Apache HTTP Server 2.0.63 for Unix
  • FileType: .gz
  • Softsize: MB
  • Type: Usa
  • Language: English
  • Accredit: OpenSource
  • Os: Win2003,WinXP,Win2000,Win9X
  • Update: 2008-03-29
  • Officialurl: http://www.apache.org
Introduction:
Changes with Apache 1.3.41

*) SECURITY: CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason. [Mark Cox]
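
The check described in the mod_status entry above, sketched as an added example (this is not Apache's code; the function names, the '&'-only parameter split and the 86400-second ceiling are assumptions of the example). The header value is formatted from the parsed integer, so no byte of the request reaches the response:

```c
#include <stdio.h>
#include <string.h>

/* Upper bound on the refresh interval in seconds (assumption of this example). */
#define REFRESH_MAX 86400L

/* Return a pointer to the value of query parameter `name`, or NULL.
 * Parameters are separated by '&'; the name must match a whole key. */
static const char *find_param(const char *query, const char *name)
{
    size_t n = strlen(name);
    const char *p = query;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, name, n) == 0 && p[n] == '=')
            return p + n + 1;
        p = strchr(p, '&');
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* Return the refresh interval in seconds, or -1 if the parameter is absent
 * or is anything other than 1..REFRESH_MAX written in plain decimal digits. */
long refresh_seconds(const char *query)
{
    const char *v;
    size_t len, i;
    long val = 0;

    if (query == NULL || (v = find_param(query, "refresh")) == NULL)
        return -1;
    len = strcspn(v, "&");
    if (len == 0 || len > 5)            /* empty, or too long to be in range */
        return -1;
    for (i = 0; i < len; i++) {
        if (v[i] < '0' || v[i] > '9')   /* rejects ';', '=', '%', sign, space */
            return -1;
        val = val * 10 + (v[i] - '0');
    }
    return (val >= 1 && val <= REFRESH_MAX) ? val : -1;
}

/* Write the Refresh header value into `out`, formatted from the parsed
 * integer. Returns the number of characters written, or 0 when no
 * Refresh header should be sent. */
int build_refresh_header(const char *query, char *out, size_t outlen)
{
    long secs = refresh_seconds(query);
    int n;

    if (outlen == 0)
        return 0;
    out[0] = '\0';
    if (secs < 0)
        return 0;
    n = snprintf(out, outlen, "%ld", secs);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return 0;
    }
    return n;
}

int main(void)
{
    /* Constructed query strings, not taken from any real request. */
    const char *samples[] = {
        "refresh=5", "auto&refresh=30", "refresh=5;extra",
        "refresh=-1", "refresh=", "norefresh=5"
    };
    char hdr[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_refresh_header(samples[i], hdr, sizeof hdr))
            printf("%-20s -> Refresh: %s\n", samples[i], hdr);
        else
            printf("%-20s -> no Refresh header\n", samples[i]);
    }
    return 0;
}
```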

Changes with Apache 1.3.40 (not released)

*) SECURITY: CVE-2007-5000 (cve.mitre.org)
mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
[Joe Orton]

*) SECURITY: CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers. PR 41144.
With Apache 1.3, the denial of service vulnerability applies only
to the Windows and NetWare platforms.
[Jeff Trawick]

*) More efficient implementation of the CVE-2007-3304 PID table
patch. This fixes issues with excessive memory usage by the
parent process if long-running and with a high number of child
process forks during that timeframe. Also fixes bogus "Bad pid"
errors. [Jim Jagielski, Jeff Trawick]

Changes with Apache 1.3.39

*) SECURITY: CVE-2006-5752 (cve.mitre.org)
mod_status: Fix a possible XSS attack against a site with a public
server-status page and ExtendedStatus enabled, for browsers which
perform charset "detection". Reported by Stefan Esser. [Joe Orton]

*) SECURITY: CVE-2007-3304 (cve.mitre.org)
Ensure that the parent process cannot be forced to kill non-child
processes by checking scoreboard PID data with parent process
privately stored PID data. [Jim Jagielski]

*) mime.types: Many updates to sync with IANA registry and common
unregistered types that the owners refuse to register. Admins
are encouraged to update their installed mime.types file.
PR: 35550, 37798, 39317, 31483 [Roy T. Fielding]

There was no Apache 1.3.38

Changes with Apache 1.3.37

*) SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling. For some RewriteRules this could lead to a pointer being
written out of bounds. Reported by Mark Dowd of McAfee.
[Mark Cox]

Changes with Apache 1.3.36

*) Reverted SVN rev #396294 due to unwanted regression.
The new feature introduced in 1.3.35 (Allow usage of the
"Include" configuration directive within previously "Include"d
files) has been removed in the meantime.
(http://svn.apache.org/viewcvs?rev=396294&view=rev)

Changes with Apache 1.3.35

*) SECURITY: CVE-2005-3352 (cve.mitre.org)
mod_imap: Escape untrusted referer header before outputting in HTML
to avoid potential cross-site scripting. Change also made to
ap_escape_html so we escape quotes. Reported by JPCERT.
[Mark Cox]

*) core: Allow usage of the "Include" configuration directive within
previously "Include"d files. [Colm MacCarthaigh]

*) SECURITY: CVE-2006-3918 (cve.mitre.org)
HTML-escape the Expect error message. Only a security issue if
an attacker can influence the Expect header a victim will send to a
target site (it's known that some versions of Flash can do this)
Reported by Thiago Zaninotti <thiango nstalker.com>. [Mark Cox]

*) mod_cgi: Remove block on OPTIONS method so that scripts can
respond to OPTIONS directly rather than via server default.
[Roy Fielding] PR 15242

Changes with Apache 1.3.34

*) hsregex: fix potential core dumping on 64 bit machines, such as
AMD64. PR 31858. [Glenn Strauss <gs-apache-dev gluelogic.com>]

*) SECURITY: core: If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating some
HTTP Request Splitting/Spoofing attacks. This has no impact on
mod_proxy_http, yet affects any module which supports chunked
encoding yet fails to prefer T-E: chunked over the Content-Length
purported value. [Paul Querna, Joe Orton]

*) Added TraceEnable [on|off|extended] per-server directive to alter
the behavior of the TRACE method. This addresses a flaw in proxy
conformance to RFC 2616 - previously the proxy server would accept
a TRACE request body although the RFC prohibited it. The default
remains 'TraceEnable on'.
[William Rowe]

*) mod_digest: Fix another nonce string calculation issue.
[Eric Covener]
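
The request-framing rule from the 1.3.34 core entry above (Transfer-Encoding wins and Content-Length is removed), as an added example that is not Apache's code. The header table, the function names and the choice to reject any Transfer-Encoding other than "chunked" are assumptions; header values are taken to be already trimmed:

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct header { const char *name; const char *value; };

enum framing { FRAME_NONE, FRAME_LENGTH, FRAME_CHUNKED, FRAME_INVALID };

/* Case-insensitive comparison for header names and tokens. */
static int ci_equal(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

static const char *get_header(const struct header *h, size_t n, const char *name)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (ci_equal(h[i].name, name))
            return h[i].value;
    return NULL;
}

/* Delete every header called `name`; return the new header count. */
static size_t drop_header(struct header *h, size_t n, const char *name)
{
    size_t i, kept = 0;
    for (i = 0; i < n; i++)
        if (!ci_equal(h[i].name, name))
            h[kept++] = h[i];
    return kept;
}

/* Strict Content-Length: decimal digits only, no sign, no trailing bytes. */
static long parse_content_length(const char *v)
{
    char *end;
    long len;

    if (!isdigit((unsigned char)v[0]))
        return -1;
    errno = 0;
    len = strtol(v, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    return len;
}

/* Decide how the request body is delimited. When Transfer-Encoding is
 * present, Content-Length is removed from the table so that no later
 * consumer of the headers can frame the body by it. */
enum framing resolve_framing(struct header *h, size_t *count, long *body_len)
{
    const char *te = get_header(h, *count, "Transfer-Encoding");
    const char *cl;

    *body_len = 0;
    if (te != NULL) {
        *count = drop_header(h, *count, "Content-Length");
        return ci_equal(te, "chunked") ? FRAME_CHUNKED : FRAME_INVALID;
    }
    cl = get_header(h, *count, "Content-Length");
    if (cl == NULL)
        return FRAME_NONE;
    *body_len = parse_content_length(cl);
    if (*body_len < 0) {
        *body_len = 0;
        return FRAME_INVALID;
    }
    return FRAME_LENGTH;
}

int main(void)
{
    /* Constructed request headers carrying both framing headers. */
    struct header req[] = {
        { "Host", "www.example.invalid" },
        { "Content-Length", "44" },
        { "Transfer-Encoding", "chunked" }
    };
    size_t i, n = sizeof req / sizeof req[0];
    long len;
    enum framing f = resolve_framing(req, &n, &len);

    printf("framing=%d, headers kept=%lu\n", (int)f, (unsigned long)n);
    for (i = 0; i < n; i++)
        printf("  %s: %s\n", req[i].name, req[i].value);
    return 0;
}
```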

Changes with Apache 1.3.33

*) SECURITY: CVE-2004-0940 (cve.mitre.org)
mod_include: Fix potential buffer overflow with escaped characters
in SSI tag string. [Martin Kraemer, Jim Jagielski]

Changes with Apache 1.3.32

*) mod_rewrite: Fix query string handling for proxied URLs. PR 14518.
[michael teitler <michael.teitler cetelem.fr>,
Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]

*) mod_rewrite: Fix 0 bytes write into random memory position.
PR 31036. [André Malo]

*) mod_digest: Fix nonce string calculation since 1.3.31 which
would force re-authentication for every connection if
AuthDigestRealmSeed was not configured. PR 30920. [Joe Orton]

*) Trigger an error when a LoadModule directive attempts to
load a module which is built-in. This is a common error when
switching from a DSO build to a static build.
[Jeff Trawick, Geoffrey Young]

*) Fix trivial bug in mod_log_forensic that caused the child
to seg fault when certain invalid requests were fired at it with
forensic logging enabled. PR 29313.
[Will Slater <Will Slater orbisuk.com>]

*) Fix memory leak in the cache handling of mod_rewrite. PR 27862.
[chunyan sheng <shengperson yahoo.com>, André Malo]

*) mod_rewrite no longer confuses the RewriteMap caches if
different maps defined in different virtual hosts use the
same map name. PR 26462. [André Malo]

*) mod_setenvif: Remove "support" for Remote_User variable which
never worked at all. PR 25725. [André Malo]

*) mod_usertrack: Escape the cookie name before pasting into the
regexp. [André Malo]

*) Win32: Improve error reporting after a failed attempt to spawn a
piped log process or rewrite map process. [Jeff Trawick]

*) SECURITY: CVE-2004-0492 (cve.mitre.org)
Reject responses from a remote server if sent an invalid (negative)
Content-Length. [Mark Cox]

*) Fix a bunch of cases where the return code of the regex compiler
was not checked properly. This affects mod_usertrack and
core. PR 28218. [André Malo]

*) No longer breaks mod_dav, frontpage and others. Repair a patch
in 1.3.31 which prevented discarding the request body for requests
that will be keptalive but are not currently keptalive. PR 29237.
[Jim Jagielski, Rasmus Lerdorf]

*) COMPATIBILITY: Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT.
It controls how UseCanonicalName Off determines the port value if
the client doesn't provide one in the Host header. If defined during
compilation, UseCanonicalName Off will use the physical port number to
generate the canonical name. If not defined, it tries the current Port
value followed by the default port for the current scheme.
[Jim Jagielski]

Changes with Apache 1.3.31

*) SECURITY: CVE-2003-0987 (cve.mitre.org)
Verification as to whether the nonce returned in the client response
is one we issued ourselves by means of a AuthDigestRealmSeed secret
exposed as an md5(). See mod_digest documentation for more details.
The experimental mod_auth_digest.c does not have this issue.
[Dirk-Willem van Gulik, Jeff Trawick, Jim Jagielski]

Changes with Apache 1.3.30

*) Fix memory corruption problem with ap_custom_response() function.
The core per-dir config would later point to request pool data
that would be reused for different purposes on different requests.
[Will Lowe, Jeff Trawick]

*) Reinit socket to allow mod_proxy to continue to try
connections when invalid IPs are accessed. PR 27542.
[Alexander Prohorenko <white extrasy.net>]

*) SECURITY: CVE-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived
connection on a rarely-accessed listening socket will cause a
child to hold the accept mutex and block out new connections until
another connection arrives on that rarely-accessed listening socket.
Enabled for some platforms known to have the issue (accept()
blocking after select() returns readable). Define
NONBLOCK_WHEN_MULTI_LISTEN if needed for your platform and not
already defined. [Jeff Trawick, Brad Nicholes, Joe Orton]

*) SECURITY: CVE-2003-0993 (cve.mitre.org)
Fix parsing of Allow/Deny rules using IP addresses without a
netmask; issue is only known to affect big-endian 64-bit
platforms; on affected platforms such rules would never produce
matches. PR 23850. [Henning Brauer <henning openbsd.org>]

*) Fix mod_include's expression parser to recognize strings correctly
even if they start with an escaped token. [André Malo]

*) The whole codebase was relicensed and is now available under
the Apache License, Version 2.0 (http://www.apache.org/licenses).
[Apache Software Foundation]

*) Add mod_whatkilledus and mod_backtrace (experimental) for
reporting diagnostic information after a child process crash.
See source code for documentation.
[Jeff Trawick, with help from mod_log_forensic]

*) mod_usertrack no longer inspects the Cookie2 header for
the cookie name. PR 11475. [Chris Darrochi <chrisd pearsoncmg.com>]

*) mod_usertrack no longer overwrites other cookies.
PR 26002. [Scott Moore <apache nopdesign.com>]

*) Add fatal exception hook for running diagnostic code after a
crash. [Jeff Trawick]

*) Make REMOTE_PORT variable available in mod_rewrite.
PR 25772. [André Malo]

*) Forensic logging shouldn't log internal redirects.
[Ivan Ristic <ivanr webkreator.com>]

*) Some syntax errors in mod_mime_magic's magic file can result
in a 500 error, which previously was unlogged. Now we log the
error. [Jeff Trawick]

*) Linux 2.4+: If Apache is started as root and you code
CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
Backport of a 2.x feature by Greg Ames. [Jeff Trawick]

*) Fix bug causing core dump when using CookieTracking without
specifying a CookieName directly. Bugz# 24483.
[Manni Wood <manniwood planet-save.com>, Jim Jagielski (backport)]

*) Fix RewriteBase directive to not add double slashes. [André Malo]

*) mod_rewrite: In external rewrite maps lookup keys containing
a newline now cause a lookup failure. PR 14453.
[Cedric Gavage <cedric.gavage unixtech.be>, André Malo]

*) Forensic logging module added (mod_log_forensic).
[Ben Laurie]

*) SECURITY: CVE-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog. Unescaped
errorlogs are still possible using the compile time switch
"-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]

*) '%X' is now accepted as an alias for '%c' in the
LogFormat directive. This allows you to configure logging
to still log the connection status even with mod_ssl
(which changes what '%c' means). [Jim Jagielski]

*) UseCanonicalName off was ignoring the client provided
port information. [Jim Jagielski]

Changes with Apache 1.3.29

*) SECURITY: CVE-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.
[André Malo]

*) Within ap_bclose(), ap_pclosesocket() is now called consistently
for sockets and ap_pclosef() for files. Also, closesocket()
is used consistently to close socket fd's. The previous
confusion between socket and file fd's would cause problems
with some applications now that we proactively close fd's to
prevent leakage. PR 22805
[Radu Greab <rgreab fx.ro>, Jim Jagielski]

*) If a request fails and the client will be redirected to another URL
due to ErrorDocument, see if we need to drop the connection after
sending the 302 response. This fixes a problem where Apache treated
the body of the failed request as the next request on a keepalive
connection. The subsequent 501 error sent to the browser prevented
some browsers from fetching the error document. [Jeff Trawick]

*) Fixed mod_usertrack to not get false positive matches on the
user-tracking cookie's name. PR 16661.
[Manni Wood <manniwood planet-save.com>]

*) Enabled RFC1413 ident functionality for both Win32 and
NetWare platforms. This also included an alternate thread safe
implementation of the socket timeout functionality when querying
the identd daemon.
[Brad Nicholes, William Rowe]

*) Prevent creation of subprocess Zombies when using CGI wrappers
such as suExec and cgiwrap. PR 21737. [Numerous]

*) ab: Overlong credentials given via command line no longer clobber
the buffer. [André Malo]

*) Fix ProxyPass for ftp requests - the original code was segfaulting since
many of the values were not being filled out in the request_rec.
[Tollef Fog Heen <tfheen debian.org>, Thom May]

Changes with Apache 1.3.28

*) SECURITY: CVE-2003-0460 (cve.mitre.org)
Fix the rotatelogs support program on Win32 and OS/2 to ignore
special control characters received over the pipe. Previously
such characters could cause rotatelogs to quit logging and exit.
[André Malo]

*) Prevent the server from crashing when entering infinite loops. The
new LimitInternalRecursion directive configures limits of subsequent
internal redirects and nested subrequests, after which the request
will be aborted. PR 19753 (and probably others).
[William Rowe, Jeff Trawick, Jim Jagielski, André Malo]

*) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
response. PR 21085. [Glenn Nielsen <glenn apache.org>, André Malo]

*) Removed BIND_NOSTART from HP/UX shl_load() logic for loadable
Apache modules, so that statics are initialized when the module
is loaded (especially critical for c++ modules on HPUX.)
[William Rowe, Noah Arliss <narliss netegrity.com>]

*) Win32 build system changes; always recompile buildmark.c (used for
Apache -v 'server built' messages) even when Apache is built from
within the IDE; build test_char.h and uri_delims.h from within the
ApacheCore.dsp project. PR 12706. [William Rowe]

*) Introduce Win32 .pdb diagnostic symbols into the Apache 1.3 build
(as created in Apache 2.0.45 and later.) Makes debugging and
analysis of crash dumps and Dr. Watson logs trivial. Requires the
Win32 binary builder to set aside the exact .pdb files that match
the released binaries (.exe/.so files) for reference by users and
developers. [William Rowe]

*) Make sure the accept mutex is released before calling child exit
hooks and cleanups. Otherwise, modules can segfault in such code
and, with pthread mutexes, leave the server deadlocked. Even if
the module doesn't segfault, if it performs extensive processing
it can temporarily prevent the server from accepting new
connections. [Jeff Trawick]

*) Fix mod_rewrite's handling of absolute URIs. The escaping routines
now work scheme dependent and the query string will only be
appended if supported by the particular scheme. [André Malo]

*) Use appropriate language codes for Czech (cs) and Traditional Chinese
(zh-tw) in default config files. PR 9427. [André Malo]

*) Don't block synchronous signals (e.g., SIGSEGV) while waiting for
and holding a pthread accept mutex. [Jeff Trawick]

*) AIX: Change the default accept mechanism from pthread back to
fcntl. Idle child cleanup doesn't work when the child selected
for termination by the parent is waiting on a pthread mutex, and
because the AIX kernel's notion of hot process is apparently the
same as Apache's, it is common for the Apache parent to continually
select a child for termination that the kernel will leave waiting
on the mutex for extended periods of time. There are other
concerns with pthread mutexes as well, such as the ability to
deadlock the server if a child process segfaults while holding the
mutex. [Jeff Trawick]

*) Fix a pair of potential buffer overflows in htdigest
[Martin Schulze <joey infodrom.org>, Thom May]

*) A newly created child now has a start_time of 0, to prevent
mod_status from displaying a bogus value for the "time to
process most recent request" column for freshly-started children
in a previously-used scoreboard slot. [Martin Kraemer]

*) When using Redirect in directory context, append requested query
string if there's no one supplied by configuration. PR 10961.
[André Malo]

*) Fix path handling of mod_rewrite, especially on non-unix systems.
There was some confusion between local paths and URL paths.
PR 12902. [André Malo]

*) backport from 2.x series: Prevent endless loops of internal redirects
in mod_rewrite by aborting after exceeding a limit of internal redirects.
The limit defaults to 10 and can be changed using the RewriteOptions
directive. PR 17462. [André Malo]

*) Use the correct locations of srm.conf and access.conf when tailoring
the httpd.conf during the install process. PR 9446.
[Stanislav Brabec <utx penguin.cz>]

*) suexec: Be more pedantic when cleaning environment. Clean it
immediately after startup. PR 2790, 10449.
[Jeff Stewart <jws purdue.edu>, André Malo]

*) Fix apxs to insert LoadModule/AddModule directives only outside of
sections. PR 8712, 9012. [André Malo]

*) Fix suexec compile error under SUNOS4, where strerror() doesn't
exist. PR 5913, 9977.
[Jonathan W Miner <Jonathan.W.Miner lmco.com>]

*) Unix build: Add support for environment variable
EXTRA_LDFLAGS_SHLIB, which allows the user to add to the hard-coded
ld flags specified for DSOs. Compare with the existing LDFLAGS_SHLIB
environment variable, which allows the user to completely replace the
hard-coded ld flags specified for DSOs. [Jeff Trawick]

*) mod_auth_digest no longer tries to guess AuthDigestDomain, if it's
not specified. Now it assumes "/" as already documented. PR 16937.
[André Malo]

*) In configure always assume suexec-umask to be an octal value by
prepending a "0". PR 16984. [André Malo]

*) Fix typo in suexec -V output. PR 9034.
[Youichirou Koga <y-koga apache.or.jp>]

*) Fix bug where 'Satisfy Any' without an AuthType resulted in an
"Internal Server Error" response. PR 9076. [André Malo]

*) mod_rewrite: Allow "RewriteEngine Off" even if no
"Options FollowSymlinks" (or SymlinksIfOwnermatch) is set.
PR 12395. [André Malo]

*) Change the log messages for setsockopt(TCP_NODELAY) and
getsockname() failures to log the client IP address and to
change the log level to debug. [Jeff Trawick]

*) Correction to mod_negotiation for Win32, OS2, Netware etc, where
case insensitive requests such as the HEADER or README search
from autoindex would fail to match HEADER.html (because the
system internally looked for the case-sensitive header.* pattern.)
PR 7300 [William Rowe]

*) Correction to mod_autoindex so that only text/* files (preferring
/html, then /plain, then some other flavor) can be recovered
from a multiview-based HEADER or README subrequest.
[William Rowe]

*) Improvements to mod_usertrack that allows for a regular (verbose)
as well as "compact" version of the tracking cookie (the new
'CookieFormat' directive), and the ability to prepend a string
to the cookie via the 'CookiePrefix' directive.
[Pål Løberg <pallo initio.no>, with cleanup by Jim Jagielski]

*) Certain 3rd party modules would bypass the Apache API and not
invoke ap_cleanup_for_exec() before creating sub-processes.
To such a child process, Apache's file descriptors (lock
fd's, log files, sockets) were accessible, allowing them
direct access to Apache log file etc. Where the OS allows,
we now add proactive close functions to prevent these file
descriptors from leaking to the child processes.
[Jim Jagielski, Martin Kraemer]

*) Prevent obscenely large values of precision in ap_vformatter
from clobbering a buffer. [Sander Striker, Jim Jagielski]

*) NetWare: implemented ap_os_default_port() to resolve the
correct default port based on the request method. This fixes
a URL reconstruction problem on a redirect.
[Pavel Novy <novy feld.cvut.cz>]

*) Added new ap_register_cleanup_ex() API function which allows
for a "magic" cleanup function to be run at register time
rather than at cleanup time. Also added the
ap_note_cleanups_for_(socket|fd|file)_ex() API functions
which allows for control over whether that magic cleanup
should be called or not. This does not change the default
behavior of the non-"ex" function (eg: ap_register_cleanup).
[Jim Jagielski, concept by Ben Laurie]

*) PORT: Take advantage of OpenBSD's arc4random() function for the
initial secret [Henning Brauer <hb-apache-dev at bsws.de>]

*) If Listen directive is not a port, but just an IP, emit an
error condition as this case is ambiguous.
[Rich Bowen, Justin Erenkrantz, Cliff Woolley]

*) Update timeout algorithm in free_proc_chain. If a subprocess
did not exit immediately, the thread would sleep for 3 seconds
before checking the subprocess exit status again. In a very
common case when the subprocess was an HTTP server CGI script,
the CGI script actually exited a fraction of a second into the 3
second sleep, which effectively limited the server to serving one
CGI request every 3 seconds across a persistent connection.
PRs 6961, 8664 [Bill Stoddard]

*) mod_setenvif: Add SERVER_ADDR special keyword to allow
envariable setting according to the server IP address
which received the request. [Ken Coar]

*) PORT: Enable SINGLE_LISTEN_UNSERIALIZED_ACCEPT for AIX 4.3.2
and above. Update AIX configure logic to allow higher AIX
release numbers without having to change Apache.
[Jeff Trawick]

Changes with Apache 1.3.27

*) SECURITY: CVE-2002-0840 (cve.mitre.org)
Prevent a cross-site scripting vulnerability in the default
error page. The issue could only be exploited if the directive
UseCanonicalName is set to Off and a server is being run at
a domain that allows wildcard DNS. [Matthew Murphy]

*) SECURITY: CVE-2002-0843 (cve.mitre.org)
Fix some possible overflows in ab.c that could be exploited by
a malicious server. Reported by David Wagner. [Jim Jagielski]

*) Included a patch submitted by Sander van Zoest (#9181) and
written by Michael Radwin which is essentially a work around
for the adding headers to error responses. As apache does not
go through the proper chain for non 2xx responses. This patch
adds an ErrorHeader directive; which is for non 2xx replies the
direct analog of the existing Header directive. This is useful
during 3xx redirects or more complex 4xx auth schemes. [Dirk-
Willem van Gulik]

*) Included the patch submitted by Sander van Zoest (#12712) which
prevents just 'anything' being sucked in when doing gobbling in
complete directories - such as editor backup files and other
cruft. This patch allows us to tailor/control this properly by
allowing simple wildcards such as *.conf. [Dirk-Willem van Gulik]

*) SECURITY: CVE-2002-0839 (cve.mitre.org)
Add the new directive 'ShmemUIDisUser'. By default, Apache
will no longer set the uid/gid of SysV shared memory scoreboard
to User/Group, and it will therefore stay the uid/gid of
the parent Apache process. This is actually the way it should
be, however, some implementations may still require this, which
can be enabled by 'ShmemUIDisUser On'. Reported by iDefense.
[Jim Jagielski]

*) Fix a problem with the definition of union semun which broke
System V semaphores on systems where sizeof(int) != sizeof(long).
PR 12072 [<winterling de.ibm.com>]

*) The protocol version (eg: HTTP/1.1) in the request line parsing
is now case insensitive. This closes a few PRs and implies that
ProtocolReqCheck will trigger on *true* invalid protocols.
[Jim Jagielski]

*) Relaxed mod_digest its parsing in order to make it work
with iCal's "WebDAVFS/1.2 (01208000) Darwin/6.0 (Power Macintosh)"
User-Agent. Apache (incorrectly) insisted on a quoted URI's
in the uri field of the Authorization client header. Not
yet done for EBCDIC platforms.
[Dirk-Willem van Gulik]

*) Back out an older patch for PR 9932, which had some incorrect
behavior. Instead, use a backport of the APR fix. This has
the nice effect that ap_snprintf() can now distinguish between
an output which was truncated, and an output which exactly
filled the buffer. [Jim Jagielski]

*) The cache in mod_proxy was incorrectly updating the Content-Length
value (to 0) from 304 responses when doing validation. Bugz#10128
[Paul Terry <paul.terry gmx.net>, <ast domdv.de>, Jim Jagielski]

*) Added support for Berkeley-DB/4.x to mod_auth_db.
[Martin Kraemer]

*) PR 10993: add image/x-icon to default httpd.conf files
[Ian Holsman, Peter Bieringer <pb bieringer.de>]

*) Fix a problem in proxy where headers from other modules were
added to the response headers when this was already done in the
core already. This resulted in header (and therefore cookie)
duplication. [Martijn Schoemaker <martijn osp.nl>]

*) Fix FileETags none operation. PR 12202.
[Justin Erenkrantz, Andrew Ho <andrew tellme.com>]

*) Win32: Fix one byte buffer overflow in ap_get_win32_interpreter
when a CGI script's #! line does not contain a \r or \n (i.e.
a line feed character) in the first 1023 bytes. The overflow
is always a '\0' (string termination) character.

*) Add new "suppress-error-charset" environment variable to
allow a BrowserMatch workaround for clients that incorrectly
use the charset of a redirect as the charset of the target.
[Ken Coar]

*) Support Caldera OpenUNIX 8. [Larry Rosenman <ler lerctr.org>]

*) Use SysV semaphores by default on OpenBSD. [Henning Brauer
<hb-apache-dev bsws.de>]

*) httpd -V will now also print out the compile time defined
HARD_SERVER_LIMIT value. [Dirk-Willem van Gulik].

*) In 1.3.26, a null or all blank Content-Length field would be
triggered as an error; previous versions would silently ignore
this and assume 0. As a special case, we now allow this and
behave as we previously did. HOWEVER, previous versions would
also silently accept bogus C-L values; We do NOT do that. That
*is* an invalid value and we treat it as such.
[Jim Jagielski]

*) Add ProtocolReqCheck directive, which determines if Apache will
check for a valid protocol string in the request (eg: HTTP/1.1)
and return HTTP_BAD_REQUEST if not valid. Versions of Apache
prior to 1.3.26 would silently ignore bad protocol strings, but
1.3.26 included a more strict check. This makes it runtime
configurable. The default is On. This also removes the requirement
on an ANSI sscanf() implementation. [Jim Jagielski]

*) NetWare: implemented file locking in mod_rewrite for the NetWare
CLib platform. This fixes a bug that prevented rewrite logging
from working. [Brad Nicholes]

Changes with Apache 1.3.26

*) Potential NULL referencing fixed in the CGI module. It had
been there for 5 years. [Justin Erenkrantz]

*) Ensure that we set the result value in ap_strtol before
we return it. [Justin Erenkrantz, Jim Jagielski]

Changes with Apache 1.3.25

*) SECURITY: CVE-2002-0392 (cve.mitre.org) [CERT VU#944335]
Code changes required to address and close chunked
encoding security issues. To support this, we utilize the ANSI
functionality of strtol, and provide ap_strtol for completeness.
[Aaron Bannert, Justin Erenkrantz, Jim Jagielski, Brian Pane,
William Rowe, Cliff Woolley]

*) PORT: With OpenBSD 3.1 and up, allow modules to work on their
ELF-based architectures. [Brad <brad openbsd.org>]

*) Add X-Forwarded-Host and X-Forwarded-Server to X-Forwarded-For
to the proxy. [Thomas Eibner <thomas stderr.net>]

*) Fix a problem in mod_proxy: it would not set the number of bytes
transferred, so other modules could not access the value from
the request_rec->bytes_sent field.
[Anthony Howe <achowe at snert.com>] PR#6841

*) Fix a problem in mod_rewrite which would lead to 400 Bad Request
responses for rewriting rules which resulted in a local path.
Note: This will also reject invalid requests like
"HEAD /roaming/martin/IMAP localhost HTTP/1.0" as issued by
Netscape-4.x Roaming Profiles (on a DAV-enabled server)
[Martin Kraemer]

*) SECURITY: CVE-2003-0083 (cve.mitre.org)
Disallow anything but whitespace on the request line after the
HTTP/x.y protocol string. That prevents arbitrary user input
from ending up in the access_log and error_log. Also, special
characters (especially control characters) are escaped in the
log file now, to make a clear distinction between client-supplied
strings (with special characters) and server-side strings.
[Martin Kraemer]

*) Get rid of DEFAULT_XFERLOG as it is not used anywhere. It was
preserved by the build system, printed with "httpd -V", but
apart from that completely ignored: the default transfer log
is to not produce any transfer log.
[Martin Kraemer]

*) Fixed sending of binary files under Cygwin. PR 9185.
[Cliff Woolley]

*) Added Cygwin directory layout to config.layout file.
[Stipe Tolj, <tolj wapme-systems.de>]

*) Added a '-F' flag; which causes the mother/supervisor process to
no longer fork down and detach. But instead stays attached to
the tty - thus making life for automatic restart and exit checking
code easier. [ Contributed by Michael Handler <handler grendel.net>,
Jos Backus <jos catnook.com> [ Dirk-Willem van Gulik ]].

*) Make apxs.pl more flexible (file extensions like .so or .dll are
no longer hardcoded). [Stipe Tolj <tolj wapme-systems.de>]

*) Add an intelligent error message should no proxy submodules be
valid to handle a request. PR 8407 [Graham Leggett]

*) Allow child processes sufficient time for cleanups but making
ap_select in reclaim_child_processes more "resistant" to
signal interrupts. Bugz# 8176
[David Winterbourne <davidw financenter.com>, Jim Jagielski]

*) Recognize platform specific root directories (other than
leading slash) in mod_rewrite for filename rewrite rules.
Bugz# 7492 [William Rowe]

*) For supported versions of Darwin, place dynamically loaded
Apache extensions' public symbols into the global symbol
table. This allows dynamically loaded PHP extensions.
[Marko Karppinen <markonen php.net>]

*) Correct proxy to be able to handle the unexpected 100-continue
responses sent during PUT or POST requests. [Graham Leggett]

*) Correct a timeout problem within proxy which would force long
or slow POST requests to close after 300 seconds.
[Martin Lichtin <martin lichtin.net>, Brian Bothwell
<brian.bothwell wisdomtools.com>]

*) Add support for dechunking chunked responses in proxy.
[Graham Leggett]

*) Made AB's use of the Host: header rfc2616 compliant
by Taisuke Yamada <tai iij.ad.jp> [Dirk-Willem van Gulik].

*) Update the Red Hat Layout to match Red Hat Linux version 7.
PR BZ-7422 [Joe Orton]

*) Add some popular types to the mime magic file. PR 7730.
[Linus Walleij <triad df.lth.se>, Justin Erenkrantz]

*) Tighten up the overridden-Server-header bugfix in the proxy, by
only overriding if the request is a proxy request. It has been
pointed out that the previous fix allows CGIs and modules to
override the Server header, which is a change to previous behavior.
[Graham Leggett, Joshua Slive]

*) Another fix for the multiple-cookie header bug in proxy. With some
luck this bug is actually now dead. [Graham Leggett]

Changes with Apache 1.3.24

*) Fixed a segfault in mod_include when #if, #elif, #else, or #endif
directives were improperly terminated. [Cliff Woolley]

*) Win32 SECURITY: CVE-2002-0061 (cve.mitre.org)
Introduce proper escaping of command.com and cmd.exe for Win32.
These patches close vulnerability CVE-2002-0061, identified and
reported by Ory Segal <ory.segal sanctuminc>, by which any CGI
invocation of .bat or .cmd files could compromise the system
when the .bat or .cmd was parsed the query args as an argument
to either cmd.exe /c or command.com /c. [William Rowe]

*) Add % and \r [C/R] to the dangerous Win32 shell character list.
Retain the Unix sh escapes list for compatibility.
[William Rowe]

*) Pass the command line to the cmd.exe /c interpreter double quoted.
This fixes a bug that CGI args ending in a double-quote would
cause invocation to fail. Also, treat command.com as a 16-bit
executable. [William Rowe]

*) Win32; Never invoke cmd or bat scripts based on the registry, even
for 'ScriptInterpreterSource Registry' enabled. [William Rowe]

*) Provide Win32 users a log of the cgi command invoked, to assist
in debugging scripts at LogLevel info. Also provide env vars
at LogLevel debug for additional help to admins troubleshooting
the ever mysterious "Premature end of script headers" error.
[Aaron Bannert]

*) Added the 'CGICommandArgs off' directive, to allow admins
to disable the query argument passing mechanism in Apache,
if future CGI argument vulnerabilities should be discovered.
This defaults to 'on', meaning isindex-style query arguments
are enabled. [Aaron Bannert]

*) When a proxied site was being served, Apache was replacing
the original site Server header with its own, which is not
allowed by RFC2616. Fixed. [Graham Leggett]

*) Fixed the previous multiple-cookie fix in the proxy. Cookies
are broken in that they contain dates which in turn contain
commas - so merging and then unmerging them breaks Set-Cookie
headers. Sigh. [Graham Leggett]
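
The two proxy cookie failures named in these entries (overwriting a repeated header, and merging then unmerging on commas), as an added Python illustration that is not code from Apache. The HeaderTable class, the function names and the cookie values are constructed for this sketch.

```python
# Added illustration; not mod_proxy code. Cookie values are constructed samples.

def merge_headers(values):
    """Fold repeated header fields into one comma-separated value, which
    RFC 2616 section 4.2 allows only for headers defined as comma lists."""
    return ", ".join(values)

def naive_unmerge(merged):
    """Split a folded header back on commas (the lossy step)."""
    return [part.strip() for part in merged.split(",")]

class HeaderTable:
    """Hypothetical header store keeping each occurrence as its own entry."""

    def __init__(self):
        self._fields = []  # (name, value) pairs in arrival order

    def add(self, name, value):
        # Append semantics: repeated fields are preserved.
        self._fields.append((name, value))

    def set(self, name, value):
        # Overwrite semantics: earlier values of the same field are dropped.
        self._fields = [(n, v) for n, v in self._fields
                        if n.lower() != name.lower()]
        self._fields.append((name, value))

    def get_all(self, name):
        return [v for n, v in self._fields if n.lower() == name.lower()]

# Constructed upstream response: two cookies, each with a dated Expires.
UPSTREAM_SET_COOKIE = [
    "session=abc123; Expires=Wed, 09-Jun-2021 10:18:14 GMT; Path=/",
    "theme=dark; Expires=Thu, 10-Jun-2021 10:18:14 GMT; Path=/",
]

def roundtrip_merged():
    """Merge, then split on commas: the comma inside each date splits too."""
    return naive_unmerge(merge_headers(UPSTREAM_SET_COOKIE))

def relay_overwriting():
    """Relay with overwrite semantics: only the last cookie survives."""
    table = HeaderTable()
    for value in UPSTREAM_SET_COOKIE:
        table.set("Set-Cookie", value)
    return table.get_all("Set-Cookie")

def relay_separately():
    """Relay each Set-Cookie as its own header: nothing is lost or split."""
    table = HeaderTable()
    for value in UPSTREAM_SET_COOKIE:
        table.add("Set-Cookie", value)
    return table.get_all("Set-Cookie")

if __name__ == "__main__":
    for label, fn in (("merged and split", roundtrip_merged),
                      ("overwritten", relay_overwriting),
                      ("kept separate", relay_separately)):
        print(label)
        for value in fn():
            print("  Set-Cookie:", value)
```
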

*) Add ap_uuencode to the httpd.exp exports file used by
the AIX linker. [Bill Stoddard]

*) Win32: Ignore AcceptMutex directive if it is present
[Bill Stoddard]

*) mod_rewrite: restored rnd behavior that was broken in 1.3.23.
PR 10090, 10185 [Jeroen Boomgaardt <jeroen swissclue.com>]

*) NetWare: Added the command line directive -e that forces all
fatal configuration error messages to the logger screen rather
than the Apache screen before Apache is unloaded.
[Brad Nicholes <bnicholes novell.com>]

*) Add the ProxyIOBufferSize option. Previously the size of the
buffer used while reading from the remote server in proxy was
taken from ProxyReceiveBufferSize. [Graham Leggett]

*) Fix a NULL variable check in proxy where we were checking the
wrong variable. [Geff Hanoian <geff pier64.com>]

*) Fix typo in default config files related to Swedish language
documents. PR: 9906, 10040 [Tomas Ögren <stric ing.umu.se>,
Dennis Lundberg <dennis.lundberg mdh.se>]

*) apxs didn't get rebuilt when options were changed. This must have
caused much puzzlement in the past. Fixed.
[Ben Laurie]

*) No idea why an HTTP/1.1 proxy would send an HTTP/1.0 request
to a remote server by default. Fixed.
[Graham Leggett, Gabriel Russell <g.russell ieee.org>]

*) NetWare: Added the module mod_log_nw to handle log rotation.
This module adds LogRotateDaily and LogRotateInterval to allow
all of the custom logs to be either rotated on a daily basis or
on a specific interval. Based on a patch by Bertrand Demiddelaer.
[Brad Nicholes <bnicholes novell.com>]

*) Fix typo in rotatelogs.8. [Will Lowe <harpo thebackrow.net>]

*) Clean up warnings in mod_proxy [Chuck Murcko <chuck topsail.org>]

*) TPF: Use the correct subpool when opening the error log.
This prevents a possible SIGPIPE in standalone_main.
[David McCreedy <McCreedy us.ibm.com>]

*) When proxy enabled a slow frontend client to read from an
expensive backend server, it would wait until it had delivered
the response to the slow frontend client completely before
closing the backend connection. The backend connection is now
closed as soon as the last byte is read from it, freeing up
resources that would have been tied up unnecessarily.
[Graham Leggett, Igor Sysoev <is rambler-co.ru>]

*) The proxy code read chunks from the backend server in a
hardcoded amount of 8k. The existing ProxyReceiveBufferSize
parameter has been overloaded to specify the size of this buffer.
[Graham Leggett, Igor Sysoev <is rambler-co.ru>]

*) [Security] Prevent invalid client hostnames from appearing in
the log file. If a double-reverse lookup was performed (e.g.,
for an "Allow from .my.domain" directive) but failed, then
a spoofed dns-reverse-address could appear in the logs. Now
the numeric address is logged instead. Note that
reverse-address-spoofing did NOT actually allow access
to any protected resource! [Martin Kraemer]

*) Some browsers ignore cookies that have been merged into a
single Set-Cookie header. Set-Cookie and Set-Cookie2 headers
are now unmerged in the http proxy before being sent to the
client. [Graham Leggett]

*) Fix a problem with proxy where each entry of a duplicated
header such as Set-Cookie would overwrite and obliterate the
previous value of the header, resulting in multiple header
values (like cookies) going missing.
[Graham Leggett, Joshua Slive]

*) Fix a problem with proxy where X-Cache headers were
overwriting and then obliterating upstream X-Cache headers
from other proxies.
[Graham Leggett, Jacob Rief <jacob.rief tiscover.com>]

*) Win32: Work around a bug in Windows XP that caused data
corruption on writes to the network. The WinXP bug
is tickled by the combined use of WSADuplicateSocket
and blocking send() calls.
[Bill Stoddard, Bill Rowe, Allan Edwards, Szabolcs Szakacsits]

*) Add 'IgnoreCase' keyword to the IndexOptions directive;
if active, upper- and lower-case letters are insignificant
in ordering. In other words, all A* and a* files will be
listed together, rather than the a* ones after all the [A-Z]*
ones. [Tullio Andreatta <tullio logicom.it>]

*) NetWare: Implemented the real ap_os_case_canonical_filename()
function that retrieves the accurately cased path and file
name from the file system. [Brad Nicholes <bnicholes novell.com>]

*) Fix the longstanding bug that errors (returned by src/Configure)
would not be noticed by the top level configure script.
That was bad for automated configurations. [Martin Kraemer]

*) Link with -lpthread on Solaris since we reference pthread
functions for the accept mutex. Previously, the link step
would succeed but we would link to bogus versions of the
pthread functions in libc, apparently breaking accept mutex
serialization when "AcceptMutex pthread" was used and
apparently breaking some third-party modules whether
or not "AcceptMutex pthread" was used. [Jeff Trawick]

*) The Location: response header field, used for external
redirect, *must* be an absoluteURI. The Redirect directive
tested for that, but RedirectMatch didn't -- it would allow
almost anything through. Now it will try to turn an abs_path
into an absoluteURI, but it will correctly varf like Redirect
if the final redirection target isn't an absoluteURI. [Ken Coar]

*) apxs: fix bug that prevented -S option from containing quotes.
[Ben Laurie]

*) ftp proxy: various cosmetic and functional improvements
- Allow for /%2f hack (to access the root directory / )
- properly escape generated links in dir listing
- do directory listings in ASCII, to avoid problems with EBCDIC
servers
- close data & control channels to server properly
[Martin Kraemer]

*) NetWare: Added mod_auth_dbm to the project file.
[Brad Nicholes <bnicholes novell.com>]


Changes with Apache 1.3.23

*) Changed the symbol mapping of the following from API_EXPORT
to API_EXPORT_NONSTD:
ap_snprintf(), ap_table_do(), ap_bvputs(), ap_log_error(),
ap_log_rerror(), ap_log_printf(), ap_rprintf()
[William Rowe]

*) Fixed a number of mismatched int sizes and signedness problems.
Still remains, MSVC's 'interesting' declaration of FD_SET still emits
(impotent) warnings. [William Rowe]

*) mod_proxy changes:

*) Bug fix for ap_proxy_cache_conditional(), uninitialized wetag
[Zvi Har'El <rl math.technion.ac.il>]

*) Add persistent connection handling
The patch changes mod_proxy to write the reply-headers using
ap_send_http_header() instead of directly using ap_bvputs(). This not
only simplifies mod_proxy, in my opinion at least, but enables it to
make use of the features of Apache's normal header and persistent
connection machinery.
[Christian von Roques <roques mti.ag>]

*) Graham Leggett's original 1.3.12 patch, updated for 1.3.19+
Original comments:

HTTP/1.1 support for mod_proxy:
- support for Cache-Control
- conditional support If-Match, If-None-Match,
If-Unmodified-Since, Etag
- support for content negotiation using Vary
- storing of request headers (for Vary support) in cache file
- storing of updated response headers (with 304 Not Modified) in
cache file
- support for 64 bit dates and content-lengths in cache file
Fixes:
- ProxyPassReverse applied to Content-Location
- entity headers no longer stripped from response after cache
revalidation
- annotation of mod_proxy cache code
[Graham Leggett <minfrin sharp.fm>]

changes to preserve binary compatibility with httpd core, clean up
[Chuck Murcko <chuck topsail.org>]

*) HPUX 11.*: Do not kill the child process when accept()
returns ENOBUFS on HPUX 11.*.
[<madhusudan_mathihalli hp.com>]

*) PORT: Numerous additions to Cygwin, including: defaulting
to Posix thread accept mutex, excluding the call to
pthread_mutexattr_setpshared(), better proxy and DBM support, and
allowing the use of native Win32 socket ops instead of
Cygwin's Posix wrapper (for better performance). The last
item required the addition of a new Configure Rule: CYGWIN_WINSOCK.
[Stipe Tolj <tolj wapme-systems.de>]

*) Use "httpready" accept filter rather than "dataready" on
FreeBSD after 4.1.1-RELEASE where it works correctly.
[Tony Finch]

*) Fix incorrect "Content-Length" header in the 416 "range not
satisfiable" response. [Joe Orton <joe manyfish.co.uk>]

*) Add FileETag directive to control fields used when constructing
an ETag for a file-based resource. Historically the inode,
size, and mtime have been used, but the inode factor broke
caching for systems with content fan-out across multiple
back-end servers. Now the fields used in the construction
can be controlled by configuration directives. Minor MMN
bumped; MMN went from 19990320.10 to 19990320.11.
[Ken Coar, from a patch by Phil Dietz]

*) NetWare: Fixed the access forbidden problem when requesting an
empty directory rather than showing the empty listing.
[Charles Goldman, Guenter Knauf <gk gknw.de>]

*) Cause Win32 to capture all child-worker process errors in
Apache to the main server error log, until the child can
open its own error logs. [William Rowe]

*) Revert mod_negotiation's handling of path_info and query_args
to the 1.3.20 behavior. PR: 8628, 8582, 8538 [William Rowe]

*) Modify buff.h and buff.c to enable modules to intercept the
output byte stream for dynamic page caching. A pointer to a
'filter callback' function is added to the end of buff.h.
This function, if registered by a module, is called
at the top of buff_write() and writev_it_all().
[Kevin Mallory <kmallory spidercache.com>]

*) When the default of 'Group #-1' was changed to 'Group "#-1"',
the Makefile wasn't updated to recognise the quotation marks.
[Owen Boyle <obo bourse.ch>]

*) Win32: Do not allow threads to continue handling keepalive
requests after a shutdown or restart has been signaled.
[Bill Stoddard]

*) Win32: Accept OPTIONS * requests. [Keith Wannamaker]

*) Unixware 7.0 and later did not have a default locking
mechanism defined. This bug was introduced in apache 1.3.4.
[Dean Gaudet]

*) Prevent an Apache module from being loaded or added twice due
to duplicate LoadModule or AddModule directives (or a missing
ClearModuleList directive).
[William Rowe, Brian Pane <bpane pacbell.net>]

*) Add checkgid app to do run-time validation of Group directive
values which might cause the server to fall over, but which
are syntactically correct. [Ken Coar]

*) NetWare: Added mod_unique_id to the project file.
[Brad Nicholes <bnicholes novell.com>]

*) NetWare: Fixed a link problem with mod_vhost_alias so that it
exports the correct MODULE structure. PR 8598
[Brad Nicholes <bnicholes novell.com>]

*) Unix: The generated install script for binary distributions,
install-bindist.sh, now makes DSO files executable, like
make install. This allows a binary distribution to work on
HP-UX without any manual intervention. PR 7428
[Jeff Trawick]

*) Win32: The Apache Win32 developers generally recommend that
MaxRequestsPerChild be set to 0 to prevent the child process
from ever recycling. However, for those that do require a
non-zero setting, this patch fixes a serious bug that can cause
an apparent 'server-hang' condition where the server stops
responding to requests for a period of time. Prior to this
fix, when the child process handled MaxRequestsPerChild
connections, the child process would stop accepting new
connections and begin allowing inactive threads to exit. The
problem was that a new process would not be created to begin
handling requests until the old process fully exited. The old
process can take an indeterminate amount of time to exit because
it may be sending large responses to clients connected over slow
links, or it may have threads blocked in read awaiting requests
(eg, one attack mode of the Nimda worm is to establish a
connection to the server but not send an HTTP request. This
connection will be timed out according to the setting of the
Timeout directive, 300 seconds). This fix allows the new process
to be immediately started and begin accepting requests when the
old child process reaches MaxRequestsPerChild.
[Bill Stoddard]

*) Win32: Emit error message when the server bumps up against the
ThreadsPerChild configuration limit. This will be useful for
admins to detect when their server is running out of threads
to handle requests. [Bill Stoddard]

*) Test all directories listed with the UserDir directive for validity.
Also resolves the Win32/Netware bug of unparsable quoted paths.
PR 8238 [William Rowe]

Changes with Apache 1.3.22

*) Recognize AIX 5.1. [Jeff Trawick]

*) PORT: Support AtheOS (see www.atheos.cx)
[Rodrigo Parra Novo <rodarvus terra.com.br>]

*) The manual directory is still configurable (as enabled by
the 1.3.21 change), but its default setting was reverted to
the pre-1.3.21 default as a subdirectory of the DocumentRoot.
You can adapt your path in config.layout or with the
"configure --manualdir=" switch. [Martin Kraemer]

*) Additional correction for the mutex changes on the TPF platform.
[David McCreedy <McCreedy us.ibm.com>]

*) mod_proxy - remove Explain*; replace with ap_log_*
[Chuck Murcko <chuck topsail.org>]

Changes with Apache 1.3.21

*) Enable mod_mime_magic (experimental) for Win32. [William Rowe]

*) Use an installed Expat library rather than the bundled Expat. This
fixes a problem where multiple copies of Expat could be loaded
into the process space, thus conflicting and causing strange
segfaults. Most notably with mod_perl and XML::Parsers::Expat.
[Greg Stein]

*) Handle user modification of WinNT/2K service display names. Prior
versions of Apache only accepted identical internal and display names
(where internal service names were space-stripped.) [William Rowe]

*) Introduce Win32 -W option for -k install/config to set up service
dependencies on the workstation, snmp and other services that given
modules or configurations might depend upon. [William Rowe]

*) Update the mime.types file to map video/vnd.mpegurl to mxu
and add commonly used audio/x-mpegurl for m3u extensions.
[Heiko Recktenwald <uzs106 uni-bonn.de>, Lars Eilebrecht]

*) Modified mod_mime and mod_negotiation to prevent mod_negotiation
from serving any multiview variant containing one or more
'unknown' filename extensions. In PR #8130, mod_negotiation was
incorrectly serving index.html.zh.Big5 when better variants were
available. The httpd.conf file on the failing server did not have
an AddLanguage directive for .zh, which caused mod_mime to lose
the file_type information it gleaned from parsing the .html
extension. The absence of any language preferences, either in
the browser or configured on the server, caused mod_negotiation
to consider all the variants equivalent. When that occurs,
mod_negotiation picks the 'smallest' variant available, which
just happened to be index.html.zh.Big5.
[Bill Stoddard, Bill Rowe] PR #8130

*) SECURITY: CVE-2001-0731 (cve.mitre.org)
Close autoindex /?M=D directory listing hole reported
in bugtraq id 3009. In some configurations where multiviews and
indexes are enabled for a directory, requesting URI /?M=D could
result in a directory listing being returned to the client rather
than the negotiated index.html variant that was configured and
expected. The work around for this problem (for pre 1.3.21
releases) is to disable Indexes or Multiviews in the affected
directories. [Bill Stoddard, Bill Rowe]

*) Enabled Win32/OS2/Netware file paths (not / rooted, but c:/ rooted)
as arguments for mod_vhost_alias'es directives. [William Rowe]

*) Changes for Win32 to assure mod_unique_id's UNIQUE_ID strings really
are unique between threads. [William Rowe]

*) mod_proxy - fix for Pragma: nocache (HTTP/1.0 only)
[Kim Bisgaard <kib dmi.dk>] PR #5668

*) PORT: Some Cygwin changes, esp. improvements for dynamic loading,
and cleanups. [Stipe Tolj <tolj wapme-systems.de>]

*) Win32 SECURITY: CVE-2001-0729 (cve.mitre.org)
The default installation could lead to mod_negotiation
and mod_dir/mod_autoindex displaying a directory listing instead of
the index.html.* files, if a very long path was created artificially
by using many slashes. Now a 403 FORBIDDEN is returned. This
problem was similar to and in the same area as the problem
reported and fixed by Martin Kraemer in 1.3.18, only the scope
is much narrower and is specific to Windows. [Bill Stoddard]

*) Update the mime.types file to the registered media types as
of 2001-09-25, and add xsl, so, dll extensions [Mark Cox]

*) Resolved the build failure on Win32 using MSVC 5.0 (without the
current SDK.) PRs 7790, 7948. [William Rowe]

*) mod_proxy - fix reverse proxy cookie passthrough
[Brian Eidelman <beidelman netegrity.com>] PR#6055

*) mod_proxy - fix CacheForceCompletion directive
[Alexey Panchenko <panchenko liwest.ru>] PR#8090

*) mod_proxy - close origin server connection when client aborts
[Alexey Panchenko <panchenko liwest.ru>] PR#8067,7383,6585

*) ErrorDocument 404 pointing to a parsed html file with a
<!--#include virtual="file" --> with a request URI containing
%2f would result in a segfault (NULL pointer deref, not a
security problem). [Jeff Moe <tux themoes.org>, Dean Gaudet] PR#8362

*) UnsetEnv from main body of httpd.conf file didn't work; backport
of bugfix from 2.0 codebase. [Gary Benson <gbenson redhat.com>] PR#8254

*) Win32 - add mod_unique_id.so and mod_vhost_alias.so to the build.
[William Rowe]

*) Enhancement of mod_auth to handle 'Require file-owner' and
'Require file-group'. This allows access IFF the authenticated
username (from the appropriate AuthUserFile database) matches
the username of the UID that owns the document (and equivalent
checking for file GID and user's membership in AuthGroupFile).
See the mod_auth documentation for examples. (Not supported
on Windows.) [Ken Coar]

*) Addition of the AcceptMutex runtime directive. The accept mutex
method is now runtime controllable. The suite of available methods
per platform is defined at compile time (with HAVE_FOO_SERIALIZED_ACCEPT
noting that the method is available and works, and
USE_FOO_SERIALIZED_ACCEPT noting that it should be the default
method in absence of any AcceptMutex line, or via AcceptMutex default)
and selectable at runtime. The full (current) suite is uslock,
pthread, sysvsem, fcntl, flock, os2sem, tpfcore and none, but
not all platforms accept all methods. [Jim Jagielski]

*) Parallel to a change in Apache-2.0, the manual directory was
moved out of the DocumentRoot tree to simplify the separation
of private content&configuration from server's on-line
documentation. An "Alias /manual/ ..." projects the manual/
directory (which resides now side-by-side with the icons/
directory) into the logical DocumentRoot. Note that a request
to http://server/manual (without the trailing slash) will now
behave differently than before (it used to redirect to
http://server/manual/ but no longer does).
[Martin Kraemer]

*) Fixed ap_os_canonical_filename() so that it wouldn't try to
canonicalize an invalid file name. Also fixed
ap_os_is_path_absolute() so that it wouldn't recognize names
such as proxy:http://blah as a NetWare volume:pathname. Both of
these fixes were necessary to fix mod_proxy problems on NetWare.
[Brad Nicholes <BNICHOLES novell.com>]

*) Fix a storage leak (a strdup() call) in mod_mime_magic.
[Jeff Trawick]

*) We have always used the obsolete/deprecated Netscape syntax
for our tracking cookies; now the CookieStyle directive
allows the Webmaster to choose the Netscape, RFC2109, or
RFC2965 format. The new CookieDomain directive allows the
setting of the cookie's Domain= attribute, too. PR #s 5006,
5023, 5920, 6140 [Ken Coar]

*) The Win32 Makefile.win build script failed if
INSTDIR="c:\path\with spaces" was given, this is now fixed. PR 8184
[Jack Tan <jack_s_tan yahoo.com>]

*) EBCDIC: The proxy, when used in a proxy chain, "forgot" to
convert the "CONNECT host:port HTTP/1.0" request line to ASCII
before contacting the next proxy, and was thus unusable for
SSL proxying. [Martin Kraemer]

*) SECURITY: CVE-2001-0730 (cve.mitre.org)
Make support/split-logfile use the default log file if
"/" or "\" are present in the virtual host name. This prevents
the possible use of specially crafted virtual host names in
some configurations to allow writing to any .log file on the
system. [Daniel Matuschek <daniel.matuschek swisscom.com>,
Marc Slemko] PR#7848
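
The check described in this entry, as an added Python sketch (the split-logfile script itself is not shown on this page, and this is not its code). It assumes the virtual host name is the first whitespace-delimited field of each log line and uses "access" as the default log name; the sample lines are constructed.

```python
# Added illustration; not the project's script. Sample log lines are constructed.
import re
from collections import defaultdict

DEFAULT_LOG = "access"              # assumed fallback name for this sketch
_SEPARATORS = re.compile(r"[/\\]")  # "/" or "\" anywhere in the name

def log_name_for(line):
    """Return the per-vhost log file name for one access-log line.

    The first field is client-influenced data, so it is never used as a
    file name if it is empty or contains a path separator.
    """
    fields = line.split(None, 1)
    vhost = fields[0].lower() if fields else ""
    if not vhost or _SEPARATORS.search(vhost):
        vhost = DEFAULT_LOG
    return vhost + ".log"

def split_log(lines):
    """Group log lines by destination file name (no files are written)."""
    buckets = defaultdict(list)
    for line in lines:
        buckets[log_name_for(line)].append(line)
    return dict(buckets)

def rerouted(lines):
    """Lines whose vhost field was rejected; worth reviewing as anomalies."""
    return [l for l in lines
            if l.split() and _SEPARATORS.search(l.split()[0])]

# Constructed sample input: two ordinary vhosts, two names with separators.
SAMPLE = [
    'www.example.com 192.0.2.10 - - [01/Oct/2001:12:00:00 +0000] "GET / HTTP/1.0" 200 512',
    'Shop.Example.com 192.0.2.11 - - [01/Oct/2001:12:00:01 +0000] "GET /cart HTTP/1.0" 200 128',
    '../../var/log/other 192.0.2.66 - - [01/Oct/2001:12:00:02 +0000] "GET / HTTP/1.0" 200 512',
    'docs\\..\\system 192.0.2.66 - - [01/Oct/2001:12:00:03 +0000] "GET / HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for name, group in sorted(split_log(SAMPLE).items()):
        print(name, len(group))
    print("rerouted to default log:", len(rerouted(SAMPLE)))
```
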

*) Added a directive: "AcceptFilter <on|off>", to control BSD
accept filters when SO_ACCEPT_FILTER is detected at compile
time. The default is still 'on' except when, at compile
time, AP_ACCEPT_FILTER_OFF is defined.

Also downgraded the fatal exit to a warning when the
associated setsockopt(2) fails for any reason but
for ENOPROTOOPT. The latter - which implies that the
kernel does not support the filters - now rates only an
info level message. All in all this should make it easier
to move httpd binaries and config files across BSD machines
with varying acceptfilter support.
[Dirk-Willem van Gulik <dirkx covalent.net>]

*) Fix the <Files ~ "^\.ht"> container to *really* deny all access.
Without the Satisfy All, .ht* files could still be fetched if
they were within the scope of a Satisfy Any directive.
[Ken Coar]

*) Print a warning when an attempt is made to use line-end comments.
Apparently they are not detected/handled gracefully by all directives.
[Martin Kraemer]

*) (TPF only) Take advantage of improvements to select(), fork(), and
exec() in the TPF operating system.
[David McCreedy <McCreedy us.ib