version of Apache available
and encourage users of all prior versions to upgrade.</p>
-<p>Apache 2.0.43 is available for download from</p>
-<dl>
- <dd>http://www.apache.org/dist/httpd/</dd>
+<p>Apache 2.0.44 is available for download from</p>
+<dl>
+ <dd><a href="http://httpd.apache.org/download.cgi">
+ http://httpd.apache.org/download.cgi</a></dd>
</dl>
-<p>Please see the CHANGES_2.0 file in the same directory for a full list
- of changes.</p>
-
-<p>Binary distributions are available from</p>
-<dl>
- <dd>http://www.apache.org/dist/httpd/binaries/</dd>
-</dl>
-
-<p>The source and binary distributions are also available via any of the
- mirrors listed at</p>
-<dl>
- <dd>http://www.apache.org/mirrors/</dd>
-</dl>
+<p>Please see the CHANGES_2.0 file, linked from the above page, for
+ a full list of changes.</p>
<p>Apache 2.0 offers numerous enhancements, improvements, and performance
- boosts over the 1.3 codebase. The most visible and noteworthy addition
- is the ability to run Apache in a hybrid thread/process mode on any
- platform that supports both threads and processes. This has been shown
- to improve the scalability of the Apache HTTP Server significantly in
- our testing. Apache 2.0 also includes support for filtered I/O. This
- allows modules to modify the output of other modules before it is
- sent to the client. We have also included support for IPv6 on any
- platform that supports IPv6.</p>
-
-<p>For an overview of new features introduced after 1.3 please see</p>
-<dl>
- <dd>http://httpd.apache.org/docs-2.0/new_features_2_0.html</dl>
+ boosts over the 1.3 codebase. For an overview of new features introduced
+ after 1.3 please see</p>
+<dl>
+ <dd><a href="http://httpd.apache.org/docs-2.0/new_features_2_0.html">
+ http://httpd.apache.org/docs-2.0/new_features_2_0.html</a></dl>
</dl>
-
-<p>This version of Apache is known to work on many versions of Unix, BeOS,
- OS/2, Windows, and Netware. Because of the many advances in Apache
- 2.0, it is expected to perform equally well on all supported platforms.
- Apache 2.0 has been running on the apache.org website since December
- of 2000 and has proven to be very reliable.</p>
-
-<p>When upgrading or installing this version of Apache, please keep
+
+<p>When upgrading or installing this version of Apache, please keep
in mind the following:</p>
-<p>This release is binary-compatible only with 2.0.42, and no other previous
- releases. All modules must be recompiled in order to work with this version.
- For example, a module compiled to work with 2.0.40 will not work with 2.0.43.</p>
-
-<p>This release does not include the new mod_logio, contrary to the
- documentation in the CHANGES and manual included in this release.
- That module will be included in the next public release of Apache 2.0.
- We regret the confusion.</p>
-
-<p>Users of this release on Darwin 6.1 (including Mac OS X 10.2, a.k.a. "Jaguar")
- must add --disable-ipv6 when invoking the ./configure script, to avoid
- a potential security exposure related to IPv6 support on that platform.</p>
-
<p>If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
- will be using are thread-safe. Please contact the vendors of
- these modules to obtain this information.</p>
-
-<p>IMPORTANT NOTE FOR APACHE USERS: Apache 2.0 has been structured for
- multiple operating systems from its inception, by introducing the
- Apache Portability Library and MPM modules. Users on non-Unix platforms
- are strongly encouraged to move up to Apache 2.0 for better performance,
- stability and security on their platforms.</p>
+ will be using are thread-safe. Please contact the vendors of these
+ modules to obtain this information.</p>
-<p>Apache is the most popular web server in the known universe; over half
- of the servers on the Internet are running Apache or one of its
- variants.</p>
+<h2>Apache 2.0.44 Major changes</h2>
-
-<h2>Apache 2.0.43 Major changes</h2>
-
-<h3>Security vulnerabilities closed since Apache 2.0.42</h3>
+<h3>Security vulnerabilities closed since Apache 2.0.43</h3>
<ul>
- <li>Fixed the security vulnerability noted in CAN-2002-0840 (cve.mitre.org)
- regarding a cross-site scripting vulnerability in the default error
- page when using wildcard DNS.</li>
+ <li>Fixed the security vulnerability noted in VU#979793: Apache vulnerable
