Skip to content
CHANGES 639 KiB
Newer Older
     be started on Unix because of such problems as bad permissions,
     bad shebang line, etc.  [Jeff Trawick]

  *) Fix 64-bit problem in mod_ssl input logic.  
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Madhusudan Mathihalli <madhusudan_mathihalli hp.com>]
  *) Fix potential memory leaks in mod_deflate on malformed data.  PR 16046.
     [Justin Erenkrantz]

  *) Rewrite ap_xml_parse_input to use bucket brigades.  PR 16134.
     [Justin Erenkrantz]

Andre Malo's avatar
Andre Malo committed
  *) Fix segfault which occurred when a section in an included
     configuration file was not closed. PR 17093.  [André Malo]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Enhance the behavior of mod_isapi's WriteClient() callback to
     provide better emulation for isapi modules that presume that the
     first WriteClient() call may send status and headers.  An example
     of WriteClient() abuse is the foxisapi module, which relies on
     that assumpion and now works.  [William Rowe, Milan Kosina]

  *) Check the return value of ap_run_pre_connection(). So if the
     pre_connection phase fails (without setting c->aborted)
     ap_run_process_connection is not executed. [Stas Bekman]

  *) Fixed a problem with mod_ldap which caused it to fault when caching
     was disabled.  Needed to make sure that the code did not
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     attempt to use the cache if it didn't exist. Also fixed some memory
     leaks which were due to not releasing LDAP resources on error
     conditions.  [Brad Nicholes]
  *) Hook mod_proxy's fixup before mod_rewrite's fixup, so that by
     mod_rewrite proxied URLs will not be escaped accidentally by
     mod_proxy's fixup. PR 16368  [André Malo]

  *) While processing filters on internal redirects, remember seen EOS
     buckets also in the request structure of the redirect issuer(s). This
     prevents filters (such as mod_deflate) from adding garbage to the
     response. PR 14451.  [André Malo]

  *) suexec: Be more pedantic when cleaning environment. Clean it
     immediately after startup. PR 2790, 10449.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Jeff Stewart <jws purdue.edu>, André Malo]

  *) Fix apxs to insert LoadModule directives only outside of sections.
     PR 8712, 9012.  [André Malo]

  *) Fix suexec compile error under SUNOS4, where strerror() doesn't
     exist. PR 5913, 9977.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Jonathan W Miner <Jonathan.W.Miner lmco.com>]
  *) Fix If header parsing when a non-mod_dav lock token is passed to it.
     PR 16452.  [Justin Erenkrantz]

  *) mod_auth_digest no longer tries to guess AuthDigestDomain, if it's
     not specified. Now it assumes "/" as already documented. PR 16937.
     [André Malo]

  *) Try to log an error if a piped log program fails.  Try to
     restart a piped log program in more failure situations.  Fix an
     existing problem with error handling in piped_log_spawn().  Use
     new APR apr_proc_create() features to prevent Apache from starting
     on Unix* in most cases where a piped log program can be started,
     and add log messages for the other situations.  *Other platforms
     already failed Apache initialization if a piped log program
     couldn't be started.  PR 15761  [Jeff Trawick]

  *) Fix mod_cern_meta to not create empty metafiles when the
     metafile searched for does not exist.  PR 12353
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Owen Rees <owen_rees hp.com>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Introduce debugging symbols for Win32 release builds, both .pdb 
     and .dbg files (older debuggers and Dr. Watson-type utilities 
     on WinNT or Win9x don't support the newer .pdb flavor.)
     [Allen Edwards, William Rowe]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
 
Andre Malo's avatar
Andre Malo committed
  *) Fix bug where 'Satisfy Any' without an AuthType lost all MIME
     information (and more). Related to PR 9076.  [André Malo]

  *) mod_file_cache: fix segfault serving mmaped cached files.
     [Bill Stoddard]

  *) mod_file_cache: fixed a segfault when multiple MMapFile directives
     were used.  PR 16313.  [Cliff Woolley]
  *) Fix a nasty segfault in mmap_bucket_setaside() caused by passing
     an incompatible pointer type to mmap_bucket_destroy(void*).
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Gerard Eviston <geviston bigpond.net.au>]
  *) Enable the -n name parameter on NetWare to allow the
     administrator to rename the Apache console screen
     [Brad Nicholes]
     
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fixed piped access logs on Win32 by disabling OTHER_CHILD
     support by default in APR.  More development is required
     to deploy OTHER_CHILD on Win32.  [William Rowe]

  *) Use saner default config values for suexec. PR 15713.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Thom May <thom planetarytramp.net>]
Andre Malo's avatar
Andre Malo committed
  *) mod_rewrite: Allow "RewriteEngine Off" even if no "Options FollowSymlinks"
     (or SymlinksIfOwnermatch) is set. PR 12395.  [André Malo]

  *) apxs: Include any special APR ld flags when linking the DSO.
     This resolves problems on AIX when building a DSO with apxs+gcc.
     [Jeff Trawick]

  *) Added character set support to mod_auth_LDAP to allow it to 
     convert extended characters used in the user ID to UTF-8 
     before authenticating against the LDAP directory. The new
     directive AuthLDAPCharsetConfig is used to specify the config
     file that contains the character set conversion table.
     [Brad Nicholes]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) Don't remove the Content-Length from responses in mod_proxy
     PR: 8677 [Brian Pane]

