Changes with Apache 2.0.55 *) SECURITY: CAN-2005-2700 (cve.mitre.org) mod_ssl: Fix a security issue where "SSLVerifyClient" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the vhost configuration. [Joe Orton] *) worker MPM: Fix a memory leak which can occur after an aborted connection in some limited circumstances. [Greg Ames] *) mod_ldap: Fix PR 36563. Keep track of the number of attributes retrieved from LDAP so that all of the values can be properly cached even if the value is NULL. [Brad Nicholes, Ondrej Sury ] *) SECURITY: CAN-2005-2491 (cve.mitre.org): Fix integer overflows in PCRE in quantifier parsing which could be triggered by a local user through use of a carefully-crafted regex in an .htaccess file. [Philip Hazel] *) SECURITY: CAN-2005-2088 (cve.mitre.org) proxy: Correctly handle the Transfer-Encoding and Content-Length headers. Discard the request Content-Length whenever T-E: chunked is used, always passing one of either C-L or T-E: chunked whenever the request includes a request body. Resolves an entire class of proxy HTTP Request Splitting/Spoofing attacks. [William Rowe] *) Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method. This addresses a flaw in proxy conformance to RFC 2616 - previously the proxy server would accept a TRACE request body although the RFC prohibited it. The default remains 'TraceEnable on'. [William Rowe] *) Add ap_log_cerror() for logging messages associated with particular client connections. [Jeff Trawick] *) Correct mod_cgid's argv[0] so that the full path can be delved by the invoked cgi application, to conform to the behavior of mod_cgi. [Pradeep Kumar S ] *) mod_include: Fix possible environment variable corruption when using nested includes. PR 12655. [Joe Orton] *) Support the suppress-error-charset setting, as with Apache 1.3.x. PR 31274. [Jeff Trawick] *) EBCDIC: Handle chunked input from client or, with proxy, origin server. [Jeff Trawick] *) Fix bad globbing comparison which could result in getting a directory listing when a file was requested. PR 34512. [sean ] *) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker() was called even if mod_auth_ldap_check_user_id() was not (or if it didn't succeed) for non-authoritative cases. [Jim Jagielski] *) SECURITY: CAN-2005-2728 (cve.mitre.org) Fix cases where the byterange filter would buffer responses into memory. PR 29962. [Joe Orton] *) mod_proxy: Fix over-eager handling of '%' for reverse proxies. PR 15207. [Jim Jagielski] *) mod_ldap: Fix various shared memory cache handling bugs. PR 34209. [Joe Orton] *) Fix a file descriptor leak when starting piped loggers. PR 33748. [Joe Orton] *) mod_ldap: Avoid segfaults when opening connections if using a version of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes] *) mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe] *) SECURITY: CAN-2005-2088 (cve.mitre.org) core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. [Paul Querna, Joe Orton] *) proxy HTTP: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection, mitigating some HTTP Response Splitting attacks. [Jeff Trawick] *) Prevent hangs of child processes when writing to piped loggers at the time of graceful restart. PR 26467. [Jeff Trawick] *) SECURITY: CAN-2005-1268 (cve.mitre.org) mod_ssl: Fix off-by-one overflow whilst printing CRL information at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL. PR 35081. [Marc Stern ] *) mod_userdir: Fix possible memory corruption issue. PR 34588. [David Leonard ] *) worker mpm: don't take down the whole server for a transient thread creation failure. PR 34514 [Greg Ames] *) mod_rewrite: use buffered I/O to improve performance with large RewriteMap txt: files. [Greg Ames] *) proxy HTTP: Rework the handling of request bodies to handle chunked input and input filters which modify content length, and avoid spooling arbitrary-sized request bodies in memory. PR 15859. [Jeff Trawick] Changes with Apache 2.0.54 *) mod_cache: Add CacheIgnoreHeaders directive. PR 30399. [Rüdiger Plüm ] *) mod_ldap: Added the directive LDAPConnectionTimeout to configure the ldap socket connection timeout value. [Brad Nicholes] *) Correctly export all mod_dav public functions. [Branko Čibej ] *) Add a build script to create a solaris package. [Graham Leggett] *) worker MPM: Fix a problem which could cause httpd processes to remain active after shutdown. [Jeff Trawick] *) Unix MPMs: Shut down the server more quickly when child processes are slow to exit. [Joe Orton, Jeff Trawick] *) Remove formatting characters from ap_log_error() calls. These were escaped as fallout from CAN-2003-0020. [Eric Covener ] *) mod_ssl: If SSLUsername is used, set r->user earlier. PR 31418. [David Reid] *) htdigest: Fix permissions of created files. PR 33765. [Joe Orton] *) core_input_filter: Move buckets to a persistent brigade instead of creating a new brigade. This stop a memory leak when proxying a Streaming Media Server. PR 33382. [Paul Querna] *) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid hiccups from additional path information passed in non-utf-8 format. [Richard Donkin ] *) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170. [Rici Lake ] *) mod_proxy: Respect errors reported by pre_connection hooks. [Jeff Trawick] *) --with-module can now take more than one module to be statically linked: --with-module=:,:,... If the -subdirectory doesn't exist it will be created and populated with a standard Makefile.in. [Erik Abele] *) Fix the RPM spec file so that an RPM build now works. An RPM build now requires system installations of APR and APR-util. Remove some arbitrary moving around of binaries - the RPM now maps to the ASF build of httpd. [Graham Leggett] *) mod_dumpio, an I/O logging/dumping module, added to the modules/expermimental subdirectory. [Jim Jagielski] *) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP library handles special characters. PR 24437. [Jess Holle] *) Win32 MPM: Correct typo in debugging output. [William Rowe] *) conf: Remove AddDefaultCharset from the default configuration because setting a site-wide default does more harm than good. PR 23421. [Roy Fielding] *) Add charset to example CGI scripts. [Roy Fielding] *) mod_ssl: fail quickly if SSL connection is aborted rather than making many doomed ap_pass_brigade calls. PR 32699. [Joe Orton] *) Remove compiled-in upper limit on LimitRequestFieldSize. [Bill Stoddard] *) Start keeping track of time-taken-to-process-request again for mod_status if ExtendedStatus is enabled. [Jim Jagielski] *) mod_proxy: Handle client-aborted connections correctly. PR 32443. [Janne Hietamäki, Joe Orton] *) Fix handling of files >2Gb on all platforms (or builds) where apr_off_t is larger than apr_size_t. PR 28898. [Joe Orton] *) mod_include: Fix bug which could truncate variable expansions of N*64 characters by one byte. PR 32985. [Joe Orton] *) Correct handling of certain bucket types in ap_save_brigade, fixing possible segfaults in mod_cgi with #include virtual. PR 31247. [Joe Orton] *) Allow for the use of --with-module=foo:bar where the ./modules/foo directory is local only. Assumes, of course, that the required files are in ./modules/foo, but makes it easier to statically build/log "external" modules. [Jim Jagielski] *) Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that ldap authorization only modules have access to the util_ldap user cache without having to require ldap authentication as well. PR 31898. [Jari Ahonen jah progress.com, Brad Nicholes] *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that allows the module to only authorize a user if the attribute value specified matches the value of the user object. PR 31913 [Ryan Morgan ] *) SECURITY: CAN-2004-0942 (cve.mitre.org) Fix for memory consumption DoS in handling of MIME folded request headers. [Joe Orton] *) SECURITY: CAN-2004-0885 (cve.mitre.org) mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be bypassed during an SSL renegotiation. PR 31505. [Hartmut Keil , Joe Orton] *) mod_ssl: Fail at startup rather than segfault at runtime if a client cert is configured with an encrypted private key. PR 24030. [Joe Orton] *) apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448 [Joe Orton] *) mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d. [Jeff Trawick] *) mod_cache: CacheDisable will only disable the URLs it was meant to disable, not all caching. PR 31128. [Edward Rudd , Paul Querna] *) mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale cache responses. [Justin Erenkrantz] *) mod_rewrite: Handle per-location rules when r->filename is unset. Previously this would segfault or simply not match as expected, depending on the platform. [Jeff Trawick] *) mod_rewrite: Fix 0 bytes write into random memory position. PR 31036. [André Malo] *) mod_disk_cache: Do not store aborted content. PR 21492. [Rüdiger Plüm ] *) mod_disk_cache: Correctly store cached content type. PR 30278. [Rüdiger Plüm ] *) mod_ldap: prevent the possiblity of an infinite loop in the LDAP statistics display. PR 29216. [Graham Leggett] *) mod_ldap: fix a bogus error message to tell the user which file is causing a potential problem with the LDAP shared memory cache. PR 31431 [Graham Leggett] *) SECURITY: CAN-2004-1834 (cve.mitre.org) mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz] *) Fix the re-linking issue when purging elements from the LDAP cache PR 24801. [Jess Holle ] *) mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz] *) Fix Expires handling in mod_cache. [Justin Erenkrantz] *) Alter mod_expires to run at a different filter priority to allow proper Expires storage by mod_cache. [Justin Erenkrantz] Changes with Apache 2.0.52 *) Use HTML 2.0