+ to DoS via request for MS-DOS device on Windows 9x and Me.</li>
- <li>Prevent POST requests for CGI scripts from serving the source code
- when DAV is enabled on the location.</li>
+ <li>Fixed the security vulnerability noted in VU#825177: Apache allows
+ arbitrary code execution via crafted POST request containing MS-DOS
+ device name on Windows 9x and Me.</li>
+
+ <li>Fix CAN-2002-0017: On Windows platforms Apache could be forced to serve
+ unexpected files by appending illegal characters such as '<' to the
+ request URL.</li>
</ul>
-<h3>Bugs fixed since Apache 2.0.42</h3>
+<h3>Bugs fixed since Apache 2.0.43</h3>
<ul>
- <li>Fixed a core dump in mod_cache when it attemtped to store uncopyable
- buckets, such as a file containing SSI tags to execute a CGI script.</li>
-
- <li>Ensured that output already available is flushed to the network
- to help some streaming CGIs and other dynamically-generated content.</li>
-
- <li>Fixed a mutex problem in mod_ssl dbm session cache support.</li>
-
- <li>Allow the UserDir directive to accept a list of directories, as in 1.3.</li>
-
- <li>Changed SuExec to use the same default directory as the rest of the
- server, e.g. /usr/local/apache2.</li>
-
- <li>Retry connections with mod_auth_ldap on LDAP_SERVER_DOWN errors.</li>
-
- <li>Pass the WWW-Authenticate header on a 4xx responses from the proxy.</li>
+ <li>mod_autoindex: Bring forward the IndexOptions IgnoreCase option
+ from Apache 1.3. PR 14276
+ [David Shane Holden <dpejesh@yahoo.com>, William Rowe]</li>
+
+ <li>mod_mime: Workaround to prevent a segfault if r->filename=NULL
+ [Brian Pane]</li>
+
+ <li>Reorder the definitions for mod_ldap and mod_auth_ldap within
+ config.m4 to make sure the parent mod_ldap is defined first.
+ This ensures that mod_ldap comes before mod_auth_ldap in the
+ httpd.conf file, which is necessary for mod_auth_ldap to load.
+ PR 14256 [Graham Leggett]</li>
+
+ <li>Fix the building of cgi command lines when the query string
+ contains '='. PR 13914 [Ville Skytt� <ville.skytta@iki.fi>,
+ Jeff Trawick]</li>
+
+ <li>Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move
+ implementation of MCacheMaxStreamingBuffer from mod_cache to
+ mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the
+ lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should
+ eliminate the need for explicitly coding MCacheMaxStreamingBuffer
+ in most configurations. [Bill Stoddard]</li>
+
+ <li>Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL
+ as set by apr-util in util_ldap.c. This should allow mod_ldap
+ to work with the Netscape/Mozilla LDAP library. [�yvin S�mme
+ <somme@oslo.westerngeco.slb.com>, Graham Leggett]</li>
+
+ <li>Fix critical bug in new --enable-v4-mapped configure option
+ implementation which broke IPv4 listening sockets on some
+ systems. [hiroyuki hanai <hanai@imgsrc.co.jp>]</li>
+
+ <li>mod_setenvif: Fix BrowserMatchNoCase support for non-regex
+ patterns [Andr� Malo <nd@perlig.de>]</li>
+
+ <li>Add version string to provider API. [Justin Erenkrantz]</li>
+
+ <li>mod_negotiation: Set the appropriate mime response headers
+ (Content-Type, charset, Content-Language and Content-Encoding)
+ for negotated type-map "Body:" responses (such as the error
+ pages.) [Andr� Malo <nd@perlig.de>]</li>
+
+ <li>mod_log_config: Allow '%%' escaping in CustomLog format
+ strings to insert a literal, single '%'.
+ [Andr� Malo <nd@perlig.de>]</li>
+
+ <li>mod_autoindex: AddDescription directives for directories
+ now work as in Apache 1.3, where no trailing '/' is
+ specified on the directory name. Previously, the trailing
+ '/' *had* to be specified, which was incompatible with
+ Apache 1.3. PR 7990 [Jeff Trawick]</li>
+
+ <li>Fix for PR 14556. The expiry calculations in mod_cache were
+ trying to perform "now + ((date - lastmod) * factor)" where
+ date == lastmod resulting in "now + 0". The code now follows
+ the else path (using the default expiration) if date is
+ equal to lastmod. [rx@armstrike.com (Sergey), Paul J. Reder]</li>
+
+ <li>Use AP_DECLARE in the debug versions of ap_strXXX in case the
+ default calling convention is not the same as the one used by
+ AP_DECLARE. [Juan Rivera <Juan.Rivera@citrix.com>]</li>
+
+ <li>mod_cache: Don't cache response header fields designated
+ as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1).