  *) Ensure LDAP version is set to v3 on every bind. PR 14235.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Sergey A. Lipnevich <sergeyli pisem.net>]
  *) Fix mod_ldap to open an existing shared memory file should one
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     already exist. PR 12757. [Scooter Morris <scooter gene.com>,
  *) Fix the ulimit command used by apachectl on Tru64.  PR 13609.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Joseph Senulis <Joseph.Senulis dnr.state.wi.us>, Jeff Trawick]

  *) Change the ulimit command used by apachectl on AIX so that it
     works in all locales.  [Jeff Trawick]

  *) mod_ext_filter: Fix a problem building argument lists which 
     occasionally caused exec to fail.  PR 15491.  [Jeff Trawick]

Changes with Apache 2.0.44

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mod_autoindex: Bring forward the IndexOptions IgnoreCase option
     from Apache 1.3.  PR 14276
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [David Shane Holden <dpejesh yahoo.com>, William Rowe]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_mime: Workaround to prevent a segfault if r->filename=NULL
     [Brian Pane]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
 
  *) Reorder the definitions for mod_ldap and mod_auth_ldap within
     config.m4 to make sure the parent mod_ldap is defined first.
     This ensures that mod_ldap comes before mod_auth_ldap in the
     httpd.conf file, which is necessary for mod_auth_ldap to load.
     PR 14256  [Graham Leggett]

  *) Fix the building of cgi command lines when the query string
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     contains '='.  PR 13914  [Ville Skyttä <ville.skytta iki.fi>,
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move
     implementation of MCacheMaxStreamingBuffer from mod_cache to
     mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the
     lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should 
     eliminate the need for explicitly coding MCacheMaxStreamingBuffer
     in most configurations. [Bill Stoddard]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) mod_cache: Fix PR 15113, a core dump in cache_in_filter when
     a redirect occurs. The code was passing a format string and
     integer to apr_pstrcat. Changed to apr_psprintf.
     [Paul J. Reder]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL
     as set by apr-util in util_ldap.c. This should allow mod_ldap
     to work with the Netscape/Mozilla LDAP library. [Øyvin Sømme
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     <somme oslo.westerngeco.slb.com>, Graham Leggett]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) Fix critical bug in new --enable-v4-mapped configure option
     implementation which broke IPv4 listening sockets on some
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     systems.  [hiroyuki hanai <hanai imgsrc.co.jp>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_setenvif: Fix BrowserMatchNoCase support for non-regex
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     patterns [André Malo <nd perlig.de>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Add version string to provider API.  [Justin Erenkrantz]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) build: './configure && make' now works without an in-tree
     apr and apr-util. [Wilfredo Sanchez]

  *) mod_negotiation: Set the appropriate mime response headers
     (Content-Type, charset, Content-Language and Content-Encoding)
     for negotated type-map "Body:" responses (such as the error
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     pages.)  [André Malo <nd perlig.de>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_log_config: Allow '%%' escaping in CustomLog format
     strings to insert a literal, single '%'.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [André Malo <nd perlig.de>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_autoindex: AddDescription directives for directories
     now work as in Apache 1.3, where no trailing '/' is
     specified on the directory name.  Previously, the trailing
     '/' *had* to be specified, which was incompatible with
     Apache 1.3.  PR 7990  [Jeff Trawick]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Fix for PR 14556. The expiry calculations in mod_cache were
     trying to perform "now + ((date - lastmod) * factor)" where
     date == lastmod resulting in "now + 0". The code now follows
     the else path (using the default expiration) if date is
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     equal to lastmod. [Sergey <rx armstrike.com>, Paul J. Reder]
Paul J. Reder's avatar
 
Paul J. Reder committed

  *) Use AP_DECLARE in the debug versions of ap_strXXX in case the
     default calling convention is not the same as the one used by
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     AP_DECLARE.  [Juan Rivera <Juan.Rivera citrix.com>]
  *) mod_cache: Don't cache response header fields designated
     as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1).
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Estrade Matthieu <estrade-m ifrance.com>, Brian Pane]
  *) mod_cgid: Handle environment variables containing newlines.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 14550  [Piotr Czejkowski <apache czarny.eu.org>, Jeff
  *) Move mod_ext_filter out of experimental and into filters.
     [Jeff Trawick]

  *) Fixed a memory leak in mod_deflate with dynamic content.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 14321  [Ken Franken <kfranken decisionmark.com>]
  *) Add --[enable|disable]-v4-mapped configure option to control
     whether or not Apache expects to handle IPv4 connections
     on IPv6 listening sockets.  Either setting will work on 
     systems with the IPV6_V6ONLY socket option.  --enable-v4-mapped
     must be used on systems that always allow IPv4 connections on
     IPv6 listening sockets.  PR 14037 (Bugzilla), PR 7492 (Gnats)
     [Jeff Trawick]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) This fixes a problem where the underlying cache code
     indicated that there was one more element on the cache
     than there actually was. This happened since element 0
     exists but is not used. This code allocates the correct
     number of useable elements and reports the number of
     actually used elements. The previous code only allowed
     MCacheMaxObjectCount-1 objects to be stored in the
     cache. [Paul J. Reder]

  *) mod_setenvif: Add SERVER_ADDR special keyword to allow
     envariable setting according to the server IP address
     which received the request.  [Ken Coar]

  *) mod_cgid: Terminate CGI scripts when the client connection 
     drops.  PR 8388  [Jeff Trawick]

