CHANGES 663 KiB
  *) mod_actions: Propagate the handler name to the action script via
     the REDIRECT_HANDLER environment variable.  [André Malo]
  *) mod_actions: Introduce the "virtual" modifier to the Action directive,
     which allows the use of handlers for virtual locations. PR 8431.
  *) mod_speling: Recognize AcceptPathInfo setting for the particular
     location. Default is to reject path information. PR 21059.
  *) mod_ext_filter: Add the ability to filter request bodies.
     [Philipp Reisner <philipp.reisner linbit.com>]
  *) Fix some broken log messages in WinNT MPM.  
     [Juan Rivera <Juan.Rivera citrix.com>]
  *) prefork MPM: Use the right permissions for the directory created 
     for gprof support.  [Jim Carlson <jcarlson jnous.com>]
  *) Fix a compile failure with recent OpenSSL and picky compilers
     (e.g., OpenSSL 0.9.7a and xlc_r on AIX).  [Jeff Trawick]

  *) OpenSSL headers should be included as "openssl/ssl.h", and not rely on
     the INCLUDE path to be defined properly.
     PR 11310. [Geoff Thorpe <geoff geoffthorpe.net>]
  *) Modify APACHE_CHECK_SSL_TOOLKIT to detect SSL-C. [Madhusudan Mathihalli]
  *) Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
     autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc). 
     [Geoff Thorpe <geoff geoffthorpe.net>]
  *) change directive name from 'compressionlevel' to 'deflatecompressionlevel'
  *) mod_negotiation: quality values are now parsed independent from
     the current locale. level values are now really parsed as integers.
  *) Extend mod_negotiation to evaluate the environment variables
     no-gzip and gzip-only-text/html the same way as mod_deflate does.
  *) mod_rewrite: Fix some problems reporting errors with mapping
     programs (RewriteMap prg:/something).  [Jeff Trawick]

  *) Return 413 if chunk-ext-header is too long rather than reading from
     the truncated line.  PR 15857.  [Justin Erenkrantz]

  *) Allow restart of httpd to occur even with syntax errors in the config
     file.  PR 16813.  [Justin Erenkrantz]

  *) Use APR_LAYOUT instead of APACHE_LAYOUT in configure.  PR 15679.
     [Justin Erenkrantz]

  *) Remove files on 'make distclean' that should be.  PR 15592.
     [Justin Erenkrantz]

  *) Allow apachectl to perform status with links and elinks as well.
     [Justin Erenkrantz]

  *) mod_log_config change optional hook to return previous handler
     [Ian Holsman]

  *) Forward port of mod_actions' ability to handle arbitrary methods
     with the Script directive.  [André Malo]
  *) Let suexec send a message to stderr, if it failed or its policy
     was violated. This message appears in the error log and allows
     for easier debugging. PR 5381, 7638, 8255, 10773.  [André Malo]
  *) Modify buildconf to copy all required files into httpd's tree.
     [Thom May <thom planetarytramp.net>]
  *) Allow mod_dav to do weak entity comparison functions.
     [Justin Erenkrantz]

  *) Move RFC 1413 ident requests from core to new module mod_ident.
  *) Add mod_authz_owner - a forward port of "Require file-owner"
     and "Require file-group", which was already present in version

  *) Add mod_dav_lock - a generic subset of the DAV locking implementation.
     [Justin Erenkrantz]

  *) Replace some of the mutex locking in the worker MPM with
     atomic operations for higher concurrency.  [Brian Pane]

  *) Allow 'make depend' to work with non-GCC compilers.
     [Justin Erenkrantz]

  *) If an httpd.conf has commented out AddModule directives, 
     apxs -i -a will add an un-commented AddModule directive for 
     the new module, which breaks the config.
     PR: 11212 [Joe Orton]

  *) Fix mod_proxy handling of filtered input bodies.  [Justin Erenkrantz]

  *) Move the check of the Expect request header field after the hook
     for ap_post_read_request, since that is the only opportunity for
     modules to handle Expect extensions.  [Justin Erenkrantz]

  *) Rewrite of aaa modules to an authn/authz model.
     [Dirk-Willem van Gulik, Justin Erenkrantz]

  [Apache 2.1.0-dev includes those bug fixes and changes with the
   Apache 2.0.xx tree as documented, and except as noted, below.]