+ [Estrade Matthieu <estrade-m@ifrance.com>, Brian Pane]</li>
+
+ <li>mod_cgid: Handle environment variables containing newlines.
+ PR 14550 [Piotr Czejkowski <apache@czarny.eu.org>, Jeff
+ Trawick]</li>
+
+ <li>Move mod_ext_filter out of experimental and into filters.
+ [Jeff Trawick]</li>
+
+ <li>Fixed a memory leak in mod_deflate with dynamic content.
+ PR 14321 [Ken Franken <kfranken@decisionmark.com>]</li>
+
+ <li>Add --[enable|disable]-v4-mapped configure option to control
+ whether or not Apache expects to handle IPv4 connections
+ on IPv6 listening sockets. Either setting will work on
+ systems with the IPV6_V6ONLY socket option. --enable-v4-mapped
+ must be used on systems that always allow IPv4 connections on
+ IPv6 listening sockets. PR 14037 (Bugzilla), PR 7492 (Gnats)
+ [Jeff Trawick]</li>
+
+ <li>This fixes a problem where the underlying cache code
+ indicated that there was one more element on the cache
+ than there actually was. This happened since element 0
+ exists but is not used. This code allocates the correct
+ number of useable elements and reports the number of
+ actually used elements. The previous code only allowed
+ MCacheMaxObjectCount-1 objects to be stored in the
+ cache. [Paul J. Reder]</li>
+
+ <li>mod_setenvif: Add SERVER_ADDR special keyword to allow
+ envariable setting according to the server IP address
+ which received the request. [Ken Coar]</li>
+
+ <li>mod_cgid: Terminate CGI scripts when the client connection
+ drops. PR 8388 [Jeff Trawick]</li>
+
+ <li>Rearrange OpenSSL engine initialization to support RAND
+ redirection on crypto accelerator.
+ [Frederic DONNAT <frederic.donnat@zencod.com>]</li>
+
+ <li>Always emit Vary header if mod_deflate is involved in the
+ request. [Andre Malo <nd@perlig.de>]</li>
+
+ <li>mod_isapi: Stop unsetting the 'empty' query string result with
+ a NULL argument in ecb->lpszQueryString, eliminating segfaults
+ for some ISAPI modules. PR 14399
+ [Detlev Vendt <detlev.vendt@brillit.de>]</li>
+
+ <li>mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION
+ notification is received before the HttpExtensionProc() returns
+ HSE_STATUS_PENDING. This only affected isapi .dll's configured
+ with the ISAPIFakeAsync on directive. PR 11918
+ [John DeSetto <jdesetto@radiantsystems.com>, William Rowe]</li>
+
+ <li>mod_isapi: Fix the issue where all results from mod_isapi would
+ run through the core die handler resulting in invalid responses
+ or access log entries. PR 10216 [William Rowe]</li>
+
+ <li>Improves the user friendliness of the CacheRoot processing
+ over my last pass. This version avoids the pool allocations
+ but doesn't avoid all of the runtime checks. It no longer
+ terminates during post-config processing. An error is logged
+ once per worker, indicating that the CacheRoot needs to be set.
+ [Paul J. Reder]</li>
+
+ <li>Fix a bug where we keep files open until the end of a
+ keepalive connection, which can result in:
+ (24)Too many open files: file permissions deny server access
+ especially on threaded servers. [Greg Ames, Jeff Trawick]</li>
+
+ <li>Fix a bug in which mod_proxy sent an invalid Content-Length
+ when a proxied URL was invoked as a server-side include within
+ a page generated in response to a form POST. [Brian Pane]</li>
+
+ <li>Added code to process min and max file size directives and to
+ init the expirychk flag in mod_disk_cache. Added a clarifying
+ comment to cache_util. [Paul J. Reder]</li>
+
+ <li>The value emitted by ServerSignature now mimics the Server HTTP
+ header as controlled by ServerTokens. [Francis Daly <deva@daoine.org>]</li>
+
+ <li>Gracefully handly retry situations in the SSL input filter,
+ by following the SSL libraries' retry semantics.
+ [William Rowe]</li>
+
+ <li>Terminate CGI scripts when the client connection drops. This
+ fix only applies to some normal paths in mod_cgi. mod_cgid
+ is still busted. PR 8388 [Jeff Trawick]</li>
+
+ <li>Fix a bug where 416 "Range not satisfiable" was being
+ returned for content that should have been redirected.
