-*- coding: utf-8 -*-
Changes with Apache 2.2.0
*) mod_negotiation: Minor performance tweak by reusing already calculated
strlen.
[Ruediger Pluem, Christophe Jaillet <christophe.jaillet wanadoo.fr>]
*) Remove support for 'On' and 'Off' for AuthBasicProvider and
AuthDigestProvider. [Joshua Slive, Justin Erenkrantz]
*) Add in new UseCanonicalPhysicalPort directive, which controls
whether or not Apache will ever use the actual physical port
when constructing the canonical port number. [Jim Jagielski]
*) mod_dav: Fix a null pointer dereference in an error code path during the
handling of MKCOL.
[Ruediger Pluem, Ghassan Misherghi <ghassanm ucdavis.edu>]
*) mod_proxy_balancer: When finding best worker, use case insensitive
match for scheme and host, but case sensitive for the rest of
the path. [Jim Jagielski, Ruediger Pluem]
*) Require use of APR >= 1.2.0 and APR-util >= 1.2.0 when configured
to use external copies of the libraries. [Joe Orton]
*) Fix DESTDIR=... installation when using bundled copy of APR.
[Torsten Foertsch <torsten.foertsch gmx.net>]
*) mod_dav: Fix handling of unknown state tokens in If: headers.
PR: 37288. [Joe Orton]
*) Strip out Experimental MPMs that have gone nowhere since 2.0
(perchild, threadpool, leader). [Nick Kew]
Changes with Apache 2.1.9
*) Add mod_authn_dbd (SQL-based authentication) [Nick Kew]
*) mod_proxy_ajp: Do not spool the entire response from AJP backend before
sending it up the filter chain. PR 37100. [Ruediger Pluem]
*) mod_cache: Create new filters CACHE_OUT_SUBREQ / CACHE_SAVE_SUBREQ which
only differ by the type from CACHE_OUT / CACHE_SAVE to ensure that
subrequests to non-local resources work again. [Ruediger Pluem]
*) mod_proxy: Do not lowercase the entire worker name of a BalancerMember
since this breaks case sensitive URI's. PR 36906. [Ruediger Pluem]
*) core: AddOutputFilterByType is ignored for proxied requests. PR 31226.
[Joe Orton, Ruediger Pluem]
*) mod_proxy_http: Prevent data corruption of POST request bodies when
client accesses proxied resources with SSL. PR 37145.
[Ruediger Pluem, William Rowe]
*) mod_ssl: Fix issue which could cause spurious warnings about use
of name-based vhosts. PR 37051. [Joe Orton]
*) ab: Fix to ensure that only the expected number of requests are run.
PR 36966. [Joe Orton]
*) mod_proxy_balancer: BalancerManager and proxies correctly handle
member workers with paths. PR 36816. [Ruediger Pluem, Jim Jagielski]
*) mod_log_config: %{hextid}P will log the thread id in hex with APR
versions 1.2.0 or higher. [Jeff Trawick]
*) httpd.exe/apachectl -V: display the DYNAMIC_MODULE_LIMIT setting, as
in 1.3. [Jeff Trawick]
*) Support dbd connection tied to conn_rec in mod_dbd. [Nick Kew]
*) Fix use of pools in mod_dbd. [Brian J France, Nick Kew]
*) Promote modules from "experimental": mod_dbd, mod_filter,
mod_charset_lite. [Nick Kew]
*) mod_proxy_ajp: mod_proxy_ajp sends empty SSL attributes for non SSL
connections. PR 36883.
[William Barker <william.barker wilshire.com>, Ruediger Pluem]
*) Eliminated the NET_TIME filter, restructuring the timeout logic.
This provides a working mod_echo on all platforms, and ensures any
custom protocol module is at least given an initial timeout value
based on the <VirtualHost > context's Timeout directive.
[William Rowe]
*) mod_proxy: Run the request_status hook also if there are no free workers
or all workers are in error state.
[Ruediger Pluem, Brian Akins <brian.akins turner.com>]
*) mod_proxy_connect: Fix high CPU loop on systems like UnixWare which
trigger POLL_ERR or POLL_HUP on a terminated connection. PR 36951.
[Jeff Trawick, Ruediger Pluem]
*) mod_proxy_balancer: Fix handling of sticky sessions with Tomcat.
PR 36507. [Ruediger Pluem]
*) SECURITY: CVE-2005-2970 (cve.mitre.org)
worker MPM: Fix a memory leak which can occur after an aborted
connection in some limited circumstances. [Greg Ames]
*) Doxygen fixups. [Neale Ranns <neale ranns.org>, Ian Holsman]
*) mod_cache/mod_dir: Correct a subrequest lookup bug which was preventing
mod_dir from serving indexes correctly with mod_cache enabled.
[Colm MacCarthaigh]
Changes with Apache 2.1.8
*) Fix lingering close implementation to match 1.3.x behaviour.
PR 35292. [Joe Orton]
*) mod_ssl: Support limited buffering of request bodies to allow
per-location renegotiation to proceed. PR 12355. [Joe Orton]
*) Fix regression since 2.0.x in AllowOverride Options handling.
PR 35330. [kabe <kabe sra-tohoku.co.jp>]
*) mod_ssl: Fix memory leak in ssl_util_algotypeof().
PR 25659. [David Blake <dblake hp com>, Martin Kraemer]
*) prefork, worker and event MPMs: Support a graceful-stop procedure:
Server will wait until existing requests are finished or until
"GracefulShutdownTimeout" number of seconds before exiting.
[Colm MacCarthaigh, Ken Coar, Bill Stoddard]
*) prefork, worker and event MPMs: Prevent children from holding open
listening ports upon graceful restart or stop. PR 28167.
[Colm MacCarthaigh, Brian Pinkerton <bp thinkpink.com>]
*) SECURITY: CVE-2005-2700 (cve.mitre.org)
mod_ssl: Fix a security issue where "SSLVerifyClient" was not
enforced in per-location context if "SSLVerifyClient optional"
was configured in the vhost configuration. [Joe Orton]
*) mod_ssl: Catch parse errors from misconfigured or malformed
CRLs. PR 36438. [Joe Orton]
*) mod_proxy/mod_proxy_balancer: lbmethods now implemented as
providers. Prevent problems when no Vhost containers were
configured with proxy balancers. [Jim Jagielski]
*) New provider function to list all available provider names in a
specific group and version (ap_list_provider_names). [Jim Jagielski]
*) mod_cache: Enhance CacheEnable/CacheDisable to control caching on a
per-protocol, per-host and per-path basis. Intended for proxy
configurations. [Colm MacCarthaigh]
*) mod_disk_cache: Canonicalise the storage key, for improved hit/miss
ratio. [Colm MacCarthaigh]
*) mod_cgid: Append .PID to the script socket filename and remove the
script socket on exit. [Colm MacCarthaigh, Jim Jagielski]
*) mod_cgid: run the get_suexec_identity hook within the request-handler
instead of within cgid. PR 36410. [Colm MacCarthaigh]
*) Linux 2.0: remove support for threaded MPM's due to linuxthreads use
of SIGUSR1 clashing with graceful restart signal. [Colm MacCarthaigh]
Changes with Apache 2.1.7
*) SECURITY: CVE-2005-2491 (cve.mitre.org):
Fix integer overflows in PCRE in quantifier parsing which could
be triggered by a local user through use of a carefully-crafted
regex in an .htaccess file. [Philip Hazel]
*) mod_proxy/mod_proxy_balancer: Provide a simple, functional
interface to add additional balancer lb selection methods
without requiring code changes to mod_proxy/mod_proxy_balancer;
these can be implemented via sub-modules now. [Jim Jagielski]
*) mod_cache: Fix incorrectly served 304 responses when expired cache
entity is valid, but cache is unwritable and headers cannot be
updated. [Colm MacCarthaigh <colm stdlib.net>]
*) mod_cache: Remove entities from the cache when re-validation
receives a 404 or other content-no-longer-present error.
[Rüdiger Plüm ruediger.pluem vodafone.com]
*) mod_disk_cache: Properly remove files from cache when needed.
[Rüdiger Plüm ruediger.pluem vodafone.com]
*) mod_disk_cache: Support htcacheclean removing directories.
[Andreas Steinmetz]
*) htcacheclean: Add -t option to remove empty directories.
[Colm MacCarthaigh <colm stdlib.net>]
*) Remove the base href tag from mod_proxy_ftp, as it breaks relative
links for clients not using an Authorization header. [Graham Leggett,
Jon Snow <jsnow27 gatesec.net>]
*) mod_cache: Restore the HTTP status of cached responses.
[Hansjoerg Pehofer <hansjoerg.pehofer uibk.ac.at>]
*) mod_cache: Store varied contents all in the same prefix for a varied URI.
[Paul Querna]
*) mod_cache: Run the CACHE_SAVE and CACHE_OUT Filters after other content
filters. [Paul Querna]
*) mod_negotiation: Correctly report 404 instead of 403 for missing files.
[Paul Querna]
*) new hook (request_status) that gets ran in proxy_handler just before
the final return. This gives modules an opportunity to do something
based on the proxy status. (minor MMN bump)
[Brian Akins <bakins turner.com>, Ian Holsman]
*) Add additional SSLSessionCache option, 'nonenotnull', which is
similar to 'none' (disabling any external shared cache) but forces
OpenSSL to provide a non-null session ID. [Jim Jagielski]
*) Add httxt2dbm to support/ for creating RewriteMap DBM Files.
[Paul Querna]
*) Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note
the negotiated compression. [Georg v. Zezschwitz <gvz 2scale.de>]
*) Fixed complaints about unpackaged files within the RPM build
after changes to the config files. [Graham Leggett]
*) Fix shutdown for the Worker MPM when an Accept Filter is used. Instead of
just closing the socket, a HTTP request is made, to make sure the child is
always awakened. [Paul Querna]
Changes with Apache 2.1.6
*) Fix htdbm password validation for records which included comments.
[Eric Covener <covener gmail.com>]
*) mod_cgid: Fix buffer overflow processing ScriptSock directive.
[Steve Kemp <steve steve.org.uk>]
Changes with Apache 2.1.5
*) mod_ssl: Setting the Protocol to 'https' can replace the use of the
'SSLEngine on' command. [Paul Querna]
*) core: Refactor the mapping of Accept Filters to Sockets. Add the
AcceptFilter and Protocol directives to aid in mapping filter types.
Extend the Listen directive to optionally take a protocol name.
[Paul Querna]
*) mod_disk_cache: Support storing multiple variations of one URL. PR 35211.
[Paul Querna]
*) mod_disk_cache: Atomically create the header data file. [Paul Querna]
*) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125.
[Paul Querna]
*) mod_cache: Rename 'generate_name' to 'ap_cache_generate_name'.
[Paul Querna]
*) mod_mime_magic: Handle CRLF-format magic files so that it works with
the default installation on Windows. [Jeff Trawick]
*) core: Allow multiple modules to register interest in a single
configuration command. [Paul Querna]
*) authn_provider_alias: Adds the configuration block tag
<AuthnProviderAlias baseProvider Alias>
Authentication directives contained within this block can be
referenced as a new authProvider using the AuthBasicProvider or
AuthDigestProvider directive. These directives will be merged in to
the per_dir configuration just before the base provider is called.
[Brad Nicholes]
*) ap_getword_conf: Fix backslashes at the end of configuration directives.
PR 34834. [Timo Viipuri <viipuri dlc.fi>]
*) mod_dbd: New additions: mod_dbd.c, mod_dbd.h, mod_dbd.xml
Provide module hooks for apr_dbd; optimise for httpd
threaded and non-threaded arch [Nick Kew]
*) ab: SSL support rewritten, improved, and enabled if SSL is enabled
during the build; -f and -Z arguments added to specify SSL protocol
options. [Masaoki Kobayashi <masaoki techfirm.co.jp>]
*) mod_info: Show the Quick Handler [Paul Querna]
*) mod_ldap: Add the directive LDAPVerifyServerCert to specify
whether to force verification of the server certificate when
establishing an SSL connection to the LDAP server.
[Brad Nicholes]
*) mod_proxy: Run mod_rewrite before mod_proxy in the translate_name
hook. [Paul Querna]
*) Add AP_INIT_TAKE_ARGV for configuration commands. (minor MMN bump)
[Paul Querna]
*) ap_get_local_host() rewritten for APR. [Jim Jagielski]
*) Add the ap_vhost_iterate_given_conn function to expose the information
used in Name Based Virtual Hosting. (minor MMN bump)
[Paul Querna]
*) Remove the never working ap_method_list_do and ap_method_list_vdo.
[Paul Querna]
*) Added makefile and doc for building mod_ssl on the NetWare
platform. [Guenter Knauf, Brad Nicholes]
*) mod_deflate: Merge the Vary header, isntead of Setting it. Fixes
applications that send the Vary Header themselves, and also apply
mod_deflate as an output filter. [Paul Querna]
*) Change the default (when not present in the config file) setting
for UseCanonicalName to Off.
[Joshua Slive]
*) mod_userdir: The module no longer does any remapping unless the
UserDir directive is present in the config file.
[Joshua Slive]
*) Massively simplify the distributed httpd.conf by removing
many features and many directives that are at their default
setting. Add a selection of example config excerpts for adding
extra features in the conf/extra/ directory. Install the
distributed config and the extra config examples in the
conf/original/ directory during make install.
[Joshua Slive, Justin Erenkrantz]
*) NetWare: Reposition mod_asis, mod_actions, mod_cgi, mod_imagemap,
mod_userdir and mod_autoindex as shared modules rather than
built-in modules within the NetWare build.
[Brad Nicholes]
*) Rename mod_imap to mod_imagemap.
[Paul Querna]
*) util_ldap: Eliminate the load ordering of mod_ldap and mod_authnz_ldap
by changing the mod_ldap exported functions to optional functions.
[Brad Nicholes]
Changes with Apache 2.1.4
*) Don't let a subrequest inherit headers describing the original request's
body. [Greg Ames]
*) Fix Windows CompContext buff size miscalculation
[Allan Edwards]
*) Add ReceiveBufferSize directive to control the TCP receive buffer.