  *) SECURITY: CVE-2005-3357 (cve.mitre.org)
     mod_ssl: Fix a possible crash during access control checks if a
     non-SSL request is processed for an SSL vhost (such as the
     "HTTP request received on SSL port" error message when a 400
     ErrorDocument is configured, or if using "SSLEngine optional").
     PR 37791.  [Rüdiger Plüm, Joe Orton]

  *) SECURITY: CVE-2005-3352 (cve.mitre.org)
     mod_imap: Escape untrusted referer header before outputting in HTML
     to avoid potential cross-site scripting.  Change also made to
     ap_escape_html so we escape quotes.  Reported by JPCERT.
     [Mark Cox]

  *) mod_speling: Stop crashing with certain non-file requests.
     [Jeff Trawick]

  *) keep the Content-Length header for a HEAD with no response body.
     PR 18757 [Greg Ames]

  *) Modify apr[util] .h detection to avoid breakage on VPATH builds
     using Solaris make (among others) and avoid breakage in ./buildconf
     when srclib/apr[-util] are symlinks rather than directories proper.
     [William Rowe]

  *) Avoid server-driven negotiation when a CGI script has emitted an
     explicit "Status:" header. PR 38070.  [Nick Kew]

  *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
     format is used. PR 27787.  [André Malo]

  *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs.  PR 34264.
     [Justin Erenkrantz]

  *) mod_cache: Correctly handle responses with a 301 status. PR 37347.
     [Paul Querna]

  *) mod_proxy_http: Prevent data corruption of POST request bodies when
     client accesses proxied resources with SSL. PR 37145.
     [Ruediger Pluem, William Rowe]

  *) Eliminated the NET_TIME filter, restructuring the timeout logic.
     This provides a working mod_echo on all platforms, and ensures any
     custom protocol module is at least given an initial timeout value
     based on the <VirtualHost > context's Timeout directive.
  *) mod_ssl: Correct issue where mod_ssl does not pick up the
     ssl-unclean-shutdown setting when configured. PR 34452. [Joe Orton]

  *) Document the ReceiveBufferSize change done in r157583 [Murray
     Nesbitt <murray@cpan.org>]

  *) mod_deflate: Merge the Vary header, instead of setting it. Fixes
     applications that send the Vary header themselves. PR 37559.
     [Paul Querna]

  *) mod_dav: Fix a null pointer dereference in an error code path during the
     handling of MKCOL. [Ghassan Misherghi <ghassanm ucdavis.edu>]

  *) mod_mime_magic: Handle CRLF-format magic files so that it works with
     the default installation on Windows.  [Jeff Trawick]

  *) Write message to error log if AuthGroupFile cannot be opened.
     PR 37566.  [Rüdiger Plüm]

  *) Add ReceiveBufferSize directive to control the TCP receive buffer.
     [Eric Covener <covener gmail.com>]

  *) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125.
     [Paul Querna]

  *) Remove the base href tag from proxy_ftp, as it breaks relative
     links for clients not using an Authorization header. [Graham Leggett,
     Jon Snow <jsnow27 gatesec.net>]

  *) http_request.c: Add missing va_end call. [André Malo]

  *) Add httxt2dbm to support/ for creating RewriteMap DBM Files.
     [Paul Querna]

  *) support/check_forensic: Fix temp file usage
     [Javier Fernandez-Sanguino Pen~a <jfs computer.org>]

  *) Chunk filter: Fix chunk filter to create correct chunks in the case that
     a flush bucket is surrounded by data buckets. [Ruediger Pluem]

  *) mod_cgi(d): Remove block on OPTIONS method so that scripts can
     respond to OPTIONS directly rather than via server default.
     [Roy Fielding] PR 15242

  *) Added new module mod_version, which provides version dependent
     configuration containers.  [André Malo]

  *) Add core version query function (ap_get_server_revision) and
     accompanying ap_version_t structure (minor MMN bump).
     [André Malo]

Changes with Apache 2.0.55
  *) SECURITY: CVE-2005-2088 (cve.mitre.org)
     proxy: Correctly handle the Transfer-Encoding and Content-Length
     headers.  Discard the request Content-Length whenever T-E: chunked
     is used, always passing one of either C-L or T-E: chunked whenever 
     the request includes a request body.  Resolves an entire class of
     proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]

  *) Added TraceEnable [on|off|extended] per-server directive to alter
     the behavior of the TRACE method.  This addresses a flaw in proxy
     conformance to RFC 2616 - previously the proxy server would accept
     a TRACE request body although the RFC prohibited it.  The default
     remains 'TraceEnable on'.  [William Rowe]

  *) Add ap_log_cerror() for logging messages associated with particular
     client connections.  [Jeff Trawick]

  *) Correct mod_cgid's argv[0] so that the full path can be delved by the
     invoked cgi application, to conform to the behavior of mod_cgi.
     [Pradeep Kumar S <pradeep.smani gmail.com>]

  *) mod_include: Fix possible environment variable corruption when 
     using nested includes.  PR 12655.  [Joe Orton]

  *) Support the suppress-error-charset setting, as with Apache 1.3.x.
     PR 31274.  [Jeff Trawick]

  *) EBCDIC: Handle chunked input from client or, with proxy, origin
     server.  [Jeff Trawick]

  *) Fix bad globbing comparison which could result in getting
     a directory listing when a file was requested. PR 34512.
     [sean <infamous41md hotmail.com>]

  *) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
     was called even if mod_auth_ldap_check_user_id() was not
     (or if it didn't succeed) for non-authoritative cases.
     [Jim Jagielski]

  *) SECURITY: CVE-2005-2728 (cve.mitre.org)
     Fix cases where the byterange filter would buffer responses
     into memory.  PR 29962.  [Joe Orton]

