Posted to cvs@httpd.apache.org by ji...@apache.org on 2007/08/10 13:32:49 UTC
svn commit: r564559 [2/2] - /httpd/httpd/trunk/CHANGES
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?view=diff&rev=564559&r1=564558&r2=564559
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Aug 10 04:32:49 2007
@@ -1,6 +1,5 @@
-*- coding: utf-8 -*-
Changes with Apache 2.3.0
- [Remove entries to the current 2.0 and 2.2 section below, when backported]
*) mod_deflate: fix content_encoding detection in inflate_out filter
when it's not in response headers table.
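Review bot: Dropping the "[Remove entries to the current 2.0 and 2.2 section below, when backported]" line under "Changes with Apache 2.3.0" removes the in-file instruction that told committers what to do with an entry once it is backported, and nothing in this hunk replaces it. If the convention is changing along with the trimmed history, put a one-line note stating the new rule in the same spot, so backported fixes are not listed under both 2.3.0 and a stable release or under neither.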
@@ -759,15055 +758,18 @@
match for scheme and host, but case sensitive for the rest of
the path. [Jim Jagielski, Ruediger Pluem]
-Changes with Apache 2.1.9
- *) Add mod_authn_dbd (SQL-based authentication) [Nick Kew]
-
- *) mod_proxy_ajp: Do not spool the entire response from AJP backend before
- sending it up the filter chain. PR37100. [Ruediger Pluem]
-
- *) mod_cache: Create new filters CACHE_OUT_SUBREQ / CACHE_SAVE_SUBREQ which
- only differ by the type from CACHE_OUT / CACHE_SAVE to ensure that
- subrequests to non local resources work again. [Ruediger Pluem]
-
- *) mod_proxy: Do not lowercase the entire worker name of a BalancerMember
- since this breaks case sensitive URI's. PR36906. [Ruediger Pluem]
-
- *) core: AddOutputFilterByType is ignored for proxied requests. PR31226.
- [Joe Orton, Ruediger Pluem]
-
- *) mod_proxy_http: Prevent data corruption of POST request bodies when
- client accesses proxied resources with SSL. PR37145.
- [Ruediger Pluem, William Rowe]
-
- *) mod_proxy_balancer: BalancerManager and proxies correctly handle
- member workers with paths. PR36816. [Ruediger Pluem, Jim Jagielski]
-
- *) mod_log_config: %{hextid}P will log the thread id in hex with APR
- versions 1.2.0 or higher. [Jeff Trawick]
-
- *) httpd.exe/apachectl -V: display the DYNAMIC_MODULE_LIMIT setting, as
- in 1.3. [Jeff Trawick]
-
- *) Support dbd connections tied to the conn_rec [Nick Kew]
-
- *) Move mod_dbd to /modules/database/ [Nick Kew]
-
- *) Move mod_filter and mod_charset_lite to /modules/filters/ [Nick Kew]
-
- *) Fix mod_dbd's config [Brian J. France <list firehawksystems.com>]
-
- *) mod_proxy_ajp: mod_proxy_ajp sends empty SSL attributes for non SSL
- connections. PR36883.
- [William Barker <william.barker wilshire.com>, Ruediger Pluem]
-
- *) Elimiated the NET_TIME filter, restructuring the timeout logic.
- This provides a working mod_echo on all platforms, and ensures any
- custom protocol module is at least given an initial timeout value
- based on the <VirtualHost > context's Timeout directive.
- [William Rowe]
-
- *) mod_proxy: Run the request_status hook also if there are no free workers
- or all workers are in error state.
- [Ruediger Pluem, Brian Akins <brian.akins turner.com>]
-
- *) mod_proxy_balancer: mod_proxy_balancer does not handle sticky sessions
- with tomcat correctly. PR36507. [Ruediger Pluem]
-
- *) mod_proxy_connect: Fix high CPU loop on systems like UnixWare which
- trigger POLL_ERR or POLL_HUP on a terminated connection. PR 36951.
- [Jeff Trawick, Ruediger Pluem]
-
- *) SECURITY: CVE-2005-2970 (cve.mitre.org)
- worker MPM: Fix a memory leak which can occur after an aborted
- connection in some limited circumstances. [Greg Ames]
-
- *) Doxygen fixup [Neale Ranns <neale ranns.org>, Ian Holsman]
-
- *) mod_cache/mod_dir: Correct a subrequest lookup bug which was preventing
- mod_dir from serving indexes correctly with mod_cache enabled.
- [Colm MacCarthaigh]
-
-Changes with Apache 2.1.8
-
- *) Fix lingering close implementation to match 1.3.x behaviour.
- PR 35292. [Joe Orton]
-
- *) mod_ssl: Support limited buffering of request bodies to allow
- per-location renegotiation to proceed. PR 12355. [Joe Orton]
-
- *) Fix regression since 2.0.x in AllowOverride Options handling.
- PR 35330. [kabe <kabe sra-tohoku.co.jp>]
-
- *) mod_ssl: Fix memory leak in ssl_util_algotypeof().
- PR 25659. [David Blake <dblake hp com>, Martin Kraemer]
-
- *) prefork, worker and event MPMs: Support a graceful-stop procedure:
- Server will wait until existing requests are finished or until
- "GracefulShutdownTimeout" number of seconds before exiting.
- [Colm MacCarthaigh, Ken Coar, Bill Stoddard]
-
- *) prefork, worker and event MPMs: Prevent children from holding open
- listening ports upon graceful restart or stop. PR 28167.
- [Colm MacCarthaigh, Brian Pinkerton <bp thinkpink.com>]
-
- *) SECURITY: CVE-2005-2700 (cve.mitre.org)
- mod_ssl: Fix a security issue where "SSLVerifyClient" was not
- enforced in per-location context if "SSLVerifyClient optional"
- was configured in the vhost configuration. [Joe Orton]
-
- *) mod_ssl: Catch parse errors from misconfigured or malformed
- CRLs. PR 36438. [Joe Orton]
-
- *) mod_proxy/mod_proxy_balancer: lbmethods now implemented as
- providers. Prevent problems when no Vhost containers were
- configured with proxy balancers. [Jim Jagielski]
-
- *) New provider function to list all available provider names in a
- specific group and version (ap_list_provider_names). [Jim Jagielski]
-
- *) mod_cache: Enhance CacheEnable/CacheDisable to control caching on a
- per-protocol, per-host and per-path basis. Intended for proxy
- configurations. [Colm MacCarthaigh]
-
- *) mod_disk_cache: Canonicalise the storage key, for improved hit/miss
- ratio. [Colm MacCarthaigh]
-
- *) mod_cgid: Append .PID to the script socket filename and remove the
- script socket on exit. [Colm MacCarthaigh, Jim Jagielski]
-
- *) mod_cgid: run the get_suexec_identity hook within the request-handler
- instead of within cgid. PR 36410. [Colm MacCarthaigh]
-
- *) Linux 2.0: remove support for threaded MPM's due to linuxthreads use
- of SIGUSR1 clashing with graceful restart signal. [Colm MacCarthaigh]
-
-Changes with Apache 2.1.7
-
- *) SECURITY: CVE-2005-2491 (cve.mitre.org):
- Fix integer overflows in PCRE in quantifier parsing which could
- be triggered by a local user through use of a carefully-crafted
- regex in an .htaccess file. [Philip Hazel]
-
- *) mod_proxy/mod_proxy_balancer: Provide a simple, functional
- interface to add additional balancer lb selection methods
- without requiring code changes to mod_proxy/mod_proxy_balancer;
- these can be implemented via sub-modules now. [Jim Jagielski]
-
- *) mod_cache: Fix incorrectly served 304 responses when expired cache
- entity is valid, but cache is unwritable and headers cannot be
- updated. [Colm MacCarthaigh <colm stdlib.net>]
-
- *) mod_cache: Remove entities from the cache when re-validation
- receives a 404 or other content-no-longer-present error.
- [Rüdiger Plüm ruediger.pluem vodafone.com]
-
- *) mod_disk_cache: Properly remove files from cache when needed.
- [Rüdiger Plüm ruediger.pluem vodafone.com]
-
- *) mod_disk_cache: Support htcacheclean removing directories.
- [Andreas Steinmetz]
-
- *) htcacheclean: Add -t option to remove empty directories.
- [Colm MacCarthaigh <colm stdlib.net>]
-
- *) Remove the base href tag from mod_proxy_ftp, as it breaks relative
- links for clients not using an Authorization header. [Graham Leggett,
- Jon Snow <jsnow27 gatesec.net>]
-
- *) mod_cache: Restore the HTTP status of cached responses.
- [Hansjoerg Pehofer <hansjoerg.pehofer uibk.ac.at>]
-
- *) mod_cache: Store varied contents all in the same prefix for a varied URI.
- [Paul Querna]
-
- *) mod_cache: Run the CACHE_SAVE and CACHE_OUT Filters after other content
- filters. [Paul Querna]
-
- *) mod_negotiation: Correctly report 404 instead of 403 for missing files.
- [Paul Querna]
-
- *) new hook (request_status) that gets ran in proxy_handler just before
- the final return. This gives modules an opportunity to do something
- based on the proxy status. (minor MMN bump)
- [Brian Akins <bakins turner.com>, Ian Holsman]
-
- *) Add additional SSLSessionCache option, 'nonenotnull', which is
- similar to 'none' (disabling any external shared cache) but forces
- OpenSSL to provide a non-null session ID. [Jim Jagielski]
-
- *) Add httxt2dbm to support/ for creating RewriteMap DBM Files.
- [Paul Querna]
-
- *) Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note
- the negotiated compression. [Georg v. Zezschwitz <gvz 2scale.de>]
-
- *) Fixed complaints about unpackaged files within the RPM build
- after changes to the config files. [Graham Leggett]
-
- *) Fix shutdown for the Worker MPM when an Accept Filter is used. Instead of
- just closing the socket, a HTTP request is made, to make sure the child is
- always awakened. [Paul Querna]
-
-Changes with Apache 2.1.6
-
- *) Fix htdbm password validation for records which included comments.
- [Eric Covener <covener gmail.com>]
-
- *) mod_cgid: Fix buffer overflow processing ScriptSock directive.
- [Steve Kemp <steve steve.org.uk>]
-
-Changes with Apache 2.1.5
-
- *) mod_ssl: Setting the Protocol to 'https' can replace the use of the
- 'SSLEngine on' command. [Paul Querna]
-
- *) core: Refactor the mapping of Accept Filters to Sockets. Add the
- AcceptFilter and Protocol directives to aid in mapping filter types.
- Extend the Listen directive to optionally take a protocol name.
- [Paul Querna]
-
- *) mod_disk_cache: Support storing multiple variations of one URL. PR 35211.
- [Paul Querna]
-
- *) mod_disk_cache: Atomically create the header data file. [Paul Querna]
-
- *) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125.
- [Paul Querna]
-
- *) mod_cache: Rename 'generate_name' to 'ap_cache_generate_name'.
- [Paul Querna]
-
- *) mod_mime_magic: Handle CRLF-format magic files so that it works with
- the default installation on Windows. [Jeff Trawick]
-
- *) core: Allow multiple modules to register interest in a single
- configuration command. [Paul Querna]
-
- *) authn_provider_alias: Adds the configuration block tag
- <AuthnProviderAlias baseProvider Alias>
- Authentication directives contained within this block can be
- referenced as a new authProvider using the AuthBasicProvider or
- AuthDigestProvider directive. These directives will be merged in to
- the per_dir configuration just before the base provider is called.
- [Brad Nicholes]
-
- *) ap_getword_conf: Fix backslashes at the end of configuration directives.
- PR 34834. [Timo Viipuri <viipuri dlc.fi>]
-
- *) mod_dbd: New additions: mod_dbd.c, mod_dbd.h, mod_dbd.xml
- Provide module hooks for apr_dbd; optimise for httpd
- threaded and non-threaded arch [Nick Kew]
-
- *) ab: SSL support rewritten, improved, and enabled if SSL is enabled
- during the build; -f and -Z arguments added to specify SSL protocol
- options. [Masaoki Kobayashi <masaoki techfirm.co.jp>]
-
- *) mod_info: Show the Quick Handler [Paul Querna]
-
- *) mod_ldap: Add the directive LDAPVerifyServerCert to specify
- whether to force verification of the server certificate when
- establishing an SSL connection to the LDAP server.
- [Brad Nicholes]
-
- *) mod_proxy: Run mod_rewrite before mod_proxy in the translate_name
- hook. [Paul Querna]
-
- *) Add AP_INIT_TAKE_ARGV for configuration commands. (minor MMN bump)
- [Paul Querna]
-
- *) ap_get_local_host() rewritten for APR. [Jim Jagielski]
-
- *) Add the ap_vhost_iterate_given_conn function to expose the information
- used in Name Based Virtual Hosting. (minor MMN bump)
- [Paul Querna]
-
- *) Remove the never working ap_method_list_do and ap_method_list_vdo.
- [Paul Querna]
-
- *) Added makefile and doc for building mod_ssl on the NetWare
- platform. [Guenter Knauf, Brad Nicholes]
-
- *) mod_deflate: Merge the Vary header, isntead of Setting it. Fixes
- applications that send the Vary Header themselves, and also apply
- mod_deflate as an output filter. [Paul Querna]
-
- *) Change the default (when not present in the config file) setting
- for UseCanonicalName to Off.
- [Joshua Slive]
-
- *) mod_userdir: The module no longer does any remapping unless the
- UserDir directive is present in the config file.
- [Joshua Slive]
-
- *) Massively simplify the distributed httpd.conf by removing
- many features and many directives that are at their default
- setting. Add a selection of example config excerpts for adding
- extra features in the conf/extra/ directory. Install the
- distributed config and the extra config examples in the
- conf/original/ directory during make install.
- [Joshua Slive, Justin Erenkrantz]
-
- *) NetWare: Reposition mod_asis, mod_actions, mod_cgi, mod_imagemap,
- mod_userdir and mod_autoindex as shared modules rather than
- built-in modules within the NetWare build.
- [Brad Nicholes]
-
- *) Rename mod_imap to mod_imagemap.
- [Paul Querna]
-
- *) util_ldap: Eliminate the load ordering of mod_ldap and mod_authnz_ldap
- by changing the mod_ldap exported functions to optional functions.
- [Brad Nicholes]
-
-Changes with Apache 2.1.4
-
- *) Don't let a subrequest inherit headers describing the original request's
- body. [Greg Ames]
-
- *) Fix Windows CompContext buff size miscalculation
- [Allan Edwards]
-
- *) Add ReceiveBufferSize directive to control the TCP receive buffer.
- [Eric Covener <covener gmail.com>]
-
- *) mod_proxy: Add proxy-sendextracrlf option to send an extra CRLF at the
- end of the request body to work with really old HTTP servers.
- [Justin Erenkrantz]
-
- *) util_ldap: Keep track of the number of attributes retrieved from
- LDAP so that all the values can be properly cached even if the
- value is NULL. PR 33901 [Brad Nicholes]
-
- *) mod_cache: Fix error where incoming Cache-Control would be ignored.
- [Justin Erenkrantz]
-
- *) mod_cache: Correctly handle originally conditional requests.
- [Sander Striker]
-
- *) mod_disk_cache: Correctly update cached headers on revalidated responses.
- [Sander Striker, Justin Erenkrantz]
-
- *) worker MPM/mod_status: Support per-worker tracking of pid and
- generation in the scoreboard so that mod_status can accurately
- represent workers in processes which are gracefully terminating.
- (major MMN bump)
- [Jeff Trawick]
-
- *) Correctly export all mod_dav public functions.
- [Branko Čibej <brane xbc.nu>]
-
-Changes with Apache 2.1.3
-
- *) mod_ssl: Add ssl_ext_lookup optional function for accessing
- certificate extensions. [David Reid, Joe Orton]
-
- *) Add support for use of an external PCRE library; pass the
- --with-pcre flag to configure. PR 27550. [Joe Orton,
- Andres Salomon <dilinger voxel.net>]
-
- *) Renamed regex interfaces to be namespace-safe, and moved from
- pcreposix.h header to ap_regex.h: regex_t->ap_regex_t,
- regmatch_t->ap_regmatch_t; REG_*->AP_REG_*; functions
- reg*->ap_reg*. PR 27550. [Andres Salomon <dilinger voxel.net>,
- Joe Orton]
-
- *) Only recompile buildmark.c when we have to relink httpd.
- [Justin Erenkrantz]
-
- *) mod_cache: Fix up handling of revalidated responses.
- [Justin Erenkrantz]
-
- *) mod_disk_cache: Properly load cached ETag from on-disk structures.
- [Justin Erenkrantz]
-
- *) mod_authnz_ldap: Added an optional second parameter to AuthLDAPURL
- to allow it to override the connection type set in mod_ldap. This
- parameter can be set to NONE, SSL or TLS | STARTTLS.
- [Brad Nicholes]
-
- *) Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
- [Max Bowsher <maxb ukf.net>]
-
- *) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170.
- [Rici Lake <rici ricilake.net>]
-
- *) mod_proxy: Fix ap_proxy_canonenc API.
- PR 32459. [Jim Jagielski]
-
- *) mod_cache: Add CacheStorePrivate and CacheStoreNoStore directive.
- [Justin Erenkrantz]
-
- *) Add --enable-pie flag to configure, to build httpd as a Position
- Independent Executable where supported (GCC/binutils).
- [Joe Orton]
-
- *) proxy_balancer: Add in load-balancing via weighted traffic
- byte count. [Jim Jagielski]
-
- *) mod_disk_cache: Cache r->err_headers_out headers. This allows CGI
- scripts to be properly cached. [Justin Erenkrantz, Sander Striker]
-
- *) mod_ldap: Updated to use the new apr-util v1.1 apr_ldap_*_option()
- API for the setting of server and client SSL certificates. Replaced
- LDAPTrustedCA directive with LDAPTrustedGlobalCert and
- LDAPTrustedClientCert directives to correctly support global certs
- (CA certs / Netware client certs) and per connection client certs
- as supported by Netware, OpenLDAP and Netscape/Mozilla.
- [Graham Leggett]
-
- *) mod_cache: Remove unimplemented CacheForceCompletion directive.
- [Justin Erenkrantz]
-
- *) support/check_forensic: Fix temp file usage
- [Javier Fernandez-Sanguino Pen~a <jfs computer.org>]
-
- *) mod_ssl: Add SSLCADNRequestFile and SSLCADNRequestPath directives
- which can be used to configure a specific list of CA names to send
- in a client certificate request. PR 32848.
- [Tim Taylor <tim.taylor dfas.mil>]
-
- *) --with-module can now take more than one module to be statically
- linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
- If the <modtype>-subdirectory doesn't exist it will be created and
- populated with a standard Makefile.in. [Erik Abele]
-
- *) Remove some compiler warnings within the LDAP modules [Graham Leggett]
-
- *) Add a build script to create a solaris package. [Graham Leggett]
-
- *) ap_http_scheme() replaced with ap_http_method() - this function
- returns the scheme (http v.s. https).
- [William Rowe]
-
- *) mod_proxy: Fix a request corruption problem and a buffering problem
- which sometimes prevented proxy-sendchunks from working.
- [Jeff Trawick]
-
- *) Fix the RPM spec file so that an RPM build now works. An RPM
- build now requires system installations of APR and APR-util.
- [Graham Leggett]
-
- *) Significantly simplify the load balancer scheduling algorithm
- for the proxy BalancerMember weighting. loadfactors (lbfactors)
- are now normalized with respect to each other. [Jim Jagielski]
-
- *) mod_dumpio: Added to the available module suite; it is an
- I/O logging/dumping module. Placed in the (new) debug module
- subdirectory. mod_bucketeer moved to that directory as well.
- [Jim Jagielski]
-
- *) core: Add support for APR_TCP_DEFER_ACCEPT to defer accepting
- of a connection until data is available.
- [Paul Querna]
-
-Changes with Apache 2.1.2
-
- *) mod_proxy: Respect errors reported by pre_connection hooks.
- [Jeff Trawick]
-
- *) core: Error out on sections that are missing an argument instead of
- silently consuming the section. PR 25460.
- [Geoffrey Young, Paul Querna]
-
- *) mod_cache/mod_mem_cache/mod_disk_cache: Move out of experimental.
-
- *) Upgraded PCRE to version 5.0. [Brian Pane]
-
- *) mod_cgid: Catch configuration problem where two web server instances
- share same ServerRoot but admin forgot to use ScriptSock.
- [Jeff Trawick]
-
- *) mod_cgi: Ensure that all stderr is logged for a script which returns
- a Location header to generate a non-local redirect. PR 20111.
- [Joe Orton]
-
- *) Added the Event MPM to more efficiently handle clients during a
- Keep Alive request.
- [Paul Querna, Greg Ames]
-
-Changes with Apache 2.1.1
-
- *) mod_proxy_http: Stream content better - always flush buffered data to
- the client before blocking waiting for new data. PR 19954.
- [Joe Orton]
-
- *) mod_ssl: Add support for command-line option "-t -DDUMP_CERTS" which
- will dump the filenames of all configured SSL certificates to stdout.
- [Joe Orton]
-
- *) mod_disk_cache: Remove a bunch of non-implemented garbage collection
- and cache size directives that are now available through htcacheclean.
- [Justin Erenkrantz]
-
- *) Add htcacheclean to support/ for assistance with mod_disk_cache.
- [Andreas Steinmetz]
-
- *) mod_authnz_ldap: Added the directive "Requires ldap-filter" that
- allows the module to authorize a user based on a complex LDAP
- search filter. [Brad Nicholes]
-
- *) mod_usertrack: Run the fixups hook before other modules.
- PR 29755. [Paul Querna]
-
- *) Allow mod_authnz_ldap authorization functionality to be used
- without requiring the user to also be authenticated through
- mod_authnz_ldap. This allows other authentication modules to
- take advantage of LDAP authorization only [PR 28253]
- [Jari Ahonen jah progress.com, Brad Nicholes]
-
- *) Log the client IP address when an error occurs disabling nagle on a
- connection, but log at a severity of debug since this error
- generally means that the connection was dropped before data was
- sent. Log the client IP address when reporting errors in the core
- output filter. [Jeff Trawick]
-
- *) core: Add a warning message if the request line read fails.
- [Paul Querna]
-
- *) mod_rewrite: Removed the MaxRedirects option in favor of the
- core LimitInternalRecursion directive. [André Malo]
-
- *) mod_info: Added listing of the Request Hooks and added more build
- information like 'httpd -V' contains. Changed output to XHTML.
- [Paul Querna]
-
- *) mod_info: Rewrote config tree walk using a recursive function.
- Added ?config option. Added printout of config filename and line numbers.
- [Rici Lake <rici ricilake.net>, Paul Querna]
-
- *) mod_proxy: Fix type error that prevents proxy-sendchunks from working.
- [Justin Erenkrantz]
-
- *) mod_proxy: Fix data corruption by properly setting aside buckets.
- [Justin Erenkrantz]
-
- *) mod_proxy: If a request has a blank body and has a 0 Content-Length
- headers, pass that to the proxy. [Justin Erenkrantz]
-
- *) Recognize QSA flag in mod_rewrite again.
- [Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]
-
- *) Restructured mod_auth_ldap to fit the new authentication model.
- The module is now called authnz_ldap and has been moved out of
- the modules/experimental area and into modules/aaa with the other
- auth modules. Both the authn_ldap provider and the authz_ldap
- handler are contained within the authnz_ldap module. The
- authz_ldap handler introduces 3 new "requires" values for handling
- authorization. These handlers are ldap-user, ldap-group and
- ldap-dn. [Brad Nicholes]
-
- *) Fix some compiler warnings in proxy
- [Geoffrey Young <ge...@modperlcookbook.org>]
-
- *) mod_ssl: Add SSL_CLIENT_V_REMAIN variable, representing the
- number of days until the client cert expires. [Joe Orton]
-
- *) Add test_config hook, run only if httpd is invoked using -t.
- [Joe Orton]
-
- *) Improve error handling for corrupted pid files. [Jeff Trawick]
-
- *) mod_proxy.c and proxy_util.c: Enable compiling on 2.0-HEAD
- (for backwards compatibility):
- Avoids mod_ssl.h (not included in 2.0-HEAD) and
- use apr_socket_create_ex for 0.9.x
- [Mladen Turk]
-
- *) Added proxy_ajp.c module for proxy support to ajp:// backends.
- [Jean Frederic Clere]
-
- *) Fixes the build of proxy on Windows. Since the proxy_module is declared
- as extern using AP_MODULE_DECLARE_DATA that expands to dllexport, there
- is a LNK2001 error when building proxy_http. [Mladen Turk]
-
- *) Remove LDAP toolkit specific code from util_ldap and mod_auth_ldap.
- [Graham Leggett]
-
- *) Remove deprecated/removed APR_STATUS_IS_SUCCESS(). [Justin Erenkrantz]
-
- *) perchild MPM: Fix thread safety problem in the use of longjmp().
- [Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]
-
- *) Add load balancer support to the scoreboard in preparation for
- load balancing support in mod_proxy. [Mladen Turk]
-
- *) mod_nw_ssl: Added the directive NWSSLUpgradeable to mod_nw_ssl to
- allow a non-secure connection to be upgraded to secure connections
- [Brad Nicholes]
-
- *) core: Add Options= syntax to AllowOverride to specify which options
- may be overridden in .htaccess files. PR 29310.
- [Tom Alsberg <alsbergt cs.huji.ac.il>, Paul Querna]
-
- *) ab: Handle long URLs with an error instead of an buffer overflow.
- PR 28204. [Erik Weide <erik.weidel mplus-technologies.de>, Paul Querna]
-
- *) mod_so, core: Add new command line options to print all loaded
- modules. '-t -D DUMP_MODULES' and '-M' will show all static
- and shared modules as loaded from the configuration file.
- [Paul Querna]
-
- *) mod_autoindex: Add ShowForbidden to IndexOptions to list files
- that are not shown because the subrequest returned 401 or 403.
- PR 10575. [Paul Querna]
-
- *) mod_headers: implement "Early" processing option in post_read_request
- to enable Header and RequestHeader directives to be used to set up
- testcases for pre-fixups request phases [Nick Kew]
-
- *) mod_proxy: multiple bugfixes, principally support cookies in
- ProxyPassReverse, and don't canonicalise URL passed to backend.
- Documentation correspondingly updated. [Nick Kew <nick webthing.com>]
-
- *) mod_deflate: support gzip flags in inflate_out_filter
- [Nick Kew <nick webthing.com>]
-
- *) Drop the ErrorHeader directive which turned out to be a misnomer.
- Instead there's a new optional flag for the Header directive
- ('always'), which keeps the former ErrorHeader functionality.
- [André Malo]
-
- *) mod_deflate: Don't deflate responses with zero length
- e.g. proxied 304's [Allan Edwards]
-
- *) <IfModule> now recognizes the module identifier in addition to the
- file name. PR 29003. [Edward Rudd <eddie omegaware.com>, André Malo]
-
- *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
- OpenSSL 0.9.7 flag which uses the server's cipher order rather
- than the client's. PR 28665.
- [Jim Schneider <jschneid netilla.com>]
-
- *) mod_ssl: Drop support for the CompatEnvVars argument to
- SSLOptions, which was never actually implemented in 2.0.
- [Joe Orton]
-
- *) Fix bug in mod_deflate that unconditionally sent deflate'd output
- even when Accept-Encoding is not present. [Justin Erenkrantz]
-
- *) Pass environment variables through to piped loggers and start
- them via the shell, resolving regressions since 1.3. PR 28815
- [Ken Coar, Jeff Trawick]
-
- *) External rewrite map responses are no longer limited to 2048
- bytes. [André Malo]
-
- *) Proxy server was deleting cookies that Apache had already
- assigned if the origin server had set any cookies. PR 27023.
- [Jim Jagielski]
-
- *) Removed old and unmaintained ap_add_named_module API and changed
- the following APIs to return an error instead of hard exiting:
- ap_add_module, ap_add_loaded_module, ap_setup_prelinked_modules,
- and ap_process_resource_config. [André Malo]
-
- *) mod_headers: Allow %% in header values to represent a literal %.
- [André Malo]
-
- *) mod_headers: Allow env clauses also for 'echo' and 'unset' actions.
- [André Malo]
-
- *) mod_headers: Allow 'echo' also for ErrorHeaders. [André Malo]
-
- *) mod_deflate: New option for DEFLATE output file (force-gzip),
- new output filter 'INFLATE' for uncompressing responses.
- [Nick Kew <Nick at WebThing dot com>, Ian Holsman]
-
- *) Added new module mod_version, which provides version dependent
- configuration containers. [André Malo]
-
- *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
- format is used. PR 27787. [André Malo]
-
- *) Allow Digest providers to return AUTH_DENIED to propagate a 401
- status and terminate the provider chain prior to checking the password.
- [Geoffrey Young]
-
- *) mod_cgid: Don't allow Scriptsock to be specified inside VirtualHost;
- Don't place script socket inside default server root instead of
- actual server root. PR 27886. [Jeff Trawick]
-
- *) mod_proxy: Fix handling of non-200 success status codes when
- "ProxyErrorOverride On" is configured. PR 20183.
- [Marcus Janson <marcus.janson tre.se>, Joe Orton]
-
- *) Threaded MPMs for Unix and Win32: Add support for ThreadStackSize
- directive (previously NetWare-only) to override default thread
- stack size for threads which handle client connections. Required
- for some third-party modules on platforms with small default
- thread stack size. [Jeff Trawick]
-
- *) minor mod_auth_basic and mod_auth_digest sync. mod_auth_basic
- now populates r->user with the (possibly unauthenticated) user,
- and mod_auth_digest returns 500 when a provider returns
- AUTH_GENERAL_ERROR.
- [Geoffrey Young]
-
- *) The whole codebase was relicensed and is now available under
- the Apache License, Version 2.0 (http://www.apache.org/licenses).
- [Apache Software Foundation]
-
- *) Delete some make-generated files in the server directory during
- "make clean" processing. PR 26552. [Jeff Trawick]
-
- *) Add core version query function (ap_get_server_revision) and
- accompanying ap_version_t structure (minor MMN bump).
- [André Malo]
-
- *) mod_rewrite: EOLs sent by external rewritemaps are now consumed
- as whole. That way, on systems with more than one EOL character
- rewritemap programs no longer need to switch stdout to binary
- mode. PR 25635. [André Malo]
-
- *) mod_rewrite: Introduce the ability to force a content handler via
- the [handler=...] flag. [André Malo]
-
- *) mod_rewrite: Introduce the RewriteCond -x check, which returns
- true if the pattern is a file with execution permissions.
- [André Malo]
-
- *) mod_rewrite: Allow proxying and RewriteRules in directory context
- for subrequests. PR 14648, 15114. [André Malo]
-
- *) mod_rewrite: Allow setting of any valid HTTP response code.
- PR 25917. [André Malo]
-
- *) mod_rewrite: Cookie creation now works locale independent.
- [André Malo]
-
- *) mod_ssl: Add support for distributed session cache using 'distcache'.
- [Geoff Thorpe <geoff geoffthorpe.net>]
-
- *) mod_dav: Disallow requests with an unescaped hash character in
- the Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
-
- *) mod_proxy with ProxyErrorOverride On in a reverse-proxy configuration
- attaches a body to the 302 response and a wrong Content-Length header.
- PR: 22951 [Ermanno Scaglione scaglione ..at.. starnetone.de]
-
- *) Bring ErrorHeader concept forward from 1.3, so that response
- header fields can be set for return even on errors or external
- redirects. [Ken Coar]
-
- *) Fix <Limit> and <LimitExcept> parsing to require a closing '>'
- in the initial container. PR 25414.
- [Geoffrey Young <geoff apache.org>]
-
- *) Clean up httpd -V output: Instead of displaying the MPM source
- directory, display the MPM name and some MPM properties.
- [Geoffrey Young <geoff apache.org>]
-
- *) mod_ssl/mod_status: Re-enable support for output of SSL session
- cache information in server-status page. [Joe Orton]
-
- *) mod_ssl: Remove the shmht session cache, shmcb should be used
- instead. [Joe Orton]
-
- *) mod_logio: Account for some bytes handed to the network layer prior to
- dropped connections. [Jeff Trawick]
-
- *) mod_autoindex: new directive IndexStyleSheet
- [Tyler Riddle <triddle_1999 yahoo.com>, Paul Querna <chip force-elite.com>]
-
- *) Fix uninitialized gprof directory name in prefork MPM. PR 24450.
- [Chris Knight <Christopher.D.Knight nasa.gov>]
-
- *) Log an error when requests for URIs which fail to map to a valid
- filesystem name are rejected with 403. [Jeff Trawick]
-
- *) Switch to APR 1.0 API.
-
- *) Major overhaul of mod_include's filter parser. The new parser code
- is expected to be more robust and should catch all of the edge cases
- that were not handled by the previous one. This includes a binary
- incompatible change of mod_include's external API. [André Malo]
-
- *) mod_rewrite: Allow forced mimetypes [T=...] to get expanded.
- PR 14223. [André Malo]
-
- *) mod_rewrite: Fix LA-U and LA-F lookups in directory context. Previously
- the current rewrite state was just used as lookup path, which lead to
- strange and often useless results. Related to PR 8493. [André Malo]
-
- *) Change Listen directive to bind to all addresses when a hostname is
- not specified. [Justin Erenkrantz]
-
- *) Correct failure with Listen directives on machines with IPv6 enabled.
- [Colm MacCárthaigh <colm stdlib.net>, Justin Erenkrantz]
-
- *) Fix a link failure in mod_ssl when the OpenSSL libraries contain
- the ENGINE functions but the engine header files are missing.
- [Cliff Woolley]
-
- *) mod_rewrite: RewriteRules in server context using the force
- type feature [T=...] no longer disable MultiViews. [André Malo]
-
- *) mod_rewrite: Allow piped rewrite logs to be relative to ServerRoot.
- [André Malo]
-
- *) mod_authz_groupfile: Strip trailing spaces of group names. This
- hopefully saves some hours of searching for typos. PR 12863.
- [André Malo]
-
- *) mod_actions: Propagate the handler name to the action script via
- the REDIRECT_HANDLER environment variable. [André Malo]
-
- *) mod_actions: Introduce the "virtual" modifier to the Action directive,
- which allows the use of handlers for virtual locations. PR 8431.
- [André Malo]
-
- *) mod_speling: Recognize AcceptPathInfo setting for the particular
- location. Default is to reject path information. PR 21059.
- [André Malo]
-
- *) mod_ext_filter: Add the ability to filter request bodies.
- [Philipp Reisner <philipp.reisner linbit.com>]
-
- *) Fix some broken log messages in WinNT MPM.
- [Juan Rivera <Juan.Rivera citrix.com>]
-
- *) prefork MPM: Use the right permissions for the directory created
- for gprof support. [Jim Carlson <jcarlson jnous.com>]
-
- *) Fix a compile failure with recent OpenSSL and picky compilers
- (e.g., OpenSSL 0.9.7a and xlc_r on AIX). [Jeff Trawick]
-
- *) OpenSSL headers should be included as "openssl/ssl.h", and not rely on
- the INCLUDE path to be defined properly.
- PR 11310. [Geoff Thorpe <geoff geoffthorpe.net>]
-
- *) Modify APACHE_CHECK_SSL_TOOLKIT to detect SSL-C. [Madhusudan Mathihalli]
-
- *) Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
- autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc).
- [Geoff Thorpe <geoff geoffthorpe.net>]
-
- *) change directive name from 'compressionlevel' to 'deflatecompressionlevel'
- [Ian Holsman, André Malo]
-
- *) mod_negotiation: quality values are now parsed independent from
- the current locale. level values are now really parsed as integers.
- PR 17564. [André Malo]
-
- *) Extend mod_negotiation to evaluate the environment variables
- no-gzip and gzip-only-text/html the same way as mod_deflate does.
- [André Malo]
-
- *) mod_rewrite: Fix some problems reporting errors with mapping
- programs (RewriteMap prg:/something). [Jeff Trawick]
-
- *) Return 413 if chunk-ext-header is too long rather than reading from
- the truncated line. PR 15857. [Justin Erenkrantz]
-
- *) Allow restart of httpd to occur even with syntax errors in the config
- file. PR 16813. [Justin Erenkrantz]
-
- *) Use APR_LAYOUT instead of APACHE_LAYOUT in configure. PR 15679.
- [Justin Erenkrantz]
-
- *) Remove files on 'make distclean' that should be. PR 15592.
- [Justin Erenkrantz]
-
- *) Allow apachectl to perform status with links and elinks as well.
- [Justin Erenkrantz]
-
- *) mod_log_config change optional hook to return previous handler
- [Ian Holsman]
-
- *) Forward port of mod_actions' ability to handle arbitrary methods
- with the Script directive. [André Malo]
-
- *) Let suexec send a message to stderr, if it failed or its policy
- was violated. This message appears in the error log and allows
- for easier debugging. PR 5381, 7638, 8255, 10773. [André Malo]
-
- *) Modify buildconf to copy all required files into httpd's tree.
- [Thom May <thom planetarytramp.net>]
-
- *) Allow mod_dav to do weak entity comparison functions.
- [Justin Erenkrantz]
-
- *) Move RFC 1413 ident requests from core to new module mod_ident.
- [André Malo]
-
- *) Add mod_authz_owner - a forward port of "Require file-owner"
- and "Require file-group", which was already present in version
- 1.3.21. [André Malo]
-
- *) Add mod_dav_lock - a generic subset of the DAV locking implementation.
- [Justin Erenkrantz]
-
- *) Replace some of the mutex locking in the worker MPM with
- atomic operations for higher concurrency. [Brian Pane]
-
- *) Allow 'make depend' to work with non-GCC compilers.
- [Justin Erenkrantz]
-
- *) If an httpd.conf has commented out AddModule directives,
- apxs -i -a will add an un-commented AddModule directive for
- the new module, which breaks the config.
- PR: 11212 [Joe Orton]
-
- *) Fix mod_proxy handling of filtered input bodies. [Justin Erenkrantz]
-
- *) Move the check of the Expect request header field after the hook
- for ap_post_read_request, since that is the only opportunity for
- modules to handle Expect extensions. [Justin Erenkrantz]
-
- *) Rewrite of aaa modules to an authn/authz model.
- [Dirk-Willem van Gulik, Justin Erenkrantz]
-
-
- [Apache 2.1.0-dev includes those bug fixes and changes with the
- Apache 2.0.xx tree as documented, and except as noted, below.]
-
-Changes with Apache 2.0.56
-
- *) SECURITY: CVE-2005-3357 (cve.mitre.org)
- mod_ssl: Fix a possible crash during access control checks if a
- non-SSL request is processed for an SSL vhost (such as the
- "HTTP request received on SSL port" error message when an 400
- ErrorDocument is configured, or if using "SSLEngine optional").
- PR 37791. [Rüdiger Plüm, Joe Orton]
-
- *) SECURITY: CVE-2005-3352 (cve.mitre.org)
- mod_imap: Escape untrusted referer header before outputting in HTML
- to avoid potential cross-site scripting. Change also made to
- ap_escape_html so we escape quotes. Reported by JPCERT.
- [Mark Cox]
-
- *) mod_speling: Stop crashing with certain non-file requests.
- [Jeff Trawick]
-
- *) keep the Content-Length header for a HEAD with no response body.
- PR 18757 [Greg Ames]
-
- *) Modify apr[util] .h detection to avoid breakage on VPATH builds
- using Solaris make (amoung others) and avoid breakage in ./buildconf
- when srclib/apr[-util] are symlinks rather than directories proper.
- [William Rowe]
-
- *) Avoid server-driven negotiation when a CGI script has emitted an
- explicit "Status:" header. PR 38070. [Nick Kew]
-
- *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
- format is used. PR 27787. [André Malo]
-
- *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264.
- [Justin Erenkrantz]
-
- *) mod_cache: Correctly handle responses with a 301 status. PR 37347.
- [Paul Querna]
-
- *) mod_proxy_http: Prevent data corruption of POST request bodies when
- client accesses proxied resources with SSL. PR 37145.
- [Ruediger Pluem, William Rowe]
-
- *) Elimiated the NET_TIME filter, restructuring the timeout logic.
- This provides a working mod_echo on all platforms, and ensures any
- custom protocol module is at least given an initial timeout value
- based on the <VirtualHost > context's Timeout directive.
- [William Rowe]
-
- *) mod_ssl: Correct issue where mod_ssl does not pick up the
- ssl-unclean-shutdown setting when configured. PR 34452. [Joe Orton]
-
- *) Document the ReceiveBufferSize change done in r157583 [Murray
- Nesbitt <mu...@cpan.org>]
-
- *) mod_deflate: Merge the Vary header, instead of Setting it. Fixes
- applications that send the Vary Header themselves. PR 37559.
- [Paul Querna]
-
- *) mod_dav: Fix a null pointer dereference in an error code path during the
- handling of MKCOL. [Ghassan Misherghi <ghassanm ucdavis.edu>]
-
- *) mod_mime_magic: Handle CRLF-format magic files so that it works with
- the default installation on Windows. [Jeff Trawick]
-
- *) Write message to error log if AuthGroupFile cannot be opened.
- PR 37566. [Rüdiger Plüm]
-
- *) Add ReceiveBufferSize directive to control the TCP receive buffer.
- [Eric Covener <covener gmail.com>]
-
- *) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125.
- [Paul Querna]
-
- *) Remove the base href tag from proxy_ftp, as it breaks relative
- links for clients not using an Authorization header. [Graham Leggett,
- Jon Snow <jsnow27 gatesec.net>]
-
- *) http_request.c: Add missing va_end call. [André Malo]
-
- *) Add httxt2dbm to support/ for creating RewriteMap DBM Files.
- [Paul Querna]
-
- *) support/check_forensic: Fix temp file usage
- [Javier Fernandez-Sanguino Pen~a <jfs computer.org>]
-
- *) Chunk filter: Fix chunk filter to create correct chunks in the case that
- a flush bucket is surrounded by data buckets. [Ruediger Pluem]
-
- *) mod_cgi(d): Remove block on OPTIONS method so that scripts can
- respond to OPTIONS directly rather than via server default.
- [Roy Fielding] PR 15242
-
- *) Added new module mod_version, which provides version dependent
- configuration containers. [André Malo]
-
- *) Add core version query function (ap_get_server_revision) and
- accompanying ap_version_t structure (minor MMN bump).
- [André Malo]
-
-Changes with Apache 2.0.55
-
- *) SECURITY: CVE-2005-2088 (cve.mitre.org)
- proxy: Correctly handle the Transfer-Encoding and Content-Length
- headers. Discard the request Content-Length whenever T-E: chunked
- is used, always passing one of either C-L or T-E: chunked whenever
- the request includes a request body. Resolves an entire class of
- proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]
-
- *) Added TraceEnable [on|off|extended] per-server directive to alter
- the behavior of the TRACE method. This addresses a flaw in proxy
- conformance to RFC 2616 - previously the proxy server would accept
- a TRACE request body although the RFC prohibited it. The default
- remains 'TraceEnable on'. [William Rowe]
-
- *) Add ap_log_cerror() for logging messages associated with particular
- client connections. [Jeff Trawick]
-
- *) Correct mod_cgid's argv[0] so that the full path can be delved by the
- invoked cgi application, to conform to the behavior of mod_cgi.
- [Pradeep Kumar S <pradeep.smani gmail.com>]
-
- *) mod_include: Fix possible environment variable corruption when
- using nested includes. PR 12655. [Joe Orton]
-
- *) Support the suppress-error-charset setting, as with Apache 1.3.x.
- PR 31274. [Jeff Trawick]
-
- *) EBCDIC: Handle chunked input from client or, with proxy, origin
- server. [Jeff Trawick]
-
- *) Fix bad globbing comparison which could result in getting
- a directory listing when a file was requested. PR 34512.
- [sean <infamous41md hotmail.com>]
-
- *) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
- was called even if mod_auth_ldap_check_user_id() was not
- (or if it didn't succeed) for non-authoritative cases.
- [Jim Jagielski]
-
- *) SECURITY: CVE-2005-2728 (cve.mitre.org)
- Fix cases where the byterange filter would buffer responses
- into memory. PR 29962. [Joe Orton]
-
- *) mod_proxy: Fix over-eager handling of '%' for reverse proxies.
- PR 15207. [Jim Jagielski]
-
- *) mod_ldap: Fix various shared memory cache handling bugs.
- PR 34209. [Joe Orton]
-
- *) Fix a file descriptor leak when starting piped loggers. PR 33748.
- [Joe Orton]
-
- *) mod_ldap: Avoid segfaults when opening connections if using a version
- of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes]
-
- *) mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe]
-
- *) SECURITY: CVE-2005-2088 (cve.mitre.org)
- core: If a request contains both Transfer-Encoding and Content-Length
- headers, remove the Content-Length, mitigating some HTTP Request
- Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
-
- *) proxy HTTP: If a response contains both Transfer-Encoding and a
- Content-Length, remove the Content-Length and don't reuse the
- connection, mitigating some HTTP Response Splitting attacks.
- [Jeff Trawick]
-
- *) Prevent hangs of child processes when writing to piped loggers at
- the time of graceful restart. PR 26467. [Jeff Trawick]
-
- *) SECURITY: CVE-2005-1268 (cve.mitre.org)
- mod_ssl: Fix off-by-one overflow whilst printing CRL information
- at "LogLevel debug" which could be triggered if configured
- to use a "malicious" CRL. PR 35081. [Marc Stern <mstern csc.com>]
-
- *) mod_userdir: Fix possible memory corruption issue. PR 34588.
- [David Leonard <dleonard vintela.com>]
-
- *) worker mpm: don't take down the whole server for a transient
- thread creation failure. PR 34514 [Greg Ames]
-
- *) mod_rewrite: use buffered I/O to improve performance with large
- RewriteMap txt: files. [Greg Ames]
-
- *) proxy HTTP: Rework the handling of request bodies to handle
- chunked input and input filters which modify content length, and
- avoid spooling arbitrary-sized request bodies in memory.
- PR 15859. [Jeff Trawick]
-
-Changes with Apache 2.0.54
-
- *) mod_cache: Add CacheIgnoreHeaders directive. PR 30399.
- [Rüdiger Plüm <r.pluem t-online.de>]
-
- *) mod_ldap: Added the directive LDAPConnectionTimeout to configure
- the ldap socket connection timeout value.
- [Brad Nicholes]
-
- *) Correctly export all mod_dav public functions.
- [Branko Čibej <brane xbc.nu>]
-
- *) Add a build script to create a solaris package. [Graham Leggett]
-
- *) worker MPM: Fix a problem which could cause httpd processes to
- remain active after shutdown. [Jeff Trawick]
-
- *) Unix MPMs: Shut down the server more quickly when child processes are
- slow to exit. [Joe Orton, Jeff Trawick]
-
- *) Remove formatting characters from ap_log_error() calls. These
- were escaped as fallout from CVE-2003-0020.
- [Eric Covener <ecovener gmail.com>]
-
- *) mod_ssl: If SSLUsername is used, set r->user earlier. PR 31418.
- [David Reid]
-
- *) htdigest: Fix permissions of created files. PR 33765. [Joe Orton]
-
- *) core_input_filter: Move buckets to a persistent brigade instead of
- creating a new brigade. This stop a memory leak when proxying a
- Streaming Media Server. PR 33382. [Paul Querna]
-
- *) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid
- hiccups from additional path information passed in non-utf-8 format.
- [Richard Donkin <rd9 donkin.org]
-
-Changes with Apache 2.0.53
-
- *) Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
- [Max Bowsher <maxb ukf.net>]
-
- *) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170.
- [Rici Lake <rici ricilake.net>]
-
- *) mod_proxy: Respect errors reported by pre_connection hooks.
- [Jeff Trawick]
-
- *) --with-module can now take more than one module to be statically
- linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
- If the <modtype>-subdirectory doesn't exist it will be created and
- populated with a standard Makefile.in. [Erik Abele]
-
- *) Fix the RPM spec file so that an RPM build now works. An RPM
- build now requires system installations of APR and APR-util.
- Remove some arbitrary moving around of binaries - the RPM now
- maps to the ASF build of httpd.
- [Graham Leggett]
-
- *) mod_dumpio, an I/O logging/dumping module, added to the
- modules/expermimental subdirectory. [Jim Jagielski]
-
- *) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
- library handles special characters. PR 24437. [Jess Holle]
-
- *) Win32 MPM: Correct typo in debugging output. [William Rowe]
-
- *) conf: Remove AddDefaultCharset from the default configuration because
- setting a site-wide default does more harm than good. PR 23421.
- [Roy Fielding]
-
- *) Add charset to example CGI scripts. [Roy Fielding]
-
- *) mod_ssl: fail quickly if SSL connection is aborted rather than
- making many doomed ap_pass_brigade calls. PR 32699. [Joe Orton]
-
- *) Remove compiled-in upper limit on LimitRequestFieldSize.
- [Bill Stoddard]
-
- *) Start keeping track of time-taken-to-process-request again for
- mod_status if ExtendedStatus is enabled. [Jim Jagielski]
-
- *) mod_proxy: Handle client-aborted connections correctly. PR 32443.
- [Janne Hietamäki, Joe Orton]
-
- *) Fix handling of files >2Gb on all platforms (or builds) where
- apr_off_t is larger than apr_size_t. PR 28898. [Joe Orton]
-
- *) mod_include: Fix bug which could truncate variable expansions
- of N*64 characters by one byte. PR 32985. [Joe Orton]
-
- *) Correct handling of certain bucket types in ap_save_brigade, fixing
- possible segfaults in mod_cgi with #include virtual. PR 31247.
- [Joe Orton]
-
- *) Allow for the use of --with-module=foo:bar where the ./modules/foo
- directory is local only. Assumes, of course, that the required
- files are in ./modules/foo, but makes it easier to statically
- build/log "external" modules. [Jim Jagielski]
-
- *) Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that
- ldap authorization only modules have access to the util_ldap
- user cache without having to require ldap authentication as well.
- PR 31898. [Jari Ahonen jah progress.com, Brad Nicholes]
-
- *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
- allows the module to only authorize a user if the attribute value
- specified matches the value of the user object. PR 31913
- [Ryan Morgan <rmorgan pobox.com>]
-
- *) SECURITY: CVE-2004-0942 (cve.mitre.org)
- Fix for memory consumption DoS in handling of MIME folded request
- headers. [Joe Orton]
-
- *) SECURITY: CVE-2004-0885 (cve.mitre.org)
- mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
- bypassed during an SSL renegotiation. PR 31505.
- [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]
-
- *) mod_ssl: Fail at startup rather than segfault at runtime if a
- client cert is configured with an encrypted private key.
- PR 24030. [Joe Orton]
-
- *) apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448
- [Joe Orton]
-
- *) mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d.
- [Jeff Trawick]
-
- *) mod_cache: CacheDisable will only disable the URLs it was meant to
- disable, not all caching. PR 31128.
- [Edward Rudd <eddie omegaware.com>, Paul Querna]
-
- *) mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale
- cache responses. [Justin Erenkrantz]
-
- *) mod_rewrite: Handle per-location rules when r->filename is unset.
- Previously this would segfault or simply not match as expected,
- depending on the platform. [Jeff Trawick]
-
- *) mod_rewrite: Fix 0 bytes write into random memory position.
- PR 31036. [André Malo]
-
- *) mod_disk_cache: Do not store aborted content. PR 21492.
- [Rüdiger Plüm <r.pluem t-online.de>]
-
- *) mod_disk_cache: Correctly store cached content type. PR 30278.
- [Rüdiger Plüm <r.pluem t-online.de>]
-
- *) mod_ldap: prevent the possiblity of an infinite loop in the LDAP
- statistics display. PR 29216. [Graham Leggett]
-
- *) mod_ldap: fix a bogus error message to tell the user which file
- is causing a potential problem with the LDAP shared memory cache.
- PR 31431 [Graham Leggett]
-
- *) SECURITY: CVE-2004-1834 (cve.mitre.org)
- mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz]
-
- *) Fix the re-linking issue when purging elements from the LDAP cache
- PR 24801. [Jess Holle <jessh ptc.com>]
-
- *) mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz]
-
- *) Fix Expires handling in mod_cache. [Justin Erenkrantz]
-
- *) Alter mod_expires to run at a different filter priority to allow
- proper Expires storage by mod_cache. [Justin Erenkrantz]
-
-Changes with Apache 2.0.52
-
- *) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo]
-
- *) Fix the global mutex crash when the global mutex is never allocated
- due to disabled/empty caches. [Jess Holle <jessh ptc.com>]
-
- *) Fix a segfault in the LDAP cache when it is configured switched
- off. [Jess Holle <jessh ptc.com>]
-
- *) SECURITY: CVE-2004-0811 (cve.mitre.org)
- Fix merging of the Satisfy directive, which was applied to
- the surrounding context and could allow access despite configured
- authentication. PR 31315. [Rici Lake <rici ricilake.net>]
-
- *) Fix the handling of URIs containing %2F when AllowEncodedSlashes
- is enabled. Previously, such urls would still be rejected.
- [Jeff Trawick, Bill Stoddard]
-
- *) mod_mem_cache: Fixed race condition causing segfault because of memory being
- freed twice, or reused after being freed.
- [J. Clar, W. Stoddard, G. Ames]
-
- *) Add -l option to rotatelogs to let it use local time rather than
- UTC. PR 24417. [Ken Coar, Uli Zappe <uli ritual.org>]
-
- *) mod_log_config: Fix a bug which prevented request completion time
- from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
- processing. PR 29696. [Alois Treindl <alois astro.ch>]
-
-Changes with Apache 2.0.51
-
- *) SECURITY: CVE-2004-0786 (cve.mitre.org)
- Fix an input validation issue in apr-util which could be
- triggered by malformed IPv6 literal addresses. [Joe Orton]
-
- *) SECURITY: CVE-2004-0747 (cve.mitre.org)
- Fix buffer overflow in expansion of environment variables in
- configuration file parsing. [André Malo]
-
- *) SECURITY: CVE-2004-0809 (cve.mitre.org)
- mod_dav_fs: Fix a segfault in the handling of an indirect lock
- refresh. PR 31183. [Joe Orton]
-
- *) mod_include no longer checks for recursion, because that's done
- in the core. This allows for careful usage of recursive SSI.
- [André Malo]
-
- *) Fix memory leak in the cache handling of mod_rewrite. PR 27862.
- [chunyan sheng <shengperson yahoo.com>, André Malo]
-
- *) Include directives no longer refuse to process symlinks on
- directories. Instead there's now a maximum nesting level
- of included directories (128 as distributed). This is configurable
- at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch.
- PR 28492. [André Malo]
-
- *) Win32: apache -k start|restart|install|config can leave stranded
- piped logger processes (eg, rotatelogs.exe) due to improper
- server shutdown on these code paths.
- [Bill Stoddard]
-
- *) SECURITY: CVE-2004-0751 (cve.mitre.org)
- mod_ssl: Fix a segfault in the SSL input filter which could be
- triggered if using "speculative" mode, for instance by a
- proxy request to an SSL server. PR 30134. [Joe Orton]
-
- *) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.
- PR 30464. [Joe Orton, Madhusudan Mathihalli]
-
- *) mod_ssl: Add new 'ssl_is_https' optional function. [Joe Orton]
-
- *) Prevent CGI script output which includes a Content-Range header
- from being passed through the byterange filter. [Joe Orton]
-
- *) Satisfy directives now can be influenced by a surrounding <Limit>
- container. PR 14726. [André Malo]
-
- *) mod_rewrite now officially supports RewriteRules in <Proxy> sections.
- PR 27985. [André Malo]
-
- *) mod_disk_cache: Implement binary format for on-disk header files.
- [Brian Akins <bakins web.turner.com>, Justin Erenkrantz]
-
- *) mod_disk_cache: Optimize network performance of disk cache subsystem by
- allowing zero-copy (sendfile) writes and other miscellaneous fixes.
- [Justin Erenkrantz]
-
- *) mod_cache, mod_disk_cache, mod_mem_cache: Refactor cache modules, and
- switch to the provider API instead of hooks. [Justin Erenkrantz]
-
- *) mod_autoindex: Don't truncate the directory listing if a stat()
- call fails (for instance on a >2Gb file). PR 17357.
- [Joe Orton]
-
- *) Makefile fix: httpd is linked against LIBS given to the
- 'make' invocation. PR 7882. [Joe Orton]
-
- *) WinNT MPM: Fix a broken log message at termination. PR 28063.
- [Eider Oliveira <eider bol.com.br>]
-
- *) Prevent Win32 pool corruption at startup [Allan Edwards]
-
- *) mod_ssl: Add "SSLUserName" directive to set r->user based on a
- chosen SSL environment variable. PR 20957.
- [Martin v. Loewis <martin v.loewis.de>]
-
- *) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs.
- [Zvi Har'El <rl math.technion.ac.il>]
-
- *) apachectl: Fix a problem finding envvars if sbindir != bindir.
- PR 30723. [Friedrich Haubensak <hsk imb-jena.de>]
-
- *) mod_ssl: Build on RHEL 3. PR 18989. [Justin Erenkrantz]
-
- *) SECURITY: CVE-2004-0748 (cve.mitre.org)
- mod_ssl: Fix a potential infinite loop. PR 29964. [Joe Orton]
-
- *) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb.
- PR 18989. [Joe Orton]
-
- *) mod_userdir: Ensure that the userdir identity is used for
- suexec userdir access in a virtual host which has suexec configured.
- PR 18156. [Joshua Slive]
-
- *) mod_rewrite no longer confuses the RewriteMap caches if
- different maps defined in different virtual hosts use the
- same map name. PR 26462. [André Malo]
-
- *) mod_setenvif: Remove "support" for Remote_User variable which
- never worked at all. PR 25725. [André Malo]
-
- *) Backport from 2.1 / Regression from 1.3: mod_headers now knows
- again the functionality of the ErrorHeader directive. But instead
- using this misnomer additional flags to the Header directive were
- introduced ("always" and "onsuccess", defaulting to the latter).
- PR 28657. [André Malo]
-
- *) Use the higher performing 'httpready' Accept Filter on all platforms
- except FreeBSD < 4.1.1. [Paul Querna]
-
- *) mod_usertrack: Escape the cookie name before pasting into the
- regexp. [André Malo]
-
- *) Extend the SetEnvIf directive to capture subexpressions of the
- matched value. [André Malo]
-
- *) Recursive Include directives no longer crash. The server stops
- including configuration files after a certain nesting level (128
- as distributed). This is configurable at compile time using the
- -DAP_MAX_INCLUDE_DEPTH switch. PR 28370. [André Malo]
-
- *) mod_dir: the trailing-slash behaviour is now configurable using the
- DirectorySlash directive. [André Malo]
-
- *) Allow proxying of resources that are invoked via DirectoryIndex.
- PR 14648, 15112, 29961. [André Malo]
-
- *) util_ldap: Switched the lock types on the shared memory cache
- from thread reader/writer locks to global mutexes in order to
- provide cross process cache protection. [Brad Nicholes]
-
- *) util_ldap: Reworked the cache locking scheme to eliminate duplicate
- cache entries in the credentials cache due to race conditions.
- [Brad Nicholes]
-
- *) util_ldap: Enhanced the util_ldap cache-info display to show more
- detail about the contents and current state of the cache.
- [Brad Nicholes]
-
- *) Enable the option to support anonymous shared memory in mod_ldap.
- This makes the cache work on Linux again. [Graham Leggett]
-
- *) Enable special ErrorDocument value 'default' which restores the
- canned server response for the scope of the directive.
- [Geoffrey Young, André Malo]
-
- *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
- is set in r->subprocess_env allow mismatched query strings to pass.
- PR 27758. [Paul Querna, Geoffrey Young]
-
- *) Accept URLs for the ServerAdmin directive. If the supplied
- argument is not recognized as an URL, assume it's a mail address.
- PR 28174. [André Malo, Paul Querna]
-
- *) initialize server arrays prior to calling ap_setup_prelinked_modules
- so that static modules can push Defines values when registering
- hooks just like DSO modules can ["Philippe M. Chiasson" <gozer cpan.org>]
-
- *) Small fix to allow reverse proxying to an ftp server. Previously
- an attempt to do this would try and connect to 0.0.0.0, regardless
- of the server specified. PR 24922
- [Pascal Terjan <pt...@linuxfr.org>]
-
- *) Add the NOTICE file to the rpm spec file in compliance with the
- Apache v2.0 license. [Graham Leggett]
-
- *) RPM spec file changes: changed default dependancy to link to db4
- instead of db3. Fixed complaints about unpackaged files.
- [Graham Leggett]
-
-Changes with Apache 2.0.50
-
- *) SECURITY: CVE-2004-0493 (cve.mitre.org)
- Close a denial of service vulnerability identified by Georgi
- Guninski which could lead to memory exhaustion with certain
- input data. [Jeff Trawick]
-
- *) mod_cgi: Handle output on stderr during script execution on Unix
- platforms; preventing deadlock when stderr output fills pipe buffer.
- Also fixes case where stderr from nph- scripts could be lost.
- PR 22030, 18348. [Joe Orton, Jeff Trawick]
-
- *) mod_alias now emits a warning if it detects overlapping *Alias*
- directives. [André Malo]
-
- *) mod_rewrite no longer turns forward proxy requests into reverse proxy
- requests. PR 28125 [ast domdv.de, André Malo]
-
- *) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now
- exported on Win32 and Netware as well (minor MMN bump). PR 28523.
- [Edward Rudd <eddie omegaware.com>, André Malo]
-
- *) Restore the ability to disable the use of AcceptEx on Win9x systems
- automatically (broken in 2.0.49). PR 28529. [André Malo]
-
- *) <VirtualHost myhost> now applies to all IP addresses for myhost
- instead of just the first one reported by the resolver. This
- corrects a regression since 1.3. [Jeff Trawick]
-
- *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved
- against ServerRoot PR#26602 [Brad Nicholes]
-
- *) SECURITY: CVE-2004-0488 (cve.mitre.org)
- mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
- (trusted) client certificate subject DN which exceeds 6K in length.
- [Joe Orton]
-
- *) mod_dav_fs: Fix MKCOL response for missing parent collections, which
- caused issues for the Eclipse WebDAV extension.
- PR 29034. [Joe Orton]
-
- *) mod_deflate: Fix memory consumption (which was proportional to the
- response size). PR 29318. [Joe Orton]
-
- *) mod_ssl: Log the errors returned on failure to load or initialize
- a crypto accelerator engine. [Joe Orton]
-
- *) Allow RequestHeader directives to be conditional. PR 27951.
- [Vincent Deffontaines <vincent gryzor.com>, André Malo]
-
- *) Allow LimitRequestBody to be reset to unlimited. PR 29106
- [André Malo]
-
- *) Fix a bunch of cases where the return code of the regex compiler
- was not checked properly. This affects: mod_setenvif, mod_usertrack,
- mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo]
-
- *) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for
- small cache sizes. PR 27751. [Geoff Thorpe <geoff geoffthorpe.net>]
-
- *) Remove 2Gb log file size restriction on some 32-bit platforms.
- PR 13511. [Joe Orton]
-
- *) mod_logio no longer removes the EOS bucket. PR 27928.
- [Bojan Smojver <bojan rexursive.com>]
-
- *) htpasswd no longer refuses to process files that contain empty
- lines. [André Malo]
-
- *) Regression from 1.3: At startup, suexec now will be checked for
- availability, the setuid bit and user root. The works only if
- httpd is compiled with the shipped APR version (0.9.5).
- PR 28287. [André Malo]
-
- *) Unix MPMs: Stop dropping connections when the file descriptor
- is at least FD_SETSIZE. [Jeff Trawick]
-
- *) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick]
-
- *) mod_isapi: send_response_header() failed to copy status string's
- last character. PR 20619. [Jesse Pelton <jsp pkc.com>]
-
- *) Fix a segfault when requests for shared memory fails and returns
- NULL. Fix a segfault caused by a lack of bounds checking on the
- cache. PR 24801. [Graham Leggett]
-
- *) Throw an error message if an attempt is made to use the LDAPTrustedCA
- or LDAPTrustedCAType directives in a VirtualHost. PR 26390
- [Brad Nicholes]
-
- *) Fix a potential segfault if the bind password in the LDAP cache
- is NULL. PR 28250. [Jari Ahonen <jah progress.com>]
-
- *) Quotes cannot be used around require group and require dn
- directives, update the documentation to reflect this. Also add
- quotes around the dn and group within debug messages, to make it
- more obvious why authentication is failing if quotes are used in
- error. PR 19304. [Graham Leggett]
-
- *) The Microsoft LDAP SDK escapes filters for us, stop util_ldap
- from escaping filters twice when the backslash character is used.
- PR 24437. [Jess Holle <jessh ptc.com>]
-
- *) Overhaul handling of LDAP error conditions, so that the util_ldap_*
- functions leave the connections in a sane state after errors have
- occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134,
- 27271 [Graham Leggett]
-
- *) mod_ldap calls ldap_simple_bind_s() to validate the user
- credentials. If the bind fails, the connection is left
- in an unbound state. Make sure that the ldap connection
- record is updated to show that the connection is no longer
- bound. [Brad Nicholes]
-
- *) Ensure that lines in the request which are too long are
- properly terminated before logging.
- [Tsurutani Naoki <turutani scphys.kyoto-u.ac.jp>]
-
- *) Update the bind credentials for the cached LDAP connection to
- reflect the last bind. This prevents util_ldap from creating
- unnecessary connections rather than reusing cached connections.
- [Brad Nicholes]
-
- *) mod_isapi: GetServerVariable returned improperly terminated header
- fields given "ALL_HTTP" or "ALL_RAW". PR 20656.
- [Jesse Pelton <jsp pkc.com>]
-
- *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer
- size. PR 20617. [Jesse Pelton <jsp pkc.com>]
-
- *) mod_dav: Fix a problem that could cause crashes when manipulating
- locks on some platforms. [Jeff Trawick]
-
- *) mod_headers no longer crashes if an empty header value should
- be added. [André Malo]
-
- *) Fix segfault in mod_expires, which occured under certain
- circumstances. PR 28047. [André Malo]
-
- *) htpasswd: use apr_temp_dir_get() and general cleanup
- [Guenter Knauf <eflash gmx.net>, Thom May]
-
- *) mod_ssl: Fix memory leak in session cache handling. PR 26562
- [Madhusudan Mathihalli]
-
- *) mod_ssl: Fix potential segfaults when performing SSL shutdown from
- a pool cleanup. PR 27945. [Joe Orton]
-
- *) Add forensic logging module (mod_log_forensic).
- [Ben Laurie]
-
- *) logresolve: Allow size of log line buffer to be overridden at
- build time (MAXLINE). PR 27793. [Jeff Trawick]
-
- *) Fix the comment delimiter in htdbm so that it correctly parses the
- username comment. Also add a terminate function to allow NetWare
- to pause the output before the screen is destroyed.
- [Guenter Knauf <eflash gmx.net>, Brad Nicholes]
-
- *) Fix crash when Apache was started with no Listen directives.
- [Michael Corcoran <mcorcoran warpsolutions.com>]
-
- *) core_output_filter: Fix bug that could result in sending
- garbage over the network when module handlers construct
- bucket brigades containing multiple file buckets all referencing
- the same open file descriptor. [Bojan Smojver]
-
- *) Fix memory corruption problem with ap_custom_response() function.
- The core per-dir config would later point to request pool data
- that would be reused for different purposes on different requests.
- [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]
-
- *) Win32: Tweak worker thread accounting routines to eliminate
- server hang when number of Listen directives in httpd.conf
- is greater than or equal to the setting of ThreadsPerChild.
- [Bill Stoddard]
-
-Changes with Apache 2.0.49
-
- *) SECURITY: CVE-2004-0174 (cve.mitre.org)
- Fix starvation issue on listening sockets where a short-lived
- connection on a rarely-accessed listening socket will cause a
- child to hold the accept mutex and block out new connections until
- another connection arrives on that rarely-accessed listening socket.
- With Apache 2.x there is no performance concern about enabling the
- logic for platforms which don't need it, so it is enabled everywhere
- except for Win32. [Jeff Trawick]
-
- *) mod_cgid: Fix storage corruption caused by use of incorrect pool.
- [Jeff Trawick]
-
- *) Win32: find_read_listeners was not correctly handling multiple
- listeners on the Win32DisableAcceptEx path. [Bill Stoddard]
-
- *) Fix bug in mod_usertrack when no CookieName is set. PR 24483.
- [Manni Wood <manniwood planet-save.com>]
-
- *) Fix some piped log problems: bogus "piped log program '(null)'
- failed" messages during restart and problem with the logger
- respawning again after Apache is stopped. PR 21648, PR 24805.
- [Jeff Trawick]
-
- *) Fixed file extensions for real media files and removed rpm extension
- from mime.types. PR 26079. [Allan Sandfeld <kde carewolf.com>]
-
- *) Remove compile-time length limit on request strings. Length is
- now enforced solely with the LimitRequestLine config directive.
- [Paul J. Reder]
-
- *) mod_ssl: Send the Close Alert message to the peer before closing
- the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]
-
- *) SECURITY: CVE-2004-0113 (cve.mitre.org)
- mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
- PR 27106. [Joe Orton]
-
- *) mod_ssl: Fix bug in passphrase handling which could cause spurious
- failures in SSL functions later. PR 21160. [Joe Orton]
-
- *) mod_log_config: Fix corruption of buffered logs with threaded
- MPMs. PR 25520. [Jeff Trawick]
-
- *) Fix mod_include's expression parser to recognize strings correctly
- even if they start with an escaped token. [André Malo]
-
- *) Add fatal exception hook for use by diagnostic modules. The hook
- is only available if the --enable-exception-hook configure parm
- is used and the EnableExceptionHook directive has been set to
- "on". [Jeff Trawick]
-
- *) Allow mod_auth_digest to work with sub-requests with different
- methods than the original request. PR 25040.
- [Josh Dady <jpd indecisive.com>]
-
- *) fix "Expected </Foo>> but saw </Foo>" errors in nested,
- argumentless containers.
- ["Philippe M. Chiasson" <gozer cpan.org>]
-
- *) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
- [Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]
-
- *) mod_cgid: Restart the cgid daemon if it crashes. PR 19849
- [Glenn Nielsen <glenn apache.org>]
-
- *) The whole codebase was relicensed and is now available under
- the Apache License, Version 2.0 (http://www.apache.org/licenses).
- [Apache Software Foundation]
-
- *) Fixed cache-removal order in mod_mem_cache.
- [Jean-Jacques Clar, Cliff Woolley]
-
- *) mod_setenvif: Fix the regex optimizer, which under circumstances
- treated the supplied regex as literal string. PR 24219.
- [André Malo]
-
- *) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
- instead of mmn. [André Malo]
-
- *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
- could lead to a 400 (Bad Request) response. [André Malo]
-
- *) Keep focus of ITERATE and ITERATE2 on the current module when
- the module chooses to return DECLINE_CMD for the directive.
- PR 22299. [Geoffrey Young <geoff apache.org>]
-
- *) Add support for IMT minor-type wildcards (e.g., text/*) to
- ExpiresByType. PR#7991 [Ken Coar]
-
- *) Fix segfault in mod_mem_cache cache_insert() due to cache size
- becoming negative. PR: 21285, 21287
- [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
-
- *) core.c: If large file support is enabled, allow any file that is
- greater than AP_MAX_SENDFILE to be split into multiple buckets.
- This allows Apache to send files that are greater than 2gig.
- Otherwise we run into 32/64 bit type mismatches in the file size.
- [Brad Nicholes]
-
- *) proxy_http fix: mod_proxy hangs when both KeepAlive and
- ProxyErrorOverride are enabled, and a non-200 response without a
- body is generated by the backend server. (e.g.: a client makes a
- request containing the "If-Modified-Since" and "If-None-Match"
- headers, to which the backend server respond with status 304.)
- [Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]
-
- *) mod_dav: Reject requests which include an unescaped fragment in the
- Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
-
- *) Build array of allowed methods with proper dimensions, fixing
- possible memory corruption. [Jeff Trawick]
-
- *) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
- PR 15057. [Otmar Lendl <lendl nic.at>]
-
- *) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
- [Joe Orton]
-
- *) mod_usertrack no longer inspects the Cookie2 header for
- the cookie name. PR 11475. [Chris Darrochi <chrisd pearsoncmg.com>]
-
- *) mod_usertrack no longer overwrites other cookies.
- PR 26002. [Scott Moore <apache nopdesign.com>]
-
- *) worker MPM: fix stack overlay bug that could cause the parent
- process to crash. [Jeff Trawick]
-
- *) Win32: Add Win32DisableAcceptEx directive. This Windows
- NT/2000/CP directive is useful to work around bugs in some
- third party layered service providers like virus scanners,
- VPN and firewall products, that do not properly handle
- WinSock 2 APIs. Use this directive if your server is issuing
- AcceptEx failed messages.
- [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]
-
- *) Make REMOTE_PORT variable available in mod_rewrite.
- PR 25772. [André Malo]
-
- *) Fix a long delay with CGI requests and keepalive connections on
- AIX. [Jeff Trawick]
-
- *) mod_autoindex: Add 'XHTML' option in order to allow switching between
- HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]
-
- *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
- [André Malo]
-
- *) mod_ssl: Advertise SSL library version as determined at run-time rather
- than at compile-time. PR 23956. [Eric Seidel <seidel apple.com>]
-
- *) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
- format code is used. PR 22741. [Gary E. Miller <gem rellim.com>]
-
- *) Fix build with parallel make. PR 24643. [Joe Orton]
-
- *) mod_rewrite: In external rewrite maps lookup keys containing
- a newline now cause a lookup failure. PR 14453.
- [Cedric Gavage <cedric.gavage unixtech.be>, André Malo]
-
- *) Backport major overhaul of mod_include's filter parser from 2.1.
- The new parser code is expected to be more robust and should
- catch all of the edge cases that were not handled by the previous one.
- The 2.1 external API changes were hidden by a wrapper which is
- expected to keep the API backwards compatible. [André Malo]
-
- *) Add a hook (insert_error_filter) to allow filters to re-insert
- themselves during processing of error responses. Enable mod_expires
- to use the new hook to include Expires headers in valid error
- responses. This addresses an RFC violation. It fixes PRs 19794,
- 24884, and 25123. [Paul J. Reder]
-
- *) Add Polish translation of error messages. PR 25101.
- [Tomasz Kepczynski <tomek jot23.org>]
-
- *) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
- supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes,
- Bill Stoddard]
-
- *) Add mod_status hook to allow modules to add to the mod_status
- report. [Joe Orton]
-
- *) Fix htdbm to generate comment fields in DBM files correctly.
- [Justin Erenkrantz]
-
- *) mod_dav: Use bucket brigades when reading PUT data. This avoids
- problems if the data stream is modified by an input filter. PR 22104.
- [Tim Robbins <tim robbins.dropbear.id.au>, André Malo]
-
- *) Fix RewriteBase directive to not add double slashes. [André Malo]
-
- *) Improve 'configure --help' output for some modules. [Astrid Keßler]
-
- *) Correct UseCanonicalName Off to properly check incoming port number.
- [Jim Jagielski]
-
- *) Fix slow graceful restarts with prefork MPM. [Joe Orton]
-
- *) Fix a problem with namespace mappings being dropped in mod_dav_fs;
- if any property values were set which defined namespaces these
- came out mangled in the PROPFIND response. PR 11637.
- [Amit Athavale <amit_athavale persistent.co.in>]
-
- *) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
- the destination resource gives a 401. PR 15571. [Joe Orton]
-
- *) SECURITY: CVE-2003-0020 (cve.mitre.org)
- Escape arbitrary data before writing into the errorlog. Unescaped
- errorlogs are still possible using the compile time switch
- "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]
-
- *) mod_autoindex / core: Don't fail to show filenames containing
- special characters like '%'. PR 13598. [André Malo]
-
- *) mod_status: Report total CPU time accurately when using a threaded
- MPM. PR 23795. [Jeff Trawick]
-
- *) Fix memory leak in handling of request bodies during reverse
- proxy operations. PR 24991. [Larry Toppi <larry.toppi citrix.com>]
-
- *) Win32 MPM: Implement MaxMemFree to enable setting an upper
- limit on the amount of storage used by the bucket brigades
- in each server thread. [Bill Stoddard]
-
- *) Modified the cache code to be header-location agnostic. Also
- fixed a number of other cache code bugs related to PR 15852.
- Includes a patch submitted by Sushma Rai <rsushma novell.com>.
- This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
- closing the PR since that is what they are using. [Paul J. Reder]
-
- *) complain via error_log when mod_include's INCLUDES filter is
- enabled, but the relevant Options flag allowing the filter to run
- for the specific resource wasn't set, so that the filter won't
- silently get skipped. next remove itself, so the warning will be
- logged only once [Stas Bekman, Jeff Trawick, Bill Rowe]
-
- *) mod_info: HTML escape configuration information so it displays
- correctly. PR 24232. [Thom May]
-
- *) Restore the ability to add a description for directories that
- don't contain an index file. (Broken in 2.0.48) [André Malo]
-
- *) Fix a problem with the display of empty variables ("SetEnv foo") in
- mod_include. PR 24734 [Markus Julen <mj zermatt.net>]
-
- *) mod_log_config: Log the minutes component of the timezone correctly.
- PR 23642. [Hong-Gunn Chew <hgbug gunnet.org>]
-
- *) mod_proxy: Fix cases where an invalid status-line could be sent
- to the client. PR 23998. [Joe Orton]
-
- *) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL
- are also loaded. [Joe Orton]
-
- *) mod_ssl: Use human-readable OpenSSL error strings in logs; use
- thread-safe interface for retrieving error strings. [Joe Orton]
-
- *) mod_expires: Initialize ExpiresDefault to NULL instead of "" to
- avoid reporting an Internal Server error if it is used without
- having been set in the httpd.conf file. PR: 23748, 24459
- [André Malo, Liam Quinn <liam htmlhelp.com>]
-
- *) mod_autoindex: Don't omit the <tr> start tag if the SuppressIcon
- option is set. PR 21668. [Jesse Tie-Ten-Quee <highos highos.com>]
-
- *) mod_include no longer allows an ETag header on 304 responses.
- PR 19355. [Geoffrey Young <geoff apache.org>, André Malo]
-
- *) EBCDIC: Convert header fields to ASCII before sending (broken
- since 2.0.44). [Martin Kraemer]
-
- *) Fix the inability to log errors like exec failure in
- mod_ext_filter/mod_cgi script children. This was broken after
- such children stopped inheriting the error log handle.
- [Jeff Trawick]
-
- *) Fix mod_info to use the real config file name, not the default
- config file name. [Aryeh Katz <aryeh secured-services.com>]
-
- *) Set the scoreboard state to indicate logging prior to running
- logging hooks so that server-status will show 'L' for hung loggers
- instead of 'W'. [Jeff Trawick]
-
-Changes with Apache 2.0.48
-
- *) SECURITY: CVE-2003-0789 (cve.mitre.org)
- mod_cgid: Resolve some mishandling of the AF_UNIX socket used to
- communicate with the cgid daemon and the CGI script.
- [Jeff Trawick]
-
- *) SECURITY: CVE-2003-0542 (cve.mitre.org)
- Fix buffer overflows in mod_alias and mod_rewrite which occurred
- if one configured a regular expression with more than 9 captures.
- [André Malo]
-
- *) mod_include: fix segfault which occured if the filename was not
- set, for example, when processing some error conditions.
- PR 23836. [Brian Akins <bakins web.turner.com>, André Malo]
-
- *) fix the config parser to support <Foo>..</Foo> containers (no
- arguments in the opening tag) supported by httpd 1.3. Without
- this change mod_perl 2.0's <Perl> sections are broken.
- ["Philippe M. Chiasson" <gozer cpan.org>]
-
- *) mod_cgid: fix a hash table corruption problem which could
- result in the wrong script being cleaned up at the end of a
- request. [Jeff Trawick]
-
- *) Update httpd-*.conf to be clearer in describing the connection
- between AddType and AddEncoding for defining the meaning of
- compressed file extensions. [Roy Fielding]
-
- *) mod_rewrite: Don't die silently when failing to open RewriteLogs.
- PR 23416. [André Malo]
-
- *) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
- rewritten request using "proxy:". The code was adding multiple "proxy:"
- fields in the rewritten URI. PR: 13946.
- [Eider Oliveira <eider bol.com.br>]
-
- *) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
- expires as directed in RFC 2616. [Thomas Castelle <tcastelle generali.fr>]
-
- *) Ensure that ssl-std.conf is generated at configure time, and switch
- to using the expanded config variables to work the same as
- httpd-std.conf PR: 19611
- [Thom May]
-
- *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
- [Hartmut Keil <Hartmut.Keil adnovum.ch>]
-
- *) mod_autoindex: If a directory contains a file listed in the
- DirectoryIndex directive, the folder icon is no longer replaced
- by the icon of that file. PR 9587.
- [David Shane Holden <dpejesh yahoo.com>]
-
- *) Fixed mod_usertrack to not get false positive matches on the
- user-tracking cookie's name. PR 16661.
- [Manni Wood <manniwood planet-save.com>]
-
- *) mod_cache: Fix the cache code so that responses can be cached
- if they have an Expires header but no Etag or Last-Modified
- headers. PR 23130.
- [<bjorn exoweb.net>]
-
- *) mod_log_config: Fix %b log format to write really "-" when 0 bytes
- were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]
-
- *) Modify ap_get_client_block() to note if it has seen EOS.
- [Justin Erenkrantz]
-
- *) Fix a bug, where mod_deflate sometimes unconditionally compressed the
- content if the Accept-Encoding header contained only other tokens than
- "gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
-
- *) Avoid an infinite recursion, which occured if the name of an included
- config file or directory contained a wildcard character. PR 22194.
- [André Malo]
-
- *) mod_ssl: Fix a problem setting variables that represent the
- client certificate chain. PR 21371 [Jeff Trawick]
-
- *) Unix: Handle permissions settings for flock-based mutexes in
- unixd_set_global|proc_mutex_perms(). Allow the functions to be
- called for any type of mutex. PR 20312 [Jeff Trawick]
-
- *) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
-
- *) Fix a misleading message from the some of the threaded MPMs when
- MaxClients has to be lowered due to the setting of ServerLimit.
- [Jeff Trawick]
-
- *) Lower the severity of the "listener thread didn't exit" message
- to debug, as it is of interest only to developers. PR 9011
- [Jeff Trawick]
-
- *) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
- [Cliff Woolley, Jean-Jacques Clar]
-
- *) Install config.nice into the build/ directory to make
- minor version upgrades easier. [Joshua Slive]
-
- *) Fix mod_deflate so that it does not call deflate() without checking
- first whether it has something to deflate. (Currently this causes
- deflate to generate a fatal error according to the zlib spec.)
- PR 22259. [Stas Bekman]
-
- *) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an
- identity spoof is encountered.
- [Sander Striker]
-
- *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
- containing the .htaccess file is requested without a trailing slash.
- PR 20195. [André Malo]
-
- *) ab: Overlong credentials given via command line no longer clobber
- the buffer. [André Malo]
-
- *) mod_deflate: Don't attempt to hold all of the response until we're
- done. [Justin Erenkrantz]
-
- *) Assure that we block properly when reading input bodies with SSL.
- PR 19242. [David Deaves <David.Deaves dd.id.au>, William Rowe]
-
- *) Update mime.types to include latest IANA and W3C types. [Roy Fielding]
-
- *) mod_ext_filter: Set additional environment variables for use by
- the external filter. PR 20944. [Andrew Ho, Jeff Trawick]
-
- *) Fix buildconf errors when libtool version changes. [Jeff Trawick]
-
- *) Remember an authenticated user during internal redirects if the
- redirection target is not access protected and pass it
- to scripts using the REDIRECT_REMOTE_USER environment variable.
- PR 10678, 11602. [André Malo]
-
- *) mod_include: Fix a trio of bugs that would cause various unusual
- sequences of parsed bytes to omit portions of the output stream.
- PR 21095. [Ron Park <ronald.park cnet.com>, André Malo, Cliff Woolley]
-
- *) Update the header token parsing code to allow LWS between the
- token word and the ':' seperator. [PR 16520]
- [Kris Verbeeck <kris.verbeeck advalvas.be>, Nicel KM <mnicel yahoo.com>]
-
- *) Eliminate creation of a temporary table in ap_get_mime_headers_core()
- [Joe Schaefer <joe+gmane sunstarsys.com>]
-
- *) Added FreeBSD directory layout. PR 21100.
- [Sander Holthaus <info orangexl.com>, André Malo]
-
- *) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
- response. PR 21085. [Glenn Nielsen <glenn apache.org>, André Malo]
-
- *) mod_rewrite: Perform child initialization on the rewrite log lock.
- This fixes a log corruption issue when flock-based serialization
- is used (e.g., FreeBSD). [Jeff Trawick]
-
- *) Don't respect the Server header field as set by modules and CGIs.
- As with 1.3, for proxy requests any such field is from the origin
- server; otherwise it will have our server info as controlled by
- the ServerTokens directive. [Jeff Trawick]
-
-Changes with Apache 2.0.47
-
- *) SECURITY: CVE-2003-0192 (cve.mitre.org)
- Fixed a bug whereby certain sequences of per-directory
- renegotiations and the SSLCipherSuite directive being used to
- upgrade from a weak ciphersuite to a strong one could result in
- the weak ciphersuite being used in place of the strong one.
- [Ben Laurie]
-
- *) SECURITY: CVE-2003-0253 (cve.mitre.org)
- Fixed a bug in prefork MPM causing temporary denial of service
- when accept() on a rarely accessed port returns certain errors.
- Reported by Saheed Akhtar <S.Akhtar talis.com>. [Jeff Trawick]
-
- *) SECURITY: CVE-2003-0254 (cve.mitre.org)
- Fixed a bug in ftp proxy causing denial of service when target
- host is IPv6 but proxy server can't create IPv6 socket. Fixed by
[... 12962 lines stripped ...]
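Review bot: The removed "Changes with Apache 2.0.49", "2.0.48" and "2.0.47" sections carry the SECURITY entries (CVE-2004-0174, CVE-2004-0113, CVE-2003-0020, CVE-2003-0789, CVE-2003-0542, CVE-2003-0192, CVE-2003-0253, CVE-2003-0254), so once they are gone trunk's CHANGES no longer says which release fixed each of them. The hunk header shows 15055 lines replaced by 18, and the replacement lines are not visible in this part of the diff. If they do not already do so, they should name the file or branch where the 2.0.x history is kept, so that a search for a CVE id or PR number starting from trunk still reaches the fix record. The CVE-2003-0020 entry is also where the "-DAP_UNSAFE_ERROR_LOG_UNESCAPED" compile-time switch is described. Please confirm that note is still available wherever these entries now live.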