[Eric Covener <covener gmail.com>]
*) mod_proxy: Add proxy-sendextracrlf option to send an extra CRLF at the
end of the request body to work with really old HTTP servers.
[Justin Erenkrantz]
*) util_ldap: Keep track of the number of attributes retrieved from
LDAP so that all the values can be properly cached even if the
value is NULL. PR 33901 [Brad Nicholes]
*) mod_cache: Fix error where incoming Cache-Control would be ignored.
[Justin Erenkrantz]
*) mod_cache: Correctly handle originally conditional requests.
[Sander Striker]
*) mod_disk_cache: Correctly update cached headers on revalidated responses.
[Sander Striker, Justin Erenkrantz]
*) worker MPM/mod_status: Support per-worker tracking of pid and
generation in the scoreboard so that mod_status can accurately
represent workers in processes which are gracefully terminating.
(major MMN bump)
[Jeff Trawick]
*) Correctly export all mod_dav public functions.
[Branko Čibej <brane xbc.nu>]
Changes with Apache 2.1.3
*) mod_ssl: Add ssl_ext_lookup optional function for accessing
certificate extensions. [David Reid, Joe Orton]
*) Add support for use of an external PCRE library; pass the
--with-pcre flag to configure. PR 27550. [Joe Orton,
Andres Salomon <dilinger voxel.net>]
*) Renamed regex interfaces to be namespace-safe, and moved from
pcreposix.h header to ap_regex.h: regex_t->ap_regex_t,
regmatch_t->ap_regmatch_t; REG_*->AP_REG_*; functions
reg*->ap_reg*. PR 27550. [Andres Salomon <dilinger voxel.net>,
Joe Orton]
*) Only recompile buildmark.c when we have to relink httpd.
[Justin Erenkrantz]
*) mod_cache: Fix up handling of revalidated responses.
[Justin Erenkrantz]
*) mod_disk_cache: Properly load cached ETag from on-disk structures.
[Justin Erenkrantz]
*) mod_authnz_ldap: Added an optional second parameter to AuthLDAPURL
to allow it to override the connection type set in mod_ldap. This
parameter can be set to NONE, SSL or TLS | STARTTLS.
[Brad Nicholes]
*) Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
[Max Bowsher <maxb ukf.net>]
*) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170.
[Rici Lake <rici ricilake.net>]
*) mod_proxy: Fix ap_proxy_canonenc API.
PR 32459. [Jim Jagielski]
*) mod_cache: Add CacheStorePrivate and CacheStoreNoStore directive.
[Justin Erenkrantz]
*) Add --enable-pie flag to configure, to build httpd as a Position
Independent Executable where supported (GCC/binutils).
[Joe Orton]
*) proxy_balancer: Add in load-balancing via weighted traffic
byte count. [Jim Jagielski]
*) mod_disk_cache: Cache r->err_headers_out headers. This allows CGI
scripts to be properly cached. [Justin Erenkrantz, Sander Striker]
*) mod_ldap: Updated to use the new apr-util v1.1 apr_ldap_*_option()
API for the setting of server and client SSL certificates. Replaced
LDAPTrustedCA directive with LDAPTrustedGlobalCert and
LDAPTrustedClientCert directives to correctly support global certs
(CA certs / Netware client certs) and per connection client certs
as supported by Netware, OpenLDAP and Netscape/Mozilla.
[Graham Leggett]
*) mod_cache: Remove unimplemented CacheForceCompletion directive.
[Justin Erenkrantz]
*) support/check_forensic: Fix temp file usage
[Javier Fernandez-Sanguino Pen~a <jfs computer.org>]
*) mod_ssl: Add SSLCADNRequestFile and SSLCADNRequestPath directives
which can be used to configure a specific list of CA names to send
in a client certificate request. PR 32848.
[Tim Taylor <tim.taylor dfas.mil>]
*) --with-module can now take more than one module to be statically
linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
If the <modtype>-subdirectory doesn't exist it will be created and
populated with a standard Makefile.in. [Erik Abele]
*) Remove some compiler warnings within the LDAP modules [Graham Leggett]
*) Add a build script to create a solaris package. [Graham Leggett]
*) ap_http_scheme() replaced with ap_http_method() - this function
returns the scheme (http v.s. https).
[William Rowe]
*) mod_proxy: Fix a request corruption problem and a buffering problem
which sometimes prevented proxy-sendchunks from working.
[Jeff Trawick]
*) Fix the RPM spec file so that an RPM build now works. An RPM
build now requires system installations of APR and APR-util.
[Graham Leggett]
*) Significantly simplify the load balancer scheduling algorithm
for the proxy BalancerMember weighting. loadfactors (lbfactors)
are now normalized with respect to each other. [Jim Jagielski]
*) mod_dumpio: Added to the available module suite; it is an
I/O logging/dumping module. Placed in the (new) debug module
subdirectory. mod_bucketeer moved to that directory as well.
[Jim Jagielski]
*) core: Add support for APR_TCP_DEFER_ACCEPT to defer accepting
of a connection until data is available.
[Paul Querna]
Changes with Apache 2.1.2
*) mod_proxy: Respect errors reported by pre_connection hooks.
[Jeff Trawick]
*) core: Error out on sections that are missing an argument instead of
silently consuming the section. PR 25460.
[Geoffrey Young, Paul Querna]
*) mod_cache/mod_mem_cache/mod_disk_cache: Move out of experimental.
*) Upgraded PCRE to version 5.0. [Brian Pane]
*) mod_cgid: Catch configuration problem where two web server instances
share same ServerRoot but admin forgot to use ScriptSock.
[Jeff Trawick]
*) mod_cgi: Ensure that all stderr is logged for a script which returns
a Location header to generate a non-local redirect. PR 20111.
[Joe Orton]
*) Added the Event MPM to more efficiently handle clients during a
Keep Alive request.
[Paul Querna, Greg Ames]
Changes with Apache 2.1.1
*) mod_proxy_http: Stream content better - always flush buffered data to
the client before blocking waiting for new data. PR 19954.
[Joe Orton]
*) mod_ssl: Add support for command-line option "-t -DDUMP_CERTS" which
will dump the filenames of all configured SSL certificates to stdout.
[Joe Orton]
*) mod_disk_cache: Remove a bunch of non-implemented garbage collection
and cache size directives that are now available through htcacheclean.
[Justin Erenkrantz]
*) Add htcacheclean to support/ for assistance with mod_disk_cache.
[Andreas Steinmetz]
*) mod_authnz_ldap: Added the directive "Requires ldap-filter" that
allows the module to authorize a user based on a complex LDAP
search filter. [Brad Nicholes]
*) mod_usertrack: Run the fixups hook before other modules.
PR 29755. [Paul Querna]
*) Allow mod_authnz_ldap authorization functionality to be used
without requiring the user to also be authenticated through
mod_authnz_ldap. This allows other authentication modules to
take advantage of LDAP authorization only [PR 28253]
[Jari Ahonen jah progress.com, Brad Nicholes]
*) Log the client IP address when an error occurs disabling nagle on a
connection, but log at a severity of debug since this error
generally means that the connection was dropped before data was
sent. Log the client IP address when reporting errors in the core
output filter. [Jeff Trawick]
*) core: Add a warning message if the request line read fails.
[Paul Querna]
*) mod_rewrite: Removed the MaxRedirects option in favor of the
core LimitInternalRecursion directive. [André Malo]
*) mod_info: Added listing of the Request Hooks and added more build
information like 'httpd -V' contains. Changed output to XHTML.
[Paul Querna]
*) mod_info: Rewrote config tree walk using a recursive function.
Added ?config option. Added printout of config filename and line numbers.
[Rici Lake <rici ricilake.net>, Paul Querna]
*) mod_proxy: Fix type error that prevents proxy-sendchunks from working.
[Justin Erenkrantz]
*) mod_proxy: Fix data corruption by properly setting aside buckets.
[Justin Erenkrantz]
*) mod_proxy: If a request has a blank body and has a 0 Content-Length
headers, pass that to the proxy. [Justin Erenkrantz]
*) Recognize QSA flag in mod_rewrite again.
[Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]
*) Restructured mod_auth_ldap to fit the new authentication model.
The module is now called authnz_ldap and has been moved out of
the modules/experimental area and into modules/aaa with the other
auth modules. Both the authn_ldap provider and the authz_ldap
handler are contained within the authnz_ldap module. The
authz_ldap handler introduces 3 new "requires" values for handling
authorization. These handlers are ldap-user, ldap-group and
ldap-dn. [Brad Nicholes]
*) Fix some compiler warnings in proxy
[Geoffrey Young <geoff@modperlcookbook.org>]
*) mod_ssl: Add SSL_CLIENT_V_REMAIN variable, representing the
number of days until the client cert expires. [Joe Orton]
*) Add test_config hook, run only if httpd is invoked using -t.
[Joe Orton]
*) Improve error handling for corrupted pid files. [Jeff Trawick]
*) mod_proxy.c and proxy_util.c: Enable compiling on 2.0-HEAD
(for backwards compatibility):
Avoids mod_ssl.h (not included in 2.0-HEAD) and
use apr_socket_create_ex for 0.9.x
[Mladen Turk]
*) Added proxy_ajp.c module for proxy support to ajp:// backends.
[Jean Frederic Clere]
*) Fixes the build of proxy on Windows. Since the proxy_module is declared
as extern using AP_MODULE_DECLARE_DATA that expands to dllexport, there
is a LNK2001 error when building proxy_http. [Mladen Turk]
*) Remove LDAP toolkit specific code from util_ldap and mod_auth_ldap.
[Graham Leggett]
*) Remove deprecated/removed APR_STATUS_IS_SUCCESS(). [Justin Erenkrantz]
*) perchild MPM: Fix thread safety problem in the use of longjmp().
[Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]
*) Add load balancer support to the scoreboard in preparation for
load balancing support in mod_proxy. [Mladen Turk]
*) mod_nw_ssl: Added the directive NWSSLUpgradeable to mod_nw_ssl to
allow a non-secure connection to be upgraded to secure connections
[Brad Nicholes]
*) core: Add Options= syntax to AllowOverride to specify which options
may be overridden in .htaccess files. PR 29310.
[Tom Alsberg <alsbergt cs.huji.ac.il>, Paul Querna]
*) ab: Handle long URLs with an error instead of an buffer overflow.
PR 28204. [Erik Weide <erik.weidel mplus-technologies.de>, Paul Querna]
*) mod_so, core: Add new command line options to print all loaded
modules. '-t -D DUMP_MODULES' and '-M' will show all static
and shared modules as loaded from the configuration file.
[Paul Querna]
*) mod_autoindex: Add ShowForbidden to IndexOptions to list files
that are not shown because the subrequest returned 401 or 403.
PR 10575. [Paul Querna]
*) mod_headers: implement "Early" processing option in post_read_request
to enable Header and RequestHeader directives to be used to set up
testcases for pre-fixups request phases [Nick Kew]
*) mod_proxy: multiple bugfixes, principally support cookies in
ProxyPassReverse, and don't canonicalise URL passed to backend.
Documentation correspondingly updated. [Nick Kew <nick webthing.com>]
*) mod_deflate: support gzip flags in inflate_out_filter
[Nick Kew <nick webthing.com>]
*) Drop the ErrorHeader directive which turned out to be a misnomer.
Instead there's a new optional flag for the Header directive
('always'), which keeps the former ErrorHeader functionality.
[André Malo]
*) mod_deflate: Don't deflate responses with zero length
e.g. proxied 304's [Allan Edwards]
*) <IfModule> now recognizes the module identifier in addition to the
file name. PR 29003. [Edward Rudd <eddie omegaware.com>, André Malo]
*) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
OpenSSL 0.9.7 flag which uses the server's cipher order rather
than the client's. PR 28665.
[Jim Schneider <jschneid netilla.com>]
*) mod_ssl: Drop support for the CompatEnvVars argument to
SSLOptions, which was never actually implemented in 2.0.
[Joe Orton]
*) Fix bug in mod_deflate that unconditionally sent deflate'd output
even when Accept-Encoding is not present. [Justin Erenkrantz]
*) Pass environment variables through to piped loggers and start
them via the shell, resolving regressions since 1.3. PR 28815
[Ken Coar, Jeff Trawick]
*) External rewrite map responses are no longer limited to 2048
bytes. [André Malo]
*) Proxy server was deleting cookies that Apache had already
assigned if the origin server had set any cookies. PR 27023.
[Jim Jagielski]
*) Removed old and unmaintained ap_add_named_module API and changed
the following APIs to return an error instead of hard exiting:
ap_add_module, ap_add_loaded_module, ap_setup_prelinked_modules,
and ap_process_resource_config. [André Malo]
*) mod_headers: Allow %% in header values to represent a literal %.
[André Malo]
*) mod_headers: Allow env clauses also for 'echo' and 'unset' actions.
[André Malo]
*) mod_headers: Allow 'echo' also for ErrorHeaders. [André Malo]
*) mod_deflate: New option for DEFLATE output file (force-gzip),
new output filter 'INFLATE' for uncompressing responses.
[Nick Kew <Nick at WebThing dot com>, Ian Holsman]
*) Added new module mod_version, which provides version dependent
configuration containers. [André Malo]
*) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
format is used. PR 27787. [André Malo]
*) Allow Digest providers to return AUTH_DENIED to propagate a 401
status and terminate the provider chain prior to checking the password.
[Geoffrey Young]
*) mod_cgid: Don't allow Scriptsock to be specified inside VirtualHost;
Don't place script socket inside default server root instead of
actual server root. PR 27886. [Jeff Trawick]
*) mod_proxy: Fix handling of non-200 success status codes when
"ProxyErrorOverride On" is configured. PR 20183.
[Marcus Janson <marcus.janson tre.se>, Joe Orton]
*) Threaded MPMs for Unix and Win32: Add support for ThreadStackSize
directive (previously NetWare-only) to override default thread
stack size for threads which handle client connections. Required
for some third-party modules on platforms with small default
thread stack size. [Jeff Trawick]
*) minor mod_auth_basic and mod_auth_digest sync. mod_auth_basic
now populates r->user with the (possibly unauthenticated) user,
and mod_auth_digest returns 500 when a provider returns
AUTH_GENERAL_ERROR.
