You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by st...@apache.org on 2004/03/19 21:56:23 UTC
cvs commit: httpd-dist Announcement2.html
striker 2004/03/19 12:56:23
Modified: . Announcement2.html
Log:
html'ify announcement
Revision Changes Path
1.44 +313 -183 httpd-dist/Announcement2.html
Index: Announcement2.html
===================================================================
RCS file: /home/cvs/httpd-dist/Announcement2.html,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- Announcement2.html 29 Oct 2003 14:47:08 -0000 1.43
+++ Announcement2.html 19 Mar 2004 20:56:23 -0000 1.44
@@ -3,7 +3,7 @@
<head>
<title>Apache HTTP Server Project</title>
</head>
-
+
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<body
bgcolor="#FFFFFF"
@@ -13,39 +13,46 @@
alink="#FF0000"
>
<img src="../../images/apache_sub.gif" alt="">
+
+<h1>Apache HTTP Server 2.0.49 Released</h1>
-<h1>Apache HTTP Server 2.0.48 Released</h1>
-
-<p>The Apache Software Foundation and the Apache HTTP Server Project are
- pleased to announce the eleventh public release of the Apache 2.0
- HTTP Server. This Announcement notes the significant changes in
- 2.0.48 as compared to 2.0.47.</p>
+<p>The Apache Software Foundation and the The Apache HTTP Server Project are
+ pleased to announce the release of version 2.0.49 of the Apache HTTP
+ Server ("Apache"). This Announcement notes the significant changes
+ in 2.0.49 as compared to 2.0.48.</p>
<p>This version of Apache is principally a bug fix release. A summary of
the bug fixes is given at the end of this document. Of particular
- note is that 2.0.48 addresses two security vulnerabilities:</p>
+ note is that 2.0.49 addresses three security vulnerabilities:</p>
-<p>mod_cgid mishandling of CGI redirect paths could result in CGI output
- going to the wrong client when a threaded MPM is used.<br>
- <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789">CAN-2003-0789</a>]</code></p>
-
-<p>A buffer overflow could occur in mod_alias and mod_rewrite when
- a regular expression with more than 9 captures is configured.<br>
- <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542">CAN-2003-0542</a>]</code></p>
+<p>When using multiple listening sockets, a denial of service attack
+ is possible on some platforms due to a race condition in the
+ handling of short-lived connections. This issue is known to affect
+ some versions of AIX, Solaris, and Tru64; it is known to not affect
+ FreeBSD or Linux.<br>
+ <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174">CAN-2004-0174</a>]</code></p>
+
+<p>Arbitrary client-supplied strings can be written to the error log
+ which can allow exploits of certain terminal emulators.<br>
+ <code>[<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">CAN-2003-0020</a>]</code></p>
+
+<p>A remotely triggered memory leak in mod_ssl can allow a denial
+ of service attack due to excessive memory consumption.<br>
+ <code>[<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113">CAN-2004-0113</a>]</code></p>
<p>This release is compatible with modules compiled for 2.0.42 and later
versions. We consider this release to be the best version of Apache
available and encourage users of all prior versions to upgrade.</p>
-
-<p>Apache 2.0.48 is available for download from</p>
+
+<p>Apache 2.0.49 is available for download from</p>
<dl>
<dd><a href="http://httpd.apache.org/download.cgi">http://httpd.apache.org/download.cgi</a></dd>
</dl>
-
+
<p>Please see the CHANGES_2.0 file, linked from the above page, for
a full list of changes.</p>
-
+
<p>Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase. For an overview of new features introduced
after 1.3 please see</p>
@@ -53,186 +60,309 @@
<dd><a href="http://httpd.apache.org/docs-2.0/new_features_2_0.html">
http://httpd.apache.org/docs-2.0/new_features_2_0.html</a></dl>
</dl>
-
+
<p>When upgrading or installing this version of Apache, please keep
in mind the following:</p>
-
+
<p>If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
will be using are thread-safe. Please contact the vendors of these
modules to obtain this information.</p>
+
+
+<h2>Apache 2.0.49 Major changes</h2>
-
-<h2>Apache 2.0.48 Major changes</h2>
-
-<h3>Security vulnerabilities closed since Apache 2.0.47</h3>
+<h3>Security vulnerabilities closed since Apache 2.0.48</h3>
<ul>
- <li>SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
- the AF_UNIX socket used to communicate with the cgid daemon and
- the CGI script. [Jeff Trawick]</li>
-
- <li>SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
- mod_rewrite which occurred if one configured a regular expression
- with more than 9 captures. [André Malo]</li>
+ <li>SECURITY: CAN-2004-0174 (cve.mitre.org)
+ Fix starvation issue on listening sockets where a short-lived
+ connection on a rarely-accessed listening socket will cause a
+ child to hold the accept mutex and block out new connections until
+ another connection arrives on that rarely-accessed listening socket.
