CHANGES

Changes with Apache 2.1.0-dev

  [Remove entries to the current 2.0 section below, when backported]

  *) ssl_toolkit_compat.h and code fixes to build clean on SSLC.
     [William Rowe, Madhusudan Mathihalli]

  *) Fix the inability to log errors like exec failure in
     mod_ext_filter/mod_cgi script children.  This was broken after 
     such children stopped inheriting the error log handle.  
     [Jeff Trawick]

  *) Fix a compile failure with recent OpenSSL and picky compilers
     (e.g., OpenSSL 0.9.7a and xlc_r on AIX).  [Jeff Trawick]

  *) Fix a build problem with passing unsupported --enable-layout
     args to apr and apr-util.  This broke binbuild.sh as well as
     user-specified layout parameters.  PR 18649 [Justin Erenkrantz,
     Jeff Trawick]

  *) ap_get_mime_headers_core: allocate space for the trailing null
     when folding is in effect.
     PR 18170 [Peter Mayne <PeterMayne@SPAM_SUX.ap.spherion.com>]

  *) Do not bypass output filters when redirecting subrequests internally.
     PR 17629.  [André Malo]

  *) OpenSSL headers should be included as "openssl/ssl.h", and not rely on
     the INCLUDE path to be defined properly.
     PR 11310. [Geoff Thrope <geoff@geoffthorpe.net>]

  *) Modify APACHE_CHECK_SSL_TOOLKIT to detect SSL-C. [Madhusudan Mathihalli]
     
  *) Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
     autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc). 
     [Geoff Thorpe <geoff@geoffthorpe.net>]

  *) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
     caching. PR 17864.
     [Andreas Leimbacher <andreasl67@yahoo.de>, Madhusudan Mathihalli]

  *) change directive name from 'compressionlevel' to 'deflatecompressionlevel'
     [Ian Holsman, André Malo]

  *) mod_negotiation: quality values are now parsed independent from
     the current locale. level values are now really parsed as integers.
     PR 17564.  [André Malo]

  *) Linux 2.4+: enable coredumps when Apache is started as root
     if CoreDumpDir is configured [Greg Ames]

  *) Added the WindowsSocketsWorkaround directive for Windows NT/2000/XP
     to work around problems with certain VPN and Firewall products that 
     have buggy AcceptEx implementations.
     [Allan Edwards w/ suggestions from Bill Stoddard & Bill Rowe]

  *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
     the pattern will not always match as desired. PR 12596.
     [André Malo]

  *) mod_autoindex now emits and accepts modern query string parameter
     delimiters (;). Thus column headers no longer contain unescaped
     ampersands. PR 10880  [André Malo]

  *) Extend mod_negotiation to evaluate the environment variables
     no-gzip and gzip-only-text/html the same way as mod_deflate does.
     [André Malo]

  *) mod_rewrite: Fix some problems reporting errors with mapping
     programs (RewriteMap prg:/something).  [Jeff Trawick]

  *) When using Redirect in directory context, append requested query
     string if there's no one supplied by configuration. PR 10961.
     [André Malo]

  *) Fix mod_rewrite's handling of absolute URIs. The escaping routines
     now work scheme dependent and the query string will only be
     appended if supported by the particular scheme.  [André Malo]

  *) Return 413 if chunk-ext-header is too long rather than reading from
     the truncated line.  PR 15857.  [Justin Erenkrantz]

  *) If mod_mime_magic does not know the content-type, do not attempt to
     guess.  PR 16908.  [Andrew Gapon <agapon@telcordia.com>]

  *) Allow restart of httpd to occur even with syntax errors in the config
     file.  PR 16813.  [Justin Erenkrantz]

  *) Use APR_LAYOUT instead of APACHE_LAYOUT in configure.  PR 15679.
     [Justin Erenkrantz]

  *) Remove files on 'make distclean' that should be.  PR 15592.
     [Justin Erenkrantz]

  *) Allow apachectl to perform status with links and elinks as well.
     [Justin Erenkrantz]