[Geoffrey Young]
*) The whole codebase was relicensed and is now available under
the Apache License, Version 2.0 (http://www.apache.org/licenses).
[Apache Software Foundation]
*) Delete some make-generated files in the server directory during
"make clean" processing. PR 26552. [Jeff Trawick]
*) Add core version query function (ap_get_server_revision) and
accompanying ap_version_t structure (minor MMN bump).
[André Malo]
*) mod_rewrite: EOLs sent by external rewritemaps are now consumed
as whole. That way, on systems with more than one EOL character
rewritemap programs no longer need to switch stdout to binary
mode. PR 25635. [André Malo]
*) mod_rewrite: Introduce the ability to force a content handler via
the [handler=...] flag. [André Malo]
*) mod_rewrite: Introduce the RewriteCond -x check, which returns
true if the pattern is a file with execution permissions.
[André Malo]
*) mod_rewrite: Allow proxying and RewriteRules in directory context
for subrequests. PR 14648, 15114. [André Malo]
*) mod_rewrite: Allow setting of any valid HTTP response code.
PR 25917. [André Malo]
*) mod_rewrite: Cookie creation now works locale independent.
[André Malo]
*) mod_ssl: Add support for distributed session cache using 'distcache'.
[Geoff Thorpe <geoff geoffthorpe.net>]
*) mod_dav: Disallow requests with an unescaped hash character in
the Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
*) mod_proxy with ProxyErrorOverride On in a reverse-proxy configuration
attaches a body to the 302 response and a wrong Content-Length header.
PR: 22951 [Ermanno Scaglione scaglione ..at.. starnetone.de]
*) Bring ErrorHeader concept forward from 1.3, so that response
header fields can be set for return even on errors or external
redirects. [Ken Coar]
*) Fix <Limit> and <LimitExcept> parsing to require a closing '>'
in the initial container. PR 25414.
[Geoffrey Young <geoff apache.org>]
*) Clean up httpd -V output: Instead of displaying the MPM source
directory, display the MPM name and some MPM properties.
[Geoffrey Young <geoff apache.org>]
*) mod_ssl/mod_status: Re-enable support for output of SSL session
cache information in server-status page. [Joe Orton]
*) mod_ssl: Remove the shmht session cache, shmcb should be used
instead. [Joe Orton]
*) mod_logio: Account for some bytes handed to the network layer prior to
dropped connections. [Jeff Trawick]
*) mod_autoindex: new directive IndexStyleSheet
[Tyler Riddle <triddle_1999 yahoo.com>, Paul Querna <chip force-elite.com>]
*) Fix uninitialized gprof directory name in prefork MPM. PR 24450.
[Chris Knight <Christopher.D.Knight nasa.gov>]
*) Log an error when requests for URIs which fail to map to a valid
filesystem name are rejected with 403. [Jeff Trawick]
*) Switch to APR 1.0 API.
*) Major overhaul of mod_include's filter parser. The new parser code
is expected to be more robust and should catch all of the edge cases
that were not handled by the previous one. This includes a binary
incompatible change of mod_include's external API. [André Malo]
*) mod_rewrite: Allow forced mimetypes [T=...] to get expanded.
PR 14223. [André Malo]
*) mod_rewrite: Fix LA-U and LA-F lookups in directory context. Previously
the current rewrite state was just used as lookup path, which lead to
strange and often useless results. Related to PR 8493. [André Malo]
*) Change Listen directive to bind to all addresses when a hostname is
not specified. [Justin Erenkrantz]
*) Correct failure with Listen directives on machines with IPv6 enabled.
[Colm MacCárthaigh <colm stdlib.net>, Justin Erenkrantz]
*) Fix a link failure in mod_ssl when the OpenSSL libraries contain
the ENGINE functions but the engine header files are missing.
[Cliff Woolley]
*) mod_rewrite: RewriteRules in server context using the force
type feature [T=...] no longer disable MultiViews. [André Malo]
*) mod_rewrite: Allow piped rewrite logs to be relative to ServerRoot.
[André Malo]
*) mod_authz_groupfile: Strip trailing spaces of group names. This
hopefully saves some hours of searching for typos. PR 12863.
[André Malo]
*) mod_actions: Propagate the handler name to the action script via
the REDIRECT_HANDLER environment variable. [André Malo]
*) mod_actions: Introduce the "virtual" modifier to the Action directive,
which allows the use of handlers for virtual locations. PR 8431.
[André Malo]
*) mod_speling: Recognize AcceptPathInfo setting for the particular
location. Default is to reject path information. PR 21059.
[André Malo]
*) mod_ext_filter: Add the ability to filter request bodies.
[Philipp Reisner <philipp.reisner linbit.com>]
*) Fix some broken log messages in WinNT MPM.
[Juan Rivera <Juan.Rivera citrix.com>]
*) prefork MPM: Use the right permissions for the directory created
for gprof support. [Jim Carlson <jcarlson jnous.com>]
*) Fix a compile failure with recent OpenSSL and picky compilers
(e.g., OpenSSL 0.9.7a and xlc_r on AIX). [Jeff Trawick]
*) OpenSSL headers should be included as "openssl/ssl.h", and not rely on
the INCLUDE path to be defined properly.
PR 11310. [Geoff Thorpe <geoff geoffthorpe.net>]
*) Modify APACHE_CHECK_SSL_TOOLKIT to detect SSL-C. [Madhusudan Mathihalli]
*) Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc).
[Geoff Thorpe <geoff geoffthorpe.net>]
*) change directive name from 'compressionlevel' to 'deflatecompressionlevel'
[Ian Holsman, André Malo]
*) mod_negotiation: quality values are now parsed independent from
the current locale. level values are now really parsed as integers.
PR 17564. [André Malo]
*) Extend mod_negotiation to evaluate the environment variables
no-gzip and gzip-only-text/html the same way as mod_deflate does.
[André Malo]
*) mod_rewrite: Fix some problems reporting errors with mapping
programs (RewriteMap prg:/something). [Jeff Trawick]
*) Return 413 if chunk-ext-header is too long rather than reading from
the truncated line. PR 15857. [Justin Erenkrantz]
*) Allow restart of httpd to occur even with syntax errors in the config
file. PR 16813. [Justin Erenkrantz]
*) Use APR_LAYOUT instead of APACHE_LAYOUT in configure. PR 15679.
[Justin Erenkrantz]
*) Remove files on 'make distclean' that should be. PR 15592.
[Justin Erenkrantz]
*) Allow apachectl to perform status with links and elinks as well.
[Justin Erenkrantz]
*) mod_log_config change optional hook to return previous handler
[Ian Holsman]
*) Forward port of mod_actions' ability to handle arbitrary methods
with the Script directive. [André Malo]
*) Let suexec send a message to stderr, if it failed or its policy
was violated. This message appears in the error log and allows
for easier debugging. PR 5381, 7638, 8255, 10773. [André Malo]
*) Modify buildconf to copy all required files into httpd's tree.
[Thom May <thom planetarytramp.net>]
*) Allow mod_dav to do weak entity comparison functions.
[Justin Erenkrantz]
*) Move RFC 1413 ident requests from core to new module mod_ident.
[André Malo]
*) Add mod_authz_owner - a forward port of "Require file-owner"
and "Require file-group", which was already present in version
1.3.21. [André Malo]
*) Add mod_dav_lock - a generic subset of the DAV locking implementation.
[Justin Erenkrantz]
*) Replace some of the mutex locking in the worker MPM with
atomic operations for higher concurrency. [Brian Pane]
*) Allow 'make depend' to work with non-GCC compilers.
[Justin Erenkrantz]
*) If an httpd.conf has commented out AddModule directives,
apxs -i -a will add an un-commented AddModule directive for
the new module, which breaks the config.
PR: 11212 [Joe Orton]
*) Fix mod_proxy handling of filtered input bodies. [Justin Erenkrantz]
*) Move the check of the Expect request header field after the hook
for ap_post_read_request, since that is the only opportunity for
modules to handle Expect extensions. [Justin Erenkrantz]
*) Rewrite of aaa modules to an authn/authz model.
[Dirk-Willem van Gulik, Justin Erenkrantz]
[Apache 2.1.0-dev includes those bug fixes and changes with the
Apache 2.0.xx tree as documented, and except as noted, below.]
Changes with Apache 2.0.56
*) mod_cgi(d): Remove block on OPTIONS method so that scripts can
respond to OPTIONS directly rather than via server default.
[Roy Fielding] PR 15242
Changes with Apache 2.0.55
*) SECURITY: CVE-2005-2088 (cve.mitre.org)
proxy: Correctly handle the Transfer-Encoding and Content-Length
headers. Discard the request Content-Length whenever T-E: chunked
is used, always passing one of either C-L or T-E: chunked whenever
the request includes a request body. Resolves an entire class of
proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]
*) Added TraceEnable [on|off|extended] per-server directive to alter
the behavior of the TRACE method. This addresses a flaw in proxy
conformance to RFC 2616 - previously the proxy server would accept
a TRACE request body although the RFC prohibited it. The default
remains 'TraceEnable on'. [William Rowe]
*) Add ap_log_cerror() for logging messages associated with particular
client connections. [Jeff Trawick]
*) Correct mod_cgid's argv[0] so that the full path can be delved by the
invoked cgi application, to conform to the behavior of mod_cgi.
[Pradeep Kumar S <pradeep.smani gmail.com>]
*) mod_include: Fix possible environment variable corruption when
using nested includes. PR 12655. [Joe Orton]
*) Support the suppress-error-charset setting, as with Apache 1.3.x.
PR 31274. [Jeff Trawick]
*) EBCDIC: Handle chunked input from client or, with proxy, origin
server. [Jeff Trawick]
*) Fix bad globbing comparison which could result in getting
a directory listing when a file was requested. PR 34512.
[sean <infamous41md hotmail.com>]
*) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
was called even if mod_auth_ldap_check_user_id() was not
(or if it didn't succeed) for non-authoritative cases.
[Jim Jagielski]
*) SECURITY: CVE-2005-2728 (cve.mitre.org)
Fix cases where the byterange filter would buffer responses
into memory. PR 29962. [Joe Orton]
*) mod_proxy: Fix over-eager handling of '%' for reverse proxies.
PR 15207. [Jim Jagielski]
*) mod_ldap: Fix various shared memory cache handling bugs.
PR 34209. [Joe Orton]
*) Fix a file descriptor leak when starting piped loggers. PR 33748.
[Joe Orton]
*) mod_ldap: Avoid segfaults when opening connections if using a version
of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes]
*) mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe]
*) SECURITY: CVE-2005-2088 (cve.mitre.org)
core: If a request contains both Transfer-Encoding and Content-Length
headers, remove the Content-Length, mitigating some HTTP Request
Splitting/Spoofing attacks. [Paul Querna, Joe Orton]
*) proxy HTTP: If a response contains both Transfer-Encoding and a
Content-Length, remove the Content-Length and don't reuse the
connection, mitigating some HTTP Response Splitting attacks.
[Jeff Trawick]
*) Prevent hangs of child processes when writing to piped loggers at
the time of graceful restart. PR 26467. [Jeff Trawick]
*) SECURITY: CVE-2005-1268 (cve.mitre.org)
mod_ssl: Fix off-by-one overflow whilst printing CRL information
at "LogLevel debug" which could be triggered if configured
to use a "malicious" CRL. PR 35081. [Marc Stern <mstern csc.com>]
*) mod_userdir: Fix possible memory corruption issue. PR 34588.
[David Leonard <dleonard vintela.com>]
*) worker mpm: don't take down the whole server for a transient
thread creation failure. PR 34514 [Greg Ames]
*) mod_rewrite: use buffered I/O to improve performance with large
RewriteMap txt: files. [Greg Ames]
*) proxy HTTP: Rework the handling of request bodies to handle
chunked input and input filters which modify content length, and
avoid spooling arbitrary-sized request bodies in memory.
PR 15859. [Jeff Trawick]
Changes with Apache 2.0.54
*) mod_cache: Add CacheIgnoreHeaders directive. PR 30399.
[Rüdiger Plüm <r.pluem t-online.de>]
*) mod_ldap: Added the directive LDAPConnectionTimeout to configure
the ldap socket connection timeout value.
[Brad Nicholes]
*) Correctly export all mod_dav public functions.
[Branko Čibej <brane xbc.nu>]
*) Add a build script to create a solaris package. [Graham Leggett]
*) worker MPM: Fix a problem which could cause httpd processes to
remain active after shutdown. [Jeff Trawick]
*) Unix MPMs: Shut down the server more quickly when child processes are
slow to exit. [Joe Orton, Jeff Trawick]
*) Remove formatting characters from ap_log_error() calls. These
were escaped as fallout from CVE-2003-0020.
[Eric Covener <ecovener gmail.com>]
*) mod_ssl: If SSLUsername is used, set r->user earlier. PR 31418.
[David Reid]
*) htdigest: Fix permissions of created files. PR 33765. [Joe Orton]
*) core_input_filter: Move buckets to a persistent brigade instead of
creating a new brigade. This stop a memory leak when proxying a
Streaming Media Server. PR 33382. [Paul Querna]
*) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid
hiccups from additional path information passed in non-utf-8 format.
[Richard Donkin <rd9 donkin.org]
Changes with Apache 2.0.53
*) Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
[Max Bowsher <maxb ukf.net>]
*) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170.
[Rici Lake <rici ricilake.net>]
*) mod_proxy: Respect errors reported by pre_connection hooks.
[Jeff Trawick]
*) --with-module can now take more than one module to be statically
linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
If the <modtype>-subdirectory doesn't exist it will be created and
populated with a standard Makefile.in. [Erik Abele]
*) Fix the RPM spec file so that an RPM build now works. An RPM
build now requires system installations of APR and APR-util.
Remove some arbitrary moving around of binaries - the RPM now
maps to the ASF build of httpd.