  *) mod_proxy: Fix over-eager handling of '%' for reverse proxies.
     PR 15207.  [Jim Jagielski]

  *) mod_ldap: Fix various shared memory cache handling bugs.
     PR 34209.  [Joe Orton]

  *) Fix a file descriptor leak when starting piped loggers.  PR 33748. 
     [Joe Orton]

  *) mod_ldap: Avoid segfaults when opening connections if using a version
     of OpenLDAP older than 2.2.21.  PR 34618.  [Brad Nicholes]

  *) mod_ssl: Fix build with OpenSSL 0.9.8.  PR 35757.  [William Rowe]

  *) SECURITY: CVE-2005-2088 (cve.mitre.org)
     core: If a request contains both Transfer-Encoding and Content-Length
     headers, remove the Content-Length, mitigating some HTTP Request 
     Splitting/Spoofing attacks.  [Paul Querna, Joe Orton]

  *) proxy HTTP: If a response contains both Transfer-Encoding and a 
     Content-Length, remove the Content-Length and don't reuse the
     connection, mitigating some HTTP Response Splitting attacks.
     [Jeff Trawick]

  *) Prevent hangs of child processes when writing to piped loggers at
     the time of graceful restart.  PR 26467.  [Jeff Trawick]

  *) SECURITY: CVE-2005-1268 (cve.mitre.org)
     mod_ssl: Fix off-by-one overflow whilst printing CRL information
     at "LogLevel debug" which could be triggered if configured 
     to use a "malicious" CRL.  PR 35081.  [Marc Stern <mstern csc.com>]

  *) mod_userdir: Fix possible memory corruption issue.  PR 34588.
     [David Leonard <dleonard vintela.com>]

  *) worker mpm: don't take down the whole server for a transient
     thread creation failure. PR 34514 [Greg Ames]
  
  *) mod_rewrite: use buffered I/O to improve performance with large
     RewriteMap txt: files.  [Greg Ames]

  *) proxy HTTP: Rework the handling of request bodies to handle
     chunked input and input filters which modify content length, and
     avoid spooling arbitrary-sized request bodies in memory.
     PR 15859.  [Jeff Trawick]

Changes with Apache 2.0.54

  *) mod_cache: Add CacheIgnoreHeaders directive.  PR 30399.
     [Rüdiger Plüm <r.pluem t-online.de>]

  *) mod_ldap: Added the directive LDAPConnectionTimeout to configure
     the ldap socket connection timeout value.  
     [Brad Nicholes]

  *) Correctly export all mod_dav public functions.
     [Branko Čibej <brane xbc.nu>]

  *) Add a build script to create a solaris package. [Graham Leggett]

  *) worker MPM: Fix a problem which could cause httpd processes to
     remain active after shutdown.  [Jeff Trawick]

  *) Unix MPMs: Shut down the server more quickly when child processes are
     slow to exit.  [Joe Orton, Jeff Trawick]

  *) Remove formatting characters from ap_log_error() calls.  These
     were escaped as fallout from CVE-2003-0020.
     [Eric Covener <ecovener gmail.com>]

  *) mod_ssl: If SSLUsername is used, set r->user earlier.  PR 31418.
     [David Reid]

  *) htdigest: Fix permissions of created files.  PR 33765.  [Joe Orton]

  *) core_input_filter: Move buckets to a persistent brigade instead of
     creating a new brigade. This stops a memory leak when proxying a 
     Streaming Media Server. PR 33382. [Paul Querna]

  *) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid 
     hiccups from additional path information passed in non-utf-8 format.
     [Richard Donkin <rd9 donkin.org>]

Changes with Apache 2.0.53

  *) Fix --with-apr=/usr and/or --with-apr-util=/usr.  PR 29740.
     [Max Bowsher <maxb ukf.net>]

  *) mod_proxy: Fix ProxyRemoteMatch directive.  PR 33170.
     [Rici Lake <rici ricilake.net>]

  *) mod_proxy: Respect errors reported by pre_connection hooks.
     [Jeff Trawick]

  *) --with-module can now take more than one module to be statically
     linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
     If the <modtype>-subdirectory doesn't exist it will be created and
     populated with a standard Makefile.in.  [Erik Abele]

  *) Fix the RPM spec file so that an RPM build now works. An RPM
     build now requires system installations of APR and APR-util.
     Remove some arbitrary moving around of binaries - the RPM now
     maps to the ASF build of httpd.
     [Graham Leggett]

  *) mod_dumpio, an I/O logging/dumping module, added to the
     modules/experimental subdirectory.  [Jim Jagielski]

  *) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
     library handles special characters.  PR 24437.  [Jess Holle]
  *) Win32 MPM: Correct typo in debugging output.  [William Rowe]

  *) conf: Remove AddDefaultCharset from the default configuration because
     setting a site-wide default does more harm than good. PR 23421.
     [Roy Fielding]

  *) Add charset to example CGI scripts.  [Roy Fielding]

  *) mod_ssl: fail quickly if SSL connection is aborted rather than
     making many doomed ap_pass_brigade calls.  PR 32699.  [Joe Orton]

