Skip to content
CHANGES 541 KiB
Newer Older
Changes with Apache 2.0.43

  *) SECURITY: [CAN-2002-0840] HTML-escape the address produced by 
     ap_server_signature() against this cross-site scripting 
     vulnerability exposed by the directive 'UseCanonicalName Off'.  
     Also HTML-escape the SERVER_NAME environment variable for CGI 
     and SSI requests.  It's safe to escape as only the '<', '>', 
     and '&' characters are affected, which won't appear in a valid 
     hostname.  Reported by Matthew Murphy <mattmurphy@kc.rr.com>.
     [Brian Pane]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Fix a core dump in mod_cache when it attemtped to store uncopyable
     buckets. This happened, for instance, when a file to be cached
     contained SSI tags to execute a CGI script (passed as a pipe
     bucket). [Paul J. Reder]

  *) Ensure that output already available is flushed to the network
     when the content-length filter realizes that no new output will
     be available for a while.  This helps some streaming CGIs as
     well as some other dynamically-generated content.  [Jeff Trawick]

  *) Fix a mutex problem in mod_ssl session cache support which
     could lead to an infinite loop.  PR 12705  
     [amund.elstad@ergo.no (Amund Elstad), Jeff Trawick]

  *) SECURITY: Allow POST requests and CGI scripts to work when DAV 
     is enabled on the location.  [Ryan Bloom]
  *) Allow the UserDir directive to accept a list of directories.
     This matches what Apache 1.3 does.  Also add documentation for
     this feature. [Jay Ball <jay@veggiespam.com>]

Ian Holsman's avatar
Ian Holsman committed
  *) New Module: mod_logio. adds the ability to log bytes sent and
     received. [Bojan Smojver <bojan@rexursive.com>]

  *) SuExec needs to use the same default directory as the rest of
     server, namely /usr/local/apache2.  
     [SangBeom han <sbhan@os.korea.ac.kr>]

  *) Get mod_auth_ldap to retry connections on LDAP_SERVER_DOWN.
     [Thomas Bennett <thomas.bennett@eds.com>, Graham Leggett]

  *) Make sure the contents of the WWW-Authenticate header is
     passed on a 4xx error by proxy. Previously all headers
     were dropped, resulting in the browser being unable to
     authenticate. [Dr Richard Reiner <rreiner@fscinternet.com>,
     Richard Danielli <rdanielli@fscinternet.com>, Graham Wiseman
     <gwiseman@fscinternet.com>, David Henderson
     <dhenderson@fscinternet.com>]

  *) Make mod_cache's CacheMaxStreamingBuffer directive work
     properly for virtual hosts that override server-wide mod_cache
     setttings.  [Matthieu Estrade <estrade-m@ifrance.com>]

  *) Add -p option to apxs to allow programs to be compiled with apxs.
     [Justin Erenkrantz]

Sander Striker's avatar
Sander Striker committed
Changes with Apache 2.0.42

Sander Striker's avatar
Sander Striker committed
  *) mod_dav: Check for versioning hooks before using them.
     [Greg Stein]
Sander Striker's avatar
Sander Striker committed
Changes with Apache 2.0.41
  *) The protocol version (eg: HTTP/1.1) in the request line parsing
     is now case insensitive. [Jim Jagielski]

  *) Allow AddOutputFilterByType to add multiple filters per directive.
     [Justin Erenkrantz]

  *) Remove warnings with Sun's Forte compiler.  [Justin Erenkrantz]

  *) Fixed mod_disk_cache's generation of 304s
     [Kris Verbeeck <Kris.Verbeeck@ubizen.com>]

  *) Add support for using fnmatch patterns in the final path
     segment of an Include statement (eg.. include /foo/bar/*.conf).
     and remove the noise on stderr during config dir processing.
     [Joe Orton <jorton@redhat.com>]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) mod_cache: cache_storage.c. Add the hostname and any request
     args to the key generated for caching. This provides a unique
     key for each virtual host and for each request with unique
     args. [Paul J. Reder, args code provided by Kris Verbeeck]

  *) mod_cache: Do not cache responses to GET requests with query
     URLs if the origin server does not explicitly provide an
     Expires header on the response (RFC 2616 Section 13.9)
     [Kris Verbeeck krisv@be.ubizen.com]
  *) Fix memory leak in core_output_filter.  [Justin Erenkrantz]

  *) Update OpenSSL detection to work on Darwin.
     [Sander Temme <sctemme@covalent.net>]

