Newer
Older
*) SECURITY: CVE-2002-0840 (cve.mitre.org)
HTML-escape the address produced by ap_server_signature() against
this cross-site scripting vulnerability exposed by the directive
'UseCanonicalName Off'. Also HTML-escape the SERVER_NAME
environment variable for CGI and SSI requests. It's safe to
escape as only the '<', '>', and '&' characters are affected,
which won't appear in a valid hostname. Reported by Matthew
Murphy <mattmurphy kc.rr.com>. [Brian Pane]
*) Fix a core dump in mod_cache when it attemtped to store uncopyable
buckets. This happened, for instance, when a file to be cached
contained SSI tags to execute a CGI script (passed as a pipe
bucket). [Paul J. Reder]
*) Ensure that output already available is flushed to the network
when the content-length filter realizes that no new output will
be available for a while. This helps some streaming CGIs as
well as some other dynamically-generated content. [Jeff Trawick]
*) Fix a mutex problem in mod_ssl session cache support which
could lead to an infinite loop. PR 12705
Fix the exposure of CGI source when a POST request is sent to
a location where both DAV and CGI are enabled. [Ryan Bloom]
*) Allow the UserDir directive to accept a list of directories.
This matches what Apache 1.3 does. Also add documentation for
*) New Module: mod_logio. adds the ability to log bytes sent and
*) SuExec needs to use the same default directory as the rest of
server, namely /usr/local/apache2.
*) Get mod_auth_ldap to retry connections on LDAP_SERVER_DOWN.
*) Make sure the contents of the WWW-Authenticate header is
passed on a 4xx error by proxy. Previously all headers
were dropped, resulting in the browser being unable to
authenticate. [Dr Richard Reiner <rreiner fscinternet.com>,
Richard Danielli <rdanielli fscinternet.com>, Graham Wiseman
<gwiseman fscinternet.com>, David Henderson
<dhenderson fscinternet.com>]
*) Make mod_cache's CacheMaxStreamingBuffer directive work
properly for virtual hosts that override server-wide mod_cache
*) Add -p option to apxs to allow programs to be compiled with apxs.
[Justin Erenkrantz]
*) SECURITY: CVE-2002-1593 (cve.mitre.org) [CERT VU#406121]
mod_dav: Check for versioning hooks before using them.
*) The protocol version (eg: HTTP/1.1) in the request line parsing
is now case insensitive. [Jim Jagielski]
*) Allow AddOutputFilterByType to add multiple filters per directive.
[Justin Erenkrantz]
*) Remove warnings with Sun's Forte compiler. [Justin Erenkrantz]
*) Fixed mod_disk_cache's generation of 304s
*) Add support for using fnmatch patterns in the final path
segment of an Include statement (eg.. include /foo/bar/*.conf).
and remove the noise on stderr during config dir processing.
*) mod_cache: cache_storage.c. Add the hostname and any request
args to the key generated for caching. This provides a unique
key for each virtual host and for each request with unique
args. [Paul J. Reder, args code provided by Kris Verbeeck]
*) mod_cache: Do not cache responses to GET requests with query
URLs if the origin server does not explicitly provide an
Expires header on the response (RFC 2616 Section 13.9)
*) Fix memory leak in core_output_filter. [Justin Erenkrantz]
*) Update OpenSSL detection to work on Darwin.
*) Update the xslt and css to give the documentation a more
modern style.
[André Malo <nd perlig.de>, Gernot Winkler <greh o3media.de>]
*) Fix some bucket memory leaks in the chunking code
*) Add ModMimeUsePathInfo directive. [Justin Erenkrantz]
*) mod_cache: added support for caching streamed responses (proxy,
CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]
*) Add image/x-icon to httpd.conf PR 10993.
*) Fix FileETags none operation. PR 12207.
*) Restored the experimental leader/followers MPM to working
condition and converted its thread synchronization from
mutexes to atomic CAS. [Brian Pane]
*) Fix Logic on non-html file removal in mod_deflate
*) Fix "ab -g"'s truncated year: the last digit was cut off.
*) mod_rewrite can now sets cookies in err_headers, uses the correct
expiry date, and can now set the path as well
PR 12132,12181,12172.
*) The content-length filter no longer tries to buffer up
the entire output of a long-running request before sending
anything to the client. [Brian Pane]
*) Win32: Lower the default stack size from 1MB to 256K. This will
allow around 8000 threads to be started per child process.
'EDITBIN /STACK:size apache.exe' can be used to change this
value directly in the apache.exe executable.