+ [Greg Ames]</li>
+
+ <li>Fix memory leak in mod_ssl from internal SSL library allocations
+ within SSL_get_peer_certificate and X509_get_pubkey.
+ [Zvi Har'El <rl@math.technion.ac.il>
+ Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>].</li>
+
+ <li>mod_ssl uses free() inappropriately in several places, to free
+ memory which has been previously allocated inside OpenSSL.
+ Such memory should be freed with OPENSSL_free(), not with free().
+ [Nadav Har'El <nyh@math.technion.ac.il>,
+ Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>].</li>
+
+ <li>Emit a message to the error log when we return 404 because
+ the URI contained '%2f'. (This was previously nastily silent
+ and difficult to debug.) [Ken Coar]</li>
+
+ <li>Fix streaming output from an nph- CGI script. CGI:IRC now
+ works. PR 8482 [Jeff Trawick]</li>
+
+ <li>More accurate logging of bytes sent in mod_logio when
+ the client terminates the connection before the response
+ is completely sent [Bojan Smojver <bojan@rexursive.com>]</li>
+
+ <li>Fix some problems in the perchild MPM.
+ [Jonas Eriksson <jonas@webkonsulterna.com>]</li>
+
+ <li>Change the CacheRoot processing to check for a required
+ value at config time. This saves a lot of wasted processing
+ if the mod_disk_cache module is loaded but no CacheRoot
+ was provided. This fix also adds code to log an error
+ and avoid useless pallocs and procesing when the computed
+ cache file name cannot be opened. This also updates the
+ docs accordingly. [Paul J. Reder]</li>
+
+ <li>Introduce the EnableSendfile directive, allowing users of NFS
+ shares to disable sendfile mechanics when they either fail
+ outright or provide intermitantly corrupted data.
+ [William Rowe]</li>
+
+ <li>Resolve the error "An operation was attempted on something
+ that is not a socket. : winnt_accept: AcceptEx failed.
+ Attempting to recover." for users of various firewall and
+ anti-virus software on Windows. PR 8325 [William Rowe]</li>
+
+ <li>Add the ProxyBadHeader directive, which gives the admin some
+ control on how mod_proxy should handle bogus HTTP headers from
+ proxied servers. This allows 2.0 to "emulate" 1.3's behavior if
+ desired. [Jim Jagielski]</li>
+
+ <li>Change the LDAP modules to export their symbols correctly
+ during a Windows build. Add dsp files for Windows. Update
+ README.ldap file for Windows build instructions.
+ [Andre Schild <A.Schild@aarboard.ch>]</li>
+
+ <li>Performance improvements for the code that generates HTTP
+ response headers [Brian Pane]</li>
+
+ <li>Add -S as a synonym for -t -DDUMP_VHOSTS.
+ [Thom May <thom@planetarytramp.net>]</li>
+
+ <li>Fix a bug with dbm rewrite maps which caused the wrong value to
+ be used when the key was not found in the dbm. PR 13204
+ [Jeff Trawick]</li>
- <li>Fixed mod_cache's CacheMaxStreamingBuffer directive within virtual hosts.</li>
+ <li>Fix a problem with streaming script output and mod_cgid.
+ [Jeff Trawick]</li>
- <li>Add -p option to apxs to allow programs to be compiled with apxs.</li>
+ <li>Add ap_register_provider/ap_lookup_provider API.
+ [John K. Sterling <john@sterls.com>, Justin Erenkrantz]</li>
</ul>
-</BODY>
-</HTML>
+</body>
+</html>
1.24 +290 -110 httpd-dist/Announcement2.txt
Index: Announcement2.txt
===================================================================
RCS file: /home/cvs/httpd-dist/Announcement2.txt,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- Announcement2.txt 3 Oct 2002 20:37:01 -0000 1.23
+++ Announcement2.txt 20 Jan 2003 22:40:15 -0000 1.24
@@ -1,135 +1,315 @@
- Apache 2.0.43 Released
+ Apache 2.0.44 Released
- The Apache Software Foundation and The Apache Server Project are
- pleased to announce the sixth public release of the Apache 2.0
- HTTP Server. This Announcement notes the significant changes in
- 2.0.43, as compared to 2.0.42.
+ The Apache Software Foundation and The Apache HTTP Server Project are
+ pleased to announce the seventh public release of the Apache 2.0
+ HTTP Server. This Announcement notes the significant changes in
+ 2.0.44 as compared to 2.0.43.
