Newer
Older
*) Fix bad globbing comparison which could result in getting
a directory listing when a file was requested. PR 34512.
[sean <infamous41md hotmail.com>]
*) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
was called even if mod_auth_ldap_check_user_id() was not
(or if it didn't succeed) for non-authoritative cases.
[Jim Jagielski]
*) SECURITY: CVE-2005-2728 (cve.mitre.org)
Fix cases where the byterange filter would buffer responses
into memory. PR 29962. [Joe Orton]
*) mod_proxy: Fix over-eager handling of '%' for reverse proxies.
PR 15207. [Jim Jagielski]
*) mod_ldap: Fix various shared memory cache handling bugs.
PR 34209. [Joe Orton]
*) Fix a file descriptor leak when starting piped loggers. PR 33748.
[Joe Orton]
*) mod_ldap: Avoid segfaults when opening connections if using a version
of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes]
*) mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe]
*) SECURITY: CVE-2005-2088 (cve.mitre.org)
core: If a request contains both Transfer-Encoding and Content-Length
headers, remove the Content-Length, mitigating some HTTP Request
Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
*) proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, mitigating some HTTP Response Splitting attacks.
[Jeff Trawick]
*) Prevent hangs of child processes when writing to piped loggers at
the time of graceful restart. PR 26467. [Jeff Trawick]
*) SECURITY: CVE-2005-1268 (cve.mitre.org)
mod_ssl: Fix off-by-one overflow whilst printing CRL information
at "LogLevel debug" which could be triggered if configured
to use a "malicious" CRL. PR 35081. [Marc Stern <mstern csc.com>]
*) mod_userdir: Fix possible memory corruption issue. PR 34588.
[David Leonard <dleonard vintela.com>]
*) worker mpm: don't take down the whole server for a transient
thread creation failure. PR 34514 [Greg Ames]
*) mod_rewrite: use buffered I/O to improve performance with large
RewriteMap txt: files. [Greg Ames]
*) proxy HTTP: Rework the handling of request bodies to handle
chunked input and input filters which modify content length, and
avoid spooling arbitrary-sized request bodies in memory.
PR 15859. [Jeff Trawick]
[Rüdiger Plüm <r.pluem t-online.de>]
*) mod_ldap: Added the directive LDAPConnectionTimeout to configure
the ldap socket connection timeout value.
[Brad Nicholes]
*) Correctly export all mod_dav public functions.
[Branko Čibej <brane xbc.nu>]
*) Add a build script to create a solaris package. [Graham Leggett]
*) worker MPM: Fix a problem which could cause httpd processes to
remain active after shutdown. [Jeff Trawick]
*) Unix MPMs: Shut down the server more quickly when child processes are
slow to exit. [Joe Orton, Jeff Trawick]
*) Remove formatting characters from ap_log_error() calls. These
were escaped as fallout from CVE-2003-0020.
*) mod_ssl: If SSLUsername is used, set r->user earlier. PR 31418.
[David Reid]
*) htdigest: Fix permissions of created files. PR 33765. [Joe Orton]
*) core_input_filter: Move buckets to a persistent brigade instead of
creating a new brigade. This stop a memory leak when proxying a
Streaming Media Server. PR 33382. [Paul Querna]
*) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid
hiccups from additional path information passed in non-utf-8 format.
[Richard Donkin <rd9 donkin.org]
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
*) Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
[Max Bowsher <maxb ukf.net>]
*) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170.
[Rici Lake <rici ricilake.net>]
*) mod_proxy: Respect errors reported by pre_connection hooks.
[Jeff Trawick]
*) --with-module can now take more than one module to be statically
linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
If the <modtype>-subdirectory doesn't exist it will be created and
populated with a standard Makefile.in. [Erik Abele]
*) Fix the RPM spec file so that an RPM build now works. An RPM
build now requires system installations of APR and APR-util.
Remove some arbitrary moving around of binaries - the RPM now
maps to the ASF build of httpd.
[Graham Leggett]
*) mod_dumpio, an I/O logging/dumping module, added to the
modules/expermimental subdirectory. [Jim Jagielski]
*) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
*) Win32 MPM: Correct typo in debugging output. [William Rowe]
*) conf: Remove AddDefaultCharset from the default configuration because
setting a site-wide default does more harm than good. PR 23421.