[Bill Stoddard]
*) Win32: Implement ThreadLimit directive in the Windows MPM.
*) Remove CacheOn config directive since it is set but never checked.
No sense wasting cycles on unused code. Besides, the only truly
bug free code is deleted code. :) [Paul J. Reder]
*) BufferLogs are now run-time enabled, and the log_config now has 2 new
callbacks to allow a 3rd party module to actually do the writing of the
log file [Ian Holsman]
*) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs.
[André Malo, Astrid Keßler <kess kess-net.de>]
*) Fix Segfault in mod_cache. [Kris Verbeeck <Kris.Verbeeck ubizen.com>]
*) Fix a null pointer dereference in the merge_env_dir_configs
function of the mod_env module. PR 11791
[Paul J. Reder]
*) New option to ServerTokens 'maj[or]'. Only show the major version
Also Surfaced this directive in the standard config (default FULL)
[Ian Holsman]
*) Change mod_rewrite to use apr-util's dbm support for dbm rewrite
maps. The dbm type (e.g., ndbm, gdbm) can be specified on the
RewriteMap directive. PR 10644 [Jeff Trawick]
*) Fixed mod_rewrite's RewriteMap prg: support so that request/response
pairs will no longer get out of sync with each other. PR 9534
[Cliff Woolley]
*) Fixes required to get quoted and escaped command args working in
mod_ext_filter. PR 11793 [Paul J. Reder]
*) mod-proxy: handle proxied responses with no status lines
[JD Silvester <jsilves uwo.ca>, Brett Huttley <brett huttley.net>]
*) Fix bug where environment or command line arguments containing
non-ASCII-7 characters would cause the Win32 child process creation
to fail. PR 11854 [William Rowe]
*) Bug #11213.. make module loading error messages more informative
*) thread safety & proxy-ftp [Alexey Panchenko <alexey liwest.ru>, Ian Holsman]
*) mod_disk_cache works much better. This module should still
be considered experimental. [Eric Prud'hommeaux]
*) Performance improvement for keepalive requests: when setting
aside a small file for potential concatenation with the next
response on the connection, set aside the file descriptor rather
than copying the file into the heap. [Brian Pane]
*) Modified version check on openssl so that it finds the executable
first and then performs a check of the version, only warning the
user if they chose, or we selected, an old version of OpenSSL.
This change also allows the code to work for non-openssl libraries
selected via the --with-ssl=dir option, which can override the
automated library check in any case. [Roy Fielding]
*) SECURITY: CVE-2002-0661 (cve.mitre.org)
Close a very significant security hole that
applies only to the Win32, OS2 and Netware platforms. Unix was not
affected, Cygwin may be affected. Certain URIs will bypass security
and allow users to invoke or access any file depending on the system
configuration. Without upgrading, a single .conf change will close
the vulnerability. Add the following directive in the global server
httpd.conf context before any other Alias or Redirect directives;
RedirectMatch 400 "\\\.\."
*) SECURITY: CVE-2002-0654 (cve.mitre.org)
Close a path-revealing exposure in multiview type
map negotiation (such as the default error documents) where the
module would report the full path of the typemapped .var file when
multiple documents or no documents could be served based on the mime
*) SECURITY: CVE-2002-0654 (cve.mitre.org)
Close a path-revealing exposure in cgi/cgid when we
fail to invoke a script. The modules would report "couldn't create
child process /path-to-script/script.pl" revealing the full path
*) Set aside the apr-iconv and apr_xlate() features for the Win32
build of 2.0.40 so development can be completed. A patch, from
<http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
will be available for those that wish to work with apr-iconv.
[William Rowe]
*) Fix proxy so that it is possible to access ftp: URLs via a proxy
*) mod-deflate now checks to make sure that 'gzip-only-text/html' is
Ian Holsman
committed
set to 1, so we can exclude things from the general case with
Ian Holsman
committed
*) Accept multiple leading /'s for requests within the DocumentRoot.
*) Solved the reports of .pdf byterange failures on Win32 alone.
APR's sendfile for the win32 platform collapses header and trailer
buffers into a single buffer. However, we destroyed the pointers
to the header buffer if a trailer buffer was present. PR 10781
[William Rowe]
*) mod_ext_filter: Add the ability to enable or disable a filter via
an environment variable. Add the ability to register a filter of
type other than AP_FTYPE_RESOURCE. [Jeff Trawick]
*) Restore the ability to specify host names on Listen directives.