+ With Apache 2.x there is no performance concern about enabling the
+ logic for platforms which don't need it, so it is enabled everywhere
+ except for Win32. [Jeff Trawick]</li>
+
+ <li>SECURITY: CAN-2004-0113 (cve.mitre.org)
+ mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
+ PR 27106. [Joe Orton]</li>
+
+ <li>SECURITY: CAN-2003-0020 (cve.mitre.org)
+ Escape arbitrary data before writing into the errorlog. Unescaped
+ errorlogs are still possible using the compile time switch
+ "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]</li>
</ul>
-
+
<h3>Bugs fixed and features added since Apache 2.0.47</h3>
<ul>
-
- <li>mod_include: fix segfault which occured if the filename was not
- set, for example, when processing some error conditions.
- PR 23836. [Brian Akins <bakins@web.turner.com>, André Malo]</li>
-
- <li>fix the config parser to support <Foo>..</Foo> containers (no
- arguments in the opening tag) supported by httpd 1.3. Without
- this change mod_perl 2.0's <Perl> sections are broken.
- ["Philippe M. Chiasson" <gozer@cpan.org>]</li>
-
- <li>mod_cgid: fix a hash table corruption problem which could
- result in the wrong script being cleaned up at the end of a
- request. [Jeff Trawick]</li>
-
- <li>Update httpd-*.conf to be clearer in describing the connection
- between AddType and AddEncoding for defining the meaning of
- compressed file extensions. [Roy Fielding]</li>
-
- <li>mod_rewrite: Don't die silently when failing to open RewriteLogs.
- PR 23416. [André Malo]</li>
-
- <li>mod_rewrite: Fix mod_rewrite's support of the [P] option to send
- rewritten request using "proxy:". The code was adding multiple "proxy:"
- fields in the rewritten URI. PR: 13946.
- [Eider Oliveira <eider@bol.com.br>]</li>
-
- <li>cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
- expires as directed in RFC 2616.
- [Thomas Castelle <tcastelle@generali.fr>]</li>
-
- <li>Ensure that ssl-std.conf is generated at configure time, and switch
- to using the expanded config variables to work the same as
- httpd-std.conf PR: 19611
- [Thom May]</li>
-
- <li>mod_ssl: Fix segfaults after renegotiation failure. PR 21370
- [Hartmut Keil <Hartmut.Keil@adnovum.ch>]</li>
-
- <li>mod_autoindex: If a directory contains a file listed in the
- DirectoryIndex directive, the folder icon is no longer replaced
- by the icon of that file. PR 9587.
- [David Shane Holden <dpejesh@yahoo.com>]</li>
-
- <li>Fixed mod_usertrack to not get false positive matches on the
- user-tracking cookie's name. PR 16661.
- [Manni Wood <manniwood@planet-save.com>]</li>
-
- <li>mod_cache: Fix the cache code so that responses can be cached
- if they have an Expires header but no Etag or Last-Modified
- headers. PR 23130.
- [bjorn@exoweb.net]</li>
-
- <li>mod_log_config: Fix %b log format to write really "-" when 0 bytes
- were sent (e.g. with 304 or 204 response codes). [Astrid Ke�ler]</li>
-
- <li>Modify ap_get_client_block() to note if it has seen EOS.
