Skip to content
CHANGES 581 KiB
Newer Older
11001 11002 11003 11004 11005 11006 11007 11008 11009 11010 11011 11012 11013 11014 11015 11016 11017 11018 11019 11020 11021 11022 11023 11024 11025 11026 11027 11028 11029 11030 11031 11032 11033 11034 11035 11036 11037 11038 11039 11040 11041 11042 11043 11044 11045 11046 11047 11048 11049 11050 11051 11052 11053 11054 11055 11056 11057 11058 11059 11060 11061 11062 11063 11064 11065 11066 11067 11068 11069 11070 11071 11072 11073 11074 11075 11076 11077 11078 11079 11080 11081 11082 11083 11084 11085 11086 11087 11088 11089 11090 11091 11092 11093 11094 11095 11096 11097 11098 11099 11100 11101 11102 11103 11104 11105 11106 11107 11108 11109 11110 11111 11112 11113 11114 11115 11116 11117 11118 11119 11120 11121 11122 11123 11124 11125 11126 11127 11128 11129 11130 11131 11132 11133 11134 11135 11136 11137 11138 11139 11140 11141 11142 11143 11144 11145 11146 11147 11148 11149 11150 11151 11152 11153 11154 11155 11156 11157 11158 11159 11160 11161 11162 11163 11164 11165 11166 11167 11168 11169 11170 11171 11172 11173 11174 11175 11176 11177 11178 11179 11180 11181 11182 11183 11184 11185 11186 11187 11188 11189 11190 11191 11192 11193 11194 11195 11196 11197 11198 11199 11200 11201 11202 11203 11204 11205 11206 11207 11208 11209 11210 11211 11212 11213 11214 11215 11216 11217 11218 11219 11220 11221 11222 11223 11224 11225 11226 11227 11228 11229 11230 11231 11232 11233 11234 11235 11236 11237 11238 11239 11240 11241 11242 11243 11244 11245 11246 11247 11248 11249 11250 11251 11252 11253 11254 11255 11256 11257 11258 11259 11260 11261 11262 11263 11264 11265 11266 11267 11268 11269 11270 11271 11272 11273 11274 11275 11276 11277 11278 11279 11280 11281 11282 11283 11284 11285 11286 11287 11288 11289 11290 11291 11292 11293 11294 11295 11296 11297 11298 11299 11300 11301 11302 11303 11304 11305 11306 11307 11308 11309 11310 11311 11312 11313 11314 11315 11316 11317 11318 11319 11320 11321 11322 11323 11324 11325 11326 11327 11328 11329 11330 11331 11332 11333 11334 11335 11336 11337 11338 11339 11340 11341 11342 11343 11344 11345 11346 11347 11348 11349 11350 11351 11352 11353 11354 11355 11356 11357 11358 11359 11360 11361 11362 11363 11364 11365 11366 11367 11368 11369 11370 11371 11372 11373 11374 11375 11376 11377 11378 11379 11380 11381 11382 11383 11384 11385 11386 11387 11388 11389 11390 11391 11392 11393 11394 11395 11396 11397 11398 11399 11400 11401 11402 11403 11404 11405 11406 11407 11408 11409 11410 11411 11412 11413 11414 11415 11416 11417 11418 11419 11420 11421 11422 11423 11424 11425 11426 11427 11428 11429 11430 11431 11432 11433 11434 11435 11436 11437 11438 11439 11440 11441 11442 11443 11444 11445 11446 11447 11448 11449 11450 11451 11452 11453 11454 11455 11456 11457 11458 11459 11460 11461 11462 11463 11464 11465 11466 11467 11468 11469 11470 11471 11472 11473 11474 11475 11476 11477 11478 11479 11480 11481 11482 11483 11484 11485 11486 11487 11488 11489 11490 11491 11492 11493 11494 11495 11496 11497 11498 11499 11500 11501 11502 11503 11504 11505 11506 11507 11508 11509 11510 11511 11512 11513 11514 11515 11516 11517 11518 11519 11520 11521 11522 11523 11524 11525 11526 11527 11528 11529 11530 11531 11532 11533 11534 11535 11536 11537 11538 11539 11540 11541 11542 11543 11544 11545 11546 11547 11548 11549 11550 11551 11552 11553 11554 11555 11556 11557 11558 11559 11560 11561 11562 11563 11564 11565 11566 11567 11568 11569 11570 11571 11572 11573 11574 11575 11576 11577 11578 11579 11580 11581 11582 11583 11584 11585 11586 11587 11588 11589 11590 11591 11592 11593 11594 11595 11596 11597 11598 11599 11600 11601 11602 11603 11604 11605 11606 11607 11608 11609 11610 11611 11612 11613 11614 11615 11616 11617 11618 11619 11620 11621 11622 11623 11624 11625 11626 11627 11628 11629 11630 11631 11632 11633 11634 11635 11636 11637 11638 11639 11640 11641 11642 11643 11644 11645 11646 11647 11648 11649 11650 11651 11652 11653 11654 11655 11656 11657 11658 11659 11660 11661 11662 11663 11664 11665 11666 11667 11668 11669 11670 11671 11672 11673 11674 11675 11676 11677 11678 11679 11680 11681 11682 11683 11684 11685 11686 11687 11688 11689 11690 11691 11692 11693 11694 11695 11696 11697 11698 11699 11700 11701 11702 11703 11704 11705 11706 11707 11708 11709 11710 11711 11712 11713 11714 11715 11716 11717 11718 11719 11720 11721 11722 11723 11724 11725 11726 11727 11728 11729 11730 11731 11732 11733 11734 11735 11736 11737 11738 11739 11740 11741 11742 11743 11744 11745 11746 11747 11748 11749 11750 11751 11752 11753 11754 11755 11756 11757 11758 11759 11760 11761 11762 11763 11764 11765 11766 11767 11768 11769 11770 11771 11772 11773 11774 11775 11776 11777 11778 11779 11780 11781 11782 11783 11784 11785 11786 11787 11788 11789 11790 11791 11792 11793 11794 11795 11796 11797 11798 11799 11800 11801 11802 11803 11804 11805 11806 11807 11808 11809 11810 11811 11812 11813 11814 11815 11816 11817 11818 11819 11820 11821 11822 11823 11824 11825 11826 11827 11828 11829 11830 11831 11832 11833 11834 11835 11836 11837 11838 11839 11840 11841 11842 11843 11844 11845 11846 11847 11848 11849 11850 11851 11852 11853 11854 11855 11856 11857 11858 11859 11860 11861 11862 11863 11864 11865 11866 11867 11868 11869 11870 11871 11872 11873 11874 11875 11876 11877 11878 11879 11880 11881 11882 11883 11884 11885 11886 11887 11888 11889 11890 11891 11892 11893 11894 11895 11896 11897 11898 11899 11900 11901 11902 11903 11904 11905 11906 11907 11908 11909 11910 11911 11912 11913 11914 11915 11916 11917 11918 11919 11920 11921 11922 11923 11924 11925 11926 11927 11928 11929 11930 11931 11932 11933 11934 11935 11936 11937 11938 11939 11940 11941 11942 11943 11944 11945 11946 11947 11948 11949 11950 11951 11952 11953 11954 11955 11956 11957 11958 11959 11960 11961 11962 11963 11964 11965 11966 11967 11968 11969 11970 11971 11972 11973 11974 11975 11976 11977 11978 11979 11980 11981 11982 11983 11984 11985 11986 11987 11988 11989 11990 11991 11992 11993 11994 11995 11996 11997 11998 11999 12000
     multiple occurrences of the same key. [Stephen Scheck
     <sscheck@infonex.net>, Ben Laurie] PR#1604