*) When deciding on the default address family for listening sockets,
make sure we can actually bind to an AF_INET6 socket before
deciding that we should default to AF_INET6. This fixes a startup
problem on certain levels of OpenUNIX. PR 10235. [Jeff Trawick]
Wilfredo Sanchez
committed
*) Replace usage of atol() to parse strings when we might want a
larger-than-long value with apr_atoll(), which returns long long.
This allows HTTPD to deal with larger files correctly.
Wilfredo Sanchez
committed
*) mod_ext_filter: Ignore any content-type parameters when checking if
the response should be filtered. Previously, "intype=text/html"
wouldn't match something like "text/html;charset=8859_1".
[Jeff Trawick]
*) mod_ext_filter: Set up environment variables for external programs.
*) Modified the HTTP_IN filter to immediately append the EOS (end of
stream) bucket for C-L POST bodies, saving a roundtrip and allowing
the caller to determine that no content remains without prefetching
additional POST body. [William Rowe]
*) Get proxy ftp to work over IPv6. [Shoichi Sakane <sakane kame.net>]
*) Look for OpenSSL libraries in /usr/lib64. [Peter Poeml <poeml suse.de>]
*) Changes to the internationalized error documents:
Comment them out in the default config file to make the default
install as simple as possible; Correct the english 500 error to
be more understandable; Add a Swedish translation.
[Thomas Sjogren <thomas northernsecurity.net>,
Erik Abele <erik codefaktor.de>, Rich Bowen, Joshua Slive]
*) Increase the limit on file descriptors per process in apachectl.
[Brian Pane]
*) Fix a dependency error when building ApacheMonitor, so that Win32
and MSVC now trust that the project is current (when it is).
*) mod_ext_filter: don't segfault if content-type is not set. PR 10617.
*) APR-Util Renames pending have been completed [Thom May]
*) Performance improvements for the code that reads request
headers (ap_rgetline_core() and related functions) [Brian Pane]
*) Add a new directive: MaxMemFree. MaxMemFree makes it possible
to configure the maximum amount of memory the allocators will
hold on to for reuse. Anything over the MaxMemFree threshold
will be free()d. This directive is useful when uncommon large
peaks occur in memory usage. It should _not_ be used to mask
defective modules' memory use. [Sander Striker]
*) Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
scripts would not result in a truncated response.
[Ryan Bloom, Justin Erenkrantz, Cliff Woolley]
*) Add a filter_init parameter to the filter registration functions
so that a filter can execute arbitrary code before the handlers
are invoked. This resolves a problem where mod_include requests
would incorrectly return a 304. [Justin Erenkrantz]
*) Fix a long-standing bug in 2.0, CGI scripts were being called
with relative paths instead of absolute paths. Apache 1.3 used
absolute paths for everything except for SuExec, this brings back
that standard. [Ryan Bloom]
Justin Erenkrantz
committed
*) Fix infinite loop due to two HTTP_IN filters being present for
internally redirected requests. PR 10146. [Justin Erenkrantz]
*) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
[Justin Erenkrantz]
*) Fix mod_ext_filter to look in the main server for filter definitions
when running in a vhost if the filter definition is not found in
the vhost. PR 10147 [Jeff Trawick]
*) Support WinNT CGI invocation through ScriptInterpreterSource
'registry' for script interpreter paths and names with non-ascii
characters in the executable filepath. [William Rowe]
*) Support the -w flag on to keep the Win32 console open on error.
[William Rowe]
*) Normalize the hostname value in the request_rec to all-lowercase
*) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
extended characters (non US-ASCII) in non-utf8 format. This brings
Win32 back into CGI/1.1 compliance, and leaves charset decoding up
to the cgi application itself. [William Rowe]
*) Major overhaul of mod_dav, mod_dav_fs and the experimental/cache
modules to bring them up to the current apr/apr-util APIs.
[William Rowe]
Bill Stoddard
committed
*) Fix segfault in mod_mem_cache most frequently observed when
serving the same file to multiple clients on an MP machine.
[Bill Stoddard]
*) mod_rewrite can now set cookies (RewriteRule (.*) - [CO=name:$1:.domain])
*) Fix perchild to work with apachectl by adding -k support to perchild.
PR 10074 [Jeff Trawick]
*) Fix a silly htpasswd.c logic error that incorrectly reported that
both -c and -n had been used. PR 9989 [Cliff Woolley]
*) Fixed a mod_include error case in which no HTTP response was sent
to the client if an shtml document contained an unterminated SSI
directive [Brian Pane]
*) Improve ap_get_client_block implementation by using APR-util brigade
helper functions and relying on current filter assumptions.