[Graham Leggett]
*) mod_dumpio, an I/O logging/dumping module, added to the
modules/expermimental subdirectory. [Jim Jagielski]
*) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
library handles special characters. PR 24437. [Jess Holle]
*) Win32 MPM: Correct typo in debugging output. [William Rowe]
*) conf: Remove AddDefaultCharset from the default configuration because
setting a site-wide default does more harm than good. PR 23421.
[Roy Fielding]
*) Add charset to example CGI scripts. [Roy Fielding]
*) mod_ssl: fail quickly if SSL connection is aborted rather than
making many doomed ap_pass_brigade calls. PR 32699. [Joe Orton]
*) Remove compiled-in upper limit on LimitRequestFieldSize.
[Bill Stoddard]
*) Start keeping track of time-taken-to-process-request again for
mod_status if ExtendedStatus is enabled. [Jim Jagielski]
*) mod_proxy: Handle client-aborted connections correctly. PR 32443.
[Janne Hietamäki, Joe Orton]
*) Fix handling of files >2Gb on all platforms (or builds) where
apr_off_t is larger than apr_size_t. PR 28898. [Joe Orton]
*) mod_include: Fix bug which could truncate variable expansions
of N*64 characters by one byte. PR 32985. [Joe Orton]
*) Correct handling of certain bucket types in ap_save_brigade, fixing
possible segfaults in mod_cgi with #include virtual. PR 31247.
[Joe Orton]
*) Allow for the use of --with-module=foo:bar where the ./modules/foo
directory is local only. Assumes, of course, that the required
files are in ./modules/foo, but makes it easier to statically
build/log "external" modules. [Jim Jagielski]
*) Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that
ldap authorization only modules have access to the util_ldap
user cache without having to require ldap authentication as well.
PR 31898. [Jari Ahonen jah progress.com, Brad Nicholes]
*) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
allows the module to only authorize a user if the attribute value
specified matches the value of the user object. PR 31913
[Ryan Morgan <rmorgan pobox.com>]
*) SECURITY: CVE-2004-0942 (cve.mitre.org)
Fix for memory consumption DoS in handling of MIME folded request
headers. [Joe Orton]
*) SECURITY: CVE-2004-0885 (cve.mitre.org)
mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
bypassed during an SSL renegotiation. PR 31505.
[Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]
*) mod_ssl: Fail at startup rather than segfault at runtime if a
client cert is configured with an encrypted private key.
PR 24030. [Joe Orton]
*) apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448
[Joe Orton]
*) mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d.
[Jeff Trawick]
*) mod_cache: CacheDisable will only disable the URLs it was meant to
disable, not all caching. PR 31128.
[Edward Rudd <eddie omegaware.com>, Paul Querna]
*) mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale
cache responses. [Justin Erenkrantz]
*) mod_rewrite: Handle per-location rules when r->filename is unset.
Previously this would segfault or simply not match as expected,
depending on the platform. [Jeff Trawick]
*) mod_rewrite: Fix 0 bytes write into random memory position.
PR 31036. [André Malo]
*) mod_disk_cache: Do not store aborted content. PR 21492.
[Rüdiger Plüm <r.pluem t-online.de>]
*) mod_disk_cache: Correctly store cached content type. PR 30278.
[Rüdiger Plüm <r.pluem t-online.de>]
*) mod_ldap: prevent the possiblity of an infinite loop in the LDAP
statistics display. PR 29216. [Graham Leggett]
*) mod_ldap: fix a bogus error message to tell the user which file
is causing a potential problem with the LDAP shared memory cache.
PR 31431 [Graham Leggett]
*) SECURITY: CVE-2004-1834 (cve.mitre.org)
mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz]
*) Fix the re-linking issue when purging elements from the LDAP cache
PR 24801. [Jess Holle <jessh ptc.com>]
*) mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz]
*) Fix Expires handling in mod_cache. [Justin Erenkrantz]
*) Alter mod_expires to run at a different filter priority to allow
proper Expires storage by mod_cache. [Justin Erenkrantz]
Changes with Apache 2.0.52
*) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo]
*) Fix the global mutex crash when the global mutex is never allocated
due to disabled/empty caches. [Jess Holle <jessh ptc.com>]
*) Fix a segfault in the LDAP cache when it is configured switched
off. [Jess Holle <jessh ptc.com>]
*) SECURITY: CVE-2004-0811 (cve.mitre.org)
Fix merging of the Satisfy directive, which was applied to
the surrounding context and could allow access despite configured
authentication. PR 31315. [Rici Lake <rici ricilake.net>]
*) Fix the handling of URIs containing %2F when AllowEncodedSlashes
is enabled. Previously, such urls would still be rejected.
[Jeff Trawick, Bill Stoddard]
*) mod_mem_cache: Fixed race condition causing segfault because of memory being
freed twice, or reused after being freed.
[J. Clar, W. Stoddard, G. Ames]
*) Add -l option to rotatelogs to let it use local time rather than
UTC. PR 24417. [Ken Coar, Uli Zappe <uli ritual.org>]
*) mod_log_config: Fix a bug which prevented request completion time
from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
processing. PR 29696. [Alois Treindl <alois astro.ch>]
Changes with Apache 2.0.51
*) SECURITY: CVE-2004-0786 (cve.mitre.org)
Fix an input validation issue in apr-util which could be
triggered by malformed IPv6 literal addresses. [Joe Orton]
*) SECURITY: CVE-2004-0747 (cve.mitre.org)
Fix buffer overflow in expansion of environment variables in
configuration file parsing. [André Malo]
*) SECURITY: CVE-2004-0809 (cve.mitre.org)
mod_dav_fs: Fix a segfault in the handling of an indirect lock
refresh. PR 31183. [Joe Orton]
*) mod_include no longer checks for recursion, because that's done
in the core. This allows for careful usage of recursive SSI.
[André Malo]
*) Fix memory leak in the cache handling of mod_rewrite. PR 27862.
[chunyan sheng <shengperson yahoo.com>, André Malo]
*) Include directives no longer refuse to process symlinks on
directories. Instead there's now a maximum nesting level
of included directories (128 as distributed). This is configurable
at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch.
PR 28492. [André Malo]
*) Win32: apache -k start|restart|install|config can leave stranded
piped logger processes (eg, rotatelogs.exe) due to improper
server shutdown on these code paths.
[Bill Stoddard]
*) SECURITY: CVE-2004-0751 (cve.mitre.org)
mod_ssl: Fix a segfault in the SSL input filter which could be
triggered if using "speculative" mode, for instance by a
proxy request to an SSL server. PR 30134. [Joe Orton]
*) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.
PR 30464. [Joe Orton, Madhusudan Mathihalli]
*) mod_ssl: Add new 'ssl_is_https' optional function. [Joe Orton]
*) Prevent CGI script output which includes a Content-Range header
from being passed through the byterange filter. [Joe Orton]
*) Satisfy directives now can be influenced by a surrounding <Limit>
container. PR 14726. [André Malo]
*) mod_rewrite now officially supports RewriteRules in <Proxy> sections.
PR 27985. [André Malo]
*) mod_disk_cache: Implement binary format for on-disk header files.
[Brian Akins <bakins web.turner.com>, Justin Erenkrantz]
*) mod_disk_cache: Optimize network performance of disk cache subsystem by
allowing zero-copy (sendfile) writes and other miscellaneous fixes.
[Justin Erenkrantz]
*) mod_cache, mod_disk_cache, mod_mem_cache: Refactor cache modules, and
switch to the provider API instead of hooks. [Justin Erenkrantz]
*) mod_autoindex: Don't truncate the directory listing if a stat()
call fails (for instance on a >2Gb file). PR 17357.
[Joe Orton]
*) Makefile fix: httpd is linked against LIBS given to the
'make' invocation. PR 7882. [Joe Orton]
*) WinNT MPM: Fix a broken log message at termination. PR 28063.
[Eider Oliveira <eider bol.com.br>]
*) Prevent Win32 pool corruption at startup [Allan Edwards]
*) mod_ssl: Add "SSLUserName" directive to set r->user based on a
chosen SSL environment variable. PR 20957.
[Martin v. Loewis <martin v.loewis.de>]
*) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs.
[Zvi Har'El <rl math.technion.ac.il>]
*) apachectl: Fix a problem finding envvars if sbindir != bindir.
PR 30723. [Friedrich Haubensak <hsk imb-jena.de>]
*) mod_ssl: Build on RHEL 3. PR 18989. [Justin Erenkrantz]
*) SECURITY: CVE-2004-0748 (cve.mitre.org)
mod_ssl: Fix a potential infinite loop. PR 29964. [Joe Orton]
*) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb.
PR 18989. [Joe Orton]
*) mod_userdir: Ensure that the userdir identity is used for
suexec userdir access in a virtual host which has suexec configured.
PR 18156. [Joshua Slive]
*) mod_rewrite no longer confuses the RewriteMap caches if
different maps defined in different virtual hosts use the
same map name. PR 26462. [André Malo]
*) mod_setenvif: Remove "support" for Remote_User variable which
never worked at all. PR 25725. [André Malo]
*) Backport from 2.1 / Regression from 1.3: mod_headers now knows
again the functionality of the ErrorHeader directive. But instead
using this misnomer additional flags to the Header directive were
introduced ("always" and "onsuccess", defaulting to the latter).
PR 28657. [André Malo]
*) Use the higher performing 'httpready' Accept Filter on all platforms
except FreeBSD < 4.1.1. [Paul Querna]
*) mod_usertrack: Escape the cookie name before pasting into the
regexp. [André Malo]
*) Extend the SetEnvIf directive to capture subexpressions of the
matched value. [André Malo]
*) Recursive Include directives no longer crash. The server stops
including configuration files after a certain nesting level (128
as distributed). This is configurable at compile time using the
-DAP_MAX_INCLUDE_DEPTH switch. PR 28370. [André Malo]
*) mod_dir: the trailing-slash behaviour is now configurable using the
DirectorySlash directive. [André Malo]
*) Allow proxying of resources that are invoked via DirectoryIndex.
PR 14648, 15112, 29961. [André Malo]
*) util_ldap: Switched the lock types on the shared memory cache
from thread reader/writer locks to global mutexes in order to
provide cross process cache protection. [Brad Nicholes]
*) util_ldap: Reworked the cache locking scheme to eliminate duplicate
cache entries in the credentials cache due to race conditions.
[Brad Nicholes]
*) util_ldap: Enhanced the util_ldap cache-info display to show more
detail about the contents and current state of the cache.
[Brad Nicholes]
*) Enable the option to support anonymous shared memory in mod_ldap.
This makes the cache work on Linux again. [Graham Leggett]
*) Enable special ErrorDocument value 'default' which restores the
canned server response for the scope of the directive.
[Geoffrey Young, André Malo]
*) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
is set in r->subprocess_env allow mismatched query strings to pass.
PR 27758. [Paul Querna, Geoffrey Young]
*) Accept URLs for the ServerAdmin directive. If the supplied
argument is not recognized as an URL, assume it's a mail address.
PR 28174. [André Malo, Paul Querna]
*) initialize server arrays prior to calling ap_setup_prelinked_modules
so that static modules can push Defines values when registering
hooks just like DSO modules can ["Philippe M. Chiasson" <gozer cpan.org>]
*) Small fix to allow reverse proxying to an ftp server. Previously
an attempt to do this would try and connect to 0.0.0.0, regardless
of the server specified. PR 24922
[Pascal Terjan <pterjan@linuxfr.org>]
*) Add the NOTICE file to the rpm spec file in compliance with the
Apache v2.0 license. [Graham Leggett]
*) RPM spec file changes: changed default dependancy to link to db4
instead of db3. Fixed complaints about unpackaged files.
[Graham Leggett]
Changes with Apache 2.0.50
*) SECURITY: CVE-2004-0493 (cve.mitre.org)
Close a denial of service vulnerability identified by Georgi
Guninski which could lead to memory exhaustion with certain
input data. [Jeff Trawick]
*) mod_cgi: Handle output on stderr during script execution on Unix
platforms; preventing deadlock when stderr output fills pipe buffer.
Also fixes case where stderr from nph- scripts could be lost.
PR 22030, 18348. [Joe Orton, Jeff Trawick]
*) mod_alias now emits a warning if it detects overlapping *Alias*
directives. [André Malo]
*) mod_rewrite no longer turns forward proxy requests into reverse proxy
requests. PR 28125 [ast domdv.de, André Malo]
*) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now
exported on Win32 and Netware as well (minor MMN bump). PR 28523.
[Edward Rudd <eddie omegaware.com>, André Malo]
*) Restore the ability to disable the use of AcceptEx on Win9x systems
automatically (broken in 2.0.49). PR 28529. [André Malo]
*) <VirtualHost myhost> now applies to all IP addresses for myhost
instead of just the first one reported by the resolver. This
corrects a regression since 1.3. [Jeff Trawick]
*) util_ldap: allow relative paths for LDAPTrustedCA to be resolved
against ServerRoot PR#26602 [Brad Nicholes]
*) SECURITY: CVE-2004-0488 (cve.mitre.org)
mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
(trusted) client certificate subject DN which exceeds 6K in length.
[Joe Orton]
*) mod_dav_fs: Fix MKCOL response for missing parent collections, which
caused issues for the Eclipse WebDAV extension.
PR 29034. [Joe Orton]
*) mod_deflate: Fix memory consumption (which was proportional to the
response size). PR 29318. [Joe Orton]
*) mod_ssl: Log the errors returned on failure to load or initialize
a crypto accelerator engine. [Joe Orton]
*) Allow RequestHeader directives to be conditional. PR 27951.
[Vincent Deffontaines <vincent gryzor.com>, André Malo]
*) Allow LimitRequestBody to be reset to unlimited. PR 29106
[André Malo]
*) Fix a bunch of cases where the return code of the regex compiler
was not checked properly. This affects: mod_setenvif, mod_usertrack,
mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo]
*) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for
small cache sizes. PR 27751. [Geoff Thorpe <geoff geoffthorpe.net>]
*) Remove 2Gb log file size restriction on some 32-bit platforms.
PR 13511. [Joe Orton]
*) mod_logio no longer removes the EOS bucket. PR 27928.