  *) Remove compiled-in upper limit on LimitRequestFieldSize.
     [Bill Stoddard]

  *) Start keeping track of time-taken-to-process-request again for
     mod_status if ExtendedStatus is enabled. [Jim Jagielski]

  *) mod_proxy: Handle client-aborted connections correctly.  PR 32443.
  *) Fix handling of files >2Gb on all platforms (or builds) where
     apr_off_t is larger than apr_size_t.  PR 28898.  [Joe Orton]

  *) mod_include: Fix bug which could truncate variable expansions
     of N*64 characters by one byte.  PR 32985.  [Joe Orton]

  *) Correct handling of certain bucket types in ap_save_brigade, fixing
     possible segfaults in mod_cgi with #include virtual.  PR 31247.
     [Joe Orton]

  *) Allow for the use of --with-module=foo:bar where the ./modules/foo
     directory is local only. Assumes, of course, that the required
     files are in ./modules/foo, but makes it easier to statically
     build/log "external" modules.  [Jim Jagielski]

  *) Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that 
     ldap authorization only modules have access to the util_ldap 
     user cache without having to require ldap authentication as well.  
     PR 31898.  [Jari Ahonen jah progress.com, Brad Nicholes]

  *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
     allows the module to only authorize a user if the attribute value
     specified matches the value of the user object. PR 31913
     [Ryan Morgan <rmorgan pobox.com>]

  *) SECURITY: CVE-2004-0942 (cve.mitre.org)
     Fix for memory consumption DoS in handling of MIME folded request
     headers.  [Joe Orton]

  *) SECURITY: CVE-2004-0885 (cve.mitre.org)
     mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
     bypassed during an SSL renegotiation.  PR 31505.  
     [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]

  *) mod_ssl: Fail at startup rather than segfault at runtime if a
     client cert is configured with an encrypted private key.
     PR 24030.  [Joe Orton]

  *) apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448
     [Joe Orton]

  *) mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d.
     [Jeff Trawick]
 
  *) mod_cache: CacheDisable will only disable the URLs it was meant to
     disable, not all caching. PR 31128.
     [Edward Rudd <eddie omegaware.com>, Paul Querna]

  *) mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale
     cache responses.  [Justin Erenkrantz]

  *) mod_rewrite: Handle per-location rules when r->filename is unset.
     Previously this would segfault or simply not match as expected,
     depending on the platform.  [Jeff Trawick]

  *) mod_rewrite: Fix 0 bytes write into random memory position.

  *) mod_disk_cache: Do not store aborted content.  PR 21492.
     [Rüdiger Plüm <r.pluem t-online.de>]

  *) mod_disk_cache: Correctly store cached content type.  PR 30278.
     [Rüdiger Plüm <r.pluem t-online.de>]

  *) mod_ldap: prevent the possibility of an infinite loop in the LDAP
     statistics display. PR 29216. [Graham Leggett]

  *) mod_ldap: fix a bogus error message to tell the user which file
     is causing a potential problem with the LDAP shared memory cache.
     PR 31431 [Graham Leggett]

  *) SECURITY: CVE-2004-1834 (cve.mitre.org)
     mod_disk_cache: Do not store hop-by-hop headers.  [Justin Erenkrantz]
  *) Fix the re-linking issue when purging elements from the LDAP cache
     PR 24801.  [Jess Holle <jessh ptc.com>]
  *) mod_disk_cache: Fix races in saving responses.  [Justin Erenkrantz]

  *) Fix Expires handling in mod_cache.  [Justin Erenkrantz]

  *) Alter mod_expires to run at a different filter priority to allow
     proper Expires storage by mod_cache.  [Justin Erenkrantz]

Changes with Apache 2.0.52

  *) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo]

  *) Fix the global mutex crash when the global mutex is never allocated
     due to disabled/empty caches. [Jess Holle <jessh ptc.com>]

  *) Fix a segfault in the LDAP cache when it is configured switched
     off. [Jess Holle <jessh ptc.com>]

  *) SECURITY: CVE-2004-0811 (cve.mitre.org)
     Fix merging of the Satisfy directive, which was applied to
     the surrounding context and could allow access despite configured
     authentication.  PR 31315.  [Rici Lake <rici ricilake.net>]

  *) Fix the handling of URIs containing %2F when AllowEncodedSlashes
     is enabled.  Previously, such URLs would still be rejected.
     [Jeff Trawick, Bill Stoddard]

  *) mod_mem_cache: Fixed race condition causing segfault because of memory being
     freed twice, or reused after being freed.
     [J. Clar, W. Stoddard, G. Ames]
    
  *) Add -l option to rotatelogs to let it use local time rather than
     UTC.  PR 24417.  [Ken Coar, Uli Zappe <uli ritual.org>]

  *) mod_log_config: Fix a bug which prevented request completion time
     from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
     processing.  PR 29696.  [Alois Treindl <alois astro.ch>]

Changes with Apache 2.0.51

  *) SECURITY: CVE-2004-0786 (cve.mitre.org)
     Fix an input validation issue in apr-util which could be
     triggered by malformed IPv6 literal addresses.  [Joe Orton]

  *) SECURITY: CVE-2004-0747 (cve.mitre.org)
     Fix buffer overflow in expansion of environment variables in
     configuration file parsing.  [André Malo]
  *) SECURITY: CVE-2004-0809 (cve.mitre.org)
     mod_dav_fs: Fix a segfault in the handling of an indirect lock
     refresh.  PR 31183.  [Joe Orton]

  *) mod_include no longer checks for recursion, because that's done
     in the core. This allows for careful usage of recursive SSI.

