Skip to content
CHANGES 548 KiB
Newer Older
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
Changes with Apache 2.0.44
  *) mod_cache: Don't cache response header fields designated
     as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1).
     [Estrade Matthieu <estrade-m@ifrance.com>, Brian Pane]

  *) mod_cgid: Handle environment variables containing newlines.
     PR 14550  [Piotr Czejkowski <apache@czarny.eu.org>, Jeff
     Trawick]

  *) Move mod_ext_filter out of experimental and into filters.
     [Jeff Trawick]

  *) Fixed a memory leak in mod_deflate with dynamic content.
     PR 14321  [Ken Franken <kfranken@decisionmark.com>]

  *) Add --[enable|disable]-v4-mapped configure option to control
     whether or not Apache expects to handle IPv4 connections
     on IPv6 listening sockets.  Either setting will work on 
     systems with the IPV6_V6ONLY socket option.  --enable-v4-mapped
     must be used on systems that always allow IPv4 connections on
     IPv6 listening sockets.  PR 14037 (Bugzilla), PR 7492 (Gnats)
     [Jeff Trawick]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) This fixes a problem where the underlying cache code
     indicated that there was one more element on the cache
     than there actually was. This happened since element 0
     exists but is not used. This code allocates the correct
     number of useable elements and reports the number of
     actually used elements. The previous code only allowed
     MCacheMaxObjectCount-1 objects to be stored in the
     cache. [Paul J. Reder]

  *) mod_setenvif: Add SERVER_ADDR special keyword to allow
     envariable setting according to the server IP address
     which received the request.  [Ken Coar]

  *) mod_cgid: Terminate CGI scripts when the client connection 
     drops.  PR 8388  [Jeff Trawick]

  *) Rearrange OpenSSL engine initialization to support RAND 
     redirection on crypto accelerator. 
     [Frederic DONNAT <frederic.donnat@zencod.com>]

  *) Always emit Vary header if mod_deflate is involved in the
     request.  [Andre Malo <nd@perlig.de>]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) mod_isapi: Stop unsetting the 'empty' query string result with
     a NULL argument in ecb->lpszQueryString, eliminating segfaults
     for some ISAPI modules.  PR 14399
     [Detlev Vendt <detlev.vendt@brillit.de>]

  *) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION
     notification is received before the HttpExtensionProc() returns 
     HSE_STATUS_PENDING.  This only affected isapi .dll's configured 
     with the ISAPIFakeAsync on directive.  PR 11918
     [John DeSetto <jdesetto@radiantsystems.com>, William Rowe]

  *) mod_isapi: Fix the issue where all results from mod_isapi would
     run through the core die handler resulting in invalid responses
     or access log entries.  PR 10216 [William Rowe]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Improves the user friendliness of the CacheRoot processing
     over my last pass. This version avoids the pool allocations
     but doesn't avoid all of the runtime checks. It no longer
     terminates during post-config processing. An error is logged
     once per worker, indicating that the CacheRoot needs to be set.
     [Paul J. Reder]

  *) Fix a bug where we keep files open until the end of a 
     keepalive connection, which can result in:
     (24)Too many open files: file permissions deny server access
     especially on threaded servers.  [Greg Ames, Jeff Trawick]

  *) Fix a bug in which mod_proxy sent an invalid Content-Length
     when a proxied URL was invoked as a server-side include within
     a page generated in response to a form POST.  [Brian Pane]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Added code to process min and max file size directives and to
     init the expirychk flag in mod_disk_cache. Added a clarifying
     comment to cache_util.   [Paul J. Reder]

  *) The value emitted by ServerSignature now mimics the Server HTTP
     header as controlled by ServerTokens.  [Francis Daly <deva@daoine.org>]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Gracefully handly retry situations in the SSL input filter,
     by following the SSL libraries' retry semantics.
     [William Rowe]

  *) Terminate CGI scripts when the client connection drops.  This
     fix only applies to some normal paths in mod_cgi.  mod_cgid
     is still busted.  PR 8388  [Jeff Trawick]

  *) Fix a bug where 416 "Range not satisfiable" was being
     returned for content that should have been redirected.
     [Greg Ames]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix memory leak in mod_ssl from internal SSL library allocations
     within SSL_get_peer_certificate and X509_get_pubkey.
     [Zvi Har'El <rl@math.technion.ac.il>
      Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>].