  *) Rearrange OpenSSL engine initialization to support RAND 
     redirection on crypto accelerator. 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Frederic DONNAT <frederic.donnat zencod.com>]
  *) Always emit Vary header if mod_deflate is involved in the
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     request.  [Andre Malo <nd perlig.de>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mod_isapi: Stop unsetting the 'empty' query string result with
     a NULL argument in ecb->lpszQueryString, eliminating segfaults
     for some ISAPI modules.  PR 14399
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Detlev Vendt <detlev.vendt brillit.de>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION
     notification is received before the HttpExtensionProc() returns 
     HSE_STATUS_PENDING.  This only affected isapi .dll's configured 
     with the ISAPIFakeAsync on directive.  PR 11918
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [John DeSetto <jdesetto radiantsystems.com>, William Rowe]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_isapi: Fix the issue where all results from mod_isapi would
     run through the core die handler resulting in invalid responses
     or access log entries.  PR 10216 [William Rowe]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Improves the user friendliness of the CacheRoot processing
     over my last pass. This version avoids the pool allocations
     but doesn't avoid all of the runtime checks. It no longer
     terminates during post-config processing. An error is logged
     once per worker, indicating that the CacheRoot needs to be set.
     [Paul J. Reder]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix a bug where we keep files open until the end of a 
     keepalive connection, which can result in:
     (24)Too many open files: file permissions deny server access
     especially on threaded servers.  [Greg Ames, Jeff Trawick]

  *) Fix a bug in which mod_proxy sent an invalid Content-Length
     when a proxied URL was invoked as a server-side include within
     a page generated in response to a form POST.  [Brian Pane]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Added code to process min and max file size directives and to
     init the expirychk flag in mod_disk_cache. Added a clarifying
     comment to cache_util.   [Paul J. Reder]

  *) The value emitted by ServerSignature now mimics the Server HTTP
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     header as controlled by ServerTokens.  [Francis Daly <deva daoine.org>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Gracefully handly retry situations in the SSL input filter,
     by following the SSL libraries' retry semantics.
     [William Rowe]

  *) Terminate CGI scripts when the client connection drops.  This
     fix only applies to some normal paths in mod_cgi.  mod_cgid
     is still busted.  PR 8388  [Jeff Trawick]

  *) Fix a bug where 416 "Range not satisfiable" was being
     returned for content that should have been redirected.
     [Greg Ames]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix memory leak in mod_ssl from internal SSL library allocations
     within SSL_get_peer_certificate and X509_get_pubkey.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Zvi Har'El <rl math.technion.ac.il>
      Madhusudan Mathihalli <madhusudan_mathihalli hp.com>].
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_ssl uses free() inappropriately in several places, to free
     memory which has been previously allocated inside OpenSSL.
     Such memory should be freed with OPENSSL_free(), not with free().
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Nadav Har'El <nyh math.technion.ac.il>,
      Madhusudan Mathihalli <madhusudan_mathihalli hp.com>].
  *) Emit a message to the error log when we return 404 because
     the URI contained '%2f'.  (This was previously nastily silent
     and difficult to debug.)  [Ken Coar]

  *) Fix streaming output from an nph- CGI script.  CGI:IRC now
     works.  PR 8482  [Jeff Trawick]

  *) More accurate logging of bytes sent in mod_logio when
     the client terminates the connection before the response
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     is completely sent  [Bojan Smojver <bojan rexursive.com>]
  *) Fix some problems in the perchild MPM.  
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Jonas Eriksson <jonas webkonsulterna.com>]
Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Change the CacheRoot processing to check for a required
     value at config time. This saves a lot of wasted processing
     if the mod_disk_cache module is loaded but no CacheRoot
     was provided. This fix also adds code to log an error
     and avoid useless pallocs and procesing when the computed
     cache file name cannot be opened. This also updates the
     docs accordingly.  [Paul J. Reder]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Introduce the EnableSendfile directive, allowing users of NFS 
     shares to disable sendfile mechanics when they either fail
     outright or provide intermitantly corrupted data.  PR 
     [William Rowe]

  *) Resolve the error "An operation was attempted on something 
     that is not a socket.  : winnt_accept: AcceptEx failed. 
     Attempting to recover." for users of various firewall and
     anti-virus software on Windows.  PR 8325  [William Rowe]

  *) Add the ProxyBadHeader directive, which gives the admin some
     control on how mod_proxy should handle bogus HTTP headers from
     proxied servers. This allows 2.0 to "emulate" 1.3's behavior if
     desired. [Jim Jagielski]

  *) Change the LDAP modules to export their symbols correctly
     during a Windows build. Add dsp files for Windows. Update
     README.ldap file for Windows build instructions.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Andre Schild <A.Schild aarboard.ch>]
  *) Performance improvements for the code that generates HTTP
     response headers  [Brian Pane]

  *) Add -S as a synonym for -t -DDUMP_VHOSTS.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Thom May <thom planetarytramp.net>]
  *) Fix a bug with dbm rewrite maps which caused the wrong value to
     be used when the key was not found in the dbm.  PR 13204
     [Jeff Trawick]

  *) Fix a problem with streaming script output and mod_cgid.
     [Jeff Trawick]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Add ap_register_provider/ap_lookup_provider API.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [John K. Sterling <john sterls.com>, Justin Erenkrantz]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

Changes with Apache 2.0.43

Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CVE-2002-0840 (cve.mitre.org)
     HTML-escape the address produced by ap_server_signature() against
     this cross-site scripting vulnerability exposed by the directive
     'UseCanonicalName Off'.  Also HTML-escape the SERVER_NAME
     environment variable for CGI and SSI requests.  It's safe to
     escape as only the '<', '>', and '&' characters are affected,
     which won't appear in a valid hostname.  Reported by Matthew
     Murphy <mattmurphy kc.rr.com>.  [Brian Pane]
Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Fix a core dump in mod_cache when it attemtped to store uncopyable
     buckets. This happened, for instance, when a file to be cached
     contained SSI tags to execute a CGI script (passed as a pipe
     bucket). [Paul J. Reder]