  *) send_fd_length() did not calculate total_bytes_sent properly in error
     cases.  [Ben Reser <breser@regnow.com>] PR#1366

  *) r->connection->user was allocated in the wrong pool causing corruption
     in some cases when used with mod_cern_meta.  [Dean Gaudet] PR#1500

  *) mod_proxy was sending HTTP/1.1 responses to ftp requests by mistake.
     Also removed the auto-generated link to www.apache.org that was the
     source of so many misdirected bug reports.  [Roy Fielding, Marc Slemko]

  *) Multiple "close" tokens may have been set in the "Connection"
     header, not an error, but a waste.
     [Ronald.Tschalaer@psi.ch] PR#1683

  *) "basic" and "digest" auth tokens should be tested case-insensitive.
     [Ronald.Tschalaer@psi.ch] PR#1599, PR#1666

  *) It appears the "257th byte" bug (see
     htdocs/manual/misc/known_client_problems.html#257th-byte) can happen
     at the 256th byte as well.  Fixed.  [Dean Gaudet]

  *) mod_rewrite would not handle %3f properly in some situations.
     [Ralf Engelschall]

  *) Apache could generate improperly chunked HTTP/1.1 responses when
     the bputc() or rputc() functions were used by modules (such as
     mod_include).  [Dean Gaudet]

  *) #ifdef wrap a few #defines in httpd.h to make life easier on
     some ports.  [Ralf Engelschall]

  *) Fix MPE compilation error in mod_usertrack.c.  [Mark Bixby]

  *) Quote CC='$(CC)' to improve recurse make calls.  [Martin Kraemer]

  *) Avoid B_ERROR redeclaration on sysvr4 systems.  [Martin Kraemer]

Changes with Apache 1.2.5

  *) SECURITY: Fix a possible buffer overflow in logresolve.  This is
     only an issue on systems without a MAXDNAME define or where 
     the resolver returns domain names longer than MAXDNAME.  [Marc Slemko]

  *) Fix an improper length in an ap_snprintf call in proxy_date_canon().
     [Marc Slemko]

  *) Fix core dump in the ftp proxy when reading incorrectly formatted
     directory listings.  [Marc Slemko]

  *) SECURITY: Fix possible minor buffer overflow in the proxy cache.
     [Marc Slemko]

  *) SECURITY: Eliminate possible buffer overflow in cfg_getline, which
     is used to read various types of files such as htaccess and 
     htpasswd files.  [Marc Slemko]

  *) SECURITY: Ensure that the buffer returned by ht_time is always
     properly null terminated.  [Marc Slemko]

  *) SECURITY: General mod_include cleanup, including fixing several
     possible buffer overflows and a possible infinite loop.  This cleanup
     was done against 1.3 code and then backported to 1.2, the result
     is a large difference (due to indentation cleanup in 1.3 code).
     Users interested in seeing a smaller set of relevant differences
     should consider comparing against src/modules/standard/mod_include.c
     from the 1.3b3 release.  Non-indentation changes to mod_include
     between 1.2 and 1.3 were minimal.  [Dean Gaudet, Marc Slemko]

  *) SECURITY: Numerous changes to mod_imap in a general cleanup
     including fixing a possible buffer overflow.  This cleanup also
     was done with 1.3 code as a basis, see the the previous note
     about mod_include.  [Dean Gaudet]

  *) SECURITY: If a htaccess file can not be read due to bad 
     permissions, deny access to the directory with a HTTP_FORBIDDEN.  
     The previous behavior was to ignore the htaccess file if it could not
     be read.  This change may make some setups with unreadable
     htaccess files stop working.  PR#817  [Marc Slemko]

  *) SECURITY: no2slash() was O(n^2) in the length of the input.  
     Make it O(n).  This inefficiency could be used to mount a denial 
     of service attack against the Apache server.  Thanks to 
     Michal Zalewski <lcamtuf@boss.staszic.waw.pl> for reporting
     this.  [Dean Gaudet]

  *) mod_include used uninitialized data for some uses of && and ||.
     [Brian Slesinsky <bslesins@wired.com>] PR#1139

  *) mod_imap should decline all non-GET methods.
     [Jay Bloodworth <jay@pathways.sde.state.sc.us>]

  *) suexec.c wouldn't build without -DLOG_EXEC. [Jason A. Dour]

  *) mod_userdir was modifying r->finfo in cases where it wasn't setting
     r->filename.  Since those two are meant to be in sync with each other
     this is a bug.  ["Paul B. Henson" <henson@intranet.csupomona.edu>]

  *) mod_include did not properly handle all possible redirects from sub-
     requests.  [Ken Coar]

  *) Inetd mode (which is buggy) uses timeouts without having setup the
     jmpbuffer. [Dean Gaudet] PR#1064

  *) Work around problem under Linux where a child will start looping
     reporting a select error over and over.
     [Rick Franchuk <rickf@transpect.net>] PR#1107

Changes with Apache 1.2.4

  *) The ProxyRemote change in 1.2.3 introduced a bug resulting in the proxy
     always making requests with the full-URI instead of just the URI path.
     [Marc Slemko, Roy Fielding]

  *) Add -lm for AIX versions >= 4.2 to allow Apache to link properly
     on this platform.  [Marc Slemko]

