Skip to content
CHANGES 610 KiB
Newer Older
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
Changes with Apache 2.1.0-dev

  [Remove entries to the current 2.0 section below, when backported]
  *) mod_deflate: Don't deflate responses with zero length 
     e.g. proxied 304's [Allan Edwards]

Andre Malo's avatar
Andre Malo committed
  *) <IfModule> now recognizes the module identifier in addition to the
     file name. PR 29003.  [Edward Rudd <eddie omegaware.com>, André Malo]

  *) mod_ssl: Add "SSLUserName" directive to set r->user based on a
     chosen SSL environment variable.  PR 20957. 
     [Martin v. Loewis <martin v.loewis.de>]

  *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
     OpenSSL 0.9.7 flag which uses the server's cipher order rather
     than the client's.  PR 28665.
     [Jim Schneider <jschneid netilla.com>]
  *) mod_ssl: Drop support for the CompatEnvVars argument to
     SSLOptions, which was never actually implemented in 2.0.
     [Joe Orton]

  *) Fix bug in mod_deflate that unconditionally sent deflate'd output
     even when Accept-Encoding is not present.  [Justin Erenkrantz]

  *) Pass environment variables through to piped loggers, resolving
     a regression since 1.3.  [Ken Coar, Jeff Trawick]

  *) Enable the option to support anonymous shared memory in mod_ldap.
     This makes the cache work on Linux again. [Graham Leggett]

  *) Small fix to allow reverse proxying to an ftp server. Previously
     an attempt to do this would try and connect to 0.0.0.0, regardless
     of the server specified. PR 24922
     [Pascal Terjan <pterjan@linuxfr.org>]

  *) RPM spec file changes: changed default dependancy to link to db4
     instead of db3. Fixed complaints about unpackaged files.
     [Graham Leggett]

  *) External rewrite map responses are no longer limited to 2048
     bytes.  [André Malo]

Jim Jagielski's avatar
Jim Jagielski committed
  *) Proxy server was deleting cookies that Apache had already
     assigned if the origin server had set any cookies. PR 27023.
     [Jim Jagielski]

  *) Prevent Win32 pool corruption at startup [Allan Edwards]

  *) Removed old and unmaintained ap_add_named_module API and changed
     the following APIs to return an error instead of hard exiting:
     ap_add_module, ap_add_loaded_module, ap_setup_prelinked_modules,
     and ap_process_resource_config.  [André Malo]
  *) Include directives no longer refuse to process symlinks on
     directories. Instead there's now a maximum nesting level
     of included directories (128 as distributed). This is configurable
     at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch.
     PR 28492.  [André Malo]

  *) Recursive Include directives no longer crash. The server stops
     including configuration files after a certain nesting level (128
     as distributed). This is configurable at compile time using the
     -DAP_MAX_INCLUDE_DEPTH switch. PR 28370.  [André Malo]

  *) mod_headers: Allow %% in header values to represent a literal %.
     [André Malo]

  *) mod_headers: Allow env clauses also for 'echo' and 'unset' actions.
     [André Malo]

Andre Malo's avatar
Andre Malo committed
  *) mod_headers: Allow 'echo' also for ErrorHeaders.  [André Malo]

  *) mod_cgi: Handle output on stderr during script execution on Unix
     platforms; preventing deadlock when stderr output fills pipe buffer.
Joe Orton's avatar
Joe Orton committed
     Also fixes case where stderr from nph- scripts could be lost.
     PR 22030, 18348.  [Joe Orton, Jeff Trawick]
Ian Holsman's avatar
Ian Holsman committed
  *) mod_deflate: New option for DEFLATE output file (force-gzip),
     new output filter 'INFLATE' for uncompressing responses.
     [Nick Kew <Nick at WebThing dot com>, Ian Holsman]

  *) Added new module mod_version, which provides version dependent
     configuration containers.  [André Malo]

  *) Accept URLs for the ServerAdmin directive. If the supplied
     argument is not recognized as an URL, assume it's a mail address.
     PR 28174.  [André Malo]

  *) mod_rewrite no longer confuses the RewriteMap caches if
     different maps defined in different virtual hosts use the
     same map name. PR 26462.  [André Malo]

  *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
     format is used.  PR 27787.  [André Malo]

  *) mod_usertrack: Escape the cookie name before pasting into the
     regexp.  [André Malo]

  *) Enable special ErrorDocument value 'default' which restores the
     canned server response for the scope of the directive.
     [Geoffrey Young]

  *) Allow Digest providers to return AUTH_DENIED to propagate a 401
     status and terminate the provider chain prior to checking the password.
     [Geoffrey Young]

  *) mod_rewrite now officially supports RewriteRules in <Proxy> sections.
     PR 27985.  [André Malo]

  *) mod_cgid: Don't allow Scriptsock to be specified inside VirtualHost;
     Don't place script socket inside default server root instead of
     actual server root.  PR 27886.  [Jeff Trawick]

  *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
     is set in r->subprocess_env allow mismatched query strings to pass.
     PR 27758.  [Paul Querna <chip force-elite.com>, Geoffrey Young]

  *) Satisfy directives now can be influenced by a surrounding <Limit>
     container.  PR 14726.  [André Malo]

  *) mod_proxy: Fix handling of non-200 success status codes when
     "ProxyErrorOverride On" is configured.  PR 20183.
     [Marcus Janson <marcus.janson tre.se>, Joe Orton]

  *) Threaded MPMs for Unix and Win32: Add support for ThreadStackSize 
     directive (previously NetWare-only) to override default thread 
     stack size for threads which handle client connections.  Required 
     for some third-party modules on platforms with small default 
     thread stack size.  [Jeff Trawick]
  *) mod_rewrite: Support for recognizing SSL variables in RewriteCond
     using the new "SSL:" format.  [Joe Orton, Madhusudan Mathihalli]