[Roy Fielding]
*) Add charset to example CGI scripts. [Roy Fielding]
*) mod_ssl: fail quickly if SSL connection is aborted rather than
making many doomed ap_pass_brigade calls. PR 32699. [Joe Orton]
*) Remove compiled-in upper limit on LimitRequestFieldSize.
[Bill Stoddard]
*) Start keeping track of time-taken-to-process-request again for
mod_status if ExtendedStatus is enabled. [Jim Jagielski]
*) mod_proxy: Handle client-aborted connections correctly. PR 32443.
[Janne Hietamäki, Joe Orton]
*) Fix handling of files >2Gb on all platforms (or builds) where
apr_off_t is larger than apr_size_t. PR 28898. [Joe Orton]
*) mod_include: Fix bug which could truncate variable expansions
of N*64 characters by one byte. PR 32985. [Joe Orton]
*) Correct handling of certain bucket types in ap_save_brigade, fixing
possible segfaults in mod_cgi with #include virtual. PR 31247.
[Joe Orton]
*) Allow for the use of --with-module=foo:bar where the ./modules/foo
directory is local only. Assumes, of course, that the required
files are in ./modules/foo, but makes it easier to statically
build/log "external" modules. [Jim Jagielski]
*) Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that
ldap authorization only modules have access to the util_ldap
user cache without having to require ldap authentication as well.
PR 31898. [Jari Ahonen jah progress.com, Brad Nicholes]
*) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
allows the module to only authorize a user if the attribute value
specified matches the value of the user object. PR 31913
[Ryan Morgan <rmorgan pobox.com>]
*) SECURITY: CVE-2004-0942 (cve.mitre.org)
Fix for memory consumption DoS in handling of MIME folded request
headers. [Joe Orton]
*) SECURITY: CVE-2004-0885 (cve.mitre.org)
mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
bypassed during an SSL renegotiation. PR 31505.
[Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]
*) mod_ssl: Fail at startup rather than segfault at runtime if a
client cert is configured with an encrypted private key.
PR 24030. [Joe Orton]
*) apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448
[Joe Orton]
*) mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d.
[Jeff Trawick]
*) mod_cache: CacheDisable will only disable the URLs it was meant to
disable, not all caching. PR 31128.
[Edward Rudd <eddie omegaware.com>, Paul Querna]
*) mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale
cache responses. [Justin Erenkrantz]
*) mod_rewrite: Handle per-location rules when r->filename is unset.
Previously this would segfault or simply not match as expected,
depending on the platform. [Jeff Trawick]
*) mod_rewrite: Fix 0 bytes write into random memory position.
PR 31036. [André Malo]
*) mod_disk_cache: Do not store aborted content. PR 21492.
[Rüdiger Plüm <r.pluem t-online.de>]
*) mod_disk_cache: Correctly store cached content type. PR 30278.
[Rüdiger Plüm <r.pluem t-online.de>]
*) mod_ldap: prevent the possiblity of an infinite loop in the LDAP
*) mod_ldap: fix a bogus error message to tell the user which file
is causing a potential problem with the LDAP shared memory cache.
PR 31431 [Graham Leggett]
*) SECURITY: CVE-2004-1834 (cve.mitre.org)
mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz]
*) Fix the re-linking issue when purging elements from the LDAP cache
*) mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz]
*) Fix Expires handling in mod_cache. [Justin Erenkrantz]
*) Alter mod_expires to run at a different filter priority to allow
proper Expires storage by mod_cache. [Justin Erenkrantz]
*) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo]
*) Fix the global mutex crash when the global mutex is never allocated
due to disabled/empty caches. [Jess Holle <jessh ptc.com>]
*) Fix a segfault in the LDAP cache when it is configured switched
off. [Jess Holle <jessh ptc.com>]
*) SECURITY: CVE-2004-0811 (cve.mitre.org)
Fix merging of the Satisfy directive, which was applied to
the surrounding context and could allow access despite configured
authentication. PR 31315. [Rici Lake <rici ricilake.net>]
*) Fix the handling of URIs containing %2F when AllowEncodedSlashes
is enabled. Previously, such urls would still be rejected.
[Jeff Trawick, Bill Stoddard]
*) mod_mem_cache: Fixed race condition causing segfault because of memory being
freed twice, or reused after being freed.