  *) Ensure that output already available is flushed to the network
     when the content-length filter realizes that no new output will
     be available for a while.  This helps some streaming CGIs as
     well as some other dynamically-generated content.  [Jeff Trawick]

  *) Fix a mutex problem in mod_ssl session cache support which
     could lead to an infinite loop.  PR 12705  
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Amund Elstad <amund.elstad ergo.no>, Jeff Trawick]
Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CVE-2002-1156 (cve.mitre.org)
     Fix the exposure of CGI source when a POST request is sent to 
     a location where both DAV and CGI are enabled. [Ryan Bloom]
  *) Allow the UserDir directive to accept a list of directories.
     This matches what Apache 1.3 does.  Also add documentation for
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     this feature. [Jay Ball <jay veggiespam.com>]
Ian Holsman's avatar
Ian Holsman committed
  *) New Module: mod_logio. adds the ability to log bytes sent and
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     received. [Bojan Smojver <bojan rexursive.com>]
  *) SuExec needs to use the same default directory as the rest of
     server, namely /usr/local/apache2.  
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [SangBeom han <sbhan os.korea.ac.kr>]
  *) Get mod_auth_ldap to retry connections on LDAP_SERVER_DOWN.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Thomas Bennett <thomas.bennett eds.com>, Graham Leggett]
  *) Make sure the contents of the WWW-Authenticate header is
     passed on a 4xx error by proxy. Previously all headers
     were dropped, resulting in the browser being unable to
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     authenticate. [Dr Richard Reiner <rreiner fscinternet.com>,
     Richard Danielli <rdanielli fscinternet.com>, Graham Wiseman
     <gwiseman fscinternet.com>, David Henderson
     <dhenderson fscinternet.com>]
  *) Make mod_cache's CacheMaxStreamingBuffer directive work
     properly for virtual hosts that override server-wide mod_cache
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     setttings.  [Matthieu Estrade <estrade-m ifrance.com>]
  *) Add -p option to apxs to allow programs to be compiled with apxs.
     [Justin Erenkrantz]

Sander Striker's avatar
Sander Striker committed
Changes with Apache 2.0.42

Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CAN-2002-1593 (cve.mitre.org) [CERT VU#406121]
     mod_dav: Check for versioning hooks before using them.
Sander Striker's avatar
Sander Striker committed
     [Greg Stein]
Sander Striker's avatar
Sander Striker committed
Changes with Apache 2.0.41
  *) The protocol version (eg: HTTP/1.1) in the request line parsing
     is now case insensitive. [Jim Jagielski]

  *) Allow AddOutputFilterByType to add multiple filters per directive.
     [Justin Erenkrantz]

  *) Remove warnings with Sun's Forte compiler.  [Justin Erenkrantz]

  *) Fixed mod_disk_cache's generation of 304s
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Kris Verbeeck <Kris.Verbeeck ubizen.com>]
  *) Add support for using fnmatch patterns in the final path
     segment of an Include statement (eg.. include /foo/bar/*.conf).
     and remove the noise on stderr during config dir processing.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Joe Orton <jorton redhat.com>]
Paul J. Reder's avatar
 
Paul J. Reder committed
  *) mod_cache: cache_storage.c. Add the hostname and any request
     args to the key generated for caching. This provides a unique
     key for each virtual host and for each request with unique
     args. [Paul J. Reder, args code provided by Kris Verbeeck]

  *) mod_cache: Do not cache responses to GET requests with query
     URLs if the origin server does not explicitly provide an
     Expires header on the response (RFC 2616 Section 13.9)
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Kris Verbeeck <krisv be.ubizen.com>]
  *) Fix memory leak in core_output_filter.  [Justin Erenkrantz]

  *) Update OpenSSL detection to work on Darwin.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Sander Temme <sctemme covalent.net>]
  *) Update the xslt and css to give the documentation a more
     modern style.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [André Malo <nd perlig.de>, Gernot Winkler <greh o3media.de>]
  *) Fix some bucket memory leaks in the chunking code
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Joe Schaefer <joe+apache sunstarsys.com>]
  *) Add ModMimeUsePathInfo directive.  [Justin Erenkrantz]

  *) mod_cache: added support for caching streamed responses (proxy,
     CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]

  *) Add image/x-icon to httpd.conf PR 10993.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Ian Holsman, Peter Bieringer <pb bieringer.de>]
  *) Fix FileETags none operation.  PR 12207.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Justin Erenkrantz, Andrew Ho <andrew tellme.com>]
  *) Restored the experimental leader/followers MPM to working
     condition and converted its thread synchronization from
     mutexes to atomic CAS.  [Brian Pane]

  *) Fix Logic on non-html file removal in mod_deflate
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Kris Verbeeck <Kris.Verbeeck ubizen.com>]
Martin Kraemer's avatar
Martin Kraemer committed
  *) Fix "ab -g"'s truncated year: the last digit was cut off.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Leon Brocard <acme astray.com>]
  *) mod_rewrite can now sets cookies in err_headers, uses the correct
     expiry date, and can now set the path as well
     PR 12132,12181,12172.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Ian Holsman / Rob Cromwell <apachechangelog robcromwell.com>]
  *) The content-length filter no longer tries to buffer up
     the entire output of a long-running request before sending
     anything to the client.  [Brian Pane]