- [Justin Erenkrantz]</li>
-
- <li>Fix a bug, where mod_deflate sometimes unconditionally compressed the
- content if the Accept-Encoding header contained only other tokens than
- "gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]</li>
-
- <li>Avoid an infinite recursion, which occured if the name of an included
- config file or directory contained a wildcard character. PR 22194.
- [André Malo]</li>
-
- <li>mod_ssl: Fix a problem setting variables that represent the
- client certificate chain. PR 21371 [Jeff Trawick]</li>
-
- <li>Unix: Handle permissions settings for flock-based mutexes in
- unixd_set_global|proc_mutex_perms(). Allow the functions to be
- called for any type of mutex. PR 20312 [Jeff Trawick]</li>
-
- <li>ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]</li>
-
- <li>Fix a misleading message from the some of the threaded MPMs when
- MaxClients has to be lowered due to the setting of ServerLimit.
+
+ <li>mod_cgid: Fix storage corruption caused by use of incorrect pool.
[Jeff Trawick]</li>
-
- <li>Lower the severity of the "listener thread didn't exit" message
- to debug, as it is of interest only to developers. PR 9011
+
+ <li>Win32: find_read_listeners was not correctly handling multiple
+ listeners on the Win32DisableAcceptEx path. [Bill Stoddard]</li>
+
+ <li>Fix bug in mod_usertrack when no CookieName is set. PR 24483.
+ [Manni Wood <manniwood planet-save.com>]</li>
+
+ <li>Fix some piped log problems: bogus "piped log program '(null)'
+ failed" messages during restart and problem with the logger
+ respawning again after Apache is stopped. PR 21648, PR 24805.
[Jeff Trawick]</li>
-
- <li>MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
- [Cliff Woolley, Jean-Jacques Clar]</li>
-
- <li>Install config.nice into the build/ directory to make
- minor version upgrades easier. [Joshua Slive]</li>
-
- <li>Fix mod_deflate so that it does not call deflate() without checking
- first whether it has something to deflate. (Currently this causes
- deflate to generate a fatal error according to the zlib spec.)
- PR 22259. [Stas Bekman]</li>
-
- <li>mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an
- identity spoof is encountered.
- [Sander Striker]</li>
-
- <li>mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
- containing the .htaccess file is requested without a trailing slash.
- PR 20195. [André Malo]</li>
-
- <li>ab: Overlong credentials given via command line no longer clobber
- the buffer. [André Malo]</li>
-
- <li>mod_deflate: Don't attempt to hold all of the response until we're
- done. [Justin Erenkrantz]</li>
-
- <li>Assure that we block properly when reading input bodies with SSL.
- PR 19242. [David Deaves <David.Deaves@dd.id.au>, William Rowe]</li>
-
- <li>Update mime.types to include latest IANA and W3C types.
- [Roy Fielding]</li>
-
- <li>mod_ext_filter: Set additional environment variables for use by
- the external filter. PR 20944. [Andrew Ho, Jeff Trawick]</li>
-
- <li>Fix buildconf errors when libtool version changes. [Jeff Trawick]</li>
-
- <li>Remember an authenticated user during internal redirects if the
- redirection target is not access protected and pass it
- to scripts using the REDIRECT_REMOTE_USER environment variable.
- PR 10678, 11602. [André Malo]</li>
-
- <li>mod_include: Fix a trio of bugs that would cause various unusual
- sequences of parsed bytes to omit portions of the output stream.
- PR 21095. [Ron Park <ronald.park@cnet.com>,
- André Malo, Cliff Woolley]</li>
-
- <li>Update the header token parsing code to allow LWS between the
- token word and the ':' seperator. [PR 16520]
- [Kris Verbeeck <kris.verbeeck@advalvas.be>,
- Nicel KM <mnicel@yahoo.com>]</li>
-
- <li>Eliminate creation of a temporary table in ap_get_mime_headers_core()
- [Joe Schaefer <joe+gmane@sunstarsys.com>]</li>
-
- <li>Added FreeBSD directory layout. PR 21100.