[Bojan Smojver <bojan rexursive.com>]
*) htpasswd no longer refuses to process files that contain empty
lines. [André Malo]
*) Regression from 1.3: At startup, suexec now will be checked for
availability, the setuid bit and user root. The works only if
httpd is compiled with the shipped APR version (0.9.5).
PR 28287. [André Malo]
*) Unix MPMs: Stop dropping connections when the file descriptor
is at least FD_SETSIZE. [Jeff Trawick]
*) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick]
*) mod_isapi: send_response_header() failed to copy status string's
last character. PR 20619. [Jesse Pelton <jsp pkc.com>]
*) Fix a segfault when requests for shared memory fails and returns
NULL. Fix a segfault caused by a lack of bounds checking on the
cache. PR 24801. [Graham Leggett]
*) Throw an error message if an attempt is made to use the LDAPTrustedCA
or LDAPTrustedCAType directives in a VirtualHost. PR 26390
[Brad Nicholes]
*) Fix a potential segfault if the bind password in the LDAP cache
is NULL. PR 28250. [Jari Ahonen <jah progress.com>]
*) Quotes cannot be used around require group and require dn
directives, update the documentation to reflect this. Also add
quotes around the dn and group within debug messages, to make it
more obvious why authentication is failing if quotes are used in
error. PR 19304. [Graham Leggett]
*) The Microsoft LDAP SDK escapes filters for us, stop util_ldap
from escaping filters twice when the backslash character is used.
PR 24437. [Jess Holle <jessh ptc.com>]
*) Overhaul handling of LDAP error conditions, so that the util_ldap_*
functions leave the connections in a sane state after errors have
occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134,
27271 [Graham Leggett]
*) mod_ldap calls ldap_simple_bind_s() to validate the user
credentials. If the bind fails, the connection is left
in an unbound state. Make sure that the ldap connection
record is updated to show that the connection is no longer
bound. [Brad Nicholes]
*) Ensure that lines in the request which are too long are
properly terminated before logging.
[Tsurutani Naoki <turutani scphys.kyoto-u.ac.jp>]
*) Update the bind credentials for the cached LDAP connection to
reflect the last bind. This prevents util_ldap from creating
unnecessary connections rather than reusing cached connections.
[Brad Nicholes]
*) mod_isapi: GetServerVariable returned improperly terminated header
fields given "ALL_HTTP" or "ALL_RAW". PR 20656.
[Jesse Pelton <jsp pkc.com>]
*) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer
size. PR 20617. [Jesse Pelton <jsp pkc.com>]
*) mod_dav: Fix a problem that could cause crashes when manipulating
locks on some platforms. [Jeff Trawick]
*) mod_headers no longer crashes if an empty header value should
be added. [André Malo]
*) Fix segfault in mod_expires, which occured under certain
circumstances. PR 28047. [André Malo]
*) htpasswd: use apr_temp_dir_get() and general cleanup
[Guenter Knauf <eflash gmx.net>, Thom May]
*) mod_ssl: Fix memory leak in session cache handling. PR 26562
[Madhusudan Mathihalli]
*) mod_ssl: Fix potential segfaults when performing SSL shutdown from
a pool cleanup. PR 27945. [Joe Orton]
*) Add forensic logging module (mod_log_forensic).
[Ben Laurie]
*) logresolve: Allow size of log line buffer to be overridden at
build time (MAXLINE). PR 27793. [Jeff Trawick]
*) Fix the comment delimiter in htdbm so that it correctly parses the
username comment. Also add a terminate function to allow NetWare
to pause the output before the screen is destroyed.
[Guenter Knauf <eflash gmx.net>, Brad Nicholes]
*) Fix crash when Apache was started with no Listen directives.
[Michael Corcoran <mcorcoran warpsolutions.com>]
*) core_output_filter: Fix bug that could result in sending
garbage over the network when module handlers construct
bucket brigades containing multiple file buckets all referencing
the same open file descriptor. [Bojan Smojver]
*) Fix memory corruption problem with ap_custom_response() function.
The core per-dir config would later point to request pool data
that would be reused for different purposes on different requests.
[Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]
*) Win32: Tweak worker thread accounting routines to eliminate
server hang when number of Listen directives in httpd.conf
is greater than or equal to the setting of ThreadsPerChild.
[Bill Stoddard]
Changes with Apache 2.0.49
*) SECURITY: CVE-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived
connection on a rarely-accessed listening socket will cause a
child to hold the accept mutex and block out new connections until
another connection arrives on that rarely-accessed listening socket.
With Apache 2.x there is no performance concern about enabling the
logic for platforms which don't need it, so it is enabled everywhere
except for Win32. [Jeff Trawick]
*) mod_cgid: Fix storage corruption caused by use of incorrect pool.
[Jeff Trawick]
*) Win32: find_read_listeners was not correctly handling multiple
listeners on the Win32DisableAcceptEx path. [Bill Stoddard]
*) Fix bug in mod_usertrack when no CookieName is set. PR 24483.
[Manni Wood <manniwood planet-save.com>]
*) Fix some piped log problems: bogus "piped log program '(null)'
failed" messages during restart and problem with the logger
respawning again after Apache is stopped. PR 21648, PR 24805.
[Jeff Trawick]
*) Fixed file extensions for real media files and removed rpm extension
from mime.types. PR 26079. [Allan Sandfeld <kde carewolf.com>]
*) Remove compile-time length limit on request strings. Length is
now enforced solely with the LimitRequestLine config directive.
[Paul J. Reder]
*) mod_ssl: Send the Close Alert message to the peer before closing
the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]
*) SECURITY: CVE-2004-0113 (cve.mitre.org)
mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
PR 27106. [Joe Orton]
*) mod_ssl: Fix bug in passphrase handling which could cause spurious
failures in SSL functions later. PR 21160. [Joe Orton]
*) mod_log_config: Fix corruption of buffered logs with threaded
MPMs. PR 25520. [Jeff Trawick]
*) Fix mod_include's expression parser to recognize strings correctly
even if they start with an escaped token. [André Malo]
*) Add fatal exception hook for use by diagnostic modules. The hook
is only available if the --enable-exception-hook configure parm
is used and the EnableExceptionHook directive has been set to
"on". [Jeff Trawick]
*) Allow mod_auth_digest to work with sub-requests with different
methods than the original request. PR 25040.
[Josh Dady <jpd indecisive.com>]
*) fix "Expected </Foo>> but saw </Foo>" errors in nested,
argumentless containers.
["Philippe M. Chiasson" <gozer cpan.org>]
*) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
[Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]
*) mod_cgid: Restart the cgid daemon if it crashes. PR 19849
[Glenn Nielsen <glenn apache.org>]
*) The whole codebase was relicensed and is now available under
the Apache License, Version 2.0 (http://www.apache.org/licenses).
[Apache Software Foundation]
*) Fixed cache-removal order in mod_mem_cache.
[Jean-Jacques Clar, Cliff Woolley]
*) mod_setenvif: Fix the regex optimizer, which under circumstances
treated the supplied regex as literal string. PR 24219.
[André Malo]
*) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
instead of mmn. [André Malo]
*) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
could lead to a 400 (Bad Request) response. [André Malo]
*) Keep focus of ITERATE and ITERATE2 on the current module when
the module chooses to return DECLINE_CMD for the directive.
PR 22299. [Geoffrey Young <geoff apache.org>]
*) Add support for IMT minor-type wildcards (e.g., text/*) to
ExpiresByType. PR#7991 [Ken Coar]
*) Fix segfault in mod_mem_cache cache_insert() due to cache size
becoming negative. PR: 21285, 21287
[Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
*) core.c: If large file support is enabled, allow any file that is
greater than AP_MAX_SENDFILE to be split into multiple buckets.
This allows Apache to send files that are greater than 2gig.
Otherwise we run into 32/64 bit type mismatches in the file size.
[Brad Nicholes]
*) proxy_http fix: mod_proxy hangs when both KeepAlive and
ProxyErrorOverride are enabled, and a non-200 response without a
body is generated by the backend server. (e.g.: a client makes a
request containing the "If-Modified-Since" and "If-None-Match"
headers, to which the backend server respond with status 304.)
[Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]
*) mod_dav: Reject requests which include an unescaped fragment in the
Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
*) Build array of allowed methods with proper dimensions, fixing
possible memory corruption. [Jeff Trawick]
*) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
PR 15057. [Otmar Lendl <lendl nic.at>]
*) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
[Joe Orton]
*) mod_usertrack no longer inspects the Cookie2 header for
the cookie name. PR 11475. [Chris Darrochi <chrisd pearsoncmg.com>]
*) mod_usertrack no longer overwrites other cookies.
PR 26002. [Scott Moore <apache nopdesign.com>]
*) worker MPM: fix stack overlay bug that could cause the parent
process to crash. [Jeff Trawick]
*) Win32: Add Win32DisableAcceptEx directive. This Windows
NT/2000/CP directive is useful to work around bugs in some
third party layered service providers like virus scanners,
VPN and firewall products, that do not properly handle
WinSock 2 APIs. Use this directive if your server is issuing
AcceptEx failed messages.
[Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]
*) Make REMOTE_PORT variable available in mod_rewrite.
PR 25772. [André Malo]
*) Fix a long delay with CGI requests and keepalive connections on
AIX. [Jeff Trawick]
*) mod_autoindex: Add 'XHTML' option in order to allow switching between
HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]
*) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
[André Malo]
*) mod_ssl: Advertise SSL library version as determined at run-time rather
than at compile-time. PR 23956. [Eric Seidel <seidel apple.com>]
*) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
format code is used. PR 22741. [Gary E. Miller <gem rellim.com>]
*) Fix build with parallel make. PR 24643. [Joe Orton]
*) mod_rewrite: In external rewrite maps lookup keys containing
a newline now cause a lookup failure. PR 14453.
[Cedric Gavage <cedric.gavage unixtech.be>, André Malo]
*) Backport major overhaul of mod_include's filter parser from 2.1.
The new parser code is expected to be more robust and should
catch all of the edge cases that were not handled by the previous one.
The 2.1 external API changes were hidden by a wrapper which is
expected to keep the API backwards compatible. [André Malo]
*) Add a hook (insert_error_filter) to allow filters to re-insert
themselves during processing of error responses. Enable mod_expires
to use the new hook to include Expires headers in valid error
responses. This addresses an RFC violation. It fixes PRs 19794,
24884, and 25123. [Paul J. Reder]
*) Add Polish translation of error messages. PR 25101.
[Tomasz Kepczynski <tomek jot23.org>]
*) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes,
Bill Stoddard]
*) Add mod_status hook to allow modules to add to the mod_status
report. [Joe Orton]
*) Fix htdbm to generate comment fields in DBM files correctly.
[Justin Erenkrantz]
*) mod_dav: Use bucket brigades when reading PUT data. This avoids
problems if the data stream is modified by an input filter. PR 22104.
[Tim Robbins <tim robbins.dropbear.id.au>, André Malo]
*) Fix RewriteBase directive to not add double slashes. [André Malo]
*) Improve 'configure --help' output for some modules. [Astrid Keßler]
*) Correct UseCanonicalName Off to properly check incoming port number.
[Jim Jagielski]
*) Fix slow graceful restarts with prefork MPM. [Joe Orton]
*) Fix a problem with namespace mappings being dropped in mod_dav_fs;
if any property values were set which defined namespaces these
came out mangled in the PROPFIND response. PR 11637.
[Amit Athavale <amit_athavale persistent.co.in>]
*) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
the destination resource gives a 401. PR 15571. [Joe Orton]
*) SECURITY: CVE-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog. Unescaped
errorlogs are still possible using the compile time switch
"-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]
*) mod_autoindex / core: Don't fail to show filenames containing
special characters like '%'. PR 13598. [André Malo]
*) mod_status: Report total CPU time accurately when using a threaded
MPM. PR 23795. [Jeff Trawick]
*) Fix memory leak in handling of request bodies during reverse
proxy operations. PR 24991. [Larry Toppi <larry.toppi citrix.com>]
*) Win32 MPM: Implement MaxMemFree to enable setting an upper
limit on the amount of storage used by the bucket brigades
in each server thread. [Bill Stoddard]
*) Modified the cache code to be header-location agnostic. Also
fixed a number of other cache code bugs related to PR 15852.
Includes a patch submitted by Sushma Rai <rsushma novell.com>.
This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
closing the PR since that is what they are using. [Paul J. Reder]
*) complain via error_log when mod_include's INCLUDES filter is
enabled, but the relevant Options flag allowing the filter to run
for the specific resource wasn't set, so that the filter won't
silently get skipped. next remove itself, so the warning will be
logged only once [Stas Bekman, Jeff Trawick, Bill Rowe]
*) mod_info: HTML escape configuration information so it displays
correctly. PR 24232. [Thom May]
*) Restore the ability to add a description for directories that
don't contain an index file. (Broken in 2.0.48) [André Malo]
*) Fix a problem with the display of empty variables ("SetEnv foo") in
mod_include. PR 24734 [Markus Julen <mj zermatt.net>]
*) mod_log_config: Log the minutes component of the timezone correctly.
PR 23642. [Hong-Gunn Chew <hgbug gunnet.org>]
*) mod_proxy: Fix cases where an invalid status-line could be sent
to the client. PR 23998. [Joe Orton]
*) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL
are also loaded. [Joe Orton]
*) mod_ssl: Use human-readable OpenSSL error strings in logs; use
thread-safe interface for retrieving error strings. [Joe Orton]
*) mod_expires: Initialize ExpiresDefault to NULL instead of "" to
avoid reporting an Internal Server error if it is used without
having been set in the httpd.conf file. PR: 23748, 24459
[André Malo, Liam Quinn <liam htmlhelp.com>]
*) mod_autoindex: Don't omit the <tr> start tag if the SuppressIcon
option is set. PR 21668. [Jesse Tie-Ten-Quee <highos highos.com>]
*) mod_include no longer allows an ETag header on 304 responses.