[J. Clar, W. Stoddard, G. Ames]
*) Add -l option to rotatelogs to let it use local time rather than
UTC. PR 24417. [Ken Coar, Uli Zappe <uli ritual.org>]
*) mod_log_config: Fix a bug which prevented request completion time
from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
processing. PR 29696. [Alois Treindl <alois astro.ch>]
*) SECURITY: CVE-2004-0786 (cve.mitre.org)
Fix an input validation issue in apr-util which could be
triggered by malformed IPv6 literal addresses. [Joe Orton]
*) SECURITY: CVE-2004-0747 (cve.mitre.org)
Fix buffer overflow in expansion of environment variables in
configuration file parsing. [André Malo]
*) SECURITY: CVE-2004-0809 (cve.mitre.org)
mod_dav_fs: Fix a segfault in the handling of an indirect lock
refresh. PR 31183. [Joe Orton]
in the core. This allows for careful usage of recursive SSI.
[André Malo]
*) Fix memory leak in the cache handling of mod_rewrite. PR 27862.
[chunyan sheng <shengperson yahoo.com>, André Malo]
*) Include directives no longer refuse to process symlinks on
directories. Instead there's now a maximum nesting level
of included directories (128 as distributed). This is configurable
at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch.
PR 28492. [André Malo]
*) Win32: apache -k start|restart|install|config can leave stranded
piped logger processes (eg, rotatelogs.exe) due to improper
server shutdown on these code paths.
[Bill Stoddard]
*) SECURITY: CVE-2004-0751 (cve.mitre.org)
mod_ssl: Fix a segfault in the SSL input filter which could be
triggered if using "speculative" mode, for instance by a
proxy request to an SSL server. PR 30134. [Joe Orton]
*) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.
PR 30464. [Joe Orton, Madhusudan Mathihalli]
*) mod_ssl: Add new 'ssl_is_https' optional function. [Joe Orton]
*) Prevent CGI script output which includes a Content-Range header
from being passed through the byterange filter. [Joe Orton]
container. PR 14726. [André Malo]
*) mod_rewrite now officially supports RewriteRules in <Proxy> sections.
PR 27985. [André Malo]
Bill Stoddard
committed
*) mod_disk_cache: Implement binary format for on-disk header files.
[Brian Akins <bakins web.turner.com>, Justin Erenkrantz]
*) mod_disk_cache: Optimize network performance of disk cache subsystem by
allowing zero-copy (sendfile) writes and other miscellaneous fixes.
[Justin Erenkrantz]
*) mod_cache, mod_disk_cache, mod_mem_cache: Refactor cache modules, and
switch to the provider API instead of hooks. [Justin Erenkrantz]
*) mod_autoindex: Don't truncate the directory listing if a stat()
call fails (for instance on a >2Gb file). PR 17357.
[Joe Orton]
*) Makefile fix: httpd is linked against LIBS given to the
'make' invocation. PR 7882. [Joe Orton]
*) WinNT MPM: Fix a broken log message at termination. PR 28063.
[Eider Oliveira <eider bol.com.br>]
*) Prevent Win32 pool corruption at startup [Allan Edwards]
*) mod_ssl: Add "SSLUserName" directive to set r->user based on a
chosen SSL environment variable. PR 20957.
[Martin v. Loewis <martin v.loewis.de>]
*) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs.
[Zvi Har'El <rl math.technion.ac.il>]
*) apachectl: Fix a problem finding envvars if sbindir != bindir.
PR 30723. [Friedrich Haubensak <hsk imb-jena.de>]
*) mod_ssl: Build on RHEL 3. PR 18989. [Justin Erenkrantz]
*) SECURITY: CVE-2004-0748 (cve.mitre.org)
mod_ssl: Fix a potential infinite loop. PR 29964. [Joe Orton]
*) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb.
PR 18989. [Joe Orton]
*) mod_userdir: Ensure that the userdir identity is used for
suexec userdir access in a virtual host which has suexec configured.
PR 18156. [Joshua Slive]
*) mod_rewrite no longer confuses the RewriteMap caches if
different maps defined in different virtual hosts use the
same map name. PR 26462. [André Malo]
never worked at all. PR 25725. [André Malo]
*) Backport from 2.1 / Regression from 1.3: mod_headers now knows
again the functionality of the ErrorHeader directive. But instead
using this misnomer additional flags to the Header directive were
introduced ("always" and "onsuccess", defaulting to the latter).