[Justin Erenkrantz]
*) Fixed a build problem in htpasswd.c on Win32.
*) Rewrite htpasswd to use APR. The removes the annoying warning about
tmpnam being unsafe. [Ryan Bloom]
*) We must set the MIME-type for .shtml files to text/html if we want them
to be parsed for SSI tags. Add the config for that to the default
config file so that it is easier to enable .shtml parsing.
*) Fixed a problem with 'make install' on ReliantUnix.
*) Make the default_handler catch all requests that aren't served by
another handler. This also gets us to return a 404 if a directory
is requested, there is no DirectoryIndex, and mod_autoindex isn't
loaded. [Justin Erenkrantz]
*) Fixed the handling of nested if-statements in shtml files.
PR 9866 [Brian Pane]
*) Allow 'make install DESTDIR=/path'. This allows packagers to install
into a directory different from the one that was configured. This
also mirrors the root= feature from 1.3. We cannot use prefix=,
because both APR and APR-util resolve their installation paths at
configuration time. This means that there is no variable prefix
*) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.
These levels of AIX don't have a thundering herd problem with
accept(). [Jeff Trawick]
*) prefork MPM: Ignore mutex errors during graceful restart. For
certain types of mutexes (particularly SysV semaphores), we
should expect to occasionally fail to obtain or release the
mutex during restart processing. [Jeff Trawick]
*) Fix install-bindist.sh so that it finds any perl instead of just
early perl 5.x versions. This is consistent with a build/install
from source, and it allows the perl scripts installed by a bindist
to work on systems with perl 5.6. [Jeff Trawick]
*) Fix apxs so that the makefile created by "apxs -g" works on AIX and
Tru64 (and probably some other platforms). [Jeff Trawick]
Justin Erenkrantz
committed
*) Allow CGI scripts to return their Content-Length. This also fixes a
hang on HEAD requests seen on certain platforms (such as FreeBSD).
[Justin Erenkrantz]
*) Added log rotation based on file size to the RotateLog support
utility. [Brad Nicholes]
*) Fix some casting in mod_rewrite which broke random maps.
PR 9770 [Allan Edwards, Greg Ames, Jeff Trawick]
*) allow POST method over SSL when per-directory client cert
authentication is used with 'SSLOptions +OptRenegotiate' enabled
and a client cert was found in the ssl session cache.
*) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
session cache when there is no cert chain in the cache. prior to
the fix this situation would result in a FORBIDDEN response and
error message "Cannot find peer certificate chain"
[Doug MacEachern]
*) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
one was already sent. PR 9644 [Jeff Trawick]
*) Fix the display of the default name for the mime types config
*) Fix the working directory *for WinNT/2K/XP services only* to
change to the Apache directory (one level above the location
of Apache.exe, in the case that Apache.exe resides in bin/.)
Solves the case of ServerRoot /foo paths where /foo was not
on the same drive as /winnt/system32. [William Rowe]
*) Make 2.0's "AcceptMutex" startup message now "completely"
match how 1.3 does it. [Jim Jagielski]
*) Implement a fixed size memory cache using a priority queue
[Ian Holsman]
*) Fix apxs to allow "apxs -q installbuilddir" and to allow
querying certain other variables from config_vars.mk. PR 9316
[Jeff Trawick]
*) Added the "detached" attribute to the cgi_exec_info_t internals
so that Win32 and Netware won't create a new window or console
for each CGI invoked. PR 8387
[Brad Nicholes, William Rowe]
*) Consolidated the command line parameters and attributes that are
manipulated by the optional function ap_cgi_build_command() in
mod_cgi into a single structure.
[Brad Nicholes]
*) Get rid of uninitialized value errors with "apxs -q" on certain
*) Fix apxs to allow it to work when the build directory is somewhere
besides server-root/build. PR 8453
[Jeff Trawick and a host of others]
*) Allow ap_discard_request_body to be called multiple times in the
same request. Essentially, ap_http_filter keeps track of whether
it has sent an EOS bucket up the stack, if so, it will only ever
send an EOS bucket for this request.
[Ryan Bloom, Justin Erenkrantz, Greg Stein]
*) Remove all special mod_ssl URIs. This also fixes the bug where
redirecting (.*) will allow an SSL protected page to be viewed
without SSL. [Ryan Bloom]
*) Fix the binary build install script so that the build logic
created by "apxs -g" will work when the user has a binary
build. [Jeff Trawick]
Justin Erenkrantz
committed
*) Allow instdso.sh to work with full paths to the shared module.