  *) mod_setenvif: Remove "support" for Remote_User variable which
     never worked at all. PR 25725.  [André Malo]

  *) minor mod_auth_basic and mod_auth_digest sync.  mod_auth_basic
     now populates r->user with the (possibly unauthenticated) user,
     and mod_auth_digest returns 500 when a provider returns
     AUTH_GENERAL_ERROR.
     [Geoffrey Young]

  *) The whole codebase was relicensed and is now available under
     the Apache License, Version 2.0 (http://www.apache.org/licenses).
     [Apache Software Foundation]

  *) FreeBSD: Use the httpready accept filter instead of dataready on
     newer levels of the OS.  [Paul Querna <chip force-elite.com>]

  *) Delete some make-generated files in the server directory during 
     "make clean" processing.  PR 26552.  [Jeff Trawick]

  *) Add core version query function (ap_get_server_revision) and
     accompanying ap_version_t structure (minor MMN bump).
     [André Malo]

  *) mod_rewrite: EOLs sent by external rewritemaps are now consumed
     as whole. That way, on systems with more than one EOL character
     rewritemap programs no longer need to switch stdout to binary
     mode. PR 25635.  [André Malo]

  *) mod_rewrite: Introduce the ability to force a content handler via
     the [handler=...] flag.  [André Malo]

  *) mod_rewrite: Introduce the RewriteCond -x check, which returns
     true if the pattern is a file with execution permissions.
     [André Malo]

  *) Allow proxying of resources that are invoked via DirectoryIndex.
     PR 14648.  [André Malo]

  *) mod_rewrite: Allow proxying and RewriteRules in directory context
     for subrequests.  PR 14648, 15114.  [André Malo]

  *) mod_rewrite: Allow setting of any valid HTTP response code.
     PR 25917.  [André Malo]

  *) mod_rewrite: Cookie creation now works locale independent.
     [André Malo]

  *) mod_ssl: Add support for distributed session cache using 'distcache'.
     [Geoff Thorpe <geoff geoffthorpe.net>]

  *) mod_dav: Disallow requests with an unescaped hash character in
Joe Orton's avatar
Joe Orton committed
     the Request-URI.  PR 21779.  [Amit Athavale <amit_athavale lycos.com>]
Andre Malo's avatar
Andre Malo committed
  *) mod_proxy with ProxyErrorOverride On in a reverse-proxy configuration
     attaches a body to the 302 response and a wrong Content-Length header.
     PR: 22951 [Ermanno Scaglione scaglione ..at.. starnetone.de]

  *) Bring ErrorHeader concept forward from 1.3, so that response
     header fields can be set for return even on errors or external
     redirects.  [Ken Coar]

  *) Fix <Limit> and <LimitExcept> parsing to require a closing '>' 
     in the initial container.  PR 25414. 
     [Geoffrey Young <geoff apache.org>]

  *) Clean up httpd -V output: Instead of displaying the MPM source
     directory, display the MPM name and some MPM properties.
     [Geoffrey Young <geoff apache.org>]

  *) mod_ssl/mod_status: Re-enable support for output of SSL session
     cache information in server-status page.  [Joe Orton]

  *) mod_ssl: Remove the shmht session cache, shmcb should be used
     instead.  [Joe Orton]

  *) mod_logio: Account for some bytes handed to the network layer prior to
     dropped connections.  [Jeff Trawick]

  *) mod_autoindex: new directive IndexStyleSheet 
    [Tyler Riddle <triddle_1999 yahoo.com>, Paul Querna <chip force-elite.com>]

  *) Fix uninitialized gprof directory name in prefork MPM.  PR 24450.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Chris Knight <Christopher.D.Knight nasa.gov>]
  *) Log an error when requests for URIs which fail to map to a valid 
     filesystem name are rejected with 403.  [Jeff Trawick]

  *) Switch to APR 1.0 API.

  *) Major overhaul of mod_include's filter parser. The new parser code
     is expected to be more robust and should catch all of the edge cases
Andre Malo's avatar
Andre Malo committed
     that were not handled by the previous one. This includes a binary
     incompatible change of mod_include's external API.  [André Malo]
  *) mod_rewrite: Allow forced mimetypes [T=...] to get expanded.
     PR 14223.  [André Malo]

  *) mod_rewrite: Fix LA-U and LA-F lookups in directory context. Previously
     the current rewrite state was just used as lookup path, which lead to
     strange and often useless results. Related to PR 8493.  [André Malo]

  *) Change Listen directive to bind to all addresses when a hostname is
     not specified.  [Justin Erenkrantz]

  *) Correct failure with Listen directives on machines with IPv6 enabled.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Colm MacCárthaigh <colm stdlib.net>, Justin Erenkrantz]
Cliff Woolley's avatar
 
Cliff Woolley committed
  *) Fix a link failure in mod_ssl when the OpenSSL libraries contain
     the ENGINE functions but the engine header files are missing.
     [Cliff Woolley]

  *) mod_rewrite: RewriteRules in server context using the force
     type feature [T=...] no longer disable MultiViews.  [André Malo]

  *) mod_rewrite: Allow piped rewrite logs to be relative to ServerRoot.
     [André Malo]

  *) mod_authz_groupfile: Strip trailing spaces of group names. This
     hopefully saves some hours of searching for typos. PR 12863.
     [André Malo]

  *) mod_actions: Propagate the handler name to the action script via
     the REDIRECT_HANDLER environment variable.  [André Malo]

  *) mod_actions: Introduce the "virtual" modifier to the Action directive,
     which allows the use of handlers for virtual locations. PR 8431.
     [André Malo]