for error pages. PR 30732 [André Malo] *) Fix the global mutex crash when the global mutex is never allocated due to disabled/empty caches. [Jess Holle ] *) Fix a segfault in the LDAP cache when it is configured switched off. [Jess Holle ] *) SECURITY: CAN-2004-0811 (cve.mitre.org) Fix merging of the Satisfy directive, which was applied to the surrounding context and could allow access despite configured authentication. PR 31315. [Rici Lake ] *) Fix the handling of URIs containing %2F when AllowEncodedSlashes is enabled. Previously, such urls would still be rejected. [Jeff Trawick, Bill Stoddard] *) mod_mem_cache: Fixed race condition causing segfault because of memory being freed twice, or reused after being freed. [J. Clar, W. Stoddard, G. Ames] *) Add -l option to rotatelogs to let it use local time rather than UTC. PR 24417. [Ken Coar, Uli Zappe ] *) mod_log_config: Fix a bug which prevented request completion time from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE processing. PR 29696. [Alois Treindl ] Changes with Apache 2.0.51 *) SECURITY: CAN-2004-0786 (cve.mitre.org) Fix an input validation issue in apr-util which could be triggered by malformed IPv6 literal addresses. [Joe Orton] *) SECURITY: CAN-2004-0747 (cve.mitre.org) Fix buffer overflow in expansion of environment variables in configuration file parsing. [André Malo] *) SECURITY: CAN-2004-0809 (cve.mitre.org) mod_dav_fs: Fix a segfault in the handling of an indirect lock refresh. PR 31183. [Joe Orton] *) mod_include no longer checks for recursion, because that's done in the core. This allows for careful usage of recursive SSI. [André Malo] *) Fix memory leak in the cache handling of mod_rewrite. PR 27862. [chunyan sheng , André Malo] *) Include directives no longer refuse to process symlinks on directories. Instead there's now a maximum nesting level of included directories (128 as distributed). This is configurable at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch. PR 28492. [André Malo] *) Win32: apache -k start|restart|install|config can leave stranded piped logger processes (eg, rotatelogs.exe) due to improper server shutdown on these code paths. [Bill Stoddard] *) SECURITY: CAN-2004-0751 (cve.mitre.org) mod_ssl: Fix a segfault in the SSL input filter which could be triggered if using "speculative" mode, for instance by a proxy request to an SSL server. PR 30134. [Joe Orton] *) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups. PR 30464. [Joe Orton, Madhusudan Mathihalli] *) mod_ssl: Add new 'ssl_is_https' optional function. [Joe Orton] *) Prevent CGI script output which includes a Content-Range header from being passed through the byterange filter. [Joe Orton] *) Satisfy directives now can be influenced by a surrounding container. PR 14726. [André Malo] *) mod_rewrite now officially supports RewriteRules in sections. PR 27985. [André Malo] *) mod_disk_cache: Implement binary format for on-disk header files. [Brian Akins , Justin Erenkrantz] *) mod_disk_cache: Optimize network performance of disk cache subsystem by allowing zero-copy (sendfile) writes and other miscellaneous fixes. [Justin Erenkrantz] *) mod_cache, mod_disk_cache, mod_mem_cache: Refactor cache modules, and switch to the provider API instead of hooks. [Justin Erenkrantz] *) mod_autoindex: Don't truncate the directory listing if a stat() call fails (for instance on a >2Gb file). PR 17357. [Joe Orton] *) Makefile fix: httpd is linked against LIBS given to the 'make' invocation. PR 7882. [Joe Orton] *) WinNT MPM: Fix a broken log message at termination. PR 28063. [Eider Oliveira ] *) Prevent Win32 pool corruption at startup [Allan Edwards] *) mod_ssl: Add "SSLUserName" directive to set r->user based on a chosen SSL environment variable. PR 20957. [Martin v. Loewis ] *) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs. [Zvi Har'El ] *) apachectl: Fix a problem finding envvars if sbindir != bindir. PR 30723. [Friedrich Haubensak ] *) mod_ssl: Build on RHEL 3. PR 18989. [Justin Erenkrantz] *) SECURITY: CAN-2004-0748 (cve.mitre.org) mod_ssl: Fix a potential infinite loop. PR 29964. [Joe Orton] *) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb. PR 18989. [Joe Orton] *) mod_userdir: Ensure that the userdir identity is used for suexec userdir access in a virtual host which has suexec configured. PR 18156. [Joshua Slive] *) mod_rewrite no longer confuses the RewriteMap caches if different maps defined in different virtual hosts use the same map name. PR 26462. [André Malo] *) mod_setenvif: Remove "support" for Remote_User variable which never worked at all. PR 25725. [André Malo] *) Backport from 2.1 / Regression from 1.3: mod_headers now knows