- This version of Apache is principally a security and bug fix release.
+ This version of Apache is principally a security and bug fix release.
A summary of the bug fixes is given at the end of this document.
- Of particular note is that 2.0.43 addresses and fixes two security
- vulnerabilities.
+ Of particular note is that 2.0.44 addresses three security
+ vulnerabilities affecting the Windows platform.
- CAN-2002-0840 (cve.mitre.org)[1]: Apache is susceptible to a cross site
- scripting vulnerability in the default 404 page of any web server hosted
- on a domain that allows wildcard DNS lookups. We thank Matthew Murphy
- for notification of this issue.
-
- Bug ID 13025[2]: Apache would serve script source code for POST requests
- when the DAV On directive enabled mod_dav for a given resource. We thank
- Sander Holthaus for notification of this issue.
+ VU#979793[1] Versions of Windows 9x and Me could be crashed by a malicious
+ request to Apache that contains a MS-DOS device name. This is a known
+ security issues in Microsoft Windows for a which a fix is available:
+ http://www.microsoft.com/technet/Security/Bulletin/ms00-017.asp
+ Apache 2.0.44 has also been patched to correctly filter MS-DOS device
+ names preventing the crash even if the Microsoft update is not applied
+ (cve.mitre.org: CAN-2003-0016).
+
+ VU#825177[2] As a consequence of VU#979793, a remote attacker can
+ run arbitrary code on a server running Apache under Windows 9x and Me
+ by sending a carefully crafted POST request containing a MS-DOS device
+ name (cve.mitre.org: CAN-2003-0016).
+
+ On Windows platforms Apache could be forced to serve unexpected files
+ by appending illegal characters such as '<' to the request URL
+ (cve.mitre.org: CAN-2003-0017).
+
+ The Apache Software Foundation would like to thank Matthew Murphy and
+ Lionel Brits for the responsible reporting of these issues.
+
+ The 2.0.44 release marks a change in the Apache release process and a new
+ level of stability in the 2.0 series. Beginning with this release, we
+ will make every effort to retain forward compatibility in the
+ configuration and module API, so that upgrading along the 2.0 series
+ should be much easier. This compatibility extends backwards to 2.0.42, so
+ users of that version or later should be able to upgrade without changing
+ configurations or updating DSO modules. (Users of earlier releases will
+ need to recompile all modules in order to upgrade to 2.0.44.)
We consider this release to be the best version of Apache available
and encourage users of all prior versions to upgrade.
- Apache 2.0.43 is available for download from
+ Apache 2.0.44 is available for download from
- http://www.apache.org/dist/httpd/
+ http://httpd.apache.org/download.cgi
- Please see the CHANGES_2.0 file in the same directory for a full list
- of changes.
-
- Binary distributions are available from
-
- http://www.apache.org/dist/httpd/binaries/
-
- The source and binary distributions are also available via any of the
- mirrors listed at
-
- http://www.apache.org/mirrors/
+ Please see the CHANGES_2.0 file, linked from the above page, for
+ a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance
- boosts over the 1.3 codebase. The most visible and noteworthy addition
- is the ability to run Apache in a hybrid thread/process mode on any
- platform that supports both threads and processes. This has been shown
- to improve the scalability of the Apache HTTP Server significantly in
- our testing. Apache 2.0 also includes support for filtered I/O. This
- allows modules to modify the output of other modules before it is
- sent to the client. We have also included support for IPv6 on any
- platform that supports IPv6.
-
- For an overview of new features introduced after 1.3 please see
-
- http://httpd.apache.org/docs-2.0/new_features_2_0.html
-
- This version of Apache is known to work on many versions of Unix, BeOS,
- OS/2, Windows, and Netware. Because of the many advances in Apache
- 2.0, it is expected to perform equally well on all supported platforms.
- Apache 2.0 has been running on the apache.org website since December
- of 2000 and has proven to be very reliable.
+ boosts over the 1.3 codebase. For an overview of new features introduced
+ after 1.3 please see
- When upgrading or installing this version of Apache, please keep
- in mind the following:
+ http://httpd.apache.org/docs-2.0/new_features_2_0.html
- This release is binary-compatible only with 2.0.42, and no other previous
- releases. All modules must be recompiled in order to work with this
- version. For example, a module compiled to work with 2.0.40 will not
- work with 2.0.43.
-
- This release does not include the new mod_logio, contrary to the
- documentation in the CHANGES and manual included in this release.
- That module will be included in the next public release of Apache 2.0.
- We regret the confusion.
