Newer
Older
[Remove entries to the current 2.0 section below, when backported]
*) Fix the global mutex crash when the global mutex is never allocated due
to disabled/empty caches. [Jess Holle <jessh ptc.com>]
*) Fix a segfault in the LDAP cache purge. [Jess Holle <jessh ptc.com>]
*) mod_rewrite: Handle per-location rules when r->filename is unset.
Previously this would segfault or simply not match as expected,
depending on the platform. [Jeff Trawick]
*) Unix MPMs: Shut down the server more quickly when child processes are
slow to exit. [Joe Orton, Jeff Trawick]
*) mod_info: Added listing of the Request Hooks and added more build
information like 'httpd -V' contains. Changed output to XHTML.
[Paul Querna]
*) mod_info: Rewrote config tree walk using a recursive function.
Added ?config option. Added printout of config filename and line numbers.
[Rici Lake <rici ricilake.net>, Paul Querna]
*) mod_proxy: Fix type error that prevents proxy-sendchunks from working.
[Justin Erenkrantz]
*) mod_proxy: Fix data corruption by properly setting aside buckets.
[Justin Erenkrantz]
*) mod_proxy: If a request has a blank body and has a 0 Content-Length
headers, pass that to the proxy. [Justin Erenkrantz]
*) mod_rewrite: Fix query string handling for proxied URLs. PR 14518.
[michael teitler <michael.teitler cetelem.fr>,
Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]
*) Recognize QSA flag in mod_rewrite again.
[Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]
*) Restructured mod_auth_ldap to fit the new authentication model.
The module is now called authnz_ldap and has been moved out of
the modules/experimental area and into modules/aaa with the other
auth modules. Both the authn_ldap provider and the authz_ldap
handler are contained within the authnz_ldap module. The
authz_ldap handler introduces 3 new "requires" values for handling
authorization. These handlers are ldap-user, ldap-group and
ldap-dn. [Brad Nicholes]
*) Fix some compiler warnings in proxy
[Geoffrey Young <geoff@modperlcookbook.org>]
*) mod_ssl: Add SSL_CLIENT_V_REMAIN variable, representing the
number of days until the client cert expires. [Joe Orton]
*) Add test_config hook, run only if httpd is invoked using -t.
[Joe Orton]
*) Improve error handling for corrupted pid files. [Jeff Trawick]
*) mod_proxy.c and proxy_util.c: Enable compiling on 2.0-HEAD
(for backwards compatibility):
Avoids mod_ssl.h (not included in 2.0-HEAD) and
use apr_socket_create_ex for 0.9.x
[Mladen Turk]
*) Added proxy_ajp.c module for proxy support to ajp:// backends.
[Jean Frederic Clere]
*) Fixes the build of proxy on Windows. Since the proxy_module is declared
as extern using AP_MODULE_DECLARE_DATA that expands to dllexport, there
is a LNK2001 error when building proxy_http. [Mladen Turk]
*) Remove LDAP toolkit specific code from util_ldap and mod_auth_ldap.
[Graham Leggett]
Justin Erenkrantz
committed
*) Remove deprecated/removed APR_STATUS_IS_SUCCESS(). [Justin Erenkrantz]
*) perchild MPM: Fix thread safety problem in the use of longjmp().
[Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]
*) Add load balancer support to the scoreboard in preparation for
load balancing support in mod_proxy. [Mladen Turk]
*) mod_nw_ssl: Added the directive NWSSLUpgradeable to mod_nw_ssl to
allow a non-secure connection to be upgraded to secure connections
[Brad Nicholes]
*) core: Add Options= syntax to AllowOverride to specify which options
may be overridden in .htaccess files. PR 29310.
[Tom Alsberg <alsbergt cs.huji.ac.il>, Paul Querna]
*) ab: Handle long URLs with an error instead of an buffer overflow.
PR 28204. [Erik Weide <erik.weidel mplus-technologies.de>, Paul Querna]
*) mod_so, core: Add new command line options to print all loaded
modules. '-t -D DUMP_MODULES' and '-M' will show all static
and shared modules as loaded from the configuration file.
[Paul Querna]
*) mod_autoindex: Add ShowForbidden to IndexOptions to list files
that are not shown because the subrequest returned 401 or 403.
PR 10575. [Paul Querna]
*) mod_headers: implement "Early" processing option in post_read_request
to enable Header and RequestHeader directives to be used to set up
testcases for pre-fixups request phases [Nick Kew]
*) mod_proxy: multiple bugfixes, principally support cookies in
ProxyPassReverse, and don't canonicalise URL passed to backend.
Documentation correspondingly updated. [Nick Kew <nick webthing.com>]
*) mod_deflate: support gzip flags in inflate_out_filter
[Nick Kew <nick webthing.com>]
*) Drop the ErrorHeader directive which turned out to be a misnomer.