  *) mod_speling: Recognize AcceptPathInfo setting for the particular
     location. Default is to reject path information. PR 21059.
     [André Malo]

  *) mod_ext_filter: Add the ability to filter request bodies.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Philipp Reisner <philipp.reisner linbit.com>]
  *) Fix some broken log messages in WinNT MPM.  
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Juan Rivera <Juan.Rivera citrix.com>]
  *) prefork MPM: Use the right permissions for the directory created 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     for gprof support.  [Jim Carlson <jcarlson jnous.com>]
  *) Fix a compile failure with recent OpenSSL and picky compilers
     (e.g., OpenSSL 0.9.7a and xlc_r on AIX).  [Jeff Trawick]

  *) OpenSSL headers should be included as "openssl/ssl.h", and not rely on
     the INCLUDE path to be defined properly.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 11310. [Geoff Thorpe <geoff geoffthorpe.net>]
  *) Modify APACHE_CHECK_SSL_TOOLKIT to detect SSL-C. [Madhusudan Mathihalli]
  *) Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
     autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc). 
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Geoff Thorpe <geoff geoffthorpe.net>]
  *) change directive name from 'compressionlevel' to 'deflatecompressionlevel'
  *) mod_negotiation: quality values are now parsed independent from
     the current locale. level values are now really parsed as integers.
     PR 17564.  [André Malo]

  *) Extend mod_negotiation to evaluate the environment variables
     no-gzip and gzip-only-text/html the same way as mod_deflate does.
     [André Malo]

  *) mod_rewrite: Fix some problems reporting errors with mapping
     programs (RewriteMap prg:/something).  [Jeff Trawick]

  *) Return 413 if chunk-ext-header is too long rather than reading from
     the truncated line.  PR 15857.  [Justin Erenkrantz]

  *) Allow restart of httpd to occur even with syntax errors in the config
     file.  PR 16813.  [Justin Erenkrantz]

  *) Use APR_LAYOUT instead of APACHE_LAYOUT in configure.  PR 15679.
     [Justin Erenkrantz]

  *) Remove files on 'make distclean' that should be.  PR 15592.
     [Justin Erenkrantz]

  *) Allow apachectl to perform status with links and elinks as well.
     [Justin Erenkrantz]

  *) Extend the SetEnvIf directive to capture subexpressions of the
     matched value.  [André Malo]

  *) mod_log_config change optional hook to return previous handler
     [Ian Holsman]

  *) Forward port of mod_actions' ability to handle arbitrary methods
     with the Script directive.  [André Malo]

  *) Let suexec send a message to stderr, if it failed or its policy
     was violated. This message appears in the error log and allows
Andre Malo's avatar
Andre Malo committed
     for easier debugging. PR 5381, 7638, 8255, 10773.  [André Malo]
  *) Modify buildconf to copy all required files into httpd's tree.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Thom May <thom planetarytramp.net>]
  *) Allow mod_dav to do weak entity comparison functions.
     [Justin Erenkrantz]

Andre Malo's avatar
Andre Malo committed
  *) Move RFC 1413 ident requests from core to new module mod_ident.
     [André Malo]

Andre Malo's avatar
Andre Malo committed
  *) Add mod_authz_owner - a forward port of "Require file-owner"
     and "Require file-group", which was already present in version
     1.3.21.  [André Malo]

  *) Add mod_dav_lock - a generic subset of the DAV locking implementation.
     [Justin Erenkrantz]

  *) Replace some of the mutex locking in the worker MPM with
     atomic operations for higher concurrency.  [Brian Pane]

  *) Allow 'make depend' to work with non-GCC compilers.
     [Justin Erenkrantz]

  *) If an httpd.conf has commented out AddModule directives, 
     apxs -i -a will add an un-commented AddModule directive for 
     the new module, which breaks the config.
     PR: 11212 [Joe Orton]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  *) Fix mod_proxy handling of filtered input bodies.  [Justin Erenkrantz]

  *) Move the check of the Expect request header field after the hook
     for ap_post_read_request, since that is the only opportunity for
     modules to handle Expect extensions.  [Justin Erenkrantz]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) Rewrite of aaa modules to an authn/authz model.
     [Dirk-Willem van Gulik, Justin Erenkrantz]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed

  [Apache 2.1.0-dev includes those bug fixes and changes with the
   Apache 2.0.xx tree as documented, and except as noted, below.]

Bill Stoddard's avatar
Bill Stoddard committed
Changes with Apache 2.0.50
Andre Malo's avatar
Andre Malo committed
  *) mod_rewrite no longer turns forward proxy requests into reverse proxy
     requests. PR 28125  [ast domdv.de, André Malo]

  *) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now
     exported on Win32 and Netware as well (minor MMN bump).  PR 28523.
     [Edward Rudd <eddie omegaware.com>, André Malo]

  *) Restore the ability to disable the use of AcceptEx on Win9x systems
     automatically (broken in2.0.49). PR 28529.  [André Malo]

Jeff Trawick's avatar
Jeff Trawick committed
  *) <VirtualHost myhost> now applies to all IP addresses for myhost
     instead of just the first one reported by the resolver.  This
     corrects a regression since 1.3.  [Jeff Trawick]

  *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved
     against ServerRoot PR#26602 [Brad Nicholes]
       
Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CAN-2004-0488 (cve.mitre.org)
     mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
     (trusted) client certificate subject DN which exceeds 6K in length.
     [Joe Orton]

  *) mod_dav_fs: Fix MKCOL response for missing parent collections, which 
     caused issues for the Eclipse WebDAV extension.
     PR 29034.  [Joe Orton]

  *) mod_deflate: Fix memory consumption (which was proportional to the
     response size).  PR 29318.  [Joe Orton]

  *) mod_ssl: Log the errors returned on failure to load or initialize
     a crypto accelerator engine.  [Joe Orton]