- [Sander Holthaus <info@orangexl.com>, André Malo]</li>
-
- <li>Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
- response. PR 21085. [Glenn Nielsen <glenn@apache.org>, André Malo]</li>
-
- <li>mod_rewrite: Perform child initialization on the rewrite log lock.
- This fixes a log corruption issue when flock-based serialization
- is used (e.g., FreeBSD). [Jeff Trawick]</li>
-
- <li>Don't respect the Server header field as set by modules and CGIs.
- As with 1.3, for proxy requests any such field is from the origin
- server; otherwise it will have our server info as controlled by
- the ServerTokens directive. [Jeff Trawick]</li>
+
+ <li>Fixed file extensions for real media files and removed rpm extension
+ from mime.types. PR 26079. [Allan Sandfeld <kde carewolf.com>]</li>
+
+ <li>Remove compile-time length limit on request strings. Length is
+ now enforced solely with the LimitRequestLine config directive.
+ [Paul J. Reder]</li>
+
+ <li>mod_ssl: Send the Close Alert message to the peer before closing
+ the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]</li>
+
+ <li>mod_ssl: Fix bug in passphrase handling which could cause spurious
+ failures in SSL functions later. PR 21160. [Joe Orton]</li>
+
+ <li>mod_log_config: Fix corruption of buffered logs with threaded
+ MPMs. PR 25520. [Jeff Trawick]</li>
+
+ <li>Fix mod_include's expression parser to recognize strings correctly
+ even if they start with an escaped token. [André Malo]</li>
+
+ <li>Add fatal exception hook for use by diagnostic modules. The hook
+ is only available if the --enable-exception-hook configure parm
+ is used and the EnableExceptionHook directive has been set to
+ "on". [Jeff Trawick]</li>
+
+ <li>Allow mod_auth_digest to work with sub-requests with different
+ methods than the original request. PR 25040.
+ [Josh Dady <jpd indecisive.com>]</li>
+
+ <li>fix "Expected </Foo>> but saw </Foo>" errors in nested,
+ argumentless containers.
+ ["Philippe M. Chiasson" <gozer cpan.org>]</li>
+
+ <li>mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
+ [Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]</li>
+
+ <li>mod_cgid: Restart the cgid daemon if it crashes. PR 19849
+ [Glenn Nielsen <glenn apache.org>]</li>
+
+ <li>The whole codebase was relicensed and is now available under
+ the Apache License, Version 2.0 (http://www.apache.org/licenses).
+ [Apache Software Foundation]</li>
+
+ <li>Fixed cache-removal order in mod_mem_cache.
+ [Jean-Jacques Clar, Cliff Woolley]</li>
+
+ <li>mod_setenvif: Fix the regex optimizer, which under circumstances
+ treated the supplied regex as literal string. PR 24219.
+ [André Malo]</li>
+
+ <li>ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
+ instead of mmn. [André Malo]</li>
+
+ <li>mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
+ could lead to a 400 (Bad Request) response. [André Malo]</li>
+
+ <li>Keep focus of ITERATE and ITERATE2 on the current module when
+ the module chooses to return DECLINE_CMD for the directive.
+ PR 22299. [Geoffrey Young <geoff apache.org>]</li>
+
+ <li>Add support for IMT minor-type wildcards (e.g., text/*) to
+ ExpiresByType. PR#7991 [Ken Coar]</li>
+
+ <li>Fix segfault in mod_mem_cache cache_insert() due to cache size
+ becoming negative. PR: 21285, 21287
+ [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]</li>
+
+ <li>core.c: If large file support is enabled, allow any file that is
+ greater than AP_MAX_SENDFILE to be split into multiple buckets.
+ This allows Apache to send files that are greater than 2gig.
+ Otherwise we run into 32/64 bit type mismatches in the file size.
+ [Brad Nicholes]</li>
+
+ <li>proxy_http fix: mod_proxy hangs when both KeepAlive and
+ ProxyErrorOverride are enabled, and a non-200 response without a
+ body is generated by the backend server. (e.g.: a client makes a
+ request containing the "If-Modified-Since" and "If-None-Match"
+ headers, to which the backend server respond with status 304.)