  *) Win32: Lower the default stack size from 1MB to 256K. This will
     allow around 8000 threads to be started per child process. 
     'EDITBIN /STACK:size apache.exe' can be used to change this 
     value directly in the apache.exe executable.
     [Bill Stoddard]

  *) Win32: Implement ThreadLimit directive in the Windows MPM.
Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Remove CacheOn config directive since it is set but never checked.
     No sense wasting cycles on unused code. Besides, the only truly
     bug free code is deleted code. :)   [Paul J. Reder]

  *) BufferLogs are now run-time enabled, and the log_config now has 2 new
     callbacks to allow a 3rd party module to actually do the writing of the
     log file [Ian Holsman]

  *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [André Malo, Astrid Keßler <kess kess-net.de>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix Segfault in mod_cache. [Kris Verbeeck <Kris.Verbeeck ubizen.com>]
Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Fix a null pointer dereference in the merge_env_dir_configs
     function of the mod_env module. PR 11791
     [Paul J. Reder]

  *) New option to ServerTokens 'maj[or]'. Only show the major version
     Also Surfaced this directive in the standard config (default FULL)
     [Ian Holsman]

  *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite
     maps.  The dbm type (e.g., ndbm, gdbm) can be specified on the
     RewriteMap directive.  PR 10644  [Jeff Trawick]
  *) Fixed mod_rewrite's RewriteMap prg: support so that request/response
     pairs will no longer get out of sync with each other.  PR 9534
     [Cliff Woolley]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Fixes required to get quoted and escaped command args working in
     mod_ext_filter. PR 11793 [Paul J. Reder]

  *) mod-proxy: handle proxied responses with no status lines
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [JD Silvester <jsilves uwo.ca>, Brett Huttley <brett huttley.net>]
Ian Holsman's avatar
Ian Holsman committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix bug where environment or command line arguments containing 
     non-ASCII-7 characters would cause the Win32 child process creation
     to fail.  PR 11854  [William Rowe]

  *) Bug #11213.. make module loading error messages more informative 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Ian Darwin <Ian779 darwinsys.com>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) thread safety & proxy-ftp [Alexey Panchenko <alexey liwest.ru>, Ian Holsman]
Ian Holsman's avatar
Ian Holsman committed

Bill Stoddard's avatar
Bill Stoddard committed
  *) mod_disk_cache works much better. This module should still
     be considered experimental. [Eric Prud'hommeaux]
  *) Performance improvement for keepalive requests: when setting
     aside a small file for potential concatenation with the next
     response on the connection, set aside the file descriptor rather
     than copying the file into the heap.  [Brian Pane]
Roy T. Fielding's avatar
Roy T. Fielding committed
  *) Modified version check on openssl so that it finds the executable
     first and then performs a check of the version, only warning the
     user if they chose, or we selected, an old version of OpenSSL.
     This change also allows the code to work for non-openssl libraries
     selected via the --with-ssl=dir option, which can override the
     automated library check in any case.  [Roy Fielding]

Cliff Woolley's avatar
Cliff Woolley committed
Changes with Apache 2.0.40
Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CAN-2002-0661 (cve.mitre.org) 
     Close a very significant security hole that 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     applies only to the Win32, OS2 and Netware platforms.  Unix was not 
     affected, Cygwin may be affected.  Certain URIs will bypass security
     and allow users to invoke or access any file depending on the system 
     configuration.  Without upgrading, a single .conf change will close 
     the vulnerability.  Add the following directive in the global server
     httpd.conf context before any other Alias or Redirect directives;
         RedirectMatch 400 "\\\.\."
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     Reported by Auriemma Luigi <bugtest sitoverde.com>.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Brad Nicholes]

Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CAN-2002-0654 (cve.mitre.org)
     Close a path-revealing exposure in multiview type
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     map negotiation (such as the default error documents) where the
     module would report the full path of the typemapped .var file when
     multiple documents or no documents could be served based on the mime
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     negotiation.  Reported by Auriemma Luigi <bugtest sitoverde.com>.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CAN-2002-0654 (cve.mitre.org)
     Close a path-revealing exposure in cgi/cgid when we 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     fail to invoke a script.  The modules would report "couldn't create 
     child process /path-to-script/script.pl" revealing the full path
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     of the script.  Reported by Jim Race <jrace qualys.com>.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Set aside the apr-iconv and apr_xlate() features for the Win32
     build of 2.0.40 so development can be completed.  A patch, from
     <http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
     will be available for those that wish to work with apr-iconv.
     [William Rowe]

  *) Fix proxy so that it is possible to access ftp: URLs via a proxy
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     chain. [Peter Van Biesen <peter.vanbiesen vlafo.be>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mod-deflate now checks to make sure that 'gzip-only-text/html' is
     set to 1, so we can exclude things from the general case with
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     browsermatch. [Ian Holsman, Andre Schild <A.Schild aarboard.ch>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Accept multiple leading /'s for requests within the DocumentRoot.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 10946  [William Rowe, David Shane Holden <dpejesh yahoo.com>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Solved the reports of .pdf byterange failures on Win32 alone.
     APR's sendfile for the win32 platform collapses header and trailer
     buffers into a single buffer.  However, we destroyed the pointers
     to the header buffer if a trailer buffer was present.  PR 10781
     [William Rowe]

  *) mod_ext_filter: Add the ability to enable or disable a filter via
     an environment variable.  Add the ability to register a filter of
     type other than AP_FTYPE_RESOURCE.  [Jeff Trawick]