Andre Malo's avatar
Andre Malo committed
  *) Allow RequestHeader directives to be conditional. PR 27951.
     [Vincent Deffontaines <vincent gryzor.com>, André Malo]

Andre Malo's avatar
Andre Malo committed
  *) Allow LimitRequestBody to be reset to unlimited. PR 29106
     [André Malo]

Andre Malo's avatar
Andre Malo committed
  *) Fix a bunch of cases where the return code of the regex compiler
     was not checked properly. This affects: mod_setenvif, mod_usertrack,
     mod_proxy, mod_proxy_ftp and core. PR 28218.  [André Malo]

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for
     small cache sizes.  PR 27751.  [Geoff Thorpe <geoff geoffthorpe.net>]

  *) Remove 2Gb log file size restriction on some 32-bit platforms.
     PR 13511.  [Joe Orton]

Andre Malo's avatar
Andre Malo committed
  *) mod_logio no longer removes the EOS bucket. PR 27928.
     [Bojan Smojver <bojan rexursive.com>]

  *) htpasswd no longer refuses to process files that contain empty
     lines.  [André Malo]

Andre Malo's avatar
Andre Malo committed
  *) Regression from 1.3: At startup, suexec now will be checked for
     availability, the setuid bit and user root. The works only if
     httpd is compiled with the shipped APR version (0.9.5).
Andre Malo's avatar
Andre Malo committed
     PR 28287.  [André Malo]
Andre Malo's avatar
Andre Malo committed

  *) Unix MPMs: Stop dropping connections when the file descriptor
     is at least FD_SETSIZE.  [Jeff Trawick]

  *) Fix handling of IPv6 numeric strings in mod_proxy.  [Jeff Trawick]

  *) mod_isapi: send_response_header() failed to copy status string's 
     last character.  PR 20619.  [Jesse Pelton <jsp pkc.com>]

Graham Leggett's avatar
Graham Leggett committed
  *) Fix a segfault when requests for shared memory fails and returns
     NULL. Fix a segfault caused by a lack of bounds checking on the
Joe Orton's avatar
Joe Orton committed
     cache.  PR 24801.  [Graham Leggett]
Graham Leggett's avatar
Graham Leggett committed

Graham Leggett's avatar
Graham Leggett committed
  *) Throw an error message if an attempt is made to use the LDAPTrustedCA
     or LDAPTrustedCAType directives in a VirtualHost. PR 26390
     [Brad Nicholes]

  *) Fix a potential segfault if the bind password in the LDAP cache
Joe Orton's avatar
Joe Orton committed
     is NULL.  PR 28250.  [Jari Ahonen <jah progress.com>]

  *) Quotes cannot be used around require group and require dn
     directives, update the documentation to reflect this. Also add
     quotes around the dn and group within debug messages, to make it
     more obvious why authentication is failing if quotes are used in
Joe Orton's avatar
Joe Orton committed
     error.  PR 19304.  [Graham Leggett]

  *) The Microsoft LDAP SDK escapes filters for us, stop util_ldap
     from escaping filters twice when the backslash character is used.
Joe Orton's avatar
Joe Orton committed
     PR 24437.  [Jess Holle <jessh ptc.com>]

  *) Overhaul handling of LDAP error conditions, so that the util_ldap_*
     functions leave the connections in a sane state after errors have
     occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134,
     27271 [Graham Leggett]
Joe Orton's avatar
Joe Orton committed
                                                                                
  *) mod_ldap calls ldap_simple_bind_s() to validate the user
     credentials.  If the bind fails, the connection is left
     in an unbound state.  Make sure that the ldap connection
     record is updated to show that the connection is no longer
     bound. [Brad Nicholes]
Joe Orton's avatar
Joe Orton committed

Jeff Trawick's avatar
Jeff Trawick committed
  *) Ensure that lines in the request which are too long are 
     properly terminated before logging.
     [Tsurutani Naoki <turutani scphys.kyoto-u.ac.jp>]

Bradley Nicholes's avatar
Bradley Nicholes committed
  *) Update the bind credentials for the cached LDAP connection to 
     reflect the last bind.  This prevents util_ldap from creating 
     unnecessary connections rather than reusing cached connections.
     [Brad Nicholes]
     
  *) mod_isapi: GetServerVariable returned improperly terminated header 
     fields given "ALL_HTTP" or "ALL_RAW".  PR 20656.
     [Jesse Pelton <jsp pkc.com>]

  *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer
     size.  PR 20617.  [Jesse Pelton <jsp pkc.com>]

  *) mod_dav: Fix a problem that could cause crashes when manipulating 
     locks on some platforms.  [Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
  *) mod_headers no longer crashes if an empty header value should
     be added.  [André Malo]

  *) Fix segfault in mod_expires, which occured under certain
     circumstances. PR 28047.  [André Malo]

Bradley Nicholes's avatar
Bradley Nicholes committed
  *) htpasswd: use apr_temp_dir_get() and general cleanup
     [Guenter Knauf <eflash gmx.net>, Thom May]

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Fix memory leak in session cache handling.  PR 26562
     [Madhusudan Mathihalli]

  *) mod_ssl: Fix potential segfaults when performing SSL shutdown from
     a pool cleanup.  PR 27945.  [Joe Orton]

Andre Malo's avatar
Andre Malo committed
  *) Add forensic logging module (mod_log_forensic).
     [Ben Laurie]

  *) logresolve: Allow size of log line buffer to be overridden at
     build time (MAXLINE).  PR 27793.  [Jeff Trawick]

Bradley Nicholes's avatar
Bradley Nicholes committed
  *) Fix the comment delimiter in htdbm so that it correctly parses the 
     username comment.  Also add a terminate function to allow NetWare 
     to pause the output before the screen is destroyed.
     [Guenter Knauf <eflash gmx.net>, Brad Nicholes] 
  