  *) Fix memory leak in the cache handling of mod_rewrite. PR 27862.
     [chunyan sheng <shengperson yahoo.com>, André Malo]

  *) Include directives no longer refuse to process symlinks on
     directories. Instead there's now a maximum nesting level
     of included directories (128 as distributed). This is configurable
     at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch.

  *) Win32: apache -k start|restart|install|config can leave stranded
     piped logger processes (eg, rotatelogs.exe) due to improper
     server shutdown on these code paths.
     [Bill Stoddard]

  *) SECURITY: CVE-2004-0751 (cve.mitre.org)
     mod_ssl: Fix a segfault in the SSL input filter which could be
     triggered if using "speculative" mode, for instance by a 
     proxy request to an SSL server.  PR 30134.  [Joe Orton]

  *) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.
     PR 30464.  [Joe Orton, Madhusudan Mathihalli]

  *) mod_ssl: Add new 'ssl_is_https' optional function.  [Joe Orton]

  *) Prevent CGI script output which includes a Content-Range header
     from being passed through the byterange filter.  [Joe Orton]

  *) Satisfy directives now can be influenced by a surrounding <Limit>
     container.  PR 14726.  [André Malo]

  *) mod_rewrite now officially supports RewriteRules in <Proxy> sections.

  *) mod_disk_cache: Implement binary format for on-disk header files.
     [Brian Akins <bakins web.turner.com>, Justin Erenkrantz]

  *) mod_disk_cache: Optimize network performance of disk cache subsystem by
     allowing zero-copy (sendfile) writes and other miscellaneous fixes.
     [Justin Erenkrantz]

  *) mod_cache, mod_disk_cache, mod_mem_cache: Refactor cache modules, and
     switch to the provider API instead of hooks.  [Justin Erenkrantz]

  *) mod_autoindex: Don't truncate the directory listing if a stat()
     call fails (for instance on a >2Gb file).  PR 17357.
     [Joe Orton]

  *) Makefile fix: httpd is linked against LIBS given to the
     'make' invocation.  PR 7882.  [Joe Orton]

  *) WinNT MPM: Fix a broken log message at termination.  PR 28063.
     [Eider Oliveira <eider bol.com.br>]

  *) Prevent Win32 pool corruption at startup [Allan Edwards]

  *) mod_ssl: Add "SSLUserName" directive to set r->user based on a
     chosen SSL environment variable.  PR 20957. 
     [Martin v. Loewis <martin v.loewis.de>]

  *) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs.
     [Zvi Har'El <rl math.technion.ac.il>]

  *) apachectl: Fix a problem finding envvars if sbindir != bindir.
     PR 30723.  [Friedrich Haubensak <hsk imb-jena.de>]

  *) mod_ssl: Build on RHEL 3.  PR 18989.  [Justin Erenkrantz]

  *) SECURITY: CVE-2004-0748 (cve.mitre.org)
     mod_ssl: Fix a potential infinite loop.  PR 29964.  [Joe Orton]

  *) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb.
     PR 18989.  [Joe Orton]

  *) mod_userdir: Ensure that the userdir identity is used for
     suexec userdir access in a virtual host which has suexec configured.  
     PR 18156.  [Joshua Slive]

  *) mod_rewrite no longer confuses the RewriteMap caches if
     different maps defined in different virtual hosts use the
     same map name. PR 26462.  [André Malo]

  *) mod_setenvif: Remove "support" for Remote_User variable which
     never worked at all. PR 25725.  [André Malo]

  *) Backport from 2.1 / Regression from 1.3: mod_headers now knows
     again the functionality of the ErrorHeader directive. But instead
     of using this misnomer, additional flags to the Header directive
     were introduced ("always" and "onsuccess", defaulting to the latter).