-
- Users of this release on Darwin 6.1 (including Mac OS X 10.2, a.k.a.
- "Jaguar") must add --disable-ipv6 when invoking the ./configure script,
- to avoid a potential security exposure related to IPv6 support on that
- platform.
+ When upgrading or installing this version of Apache, please keep
+ in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
- will be using are thread-safe. Please contact the vendors of
- these modules to obtain this information.
-
- IMPORTANT NOTE FOR APACHE USERS: Apache 2.0 has been structured for
- multiple operating systems from its inception, by introducing the
- Apache Portability Library and MPM modules. Users on non-Unix platforms
- are strongly encouraged to move up to Apache 2.0 for better performance,
- stability and security on their platforms.
-
- Apache is the most popular web server in the known universe; over half
- of the servers on the Internet are running Apache or one of its
- variants.
-
-
-
- Apache 2.0.43 Major changes
-
- Security vulnerabilities closed since Apache 2.0.42
-
- * Fixed the security vulnerability noted in CAN-2002-0840 (cve.mitre.org)
- regarding a cross-site scripting vulnerability in the default error
- page when using wildcard DNS.
-
- * Prevent POST requests for CGI scripts from serving the source code
- when DAV is enabled on the location.
-
- Bugs fixed since Apache 2.0.42
-
- * Fixed a core dump in mod_cache when it attemtped to store uncopyable
- buckets, such as a file containing SSI tags to execute a CGI script.
-
- * Ensured that output already available is flushed to the network
- to help some streaming CGIs and other dynamically-generated content.
-
- * Fixed a mutex problem in mod_ssl dbm session cache support.
-
- * Allow the UserDir directive to accept a list of directories, as in 1.3.
-
- * Changed SuExec to use the same default directory as the rest of the
- server, e.g. /usr/local/apache2.
+ will be using are thread-safe. Please contact the vendors of these
+ modules to obtain this information.
- * Retry connections with mod_auth_ldap on LDAP_SERVER_DOWN errors.
- * Pass the WWW-Authenticate header on a 4xx responses from the proxy.
+ Apache 2.0.44 Major changes
- * Fixed mod_cache's CacheMaxStreamingBuffer directive within virtual hosts.
+ Security vulnerabilities closed since Apache 2.0.43
- * Add -p option to apxs to allow programs to be compiled with apxs.
+ *) Fixed the security vulnerability noted in VU#979793: Apache vulnerable
+ to DoS via request for MS-DOS device on Windows 9x and Me.
+
+ *) Fixed the security vulnerability noted in VU#825177: Apache allows
+ arbitrary code execution via crafted POST request containing MS-DOS
+ device name on Windows 9x and Me.
+
+ *) Fix CAN-2002-0017: On Windows platforms Apache could be forced to serve
+ unexpected files by appending illegal characters such as '<' to the
+ request URL.
+
+ Bugs fixed since Apache 2.0.43
+
+ *) mod_autoindex: Bring forward the IndexOptions IgnoreCase option
+ from Apache 1.3. PR 14276
+ [David Shane Holden <dp...@yahoo.com>, William Rowe]
+
+ *) mod_mime: Workaround to prevent a segfault if r->filename=NULL
+ [Brian Pane]
+
+ *) Reorder the definitions for mod_ldap and mod_auth_ldap within
+ config.m4 to make sure the parent mod_ldap is defined first.
+ This ensures that mod_ldap comes before mod_auth_ldap in the
+ httpd.conf file, which is necessary for mod_auth_ldap to load.
+ PR 14256 [Graham Leggett]
+
+ *) Fix the building of cgi command lines when the query string
+ contains '='. PR 13914 [Ville Skytt� <vi...@iki.fi>,
+ Jeff Trawick]
+
+ *) Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move
+ implementation of MCacheMaxStreamingBuffer from mod_cache to
+ mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the
+ lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should
+ eliminate the need for explicitly coding MCacheMaxStreamingBuffer
+ in most configurations. [Bill Stoddard]
+
+ *) Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL
+ as set by apr-util in util_ldap.c. This should allow mod_ldap
+ to work with the Netscape/Mozilla LDAP library. [�yvin S�mme
+ <so...@oslo.westerngeco.slb.com>, Graham Leggett]
+
+ *) Fix critical bug in new --enable-v4-mapped configure option
+ implementation which broke IPv4 listening sockets on some
+ systems. [hiroyuki hanai <ha...@imgsrc.co.jp>]
+
+ *) mod_setenvif: Fix BrowserMatchNoCase support for non-regex
+ patterns [Andr� Malo <nd...@perlig.de>]
+
+ *) Add version string to provider API. [Justin Erenkrantz]
+
+ *) mod_negotiation: Set the appropriate mime response headers
+ (Content-Type, charset, Content-Language and Content-Encoding)
+ for negotated type-map "Body:" responses (such as the error
+ pages.) [Andr� Malo <nd...@perlig.de>]
+
+ *) mod_log_config: Allow '%%' escaping in CustomLog format
+ strings to insert a literal, single '%'.