PR 28657. [André Malo]
*) Use the higher performing 'httpready' Accept Filter on all platforms
except FreeBSD < 4.1.1. [Paul Querna]
regexp. [André Malo]
matched value. [André Malo]
*) Recursive Include directives no longer crash. The server stops
including configuration files after a certain nesting level (128
as distributed). This is configurable at compile time using the
-DAP_MAX_INCLUDE_DEPTH switch. PR 28370. [André Malo]
*) mod_dir: the trailing-slash behaviour is now configurable using the
DirectorySlash directive. [André Malo]
*) Allow proxying of resources that are invoked via DirectoryIndex.
PR 14648, 15112, 29961. [André Malo]
*) util_ldap: Switched the lock types on the shared memory cache
from thread reader/writer locks to global mutexes in order to
provide cross process cache protection. [Brad Nicholes]
*) util_ldap: Reworked the cache locking scheme to eliminate duplicate
cache entries in the credentials cache due to race conditions.
[Brad Nicholes]
*) util_ldap: Enhanced the util_ldap cache-info display to show more
detail about the contents and current state of the cache.
[Brad Nicholes]
*) Enable the option to support anonymous shared memory in mod_ldap.
This makes the cache work on Linux again. [Graham Leggett]
*) Enable special ErrorDocument value 'default' which restores the
canned server response for the scope of the directive.
[Geoffrey Young, André Malo]
*) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
is set in r->subprocess_env allow mismatched query strings to pass.
PR 27758. [Paul Querna, Geoffrey Young]
*) Accept URLs for the ServerAdmin directive. If the supplied
argument is not recognized as an URL, assume it's a mail address.
PR 28174. [André Malo, Paul Querna]
*) initialize server arrays prior to calling ap_setup_prelinked_modules
so that static modules can push Defines values when registering
hooks just like DSO modules can ["Philippe M. Chiasson" <gozer cpan.org>]
*) Small fix to allow reverse proxying to an ftp server. Previously
an attempt to do this would try and connect to 0.0.0.0, regardless
of the server specified. PR 24922
[Pascal Terjan <pterjan@linuxfr.org>]
*) Add the NOTICE file to the rpm spec file in compliance with the
Apache v2.0 license. [Graham Leggett]
*) RPM spec file changes: changed default dependancy to link to db4
instead of db3. Fixed complaints about unpackaged files.
[Graham Leggett]
*) SECURITY: CVE-2004-0493 (cve.mitre.org)
Close a denial of service vulnerability identified by Georgi
Guninski which could lead to memory exhaustion with certain
input data. [Jeff Trawick]
*) mod_cgi: Handle output on stderr during script execution on Unix
platforms; preventing deadlock when stderr output fills pipe buffer.
Also fixes case where stderr from nph- scripts could be lost.
PR 22030, 18348. [Joe Orton, Jeff Trawick]
directives. [André Malo]
*) mod_rewrite no longer turns forward proxy requests into reverse proxy
requests. PR 28125 [ast domdv.de, André Malo]
*) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now
exported on Win32 and Netware as well (minor MMN bump). PR 28523.
[Edward Rudd <eddie omegaware.com>, André Malo]
*) Restore the ability to disable the use of AcceptEx on Win9x systems
automatically (broken in 2.0.49). PR 28529. [André Malo]
*) <VirtualHost myhost> now applies to all IP addresses for myhost
instead of just the first one reported by the resolver. This
corrects a regression since 1.3. [Jeff Trawick]
*) util_ldap: allow relative paths for LDAPTrustedCA to be resolved
against ServerRoot PR#26602 [Brad Nicholes]
*) SECURITY: CVE-2004-0488 (cve.mitre.org)
mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
(trusted) client certificate subject DN which exceeds 6K in length.
[Joe Orton]
*) mod_dav_fs: Fix MKCOL response for missing parent collections, which
caused issues for the Eclipse WebDAV extension.
PR 29034. [Joe Orton]
*) mod_deflate: Fix memory consumption (which was proportional to the
response size). PR 29318. [Joe Orton]
*) mod_ssl: Log the errors returned on failure to load or initialize
a crypto accelerator engine. [Joe Orton]
[Vincent Deffontaines <vincent gryzor.com>, André Malo]
[André Malo]
*) Fix a bunch of cases where the return code of the regex compiler
was not checked properly. This affects: mod_setenvif, mod_usertrack,
mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo]
*) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for
small cache sizes. PR 27751. [Geoff Thorpe <geoff geoffthorpe.net>]
*) Remove 2Gb log file size restriction on some 32-bit platforms.
PR 13511. [Joe Orton]
*) mod_logio no longer removes the EOS bucket. PR 27928.