Bill Stoddard's avatar
Bill Stoddard committed
  *) Fix crash when Apache was started with no Listen directives.
     [Michael Corcoran <mcorcoran warpsolutions.com>]

Bill Stoddard's avatar
Bill Stoddard committed
  *) core_output_filter: Fix bug that could result in sending
     garbage over the network when module handlers construct
     bucket brigades containing multiple file buckets all referencing
     the same open file descriptor. [Bojan Smojver]
Bill Stoddard's avatar
Bill Stoddard committed

  *) Fix memory corruption problem with ap_custom_response() function.
     The core per-dir config would later point to request pool data
     that would be reused for different purposes on different requests.
     [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]

  *) Win32: Tweak worker thread accounting routines to eliminate
     server hang when number of Listen directives in httpd.conf
     is greater than or equal to the setting of ThreadsPerChild.
     [Bill Stoddard]

Jeff Trawick's avatar
Jeff Trawick committed
Changes with Apache 2.0.49
  *) SECURITY: CAN-2004-0174 (cve.mitre.org)
     Fix starvation issue on listening sockets where a short-lived
     connection on a rarely-accessed listening socket will cause a
     child to hold the accept mutex and block out new connections until
     another connection arrives on that rarely-accessed listening socket.
     With Apache 2.x there is no performance concern about enabling the 
     logic for platforms which don't need it, so it is enabled everywhere
     except for Win32.  [Jeff Trawick]

Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_cgid: Fix storage corruption caused by use of incorrect pool.
     [Jeff Trawick]

Justin Erenkrantz's avatar
Justin Erenkrantz committed
  *) Win32: find_read_listeners was not correctly handling multiple
     listeners on the Win32DisableAcceptEx path.  [Bill Stoddard]

  *) Fix bug in mod_usertrack when no CookieName is set.  PR 24483.
     [Manni Wood <manniwood planet-save.com>]

  *) Fix some piped log problems: bogus "piped log program '(null)'
     failed" messages during restart and problem with the logger
     respawning again after Apache is stopped.  PR 21648, PR 24805.
     [Jeff Trawick]

  *) Fixed file extensions for real media files and removed rpm extension
     from mime.types. PR 26079.  [Allan Sandfeld <kde carewolf.com>]

  *) Remove compile-time length limit on request strings. Length is
     now enforced solely with the LimitRequestLine config directive.
     [Paul J. Reder]

  *) mod_ssl: Send the Close Alert message to the peer before closing
Joe Orton's avatar
Joe Orton committed
     the SSL session.  PR 27428.  [Madhusudan Mathihalli, Joe Orton]
Joe Orton's avatar
Joe Orton committed
  *) SECURITY: CAN-2004-0113 (cve.mitre.org)
     mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
     PR 27106.  [Joe Orton]

  *) mod_ssl: Fix bug in passphrase handling which could cause spurious
     failures in SSL functions later.  PR 21160.  [Joe Orton]

Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_log_config: Fix corruption of buffered logs with threaded
     MPMs.  PR 25520.  [Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
  *) Fix mod_include's expression parser to recognize strings correctly
     even if they start with an escaped token.  [André Malo]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Add fatal exception hook for use by diagnostic modules.  The hook
     is only available if the --enable-exception-hook configure parm 
     is used and the EnableExceptionHook directive has been set to 
     "on".  [Jeff Trawick]

  *) Allow mod_auth_digest to work with sub-requests with different
     methods than the original request.  PR 25040.
     [Josh Dady <jpd indecisive.com>]

Joe Orton's avatar
Joe Orton committed
  *) fix "Expected </Foo>> but saw </Foo>" errors in nested,
     argumentless containers.
     ["Philippe M. Chiasson" <gozer cpan.org>]

  *) mod_auth_ldap: Fix some segfaults in the cache logic.  PR 18756.
     [Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]

Joe Orton's avatar
Joe Orton committed
  *) mod_cgid: Restart the cgid daemon if it crashes.  PR 19849
     [Glenn Nielsen <glenn apache.org>]

Andre Malo's avatar
Andre Malo committed
  *) The whole codebase was relicensed and is now available under
     the Apache License, Version 2.0 (http://www.apache.org/licenses).
     [Apache Software Foundation]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Fixed cache-removal order in mod_mem_cache.
     [Jean-Jacques Clar, Cliff Woolley]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) mod_setenvif: Fix the regex optimizer, which under circumstances
     treated the supplied regex as literal string. PR 24219.
     [André Malo]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
     instead of mmn. [André Malo]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
     could lead to a 400 (Bad Request) response.  [André Malo]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Keep focus of ITERATE and ITERATE2 on the current module when
     the module chooses to return DECLINE_CMD for the directive.
     PR 22299.  [Geoffrey Young <geoff apache.org>]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Add support for IMT minor-type wildcards (e.g., text/*) to
     ExpiresByType.  PR#7991  [Ken Coar]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Fix segfault in mod_mem_cache cache_insert() due to cache size
     becoming negative.  PR: 21285, 21287
     [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) core.c: If large file support is enabled, allow any file that is
     greater than AP_MAX_SENDFILE to be split into multiple buckets.
     This allows Apache to send files that are greater than 2gig.
     Otherwise we run into 32/64 bit type mismatches in the file size.
     [Brad Nicholes]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) proxy_http fix: mod_proxy hangs when both KeepAlive and
     ProxyErrorOverride are enabled, and a non-200 response without a
     body is generated by the backend server. (e.g.: a client makes a
     request containing the "If-Modified-Since" and "If-None-Match"
     headers, to which the backend server respond with status 304.)
     [Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]