Changes with Apache 1.2.3

  *) The request to a remote proxy was mangled if it was generated as the
     result of a ProxyPass directive. URL schemes other than http:// were not
     supported when ProxyRemote was used. PR#260, PR#656, PR#699, PR#713,
     PR#812 [Lars Eilebrecht]

  *) Fixed proxy-pass-through feature of mod_rewrite; Added error logging
     information for case where proxy module is not available. [Marc Slemko]

  *) Force proxy to always respond as HTTP/1.0, which it was failing to
     do for errors and cached responses.  [Roy Fielding]

  *) PORT: Improved support for ConvexOS 11.  [Jeff Venters]

Changes with Apache 1.2.2 [not released]

  *) Fixed another long-standing bug in sub_req_lookup_file where it would
     happily skip past access checks on subdirectories looked up with relative
     paths.  (It's used by mod_dir, mod_negotiation, and mod_include.)
     [Dean Gaudet]

  *) Add lockfile name to error message printed out when
     USE_FLOCK_SERIALIZED_ACCEPT is defined.
     [Marc Slemko]

  *) Enhanced the chunking and error handling inside the buffer functions.
     [Dean Gaudet, Roy Fielding]

  *) When merging the main server's <Directory> and <Location> sections into
     a vhost, put the main server's first and the vhost's second.  Otherwise
     the vhost can't override the main server.  [Dean Gaudet] PR#717

  *) The <Directory> code would merge and re-merge the same section after
     a match was found, possibly causing problems with some modules.
     [Dean Gaudet]

  *) Fixed an infinite loop in mod_imap for references above the server root.
     [Dean Gaudet] PR#748

  *) mod_include cleanup showed that handle_else was being used to handle
     endif.  It didn't cause problems, but it was cleaned up too.
     [Howard Fear]

  *) Last official synchronization of mod_rewrite with author version (because
     mod_rewrite is now directly developed by the author at the Apache Group):
     o added diff between mod_rewrite 3.0.6+ and 3.0.9
       minus WIN32/NT stuff, but plus copyright removement.
       In detail:
       - workaround for detecting infinite rewriting loops
       - fixed setting of env vars when "-" is used as subst string
       - fixed forced response code on redirects (PR#777)
       - fixed cases where r->args is ""
       - kludge to disable locking on pipes under braindead SunOS
       - fix for rewritelog in cases where remote hostname is unknown
       - fixed totally damaged request_rec walk-back loop
     o remove static from local data and add static to global ones.
     o replaced ugly proxy finding stuff by simple
       find_linked_module("mod_proxy") call.
     o added missing negation char on rewritelog()
     o fixed a few comment typos
     [Ralf S. Engelschall]

  *) Anonymous_LogEmail was logging on each subrequest.
     [Dean Gaudet] PR#421, PR#868

  *) "force-response-1.0" now only applies to requests which are HTTP/1.0 to
     begin with.  "nokeepalive" now works for HTTP/1.1 clients.  Added
     "downgrade-1.0" which causes Apache to pretend it received a 1.0.
     Additionally mod_browser now triggers during translate_name to workaround
     a deficiency in the header_parse phase.
     [Dean Gaudet] PR#875

  *) get_client_block() returns wrong length if policy is 
     REQUEST_CHUNKED_DECHUNK.
     [Kenichi Hori <ken@d2.bs1.fc.nec.co.jp>] PR#815

  *) Properly treat <files> container like other containers in mod_info.
     [Marc Slemko] PR#848

  *) The proxy didn't treat the "Host:" keyword of the host header as case-
     insensitive.  The proxy would corrupt the first line of a response from
     an HTTP/0.9 server.  [Kenichi Hori <ken@d2.bs1.fc.nec.co.jp>] PR#813,814

  *) mod_include would log some bogus values occasionally.
     [Skip Montanaro <skip@calendar.com>, Marc Slemko] PR#797

  *) PORT: The slack fd changes in 1.2.1 introduced a problem with SIGHUP
     under Solaris 2.x (up through 2.5.1).  It has been fixed.
     [Dean Gaudet] PR#832

  *) API: In HTTP/1.1, whether or not a request message contains a body
     is independent of the request method and based solely on the presence
     of a Content-Length or Transfer-Encoding.  Therefore, our default
     handlers need to be prepared to read a body even if they don't know
     what to do with it; otherwise, the body would be mistaken for the
     next request on a persistent connection.  discard_request_body()
     has been added to take care of that.  [Roy Fielding] PR#378

  *) API: Symbol APACHE_RELEASE provides a numeric form of the Apache
     release version number, such that it always increases along the
     same lines as our source code branching.  [Roy Fielding]

  *) Minor oversight on multiple variants fixed.  [Paul Sutton] PR#94

Changes with Apache 1.2.1

  *) SECURITY: Don't serve file system objects unless they are plain files,
     symlinks, or directories.  This prevents local users from using pipes
     or named sockets to invoke programs for an extremely crude form of
     CGI.  [Dean Gaudet]

  *) SECURITY: HeaderName and ReadmeName were settable in .htaccess and
     could contain "../" allowing a local user to "publish" any file on
     the system.  No slashes are allowed now.  [Dean Gaudet]

  *) SECURITY: It was possible to violate the symlink Options using mod_dir
     (headers, readmes, titles), mod_negotiation (type maps), or
     mod_cern_meta (meta files).  [Dean Gaudet]

  *) SECURITY: Apache will refuse to run as "User root" unless
     BIG_SECURITY_HOLE is defined at compile time.  [Dean Gaudet]

  *) CONFIG: If a symlink pointed to a directory then it would be disallowed
     if it contained a .htaccess disallowing symlinks.  This is contrary
     to the rule that symlink permissions are tested with the symlink
     options of the parent directory.  [Dean Gaudet] PR#353

  *) CONFIG: The LockFile directive can be used to place the serializing
     lockfile in any location.  It previously defaulted to /usr/tmp/htlock.
     [Somehow it took four of us: Randy Terbush, Jim Jagielski, Dean Gaudet,
     Marc Slemko]

  *) Request processing now retains state of whether or not the request
     body has been read, so that internal redirects and subrequests will
     not try to read it twice (and block). [Roy Fielding]

  *) Add a placeholder in modules/Makefile to avoid errors with certain
     makes. [Marc Slemko]

  *) QUERY_STRING was unescaped in mod_include, it shouldn't be.
     [Dean Gaudet] PR#644

  *) mod_include was not properly changing the current directory.
     [Marc Slemko] PR#742