[Justin Erenkrantz]
*) NetWare: Enabled CGI functionality and added mod_cgi as a built
in module for NetWare [Brad Nicholes]
*) Changed cgi and piped log behavior to accept 65536 characters
on Win32 (matching Linux) before deadlocking between outputing
client stdin, slurping the output from stdout and then the stderr
stream. PR 8179 [William Rowe]
*) Fixed Win32 wintty.exe support to assure the window title is valid.
Elimiates possible gpfault or garbage title without the -t option.
[William Rowe]
*) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use
brigades and input filters. [Justin Erenkrantz]
Justin Erenkrantz
committed
*) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request
body. [Justin Erenkrantz]
*) NetWare: Piping log entries through RotateLogs using the
CustomLogs directive is finally supported now that we have
*) SECURITY: CVE-2002-0392 (cve.mitre.org) [CERT VU#944335]
Detect overflow when reading the hex bytes forming a chunk line.
[Aaron Bannert]
*) Allow RewriteMap prg:'s to take command-line arguments. PR 8464.
*) Correctly return 413 when an invalid chunk size is given on
input. Also modify ap_discard_request_body to not do anything
on sub-requests or when the connection will be dropped.
[Justin Erenkrantz]
*) Fix the TIME_* SSL var lookups to be threadsafe. PR 9469.
[Cliff Woolley]
*) Ensure that apr_brigade_write() flushes in all of the cases that
it should to avoid conditions in some modules that could cause
large amounts of data to be buffered. [Cliff Woolley]
*) Fix problem where mod_cache/mod_disk_cache was incorrectly
stripping the content_type from cached responses.
[Bill Stoddard]
*) apachectl passes through any httpd options. Note: apachectl
should be used in preference to httpd since it ensures that any
appropriate environment variables have been set up.
[Jeff Trawick]
*) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.
*) Fix suexec execution of CGI scripts from mod_include.
*) Fix segfaults at startup on some platforms when mod_auth_digest,
mod_suexec, or mod_ssl were used as DSO's due to the way they
were tracking the current init phase since DSO's get completely
unloaded and reloaded between phases. PR 9413.
*) Fix mod_include's handling of regular expressions in
*) Fix the worker MPM deadlock problem [Brian Pane]
*) Modify the module documentation to allow for translations.
[Yoshiki Hayashi, Joshua Slive]
*) Fix a file permissions problem which prevented mod_disk_cache
from working on Unix. [Jeff Trawick]
*) Add "-k start|restart|graceful|stop" support to httpd for the Unix
MPMs. These have semantics very similar to the old apachectl
commands of the same name. [Justin Erenkrantz, Jeff Trawick]
*) Make sure that the runtime dir is created by make install.
PR 9233. [Jeff Trawick]
*) Fix an unusual set of ./configure arguments that could cause
mod_http to be built as a DSO, which it currently doesn't
support. PR 9244.
*) Win32: Fix bug in apr_sendfile() that caused incorrect operation
of the %X, %b and %B logformat options. PR 8253, 8996.
[Bill Stoddard]
*) If content-encoding is already present, do not run deflate (PR 9222)
*) The APLOG_NOERRNO flag to ap_log_[r]error() is now deprecated.
It is currently ignored and it will be removed in a future release
of Apache. [Jeff Trawick]
*) Removed documentation references to the no-longer-supported
"make certificate" feature of mod_ssl for Apache 1.3.x. Test
certificates, if truly desired, can be generated using openssl
commands. PR 8724. [Cliff Woolley]
Justin Erenkrantz
committed
*) Remove SSLLog and SSLLogLevel directives in favor of having
mod_ssl use the standard ErrorLog directives. [Justin Erenkrantz]
*) OS/390: LIBPATH no longer has to be manually uncommented in
envvars to get apachectl to set up httpd properly. [Jeff Trawick]
*) mod_isapi: All mod_isapi directives, excluding ISAPICacheFile,
may now be specified to the <File/Directory > container, rather
than by vhost. [William Rowe]
*) mod_isapi: Experimental support for faux async support for ISAPI
modules. [William Rowe]
*) mod_isapi: Major refactoring of the code to rely on apr internals
rather than MS APIs (using our own mod_isapi.h headers for ISAPI
symbol definitions.) [William Rowe]
*) mod_isapi: Fixed the return string length from GetServerVariable
callback, it was not including the trailing null in the consumed
buffer size. This was particularly bad for Delphi 6.0 users.
*) Fixed Win32 builds for Microsoft VisualStudio 7.0 (.net).