+ [Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]</li>
+
+ <li>mod_dav: Reject requests which include an unescaped fragment in the
+ Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]</li>
+
+ <li>Build array of allowed methods with proper dimensions, fixing
+ possible memory corruption. [Jeff Trawick]</li>
+
+ <li>mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
+ PR 15057. [Otmar Lendl <lendl nic.at>]</li>
+
+ <li>mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
+ [Joe Orton]</li>
+
+ <li>mod_usertrack no longer inspects the Cookie2 header for
+ the cookie name. PR 11475. [Chris Darrochi <chrisd pearsoncmg.com>]</li>
+
+ <li>mod_usertrack no longer overwrites other cookies.
+ PR 26002. [Scott Moore <apache nopdesign.com>]</li>
+
+ <li>worker MPM: fix stack overlay bug that could cause the parent
+ process to crash. [Jeff Trawick]</li>
+
+ <li>Win32: Add Win32DisableAcceptEx directive. This Windows
+ NT/2000/XP directive is useful to work around bugs in some
+ third party layered service providers like virus scanners,
+ VPN and firewall products, that do not properly handle
+ WinSock 2 APIs. Use this directive if your server is issuing
+ AcceptEx failed messages.
+ [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]</li>
+
+ <li>Make REMOTE_PORT variable available in mod_rewrite.
+ PR 25772. [André Malo]</li>
+
+ <li>Fix a long delay with CGI requests and keepalive connections on
+ AIX. [Jeff Trawick]</li>
+
+ <li>mod_autoindex: Add 'XHTML' option in order to allow switching between
+ HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]</li>
+
+ <li>Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
+ [André Malo]</li>
+
+ <li>mod_ssl: Advertise SSL library version as determined at run-time rather
+ than at compile-time. PR 23956. [Eric Seidel <seidel apple.com>]</li>
+
+ <li>mod_ssl: Fix segfault on a non-SSL request if the 'c' log
+ format code is used. PR 22741. [Gary E. Miller <gem rellim.com>]</li>
+
+ <li>Fix build with parallel make. PR 24643. [Joe Orton]</li>
+
+ <li>mod_rewrite: In external rewrite maps lookup keys containing
+ a newline now cause a lookup failure. PR 14453.
+ [Cedric Gavage <cedric.gavage unixtech.be>, André Malo]</li>
+
+ <li>Backport major overhaul of mod_include's filter parser from 2.1.
+ The new parser code is expected to be more robust and should
+ catch all of the edge cases that were not handled by the previous one.
+ The 2.1 external API changes were hidden by a wrapper which is
+ expected to keep the API backwards compatible. [André Malo]</li>
+
+ <li>Add a hook (insert_error_filter) to allow filters to re-insert
+ themselves during processing of error responses. Enable mod_expires
+ to use the new hook to include Expires headers in valid error
+ responses. This addresses an RFC violation. It fixes PRs 19794,
+ 24884, and 25123. [Paul J. Reder]</li>
+
+ <li>Add Polish translation of error messages. PR 25101.
+ [Tomasz Kepczynski <tomek jot23.org>]</li>
+
+ <li>Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
+ supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes,
+ Bill Stoddard]</li>
+
+ <li>Add mod_status hook to allow modules to add to the mod_status
+ report. [Joe Orton]</li>
+
+ <li>Fix htdbm to generate comment fields in DBM files correctly.
+ [Justin Erenkrantz]</li>
+
+ <li>mod_dav: Use bucket brigades when reading PUT data. This avoids
+ problems if the data stream is modified by an input filter. PR 22104.
+ [Tim Robbins <tim robbins.dropbear.id.au>, André Malo]</li>
+
+ <li>Fix RewriteBase directive to not add double slashes. [André Malo]</li>
+
+ <li>Improve 'configure --help' output for some modules. [Astrid Ke�ler]</li>
+
+ <li>Correct UseCanonicalName Off to properly check incoming port number.
+ [Jim Jagielski]</li>
+
+ <li>Fix slow graceful restarts with prefork MPM. [Joe Orton]</li>
+
+ <li>Fix a problem with namespace mappings being dropped in mod_dav_fs;
+ if any property values were set which defined namespaces these
+ came out mangled in the PROPFIND response. PR 11637.