  *) Use the higher performing 'httpready' Accept Filter on all platforms 
     except FreeBSD < 4.1.1. [Paul Querna]

  *) mod_usertrack: Escape the cookie name before pasting into the

  *) Extend the SetEnvIf directive to capture subexpressions of the

  *) Recursive Include directives no longer crash. The server stops
     including configuration files after a certain nesting level (128
     as distributed). This is configurable at compile time using the
     -DAP_MAX_INCLUDE_DEPTH switch. PR 28370.  [André Malo]

  *) mod_dir: the trailing-slash behaviour is now configurable using the
     DirectorySlash directive.  [André Malo]

  *) Allow proxying of resources that are invoked via DirectoryIndex.
     PR 14648, 15112, 29961.  [André Malo]

  *) util_ldap: Switched the lock types on the shared memory cache 
     from thread reader/writer locks to global mutexes in order to 
     provide cross process cache protection. [Brad Nicholes]
     
  *) util_ldap: Reworked the cache locking scheme to eliminate duplicate 
     cache entries in the credentials cache due to race conditions.
     [Brad Nicholes]
     
  *) util_ldap: Enhanced the util_ldap cache-info display to show more 
     detail about the contents and current state of the cache. 
     [Brad Nicholes]
     
  *) Enable the option to support anonymous shared memory in mod_ldap.
     This makes the cache work on Linux again. [Graham Leggett]

  *) Enable special ErrorDocument value 'default' which restores the
     canned server response for the scope of the directive.

  *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
     is set in r->subprocess_env allow mismatched query strings to pass.
     PR 27758.  [Paul Querna, Geoffrey Young]

  *) Accept URLs for the ServerAdmin directive. If the supplied
     argument is not recognized as a URL, assume it's a mail address.
     PR 28174.  [André Malo, Paul Querna]

  *) initialize server arrays prior to calling ap_setup_prelinked_modules
     so that static modules can push Defines values when registering
     hooks just like DSO modules can ["Philippe M. Chiasson" <gozer cpan.org>]

  *) Small fix to allow reverse proxying to an ftp server. Previously
     an attempt to do this would try and connect to 0.0.0.0, regardless
     of the server specified. PR 24922
     [Pascal Terjan <pterjan@linuxfr.org>]

  *) Add the NOTICE file to the rpm spec file in compliance with the
     Apache v2.0 license. [Graham Leggett]
 
  *) RPM spec file changes: changed default dependency to link to db4
     instead of db3. Fixed complaints about unpackaged files.
     [Graham Leggett]
 
Changes with Apache 2.0.50
  *) SECURITY: CVE-2004-0493 (cve.mitre.org)
     Close a denial of service vulnerability identified by Georgi
     Guninski which could lead to memory exhaustion with certain
     input data.  [Jeff Trawick]

  *) mod_cgi: Handle output on stderr during script execution on Unix
     platforms; preventing deadlock when stderr output fills pipe buffer.
     Also fixes case where stderr from nph- scripts could be lost.
     PR 22030, 18348.  [Joe Orton, Jeff Trawick]

  *) mod_alias now emits a warning if it detects overlapping *Alias*

  *) mod_rewrite no longer turns forward proxy requests into reverse proxy
     requests. PR 28125  [ast domdv.de, André Malo]

  *) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now
     exported on Win32 and Netware as well (minor MMN bump).  PR 28523.
     [Edward Rudd <eddie omegaware.com>, André Malo]

  *) Restore the ability to disable the use of AcceptEx on Win9x systems
     automatically (broken in 2.0.49). PR 28529.  [André Malo]

  *) <VirtualHost myhost> now applies to all IP addresses for myhost
     instead of just the first one reported by the resolver.  This
     corrects a regression since 1.3.  [Jeff Trawick]

  *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved
     against ServerRoot PR#26602 [Brad Nicholes]
       
  *) SECURITY: CVE-2004-0488 (cve.mitre.org)
     mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
     (trusted) client certificate subject DN which exceeds 6K in length.
     [Joe Orton]

  *) mod_dav_fs: Fix MKCOL response for missing parent collections, which 
     caused issues for the Eclipse WebDAV extension.
     PR 29034.  [Joe Orton]

  *) mod_deflate: Fix memory consumption (which was proportional to the
     response size).  PR 29318.  [Joe Orton]

  *) mod_ssl: Log the errors returned on failure to load or initialize
     a crypto accelerator engine.  [Joe Orton]

  *) Allow RequestHeader directives to be conditional. PR 27951.
     [Vincent Deffontaines <vincent gryzor.com>, André Malo]

  *) Allow LimitRequestBody to be reset to unlimited. PR 29106

  *) Fix a bunch of cases where the return code of the regex compiler
     was not checked properly. This affects: mod_setenvif, mod_usertrack,
     mod_proxy, mod_proxy_ftp and core. PR 28218.  [André Malo]

  *) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for
     small cache sizes.  PR 27751.  [Geoff Thorpe <geoff geoffthorpe.net>]

  *) Remove 2Gb log file size restriction on some 32-bit platforms.
     PR 13511.  [Joe Orton]

  *) mod_logio no longer removes the EOS bucket. PR 27928.
     [Bojan Smojver <bojan rexursive.com>]

  *) htpasswd no longer refuses to process files that contain empty

  *) Regression from 1.3: At startup, suexec now will be checked for
     availability, the setuid bit and user root. This works only if
     httpd is compiled with the shipped APR version (0.9.5).