Instead there's a new optional flag for the Header directive
('always'), which keeps the former ErrorHeader functionality.
[André Malo]
*) mod_deflate: Don't deflate responses with zero length
e.g. proxied 304's [Allan Edwards]
*) <IfModule> now recognizes the module identifier in addition to the
file name. PR 29003. [Edward Rudd <eddie omegaware.com>, André Malo]
*) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
OpenSSL 0.9.7 flag which uses the server's cipher order rather
than the client's. PR 28665.
[Jim Schneider <jschneid netilla.com>]
*) mod_ssl: Drop support for the CompatEnvVars argument to
SSLOptions, which was never actually implemented in 2.0.
[Joe Orton]
Justin Erenkrantz
committed
*) Fix bug in mod_deflate that unconditionally sent deflate'd output
even when Accept-Encoding is not present. [Justin Erenkrantz]
*) Pass environment variables through to piped loggers and start
them via the shell, resolving regressions since 1.3. PR 28815
[Ken Coar, Jeff Trawick]
Andre Malo
committed
*) External rewrite map responses are no longer limited to 2048
bytes. [André Malo]
*) Proxy server was deleting cookies that Apache had already
assigned if the origin server had set any cookies. PR 27023.
[Jim Jagielski]
*) Removed old and unmaintained ap_add_named_module API and changed
the following APIs to return an error instead of hard exiting:
ap_add_module, ap_add_loaded_module, ap_setup_prelinked_modules,
and ap_process_resource_config. [André Malo]
*) mod_headers: Allow %% in header values to represent a literal %.
[André Malo]
*) mod_headers: Allow env clauses also for 'echo' and 'unset' actions.
[André Malo]
*) mod_headers: Allow 'echo' also for ErrorHeaders. [André Malo]
*) mod_deflate: New option for DEFLATE output file (force-gzip),
new output filter 'INFLATE' for uncompressing responses.
[Nick Kew <Nick at WebThing dot com>, Ian Holsman]
*) Added new module mod_version, which provides version dependent
configuration containers. [André Malo]
*) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
format is used. PR 27787. [André Malo]
*) Allow Digest providers to return AUTH_DENIED to propagate a 401
status and terminate the provider chain prior to checking the password.
[Geoffrey Young]
*) mod_cgid: Don't allow Scriptsock to be specified inside VirtualHost;
Don't place script socket inside default server root instead of
actual server root. PR 27886. [Jeff Trawick]
*) mod_proxy: Fix handling of non-200 success status codes when
"ProxyErrorOverride On" is configured. PR 20183.
[Marcus Janson <marcus.janson tre.se>, Joe Orton]
*) Threaded MPMs for Unix and Win32: Add support for ThreadStackSize
directive (previously NetWare-only) to override default thread
stack size for threads which handle client connections. Required
for some third-party modules on platforms with small default
thread stack size. [Jeff Trawick]
*) minor mod_auth_basic and mod_auth_digest sync. mod_auth_basic
now populates r->user with the (possibly unauthenticated) user,
and mod_auth_digest returns 500 when a provider returns
AUTH_GENERAL_ERROR.
[Geoffrey Young]
*) The whole codebase was relicensed and is now available under
the Apache License, Version 2.0 (http://www.apache.org/licenses).
[Apache Software Foundation]
*) Delete some make-generated files in the server directory during
"make clean" processing. PR 26552. [Jeff Trawick]
*) Add core version query function (ap_get_server_revision) and
accompanying ap_version_t structure (minor MMN bump).
[André Malo]
*) mod_rewrite: EOLs sent by external rewritemaps are now consumed
as whole. That way, on systems with more than one EOL character
rewritemap programs no longer need to switch stdout to binary
mode. PR 25635. [André Malo]
*) mod_rewrite: Introduce the ability to force a content handler via
the [handler=...] flag. [André Malo]
*) mod_rewrite: Introduce the RewriteCond -x check, which returns
true if the pattern is a file with execution permissions.
[André Malo]
*) mod_rewrite: Allow proxying and RewriteRules in directory context
for subrequests. PR 14648, 15114. [André Malo]
*) mod_rewrite: Allow setting of any valid HTTP response code.
PR 25917. [André Malo]
*) mod_rewrite: Cookie creation now works locale independent.
[André Malo]
*) mod_ssl: Add support for distributed session cache using 'distcache'.
[Geoff Thorpe <geoff geoffthorpe.net>]
*) mod_dav: Disallow requests with an unescaped hash character in
the Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
*) mod_proxy with ProxyErrorOverride On in a reverse-proxy configuration
attaches a body to the 302 response and a wrong Content-Length header.