again the functionality of the ErrorHeader directive. But instead using this misnomer additional flags to the Header directive were introduced ("always" and "onsuccess", defaulting to the latter). PR 28657. [André Malo] *) Use the higher performing 'httpready' Accept Filter on all platforms except FreeBSD < 4.1.1. [Paul Querna] *) mod_usertrack: Escape the cookie name before pasting into the regexp. [André Malo] *) Extend the SetEnvIf directive to capture subexpressions of the matched value. [André Malo] *) Recursive Include directives no longer crash. The server stops including configuration files after a certain nesting level (128 as distributed). This is configurable at compile time using the -DAP_MAX_INCLUDE_DEPTH switch. PR 28370. [André Malo] *) mod_dir: the trailing-slash behaviour is now configurable using the DirectorySlash directive. [André Malo] *) Allow proxying of resources that are invoked via DirectoryIndex. PR 14648, 15112, 29961. [André Malo] *) util_ldap: Switched the lock types on the shared memory cache from thread reader/writer locks to global mutexes in order to provide cross process cache protection. [Brad Nicholes] *) util_ldap: Reworked the cache locking scheme to eliminate duplicate cache entries in the credentials cache due to race conditions. [Brad Nicholes] *) util_ldap: Enhanced the util_ldap cache-info display to show more detail about the contents and current state of the cache. [Brad Nicholes] *) Enable the option to support anonymous shared memory in mod_ldap. This makes the cache work on Linux again. [Graham Leggett] *) Enable special ErrorDocument value 'default' which restores the canned server response for the scope of the directive. [Geoffrey Young, André Malo] *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack is set in r->subprocess_env allow mismatched query strings to pass. PR 27758. [Paul Querna, Geoffrey Young] *) Accept URLs for the ServerAdmin directive. If the supplied argument is not recognized as an URL, assume it's a mail address. PR 28174. [André Malo, Paul Querna] *) initialize server arrays prior to calling ap_setup_prelinked_modules so that static modules can push Defines values when registering hooks just like DSO modules can ["Philippe M. Chiasson" ] *) Small fix to allow reverse proxying to an ftp server. Previously an attempt to do this would try and connect to 0.0.0.0, regardless of the server specified. PR 24922 [Pascal Terjan ] *) Add the NOTICE file to the rpm spec file in compliance with the Apache v2.0 license. [Graham Leggett] *) RPM spec file changes: changed default dependancy to link to db4 instead of db3. Fixed complaints about unpackaged files. [Graham Leggett] Changes with Apache 2.0.50 *) SECURITY: CAN-2004-0493 (cve.mitre.org) Close a denial of service vulnerability identified by Georgi Guninski which could lead to memory exhaustion with certain input data. [Jeff Trawick] *) mod_cgi: Handle output on stderr during script execution on Unix platforms; preventing deadlock when stderr output fills pipe buffer. Also fixes case where stderr from nph- scripts could be lost. PR 22030, 18348. [Joe Orton, Jeff Trawick] *) mod_alias now emits a warning if it detects overlapping *Alias* directives. [André Malo] *) mod_rewrite no longer turns forward proxy requests into reverse proxy requests. PR 28125 [ast domdv.de, André Malo] *) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now exported on Win32 and Netware as well (minor MMN bump). PR 28523. [Edward Rudd , André Malo] *) Restore the ability to disable the use of AcceptEx on Win9x systems automatically (broken in 2.0.49). PR 28529. [André Malo] *) now applies to all IP addresses for myhost instead of just the first one reported by the resolver. This corrects a regression since 1.3. [Jeff Trawick] *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved against ServerRoot PR#26602 [Brad Nicholes] *) SECURITY: CAN-2004-0488 (cve.mitre.org) mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a (trusted) client certificate subject DN which exceeds 6K in length. [Joe Orton] *) mod_dav_fs: Fix MKCOL response for missing parent collections, which caused issues for the Eclipse WebDAV extension. PR 29034. [Joe Orton] *) mod_deflate: Fix memory consumption (which was proportional to the response size). PR 29318. [Joe Orton] *) mod_ssl: Log the errors returned on failure to load or initialize a crypto accelerator engine. [Joe Orton] *) Allow RequestHeader directives to be conditional. PR 27951. [Vincent Deffontaines , André Malo] *) Allow LimitRequestBody to be reset to unlimited. PR 29106 [André Malo] *) Fix a bunch of cases where the return code of the regex compiler was not checked properly. This affects: mod_setenvif, mod_usertrack, mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo] *) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for