PR 19355. [Geoffrey Young <geoff apache.org>, André Malo]
*) EBCDIC: Convert header fields to ASCII before sending (broken
since 2.0.44). [Martin Kraemer]
*) Fix the inability to log errors like exec failure in
mod_ext_filter/mod_cgi script children. This was broken after
such children stopped inheriting the error log handle.
[Jeff Trawick]
*) Fix mod_info to use the real config file name, not the default
config file name. [Aryeh Katz <aryeh secured-services.com>]
*) Set the scoreboard state to indicate logging prior to running
logging hooks so that server-status will show 'L' for hung loggers
instead of 'W'. [Jeff Trawick]
Changes with Apache 2.0.48
*) SECURITY: CVE-2003-0789 (cve.mitre.org)
mod_cgid: Resolve some mishandling of the AF_UNIX socket used to
communicate with the cgid daemon and the CGI script.
[Jeff Trawick]
*) SECURITY: CVE-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred
if one configured a regular expression with more than 9 captures.
[André Malo]
*) mod_include: fix segfault which occured if the filename was not
set, for example, when processing some error conditions.
PR 23836. [Brian Akins <bakins web.turner.com>, André Malo]
*) fix the config parser to support <Foo>..</Foo> containers (no
arguments in the opening tag) supported by httpd 1.3. Without
this change mod_perl 2.0's <Perl> sections are broken.
["Philippe M. Chiasson" <gozer cpan.org>]
*) mod_cgid: fix a hash table corruption problem which could
result in the wrong script being cleaned up at the end of a
request. [Jeff Trawick]
*) Update httpd-*.conf to be clearer in describing the connection
between AddType and AddEncoding for defining the meaning of
compressed file extensions. [Roy Fielding]
*) mod_rewrite: Don't die silently when failing to open RewriteLogs.
PR 23416. [André Malo]
*) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
rewritten request using "proxy:". The code was adding multiple "proxy:"
fields in the rewritten URI. PR: 13946.
[Eider Oliveira <eider bol.com.br>]
*) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
expires as directed in RFC 2616. [Thomas Castelle <tcastelle generali.fr>]
*) Ensure that ssl-std.conf is generated at configure time, and switch
to using the expanded config variables to work the same as
httpd-std.conf PR: 19611
[Thom May]
*) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
[Hartmut Keil <Hartmut.Keil adnovum.ch>]
*) mod_autoindex: If a directory contains a file listed in the
DirectoryIndex directive, the folder icon is no longer replaced
by the icon of that file. PR 9587.
[David Shane Holden <dpejesh yahoo.com>]
*) Fixed mod_usertrack to not get false positive matches on the
user-tracking cookie's name. PR 16661.
[Manni Wood <manniwood planet-save.com>]
*) mod_cache: Fix the cache code so that responses can be cached
if they have an Expires header but no Etag or Last-Modified
headers. PR 23130.
[<bjorn exoweb.net>]
*) mod_log_config: Fix %b log format to write really "-" when 0 bytes
were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]
*) Modify ap_get_client_block() to note if it has seen EOS.
[Justin Erenkrantz]
*) Fix a bug, where mod_deflate sometimes unconditionally compressed the
content if the Accept-Encoding header contained only other tokens than
"gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
*) Avoid an infinite recursion, which occured if the name of an included
config file or directory contained a wildcard character. PR 22194.
[André Malo]
*) mod_ssl: Fix a problem setting variables that represent the
client certificate chain. PR 21371 [Jeff Trawick]
*) Unix: Handle permissions settings for flock-based mutexes in
unixd_set_global|proc_mutex_perms(). Allow the functions to be
called for any type of mutex. PR 20312 [Jeff Trawick]
*) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
*) Fix a misleading message from the some of the threaded MPMs when
MaxClients has to be lowered due to the setting of ServerLimit.
[Jeff Trawick]
*) Lower the severity of the "listener thread didn't exit" message
to debug, as it is of interest only to developers. PR 9011
[Jeff Trawick]
*) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
[Cliff Woolley, Jean-Jacques Clar]
*) Install config.nice into the build/ directory to make
minor version upgrades easier. [Joshua Slive]
*) Fix mod_deflate so that it does not call deflate() without checking
first whether it has something to deflate. (Currently this causes
deflate to generate a fatal error according to the zlib spec.)
PR 22259. [Stas Bekman]
*) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an
identity spoof is encountered.
[Sander Striker]
*) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
containing the .htaccess file is requested without a trailing slash.
PR 20195. [André Malo]
*) ab: Overlong credentials given via command line no longer clobber
the buffer. [André Malo]
*) mod_deflate: Don't attempt to hold all of the response until we're
done. [Justin Erenkrantz]
*) Assure that we block properly when reading input bodies with SSL.
PR 19242. [David Deaves <David.Deaves dd.id.au>, William Rowe]
*) Update mime.types to include latest IANA and W3C types. [Roy Fielding]
*) mod_ext_filter: Set additional environment variables for use by
the external filter. PR 20944. [Andrew Ho, Jeff Trawick]
*) Fix buildconf errors when libtool version changes. [Jeff Trawick]
*) Remember an authenticated user during internal redirects if the
redirection target is not access protected and pass it
to scripts using the REDIRECT_REMOTE_USER environment variable.
PR 10678, 11602. [André Malo]
*) mod_include: Fix a trio of bugs that would cause various unusual
sequences of parsed bytes to omit portions of the output stream.
PR 21095. [Ron Park <ronald.park cnet.com>, André Malo, Cliff Woolley]
*) Update the header token parsing code to allow LWS between the
token word and the ':' seperator. [PR 16520]
[Kris Verbeeck <kris.verbeeck advalvas.be>, Nicel KM <mnicel yahoo.com>]
*) Eliminate creation of a temporary table in ap_get_mime_headers_core()
[Joe Schaefer <joe+gmane sunstarsys.com>]
*) Added FreeBSD directory layout. PR 21100.
[Sander Holthaus <info orangexl.com>, André Malo]
*) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
response. PR 21085. [Glenn Nielsen <glenn apache.org>, André Malo]
*) mod_rewrite: Perform child initialization on the rewrite log lock.
This fixes a log corruption issue when flock-based serialization
is used (e.g., FreeBSD). [Jeff Trawick]
*) Don't respect the Server header field as set by modules and CGIs.
As with 1.3, for proxy requests any such field is from the origin
server; otherwise it will have our server info as controlled by
the ServerTokens directive. [Jeff Trawick]
Changes with Apache 2.0.47
*) SECURITY: CVE-2003-0192 (cve.mitre.org)
Fixed a bug whereby certain sequences of per-directory
renegotiations and the SSLCipherSuite directive being used to
upgrade from a weak ciphersuite to a strong one could result in
the weak ciphersuite being used in place of the strong one.
[Ben Laurie]
*) SECURITY: CVE-2003-0253 (cve.mitre.org)
Fixed a bug in prefork MPM causing temporary denial of service
when accept() on a rarely accessed port returns certain errors.
Reported by Saheed Akhtar <S.Akhtar talis.com>. [Jeff Trawick]
*) SECURITY: CVE-2003-0254 (cve.mitre.org)
Fixed a bug in ftp proxy causing denial of service when target
host is IPv6 but proxy server can't create IPv6 socket. Fixed by
the reporter. [Yoshioka Tsuneo <tsuneo.yoshioka f-secure.com>]
*) SECURITY [VU#379828] Prevent the server from crashing when entering
infinite loops. The new LimitInternalRecursion directive configures
limits of subsequent internal redirects and nested subrequests, after
which the request will be aborted. PR 19753 (and probably others).
[William Rowe, Jeff Trawick, André Malo]
*) core_output_filter: don't split the brigade after a FLUSH bucket if
it's the last bucket. This prevents creating unneccessary empty
brigades which may not be destroyed until the end of a keepalive
connection.
[Juan Rivera <Juan.Rivera citrix.com>]
*) Add support for "streamy" PROPFIND responses.
[Ben Collins-Sussman <sussman collab.net>]
*) mod_cgid: Eliminate a double-close of a socket. This resolves
various operational problems in a threaded MPM, since on the
second attempt to close the socket, the same descriptor was
often already in use by another thread for another purpose.
[Jeff Trawick]
*) mod_negotiation: Introduce "prefer-language" environment variable,
which allows to influence the negotiation process on request basis
to prefer a certain language. [André Malo]
*) Make mod_expires' ExpiresByType work properly, including for
dynamically-generated documents. [Ken Coar, Bill Stoddard]
Changes with Apache 2.0.46
*) SECURITY: CVE-2003-0245 (cve.mitre.org)
Fixed a bug causing apr_pvsprintf() to crash by sending an overly
long string. This can be triggered remotely through mod_dav,
mod_ssl, and other mechanisms.
Reported by David Endler <DEndler iDefense.com>. [Joe Orton]
*) SECURITY: CVE-2003-0189 (cve.mitre.org)
Fixed a denial-of-service vulnerability affecting basic
authentication on Unix platforms related to thread-safety in
apr_password_validate().
Reported by John Hughes <john.hughes entegrity.com>.
*) Fix for mod_dav. Call the 'can_be_activity' callback, if provided,
when a MKACTIVITY request comes in.
[Ben Collins-Sussman <sussman collab.net>]
*) Perform run-time query in apxs for apr and apr-util's includes.
[Justin Erenkrantz]
*) run libtool from the apr install directory (in case that is different
from the apache install directory) [Jeff Trawick]
*) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]
*) If mod_mime_magic does not know the content-type, do not attempt to
guess. PR 16908. [Andrew Gapon <agapon telcordia.com>]
*) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
caching. PR 17864.
[Andreas Leimbacher <andreasl67 yahoo.de>, Madhusudan Mathihalli]
*) Add a delete flag to htpasswd.
[Thom May]
*) Fix mod_rewrite's handling of absolute URIs. The escaping routines
now work scheme dependent and the query string will only be
appended if supported by the particular scheme. [André Malo]
*) Add another check for already compressed content in mod_deflate.
PR 19913. [Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]
*) Fixes for VPATH builds; copying special.mk and any future .mk files
from the source tree as well as the build tree (now creates a usable
configuration for apxs), and eliminated redundant -I'nclude paths.
[William Rowe]
*) Code fixes, constness corrections and ssl_toolkit_compat.h updates
for SSLC and OpenSSL toolkit compatibility. Still work remains to
be done to cripple features based on the limitations of RSA's binary
distribution of their SSL-C toolkit.
[William Rowe, Madhusudan Mathihalli, Jeff Trawick]
*) Linux 2.4+: If Apache is started as root and you code
CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
[Greg Ames]
*) ap_get_mime_headers_core: allocate space for the trailing null
when folding is in effect.
PR 18170 [Peter Mayne <PeterMayne SPAM_SUX.ap.spherion.com>]
*) Fix --enable-mods-shared=most and other variants. [Aaron Bannert]
*) mod_log_config: Add the ability to log the id of the thread
processing the request via new %P formats. [Jeff Trawick]
*) Use appropriate language codes for Czech (cs) and Traditional Chinese
(zh-tw) in default config files. PR 9427. [André Malo]
*) mod_auth_ldap: Use generic whitespace character class when parsing
"require" directives, instead of literal spaces only. PR 17135.
[André Malo]
*) Hook mod_rewrite's type checker before mod_mime's one. That way the
RewriteRule [T=...] Flag should work as expected now. PR 19626.
[André Malo]
*) htpasswd: Check the processed file on validity. If a line is not empty
and not a comment, it must contain at least one colon. Otherwise exit
with error code 7. [Kris Verbeeck <Kris.Verbeeck ubizen.com>, Thom May]
*) Fix a problem that caused httpd to be linked with incorrect flags
on some platforms when mod_so was enabled by default, breaking
DSOs on AIX. PR 19012 [Jeff Trawick]
*) By default, use the same CC and CPP with which APR was built.
The user can override with CC and CPP environment variables.
[Jeff Trawick]
*) Fix ap_construct_url() so that it surrounds IPv6 literal address
strings with []. This fixes certain types of redirection.
PR 19207. [Jeff Trawick]
*) forward port of buffer overflow fixes for htdigest. [Thom May]
*) Added AllowEncodedSlashes directive to permit control of whether
the server will accept encoded slashes ('%2f') in the URI path.
Default condition is off (the historical behaviour). This permits
environments in which the path-info needs to contain encoded
slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639. [Ken Coar]
*) When using Redirect in directory context, append requested query
string if there's no one supplied by configuration. PR 10961.
[André Malo]
*) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
the pattern will not always match as desired. PR 12596.
[André Malo]
*) mod_autoindex now emits and accepts modern query string parameter
delimiters (;). Thus column headers no longer contain unescaped
ampersands. PR 10880 [André Malo]
*) Enable ap_sock_disable_nagle for Windows. This along with the
addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle
to be disabled for Windows. [Allan Edwards]
*) Correct a mis-correlation between mpm_common.c and mpm_common.h;
This patch reverts us to pre-2.0.46 behavior, using the
ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle
was never compiled on Win32. [Allan Edwards, William Rowe]
*) Fix a build problem with passing unsupported --enable-layout
args to apr and apr-util. This broke binbuild.sh as well as
user-specified layout parameters. PR 18649 [Justin Erenkrantz,
Jeff Trawick]
*) If a Date response header was already set in the headers array,
this value was ignored in favour of the current time. This meant
that Date headers on proxied requests where rewritten when they
should not have been. PR: 14376 [Graham Leggett]
*) Add code to buildconf that produces an httpd.spec file from
httpd.spec.in, using build/get-version.sh from APR.
[Graham Leggett]
*) Fixed a segfault when multiple ProxyBlock directives were used.
PR: 19023 [Sami Tikka <sami.tikka f-secure.com>]
*) SECURITY: CVE-2003-0134 (cve.mitre.org)
OS2: Fix a Denial of Service vulnerability identified and
reported by Robert Howard <rihoward rawbw.com> that where device
names faulted the running OS2 worker process. The fix is
actually in APR 0.9.4. [Brian Havard]
*) SECURITY: CVE-2003-0083 (cve.mitre.org)
Forward port: Escape special characters (especially control
characters) in mod_log_config to make a clear distinction between
client-supplied strings (with special characters) and server-side
strings. This was already introduced in version 1.3.25.