[William Rowe]
*) Make apxs look in the correct directory for envvars. It was
broken when sbindir != bindir. PR 8869
[Andreas Sundström <sunkan zappa.cx>]
*) Fix mod_deflate corruption when using multiple buckets. PR 9014.
*) Performance enhancements for access logger when using
default timestamp formatting [Brian Pane]
*) Added EnableMMAP config directive to enable the server
administrator to disable memory-mapping of delivered files
on a per-directory basis. [Brian Pane]
*) Performance enhancements for mod_setenvif [Brian Pane]
*) Fix a mod_ssl build problem on OS/390. [Jeff Trawick]
*) Fixed If-Modified-Since on Win32, which would give false positives
because of the sub-second resolution of file timestamps on that
platform. [Cliff Woolley]
*) Reverse the hook ordering for mod_userdir and mod_alias so
that Alias/ScriptAlias will override Userdir. PR 8841
[Joshua Slive]
*) Move mod_deflate out of experimental and into filters.
[Justin Erenkrantz]
*) Get proxy CONNECT basically working. [Jeff Trawick]
*) Fix mod_rewrite hang when APR uses SysV Semaphores and
RewriteLogLevel is set to anything other than 0. PR: 8143
[Aaron Bannert, Cliff Woolley]
*) Fix byterange requests from returning 416 when using dynamic data
(such as filters like mod_include). [Justin Erenkrantz]
*) Allow mod_rewrite's set of "int:" internal RewriteMap functions
to be extended by third-party modules via an optional function.
[Tahiry Ramanamampanoharana <nomentsoa hotmail.com>, Cliff Woolley]
*) Fix mod_include expression parser's handling of unquoted strings
followed immediately by a closing paren. PR 8462. [Brian Pane]
*) Remove autom4te.cache in 'make distclean'.
*) Fix generated httpd.conf to respect layout for LoadModule lines.
*) Win32: During a graceful restart, threads in the new process
were accessing scoreboard slots still in use by active threads in
*) Fix some minor formatting issues with ab. Part of this is
in reference to PR 8544, the rest I noticed while testing
the PR fix. [Paul J. Reder]
*) Fix a case where an invalid pass phrase is entered and an
error message is given, but the prompt is not shown again.
*) Close sockets on worker MPM when doing a graceless restart.
[Aaron Bannert]
*) Reverted a minor optimization in mod_ssl.c that used the vhost ID
as the session id context rather that a MD5 hash of that vhost ID,
because it caused very long vhost id's to be unusable with mod_ssl.
PR 8572. [Cliff Woolley]
*) Fix the link to the description of the CoredumpDirectory
directive in the server-wide document. PR 8643. [Jeff Trawick]
*) Fixed SHMCB session caching. [Aaron Bannert, Cliff Woolley]
*) Synced with remaining changes from mod_ssl 2.8.8-1.3.24:
- Avoid SIGBUS on sparc machines with SHMCB session caches
- Allow whitespace between the pipe and the name of the
program in SSLLog "| /path/to/program". [Cliff Woolley]
*) Introduce mod_ext_filter and mod_deflate experimental modules
to the Win32 build (zlib sources must be in srclib\zlib.)
[William Rowe]
*) Changes to the worker MPM's queue management and thread
synchronization code to reduce mutex contention [Brian Pane]
*) Don't install *.in configuration files since we already install
*-std.conf files. [Aaron Bannert]
*) Many improvements to the threadpool MPM. [Aaron Bannert]
Justin Erenkrantz
committed
*) Fix subreqs that are promoted via fast_redirect from having invalid
frec->r structures. This would cause subtle errors later on in
request processing such as seen in PR 7966. [Justin Erenkrantz]
*) More efficient pool recycling logic for the worker MPM [Brian Pane]
*) Modify the worker MPM to not accept() new connections until
there is an available worker thread. This prevents queued
connections from starving for processing time while long-running
connections were hogging all the available threads. [Aaron Bannert]
*) Convert the worker MPM's fdqueue from a LIFO back into a FIFO.
[Aaron Bannert]
*) Get basic HTTP proxy working on EBCDIC machines. [Jeff Trawick]
*) Allow mod_unique_id to work on systems with no IPv4 address
corresponding to their host name. [Jeff Trawick]
Justin Erenkrantz
committed
*) Fix suexec behavior with user directories. PR 7810.
Justin Erenkrantz
committed
Justin Erenkrantz
committed
*) Reject a blank UserDir directive since it is ambiguous. PR 8472.