small cache sizes. PR 27751. [Geoff Thorpe ] *) Remove 2Gb log file size restriction on some 32-bit platforms. PR 13511. [Joe Orton] *) mod_logio no longer removes the EOS bucket. PR 27928. [Bojan Smojver ] *) htpasswd no longer refuses to process files that contain empty lines. [André Malo] *) Regression from 1.3: At startup, suexec now will be checked for availability, the setuid bit and user root. The works only if httpd is compiled with the shipped APR version (0.9.5). PR 28287. [André Malo] *) Unix MPMs: Stop dropping connections when the file descriptor is at least FD_SETSIZE. [Jeff Trawick] *) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick] *) mod_isapi: send_response_header() failed to copy status string's last character. PR 20619. [Jesse Pelton ] *) Fix a segfault when requests for shared memory fails and returns NULL. Fix a segfault caused by a lack of bounds checking on the cache. PR 24801. [Graham Leggett] *) Throw an error message if an attempt is made to use the LDAPTrustedCA or LDAPTrustedCAType directives in a VirtualHost. PR 26390 [Brad Nicholes] *) Fix a potential segfault if the bind password in the LDAP cache is NULL. PR 28250. [Jari Ahonen ] *) Quotes cannot be used around require group and require dn directives, update the documentation to reflect this. Also add quotes around the dn and group within debug messages, to make it more obvious why authentication is failing if quotes are used in error. PR 19304. [Graham Leggett] *) The Microsoft LDAP SDK escapes filters for us, stop util_ldap from escaping filters twice when the backslash character is used. PR 24437. [Jess Holle ] *) Overhaul handling of LDAP error conditions, so that the util_ldap_* functions leave the connections in a sane state after errors have occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134, 27271 [Graham Leggett] *) mod_ldap calls ldap_simple_bind_s() to validate the user credentials. If the bind fails, the connection is left in an unbound state. Make sure that the ldap connection record is updated to show that the connection is no longer bound. [Brad Nicholes] *) Ensure that lines in the request which are too long are properly terminated before logging. [Tsurutani Naoki ] *) Update the bind credentials for the cached LDAP connection to reflect the last bind. This prevents util_ldap from creating unnecessary connections rather than reusing cached connections. [Brad Nicholes] *) mod_isapi: GetServerVariable returned improperly terminated header fields given "ALL_HTTP" or "ALL_RAW". PR 20656. [Jesse Pelton ] *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer size. PR 20617. [Jesse Pelton ] *) mod_dav: Fix a problem that could cause crashes when manipulating locks on some platforms. [Jeff Trawick] *) mod_headers no longer crashes if an empty header value should be added. [André Malo] *) Fix segfault in mod_expires, which occured under certain circumstances. PR 28047. [André Malo] *) htpasswd: use apr_temp_dir_get() and general cleanup [Guenter Knauf , Thom May] *) mod_ssl: Fix memory leak in session cache handling. PR 26562 [Madhusudan Mathihalli] *) mod_ssl: Fix potential segfaults when performing SSL shutdown from a pool cleanup. PR 27945. [Joe Orton] *) Add forensic logging module (mod_log_forensic). [Ben Laurie] *) logresolve: Allow size of log line buffer to be overridden at build time (MAXLINE). PR 27793. [Jeff Trawick] *) Fix the comment delimiter in htdbm so that it correctly parses the username comment. Also add a terminate function to allow NetWare to pause the output before the screen is destroyed. [Guenter Knauf , Brad Nicholes] *) Fix crash when Apache was started with no Listen directives. [Michael Corcoran ] *) core_output_filter: Fix bug that could result in sending garbage over the network when module handlers construct bucket brigades containing multiple file buckets all referencing the same open file descriptor. [Bojan Smojver] *) Fix memory corruption problem with ap_custom_response() function. The core per-dir config would later point to request pool data that would be reused for different purposes on different requests. [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe] *) Win32: Tweak worker thread accounting routines to eliminate server hang when number of Listen directives in httpd.conf is greater than or equal to the setting of ThreadsPerChild. [Bill Stoddard] Changes with Apache 2.0.49 *) SECURITY: CAN-2004-0174 (cve.mitre.org) Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket. With Apache 2.x there is no performance concern about enabling the logic for platforms which don't need it, so it is enabled everywhere except for Win32. [Jeff Trawick] *) mod_cgid: Fix storage corruption caused by use