  *) mod_ssl uses free() inappropriately in several places, to free
     memory which has been previously allocated inside OpenSSL.
     Such memory should be freed with OPENSSL_free(), not with free().
     [Nadav Har'El <nyh@math.technion.ac.il>,
      Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>].

  *) Emit a message to the error log when we return 404 because
     the URI contained '%2f'.  (This was previously nastily silent
     and difficult to debug.)  [Ken Coar]

  *) Fix streaming output from an nph- CGI script.  CGI:IRC now
     works.  PR 8482  [Jeff Trawick]

  *) More accurate logging of bytes sent in mod_logio when
     the client terminates the connection before the response
     is completely sent  [Bojan Smojver <bojan@rexursive.com>]

  *) Fix some problems in the perchild MPM.  
     [Jonas Eriksson <jonas@webkonsulterna.com>]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Change the CacheRoot processing to check for a required
     value at config time. This saves a lot of wasted processing
     if the mod_disk_cache module is loaded but no CacheRoot
     was provided. This fix also adds code to log an error
     and avoid useless pallocs and procesing when the computed
     cache file name cannot be opened. This also updates the
     docs accordingly.  [Paul J. Reder]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Introduce the EnableSendfile directive, allowing users of NFS 
     shares to disable sendfile mechanics when they either fail
     outright or provide intermitantly corrupted data.  PR 
     [William Rowe]

  *) Resolve the error "An operation was attempted on something 
     that is not a socket.  : winnt_accept: AcceptEx failed. 
     Attempting to recover." for users of various firewall and
     anti-virus software on Windows.  PR 8325  [William Rowe]

  *) Add the ProxyBadHeader directive, which gives the admin some
     control on how mod_proxy should handle bogus HTTP headers from
     proxied servers. This allows 2.0 to "emulate" 1.3's behavior if
     desired. [Jim Jagielski]

  *) Change the LDAP modules to export their symbols correctly
     during a Windows build. Add dsp files for Windows. Update
     README.ldap file for Windows build instructions.
     [Andre Schild <A.Schild@aarboard.ch>]

  *) Performance improvements for the code that generates HTTP
     response headers  [Brian Pane]

  *) Add -S as a synonym for -t -DDUMP_VHOSTS.
     [Thom May <thom@planetarytramp.net>]

  *) Fix a bug with dbm rewrite maps which caused the wrong value to
     be used when the key was not found in the dbm.  PR 13204
     [Jeff Trawick]

  *) Fix a problem with streaming script output and mod_cgid.
     [Jeff Trawick]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Add ap_register_provider/ap_lookup_provider API.
     [John K. Sterling <john@sterls.com>, Justin Erenkrantz]

  *) Rewrite of aaa modules to an authn/authz model.
     [Dirk-Willem van Gulik, Justin Erenkrantz]

Changes with Apache 2.0.43

  *) SECURITY: [CAN-2002-0840] HTML-escape the address produced by 
     ap_server_signature() against this cross-site scripting 
     vulnerability exposed by the directive 'UseCanonicalName Off'.  
     Also HTML-escape the SERVER_NAME environment variable for CGI 
     and SSI requests.  It's safe to escape as only the '<', '>', 
     and '&' characters are affected, which won't appear in a valid 
     hostname.  Reported by Matthew Murphy <mattmurphy@kc.rr.com>.
     [Brian Pane]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Fix a core dump in mod_cache when it attemtped to store uncopyable
     buckets. This happened, for instance, when a file to be cached
     contained SSI tags to execute a CGI script (passed as a pipe
     bucket). [Paul J. Reder]

  *) Ensure that output already available is flushed to the network
     when the content-length filter realizes that no new output will
     be available for a while.  This helps some streaming CGIs as
     well as some other dynamically-generated content.  [Jeff Trawick]

  *) Fix a mutex problem in mod_ssl session cache support which
     could lead to an infinite loop.  PR 12705  
     [amund.elstad@ergo.no (Amund Elstad), Jeff Trawick]

  *) SECURITY: CAN-2002-1156 (cve.mitre.org)
      Fix the exposure of CGI source when a POST request is sent to 
      a location where both DAV and CGI are enabled. [Ryan Bloom]
  *) Allow the UserDir directive to accept a list of directories.
     This matches what Apache 1.3 does.  Also add documentation for
Loading full blame...