[Justin Erenkrantz]
*) Make mod_mime use case-insensitive matching when examining
extensions on all platforms. PR 8223. [Justin Erenkrantz]
*) Add an intelligent error message should no proxy submodules be
valid to handle a request. PR 8407 [Graham Leggett]
*) Major improvements in concurrent processing for AB by enabling
non-blocking connect()s and preventing APR from doing blocking
read()s. Also implement fatal error checking for apr_recv().
[Aaron Bannert]
*) Fix Win32 NTFS Junctions (symlinks). PR 8014 [William Rowe]
*) Fix Win32 'short name' aliases in httpd.conf directives.
PR 8009 [William Rowe]
*) Fix generation of default httpd.conf when the layout paths are
disjoint. PR 7979, 8227. [Justin Erenkrantz]
*) Swap downgrade-1.0 and force-response-1.0 conditional checks so
that downgraded responses can have force-response. PR 8357.
[Justin Erenkrantz]
*) Fix perchild MPM so that it can be configured with the move to the
*) Fix perchild MPM so that it uses ap_gname2id for groups instead of
*) Fix AcceptPathInfo. PR 8234 [Cliff Woolley]
*) SECURITY: CVE-2002-1592 (cve.mitre.org) [CERT VU#165803]
Added the APLOG_TOCLIENT flag to ap_log_rerror() to
explicitly tell the server that warning messages should be sent
to the client in addition to being recorded in the error log.
Prior to this change, ap_log_rerror() always sent warning
messages to the client. In one case, a faulty CGI script caused
the server to send a warning message to the client that contained
the full path to the CGI script. This could be considered a
minor security exposure. [Bill Stoddard]
*) mod_autoindex output when SuppressRules was specified would
omit the first carriage return so the first item in the list
would appear to the right of the column headings instead of
*) Moved the call to apr_mmap_dup outside the error branch so
that it would actually get called. This fixes a core dump
at init everytime you use the MMapFile directive. PR 8314
[Paul J. Reder]
*) Trigger an error when a LoadModule directive attempts to
load a module which is built-in. This is a common error when
switching from a DSO build to a static build. [Jeff Trawick]
*) Change instdso.sh to use libtool --install everywhere and then
clean up some stray files and symlinks that libtool leaves around
on some platforms. This gets subversion building properly since
it needed a re-link to be performed by libtool at install time,
and the old instdso.sh logic to simply cp the DSO didn't handle
that requirement. [Sander Striker]
*) Allow VPATH builds to succeed when configured from an empty
*) Fix 'control reaches end of non-void function' warning in
*) Perchild MPM is now correctly deemed as experimental and is now
located in server/mpm/experimental. [Justin Erenkrantz]
*) Fix segfault in mod_mem_cache when garabge collecting an expired
cache entry. [Bill Stoddard]
*) Introduced -E startup_logfile_name option to httpd to allow admins
to begin logging errors immediately. This provides Win32 users
an alternative to sending startup errors to the event viewer, and
allows other daemon tool authors an alternative to logging to stderr.
[William Rowe]
*) Fix subreqs with non-defined Content-Types being served improperly.
[Justin Erenkrantz]
*) Merge in latest GNU config.guess and config.sub files. PR 7818.
[Justin Erenkrantz]
*) Move 100 - Continue support to the HTTP_IN filter so that filters
are guaranteed to support 100 - Continue logic without any
intervention. [Justin Erenkrantz]
Justin Erenkrantz
committed
*) Add HTTP chunked input trailer support. [Justin Erenkrantz]
*) Rename and export get_mime_headers as ap_get_mime_headers.
[Justin Erenkrantz]
*) Allow empty Host: header arguments. PR 7441. [Justin Erenkrantz]
*) Properly substitute sbindir as httpd's location in apachectl. PR 7840.
*) Allow Win32 shebang scripts to follow the path (or omit the .exe
suffix from the shebang command), and allow ScriptInterpreterSource
Registry or RegistryStrict to override shebang lines, as 1.3 did.
*) worker MPM: Fix a situation where a child exited without releasing
the accept mutex. Depending on the OS and mutex mechanism this
could result in a hang. [Jeff Trawick]
*) Update the instructions for how to get started with mod_example.
[Stas Bekman]
*) Fix PidFile to default to rel_runtimedir instead of
rel_logfiledir. PR 7841. [Andreas Hasenack <andreas netbank.com.br>]
Bill Stoddard
committed
*) Win32: Fix problem that caused rapid performance degradation
when number of connecting clients exceeded ThreadsPerChild.
[Bill Stoddard]
*) Fixed a segfault parsing large SSIs on non-mmap systems.