of incorrect pool. [Jeff Trawick] *) Win32: find_read_listeners was not correctly handling multiple listeners on the Win32DisableAcceptEx path. [Bill Stoddard] *) Fix bug in mod_usertrack when no CookieName is set. PR 24483. [Manni Wood ] *) Fix some piped log problems: bogus "piped log program '(null)' failed" messages during restart and problem with the logger respawning again after Apache is stopped. PR 21648, PR 24805. [Jeff Trawick] *) Fixed file extensions for real media files and removed rpm extension from mime.types. PR 26079. [Allan Sandfeld ] *) Remove compile-time length limit on request strings. Length is now enforced solely with the LimitRequestLine config directive. [Paul J. Reder] *) mod_ssl: Send the Close Alert message to the peer before closing the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton] *) SECURITY: CVE-2004-0113 (cve.mitre.org) mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling. PR 27106. [Joe Orton] *) mod_ssl: Fix bug in passphrase handling which could cause spurious failures in SSL functions later. PR 21160. [Joe Orton] *) mod_log_config: Fix corruption of buffered logs with threaded MPMs. PR 25520. [Jeff Trawick] *) Fix mod_include's expression parser to recognize strings correctly even if they start with an escaped token. [André Malo] *) Add fatal exception hook for use by diagnostic modules. The hook is only available if the --enable-exception-hook configure parm is used and the EnableExceptionHook directive has been set to "on". [Jeff Trawick] *) Allow mod_auth_digest to work with sub-requests with different methods than the original request. PR 25040. [Josh Dady ] *) fix "Expected > but saw " errors in nested, argumentless containers. ["Philippe M. Chiasson" ] *) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756. [Matthieu Estrade , Brad Nicholes] *) mod_cgid: Restart the cgid daemon if it crashes. PR 19849 [Glenn Nielsen ] *) The whole codebase was relicensed and is now available under the Apache License, Version 2.0 (http://www.apache.org/licenses). [Apache Software Foundation] *) Fixed cache-removal order in mod_mem_cache. [Jean-Jacques Clar, Cliff Woolley] *) mod_setenvif: Fix the regex optimizer, which under circumstances treated the supplied regex as literal string. PR 24219. [André Malo] *) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm instead of mmn. [André Malo] *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules could lead to a 400 (Bad Request) response. [André Malo] *) Keep focus of ITERATE and ITERATE2 on the current module when the module chooses to return DECLINE_CMD for the directive. PR 22299. [Geoffrey Young ] *) Add support for IMT minor-type wildcards (e.g., text/*) to ExpiresByType. PR#7991 [Ken Coar] *) Fix segfault in mod_mem_cache cache_insert() due to cache size becoming negative. PR: 21285, 21287 [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar] *) core.c: If large file support is enabled, allow any file that is greater than AP_MAX_SENDFILE to be split into multiple buckets. This allows Apache to send files that are greater than 2gig. Otherwise we run into 32/64 bit type mismatches in the file size. [Brad Nicholes] *) proxy_http fix: mod_proxy hangs when both KeepAlive and ProxyErrorOverride are enabled, and a non-200 response without a body is generated by the backend server. (e.g.: a client makes a request containing the "If-Modified-Since" and "If-None-Match" headers, to which the backend server respond with status 304.) [Graham Wiseman , Richard Reiner] *) mod_dav: Reject requests which include an unescaped fragment in the Request-URI. PR 21779. [Amit Athavale ] *) Build array of allowed methods with proper dimensions, fixing possible memory corruption. [Jeff Trawick] *) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID. PR 15057. [Otmar Lendl ] *) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944 [Joe Orton] *) mod_usertrack no longer inspects the Cookie2 header for the cookie name. PR 11475. [Chris Darrochi ] *) mod_usertrack no longer overwrites other cookies. PR 26002. [Scott Moore ] *) worker MPM: fix stack overlay bug that could cause the parent process to crash. [Jeff Trawick] *) Win32: Add Win32DisableAcceptEx directive. This Windows NT/2000/CP directive is useful to work around bugs in some third party layered service providers like virus scanners, VPN and firewall products, that do not properly handle WinSock 2 APIs. Use this directive if your server is issuing AcceptEx failed messages. [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick] *) Make REMOTE_PORT variable available in mod_rewrite. PR 25772. [André Malo] *) Fix a long delay with CGI requests and keepalive connections on AIX. [Jeff Trawick] *) mod_autoindex: Add 'XHTML' option in order to allow switching between HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo] *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump). [André Malo] *) mod_ssl: Advertise SSL library version as determined at run-time rather than at compile-time. PR 23956. [Eric Seidel ] *) mod_ssl: Fix segfault on a non-SSL request if the 'c' log format code is used. PR 22741. [Gary E. Miller ] *) Fix build with parallel make. PR 24643. [Joe Orton] *) mod_rewrite: In external rewrite maps lookup keys containing a newline now cause a lookup failure. PR 14453. [Cedric Gavage , André Malo] *) Backport major overhaul of mod_include's filter parser from 2.1. The new parser code is expected to be more robust and should catch all of the edge cases that were not handled by the previous one. The 2.1 external API changes were hidden by a wrapper which is expected to keep the API backwards compatible. [André Malo] *) Add a hook (insert_error_filter) to allow filters to re-insert themselves during processing of error responses. Enable mod_expires to use the new hook to include Expires headers in valid error responses. This addresses an RFC violation. It fixes PRs 19794, 24884, and 25123. [Paul J. Reder] *) Add Polish translation of error messages. PR 25101. [Tomasz Kepczynski ] *) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes, Bill Stoddard] *) Add mod_status hook to allow modules to add to the mod_status report. [Joe Orton] *) Fix htdbm to generate comment fields in DBM files correctly. [Justin Erenkrantz] *) mod_dav: Use bucket brigades when reading PUT data. This avoids problems if the data stream is modified by an input filter. PR 22104. [Tim Robbins , André Malo] *) Fix RewriteBase directive to not add double slashes. [André Malo] *) Improve 'configure --help' output for some modules. [Astrid Keßler] *) Correct UseCanonicalName Off to properly check incoming port number. [Jim Jagielski] *) Fix slow graceful restarts with prefork MPM. [Joe Orton] *) Fix a problem with namespace mappings being dropped in mod_dav_fs; if any property values were set which defined namespaces these came out mangled in the PROPFIND response. PR 11637. [Amit Athavale ] *) mod_dav: Return a WWW-auth header for MOVE/COPY requests where the destination resource gives a 401. PR 15571. [Joe Orton] *) SECURITY: CVE-2003-0020 (cve.mitre.org) Escape arbitrary data before writing into the errorlog. Unescaped errorlogs are still possible using the compile time switch "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo] *) mod_autoindex / core: Don't fail to show filenames containing special characters like '%'. PR 13598. [André Malo] *) mod_status: Report total CPU time accurately when using a threaded MPM. PR 23795. [Jeff Trawick] *) Fix memory leak in handling of request bodies during reverse proxy operations. PR 24991. [Larry Toppi ] *) Win32 MPM: Implement MaxMemFree to enable setting an upper limit on the amount of storage used by the bucket brigades in each server thread. [Bill Stoddard] *) Modified the cache code to be header-location agnostic. Also fixed a number of other cache code bugs related to PR 15852. Includes a patch submitted by Sushma Rai . This fixes mod_mem_cache but not mod_disk_cache yet so I'm not closing the PR since that is what they are using. [Paul J. Reder] *) complain via error_log when mod_include's INCLUDES filter is enabled, but the relevant Options flag allowing the filter to run for the specific resource wasn't set, so that the filter won't silently get skipped. next remove itself, so the warning will be logged only once [Stas Bekman, Jeff Trawick, Bill Rowe] *) mod_info: HTML escape configuration information so it displays correctly. PR 24232. [Thom May] *) Restore the ability to add a description for directories that don't contain an index file. (Broken in 2.0.48) [André Malo] *) Fix a problem with the display of empty variables ("SetEnv foo") in mod_include. PR 24734 [Markus Julen ] *) mod_log_config: Log the minutes component of the timezone correctly. PR 23642. [Hong-Gunn Chew ] *) mod_proxy: Fix cases where an invalid status-line could be sent to the client. PR 23998. [Joe Orton] *) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL are also loaded. [Joe Orton] *) mod_ssl: Use human-readable OpenSSL error strings in logs; use thread-safe interface for retrieving error strings. [Joe Orton] *) mod_expires: Initialize ExpiresDefault to NULL instead of "" to avoid reporting an Internal Server error if it is used without having been set in the httpd.conf file. PR: 23748, 24459 [André Malo, Liam Quinn ] *) mod_autoindex: Don't omit the start tag if the SuppressIcon option is set. PR 21668. [Jesse Tie-Ten-Quee ] *) mod_include no longer allows an ETag header on 304 responses. PR 19355. [Geoffrey Young , André Malo] *) EBCDIC: Convert