  *) Attempt to work around problems with third party libraries that do not
     handle high numbered descriptors (examples include bind, and
     solaris libc).  On all systems apache attempts to keep all permanent
     descriptors above 15 (called the low slack line).  Solaris users
     can also benefit from adding -DHIGH_SLACK_LINE=256 to EXTRA_CFLAGS
     which keeps all non-FILE * descriptors above 255.  On all systems
     this should make supporting large numbers of vhosts with many open
     log files more feasible.  If this causes trouble please report it,
     you can disable this workaround by adding -DNO_SLACK to EXTRA_CFLAGS.
     [Dean Gaudet] various PRs

  *) Related to the last entry, network sockets are now opened before
     log files are opened.  The only known case where this can cause
     problems is under Solaris with many virtualhosts and many Listen
     directives.  But using -DHIGH_SLACK_LINE=256 described above will
     work around this problem.  [Dean Gaudet]

  *) USE_FLOCK_SERIALIZED_ACCEPT is now default for FreeBSD, A/UX, and
     SunOS 4.

  *) Improved unix error response logging.  [Marc Slemko]

  *) Update mod_rewrite from 3.0.5 to 3.0.6.  New ruleflag
     QSA=query_string_append.  Also fixed a nasty bug in per-dir context:
     when a URL http://... was used in conjunction with a special
     redirect flag, e.g. R=permanent, the permanent status was lost.
     [Ronald Tschalaer <Ronald.Tschalaer@psi.ch>, Ralf S. Engelschall]

  *) If an object has multiple variants that are otherwise equal Apache
     would prefer the last listed variant rather than the first.
     [Paul Sutton] PR#94

  *) "make clean" at the top level now removes *.o.  [Dean Gaudet] PR#752

  *) mod_status dumps core in inetd mode.  [Marc Slemko and Roy Fielding]
     PR#566

  *) pregsub had an off-by-1 in its error checking code. [Alexei Kosut]

  *) PORT: fix rlim_t problems with AIX 4.2. [Marc Slemko] PR#333

  *) PORT: Update UnixWare support for 2.1.2.
     [Lawrence Rosenman <ler@lerctr.org>] PR#511

  *) PORT: NonStop-UX [Joachim Schmitz <schmitz_joachim@tandem.com>] PR#327

  *) PORT: Update ConvexOS support for 11.5.
     [David DeSimone <fox@convex.com>] PR#399

  *) PORT: Support for DEC cc compiler under ULTRIX.
     ["P. Alejandro Lopez-Valencia" <alejolo@ideam.gov.co>] PR#388

  *) PORT: Support for Maxion/OS SVR4.2 Real Time Unix. [no name given] PR#383

  *) PORT: Workaround for AIX 3.x compiler bug in http_bprintf.c.  
     [Marc Slemko] PR#725

  *) PORT: fix problem compiling http_bprintf.c with gcc under SCO
     [Marc Slemko] PR#695

Changes with Apache 1.2

Changes with Apache 1.2b11

  *) Fixed open timestamp fd in proxy_cache.c [Chuck Murcko]

  *) Added undocumented perl SSI mechanism for -DUSE_PERL_SSI and mod_perl.
     [Doug MacEachern, Rob Hartill]

  *) Proxy needs to use hard_timeout instead of soft_timeout when it is
     reading from one buffer and writing to another, at least until it has
     a custom timeout handler.  [Roy Fielding and Petr Lampa]

  *) Fixed problem on IRIX with servers hanging in IdentityCheck,
     apparently due to a mismatch between sigaction and setjmp.
     [Roy Fielding] PR#502

  *) Log correct status code if we timeout before receiving a request (408)
     or if we received a request-line that was too long to process (414).
     [Ed Korthof and Roy Fielding] PR#601

  *) Virtual hosts with the same ServerName, but on different ports, were
     not being selected properly.  [Ed Korthof]

  *) Added code to return the requested IP address from proxy_host2addr()
     if gethostbyaddr() fails due to reverse DNS lookup problems. Original
     change submitted by Jozsef Hollosi <hollosi@sbcm.com>.
     [Chuck Murcko] PR#614

  *) If multiple requests on a single connection are used to retrieve
     data from different virtual hosts, the virtual host list would be
     scanned starting with the most recently used VH instead of the first,
     causing most virtual hosts to be ignored.
     [Paul Sutton and Martin Mares] PR#610

  *) The OS/2 handling of process group was broken by a porting patch for
     MPE, so restored prior code for OS/2.  [Roy Fielding and Garey Smiley]

  *) Inherit virtual server port from main server if none (or "*") is
     given for VirtualHost.  [Dean Gaudet] PR#576

  *) If the lookup for a DirectoryIndex name with content negotiation
     has found matching variants, but none are acceptable, return the
     negotiation result if there are no more DirectoryIndex names to lookup.
     [Petr Lampa and Roy Fielding]

  *) If a soft_timeout occurs after keepalive is set, then the main child
     loop would try to read another request even though the connection
     has been aborted.  [Roy Fielding]

  *) Configure changes: Allow for whitespace at the start of a
     Module declaration. Also, be more understanding about the
     CC=/OPTIM= format in Configuration. Finally, fix compiler
     flags if using HP-UX's cc compiler. [Jim Jagielski]

  *) Subrequests and internal redirects now inherit the_request from the
     original request-line. [Roy Fielding]

  *) Test for error conditions before creating output header fields, since
     we don't want the error message to include those fields.  Likewise,
     reset the content_language(s) and content_encoding of the response
     before generating or redirecting to an error message, since the new
     message will have its own Content-* definitions. [Dean Gaudet]

  *) Restored the semantics of headers_out (headers sent only with 200..299
     and 304 responses) and err_headers_out (headers sent with all responses).
     Avoid the overhead of copying tables if err_headers_out is empty
     (the usual case).  [Roy Fielding]

  *) Fixed a couple places where a check for the default Content-Type was
     not properly checking both the value configured by the DefaultType
     directive and the DEFAULT_TYPE symbol in httpd.h.  Changed the value
     of DEFAULT_TYPE to match the documented default (text/plain).
     [Dean Gaudet] PR#506

  *) Escape the HTML-sensitive characters in the Request-URI that is
     output for each child by mod_status. [Dean Gaudet and Ken Coar] PR#501

  *) Properly initialize the flock structures used by the mutex locking
     around accept() when USE_FCNTL_SERIALIZED_ACCEPT is defined.
     [Marc Slemko]