Ian Holsman
committed
PR: 22951 [Ermanno Scaglione scaglione ..at.. starnetone.de]
*) Bring ErrorHeader concept forward from 1.3, so that response
header fields can be set for return even on errors or external
redirects. [Ken Coar]
*) Fix <Limit> and <LimitExcept> parsing to require a closing '>'
in the initial container. PR 25414.
[Geoffrey Young <geoff apache.org>]
*) Clean up httpd -V output: Instead of displaying the MPM source
directory, display the MPM name and some MPM properties.
[Geoffrey Young <geoff apache.org>]
*) mod_ssl/mod_status: Re-enable support for output of SSL session
cache information in server-status page. [Joe Orton]
*) mod_ssl: Remove the shmht session cache, shmcb should be used
instead. [Joe Orton]
*) mod_logio: Account for some bytes handed to the network layer prior to
dropped connections. [Jeff Trawick]
*) mod_autoindex: new directive IndexStyleSheet
[Tyler Riddle <triddle_1999 yahoo.com>, Paul Querna <chip force-elite.com>]
*) Fix uninitialized gprof directory name in prefork MPM. PR 24450.
*) Log an error when requests for URIs which fail to map to a valid
filesystem name are rejected with 403. [Jeff Trawick]
*) Switch to APR 1.0 API.
*) Major overhaul of mod_include's filter parser. The new parser code
is expected to be more robust and should catch all of the edge cases
that were not handled by the previous one. This includes a binary
incompatible change of mod_include's external API. [André Malo]
*) mod_rewrite: Allow forced mimetypes [T=...] to get expanded.
PR 14223. [André Malo]
*) mod_rewrite: Fix LA-U and LA-F lookups in directory context. Previously
the current rewrite state was just used as lookup path, which lead to
strange and often useless results. Related to PR 8493. [André Malo]
*) Change Listen directive to bind to all addresses when a hostname is
not specified. [Justin Erenkrantz]
*) Correct failure with Listen directives on machines with IPv6 enabled.
*) Fix a link failure in mod_ssl when the OpenSSL libraries contain
the ENGINE functions but the engine header files are missing.
[Cliff Woolley]
*) mod_rewrite: RewriteRules in server context using the force
type feature [T=...] no longer disable MultiViews. [André Malo]
*) mod_rewrite: Allow piped rewrite logs to be relative to ServerRoot.
[André Malo]
*) mod_authz_groupfile: Strip trailing spaces of group names. This
hopefully saves some hours of searching for typos. PR 12863.
[André Malo]
*) mod_actions: Propagate the handler name to the action script via
the REDIRECT_HANDLER environment variable. [André Malo]
*) mod_actions: Introduce the "virtual" modifier to the Action directive,
which allows the use of handlers for virtual locations. PR 8431.
[André Malo]
*) mod_speling: Recognize AcceptPathInfo setting for the particular
location. Default is to reject path information. PR 21059.
[André Malo]
*) mod_ext_filter: Add the ability to filter request bodies.
*) Fix some broken log messages in WinNT MPM.
*) prefork MPM: Use the right permissions for the directory created
*) Fix a compile failure with recent OpenSSL and picky compilers
(e.g., OpenSSL 0.9.7a and xlc_r on AIX). [Jeff Trawick]
Madhusudan Mathihalli
committed
*) OpenSSL headers should be included as "openssl/ssl.h", and not rely on
the INCLUDE path to be defined properly.
Madhusudan Mathihalli
committed
Madhusudan Mathihalli
committed
*) Modify APACHE_CHECK_SSL_TOOLKIT to detect SSL-C. [Madhusudan Mathihalli]
Madhusudan Mathihalli
committed
*) Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc).
Madhusudan Mathihalli
committed
*) change directive name from 'compressionlevel' to 'deflatecompressionlevel'
[Ian Holsman, André Malo]
*) mod_negotiation: quality values are now parsed independent from
the current locale. level values are now really parsed as integers.
PR 17564. [André Malo]
*) Extend mod_negotiation to evaluate the environment variables
no-gzip and gzip-only-text/html the same way as mod_deflate does.
[André Malo]
*) mod_rewrite: Fix some problems reporting errors with mapping
programs (RewriteMap prg:/something). [Jeff Trawick]
Justin Erenkrantz
committed
*) Return 413 if chunk-ext-header is too long rather than reading from
the truncated line. PR 15857. [Justin Erenkrantz]
*) Allow restart of httpd to occur even with syntax errors in the config
file. PR 16813. [Justin Erenkrantz]
*) Use APR_LAYOUT instead of APACHE_LAYOUT in configure. PR 15679.
[Justin Erenkrantz]
*) Remove files on 'make distclean' that should be. PR 15592.
[Justin Erenkrantz]
Justin Erenkrantz
committed
*) Allow apachectl to perform status with links and elinks as well.