Joe Orton's avatar
Joe Orton committed
  *) mod_dav: Reject requests which include an unescaped fragment in the
     Request-URI.  PR 21779.  [Amit Athavale <amit_athavale lycos.com>]

  *) Build array of allowed methods with proper dimensions, fixing
     possible memory corruption.  [Jeff Trawick]

  *) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
     PR 15057.  [Otmar Lendl <lendl nic.at>]

  *) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
     [Joe Orton]

Andre Malo's avatar
Andre Malo committed
  *) mod_usertrack no longer inspects the Cookie2 header for
     the cookie name. PR 11475.  [Chris Darrochi <chrisd pearsoncmg.com>]

  *) mod_usertrack no longer overwrites other cookies.
     PR 26002.  [Scott Moore <apache nopdesign.com>]

Jeff Trawick's avatar
Jeff Trawick committed
  *) worker MPM: fix stack overlay bug that could cause the parent
     process to crash.  [Jeff Trawick]

Bill Stoddard's avatar
Bill Stoddard committed
  *) Win32: Add Win32DisableAcceptEx directive. This Windows
     NT/2000/CP directive is useful to work around bugs in some 
     third party layered service providers like virus scanners, 
     VPN and firewall products, that do not properly handle 
     WinSock 2 APIs.  Use this directive if your server is issuing
     AcceptEx failed messages.
     [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
  *) Make REMOTE_PORT variable available in mod_rewrite.
     PR 25772.  [André Malo]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Fix a long delay with CGI requests and keepalive connections on
     AIX.  [Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
  *) mod_autoindex: Add 'XHTML' option in order to allow switching between
     HTML 3.2 and XHTML 1.0 output. PR 23747.  [André Malo]

  *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
     [André Malo]

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Advertise SSL library version as determined at run-time rather
     than at compile-time.  PR 23956.  [Eric Seidel <seidel apple.com>]

  *) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
     format code is used.  PR 22741.  [Gary E. Miller <gem rellim.com>]

  *) Fix build with parallel make.  PR 24643.  [Joe Orton]

Andre Malo's avatar
Andre Malo committed
  *) mod_rewrite: In external rewrite maps lookup keys containing
     a newline now cause a lookup failure. PR 14453.
     [Cedric Gavage <cedric.gavage unixtech.be>, André Malo]

  *) Backport major overhaul of mod_include's filter parser from 2.1.
     The new parser code is expected to be more robust and should
     catch all of the edge cases that were not handled by the previous one.
     The 2.1 external API changes were hidden by a wrapper which is
     expected to keep the API backwards compatible.  [André Malo]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Add a hook (insert_error_filter) to allow filters to re-insert
     themselves during processing of error responses. Enable mod_expires
     to use the new hook to include Expires headers in valid error
     responses. This addresses an RFC violation. It fixes PRs 19794,
     24884, and 25123. [Paul J. Reder]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Add Polish translation of error messages.  PR 25101.
     [Tomasz Kepczynski <tomek jot23.org>]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
Jeff Trawick's avatar
Jeff Trawick committed
     supported for BeOS or OS/2 MPMs.)  [Jeff Trawick, Brad Nicholes,
     Bill Stoddard]
Jeff Trawick's avatar
Jeff Trawick committed

  *) Add mod_status hook to allow modules to add to the mod_status
     report.  [Joe Orton]

Justin Erenkrantz's avatar
Justin Erenkrantz committed
  *) Fix htdbm to generate comment fields in DBM files correctly.
     [Justin Erenkrantz]

  *) mod_dav: Use bucket brigades when reading PUT data. This avoids
     problems if the data stream is modified by an input filter. PR 22104.
     [Tim Robbins <tim robbins.dropbear.id.au>, André Malo]

  *) Fix RewriteBase directive to not add double slashes.  [André Malo]

  *) Improve 'configure --help' output for some modules.  [Astrid Keßler]

  *) Correct UseCanonicalName Off to properly check incoming port number.
     [Jim Jagielski]

  *) Fix slow graceful restarts with prefork MPM.  [Joe Orton]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Fix a problem with namespace mappings being dropped in mod_dav_fs;
     if any property values were set which defined namespaces these
Justin Erenkrantz's avatar
Justin Erenkrantz committed
     came out mangled in the PROPFIND response.  PR 11637.
     [Amit Athavale <amit_athavale persistent.co.in>]

  *) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
     the destination resource gives a 401.  PR 15571.  [Joe Orton]

Andre Malo's avatar
Andre Malo committed
  *) SECURITY: CAN-2003-0020 (cve.mitre.org)
     Escape arbitrary data before writing into the errorlog. Unescaped
     errorlogs are still possible using the compile time switch
     "-DAP_UNSAFE_ERROR_LOG_UNESCAPED".  [Geoffrey Young, André Malo]
Andre Malo's avatar
Andre Malo committed

  *) mod_autoindex / core: Don't fail to show filenames containing
     special characters like '%'. PR 13598.  [André Malo]
 
Jeff Trawick's avatar
Jeff Trawick committed
  *) mod_status: Report total CPU time accurately when using a threaded
     MPM.  PR 23795.  [Jeff Trawick]

  *) Fix memory leak in handling of request bodies during reverse
     proxy operations.  PR 24991. [Larry Toppi <larry.toppi citrix.com>]

  *) Win32 MPM: Implement MaxMemFree to enable setting an upper
     limit on the amount of storage used by the bucket brigades
     in each server thread. [Bill Stoddard]
Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Modified the cache code to be header-location agnostic. Also
     fixed a number of other cache code bugs related to PR 15852.
     Includes a patch submitted by Sushma Rai <rsushma novell.com>.
     This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
     closing the PR since that is what they are using. [Paul J. Reder]