  *) The method for determining PATH_INFO has been restored to the pre-1.2b
     (and NCSA httpd) definition wherein it was the extra path info beyond
     the CGI script filename.  The environment variable FILEPATH_INFO has
     been removed, and instead we supply the original REQUEST_URI to any
     script that wants to be Apache-specific and needs the real URI path.
     This solves a problem with existing scripts that use extra path info
     in the ScriptAlias directive to pass options to the CGI script.
     [Roy Fielding]

  *) The _default_ change in 1.2b10 will change the behaviour on configs
     that use multiple Listen statements for listening on multiple ports.
     But that change is necessary to make _default_ consistent with other
     forms of <VirtualHost>.  It requires such configs to be modified
     to use <VirtualHost _default_:*>.  The documentation has been
     updated.  [Dean Gaudet] PR#530

  *) If an ErrorDocument CGI script is used to respond to an error
     generated by another CGI script which has already read the message
     body of the request, the server would block trying to read the
     message body again.  [Rob Hartill]

  *) signal() replacement conflicted with a define on QNX (and potentially
     other platforms). Fixed. [Ben Laurie] PR#512

Changes with Apache 1.2b10

  *) Allow HTTPD_ROOT, SERVER_CONFIG_FILE, DEFAULT_PATH, and SHELL_PATH
     to be configured via -D in Configuration.  [Dean Gaudet] PR#449

  *) <VirtualHost _default_:portnum> didn't work properly.  [Dean Gaudet]

  *) Added prototype for mktemp() for SUNOS4 [Marc Slemko]

  *) In mod_proxy.c, check return values for proxy_host2addr() when reading
     config, in case the hostent struct returned is trash.
     [Chuck Murcko] PR #491

  *) Fixed the fix in 1.2b9 for parsing URL query info into args for CGI
     scripts.  [Dean Gaudet, Roy Fielding, Marc Slemko]

Changes with Apache 1.2b9  [never announced]

  *) Reset the MODULE_MAGIC_NUMBER to account for the unsigned port
     changes and in anticipation of 1.2 final release.  [Roy Fielding]

  *) Fix problem with scripts not receiving a SIGPIPE when client drops
     the connection (e.g., when user presses Stop).  Apache will now stop
     trying to send a message body immediately after an error from write.
     [Roy Fielding and Nathan Kurz] PR#335

  *) Rearrange Configuration.tmpl so that mod_rewrite has higher priority
     than mod_alias, and mod_alias has higher priority than mod_proxy;
     rearranged other modules to enhance understanding of their purpose
     and relative order (and maybe even reduce some overhead).
     [Roy Fielding and Sameer Parekh]

  *) Fix graceful restart.  Eliminate many signal-related race
     conditions in both forms of restart, and in SIGTERM.  See
     htdocs/manual/stopping.html for details on stopping and
     restarting the parent.  [Dean Gaudet]

  *) Fix memory leaks in mod_rewrite, mod_browser, mod_include.  Tune
     memory allocator to avoid a behaviour that required extra blocks to
     be allocated.  [Dean Gaudet]

  *) Allow suexec to access files relative to current directory but not
     above.  (Excluding leading / or any .. directory.)  [Ken Coar]
     PR#269, 319, 395

  *) Fix suexec segfault when group doesn't exist. [Gregory Neil Shapiro]
     PR#367, 368, 354, 453

  *) Fix the above fix: if suexec is enabled, avoid destroying r->url
     while obtaining the /~user and save the username in a separate data
     area so that it won't be overwritten by the call to getgrgid(), and
     fix some misuse of the pool string allocation functions.  Also fixes
     a general problem with parsing URL query info into args for CGI scripts.
     [Roy Fielding] PR#339, 367, 354, 453

  *) Fix IRIX warning about bzero undefined. [Marc Slemko]

  *) Fix problem with <Directory proxy:...>. [Martin Kraemer] PR#271

  *) Corrected spelling of "authoritative".  AuthDBAuthoratative became
     AuthDBAuthoritative. [Marc Slemko] PR#420

  *) MaxClients should be at least 1. [Lars Eilebrecht] PR#375

  *) The default handler now logs invalid methods or URIs (i.e. PUT on an
     object that can't be PUT, or FOOBAR for some method FOOBAR that
     apache doesn't know about at all).  Log 404s that occur in mod_include.
     [Paul Sutton, John Van Essen]

  *) If a soft timeout (or lingerout) occurs while trying to flush a
     buffer or write inside buff.c or fread'ing from a CGI's output,
     then the timeout would be ignored. [Roy Fielding] PR#373

  *) Work around a bug in Netscape Navigator versions 2.x, 3.x and 4.0b2's
     parsing of headers.  If the terminating empty-line CRLF occurs starting
     at the 256th or 257th byte of output, then Navigator will think a normal
     image is invalid.  We are guessing that this is because their initial
     read of a new request uses a 256 byte buffer. We check the bytes written
     so far and, if we are about to tickle the bug, we instead insert a
     padding header of eminent bogosity. [Roy Fielding and Dean Gaudet] PR#232

  *) Fixed SIGSEGV problem when a DirectoryIndex file is also the source
     of an external redirection.  [Roy Fielding and Paul Sutton]

  *) Configure would create a broken Makefile if the configuration file
     contained a commented-out Rule.  [Roy Fielding]

  *) Promote per_dir_config and subprocess_env from the subrequest to the
     main request in mod_negotiation.  In particular this fixes a bug
     where <Files> sections wouldn't properly apply to negotiated content.
     [Dean Gaudet]

  *) Fix a potential deadlock in mod_cgi script_err handling.
     [Ralf S. Engelschall]

  *) rotatelogs zero-pads the logfile names to improve alphabetic sorting.
     [Mitchell Blank Jr]

  *) Updated mod_rewrite to 3.0.4: Fixes HTTP redirects from within
     .htaccess files because the RewriteBase was not replaced correctly.
     Updated mod_rewrite to 3.0.5: Fixes problem with rewriting inside
     <Directory> sections missing a trailing /.  [Ralf S. Engelschall]

  *) Clean up Linux settings in conf.h by detecting 2.x versus 1.x.  For
     1.x the settings are those of pre-1.2b8.  For 2.x we include
     USE_SHMGET_SCOREBOARD (scoreboard in shared memory rather than file) and
     HAVE_SYS_RESOURCE_H (enable the RLimit commands).
     [Dean Gaudet] PR#336, PR#340

  *) Redirect did not preserve ?query_strings when present in the client's
     request.  [Dean Gaudet]