+ [Andr� Malo <nd...@perlig.de>]
+
+ *) mod_autoindex: AddDescription directives for directories
+ now work as in Apache 1.3, where no trailing '/' is
+ specified on the directory name. Previously, the trailing
+ '/' *had* to be specified, which was incompatible with
+ Apache 1.3. PR 7990 [Jeff Trawick]
+
+ *) Fix for PR 14556. The expiry calculations in mod_cache were
+ trying to perform "now + ((date - lastmod) * factor)" where
+ date == lastmod resulting in "now + 0". The code now follows
+ the else path (using the default expiration) if date is
+ equal to lastmod. [rx@armstrike.com (Sergey), Paul J. Reder]
+
+ *) Use AP_DECLARE in the debug versions of ap_strXXX in case the
+ default calling convention is not the same as the one used by
+ AP_DECLARE. [Juan Rivera <Ju...@citrix.com>]
+
+ *) mod_cache: Don't cache response header fields designated
+ as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1).
+ [Estrade Matthieu <es...@ifrance.com>, Brian Pane]
+
+ *) mod_cgid: Handle environment variables containing newlines.
+ PR 14550 [Piotr Czejkowski <ap...@czarny.eu.org>, Jeff
+ Trawick]
+
+ *) Move mod_ext_filter out of experimental and into filters.
+ [Jeff Trawick]
+
+ *) Fixed a memory leak in mod_deflate with dynamic content.
+ PR 14321 [Ken Franken <kf...@decisionmark.com>]
+
+ *) Add --[enable|disable]-v4-mapped configure option to control
+ whether or not Apache expects to handle IPv4 connections
+ on IPv6 listening sockets. Either setting will work on
+ systems with the IPV6_V6ONLY socket option. --enable-v4-mapped
+ must be used on systems that always allow IPv4 connections on
+ IPv6 listening sockets. PR 14037 (Bugzilla), PR 7492 (Gnats)
+ [Jeff Trawick]
+
+ *) This fixes a problem where the underlying cache code
+ indicated that there was one more element on the cache
+ than there actually was. This happened since element 0
+ exists but is not used. This code allocates the correct
+ number of useable elements and reports the number of
+ actually used elements. The previous code only allowed
+ MCacheMaxObjectCount-1 objects to be stored in the
+ cache. [Paul J. Reder]
+
+ *) mod_setenvif: Add SERVER_ADDR special keyword to allow
+ envariable setting according to the server IP address
+ which received the request. [Ken Coar]
+
+ *) mod_cgid: Terminate CGI scripts when the client connection
+ drops. PR 8388 [Jeff Trawick]
+
+ *) Rearrange OpenSSL engine initialization to support RAND
+ redirection on crypto accelerator.
+ [Frederic DONNAT <fr...@zencod.com>]
+
+ *) Always emit Vary header if mod_deflate is involved in the
+ request. [Andre Malo <nd...@perlig.de>]
+
+ *) mod_isapi: Stop unsetting the 'empty' query string result with
+ a NULL argument in ecb->lpszQueryString, eliminating segfaults
+ for some ISAPI modules. PR 14399
+ [Detlev Vendt <de...@brillit.de>]
+
+ *) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION
+ notification is received before the HttpExtensionProc() returns
+ HSE_STATUS_PENDING. This only affected isapi .dll's configured
+ with the ISAPIFakeAsync on directive. PR 11918
+ [John DeSetto <jd...@radiantsystems.com>, William Rowe]
+
+ *) mod_isapi: Fix the issue where all results from mod_isapi would
+ run through the core die handler resulting in invalid responses
+ or access log entries. PR 10216 [William Rowe]
+
+ *) Improves the user friendliness of the CacheRoot processing
+ over my last pass. This version avoids the pool allocations
+ but doesn't avoid all of the runtime checks. It no longer
+ terminates during post-config processing. An error is logged
+ once per worker, indicating that the CacheRoot needs to be set.