[Justin Erenkrantz]
*) mod_log_config change optional hook to return previous handler
[Ian Holsman]
*) Forward port of mod_actions' ability to handle arbitrary methods
with the Script directive. [André Malo]
*) Let suexec send a message to stderr, if it failed or its policy
was violated. This message appears in the error log and allows
for easier debugging. PR 5381, 7638, 8255, 10773. [André Malo]
Justin Erenkrantz
committed
*) Modify buildconf to copy all required files into httpd's tree.
Justin Erenkrantz
committed
Justin Erenkrantz
committed
*) Allow mod_dav to do weak entity comparison functions.
[Justin Erenkrantz]
*) Move RFC 1413 ident requests from core to new module mod_ident.
[André Malo]
*) Add mod_authz_owner - a forward port of "Require file-owner"
and "Require file-group", which was already present in version
1.3.21. [André Malo]
Justin Erenkrantz
committed
*) Add mod_dav_lock - a generic subset of the DAV locking implementation.
[Justin Erenkrantz]
*) Replace some of the mutex locking in the worker MPM with
atomic operations for higher concurrency. [Brian Pane]
*) Allow 'make depend' to work with non-GCC compilers.
[Justin Erenkrantz]
*) If an httpd.conf has commented out AddModule directives,
apxs -i -a will add an un-commented AddModule directive for
the new module, which breaks the config.
PR: 11212 [Joe Orton]
Justin Erenkrantz
committed
*) Fix mod_proxy handling of filtered input bodies. [Justin Erenkrantz]
*) Move the check of the Expect request header field after the hook
for ap_post_read_request, since that is the only opportunity for
modules to handle Expect extensions. [Justin Erenkrantz]
*) Rewrite of aaa modules to an authn/authz model.
[Dirk-Willem van Gulik, Justin Erenkrantz]
[Apache 2.1.0-dev includes those bug fixes and changes with the
Apache 2.0.xx tree as documented, and except as noted, below.]
*) SECURITY: CAN-2004-0811 (cve.mitre.org)
Fix merging of the Satisfy directive, which was applied to
the surrounding context and could allow access despite configured
authentication. PR 31315. [Rici Lake <rici ricilake.net>]
*) Fix the handling of URIs containing %2F when AllowEncodedSlashes
is enabled. Previously, such urls would still be rejected.
[Jeff Trawick, Bill Stoddard]
*) mod_mem_cache: Fixed race condition causing segfault because of memory being
freed twice, or reused after being freed.
[J. Clar, W. Stoddard, G. Ames]
*) Add -l option to rotatelogs to let it use local time rather than
UTC. PR 24417. [Ken Coar, Uli Zappe <uli ritual.org>]
*) mod_log_config: Fix a bug which prevented request completion time
from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
processing. PR 29696. [Alois Treindl <alois astro.ch>]
in the core. This allows for careful usage of recursive SSI.
[André Malo]
*) Fix memory leak in the cache handling of mod_rewrite. PR 27862.
[chunyan sheng <shengperson yahoo.com>, André Malo]
*) Include directives no longer refuse to process symlinks on
directories. Instead there's now a maximum nesting level
of included directories (128 as distributed). This is configurable
at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch.
PR 28492. [André Malo]
*) Win32: apache -k start|restart|install|config can leave stranded
piped logger processes (eg, rotatelogs.exe) due to improper
server shutdown on these code paths.
[Bill Stoddard]
*) SECURITY: CAN-2004-0751 (cve.mitre.org)
mod_ssl: Fix a segfault in the SSL input filter which could be
triggered if using "speculative" mode, for instance by a
proxy request to an SSL server. PR 30134. [Joe Orton]
*) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.
PR 30464. [Joe Orton, Madhusudan Mathihalli]
*) mod_ssl: Add new 'ssl_is_https' optional function. [Joe Orton]
*) Prevent CGI script output which includes a Content-Range header
from being passed through the byterange filter. [Joe Orton]
*) Satisfy directives now can be influenced by a surrounding <Limit>
container. PR 14726. [André Malo]
*) mod_rewrite now officially supports RewriteRules in <Proxy> sections.
PR 27985. [André Malo]
Bill Stoddard
committed
*) mod_disk_cache: Implement binary format for on-disk header files.
[Brian Akins <bakins web.turner.com>, Justin Erenkrantz]
*) mod_disk_cache: Optimize network performance of disk cache subsystem by
allowing zero-copy (sendfile) writes and other miscellaneous fixes.
[Justin Erenkrantz]
*) mod_cache, mod_disk_cache, mod_mem_cache: Refactor cache modules, and
switch to the provider API instead of hooks. [Justin Erenkrantz]
*) mod_autoindex: Don't truncate the directory listing if a stat()
call fails (for instance on a >2Gb file). PR 17357.