  *) Configure was finding non-modules on EXTRA_LIBS. [Frank Cringle] PR#380

  *) Use /bin/sh5 on ULTRIX.  [P. Alejandro Lopez-Valencia] PR#369

  *) Add UnixWare compile/install instructions.  [Chuck Murcko]

  *) Add mod_example (illustration of API techniques).  [Ken Coar]

  *) Add macro for memmove to conf.h for SUNOS4. [Marc Slemko]

  *) Improve handling of directories when filenames have spaces in them.
     [Chuck Murcko]

  *) For hosts with multiple IP addresses, try all additional addresses if
     necessary to get a connect. Fail only if hostent address list is
     exhausted. [Chuck Murcko]

  *) More signed/unsigned port fixes.  [Dean Gaudet]

  *) HARD_SERVER_LIMIT can be defined in the Configuration file now.
     [Dean Gaudet]

Changes with Apache 1.2b8

  *) suexec.c doesn't close the log file, allowing CGIs to continue writing
     to it.  [Marc Slemko]

  *) The addition of <Location> and <File> directives made the
     sub_req_lookup_simple() function bogus, so we now handle
     the special cases directly.  [Dean Gaudet]

  *) We now try to log where the server is dumping core when a fatal
     signal is received.  [Ken Coar]

  *) Improved lingering_close by adding a special timeout, removing the
     spurious log messages, removing the nonblocking settings (they
     are not needed with the better timeout), and adding commentary
     about the NO_LINGCLOSE and USE_SO_LINGER issues.  NO_LINGCLOSE is
     now the default for SunOS4, UnixWare, NeXT, and IRIX.  [Roy Fielding]

  *) Send error messages about setsockopt failures to the server error
     log instead of stderr.  [Roy Fielding]

  *) Fix loopholes in proxy cache expiry vis a vis alarms. [Brian Moore]

  *) Stopgap solution for CGI 3-second delay with server-side includes: if
     processing a subrequest, allocate memory from r->main->pool instead
     of r->pool so that we can avoid waiting for free_proc_chain to cleanup
     in the middle of an SSI request.  [Dean Gaudet] PR #122

  *) Fixed status of response when POST is received for a nonexistent URL
     (was sending 405, now 404) and when any method is sent with a
     full-URI that doesn't match the server and the server is not acting
     as a proxy (was sending 501, now 403).  [Roy Fielding]

  *) Host port changed to unsigned short. [Ken Coar] PR #276

  *) Fix typo in command definition of AuthAuthoritative. [Ken Coar] PR #246

  *) Defined USE_SHMGET_SCOREBOARD for shared memory on Linux.  [Dean Gaudet]

  *) Report extra info from errno with many errors that cause httpd to exit.
     spawn_child, popenf, and pclosef now have valid errno returns in the
     event of an error.  Correct problems where errno was stomped on
     before being reported.  [Dean Gaudet]

  *) In the proxy, if the cache filesystem was full, garbage_coll() was
     never called, and thus the filesystem would remain full indefinitely.
     We now also remove incomplete cache files left if the origin server
     didn't send a Content-Length header and either the client has aborted
     transfer or bwrite() to client has failed. [Petr Lampa]

  *) Fixed the handling of module and script-added header fields.
     Improved the interface for sending header fields and reduced
     the duplication of code between sending okay responses and errors.
     We now always send both headers_out and err_headers_out, and
     ensure that the server-reserved fields are not being overridden,
     while not overriding those that are not reserved.  [Roy Fielding]

  *) Moved transparent content negotiation fields to err_headers_out
     to reflect above changes.  [Petr Lampa]

  *) Fixed the determination of whether or not we should make the
     connection persistent for all of the cases where some other part
     of the server has already indicated that we should not.  Also
     improved the ordering of the test so that chunked encoding will
     be set whenever it is desired instead of only when KeepAlive
     is enabled. Added persistent connection capability for most error
     responses (those that do not indicate a bad input stream) when
     accessed by an HTTP/1.1 client. [Roy Fielding]

  *) Added missing timeouts for sending header fields, error responses,
     and the last chunk of chunked encoding, each of which could have
     resulted in a process being stuck in write forever.  Using soft_timeout
     requires that the sender check for an aborted connection rather than
     continuing after an EINTR.  Timeouts that used to be initiated before
     send_http_header (and never killed) are now initiated only within or
     around the routines that actually do the sending, and not allowed to
     propagate above the caller.  [Roy Fielding]

  *) mod_auth_anon required an @ or a . in the email address, not both.
     [Dirk vanGulik]

  *) per_dir_defaults weren't set correctly until directory_walk for
     name-based vhosts.  This fixes an obscure bug with the wrong config
     info being used for vhosts that share the same ip as the server.
     [Dean Gaudet]

  *) Improved generation of modules/Makefile to be more generic for
     new module directories. [Ken Coar, Chuck Murcko, Roy Fielding]

  *) Generate makefile dependency for Configuration based on the actual
     name given when running the Configure process.  [Dean Gaudet]

  *) Fixed problem with vhost error log not being set prior to
     initializing virtual hosts. [Dean Gaudet]

  *) Fixed infinite loop when a trailing slash is included after a type map
     file URL (extra path info). [Petr Lampa]

  *) Fixed server status updating of per-connection counters. [Roy Fielding]

  *) Add documentation for DNS issues (reliability and security), and try
     to explain the virtual host matching process.  [Dean Gaudet]

  *) Try to continue gracefully by disabling the vhost if a DNS lookup
     fails while parsing the configuration file.  [Dean Gaudet]

  *) Improved calls to setsockopt.  [Roy Fielding]

  *) Negotiation changes: Don't output empty content-type in variant list;
     Output charset in variant list; Return sooner from handle_multi() if
     no variants found; Add handling of '*' wildcard in Accept-Charset.
     [Petr Lampa and Paul Sutton]

  *) Fixed overlaying of request/sub-request notes and headers in
     mod_negotiation.  [Dean Gaudet]

  *) If two variants' charset quality are equal and one is the default
     charset (iso-8859-1), then prefer the variant that was specifically
     listed in Accept-Charset instead of the default.  [Petr Lampa]

  *) Memory allocation problem in push_array() -- it would corrupt memory
     when nalloc==0.  [Kai Risku <krisku@tf.hut.fi> and Roy Fielding]

  *) invoke_handler() doesn't handle mime arguments in content-type
     [Petr Lampa] PR#160

  *) Reduced IdentityCheck timeout to 30 seconds, as per RFC 1413 minimum.
     [Ken Coar]