  *) Restore the ability to specify host names on Listen directives.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 11030.  [Jeff Trawick, David Shane Holden <dpejesh yahoo.com>]
  *) When deciding on the default address family for listening sockets, 
     make sure we can actually bind to an AF_INET6 socket before
     deciding that we should default to AF_INET6.  This fixes a startup
     problem on certain levels of OpenUNIX.  PR 10235.  [Jeff Trawick]

  *) Replace usage of atol() to parse strings when we might want a
     larger-than-long value with apr_atoll(), which returns long long.
     This allows HTTPD to deal with larger files correctly.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Shantonu Sen <ssen apple.com>]
  *) mod_ext_filter: Ignore any content-type parameters when checking if
     the response should be filtered.  Previously, "intype=text/html"
     wouldn't match something like "text/html;charset=8859_1".
     [Jeff Trawick]

  *) mod_ext_filter: Set up environment variables for external programs.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Craig Sebenik <craig netapp.com>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Modified the HTTP_IN filter to immediately append the EOS (end of
     stream) bucket for C-L POST bodies, saving a roundtrip and allowing
     the caller to determine that no content remains without prefetching
     additional POST body.  [William Rowe]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Get proxy ftp to work over IPv6.  [Shoichi Sakane <sakane kame.net>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Look for OpenSSL libraries in /usr/lib64.  [Peter Poeml <poeml suse.de>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Update SuSE layout.  [Peter Poeml <poeml suse.de>]
  *) Changes to the internationalized error documents:
     Comment them out in the default config file to make the default
     install as simple as possible; Correct the english 500 error to
     be more understandable; Add a Swedish translation.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Thomas Sjogren <thomas northernsecurity.net>, 
      Erik Abele <erik codefaktor.de>, Rich Bowen, Joshua Slive]
  *) Increase the limit on file descriptors per process in apachectl.
     [Brian Pane]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix a dependency error when building ApacheMonitor, so that Win32
     and MSVC now trust that the project is current (when it is).
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [James Cox <imajes php.net>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) mod_ext_filter: don't segfault if content-type is not set.  PR 10617.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Arthur P. Smith <apsmith aps.org>, Jeff Trawick]
Ian Holsman's avatar
Ian Holsman committed
  *) APR-Util Renames pending have been completed [Thom May]

  *) Performance improvements for the code that reads request
     headers (ap_rgetline_core() and related functions)  [Brian Pane]

  *) Add a new directive: MaxMemFree.  MaxMemFree makes it possible
     to configure the maximum amount of memory the allocators will
     hold on to for reuse.  Anything over the MaxMemFree threshold
Jeff Trawick's avatar
Jeff Trawick committed
     will be free()d.  This directive is useful when uncommon large
     peaks occur in memory usage.  It should _not_ be used to mask
     defective modules' memory use.  [Sander Striker]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

Cliff Woolley's avatar
Cliff Woolley committed
  *) Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
     scripts would not result in a truncated response.
     [Ryan Bloom, Justin Erenkrantz, Cliff Woolley]

  *) Add a filter_init parameter to the filter registration functions
     so that a filter can execute arbitrary code before the handlers
     are invoked.  This resolves a problem where mod_include requests
     would incorrectly return a 304.  [Justin Erenkrantz]

  *) Fix a long-standing bug in 2.0, CGI scripts were being called
     with relative paths instead of absolute paths.  Apache 1.3 used
     absolute paths for everything except for SuExec, this brings back
     that standard.  [Ryan Bloom]

  *) Fix infinite loop due to two HTTP_IN filters being present for
     internally redirected requests.  PR 10146.  [Justin Erenkrantz]

  *) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
     [Justin Erenkrantz]

  *) Fix mod_ext_filter to look in the main server for filter definitions
     when running in a vhost if the filter definition is not found in
     the vhost.  PR 10147  [Jeff Trawick]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Support WinNT CGI invocation through ScriptInterpreterSource 
     'registry' for script interpreter paths and names with non-ascii
     characters in the executable filepath.  [William Rowe]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Support the -w flag on to keep the Win32 console open on error.
     [William Rowe]

  *) Normalize the hostname value in the request_rec to all-lowercase
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Perry Harrington <pedward webcom.com>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     extended characters (non US-ASCII) in non-utf8 format.  This brings
     Win32 back into CGI/1.1 compliance, and leaves charset decoding up
     to the cgi application itself.  [William Rowe]

  *) Major overhaul of mod_dav, mod_dav_fs and the experimental/cache
     modules to bring them up to the current apr/apr-util APIs.
     [William Rowe]

  *) Fix segfault in mod_mem_cache most frequently observed when
     serving the same file to multiple clients on an MP machine.
     [Bill Stoddard]
Cliff Woolley's avatar
Cliff Woolley committed

  *) mod_rewrite can now set cookies  (RewriteRule (.*) - [CO=name:$1:.domain])
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Brian Degenhardt <bmd mp3.com>, Ian Holsman]
  *) Fix perchild to work with apachectl by adding -k support to perchild.
     PR 10074  [Jeff Trawick]

  *) Fix a silly htpasswd.c logic error that incorrectly reported that
     both -c and -n had been used.  PR 9989  [Cliff Woolley]

  *) Fixed a mod_include error case in which no HTTP response was sent
     to the client if an shtml document contained an unterminated SSI
     directive [Brian Pane]