[Joe Orton]
*) Makefile fix: httpd is linked against LIBS given to the
'make' invocation. PR 7882. [Joe Orton]
*) WinNT MPM: Fix a broken log message at termination. PR 28063.
[Eider Oliveira <eider bol.com.br>]
*) Prevent Win32 pool corruption at startup [Allan Edwards]
*) mod_ssl: Add "SSLUserName" directive to set r->user based on a
chosen SSL environment variable. PR 20957.
[Martin v. Loewis <martin v.loewis.de>]
*) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs.
[Zvi Har'El <rl math.technion.ac.il>]
*) apachectl: Fix a problem finding envvars if sbindir != bindir.
PR 30723. [Friedrich Haubensak <hsk imb-jena.de>]
*) mod_ssl: Build on RHEL 3. PR 18989. [Justin Erenkrantz]
*) SECURITY: CAN-2004-0748 (cve.mitre.org)
mod_ssl: Fix a potential infinite loop. PR 29964. [Joe Orton]
*) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb.
PR 18989. [Joe Orton]
*) mod_userdir: Ensure that the userdir identity is used for
suexec userdir access in a virtual host which has suexec configured.
PR 18156. [Joshua Slive]
*) mod_rewrite no longer confuses the RewriteMap caches if
different maps defined in different virtual hosts use the
same map name. PR 26462. [André Malo]
*) mod_setenvif: Remove "support" for Remote_User variable which
never worked at all. PR 25725. [André Malo]
*) Backport from 2.1 / Regression from 1.3: mod_headers now knows
again the functionality of the ErrorHeader directive. But instead
using this misnomer additional flags to the Header directive were
introduced ("always" and "onsuccess", defaulting to the latter).
PR 28657. [André Malo]
*) Use the higher performing 'httpready' Accept Filter on all platforms
except FreeBSD < 4.1.1. [Paul Querna]
*) mod_usertrack: Escape the cookie name before pasting into the
regexp. [André Malo]
*) Extend the SetEnvIf directive to capture subexpressions of the
matched value. [André Malo]
*) Recursive Include directives no longer crash. The server stops
including configuration files after a certain nesting level (128
as distributed). This is configurable at compile time using the
-DAP_MAX_INCLUDE_DEPTH switch. PR 28370. [André Malo]
*) mod_dir: the trailing-slash behaviour is now configurable using the
DirectorySlash directive. [André Malo]
*) Allow proxying of resources that are invoked via DirectoryIndex.
PR 14648, 15112, 29961. [André Malo]
*) util_ldap: Switched the lock types on the shared memory cache
from thread reader/writer locks to global mutexes in order to
provide cross process cache protection. [Brad Nicholes]
*) util_ldap: Reworked the cache locking scheme to eliminate duplicate
cache entries in the credentials cache due to race conditions.
[Brad Nicholes]
*) util_ldap: Enhanced the util_ldap cache-info display to show more
detail about the contents and current state of the cache.
[Brad Nicholes]
*) Enable the option to support anonymous shared memory in mod_ldap.
This makes the cache work on Linux again. [Graham Leggett]
*) Enable special ErrorDocument value 'default' which restores the
canned server response for the scope of the directive.
*) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
is set in r->subprocess_env allow mismatched query strings to pass.
PR 27758. [Paul Querna, Geoffrey Young]
*) Accept URLs for the ServerAdmin directive. If the supplied
argument is not recognized as an URL, assume it's a mail address.
PR 28174. [André Malo, Paul Querna]
*) initialize server arrays prior to calling ap_setup_prelinked_modules
so that static modules can push Defines values when registering
hooks just like DSO modules can ["Philippe M. Chiasson" <gozer cpan.org>]
*) Small fix to allow reverse proxying to an ftp server. Previously
an attempt to do this would try and connect to 0.0.0.0, regardless
of the server specified. PR 24922
[Pascal Terjan <pterjan@linuxfr.org>]
*) Add the NOTICE file to the rpm spec file in compliance with the
Apache v2.0 license. [Graham Leggett]
*) RPM spec file changes: changed default dependancy to link to db4
instead of db3. Fixed complaints about unpackaged files.
[Graham Leggett]
*) SECURITY: CAN-2004-0493 (cve.mitre.org)
Close a denial of service vulnerability identified by Georgi
Guninski which could lead to memory exhaustion with certain
input data. [Jeff Trawick]
*) mod_cgi: Handle output on stderr during script execution on Unix
platforms; preventing deadlock when stderr output fills pipe buffer.
Also fixes case where stderr from nph- scripts could be lost.