[Bojan Smojver <bojan rexursive.com>]
*) htpasswd no longer refuses to process files that contain empty
lines. [André Malo]
*) Regression from 1.3: At startup, suexec now will be checked for
availability, the setuid bit and user root. The works only if
httpd is compiled with the shipped APR version (0.9.5).
PR 28287. [André Malo]
*) Unix MPMs: Stop dropping connections when the file descriptor
is at least FD_SETSIZE. [Jeff Trawick]
*) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick]
*) mod_isapi: send_response_header() failed to copy status string's
last character. PR 20619. [Jesse Pelton <jsp pkc.com>]
*) Fix a segfault when requests for shared memory fails and returns
NULL. Fix a segfault caused by a lack of bounds checking on the
*) Throw an error message if an attempt is made to use the LDAPTrustedCA
or LDAPTrustedCAType directives in a VirtualHost. PR 26390
[Brad Nicholes]
*) Fix a potential segfault if the bind password in the LDAP cache
*) Quotes cannot be used around require group and require dn
directives, update the documentation to reflect this. Also add
quotes around the dn and group within debug messages, to make it
more obvious why authentication is failing if quotes are used in
*) The Microsoft LDAP SDK escapes filters for us, stop util_ldap
from escaping filters twice when the backslash character is used.
*) Overhaul handling of LDAP error conditions, so that the util_ldap_*
functions leave the connections in a sane state after errors have
occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134,
27271 [Graham Leggett]
*) mod_ldap calls ldap_simple_bind_s() to validate the user
credentials. If the bind fails, the connection is left
in an unbound state. Make sure that the ldap connection
record is updated to show that the connection is no longer
bound. [Brad Nicholes]
*) Ensure that lines in the request which are too long are
properly terminated before logging.
[Tsurutani Naoki <turutani scphys.kyoto-u.ac.jp>]
*) Update the bind credentials for the cached LDAP connection to
reflect the last bind. This prevents util_ldap from creating
unnecessary connections rather than reusing cached connections.
[Brad Nicholes]
*) mod_isapi: GetServerVariable returned improperly terminated header
fields given "ALL_HTTP" or "ALL_RAW". PR 20656.
[Jesse Pelton <jsp pkc.com>]
*) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer
size. PR 20617. [Jesse Pelton <jsp pkc.com>]
*) mod_dav: Fix a problem that could cause crashes when manipulating
locks on some platforms. [Jeff Trawick]
be added. [André Malo]
circumstances. PR 28047. [André Malo]
*) htpasswd: use apr_temp_dir_get() and general cleanup
[Guenter Knauf <eflash gmx.net>, Thom May]
*) mod_ssl: Fix memory leak in session cache handling. PR 26562
[Madhusudan Mathihalli]
*) mod_ssl: Fix potential segfaults when performing SSL shutdown from
a pool cleanup. PR 27945. [Joe Orton]
*) Add forensic logging module (mod_log_forensic).
[Ben Laurie]
*) logresolve: Allow size of log line buffer to be overridden at
build time (MAXLINE). PR 27793. [Jeff Trawick]
*) Fix the comment delimiter in htdbm so that it correctly parses the
username comment. Also add a terminate function to allow NetWare
to pause the output before the screen is destroyed.
[Guenter Knauf <eflash gmx.net>, Brad Nicholes]
*) Fix crash when Apache was started with no Listen directives.
[Michael Corcoran <mcorcoran warpsolutions.com>]
*) core_output_filter: Fix bug that could result in sending
garbage over the network when module handlers construct
bucket brigades containing multiple file buckets all referencing
the same open file descriptor. [Bojan Smojver]
*) Fix memory corruption problem with ap_custom_response() function.
The core per-dir config would later point to request pool data
that would be reused for different purposes on different requests.
[Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]
*) Win32: Tweak worker thread accounting routines to eliminate
server hang when number of Listen directives in httpd.conf
is greater than or equal to the setting of ThreadsPerChild.
[Bill Stoddard]
*) SECURITY: CVE-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived
connection on a rarely-accessed listening socket will cause a
child to hold the accept mutex and block out new connections until
another connection arrives on that rarely-accessed listening socket.
With Apache 2.x there is no performance concern about enabling the
logic for platforms which don't need it, so it is enabled everywhere
except for Win32. [Jeff Trawick]
*) mod_cgid: Fix storage corruption caused by use of incorrect pool.