+ [Paul J. Reder]
+
+ *) Fix a bug where we keep files open until the end of a
+ keepalive connection, which can result in:
+ (24)Too many open files: file permissions deny server access
+ especially on threaded servers. [Greg Ames, Jeff Trawick]
+
+ *) Fix a bug in which mod_proxy sent an invalid Content-Length
+ when a proxied URL was invoked as a server-side include within
+ a page generated in response to a form POST. [Brian Pane]
+
+ *) Added code to process min and max file size directives and to
+ init the expirychk flag in mod_disk_cache. Added a clarifying
+ comment to cache_util. [Paul J. Reder]
+
+ *) The value emitted by ServerSignature now mimics the Server HTTP
+ header as controlled by ServerTokens. [Francis Daly <de...@daoine.org>]
+
+ *) Gracefully handly retry situations in the SSL input filter,
+ by following the SSL libraries' retry semantics.
+ [William Rowe]
+
+ *) Terminate CGI scripts when the client connection drops. This
+ fix only applies to some normal paths in mod_cgi. mod_cgid
+ is still busted. PR 8388 [Jeff Trawick]
+
+ *) Fix a bug where 416 "Range not satisfiable" was being
+ returned for content that should have been redirected.
+ [Greg Ames]
+
+ *) Fix memory leak in mod_ssl from internal SSL library allocations
+ within SSL_get_peer_certificate and X509_get_pubkey.
+ [Zvi Har'El <rl...@math.technion.ac.il>
+ Madhusudan Mathihalli <ma...@hp.com>].
+
+ *) mod_ssl uses free() inappropriately in several places, to free
+ memory which has been previously allocated inside OpenSSL.
+ Such memory should be freed with OPENSSL_free(), not with free().
+ [Nadav Har'El <ny...@math.technion.ac.il>,
+ Madhusudan Mathihalli <ma...@hp.com>].
+
+ *) Emit a message to the error log when we return 404 because
+ the URI contained '%2f'. (This was previously nastily silent
+ and difficult to debug.) [Ken Coar]
+
+ *) Fix streaming output from an nph- CGI script. CGI:IRC now
+ works. PR 8482 [Jeff Trawick]
+
+ *) More accurate logging of bytes sent in mod_logio when
+ the client terminates the connection before the response
+ is completely sent [Bojan Smojver <bo...@rexursive.com>]
+
+ *) Fix some problems in the perchild MPM.
+ [Jonas Eriksson <jo...@webkonsulterna.com>]
+
+ *) Change the CacheRoot processing to check for a required
+ value at config time. This saves a lot of wasted processing
+ if the mod_disk_cache module is loaded but no CacheRoot
+ was provided. This fix also adds code to log an error
+ and avoid useless pallocs and procesing when the computed
+ cache file name cannot be opened. This also updates the
+ docs accordingly. [Paul J. Reder]
+
+ *) Introduce the EnableSendfile directive, allowing users of NFS
+ shares to disable sendfile mechanics when they either fail
+ outright or provide intermitantly corrupted data. PR
+ [William Rowe]
+
+ *) Resolve the error "An operation was attempted on something
+ that is not a socket. : winnt_accept: AcceptEx failed.
+ Attempting to recover." for users of various firewall and
+ anti-virus software on Windows. PR 8325 [William Rowe]
+
+ *) Add the ProxyBadHeader directive, which gives the admin some
+ control on how mod_proxy should handle bogus HTTP headers from
+ proxied servers. This allows 2.0 to "emulate" 1.3's behavior if
+ desired. [Jim Jagielski]
+
+ *) Change the LDAP modules to export their symbols correctly
+ during a Windows build. Add dsp files for Windows. Update
+ README.ldap file for Windows build instructions.
+ [Andre Schild <A....@aarboard.ch>]
+
+ *) Performance improvements for the code that generates HTTP
+ response headers [Brian Pane]
+
+ *) Add -S as a synonym for -t -DDUMP_VHOSTS.
+ [Thom May <th...@planetarytramp.net>]
+
+ *) Fix a bug with dbm rewrite maps which caused the wrong value to
+ be used when the key was not found in the dbm. PR 13204
+ [Jeff Trawick]
+
+ *) Fix a problem with streaming script output and mod_cgid.
+ [Jeff Trawick]
- References
+ *) Add ap_register_provider/ap_lookup_provider API.
+ [John K. Sterling <jo...@sterls.com>, Justin Erenkrantz]
- [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
- [2] http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13025
+ References
+ [1,2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0016
+ [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0017