PR 22030, 18348. [Joe Orton, Jeff Trawick]
*) mod_alias now emits a warning if it detects overlapping *Alias*
directives. [André Malo]
*) mod_rewrite no longer turns forward proxy requests into reverse proxy
requests. PR 28125 [ast domdv.de, André Malo]
*) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now
exported on Win32 and Netware as well (minor MMN bump). PR 28523.
[Edward Rudd <eddie omegaware.com>, André Malo]
*) Restore the ability to disable the use of AcceptEx on Win9x systems
automatically (broken in 2.0.49). PR 28529. [André Malo]
*) <VirtualHost myhost> now applies to all IP addresses for myhost
instead of just the first one reported by the resolver. This
corrects a regression since 1.3. [Jeff Trawick]
*) util_ldap: allow relative paths for LDAPTrustedCA to be resolved
against ServerRoot PR#26602 [Brad Nicholes]
*) SECURITY: CAN-2004-0488 (cve.mitre.org)
mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
(trusted) client certificate subject DN which exceeds 6K in length.
[Joe Orton]
*) mod_dav_fs: Fix MKCOL response for missing parent collections, which
caused issues for the Eclipse WebDAV extension.
PR 29034. [Joe Orton]
*) mod_deflate: Fix memory consumption (which was proportional to the
response size). PR 29318. [Joe Orton]
*) mod_ssl: Log the errors returned on failure to load or initialize
a crypto accelerator engine. [Joe Orton]
*) Allow RequestHeader directives to be conditional. PR 27951.
[Vincent Deffontaines <vincent gryzor.com>, André Malo]
*) Allow LimitRequestBody to be reset to unlimited. PR 29106
[André Malo]
*) Fix a bunch of cases where the return code of the regex compiler
was not checked properly. This affects: mod_setenvif, mod_usertrack,
mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo]
*) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for
small cache sizes. PR 27751. [Geoff Thorpe <geoff geoffthorpe.net>]
*) Remove 2Gb log file size restriction on some 32-bit platforms.
PR 13511. [Joe Orton]
*) mod_logio no longer removes the EOS bucket. PR 27928.
[Bojan Smojver <bojan rexursive.com>]
*) htpasswd no longer refuses to process files that contain empty
lines. [André Malo]
*) Regression from 1.3: At startup, suexec now will be checked for
availability, the setuid bit and user root. The works only if
httpd is compiled with the shipped APR version (0.9.5).
*) Unix MPMs: Stop dropping connections when the file descriptor
is at least FD_SETSIZE. [Jeff Trawick]
*) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick]
*) mod_isapi: send_response_header() failed to copy status string's
last character. PR 20619. [Jesse Pelton <jsp pkc.com>]
*) Fix a segfault when requests for shared memory fails and returns
NULL. Fix a segfault caused by a lack of bounds checking on the
*) Throw an error message if an attempt is made to use the LDAPTrustedCA
or LDAPTrustedCAType directives in a VirtualHost. PR 26390
[Brad Nicholes]
*) Fix a potential segfault if the bind password in the LDAP cache
*) Quotes cannot be used around require group and require dn
directives, update the documentation to reflect this. Also add
quotes around the dn and group within debug messages, to make it
more obvious why authentication is failing if quotes are used in
*) The Microsoft LDAP SDK escapes filters for us, stop util_ldap
from escaping filters twice when the backslash character is used.
*) Overhaul handling of LDAP error conditions, so that the util_ldap_*
functions leave the connections in a sane state after errors have
occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134,
27271 [Graham Leggett]
*) mod_ldap calls ldap_simple_bind_s() to validate the user
credentials. If the bind fails, the connection is left
in an unbound state. Make sure that the ldap connection
record is updated to show that the connection is no longer
bound. [Brad Nicholes]
*) Ensure that lines in the request which are too long are
properly terminated before logging.
[Tsurutani Naoki <turutani scphys.kyoto-u.ac.jp>]
*) Update the bind credentials for the cached LDAP connection to
reflect the last bind. This prevents util_ldap from creating
unnecessary connections rather than reusing cached connections.
[Brad Nicholes]
*) mod_isapi: GetServerVariable returned improperly terminated header
fields given "ALL_HTTP" or "ALL_RAW". PR 20656.
[Jesse Pelton <jsp pkc.com>]
*) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer
size. PR 20617. [Jesse Pelton <jsp pkc.com>]
*) mod_dav: Fix a problem that could cause crashes when manipulating
locks on some platforms. [Jeff Trawick]
*) mod_headers no longer crashes if an empty header value should
be added. [André Malo]
*) Fix segfault in mod_expires, which occured under certain
circumstances. PR 28047. [André Malo]
*) htpasswd: use apr_temp_dir_get() and general cleanup
[Guenter Knauf <eflash gmx.net>, Thom May]
*) mod_ssl: Fix memory leak in session cache handling. PR 26562
[Madhusudan Mathihalli]
*) mod_ssl: Fix potential segfaults when performing SSL shutdown from
a pool cleanup. PR 27945. [Joe Orton]
*) Add forensic logging module (mod_log_forensic).