Stas Bekman's avatar
Stas Bekman committed
  *) complain via error_log when mod_include's INCLUDES filter is
     enabled, but the relevant Options flag allowing the filter to run
     for the specific resource wasn't set, so that the filter won't
     silently get skipped. next remove itself, so the warning will be
     logged only once [Stas Bekman, Jeff Trawick, Bill Rowe]

  *) mod_info: HTML escape configuration information so it displays 
     correctly. PR 24232. [Thom May]
     
  *) Restore the ability to add a description for directories that
     don't contain an index file.  (Broken in 2.0.48) [André Malo]

  *) Fix a problem with the display of empty variables ("SetEnv foo") in
     mod_include.  PR 24734  [Markus Julen <mj zermatt.net>]

Joe Orton's avatar
Joe Orton committed
  *) mod_log_config: Log the minutes component of the timezone correctly.
     PR 23642.  [Hong-Gunn Chew <hgbug gunnet.org>]

  *) mod_proxy: Fix cases where an invalid status-line could be sent 
     to the client.  PR 23998.  [Joe Orton]

  *) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL
     are also loaded.  [Joe Orton]

  *) mod_ssl: Use human-readable OpenSSL error strings in logs; use
     thread-safe interface for retrieving error strings.  [Joe Orton]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) mod_expires: Initialize ExpiresDefault to NULL instead of "" to
     avoid reporting an Internal Server error if it is used without
     having been set in the httpd.conf file. PR: 23748, 24459
     [Andre Malo, Liam Quinn  <liam htmlhelp.com>]

Andre Malo's avatar
Andre Malo committed
  *) mod_autoindex: Don't omit the <tr> start tag if the SuppressIcon
     option is set. PR 21668.  [Jesse Tie-Ten-Quee <highos highos.com>]

  *) mod_include no longer allows an ETag header on 304 responses.
     PR 19355. [Geoffrey Young <geoff apache.org>, André Malo]

Jeff Trawick's avatar
Jeff Trawick committed
  *) EBCDIC: Convert header fields to ASCII before sending (broken
     since 2.0.44). [Martin Kraemer]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Fix the inability to log errors like exec failure in
     mod_ext_filter/mod_cgi script children.  This was broken after 
     such children stopped inheriting the error log handle.  
     [Jeff Trawick]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Fix mod_info to use the real config file name, not the default
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     config file name.  [Aryeh Katz <aryeh secured-services.com>]
Jeff Trawick's avatar
Jeff Trawick committed
  *) Set the scoreboard state to indicate logging prior to running 
     logging hooks so that server-status will show 'L' for hung loggers
     instead of 'W'.  [Jeff Trawick]

Changes with Apache 2.0.48
Sander Striker's avatar
Sander Striker committed

Sander Striker's avatar
Sander Striker committed
  *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
     the AF_UNIX socket used to communicate with the cgid daemon and
     the CGI script.  [Jeff Trawick]

William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
  *) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and 
     mod_rewrite which occurred if one configured a regular expression 
     with more than 9 captures.  [André Malo]
Andre Malo's avatar
Andre Malo committed
  *) mod_include: fix segfault which occured if the filename was not
     set, for example, when processing some error conditions.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 23836.  [Brian Akins <bakins web.turner.com>, André Malo]
Andre Malo's avatar
Andre Malo committed

  *) fix the config parser to support <Foo>..</Foo> containers (no
     arguments in the opening tag) supported by httpd 1.3. Without
     this change mod_perl 2.0's <Perl> sections are broken.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     ["Philippe M. Chiasson" <gozer cpan.org>]
  *) mod_cgid: fix a hash table corruption problem which could
     result in the wrong script being cleaned up at the end of a
     request.  [Jeff Trawick]

  *) Update httpd-*.conf to be clearer in describing the connection
     between AddType and AddEncoding for defining the meaning of
     compressed file extensions. [Roy Fielding]

Andre Malo's avatar
Andre Malo committed
  *) mod_rewrite: Don't die silently when failing to open RewriteLogs.
     PR 23416.  [André Malo]

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
     rewritten request using "proxy:". The code was adding multiple "proxy:"
     fields in the rewritten URI. PR: 13946.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Eider Oliveira <eider bol.com.br>]
Paul J. Reder's avatar
 
Paul J. Reder committed

Martin Kraemer's avatar
Martin Kraemer committed
  *) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     expires as directed in RFC 2616. [Thomas Castelle <tcastelle generali.fr>]
Paul J. Reder's avatar
 
Paul J. Reder committed

Thom May's avatar
Thom May committed
  *) Ensure that ssl-std.conf is generated at configure time, and switch
     to using the expanded config variables to work the same as
Andre Malo's avatar
Andre Malo committed
     httpd-std.conf PR: 19611
Thom May's avatar
Thom May committed
     [Thom May]

Sander Striker's avatar
Sander Striker committed
  *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Hartmut Keil <Hartmut.Keil adnovum.ch>]
Sander Striker's avatar
Sander Striker committed

Sander Striker's avatar
Sander Striker committed
  *) mod_autoindex: If a directory contains a file listed in the
     DirectoryIndex directive, the folder icon is no longer replaced
     by the icon of that file. PR 9587.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [David Shane Holden <dpejesh yahoo.com>]
Sander Striker's avatar
Sander Striker committed
  *) Fixed mod_usertrack to not get false positive matches on the
     user-tracking cookie's name.  PR 16661.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Manni Wood <manniwood planet-save.com>]
Sander Striker's avatar
Sander Striker committed

Sander Striker's avatar
Sander Striker committed
  *) mod_cache: Fix the cache code so that responses can be cached
     if they have an Expires header but no Etag or Last-Modified
     headers. PR 23130.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [<bjorn exoweb.net>]
Sander Striker's avatar
Sander Striker committed