  *) Update the xslt and css to give the documentation a more
     modern style.
     [André Malo <nd@perlig.de>, Gernot Winkler <greh@o3media.de>]
  *) Fix some bucket memory leaks in the chunking code
     [Joe Schaefer <joe+apache@sunstarsys.com>]

  *) Add ModMimeUsePathInfo directive.  [Justin Erenkrantz]

  *) mod_cache: added support for caching streamed responses (proxy,
     CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]

  *) Add image/x-icon to httpd.conf PR 10993.
     [Ian Holsman, Peter Bieringer <pb@bieringer.de>]

  *) Fix FileETags none operation.  PR 12207.
     [Justin Erenkrantz, Andrew Ho <andrew@tellme.com>]

  *) Restored the experimental leader/followers MPM to working
     condition and converted its thread synchronization from
     mutexes to atomic CAS.  [Brian Pane]

  *) Fix Logic on non-html file removal in mod_deflate
     [Kris Verbeeck <Kris.Verbeeck@ubizen.com>]

Martin Kraemer's avatar
Martin Kraemer committed
  *) Fix "ab -g"'s truncated year: the last digit was cut off.
     [Leon Brocard <acme@astray.com>]

  *) mod_rewrite can now sets cookies in err_headers, uses the correct
     expiry date, and can now set the path as well
     PR 12132,12181,12172.
Ian Holsman's avatar
Ian Holsman committed
     [Ian Holsman / Rob Cromwell <apachechangelog@robcromwell.com>]

  *) The content-length filter no longer tries to buffer up
     the entire output of a long-running request before sending
     anything to the client.  [Brian Pane]

  *) Win32: Lower the default stack size from 1MB to 256K. This will
     allow around 8000 threads to be started per child process. 
     'EDITBIN /STACK:size apache.exe' can be used to change this 
     value directly in the apache.exe executable.
     [Bill Stoddard]

  *) Win32: Implement ThreadLimit directive in the Windows MPM.
Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Remove CacheOn config directive since it is set but never checked.
     No sense wasting cycles on unused code. Besides, the only truly
     bug free code is deleted code. :)   [Paul J. Reder]

  *) BufferLogs are now run-time enabled, and the log_config now has 2 new
     callbacks to allow a 3rd party module to actually do the writing of the
     log file [Ian Holsman]

  *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs.
     [André Malo, Astrid Keßler <kess@kess-net.de>]

  *) Fix Segfault in mod_cache. [Kris Verbeeck <Kris.Verbeeck@ubizen.com>]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Fix a null pointer dereference in the merge_env_dir_configs
     function of the mod_env module. PR 11791
     [Paul J. Reder]

  *) New option to ServerTokens 'maj[or]'. Only show the major version
     Also Surfaced this directive in the standard config (default FULL)
     [Ian Holsman]

  *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite
     maps.  The dbm type (e.g., ndbm, gdbm) can be specified on the
     RewriteMap directive.  PR 10644  [Jeff Trawick]
  *) Fixed mod_rewrite's RewriteMap prg: support so that request/response
     pairs will no longer get out of sync with each other.  PR 9534
     [Cliff Woolley]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Fixes required to get quoted and escaped command args working in
     mod_ext_filter. PR 11793 [Paul J. Reder]

  *) mod-proxy: handle proxied responses with no status lines
     [JD Silvester <jsilves@uwo.ca>, Brett Huttley <brett@huttley.net>]
Ian Holsman's avatar
Ian Holsman committed

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Fix bug where environment or command line arguments containing 
     non-ASCII-7 characters would cause the Win32 child process creation
     to fail.  PR 11854  [William Rowe]

  *) Bug #11213.. make module loading error messages more informative 
     [Ian Darwin <Ian779@darwinsys.com>]

Ian Holsman's avatar
Ian Holsman committed
  *) thread safety & proxy-ftp [Alexey Panchenko alexey@liwest.ru, Ian Holsman]

Bill Stoddard's avatar
Bill Stoddard committed
  *) mod_disk_cache works much better. This module should still
     be considered experimental. [Eric Prud'hommeaux]
  *) Performance improvement for keepalive requests: when setting
     aside a small file for potential concatenation with the next
     response on the connection, set aside the file descriptor rather
     than copying the file into the heap.  [Brian Pane]
Cliff Woolley's avatar
Cliff Woolley committed
Changes with Apache 2.0.40
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) SECURITY: [CAN-2002-0661] Close a very significant security hole that 
     applies only to the Win32, OS2 and Netware platforms.  Unix was not 
     affected, Cygwin may be affected.  Certain URIs will bypass security
     and allow users to invoke or access any file depending on the system 
     configuration.  Without upgrading, a single .conf change will close 
Loading full blame...