[Ben Laurie]
*) logresolve: Allow size of log line buffer to be overridden at
build time (MAXLINE). PR 27793. [Jeff Trawick]
*) Fix the comment delimiter in htdbm so that it correctly parses the
username comment. Also add a terminate function to allow NetWare
to pause the output before the screen is destroyed.
[Guenter Knauf <eflash gmx.net>, Brad Nicholes]
*) Fix crash when Apache was started with no Listen directives.
[Michael Corcoran <mcorcoran warpsolutions.com>]
*) core_output_filter: Fix bug that could result in sending
garbage over the network when module handlers construct
bucket brigades containing multiple file buckets all referencing
the same open file descriptor. [Bojan Smojver]
*) Fix memory corruption problem with ap_custom_response() function.
The core per-dir config would later point to request pool data
that would be reused for different purposes on different requests.
[Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]
*) Win32: Tweak worker thread accounting routines to eliminate
server hang when number of Listen directives in httpd.conf
is greater than or equal to the setting of ThreadsPerChild.
[Bill Stoddard]
*) SECURITY: CAN-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived
connection on a rarely-accessed listening socket will cause a
child to hold the accept mutex and block out new connections until
another connection arrives on that rarely-accessed listening socket.
With Apache 2.x there is no performance concern about enabling the
logic for platforms which don't need it, so it is enabled everywhere
except for Win32. [Jeff Trawick]
*) mod_cgid: Fix storage corruption caused by use of incorrect pool.
[Jeff Trawick]
*) Win32: find_read_listeners was not correctly handling multiple
listeners on the Win32DisableAcceptEx path. [Bill Stoddard]
*) Fix bug in mod_usertrack when no CookieName is set. PR 24483.
[Manni Wood <manniwood planet-save.com>]
*) Fix some piped log problems: bogus "piped log program '(null)'
failed" messages during restart and problem with the logger
respawning again after Apache is stopped. PR 21648, PR 24805.
[Jeff Trawick]
*) Fixed file extensions for real media files and removed rpm extension
from mime.types. PR 26079. [Allan Sandfeld <kde carewolf.com>]
*) Remove compile-time length limit on request strings. Length is
now enforced solely with the LimitRequestLine config directive.
[Paul J. Reder]
*) mod_ssl: Send the Close Alert message to the peer before closing
the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]
*) SECURITY: CVE-2004-0113 (cve.mitre.org)
mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
PR 27106. [Joe Orton]
*) mod_ssl: Fix bug in passphrase handling which could cause spurious
failures in SSL functions later. PR 21160. [Joe Orton]
*) mod_log_config: Fix corruption of buffered logs with threaded
MPMs. PR 25520. [Jeff Trawick]
*) Fix mod_include's expression parser to recognize strings correctly
even if they start with an escaped token. [André Malo]
*) Add fatal exception hook for use by diagnostic modules. The hook
is only available if the --enable-exception-hook configure parm
is used and the EnableExceptionHook directive has been set to
"on". [Jeff Trawick]
*) Allow mod_auth_digest to work with sub-requests with different
methods than the original request. PR 25040.
[Josh Dady <jpd indecisive.com>]
*) fix "Expected </Foo>> but saw </Foo>" errors in nested,
argumentless containers.
["Philippe M. Chiasson" <gozer cpan.org>]
*) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
[Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]
*) mod_cgid: Restart the cgid daemon if it crashes. PR 19849
[Glenn Nielsen <glenn apache.org>]
*) The whole codebase was relicensed and is now available under
the Apache License, Version 2.0 (http://www.apache.org/licenses).
[Apache Software Foundation]
*) Fixed cache-removal order in mod_mem_cache.
[Jean-Jacques Clar, Cliff Woolley]
*) mod_setenvif: Fix the regex optimizer, which under circumstances
treated the supplied regex as literal string. PR 24219.
[André Malo]
*) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
instead of mmn. [André Malo]
*) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
could lead to a 400 (Bad Request) response. [André Malo]
*) Keep focus of ITERATE and ITERATE2 on the current module when
the module chooses to return DECLINE_CMD for the directive.
PR 22299. [Geoffrey Young <geoff apache.org>]
*) Add support for IMT minor-type wildcards (e.g., text/*) to
ExpiresByType. PR#7991 [Ken Coar]
*) Fix segfault in mod_mem_cache cache_insert() due to cache size
becoming negative. PR: 21285, 21287
[Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
*) core.c: If large file support is enabled, allow any file that is
greater than AP_MAX_SENDFILE to be split into multiple buckets.