[Jeff Trawick]
*) Win32: find_read_listeners was not correctly handling multiple
listeners on the Win32DisableAcceptEx path. [Bill Stoddard]
*) Fix bug in mod_usertrack when no CookieName is set. PR 24483.
[Manni Wood <manniwood planet-save.com>]
*) Fix some piped log problems: bogus "piped log program '(null)'
failed" messages during restart and problem with the logger
respawning again after Apache is stopped. PR 21648, PR 24805.
[Jeff Trawick]
*) Fixed file extensions for real media files and removed rpm extension
from mime.types. PR 26079. [Allan Sandfeld <kde carewolf.com>]
*) Remove compile-time length limit on request strings. Length is
now enforced solely with the LimitRequestLine config directive.
[Paul J. Reder]
*) mod_ssl: Send the Close Alert message to the peer before closing
the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]
*) SECURITY: CVE-2004-0113 (cve.mitre.org)
mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
PR 27106. [Joe Orton]
*) mod_ssl: Fix bug in passphrase handling which could cause spurious
failures in SSL functions later. PR 21160. [Joe Orton]
*) mod_log_config: Fix corruption of buffered logs with threaded
MPMs. PR 25520. [Jeff Trawick]
*) Fix mod_include's expression parser to recognize strings correctly
even if they start with an escaped token. [André Malo]
*) Add fatal exception hook for use by diagnostic modules. The hook
is only available if the --enable-exception-hook configure parm
is used and the EnableExceptionHook directive has been set to
"on". [Jeff Trawick]
*) Allow mod_auth_digest to work with sub-requests with different
methods than the original request. PR 25040.
[Josh Dady <jpd indecisive.com>]
*) fix "Expected </Foo>> but saw </Foo>" errors in nested,
argumentless containers.
["Philippe M. Chiasson" <gozer cpan.org>]
*) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
[Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]
*) mod_cgid: Restart the cgid daemon if it crashes. PR 19849
[Glenn Nielsen <glenn apache.org>]
*) The whole codebase was relicensed and is now available under
the Apache License, Version 2.0 (http://www.apache.org/licenses).
[Apache Software Foundation]
*) Fixed cache-removal order in mod_mem_cache.
[Jean-Jacques Clar, Cliff Woolley]
*) mod_setenvif: Fix the regex optimizer, which under circumstances
treated the supplied regex as literal string. PR 24219.
[André Malo]
instead of mmn. [André Malo]
*) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
could lead to a 400 (Bad Request) response. [André Malo]
*) Keep focus of ITERATE and ITERATE2 on the current module when
the module chooses to return DECLINE_CMD for the directive.
PR 22299. [Geoffrey Young <geoff apache.org>]
*) Add support for IMT minor-type wildcards (e.g., text/*) to
ExpiresByType. PR#7991 [Ken Coar]
*) Fix segfault in mod_mem_cache cache_insert() due to cache size
becoming negative. PR: 21285, 21287
[Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
*) core.c: If large file support is enabled, allow any file that is
greater than AP_MAX_SENDFILE to be split into multiple buckets.
This allows Apache to send files that are greater than 2gig.
Otherwise we run into 32/64 bit type mismatches in the file size.
[Brad Nicholes]
*) proxy_http fix: mod_proxy hangs when both KeepAlive and
ProxyErrorOverride are enabled, and a non-200 response without a
body is generated by the backend server. (e.g.: a client makes a
request containing the "If-Modified-Since" and "If-None-Match"
headers, to which the backend server respond with status 304.)
[Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]
*) mod_dav: Reject requests which include an unescaped fragment in the
Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
*) Build array of allowed methods with proper dimensions, fixing
possible memory corruption. [Jeff Trawick]
*) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
PR 15057. [Otmar Lendl <lendl nic.at>]
*) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
[Joe Orton]
*) mod_usertrack no longer inspects the Cookie2 header for
the cookie name. PR 11475. [Chris Darrochi <chrisd pearsoncmg.com>]
*) mod_usertrack no longer overwrites other cookies.
PR 26002. [Scott Moore <apache nopdesign.com>]
*) worker MPM: fix stack overlay bug that could cause the parent
process to crash. [Jeff Trawick]
*) Win32: Add Win32DisableAcceptEx directive. This Windows
NT/2000/CP directive is useful to work around bugs in some
third party layered service providers like virus scanners,
VPN and firewall products, that do not properly handle
WinSock 2 APIs. Use this directive if your server is issuing
AcceptEx failed messages.
[Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]
PR 25772. [André Malo]
*) Fix a long delay with CGI requests and keepalive connections on
AIX. [Jeff Trawick]
*) mod_autoindex: Add 'XHTML' option in order to allow switching between
HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]
*) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
[André Malo]
*) mod_ssl: Advertise SSL library version as determined at run-time rather
than at compile-time. PR 23956. [Eric Seidel <seidel apple.com>]
*) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
format code is used. PR 22741. [Gary E. Miller <gem rellim.com>]
*) Fix build with parallel make. PR 24643. [Joe Orton]
*) mod_rewrite: In external rewrite maps lookup keys containing
a newline now cause a lookup failure. PR 14453.
[Cedric Gavage <cedric.gavage unixtech.be>, André Malo]
*) Backport major overhaul of mod_include's filter parser from 2.1.
The new parser code is expected to be more robust and should
catch all of the edge cases that were not handled by the previous one.
The 2.1 external API changes were hidden by a wrapper which is
expected to keep the API backwards compatible. [André Malo]
*) Add a hook (insert_error_filter) to allow filters to re-insert
themselves during processing of error responses. Enable mod_expires
to use the new hook to include Expires headers in valid error
responses. This addresses an RFC violation. It fixes PRs 19794,
24884, and 25123. [Paul J. Reder]
*) Add Polish translation of error messages. PR 25101.
[Tomasz Kepczynski <tomek jot23.org>]
*) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes,
Bill Stoddard]
*) Add mod_status hook to allow modules to add to the mod_status
report. [Joe Orton]
*) Fix htdbm to generate comment fields in DBM files correctly.
[Justin Erenkrantz]
*) mod_dav: Use bucket brigades when reading PUT data. This avoids
problems if the data stream is modified by an input filter. PR 22104.
[Tim Robbins <tim robbins.dropbear.id.au>, André Malo]
*) Fix RewriteBase directive to not add double slashes. [André Malo]
*) Improve 'configure --help' output for some modules. [Astrid Keßler]
*) Correct UseCanonicalName Off to properly check incoming port number.
[Jim Jagielski]
*) Fix slow graceful restarts with prefork MPM. [Joe Orton]
*) Fix a problem with namespace mappings being dropped in mod_dav_fs;
if any property values were set which defined namespaces these
came out mangled in the PROPFIND response. PR 11637.
[Amit Athavale <amit_athavale persistent.co.in>]
*) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
the destination resource gives a 401. PR 15571. [Joe Orton]
*) SECURITY: CVE-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog. Unescaped
errorlogs are still possible using the compile time switch
"-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]
*) mod_autoindex / core: Don't fail to show filenames containing
special characters like '%'. PR 13598. [André Malo]
*) mod_status: Report total CPU time accurately when using a threaded
MPM. PR 23795. [Jeff Trawick]
*) Fix memory leak in handling of request bodies during reverse
proxy operations. PR 24991. [Larry Toppi <larry.toppi citrix.com>]
*) Win32 MPM: Implement MaxMemFree to enable setting an upper
limit on the amount of storage used by the bucket brigades
in each server thread. [Bill Stoddard]
*) Modified the cache code to be header-location agnostic. Also
fixed a number of other cache code bugs related to PR 15852.
Includes a patch submitted by Sushma Rai <rsushma novell.com>.
This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
closing the PR since that is what they are using. [Paul J. Reder]
*) complain via error_log when mod_include's INCLUDES filter is
enabled, but the relevant Options flag allowing the filter to run
for the specific resource wasn't set, so that the filter won't
silently get skipped. next remove itself, so the warning will be
logged only once [Stas Bekman, Jeff Trawick, Bill Rowe]
*) mod_info: HTML escape configuration information so it displays
correctly. PR 24232. [Thom May]
*) Restore the ability to add a description for directories that
don't contain an index file. (Broken in 2.0.48) [André Malo]
*) Fix a problem with the display of empty variables ("SetEnv foo") in
mod_include. PR 24734 [Markus Julen <mj zermatt.net>]
*) mod_log_config: Log the minutes component of the timezone correctly.
PR 23642. [Hong-Gunn Chew <hgbug gunnet.org>]
*) mod_proxy: Fix cases where an invalid status-line could be sent
to the client. PR 23998. [Joe Orton]
*) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL
are also loaded. [Joe Orton]
*) mod_ssl: Use human-readable OpenSSL error strings in logs; use
thread-safe interface for retrieving error strings. [Joe Orton]
*) mod_expires: Initialize ExpiresDefault to NULL instead of "" to
avoid reporting an Internal Server error if it is used without
having been set in the httpd.conf file. PR: 23748, 24459
[André Malo, Liam Quinn <liam htmlhelp.com>]
*) mod_autoindex: Don't omit the <tr> start tag if the SuppressIcon
option is set. PR 21668. [Jesse Tie-Ten-Quee <highos highos.com>]
*) mod_include no longer allows an ETag header on 304 responses.