  *) Fixed problem with ErrorDocument not working for virtual hosts
     due to one of the performance changes in 1.2b7. [Dean Gaudet]

  *) Log an error message if we get a request header that is too long,
     since it may indicate a buffer overflow attack. [Marc Slemko]

  *) Made is_url() allow "[-.+a-zA-Z0-9]+:" as a valid scheme and
     not reject URLs without a double-slash, as per RFC2068 section 3.2.
     [Ken Coar] PR #146, #187

  *) Added table entry placeholder for new header_parser callback
     in all of the distributed modules. [Ken Coar] PR #191

  *) Allow for cgi files without the .EXE extension on them under OS/2.
     [Garey Smiley] PR #59

  *) Fixed error message when resource is not found and URL contains
     path info. [Petr Lampa and Dean Gaudet] PR #40

  *) Fixed user and server confusion over what should be a virtual host
     and what is the main server, resulting in access to something
     other than the name defined in the virtualhost directive (but
     with the same IP address) failing. [Dean Gaudet]

  *) Updated mod_rewrite to version 3.0.2, which: fixes compile error on
     AIX; improves the redirection stuff to enable the users to generally
     redirect to http, https, gopher and ftp; added TIME variable for
     RewriteCond which expands to YYYYMMDDHHMMSS strings and added the
     special patterns >STRING, <STRING and =STRING to RewriteCond, which
     can be used in conjunction with %{TIME} or other variables to create
     time-dependent rewriting rules. [Ralf S. Engelschall]

  *) bpushfd() no longer notes cleanups for the file descriptors it is handed.
     Module authors may need to adjust their code for proper cleanup to take
     place (that is, call note_cleanups_for_fd()). This change fixes problems
     with file descriptors being erroneously closed when the proxy module was
     in use. [Ben Laurie]

  *) Fix bug in suexec reintroduced by changes in 1.2b7 which allows
     initgroups() to hose the group information needed for later
     comparisons. [Randy Terbush]

  *) Remove unnecessary call to va_end() in create_argv() which
     caused a SEGV on some systems.

  *) Use proper MAXHOSTNAMELEN symbol for limiting length of server name.
     [Dean Gaudet]

  *) Clear memory allocated for listeners. [Randy Terbush]

  *) Improved handling of IP address as a virtualhost address and
     introduced "_default_" as a synonym for the default vhost config.
     [Dean Gaudet] PR #212

Changes with Apache 1.2b7

  *) Port to  UXP/DS(V20) [Toshiaki Nomura <nom@yk.fujitsu.co.jp>]

  *) unset Content-Length if chunked (RFC-2068) [Petr Lampa]

  *) mod_negotiation fixes [Petr Lampa] PR#157, PR#158, PR#159
     - replace protocol response numbers with symbols
     - save variant-list into main request notes
     - free allocated memory from subrequests
     - merge notes, headers_out and err_headers_out

  *) changed status check mask in proxy_http.c from "HTTP/#.# ### *" to
     "HTTP/#.# ###*" to be more lenient about what we accept.
     [Chuck Murcko]

  *) more proxy FTP bug fixes:
     - Changed send_dir() to remove user/passwd from displayed URL.
     - Changed login error messages to be more descriptive.
     - remove setting of SO_DEBUG socket option
     - Make ftp_getrc() more lenient about multiline responses,
       specifically, 230 responses which don't have continuation 230-
       on each line). These seem to be all NT FTP servers, and while
       perhaps questionable, they appear to be legal by RFC 959.
     - Add missing kill_timeout() after transfer to user completes.
     [Chuck Murcko]

  *) Fixed problem where a busy server could hang when restarting
     after being sent a SIGHUP due to child processes not exiting.
     [Marc Slemko]

  *) Modify mod_include escaping so a '\' only signifies an escaped
     character if the next character is one that needs
     escaping.  [Ben Laurie]

  *) Eliminated possible infinite loop in mod_imap when relative URLs are
     used with a 'base' directive that does not have a '/' in it.
     [Marc Slemko, reported by Onno Witvliet <onno@tc.hsa.nl>]

  *) Reduced the default timeout from 1200 seconds to 300, and the
     one in the sample configfile from 400 to 300.  [Marc Slemko]

  *) Stop vbprintf from crashing if given a NULL string pointer;
     print (null) instead.  [Ken Coar]

  *) Don't disable Nagle algorithm if system doesn't have TCP_NODELAY.
     [Marc Slemko and Roy Fielding]

  *) Fixed problem with mod_cgi-generated internal redirects trying to
     read the request message-body twice. [Archie Cobbs and Roy Fielding]

  *) Reduced timeout on lingering close, removed possibility of a blocked
     read causing the child to hang, and stopped logging of errors if
     the socket is not connected (reset by client).  [Roy Fielding]

  *) Rearranged main child loop to remove duplication of code in
     select/accept and keep-alive requests, fixed several bugs regarding
     checking scoreboard_image for exit indication and failure to
     account for all success conditions and trap all error conditions,
     prevented multiple flushes before closing the socket; close the entire
     socket buffer instead of just one descriptor, prevent logging of
     EPROTO and ECONNABORTED on platforms where supported, and generally
     improved readability.  [Roy Fielding]

  *) Extensive performance improvements. Cleaned up inefficient use of
     auto initializers, multiple is_matchexp calls on a static string,
     and excessive merging of response_code_strings. [Dean Gaudet]

  *) Added double-buffering to mod_include to improve performance on
     server-side includes. [Marc Slemko]

  *) Several fixes for suexec wrapper. [Randy Terbush]
     - Make wrapper work for files on NFS filesystem.
     - Fix portability problem of MAXPATHLEN.
     - Fix array overrun problem in clean_env().
     - Fix allocation of PATH environment variable

  *) Removed extraneous blank line is description of mod_status chars.
     [Kurt Kohler]

  *) Logging of errors from the call_exec routine simply went nowhere,
     since the logfile fd has been closed, so now we send them to stderr.
     [Harald T. Alvestrand]

  *) Fixed core dump when DocumentRoot is a CGI.
     [Ben Laurie, reported by geddis@tesserae.com]

  *) Fixed potential file descriptor leak in mod_asis; updated it and
     http_core to use pfopen/pfclose instead of fopen/fclose.
     [Randy Terbush and Roy Fielding]

  *) Fixed handling of unsigned ints in ap_snprintf() on some chips such
     as the DEC Alpha which is 64-bit but uses 32-bit ints.
     [Dean Gaudet and Ken Coar]

  *) Return a 302 response code to the client when sending a redirect
     due to a missing trailing '/' on a directory instead of a 301; now
     it is cacheable. [Markus Gyger]

  *) Fix condition where, if a bad directive occurs in .htaccess, and
     sub_request() goes first to this directory, then log_reason() will
     SIGSEGV because it doesn't have initialized r->per_dir_config.
     [PR#162 from Petr Lampa, fix by Marc Slemko and Dean Gaudet]

  *) Fix handling of lang_index in is_variant_better().  This was
     causing problems which resulted in the server sending the
     wrong language document in some cases. [Petr Lampa]

  *) Remove free() from clean_env() in suexec wrapper. This was nuking
     the clean environment on some systems.