+ [Amit Athavale <amit_athavale persistent.co.in>]</li>
+
+ <li>mod_dav: Return a WWW-auth header for MOVE/COPY requests where
+ the destination resource gives a 401. PR 15571. [Joe Orton]</li>
+
+ <li>mod_autoindex / core: Don't fail to show filenames containing
+ special characters like '%'. PR 13598. [André Malo]</li>
+
+ <li>mod_status: Report total CPU time accurately when using a threaded
+ MPM. PR 23795. [Jeff Trawick]</li>
+
+ <li>Fix memory leak in handling of request bodies during reverse
+ proxy operations. PR 24991. [Larry Toppi <larry.toppi citrix.com>]</li>
+
+ <li>Win32 MPM: Implement MaxMemFree to enable setting an upper
+ limit on the amount of storage used by the bucket brigades
+ in each server thread. [Bill Stoddard]</li>
+
+ <li>Modified the cache code to be header-location agnostic. Also
+ fixed a number of other cache code bugs related to PR 15852.
+ Includes a patch submitted by Sushma Rai <rsushma novell.com>.
+ This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
+ closing the PR since that is what they are using. [Paul J. Reder]</li>
+
+ <li>complain via error_log when mod_include's INCLUDES filter is
+ enabled, but the relevant Options flag allowing the filter to run
+ for the specific resource wasn't set, so that the filter won't
+ silently get skipped. next remove itself, so the warning will be
+ logged only once [Stas Bekman, Jeff Trawick, Bill Rowe]</li>
+
+ <li>mod_info: HTML escape configuration information so it displays
+ correctly. PR 24232. [Thom May]</li>
+
+ <li>Restore the ability to add a description for directories that
+ don't contain an index file. (Broken in 2.0.48) [André Malo]</li>
+
+ <li>Fix a problem with the display of empty variables ("SetEnv foo") in
+ mod_include. PR 24734 [Markus Julen <mj zermatt.net>]</li>
+
+ <li>mod_log_config: Log the minutes component of the timezone correctly.
+ PR 23642. [Hong-Gunn Chew <hgbug gunnet.org>]</li>
+
+ <li>mod_proxy: Fix cases where an invalid status-line could be sent
+ to the client. PR 23998. [Joe Orton]</li>
+
+ <li>mod_ssl: Fix segfaults at startup if other modules which use OpenSSL
+ are also loaded. [Joe Orton]</li>
+
+ <li>mod_ssl: Use human-readable OpenSSL error strings in logs; use
+ thread-safe interface for retrieving error strings. [Joe Orton]</li>
+
+ <li>mod_expires: Initialize ExpiresDefault to NULL instead of "" to
+ avoid reporting an Internal Server error if it is used without
+ having been set in the httpd.conf file. PR: 23748, 24459
+ [Andre Malo, Liam Quinn <liam htmlhelp.com>]</li>
+
+ <li>mod_autoindex: Don't omit the <tr> start tag if the SuppressIcon
+ option is set. PR 21668. [Jesse Tie-Ten-Quee <highos highos.com>]</li>
+
+ <li>mod_include no longer allows an ETag header on 304 responses.
+ PR 19355. [Geoffrey Young <geoff apache.org>, André Malo]</li>
+
+ <li>EBCDIC: Convert header fields to ASCII before sending (broken
+ since 2.0.44). [Martin Kraemer]</li>
+
+ <li>Fix the inability to log errors like exec failure in
+ mod_ext_filter/mod_cgi script children. This was broken after
+ such children stopped inheriting the error log handle.
+ [Jeff Trawick]</li>
+
+ <li>Fix mod_info to use the real config file name, not the default
+ config file name. [Aryeh Katz <aryeh secured-services.com>]</li>
+
+ <li>Set the scoreboard state to indicate logging prior to running
+ logging hooks so that server-status will show 'L' for hung loggers
+ instead of 'W'. [Jeff Trawick]</li>
</ul>
-
+
</body>
</html>