PR 19355. [Geoffrey Young <geoff apache.org>, André Malo]
*) EBCDIC: Convert header fields to ASCII before sending (broken
since 2.0.44). [Martin Kraemer]
*) Fix the inability to log errors like exec failure in
mod_ext_filter/mod_cgi script children. This was broken after
such children stopped inheriting the error log handle.
[Jeff Trawick]
*) Fix mod_info to use the real config file name, not the default
*) Set the scoreboard state to indicate logging prior to running
logging hooks so that server-status will show 'L' for hung loggers
instead of 'W'. [Jeff Trawick]
Changes with Apache 2.0.48
*) SECURITY: CVE-2003-0789 (cve.mitre.org)
mod_cgid: Resolve some mishandling of the AF_UNIX socket used to
communicate with the cgid daemon and the CGI script.
[Jeff Trawick]
*) SECURITY: CVE-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred
if one configured a regular expression with more than 9 captures.
[André Malo]
*) mod_include: fix segfault which occured if the filename was not
set, for example, when processing some error conditions.
PR 23836. [Brian Akins <bakins web.turner.com>, André Malo]
*) fix the config parser to support <Foo>..</Foo> containers (no
arguments in the opening tag) supported by httpd 1.3. Without
this change mod_perl 2.0's <Perl> sections are broken.
*) mod_cgid: fix a hash table corruption problem which could
result in the wrong script being cleaned up at the end of a
request. [Jeff Trawick]
*) Update httpd-*.conf to be clearer in describing the connection
between AddType and AddEncoding for defining the meaning of
compressed file extensions. [Roy Fielding]
*) mod_rewrite: Don't die silently when failing to open RewriteLogs.
PR 23416. [André Malo]
rewritten request using "proxy:". The code was adding multiple "proxy:"
fields in the rewritten URI. PR: 13946.
*) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
expires as directed in RFC 2616. [Thomas Castelle <tcastelle generali.fr>]
*) Ensure that ssl-std.conf is generated at configure time, and switch
to using the expanded config variables to work the same as
*) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
*) mod_autoindex: If a directory contains a file listed in the
DirectoryIndex directive, the folder icon is no longer replaced
by the icon of that file. PR 9587.
*) Fixed mod_usertrack to not get false positive matches on the
user-tracking cookie's name. PR 16661.
*) mod_cache: Fix the cache code so that responses can be cached
if they have an Expires header but no Etag or Last-Modified
headers. PR 23130.
*) mod_log_config: Fix %b log format to write really "-" when 0 bytes
were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]
*) Modify ap_get_client_block() to note if it has seen EOS.
[Justin Erenkrantz]
*) Fix a bug, where mod_deflate sometimes unconditionally compressed the
content if the Accept-Encoding header contained only other tokens than
"gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
*) Avoid an infinite recursion, which occured if the name of an included
config file or directory contained a wildcard character. PR 22194.
[André Malo]
*) mod_ssl: Fix a problem setting variables that represent the
client certificate chain. PR 21371 [Jeff Trawick]
*) Unix: Handle permissions settings for flock-based mutexes in
unixd_set_global|proc_mutex_perms(). Allow the functions to be
called for any type of mutex. PR 20312 [Jeff Trawick]
*) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
*) Fix a misleading message from the some of the threaded MPMs when
MaxClients has to be lowered due to the setting of ServerLimit.
[Jeff Trawick]
*) Lower the severity of the "listener thread didn't exit" message
to debug, as it is of interest only to developers. PR 9011
[Jeff Trawick]
*) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
[Cliff Woolley, Jean-Jacques Clar]
*) Install config.nice into the build/ directory to make
minor version upgrades easier. [Joshua Slive]
*) Fix mod_deflate so that it does not call deflate() without checking
first whether it has something to deflate. (Currently this causes
deflate to generate a fatal error according to the zlib spec.)
PR 22259. [Stas Bekman]
*) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an
identity spoof is encountered.
[Sander Striker]
*) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
containing the .htaccess file is requested without a trailing slash.