Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1997/06/28 00:30:18 UTC
CHANGES change
I am thinking of borrowing a sendmail idea and prefixing each change with:
SECURITY:
CONFIG:
PORT:
[nothing, for the rest]
I don't want to have a zillion classifications... I just want to be able
to note which are important and which aren't. To that end I also would
rearrange the 1.2.1 changes such that the security ones are first, followed by
the config, followed by the generic stuff, followed by the ports.
Here's the 1.2.1 changes for example.
Comments?
Dean
Changes with Apache 1.2.1
*) SECURITY: Don't serve file system objects unless they are plain files,
symlinks, or directories. This prevents local users from using pipes
or named sockets to invoke programs for an extremely crude form of
CGI. [Dean Gaudet]
*) SECURITY: HeaderName and ReadmeName were settable in .htaccess and
could contain "../" allowing a local user to "publish" any file on
the system. No slashes are allowed now. [Dean Gaudet]
*) SECURITY: It was possible to violate the symlink Options using mod_dir
(headers, readmes, titles), mod_negotiation (type maps), or
mod_cern_meta (meta files). [Dean Gaudet]
*) CONFIG: "HostnameLookups" now defaults to off because it is far better
for the net if we require people that actually need this data to
enable it. [Linus Torvalds]
*) Attempt to work around problems with third party libraries that do not
handle high numbered descriptors (examples include bind, and
solaris libc). On all systems apache attempts to keep all permanent
descriptors above 15 (called the low slack line). Solaris users
can also benefit from adding -DHIGH_SLACK_LINE=256 to EXTRA_CFLAGS
which keeps all non-FILE * descriptors above 255. On all systems
this should make supporting large numbers of vhosts with many open
log files more feasible. If this causes trouble please report it,
you can disable this workaround by adding -DNO_SLACK to EXTRA_CFLAGS.
[Dean Gaudet] various PRs
*) Related to the last entry, network sockets are now opened before
log files are opened. The only known case where this can cause
problems is under Solaris with many virtualhosts and many Listen
directives. But using -DHIGH_SLACK_LINE=256 described above will
work around this problem. [Dean Gaudet]
*) Improved unix error response logging. [Marc Slemko]
*) Update mod_rewrite from 3.0.5 to 3.0.6. New ruleflag
QSA=query_string_append. Also fixed a nasty bug in per-dir context:
when a URL http://... was used in conjunction with a special
redirect flag, e.g. R=permanent, the permanent status was lost.
[Ronald Tschalaer <Ro...@psi.ch>, Ralf S. Engelschall]
*) If an object has multiple variants that are otherwise equal Apache
would prefer the last listed variant rather than the first.
[Paul Sutton] PR#94
*) "make clean" at the top level now removes *.o. [Dean Gaudet] PR#752
*) mod_status dumps core in inetd mode. [Marc Slemko and Roy Fielding]
PR#566
*) pregsub had an off-by-1 in its error checking code. [Alexei Kosut]
*) PORT: Update Unixware support for 2.1.2.
[Lawrence Rosenman <le...@lerctr.org>] PR#511
*) PORT: NonStop-UX [Joachim Schmitz <sc...@tandem.com>] PR#327
*) PORT: Update ConvexOS support for 11.5.
[David DeSimone <fo...@convex.com>] PR#399
*) PORT: Support for dec cc compiler under ultrix.
["P. Alejandro Lopez-Valencia" <al...@ideam.gov.co>] PR#388
*) PORT: Support for Maxion/OS SVR4.2 Real Time Unix. [no name given] PR#383
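As an added illustration (not Apache's own code) of the two checks described by the first two SECURITY entries above: a file-type gate that admits only plain files, directories and symlinks resolving to one of those, and a filename gate that rejects any HeaderName/ReadmeName value containing a slash. The self-check assumes a writable /tmp.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* 1 if the object at path may be served, 0 otherwise. lstat() first so a
 * symlink is recognised; it is then followed once and the target must be a
 * regular file or directory. FIFOs, sockets and device nodes are refused:
 * opening a FIFO would let a local user decide what the server reads. */
int is_servable(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (S_ISLNK(st.st_mode) && stat(path, &st) != 0)
        return 0;                       /* dangling link */
    return S_ISREG(st.st_mode) || S_ISDIR(st.st_mode);
}

/* 1 if a directive value is a bare filename (no '/' anywhere), 0 otherwise;
 * this is the "no slashes" rule, so "../" can no longer escape the directory. */
int is_safe_name(const char *name)
{
    return name[0] != '\0' && strchr(name, '/') == NULL;
}

/* Self-check: builds a scratch directory (constructed, under /tmp) holding a
 * plain file, a FIFO and a symlink to each; returns a bitmask of the verdicts. */
int self_test(void)
{
    char dir[] = "/tmp/servableXXXXXX", f[64], p[64], lf[64], lp[64];
    int mask = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(f, sizeof f, "%s/plain", dir);    snprintf(p, sizeof p, "%s/fifo", dir);
    snprintf(lf, sizeof lf, "%s/lplain", dir); snprintf(lp, sizeof lp, "%s/lfifo", dir);
    FILE *fp = fopen(f, "w");
    if (fp) fclose(fp);
    mkfifo(p, 0600); symlink(f, lf); symlink(p, lp);
    mask |= is_servable(f)  << 0;   /* plain file: expect 1 */
    mask |= is_servable(p)  << 1;   /* FIFO: expect 0 */
    mask |= is_servable(lf) << 2;   /* link to plain file: expect 1 */
    mask |= is_servable(lp) << 3;   /* link to FIFO: expect 0 */
    unlink(lp); unlink(lf); unlink(p); unlink(f); rmdir(dir);
    return mask;                    /* expect 0b0101 == 5 */
}
```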