This allows Apache to send files that are greater than 2gig.
Otherwise we run into 32/64 bit type mismatches in the file size.
[Brad Nicholes]
*) proxy_http fix: mod_proxy hangs when both KeepAlive and
ProxyErrorOverride are enabled, and a non-200 response without a
body is generated by the backend server. (e.g.: a client makes a
request containing the "If-Modified-Since" and "If-None-Match"
headers, to which the backend server respond with status 304.)
[Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]
*) mod_dav: Reject requests which include an unescaped fragment in the
Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
*) Build array of allowed methods with proper dimensions, fixing
possible memory corruption. [Jeff Trawick]
*) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
PR 15057. [Otmar Lendl <lendl nic.at>]
*) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
[Joe Orton]
*) mod_usertrack no longer inspects the Cookie2 header for
the cookie name. PR 11475. [Chris Darrochi <chrisd pearsoncmg.com>]
*) mod_usertrack no longer overwrites other cookies.
PR 26002. [Scott Moore <apache nopdesign.com>]
*) worker MPM: fix stack overlay bug that could cause the parent
process to crash. [Jeff Trawick]
*) Win32: Add Win32DisableAcceptEx directive. This Windows
NT/2000/CP directive is useful to work around bugs in some
third party layered service providers like virus scanners,
VPN and firewall products, that do not properly handle
WinSock 2 APIs. Use this directive if your server is issuing
AcceptEx failed messages.
[Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]
*) Make REMOTE_PORT variable available in mod_rewrite.
PR 25772. [André Malo]
*) Fix a long delay with CGI requests and keepalive connections on
AIX. [Jeff Trawick]
*) mod_autoindex: Add 'XHTML' option in order to allow switching between
HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]
*) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
[André Malo]
*) mod_ssl: Advertise SSL library version as determined at run-time rather
than at compile-time. PR 23956. [Eric Seidel <seidel apple.com>]
*) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
format code is used. PR 22741. [Gary E. Miller <gem rellim.com>]
*) Fix build with parallel make. PR 24643. [Joe Orton]
*) mod_rewrite: In external rewrite maps lookup keys containing
a newline now cause a lookup failure. PR 14453.
[Cedric Gavage <cedric.gavage unixtech.be>, André Malo]
*) Backport major overhaul of mod_include's filter parser from 2.1.
The new parser code is expected to be more robust and should
catch all of the edge cases that were not handled by the previous one.
The 2.1 external API changes were hidden by a wrapper which is
expected to keep the API backwards compatible. [André Malo]
*) Add a hook (insert_error_filter) to allow filters to re-insert
themselves during processing of error responses. Enable mod_expires
to use the new hook to include Expires headers in valid error
responses. This addresses an RFC violation. It fixes PRs 19794,
24884, and 25123. [Paul J. Reder]
*) Add Polish translation of error messages. PR 25101.
[Tomasz Kepczynski <tomek jot23.org>]
*) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes,
Bill Stoddard]
*) Add mod_status hook to allow modules to add to the mod_status
report. [Joe Orton]
*) Fix htdbm to generate comment fields in DBM files correctly.
[Justin Erenkrantz]
*) mod_dav: Use bucket brigades when reading PUT data. This avoids
problems if the data stream is modified by an input filter. PR 22104.
[Tim Robbins <tim robbins.dropbear.id.au>, André Malo]
*) Fix RewriteBase directive to not add double slashes. [André Malo]
*) Improve 'configure --help' output for some modules. [Astrid Keßler]
*) Correct UseCanonicalName Off to properly check incoming port number.
[Jim Jagielski]
*) Fix slow graceful restarts with prefork MPM. [Joe Orton]
*) Fix a problem with namespace mappings being dropped in mod_dav_fs;
if any property values were set which defined namespaces these
came out mangled in the PROPFIND response. PR 11637.
[Amit Athavale <amit_athavale persistent.co.in>]
*) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
the destination resource gives a 401. PR 15571. [Joe Orton]
*) SECURITY: CVE-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog. Unescaped
errorlogs are still possible using the compile time switch
"-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]
*) mod_autoindex / core: Don't fail to show filenames containing
special characters like '%'. PR 13598. [André Malo]
*) mod_status: Report total CPU time accurately when using a threaded
MPM. PR 23795. [Jeff Trawick]
*) Fix memory leak in handling of request bodies during reverse
proxy operations. PR 24991. [Larry Toppi <larry.toppi citrix.com>]
*) Win32 MPM: Implement MaxMemFree to enable setting an upper
limit on the amount of storage used by the bucket brigades
in each server thread. [Bill Stoddard]
*) Modified the cache code to be header-location agnostic. Also
fixed a number of other cache code bugs related to PR 15852.
Includes a patch submitted by Sushma Rai <rsushma novell.com>.