  *) Unix MPMs: Stop dropping connections when the file descriptor
     is at least FD_SETSIZE.  [Jeff Trawick]

  *) Fix handling of IPv6 numeric strings in mod_proxy.  [Jeff Trawick]

  *) mod_isapi: send_response_header() failed to copy status string's 
     last character.  PR 20619.  [Jesse Pelton <jsp pkc.com>]

  *) Fix a segfault when a request for shared memory fails and returns
     NULL. Fix a segfault caused by a lack of bounds checking on the
     cache.  PR 24801.  [Graham Leggett]

  *) Throw an error message if an attempt is made to use the LDAPTrustedCA
     or LDAPTrustedCAType directives in a VirtualHost. PR 26390
     [Brad Nicholes]

  *) Fix a potential segfault if the bind password in the LDAP cache
     is NULL.  PR 28250.  [Jari Ahonen <jah progress.com>]

  *) Quotes cannot be used around require group and require dn
     directives, update the documentation to reflect this. Also add
     quotes around the dn and group within debug messages, to make it
     more obvious why authentication is failing if quotes are used in
     error.  PR 19304.  [Graham Leggett]

  *) The Microsoft LDAP SDK escapes filters for us, stop util_ldap
     from escaping filters twice when the backslash character is used.
     PR 24437.  [Jess Holle <jessh ptc.com>]

  *) Overhaul handling of LDAP error conditions, so that the util_ldap_*
     functions leave the connections in a sane state after errors have
     occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134,
     27271 [Graham Leggett]
                                                                                
  *) mod_ldap calls ldap_simple_bind_s() to validate the user
     credentials.  If the bind fails, the connection is left
     in an unbound state.  Make sure that the ldap connection
     record is updated to show that the connection is no longer
     bound. [Brad Nicholes]

  *) Ensure that lines in the request which are too long are 
     properly terminated before logging.
     [Tsurutani Naoki <turutani scphys.kyoto-u.ac.jp>]

  *) Update the bind credentials for the cached LDAP connection to 
     reflect the last bind.  This prevents util_ldap from creating 
     unnecessary connections rather than reusing cached connections.
     [Brad Nicholes]
     
  *) mod_isapi: GetServerVariable returned improperly terminated header 
     fields given "ALL_HTTP" or "ALL_RAW".  PR 20656.
     [Jesse Pelton <jsp pkc.com>]

  *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer
     size.  PR 20617.  [Jesse Pelton <jsp pkc.com>]

  *) mod_dav: Fix a problem that could cause crashes when manipulating 
     locks on some platforms.  [Jeff Trawick]

  *) mod_headers no longer crashes if an empty header value should

  *) Fix segfault in mod_expires, which occurred under certain
     circumstances. PR 28047.  [André Malo]

  *) htpasswd: use apr_temp_dir_get() and general cleanup
     [Guenter Knauf <eflash gmx.net>, Thom May]

  *) mod_ssl: Fix memory leak in session cache handling.  PR 26562
     [Madhusudan Mathihalli]

  *) mod_ssl: Fix potential segfaults when performing SSL shutdown from
     a pool cleanup.  PR 27945.  [Joe Orton]

  *) Add forensic logging module (mod_log_forensic).
     [Ben Laurie]

  *) logresolve: Allow size of log line buffer to be overridden at
     build time (MAXLINE).  PR 27793.  [Jeff Trawick]

  *) Fix the comment delimiter in htdbm so that it correctly parses the 
     username comment.  Also add a terminate function to allow NetWare 
     to pause the output before the screen is destroyed.
     [Guenter Knauf <eflash gmx.net>, Brad Nicholes] 
  
  *) Fix crash when Apache was started with no Listen directives.
     [Michael Corcoran <mcorcoran warpsolutions.com>]

  *) core_output_filter: Fix bug that could result in sending
     garbage over the network when module handlers construct
     bucket brigades containing multiple file buckets all referencing
     the same open file descriptor. [Bojan Smojver]

  *) Fix memory corruption problem with ap_custom_response() function.
     The core per-dir config would later point to request pool data
     that would be reused for different purposes on different requests.
     [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]

  *) Win32: Tweak worker thread accounting routines to eliminate
     server hang when number of Listen directives in httpd.conf
     is greater than or equal to the setting of ThreadsPerChild.
     [Bill Stoddard]

Changes with Apache 2.0.49
  *) SECURITY: CVE-2004-0174 (cve.mitre.org)
     Fix starvation issue on listening sockets where a short-lived
     connection on a rarely-accessed listening socket will cause a
     child to hold the accept mutex and block out new connections until
     another connection arrives on that rarely-accessed listening socket.
     With Apache 2.x there is no performance concern about enabling the 
     logic for platforms which don't need it, so it is enabled everywhere
     except for Win32.  [Jeff Trawick]

  *) mod_cgid: Fix storage corruption caused by use of incorrect pool.
     [Jeff Trawick]

  *) Win32: find_read_listeners was not correctly handling multiple
     listeners on the Win32DisableAcceptEx path.  [Bill Stoddard]

  *) Fix bug in mod_usertrack when no CookieName is set.  PR 24483.
     [Manni Wood <manniwood planet-save.com>]