  *) Tweak byteserving code (e.g. serving PDF files) to work around
     bugs in Netscape Navigator and Microsoft Internet Explorer.
     Emit Content-Length header when sending multipart/byteranges.
     [Alexei Kosut]

  *) Port to HI-UX/WE2. [Nick Maclaren]

  *) Port to HP MPE operating system for HP 3000 machines
     [Mark Bixby <markb@cccd.edu>]

  *) Fixed bug which caused a segmentation fault if only one argument
     given to RLimit* directives. [Ed Korthof]

  *) Continue persistent connection after 204 or 304 response. [Dean Gaudet]

  *) Improved buffered output to the client by delaying the flush decision
     until the BUFF code is actually about to read the next request.
     This fixes a problem introduced in 1.2b5 with clients that send
     an extra CRLF after a POST request. Also improved chunked output
     performance by combining writes using writev() and removing as
     many bflush() calls as possible.  NOTE: Platforms without writev()
     must add -DNO_WRITEV to the compiler CFLAGS, either in Configuration
     or Configure, unless we have already done so.  [Dean Gaudet]

  *) Fixed mod_rewrite bug which truncated the rewritten URL [Marc Slemko]

  *) Fixed mod_info output corruption bug introduced by buffer overflow
     fixes. [Dean Gaudet]

  *) Fixed http_protocol to correctly output all HTTP/1.1 headers, including
     for the special case of a 304 response.  [Paul Sutton]

  *) Improved handling of TRACE method by bypassing normal method handling
     and header parsing routines; fixed Allow response to always allow TRACE.
     [Dean Gaudet]

  *) Fixed compiler warnings in the regex library. [Dean Gaudet]

  *) Cleaned-up some of the generated HTML. [Ken Coar]

Changes with Apache 1.2b6

  *) Allow whitespace in imagemap mapfile coordinates. [Marc Slemko]

  *) Fix typo introduced in fix for potential infinite loop around
     accept() in child_main(). This change caused the rev to 1.2b6.
     1.2b5 was never a public beta.

Changes with Apache 1.2b5

  *) Change KeepAlive semantics (On|Off instead of a number), add
     MaxKeepAliveRequests directive. [Alexei Kosut]

  *) Various NeXT compilation patches, as well as a change in
     regex/regcomp.c since that file also used a NEXT define.
     [Andreas Koenig]

  *) Allow * to terminate the end of a directory match in mod_dir.
     Allows /~* to match for both /~joe and /~joe/. [David Bronder]

  *) Don't call can_exec() if suexec_enabled. Calling this requires
     scripts executed by the suexec wrapper to be world executable, which
     defeats one of the advantages of running the wrapper. [Randy Terbush]

  *) Portability Fix: IRIX complained with 'make clean' about *pure* (removed)
     [Jim Jagielski]

  *) Migration from sprintf() to snprintf() to avoid buffer
     overflows. [Marc Slemko]

  *) Provide portable snprintf() implementation (ap_snprintf)
     as well as *cvt family. [Jim Jagielski]

  *) Portability Fix: NeXT lacks unistd.h so we wrap it's inclusion
     [Jim Jagielski]

  *) Remove mod_fastcgi.c from the distribution. This module appears
     to be maintained more through the Open Market channels and should
     continue to be easily available at http://www.fastcgi.com/

  *) Fixed bug in modules/Makefile that wouldn't allow building in more
     than one subdirectory (or cleaning, either). [Jeremy Laidman]

  *) mod_info assumed that the config files were relative to ServerRoot.
     [Ken the Rodent]

  *) CGI scripts called as an error document resulting from failed
     CGI execution would hang waiting for POST'ed data. [Rob Hartill]

  *) Log reason when mod_dir returns access HTTP_FORBIDDEN
     [Ken the Rodent]

  *) Properly check errno to prevent display of a directory index
     when server receives a long enough URL to confuse stat().
     [Marc Slemko]

  *) Several security enhancements to suexec wrapper. It is _highly_
     recommended that previously installed versions of the wrapper
     be replaced with this version.  [Randy Terbush, Jason Dour]

        - ~user execution now properly restricted to ~user's home
          directory and below.
        - execution restricted to UID/GID > 100
        - restrict passed environment to known variables
        - call setgid() before initgroups() (portability fix)
        - remove use of setenv() (portability fix)

  *) Add HTTP/1.0 response forcing. [Ben Laurie]

  *) Add access control via environment variables. [Ben Laurie]

  *) Add rflush() function. [Alexei Kosut]

  *) remove duplicate pcalloc() call in new_connection().

  *) Fix incorrect comparison which could allow number of children =
     MaxClients + 1 if less than HARD_SERVER_LIMIT. Also fix potential
     problem if StartServers > HARD_SERVER_LIMIT. [Ed Korthof]

  *) Updated support for OSes (MachTen, ULTRIX, Paragon, ISC, OpenBSD
     AIX PS/2, CONVEXOS. [Jim Jagielski]

  *) Replace instances of inet_ntoa() with inet_addr() for ProxyBlock.
     It's more portable. [Martin Kraemer]

  *) Replace references to make in Makefile.tmpl with $(MAKE).
     [Chuck Murcko]

  *) Add ProxyBlock directive w/IP address caching. Add IP address
     caching to NoCache directive as well. ProxyBlock works with all
     handlers; NoCache now also works with FTP for anonymous logins.
     Still more code cleanup. [Chuck Murcko]

  *) Add "header parse" API hook [Ben Laurie]

  *) Fix byte ordering problems for REMOTE_PORT [Chuck Murcko]

  *) suEXEC wrapper was freeing memory that had not been malloc'ed.

  *) Correctly allow access and auth directives in <Files> sections in
     server config files. [Alexei Kosut]