  *) Extend the SetEnvIf directive to capture subexpressions of the
     matched value.  [André Malo]

  *) mod_log_config change optional hook to return previous handler
     [Ian Holsman]

  *) Forward port of mod_actions' ability to handle arbitrary methods
     with the Script directive.  [André Malo]

  *) Let suexec send a message to stderr, if it failed or its policy
     was violated. This message appears in the error log and allows
     for easier debugging. PR 5381, 7638, 8255, 10773.  [André Malo]

  *) Modify buildconf to copy all required files into httpd's tree.
     [Thom May <thom@planetarytramp.net>]

  *) Allow mod_dav to do weak entity comparison functions.
     [Justin Erenkrantz]

  *) mod_negotiation: Introduce "prefer-language" environment variable,
     which allows to influence the negotiation process on request basis
     to prefer a certain language.  [André Malo]

  *) Added AllowEncodedSlashes directive which permits request URIs
     to encode '/' as '%2f' and pass it to scripts in path-info without
     triggering the 'no encoded slashes anywhere' legacy rule.
     PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639.  [Ken Coar]

  *) Move RFC 1413 ident requests from core to new module mod_ident.
     [André Malo]

  *) Add mod_authz_owner - a forward port of "Require file-owner"
     and "Require file-group", which was already present in version
     1.3.21.  [André Malo]

  *) Add mod_dav_lock - a generic subset of the DAV locking implementation.
     [Justin Erenkrantz]

  *) Replace some of the mutex locking in the worker MPM with
     atomic operations for higher concurrency.  [Brian Pane]

  *) Allow 'make depend' to work with non-GCC compilers.
     [Justin Erenkrantz]

  *) If an httpd.conf has commented out AddModule directives, 
     apxs -i -a will add an un-commented AddModule directive for 
     the new module, which breaks the config.
     PR: 11212 [Joe Orton]

  *) Fix mod_proxy handling of filtered input bodies.  [Justin Erenkrantz]

  *) Move the check of the Expect request header field after the hook
     for ap_post_read_request, since that is the only opportunity for
     modules to handle Expect extensions.  [Justin Erenkrantz]

  *) Rewrite of aaa modules to an authn/authz model.
     [Dirk-Willem van Gulik, Justin Erenkrantz]


  [Apache 2.1.0-dev includes those bug fixes and changes with the
   Apache 2.0.xx tree as documented, and except as noted, below.]

Changes with Apache 2.0.46

  *) Add code to buildconf that produces an httpd.spec file from
     httpd.spec.in, using build/get-version.sh from APR.
     [Graham Leggett]

  *) Fixed a segfault when multiple ProxyBlock directives were used.
     PR: 19023 [Sami Tikka <sami.tikka@f-secure.com>]

  *) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability 
     identified and reported by Robert Howard <rihoward@rawbw.com> that 
     where device names faulted the running OS2 worker process.
     The fix is actually in APR 0.9.4.  [Brian Havard]

  *) Forward port: Escape special characters (especially control
     characters) in mod_log_config to make a clear distinction between
     client-supplied strings (with special characters) and server-side
     strings. This was already introduced in version 1.3.25.
     [André Malo]

  *) mod_deflate: Check also err_headers_out for an already set
     Content-Encoding: gzip header. This prevents gzip compressed content
     from a CGI script from being compressed once more. PR 17797.
     [André Malo]

Changes with Apache 2.0.45

  *) Fix possible segfaults under obscure error conditions within the
     cgid daemon.  [Jeff Trawick, William Rowe]

  *) SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability
     identified by David Endler <DEndler@iDefense.com> on all platforms.
     An unlimited stream of newlines were acceptable between requests
     where each <lf> would allocate an 80 byte buffer, leading very
     quickly to memory exahustion.  [Brian Pane]

  *) Added an rpm build script.
     [Graham Leggett, Joe Orton <jorton@redhat.com>]

  *) Simpler, faster code path for request header scanning  [Brian Pane]