[André Malo]
*) mod_deflate: Check also err_headers_out for an already set
Content-Encoding: gzip header. This prevents gzip compressed content
from a CGI script from being compressed once more. PR 17797.
[André Malo]
Changes with Apache 2.0.45
*) Fix possible segfaults under obscure error conditions within the
cgid daemon. [Jeff Trawick, William Rowe]
*) SECURITY: CVE-2003-0132 (cve.mitre.org)
Close a Denial of Service vulnerability identified by David
Endler <DEndler iDefense.com> on all platforms. An unlimited
stream of newlines were acceptable between requests where each
<lf> would allocate an 80 byte buffer, leading very quickly to
memory exahustion. [Brian Pane]
*) Added an rpm build script.
[Graham Leggett, Joe Orton <jorton redhat.com>]
*) Simpler, faster code path for request header scanning [Brian Pane]
*) SECURITY: Eliminated leaks of several file descriptors to child
processes, such as CGI scripts. This fix depends on the APR library
release 0.9.2 or later (0.9.3 was distributed with the httpd
source tarball for Apache 2.0.45.) PR 17206
[Christian Kratzer <ck cksoft.de>, Bjoern A. Zeeb <bz zabbadoz.net>]
*) Fix path handling of mod_rewrite, especially on non-unix systems.
There was some confusion between local paths and URL paths.
PR 12902. [André Malo]
*) Prevent endless loops of internal redirects in mod_rewrite by
aborting after exceeding a limit of internal redirects. The
limit defaults to 10 and can be changed using the RewriteOptions
directive. PR 17462. [André Malo]
*) Win32: Avoid busy wait (consuming all the CPU idle cycles) when
all worker threads are busy.
[Igor Nazarenko <igor_nazarenko hotmail.com>]
*) Keep the subrequest filter in place when a subrequest is
redirected. PR 15423. [Jeff Trawick]
*) you can now specify the compression level for mod_deflate.
[Ian Holsman, Stephen Pierzchala <stephen pierzchala.com>,
Michael Schroepl <Michael.Schroepl telekurs.de>]
*) mod_deflate: Extend the DeflateFilterNote directive to
allow accurate logging of the filter's in- and outstream.
[André Malo]
*) Allow SSLMutex to select/use the full range of APR locking
mechanisms available to it. Also, fix the bug that SSLMutex uses
APR_LOCK_DEFAULT no matter what. PR 8122 [Jim Jagielski,
Martin Kutschker <martin.t.kutschker blackbox.net>]
*) Restore the ability of htdigest.exe to create files that contain
more than one user. PR 12910. [André Malo]
*) Improve binary compatibility of the core between debug (aka
maintainer-mode) and a non-debug compile.
[Sander Striker]
*) mod_usertrack: don't set the cookie in subrequests. This works
around the problem that cookies were set twice during fast internal
redirects. PR 13211. [André Malo]
*) mod_autoindex no longer forgets output format and enabled version
sort in linked column headers. [André Malo]
*) Use .sv instead of .se as extension for Swedish documents in the
default configuration. PR 12877. [André Malo]
*) Updated mod_ldap and mod_auth_ldap to support the Novell LDAP SDK SSL
and standardized the LDAP SSL support across the various LDAP SDKs.
Isolated the SSL functionality to mod_ldap rather than speading it
across mod_auth_ldap and mod_ldap. Also added LDAPTrustedCA
and LDAPTrustedCAType directives to mod_ldap to allow for a more
common method of specifying the SSL certificate.
[Dave Ward, Brad Nicholes]
*) Fixed mod_ssl's SSLCertificateChain initialization to no longer
skip the first cert of the chain by default. This misbehavior
was introduced in 2.0.34. PR 14560 [Madhusudan Mathihalli]
*) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
be started on Unix because of such problems as bad permissions,
bad shebang line, etc. [Jeff Trawick]
*) Fix 64-bit problem in mod_ssl input logic.
[Madhusudan Mathihalli <madhusudan_mathihalli hp.com>]
*) Fix potential memory leaks in mod_deflate on malformed data. PR 16046.
[Justin Erenkrantz]
*) Rewrite ap_xml_parse_input to use bucket brigades. PR 16134.
[Justin Erenkrantz]
*) Fix segfault which occurred when a section in an included
configuration file was not closed. PR 17093. [André Malo]
*) Enhance the behavior of mod_isapi's WriteClient() callback to
provide better emulation for isapi modules that presume that the
first WriteClient() call may send status and headers. An example
of WriteClient() abuse is the foxisapi module, which relies on
that assumpion and now works. [William Rowe, Milan Kosina]
*) Check the return value of ap_run_pre_connection(). So if the
pre_connection phase fails (without setting c->aborted)
ap_run_process_connection is not executed. [Stas Bekman]
*) Fixed a problem with mod_ldap which caused it to fault when caching
was disabled. Needed to make sure that the code did not
attempt to use the cache if it didn't exist. Also fixed some memory
leaks which were due to not releasing LDAP resources on error
conditions. [Brad Nicholes]
*) Hook mod_proxy's fixup before mod_rewrite's fixup, so that by
mod_rewrite proxied URLs will not be escaped accidentally by
mod_proxy's fixup. PR 16368 [André Malo]
*) While processing filters on internal redirects, remember seen EOS
buckets also in the request structure of the redirect issuer(s). This
prevents filters (such as mod_deflate) from adding garbage to the
response. PR 14451. [André Malo]
*) suexec: Be more pedantic when cleaning environment. Clean it
immediately after startup. PR 2790, 10449.
[Jeff Stewart <jws purdue.edu>, André Malo]
*) Fix apxs to insert LoadModule directives only outside of sections.
PR 8712, 9012. [André Malo]
*) Fix suexec compile error under SUNOS4, where strerror() doesn't
exist. PR 5913, 9977.
[Jonathan W Miner <Jonathan.W.Miner lmco.com>]
*) Fix If header parsing when a non-mod_dav lock token is passed to it.
PR 16452. [Justin Erenkrantz]
*) mod_auth_digest no longer tries to guess AuthDigestDomain, if it's
not specified. Now it assumes "/" as already documented. PR 16937.
[André Malo]
*) Try to log an error if a piped log program fails. Try to
restart a piped log program in more failure situations. Fix an
existing problem with error handling in piped_log_spawn(). Use
new APR apr_proc_create() features to prevent Apache from starting
on Unix* in most cases where a piped log program can be started,
and add log messages for the other situations. *Other platforms
already failed Apache initialization if a piped log program
couldn't be started. PR 15761 [Jeff Trawick]
*) Fix mod_cern_meta to not create empty metafiles when the
metafile searched for does not exist. PR 12353
[Owen Rees <owen_rees hp.com>]
*) Introduce debugging symbols for Win32 release builds, both .pdb
and .dbg files (older debuggers and Dr. Watson-type utilities
on WinNT or Win9x don't support the newer .pdb flavor.)
[Allen Edwards, William Rowe]
*) Fix bug where 'Satisfy Any' without an AuthType lost all MIME
information (and more). Related to PR 9076. [André Malo]
*) mod_file_cache: fix segfault serving mmaped cached files.
[Bill Stoddard]
*) mod_file_cache: fixed a segfault when multiple MMapFile directives
were used. PR 16313. [Cliff Woolley]
*) Fix a nasty segfault in mmap_bucket_setaside() caused by passing
an incompatible pointer type to mmap_bucket_destroy(void*).
[Gerard Eviston <geviston bigpond.net.au>]
*) Enable the -n name parameter on NetWare to allow the
administrator to rename the Apache console screen
[Brad Nicholes]
*) Fixed piped access logs on Win32 by disabling OTHER_CHILD
support by default in APR. More development is required
to deploy OTHER_CHILD on Win32. [William Rowe]
*) Use saner default config values for suexec. PR 15713.
[Thom May <thom planetarytramp.net>]
*) mod_rewrite: Allow "RewriteEngine Off" even if no "Options FollowSymlinks"
(or SymlinksIfOwnermatch) is set. PR 12395. [André Malo]
*) apxs: Include any special APR ld flags when linking the DSO.
This resolves problems on AIX when building a DSO with apxs+gcc.
[Jeff Trawick]
*) Added character set support to mod_auth_LDAP to allow it to
convert extended characters used in the user ID to UTF-8
before authenticating against the LDAP directory. The new
directive AuthLDAPCharsetConfig is used to specify the config
file that contains the character set conversion table.
[Brad Nicholes]
*) Don't remove the Content-Length from responses in mod_proxy
PR: 8677 [Brian Pane]
*) Ensure LDAP version is set to v3 on every bind. PR 14235.
[Sergey A. Lipnevich <sergeyli pisem.net>]
*) Fix mod_ldap to open an existing shared memory file should one
already exist. PR 12757. [Scooter Morris <scooter gene.com>,
Graham Leggett]
*) Fix the ulimit command used by apachectl on Tru64. PR 13609.
[Joseph Senulis <Joseph.Senulis dnr.state.wi.us>, Jeff Trawick]
*) Change the ulimit command used by apachectl on AIX so that it
works in all locales. [Jeff Trawick]
*) mod_ext_filter: Fix a problem building argument lists which
occasionally caused exec to fail. PR 15491. [Jeff Trawick]
Changes with Apache 2.0.44
*) mod_autoindex: Bring forward the IndexOptions IgnoreCase option
from Apache 1.3. PR 14276
[David Shane Holden <dpejesh yahoo.com>, William Rowe]
*) mod_mime: Workaround to prevent a segfault if r->filename=NULL
[Brian Pane]
*) Reorder the definitions for mod_ldap and mod_auth_ldap within
config.m4 to make sure the parent mod_ldap is defined first.
This ensures that mod_ldap comes before mod_auth_ldap in the
httpd.conf file, which is necessary for mod_auth_ldap to load.
PR 14256 [Graham Leggett]
*) Fix the building of cgi command lines when the query string
contains '='. PR 13914 [Ville Skyttä <ville.skytta iki.fi>,
Jeff Trawick]
*) Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move
implementation of MCacheMaxStreamingBuffer from mod_cache to
mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the
lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should
eliminate the need for explicitly coding MCacheMaxStreamingBuffer
in most configurations. [Bill Stoddard]
*) mod_cache: Fix PR 15113, a core dump in cache_in_filter when
a redirect occurs. The code was passing a format string and
integer to apr_pstrcat. Changed to apr_psprintf.
[Paul J. Reder]
*) Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL
as set by apr-util in util_ldap.c. This should allow mod_ldap
to work with the Netscape/Mozilla LDAP library. [Øyvin Sømme
<somme oslo.westerngeco.slb.com>, Graham Leggett]
*) Fix critical bug in new --enable-v4-mapped configure option
implementation which broke IPv4 listening sockets on some
systems. [hiroyuki hanai <hanai imgsrc.co.jp>]
*) mod_setenvif: Fix BrowserMatchNoCase support for non-regex
patterns [André Malo <nd perlig.de>]
*) Add version string to provider API. [Justin Erenkrantz]
*) build: './configure && make' now works without an in-tree
apr and apr-util. [Wilfredo Sanchez]
*) mod_negotiation: Set the appropriate mime response headers
(Content-Type, charset, Content-Language and Content-Encoding)
for negotated type-map "Body:" responses (such as the error
pages.) [André Malo <nd perlig.de>]
*) mod_log_config: Allow '%%' escaping in CustomLog format
strings to insert a literal, single '%'.
[André Malo <nd perlig.de>]
*) mod_autoindex: AddDescription directives for directories
now work as in Apache 1.3, where no trailing '/' is
specified on the directory name. Previously, the trailing
'/' *had* to be specified, which was incompatible with
Apache 1.3. PR 7990 [Jeff Trawick]
*) Fix for PR 14556. The expiry calculations in mod_cache were
trying to perform "now + ((date - lastmod) * factor)" where
date == lastmod resulting in "now + 0". The code now follows
the else path (using the default expiration) if date is
equal to lastmod. [Sergey <rx armstrike.com>, Paul J. Reder]
*) Use AP_DECLARE in the debug versions of ap_strXXX in case the
default calling convention is not the same as the one used by
AP_DECLARE. [Juan Rivera <Juan.Rivera citrix.com>]
*) mod_cache: Don't cache response header fields designated
as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1).
[Estrade Matthieu <estrade-m ifrance.com>, Brian Pane]
*) mod_cgid: Handle environment variables containing newlines.
PR 14550 [Piotr Czejkowski <apache czarny.eu.org>, Jeff
Trawick]
*) Move mod_ext_filter out of experimental and into filters.
[Jeff Trawick]
*) Fixed a memory leak in mod_deflate with dynamic content.
PR 14321 [Ken Franken <kfranken decisionmark.com>]
*) Add --[enable|disable]-v4-mapped configure option to control
whether or not Apache expects to handle IPv4 connections
on IPv6 listening sockets. Either setting will work on
systems with the IPV6_V6ONLY socket option. --enable-v4-mapped
must be used on systems that always allow IPv4 connections on
IPv6 listening sockets. PR 14037 (Bugzilla), PR 7492 (Gnats)
[Jeff Trawick]
*) This fixes a problem where the underlying cache code
indicated that there was one more element on the cache
than there actually was. This happened since element 0
exists but is not used. This code allocates the correct
number of useable elements and reports the number of
actually used elements. The previous code only allowed
MCacheMaxObjectCount-1 objects to be stored in the
cache. [Paul J. Reder]
*) mod_setenvif: Add SERVER_ADDR special keyword to allow
envariable setting according to the server IP address
which received the request. [Ken Coar]
*) mod_cgid: Terminate CGI scripts when the client connection
drops. PR 8388 [Jeff Trawick]
*) Rearrange OpenSSL engine initialization to support RAND
redirection on crypto accelerator.