[Brian Havard]
*) Proxy was bombing out every second keepalive request, caused by a
stray CRLF before the second response's status line. Proxy now
tries to read one more line if it encounters a CRLF where it
expected a status. PR 10010 [Graham Leggett]
*) Deprecated the apr_lock.h API. Please see the following files
for the improved thread and process locking and signaling:
apr_proc_mutex.h, apr_thread_mutex.h, apr_thread_rwlock.h,
apr_thread_cond.h, and apr_global_mutex.h. [Aaron Bannert]
*) Change mod_status to use scoreboard accessor functions so it can
be used in any MPM without having to be recompiled.
*) Fix parsing of some AP_DECLARE_DATA declarations so that the filter
handle declarations are recognized. This fixes problems loading
mod_autoindex on some platforms. [Brian Havard]
*) add optional fixup hook to proxy [Daniel Lopez <daniel covalent.net>]
*) Remind the admin about the User and Group directives when we are
unable to set permissions on a semaphore. PR 7812 [Jeff Trawick]
*) fix possible compilation problem in ssl_engine_kernel.c. PR 7802
[Doug MacEachern]
*) fix possible infinite loop in mod_ssl triggered by certain
netscape clients [Doug MacEachern]
*) fix ProxyPass when frontend is https and backend is http
[Doug MacEachern]
*) Add DASL support to mod_dav
Changes with Apache 2.0.35
*) mod_rewrite: updated to use the new APR global mutex type.
[Aaron Bannert]
*) Fixes for mod_include errors on boundary conditions in which
"<!--#" occurs at the very end of a bucket
[Paul Reder, Brian Pane]
*) worker, prefork, perchild, beos MPMs: Add -DFOREGROUND switch to
cause the Apache parent process to run in the foreground (similar to
-DNO_DETACH except that it doesn't switch session ids).
[Jeff Trawick]
Jim Jagielski
committed
*) Added support for Posix semaphore mutex locking (AcceptMutex posixsem)
for those platforms that support it. If using the default
implementation, this is between pthread and sysvsem in priority.
This implies it's the new default for Darwin. [Jim Jagielski]
*) AIX: Fix the syntax for setting the LDR_CNTRL and AIXTHREAD_SCOPE
environment variables in the envvars file. [Jeff Trawick]
*) worker MPM: Don't create a listener thread until we have a worker
thread. Otherwise, in situations where we'll have to wait a while
to take over scoreboard slots from a previous generation, we'll be
accepting connections we can't process yet. [Jeff Trawick]
*) Allow worker MPM to build on systems without pthread_kill().
[Pier Fumagalli, Jeff Trawick]
*) Prevent ap_add_output_filters_by_type from being called in
ap_set_content_type if the content-type hasn't changed.
[Justin Erenkrantz]
*) Performance: implemented the bucket allocator made possible by the
API change in 2.0.34. [Cliff Woolley]
*) Don't allow initialization to succeed if we can't get a socket
corresponding to one of the Listen statements. [Jeff Trawick]
*) Allow all Perchild directives to accept either numerical UID/GID
*) Make Perchild compile cleanly and serve pages again. [Ryan Bloom]
*) implement ssl proxy to support ProxyPass / https:// and the
SSLProxy* directives [Doug MacEachern]
*) Update mod_cgid to not do single-byte socket reads for CGI headers
[Brian Pane]
*) Made AB's use of the Host: header rfc2616 compliant
*) The old, legacy (and unused) code in which the scoreboard was totally
and completely contained in a file (SCOREBOARD_FILE) has been
removed. This does not affect scoreboards which are *mapped* to
files using named-shared-memory. [Jim Jagielski]
*) Change bucket brigades API to allow a "bucket allocator" to be
passed in at certain points. This allows us to implement freelists
so that we can stop using malloc/free so frequently.
[Cliff Woolley, Brian Pane]
*) Add support for macro expansion within the variable names in
<!--#echo--> and <!--#set--> directives [Brian Pane]
*) Fix some mod_include segfaults [Cliff Woolley, Brian Pane, Brad Nicholes]
*) Update the "RedHat" Layout to match Red Hat Linux version 7. PR BZ-7422
*) add compat layer to support RSA SSLC 1.x and 2.x in mod_ssl
[Jon Travis, John Barbee, William Rowe, Ryan Bloom, Doug MacEachern]
*) Add a new parameter to the quick_handler hook to instruct
quick handlers to optionally do a lookup rather than actually
serve content. This is the first of several changes required fix
several problems with how quick handlers work with subrequests.
[Bill Stoddard]