You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1997/06/28 00:30:18 UTC

CHANGES change

I am thinking of borrowing a sendmail idea and prefixing each change with:

SECURITY:
CONFIG:
PORT:
[nothing, for the rest]

I don't want to have a zillion classifications... I just want to be able
to note which are important and which aren't.  To that end I also would
rearrange the 1.2.1 changes such that the security are first, followed by
the config, followed by the generic stuff, followed by the ports.

Here's the 1.2.1 changes for example.

Comments?

Dean

Changes with Apache 1.2.1

  *) SECURITY: Don't serve file system objects unless they are plain files,
     symlinks, or directories.  This prevents local users from using pipes
     or named sockets to invoke programs for an extremely crude form of
     CGI.  [Dean Gaudet]

  *) SECURITY: HeaderName and ReadmeName were settable in .htaccess and
     could contain "../" allowing a local user to "publish" any file on
     the system.  No slashes are allowed now.  [Dean Gaudet]

  *) SECURITY: It was possible to violate the symlink Options using mod_dir
     (headers, readmes, titles), mod_negotiation (type maps), or
     mod_cern_meta (meta files).  [Dean Gaudet]

  *) CONFIG: "HostnameLookups" now defaults to off because it is far better
     for the net if we require people that actually need this data to
     enable it.  [Linus Torvalds]

  *) Attempt to work around problems with third party libraries that do not
     handle high numbered descriptors (examples include bind, and
     solaris libc).  On all systems apache attempts to keep all permanent
     descriptors above 15 (called the low slack line).  Solaris users
     can also benefit from adding -DHIGH_SLACK_LINE=256 to EXTRA_CFLAGS
     which keeps all non-FILE * descriptors above 255.  On all systems
     this should make supporting large numbers of vhosts with many open
     log files more feasible.  If this causes trouble please report it,
     you can disable this workaround by adding -DNO_SLACK to EXTRA_CFLAGS.
     [Dean Gaudet] various PRs

  *) Related to the last entry, network sockets are now opened before
     log files are opened.  The only known case where this can cause
     problems is under Solaris with many virtualhosts and many Listen
     directives.  But using -DHIGH_SLACK_LINE=256 described above will
     work around this problem.  [Dean Gaudet]

  *) Improved unix error response logging.  [Marc Slemko]

  *) Update mod_rewrite from 3.0.5 to 3.0.6.  New ruleflag
     QSA=query_string_append.  Also fixed a nasty bug in per-dir context:
     when a URL http://... was used in concunction with a special
     redirect flag, e.g. R=permanent, the permanent status was lost.
     [Ronald Tschalaer <Ro...@psi.ch>, Ralf S. Engelschall]

  *) If an object has multiple variants that are otherwise equal Apache
     would prefer the last listed variant rather than the first.
     [Paul Sutton] PR#94

  *) "make clean" at the top level now removes *.o.  [Dean Gaudet] PR#752

  *) mod_status dumps core in inetd mode.  [Marc Slemko and Roy Fielding]
     PR#566

  *) pregsub had an off-by-1 in its error checking code. [Alexei Kosut]

  *) PORT: Update Unixware support for 2.1.2.
     [Lawrence Rosenman <le...@lerctr.org>] PR#511

  *) PORT: NonStop-UX [Joachim Schmitz <sc...@tandem.com>] PR#327

  *) PORT: Update ConvexOS support for 11.5.
     [David DeSimone <fo...@convex.com>] PR#399

  *) PORT: Support for dec cc compiler under ultrix.
     ["P. Alejandro Lopez-Valencia" <al...@ideam.gov.co>] PR#388

  *) PORT: Support for Maxion/OS SVR4.2 Real Time Unix. [no name given] PR#383