[Frederic DONNAT <frederic.donnat zencod.com>]
*) Always emit Vary header if mod_deflate is involved in the
request. [André Malo <nd perlig.de>]
*) mod_isapi: Stop unsetting the 'empty' query string result with
a NULL argument in ecb->lpszQueryString, eliminating segfaults
for some ISAPI modules. PR 14399
[Detlev Vendt <detlev.vendt brillit.de>]
*) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION
notification is received before the HttpExtensionProc() returns
HSE_STATUS_PENDING. This only affected isapi .dll's configured
with the ISAPIFakeAsync on directive. PR 11918
[John DeSetto <jdesetto radiantsystems.com>, William Rowe]
*) mod_isapi: Fix the issue where all results from mod_isapi would
run through the core die handler resulting in invalid responses
or access log entries. PR 10216 [William Rowe]
*) Improves the user friendliness of the CacheRoot processing
over my last pass. This version avoids the pool allocations
but doesn't avoid all of the runtime checks. It no longer
terminates during post-config processing. An error is logged
once per worker, indicating that the CacheRoot needs to be set.
[Paul J. Reder]
*) Fix a bug where we keep files open until the end of a
keepalive connection, which can result in:
(24)Too many open files: file permissions deny server access
especially on threaded servers. [Greg Ames, Jeff Trawick]
*) Fix a bug in which mod_proxy sent an invalid Content-Length
when a proxied URL was invoked as a server-side include within
a page generated in response to a form POST. [Brian Pane]
*) Added code to process min and max file size directives and to
init the expirychk flag in mod_disk_cache. Added a clarifying
comment to cache_util. [Paul J. Reder]
*) The value emitted by ServerSignature now mimics the Server HTTP
header as controlled by ServerTokens. [Francis Daly <deva daoine.org>]
*) Gracefully handly retry situations in the SSL input filter,
by following the SSL libraries' retry semantics.
[William Rowe]
*) Terminate CGI scripts when the client connection drops. This
fix only applies to some normal paths in mod_cgi. mod_cgid
is still busted. PR 8388 [Jeff Trawick]
*) Fix a bug where 416 "Range not satisfiable" was being
returned for content that should have been redirected.
[Greg Ames]
*) Fix memory leak in mod_ssl from internal SSL library allocations
within SSL_get_peer_certificate and X509_get_pubkey.
[Zvi Har'El <rl math.technion.ac.il>
Madhusudan Mathihalli <madhusudan_mathihalli hp.com>].
*) mod_ssl uses free() inappropriately in several places, to free
memory which has been previously allocated inside OpenSSL.
Such memory should be freed with OPENSSL_free(), not with free().
[Nadav Har'El <nyh math.technion.ac.il>,
Madhusudan Mathihalli <madhusudan_mathihalli hp.com>].
*) Emit a message to the error log when we return 404 because
the URI contained '%2f'. (This was previously nastily silent
and difficult to debug.) [Ken Coar]
*) Fix streaming output from an nph- CGI script. CGI:IRC now
works. PR 8482 [Jeff Trawick]
*) More accurate logging of bytes sent in mod_logio when
the client terminates the connection before the response
is completely sent [Bojan Smojver <bojan rexursive.com>]
*) Fix some problems in the perchild MPM.
[Jonas Eriksson <jonas webkonsulterna.com>]
*) Change the CacheRoot processing to check for a required
value at config time. This saves a lot of wasted processing
if the mod_disk_cache module is loaded but no CacheRoot
was provided. This fix also adds code to log an error
and avoid useless pallocs and procesing when the computed
cache file name cannot be opened. This also updates the
docs accordingly. [Paul J. Reder]
*) Introduce the EnableSendfile directive, allowing users of NFS
shares to disable sendfile mechanics when they either fail
outright or provide intermitantly corrupted data. PR
[William Rowe]
*) Resolve the error "An operation was attempted on something
that is not a socket. : winnt_accept: AcceptEx failed.
Attempting to recover." for users of various firewall and
anti-virus software on Windows. PR 8325 [William Rowe]
*) Add the ProxyBadHeader directive, which gives the admin some
control on how mod_proxy should handle bogus HTTP headers from
proxied servers. This allows 2.0 to "emulate" 1.3's behavior if
desired. [Jim Jagielski]
*) Change the LDAP modules to export their symbols correctly
during a Windows build. Add dsp files for Windows. Update
README.ldap file for Windows build instructions.
[Andre Schild <A.Schild aarboard.ch>]
*) Performance improvements for the code that generates HTTP
response headers [Brian Pane]
*) Add -S as a synonym for -t -DDUMP_VHOSTS.
[Thom May <thom planetarytramp.net>]
*) Fix a bug with dbm rewrite maps which caused the wrong value to
be used when the key was not found in the dbm. PR 13204
[Jeff Trawick]
*) Fix a problem with streaming script output and mod_cgid.
[Jeff Trawick]
*) Add ap_register_provider/ap_lookup_provider API.
[John K. Sterling <john sterls.com>, Justin Erenkrantz]
Changes with Apache 2.0.43
*) SECURITY: CVE-2002-0840 (cve.mitre.org)
HTML-escape the address produced by ap_server_signature() against
this cross-site scripting vulnerability exposed by the directive
'UseCanonicalName Off'. Also HTML-escape the SERVER_NAME
environment variable for CGI and SSI requests. It's safe to
escape as only the '<', '>', and '&' characters are affected,
which won't appear in a valid hostname. Reported by Matthew
Murphy <mattmurphy kc.rr.com>. [Brian Pane]
*) Fix a core dump in mod_cache when it attemtped to store uncopyable
buckets. This happened, for instance, when a file to be cached
contained SSI tags to execute a CGI script (passed as a pipe
bucket). [Paul J. Reder]
*) Ensure that output already available is flushed to the network
when the content-length filter realizes that no new output will
be available for a while. This helps some streaming CGIs as
well as some other dynamically-generated content. [Jeff Trawick]
*) Fix a mutex problem in mod_ssl session cache support which
could lead to an infinite loop. PR 12705
[Amund Elstad <amund.elstad ergo.no>, Jeff Trawick]
*) SECURITY: CVE-2002-1156 (cve.mitre.org)
Fix the exposure of CGI source when a POST request is sent to
a location where both DAV and CGI are enabled. [Ryan Bloom]
*) Allow the UserDir directive to accept a list of directories.
This matches what Apache 1.3 does. Also add documentation for
this feature. [Jay Ball <jay veggiespam.com>]
*) New Module: mod_logio. adds the ability to log bytes sent and
received. [Bojan Smojver <bojan rexursive.com>]
*) SuExec needs to use the same default directory as the rest of
server, namely /usr/local/apache2.
[SangBeom han <sbhan os.korea.ac.kr>]
*) Get mod_auth_ldap to retry connections on LDAP_SERVER_DOWN.
[Thomas Bennett <thomas.bennett eds.com>, Graham Leggett]
*) Make sure the contents of the WWW-Authenticate header is
passed on a 4xx error by proxy. Previously all headers
were dropped, resulting in the browser being unable to
authenticate. [Dr Richard Reiner <rreiner fscinternet.com>,
Richard Danielli <rdanielli fscinternet.com>, Graham Wiseman
<gwiseman fscinternet.com>, David Henderson
<dhenderson fscinternet.com>]
*) Make mod_cache's CacheMaxStreamingBuffer directive work
properly for virtual hosts that override server-wide mod_cache
setttings. [Matthieu Estrade <estrade-m ifrance.com>]
*) Add -p option to apxs to allow programs to be compiled with apxs.
[Justin Erenkrantz]
Changes with Apache 2.0.42
*) SECURITY: CVE-2002-1593 (cve.mitre.org) [CERT VU#406121]
mod_dav: Check for versioning hooks before using them.
[Greg Stein]
Changes with Apache 2.0.41
*) The protocol version (eg: HTTP/1.1) in the request line parsing
is now case insensitive. [Jim Jagielski]
*) Allow AddOutputFilterByType to add multiple filters per directive.
[Justin Erenkrantz]
*) Remove warnings with Sun's Forte compiler. [Justin Erenkrantz]
*) Fixed mod_disk_cache's generation of 304s
[Kris Verbeeck <Kris.Verbeeck ubizen.com>]
*) Add support for using fnmatch patterns in the final path
segment of an Include statement (eg.. include /foo/bar/*.conf).
and remove the noise on stderr during config dir processing.
[Joe Orton <jorton redhat.com>]
*) mod_cache: cache_storage.c. Add the hostname and any request
args to the key generated for caching. This provides a unique
key for each virtual host and for each request with unique
args. [Paul J. Reder, args code provided by Kris Verbeeck]
*) mod_cache: Do not cache responses to GET requests with query
URLs if the origin server does not explicitly provide an
Expires header on the response (RFC 2616 Section 13.9)
[Kris Verbeeck <krisv be.ubizen.com>]
*) Fix memory leak in core_output_filter. [Justin Erenkrantz]
*) Update OpenSSL detection to work on Darwin.
[Sander Temme <sctemme covalent.net>]
*) Update the xslt and css to give the documentation a more
modern style.
[André Malo <nd perlig.de>, Gernot Winkler <greh o3media.de>]
*) Fix some bucket memory leaks in the chunking code
[Joe Schaefer <joe+apache sunstarsys.com>]
*) Add ModMimeUsePathInfo directive. [Justin Erenkrantz]
*) mod_cache: added support for caching streamed responses (proxy,
CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]
*) Add image/x-icon to httpd.conf PR 10993.
[Ian Holsman, Peter Bieringer <pb bieringer.de>]
*) Fix FileETags none operation. PR 12207.
[Justin Erenkrantz, Andrew Ho <andrew tellme.com>]
*) Restored the experimental leader/followers MPM to working
condition and converted its thread synchronization from
mutexes to atomic CAS. [Brian Pane]
*) Fix Logic on non-html file removal in mod_deflate
[Kris Verbeeck <Kris.Verbeeck ubizen.com>]
*) Fix "ab -g"'s truncated year: the last digit was cut off.
[Leon Brocard <acme astray.com>]
*) mod_rewrite can now sets cookies in err_headers, uses the correct
expiry date, and can now set the path as well
PR 12132,12181,12172.
[Ian Holsman / Rob Cromwell <apachechangelog robcromwell.com>]
*) The content-length filter no longer tries to buffer up
the entire output of a long-running request before sending
anything to the client. [Brian Pane]
*) Win32: Lower the default stack size from 1MB to 256K. This will
allow around 8000 threads to be started per child process.
'EDITBIN /STACK:size apache.exe' can be used to change this
value directly in the apache.exe executable.
[Bill Stoddard]
*) Win32: Implement ThreadLimit directive in the Windows MPM.
[Bill Stoddard]
*) Remove CacheOn config directive since it is set but never checked.
No sense wasting cycles on unused code. Besides, the only truly
bug free code is deleted code. :) [Paul J. Reder]
*) BufferLogs are now run-time enabled, and the log_config now has 2 new
callbacks to allow a 3rd party module to actually do the writing of the
log file [Ian Holsman]
*) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs.
[André Malo, Astrid Keßler <kess kess-net.de>]
*) Fix Segfault in mod_cache. [Kris Verbeeck <Kris.Verbeeck ubizen.com>]
*) Fix a null pointer dereference in the merge_env_dir_configs
function of the mod_env module. PR 11791
[Paul J. Reder]
*) New option to ServerTokens 'maj[or]'. Only show the major version
Also Surfaced this directive in the standard config (default FULL)
[Ian Holsman]
*) Change mod_rewrite to use apr-util's dbm support for dbm rewrite
maps. The dbm type (e.g., ndbm, gdbm) can be specified on the
RewriteMap directive. PR 10644 [Jeff Trawick]
*) Fixed mod_rewrite's RewriteMap prg: support so that request/response
pairs will no longer get out of sync with each other. PR 9534
[Cliff Woolley]
*) Fixes required to get quoted and escaped command args working in
mod_ext_filter. PR 11793 [Paul J. Reder]
*) mod-proxy: handle proxied responses with no status lines
[JD Silvester <jsilves uwo.ca>, Brett Huttley <brett huttley.net>]
*) Fix bug where environment or command line arguments containing
non-ASCII-7 characters would cause the Win32 child process creation
to fail. PR 11854 [William Rowe]
*) Bug #11213.. make module loading error messages more informative
[Ian Darwin <Ian779 darwinsys.com>]
*) thread safety & proxy-ftp [Alexey Panchenko <alexey liwest.ru>, Ian Holsman]
*) mod_disk_cache works much better. This module should still
be considered experimental. [Eric Prud'hommeaux]
*) Performance improvement for keepalive requests: when setting
aside a small file for potential concatenation with the next
response on the connection, set aside the file descriptor rather
than copying the file into the heap. [Brian Pane]
*) Modified version check on openssl so that it finds the executable
first and then performs a check of the version, only warning the
user if they chose, or we selected, an old version of OpenSSL.
This change also allows the code to work for non-openssl libraries
selected via the --with-ssl=dir option, which can override the
automated library check in any case. [Roy Fielding]
Changes with Apache 2.0.40
*) SECURITY: CVE-2002-0661 (cve.mitre.org)
Close a very significant security hole that
applies only to the Win32, OS2 and Netware platforms. Unix was not
affected, Cygwin may be affected. Certain URIs will bypass security
and allow users to invoke or access any file depending on the system
configuration. Without upgrading, a single .conf change will close
the vulnerability. Add the following directive in the global server
httpd.conf context before any other Alias or Redirect directives;
RedirectMatch 400 "\\\.\."
Reported by Auriemma Luigi <bugtest sitoverde.com>.
[Brad Nicholes]
*) SECURITY: CVE-2002-0654 (cve.mitre.org)
Close a path-revealing exposure in multiview type
map negotiation (such as the default error documents) where the
module would report the full path of the typemapped .var file when
multiple documents or no documents could be served based on the mime
negotiation. Reported by Auriemma Luigi <bugtest sitoverde.com>.
[William Rowe]
*) SECURITY: CVE-2002-0654 (cve.mitre.org)
Close a path-revealing exposure in cgi/cgid when we
fail to invoke a script. The modules would report "couldn't create
child process /path-to-script/script.pl" revealing the full path
of the script. Reported by Jim Race <jrace qualys.com>.
[Bill Stoddard]
*) Set aside the apr-iconv and apr_xlate() features for the Win32
build of 2.0.40 so development can be completed. A patch, from
<http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
will be available for those that wish t