Cliff Woolley's avatar
Cliff Woolley committed
  *) Improve ap_get_client_block implementation by using APR-util brigade
     helper functions and relying on current filter assumptions.
     [Justin Erenkrantz]

Cliff Woolley's avatar
Cliff Woolley committed
Changes with Apache 2.0.39

  *) Fixed a build problem in htpasswd.c on Win32.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Guenter Knauf <eflash gmx.net>, Cliff Woolley]
Cliff Woolley's avatar
Cliff Woolley committed

Cliff Woolley's avatar
Cliff Woolley committed
Changes with Apache 2.0.38

  *) Rewrite htpasswd to use APR.  The removes the annoying warning about
     tmpnam being unsafe.   [Ryan Bloom]

  *) We must set the MIME-type for .shtml files to text/html if we want them
     to be parsed for SSI tags.  Add the config for that to the default 
     config file so that it is easier to enable .shtml parsing.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Dave Dyer <ddyer real-me.net>]
  *) Fixed a problem with 'make install' on ReliantUnix.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Jean-frederic Clere <jfrederic.clere fujitsu-siemens.com>]
  *) Make the default_handler catch all requests that aren't served by
     another handler.  This also gets us to return a 404 if a directory
     is requested, there is no DirectoryIndex, and mod_autoindex isn't
     loaded.  [Justin Erenkrantz]

  *) Fixed the handling of nested if-statements in shtml files.
     PR 9866  [Brian Pane]

  *) Allow 'make install DESTDIR=/path'.  This allows packagers to install
     into a directory different from the one that was configured.  This 
     also mirrors the root= feature from 1.3.  We cannot use prefix=,
     because both APR and APR-util resolve their installation paths at 
     configuration time.  This means that there is no variable prefix 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     to replace.  [Andreas Hasenack <andreas netbank.com.br>]
  *) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.
     These levels of AIX don't have a thundering herd problem with
     accept().  [Jeff Trawick]

  *) prefork MPM: Ignore mutex errors during graceful restart.  For
     certain types of mutexes (particularly SysV semaphores), we
     should expect to occasionally fail to obtain or release the
     mutex during restart processing.  [Jeff Trawick]

  *) Fix install-bindist.sh so that it finds any perl instead of just
     early perl 5.x versions.  This is consistent with a build/install
     from source, and it allows the perl scripts installed by a bindist 
     to work on systems with perl 5.6.  [Jeff Trawick]

  *) Fix apxs so that the makefile created by "apxs -g" works on AIX and
     Tru64 (and probably some other platforms).  [Jeff Trawick]

  *) Allow CGI scripts to return their Content-Length.  This also fixes a
     hang on HEAD requests seen on certain platforms (such as FreeBSD).
     [Justin Erenkrantz]

  *) Added log rotation based on file size to the RotateLog support
     utility. [Brad Nicholes]

  *) Fix some casting in mod_rewrite which broke random maps.
     PR 9770  [Allan Edwards, Greg Ames, Jeff Trawick]
Cliff Woolley's avatar
Cliff Woolley committed

Changes with Apache 2.0.37

Doug MacEachern's avatar
Doug MacEachern committed
  *) allow POST method over SSL when per-directory client cert
     authentication is used with 'SSLOptions +OptRenegotiate' enabled
     and a client cert was found in the ssl session cache.

Doug MacEachern's avatar
Doug MacEachern committed
  *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
     session cache when there is no cert chain in the cache.  prior to
     the fix this situation would result in a FORBIDDEN response and
     error message "Cannot find peer certificate chain"
     [Doug MacEachern]

  *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
     one was already sent.  PR 9644  [Jeff Trawick]

  *) Fix the display of the default name for the mime types config
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     file.  PR 9729  [Matthew Brecknell <mbrecknell orchestream.com>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix the working directory *for WinNT/2K/XP services only* to
     change to the Apache directory (one level above the location 
     of Apache.exe, in the case that Apache.exe resides in bin/.)
     Solves the case of ServerRoot /foo paths where /foo was not
     on the same drive as /winnt/system32.  [William Rowe]

  *) Make 2.0's "AcceptMutex" startup message now "completely"
     match how 1.3 does it. [Jim Jagielski]

  *) Implement a fixed size memory cache using a priority queue
     [Ian Holsman]

  *) Fix apxs to allow "apxs -q installbuilddir" and to allow
     querying certain other variables from config_vars.mk.  PR 9316  
     [Jeff Trawick]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Added the "detached" attribute to the cgi_exec_info_t internals
     so that Win32 and Netware won't create a new window or console
     for each CGI invoked.  PR 8387
     [Brad Nicholes, William Rowe]

  *) Consolidated the command line parameters and attributes that are 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     manipulated by the optional function ap_cgi_build_command() in
     mod_cgi into a single structure.
  *) Get rid of uninitialized value errors with "apxs -q" on certain
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     variables.  [Stas Bekman <stas stason.org>]
  *) Fix apxs to allow it to work when the build directory is somewhere
     besides server-root/build.  PR 8453  
     [Jeff Trawick and a host of others]

  *) Allow ap_discard_request_body to be called multiple times in the
     same request.  Essentially, ap_http_filter keeps track of whether
     it has sent an EOS bucket up the stack, if so, it will only ever
     send an EOS bucket for this request.  
     [Ryan Bloom, Justin Erenkrantz, Greg Stein]

  *) Remove all special mod_ssl URIs.  This also fixes the bug where
     redirecting (.*) will allow an SSL protected page to be viewed
     without SSL.  [Ryan Bloom]