Andre Malo's avatar
Andre Malo committed
  *) mod_log_config: Fix %b log format to write really "-" when 0 bytes
     were sent (e.g. with 304 or 204 response codes).  [Astrid Keßler]

  *) Modify ap_get_client_block() to note if it has seen EOS.
     [Justin Erenkrantz]

  *) Fix a bug, where mod_deflate sometimes unconditionally compressed the
     content if the Accept-Encoding header contained only other tokens than
     "gzip" (such as "deflate"). PR 21523.  [Joe Orton, André Malo]

  *) Avoid an infinite recursion, which occured if the name of an included
     config file or directory contained a wildcard character. PR 22194.
     [André Malo]

  *) mod_ssl: Fix a problem setting variables that represent the
     client certificate chain.  PR 21371  [Jeff Trawick]

  *) Unix: Handle permissions settings for flock-based mutexes in 
     unixd_set_global|proc_mutex_perms().  Allow the functions to be
     called for any type of mutex.  PR 20312  [Jeff Trawick]

  *) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]

Jeff Trawick's avatar
Jeff Trawick committed
  *) Fix a misleading message from the some of the threaded MPMs when 
     MaxClients has to be lowered due to the setting of ServerLimit.  
     [Jeff Trawick]

  *) Lower the severity of the "listener thread didn't exit" message
     to debug, as it is of interest only to developers.  PR 9011
     [Jeff Trawick]

  *) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
     [Cliff Woolley, Jean-Jacques Clar]

  *) Install config.nice into the build/ directory to make
     minor version upgrades easier. [Joshua Slive]

  *) Fix mod_deflate so that it does not call deflate() without checking
     first whether it has something to deflate. (Currently this causes
     deflate to generate a fatal error according to the zlib spec.)
     PR 22259. [Stas Bekman]

  *) mod_ssl: Fix FakeBasicAuth for subrequest.  Log an error when an
     identity spoof is encountered.
     [Sander Striker]

Andre Malo's avatar
Andre Malo committed
  *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
     containing the .htaccess file is requested without a trailing slash.
     PR 20195.  [André Malo]

  *) ab: Overlong credentials given via command line no longer clobber
     the buffer.  [André Malo]

  *) mod_deflate: Don't attempt to hold all of the response until we're
     done.  [Justin Erenkrantz]

  *) Assure that we block properly when reading input bodies with SSL.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 19242.  [David Deaves <David.Deaves dd.id.au>, William Rowe]

  *) Update mime.types to include latest IANA and W3C types.  [Roy Fielding]

  *) mod_ext_filter: Set additional environment variables for use by
     the external filter.  PR 20944.  [Andrew Ho, Jeff Trawick]

  *) Fix buildconf errors when libtool version changes.  [Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
  *) Remember an authenticated user during internal redirects if the
     redirection target is not access protected and pass it
     to scripts using the REDIRECT_REMOTE_USER environment variable.
     PR 10678, 11602.  [André Malo]

Andre Malo's avatar
Andre Malo committed
  *) mod_include: Fix a trio of bugs that would cause various unusual
     sequences of parsed bytes to omit portions of the output stream.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     PR 21095. [Ron Park <ronald.park cnet.com>, André Malo, Cliff Woolley]
Andre Malo's avatar
Andre Malo committed

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Update the header token parsing code to allow LWS between the
     token word and the ':' seperator.  [PR 16520]
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Kris Verbeeck <kris.verbeeck advalvas.be>, Nicel KM <mnicel yahoo.com>]
Paul J. Reder's avatar
 
Paul J. Reder committed

Paul J. Reder's avatar
 
Paul J. Reder committed
  *) Eliminate creation of a temporary table in ap_get_mime_headers_core()
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Joe Schaefer <joe+gmane sunstarsys.com>]
Paul J. Reder's avatar
 
Paul J. Reder committed

Andre Malo's avatar
Andre Malo committed
  *) Added FreeBSD directory layout. PR 21100.
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     [Sander Holthaus <info orangexl.com>, André Malo]
Andre Malo's avatar
Andre Malo committed

  *) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     response. PR 21085. [Glenn Nielsen <glenn apache.org>, André Malo]
Andre Malo's avatar
Andre Malo committed

  *) mod_rewrite: Perform child initialization on the rewrite log lock.
     This fixes a log corruption issue when flock-based serialization
     is used (e.g., FreeBSD).  [Jeff Trawick]

  *) Don't respect the Server header field as set by modules and CGIs.
     As with 1.3, for proxy requests any such field is from the origin
     server; otherwise it will have our server info as controlled by
     the ServerTokens directive.  [Jeff Trawick]

Andre Malo's avatar
Andre Malo committed
Changes with Apache 2.0.47
  *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
     of per-directory renegotiations and the SSLCipherSuite directive
     being used to upgrade from a weak ciphersuite to a strong one
     could result in the weak ciphersuite being used in place of the
     strong one.  [Ben Laurie]

  *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
     temporary denial of service when accept() on a rarely accessed port
     returns certain errors.  Reported by Saheed Akhtar
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     <S.Akhtar talis.com>.  [Jeff Trawick]
  *) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
     of service when target host is IPv6 but proxy server can't create
     IPv6 socket.  Fixed by the reporter.  [Yoshioka Tsuneo
William A. Rowe Jr's avatar
 
William A. Rowe Jr committed
     <tsuneo.yoshioka f-secure.com>]
  *) SECURITY [VU#379828] Prevent the server from crashing when entering
     infinite loops. The new LimitInternalRecursion directive configures
     limits of subsequent internal redirects and nested subrequests, after
     which the request will be aborted.  PR 19753 (and probably others).
Sander Striker's avatar
Sander Striker committed
     [William Rowe, Jeff Trawick, André Malo]