  *) Fix some piped log problems: bogus "piped log program '(null)'
     failed" messages during restart and problem with the logger
     respawning again after Apache is stopped.  PR 21648, PR 24805.
     [Jeff Trawick]

  *) Fixed file extensions for real media files and removed rpm extension
     from mime.types. PR 26079.  [Allan Sandfeld <kde carewolf.com>]

  *) Remove compile-time length limit on request strings. Length is
     now enforced solely with the LimitRequestLine config directive.
     [Paul J. Reder]

  *) mod_ssl: Send the Close Alert message to the peer before closing
     the SSL session.  PR 27428.  [Madhusudan Mathihalli, Joe Orton]

  *) SECURITY: CVE-2004-0113 (cve.mitre.org)
     mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
     PR 27106.  [Joe Orton]

  *) mod_ssl: Fix bug in passphrase handling which could cause spurious
     failures in SSL functions later.  PR 21160.  [Joe Orton]

  *) mod_log_config: Fix corruption of buffered logs with threaded
     MPMs.  PR 25520.  [Jeff Trawick]

  *) Fix mod_include's expression parser to recognize strings correctly
     even if they start with an escaped token.  [André Malo]

  *) Add fatal exception hook for use by diagnostic modules.  The hook
     is only available if the --enable-exception-hook configure parm 
     is used and the EnableExceptionHook directive has been set to 
     "on".  [Jeff Trawick]

  *) Allow mod_auth_digest to work with sub-requests with different
     methods than the original request.  PR 25040.
     [Josh Dady <jpd indecisive.com>]

  *) fix "Expected </Foo>> but saw </Foo>" errors in nested,
     argumentless containers.
     ["Philippe M. Chiasson" <gozer cpan.org>]

  *) mod_auth_ldap: Fix some segfaults in the cache logic.  PR 18756.
     [Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]

  *) mod_cgid: Restart the cgid daemon if it crashes.  PR 19849
     [Glenn Nielsen <glenn apache.org>]

  *) The whole codebase was relicensed and is now available under
     the Apache License, Version 2.0 (http://www.apache.org/licenses).
     [Apache Software Foundation]

  *) Fixed cache-removal order in mod_mem_cache.
     [Jean-Jacques Clar, Cliff Woolley]

  *) mod_setenvif: Fix the regex optimizer, which under some circumstances
     treated the supplied regex as a literal string. PR 24219.

  *) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm

  *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
     could lead to a 400 (Bad Request) response.  [André Malo]

  *) Keep focus of ITERATE and ITERATE2 on the current module when
     the module chooses to return DECLINE_CMD for the directive.
     PR 22299.  [Geoffrey Young <geoff apache.org>]

  *) Add support for IMT minor-type wildcards (e.g., text/*) to
     ExpiresByType.  PR#7991  [Ken Coar]

  *) Fix segfault in mod_mem_cache cache_insert() due to cache size
     becoming negative.  PR: 21285, 21287
     [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]

  *) core.c: If large file support is enabled, allow any file that is
     greater than AP_MAX_SENDFILE to be split into multiple buckets.
     This allows Apache to send files that are greater than 2gig.
     Otherwise we run into 32/64 bit type mismatches in the file size.
     [Brad Nicholes]

  *) proxy_http fix: mod_proxy hangs when both KeepAlive and
     ProxyErrorOverride are enabled, and a non-200 response without a
     body is generated by the backend server. (e.g.: a client makes a
     request containing the "If-Modified-Since" and "If-None-Match"
     headers, to which the backend server responds with status 304.)
     [Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]

  *) mod_dav: Reject requests which include an unescaped fragment in the
     Request-URI.  PR 21779.  [Amit Athavale <amit_athavale lycos.com>]

  *) Build array of allowed methods with proper dimensions, fixing
     possible memory corruption.  [Jeff Trawick]

  *) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
     PR 15057.  [Otmar Lendl <lendl nic.at>]

  *) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
     [Joe Orton]

  *) mod_usertrack no longer inspects the Cookie2 header for
     the cookie name. PR 11475.  [Chris Darrochi <chrisd pearsoncmg.com>]

  *) mod_usertrack no longer overwrites other cookies.
     PR 26002.  [Scott Moore <apache nopdesign.com>]

  *) worker MPM: fix stack overlay bug that could cause the parent
     process to crash.  [Jeff Trawick]

  *) Win32: Add Win32DisableAcceptEx directive. This Windows
     NT/2000/CP directive is useful to work around bugs in some 
     third party layered service providers like virus scanners, 
     VPN and firewall products, that do not properly handle 
     WinSock 2 APIs.  Use this directive if your server is issuing
     AcceptEx failed messages.
     [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]

  *) Make REMOTE_PORT variable available in mod_rewrite.

  *) Fix a long delay with CGI requests and keepalive connections on
     AIX.  [Jeff Trawick]

  *) mod_autoindex: Add 'XHTML' option in order to allow switching between
     HTML 3.2 and XHTML 1.0 output. PR 23747.  [André Malo]

  *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).

  *) mod_ssl: Advertise SSL library version as determined at run-time rather