  *) Fix the binary build install script so that the build logic
     created by "apxs -g" will work when the user has a binary
     build.  [Jeff Trawick]

  *) Allow instdso.sh to work with full paths to the shared module.
     [Justin Erenkrantz]

  *) NetWare: Enabled CGI functionality and added mod_cgi as a built
     in module for NetWare  [Brad Nicholes]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Changed cgi and piped log behavior to accept 65536 characters
     on Win32 (matching Linux) before deadlocking between outputing
     client stdin, slurping the output from stdout and then the stderr
     stream.  PR 8179  [William Rowe]

  *) Fixed Win32 wintty.exe support to assure the window title is valid.
     Elimiates possible gpfault or garbage title without the -t option.
     [William Rowe]

  *) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use
     brigades and input filters.  [Justin Erenkrantz]
  *) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request
     body.  [Justin Erenkrantz]
    
  *) NetWare: Piping log entries through RotateLogs using the 
     CustomLogs directive is finally supported now that we have 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     the pipes and spawning functionality working.
Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CVE-2002-0392 (cve.mitre.org) [CERT VU#944335]
Bill Stoddard's avatar
Bill Stoddard committed
     Detect overflow when reading the hex bytes forming a chunk line.
  *) Allow RewriteMap prg:'s to take command-line arguments.  PR 8464.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [James Tait <JTait wyrddreams.demon.co.uk>]
  *) Correctly return 413 when an invalid chunk size is given on
     input.  Also modify ap_discard_request_body to not do anything
     on sub-requests or when the connection will be dropped.
     [Justin Erenkrantz]

  *) Fix the TIME_* SSL var lookups to be threadsafe.  PR 9469.
     [Cliff Woolley]

  *) Ensure that apr_brigade_write() flushes in all of the cases that
     it should to avoid conditions in some modules that could cause
     large amounts of data to be buffered.  [Cliff Woolley]

  *) Fix problem where mod_cache/mod_disk_cache was incorrectly
     stripping the content_type from cached responses.
     [Bill Stoddard]
Jeff Trawick's avatar
Jeff Trawick committed

  *) apachectl passes through any httpd options.  Note: apachectl
     should be used in preference to httpd since it ensures that any
     appropriate environment variables have been set up.
     [Jeff Trawick]

  *) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 7810  [Colm MacCarthaigh <colmmacc redbrick.dcu.ie>]
  *) Fix suexec execution of CGI scripts from mod_include.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 7791, 8291  [Colm MacCarthaigh <colmmacc redbrick.dcu.ie>]
  *) Fix segfaults at startup on some platforms when mod_auth_digest,
     mod_suexec, or mod_ssl were used as DSO's due to the way they
     were tracking the current init phase since DSO's get completely
     unloaded and reloaded between phases.  PR 9413.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Tsuyoshi Sasamoto <nazonazo super.win.ne.jp>, Brad Nicholes]
  *) Fix mod_include's handling of regular expressions in
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     "<!--#if" directives [Julius Gawlas <julius_gawlas hp.com>]
  *) Fix the worker MPM deadlock problem  [Brian Pane]

  *) Modify the module documentation to allow for translations.
     [Yoshiki Hayashi, Joshua Slive]

  *) Fix a file permissions problem which prevented mod_disk_cache
     from working on Unix.  [Jeff Trawick]

  *) Add "-k start|restart|graceful|stop" support to httpd for the Unix 
     MPMs.  These have semantics very similar to the old apachectl 
     commands of the same name.  [Justin Erenkrantz, Jeff Trawick]
  *) Make sure that the runtime dir is created by make install.
     PR 9233.  [Jeff Trawick]

Cliff Woolley's avatar
Cliff Woolley committed
  *) Fix an unusual set of ./configure arguments that could cause
     mod_http to be built as a DSO, which it currently doesn't
     support.  PR 9244.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Cliff Woolley, Robin Johnson <robbat2 orbis-terrarum.net>]
  *) Win32: Fix bug in apr_sendfile() that caused incorrect operation
     of the %X, %b and %B logformat options. PR 8253, 8996.
     [Bill Stoddard]
Ian Holsman's avatar
Ian Holsman committed
  *) If content-encoding is already present, do not run deflate (PR 9222)
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Kazuhisa ASADA <kaz asada.sytes.net>]
Ian Holsman's avatar
Ian Holsman committed

  *) The APLOG_NOERRNO flag to ap_log_[r]error() is now deprecated.
     It is currently ignored and it will be removed in a future release
     of Apache.  [Jeff Trawick]

  *) Removed documentation references to the no-longer-supported
     "make certificate" feature of mod_ssl for Apache 1.3.x.  Test
     certificates, if truly desired, can be generated using openssl
     commands.  PR 8724.  [Cliff Woolley]

  *) Remove SSLLog and SSLLogLevel directives in favor of having
     mod_ssl use the standard ErrorLog directives.  [Justin Erenkrantz]

  *) OS/390: LIBPATH no longer has to be manually uncommented in
     envvars to get apachectl to set up httpd properly.  [Jeff Trawick]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mod_isapi: All mod_isapi directives, excluding ISAPICacheFile,
     may now be specified to the <File/Directory > container, rather
     than by vhost.  [William Rowe]

  *) mod_isapi: Experimental support for faux async support for ISAPI
     modules.  [William Rowe]

  *) mod_isapi: Major refactoring of the code to rely on apr internals
     rather than MS APIs (using our own mod_isapi.h headers for ISAPI
     symbol definitions.)  [William Rowe]

  *) mod_isapi: Fixed the return string length from GetServerVariable