header fields to ASCII before sending (broken since 2.0.44). [Martin Kraemer] *) Fix the inability to log errors like exec failure in mod_ext_filter/mod_cgi script children. This was broken after such children stopped inheriting the error log handle. [Jeff Trawick] *) Fix mod_info to use the real config file name, not the default config file name. [Aryeh Katz ] *) Set the scoreboard state to indicate logging prior to running logging hooks so that server-status will show 'L' for hung loggers instead of 'W'. [Jeff Trawick] Changes with Apache 2.0.48 *) SECURITY: CAN-2003-0789 (cve.mitre.org) mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script. [Jeff Trawick] *) SECURITY: CAN-2003-0542 (cve.mitre.org) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. [André Malo] *) mod_include: fix segfault which occured if the filename was not set, for example, when processing some error conditions. PR 23836. [Brian Akins , André Malo] *) fix the config parser to support .. containers (no arguments in the opening tag) supported by httpd 1.3. Without this change mod_perl 2.0's sections are broken. ["Philippe M. Chiasson" ] *) mod_cgid: fix a hash table corruption problem which could result in the wrong script being cleaned up at the end of a request. [Jeff Trawick] *) Update httpd-*.conf to be clearer in describing the connection between AddType and AddEncoding for defining the meaning of compressed file extensions. [Roy Fielding] *) mod_rewrite: Don't die silently when failing to open RewriteLogs. PR 23416. [André Malo] *) mod_rewrite: Fix mod_rewrite's support of the [P] option to send rewritten request using "proxy:". The code was adding multiple "proxy:" fields in the rewritten URI. PR: 13946. [Eider Oliveira ] *) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and expires as directed in RFC 2616. [Thomas Castelle ] *) Ensure that ssl-std.conf is generated at configure time, and switch to using the expanded config variables to work the same as httpd-std.conf PR: 19611 [Thom May] *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370 [Hartmut Keil ] *) mod_autoindex: If a directory contains a file listed in the DirectoryIndex directive, the folder icon is no longer replaced by the icon of that file. PR 9587. [David Shane Holden ] *) Fixed mod_usertrack to not get false positive matches on the user-tracking cookie's name. PR 16661. [Manni Wood ] *) mod_cache: Fix the cache code so that responses can be cached if they have an Expires header but no Etag or Last-Modified headers. PR 23130. [] *) mod_log_config: Fix %b log format to write really "-" when 0 bytes were sent (e.g. with 304 or 204 response codes). [Astrid Keßler] *) Modify ap_get_client_block() to note if it has seen EOS. [Justin Erenkrantz] *) Fix a bug, where mod_deflate sometimes unconditionally compressed the content if the Accept-Encoding header contained only other tokens than "gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo] *) Avoid an infinite recursion, which occured if the name of an included config file or directory contained a wildcard character. PR 22194. [André Malo] *) mod_ssl: Fix a problem setting variables that represent the client certificate chain. PR 21371 [Jeff Trawick] *) Unix: Handle permissions settings for flock-based mutexes in unixd_set_global|proc_mutex_perms(). Allow the functions to be called for any type of mutex. PR 20312 [Jeff Trawick] *) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick] *) Fix a misleading message from the some of the threaded MPMs when MaxClients has to be lowered due to the setting of ServerLimit. [Jeff Trawick] *) Lower the severity of the "listener thread didn't exit" message to debug, as it is of interest only to developers. PR 9011 [Jeff Trawick] *) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting. [Cliff Woolley, Jean-Jacques Clar] *) Install config.nice into the build/ directory to make minor version upgrades easier. [Joshua Slive] *) Fix mod_deflate so that it does not call deflate() without checking first whether it has something to deflate. (Currently this causes deflate to generate a fatal error according to the zlib spec.) PR 22259. [Stas Bekman] *) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an identity spoof is encountered. [Sander Striker] *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory containing the .htaccess file is requested without a trailing slash. PR 20195. [André Malo] *) ab: Overlong credentials given via command line no longer clobber the buffer. [André Malo] *) mod_deflate: Don't attempt to hold all of the response until we're done. [Justin Erenkrantz] *) Assure that we block properly when reading input bodies with SSL. PR 19242. [David Deaves , William Rowe] *) Update mime.types to include latest IANA and W3C types. [Roy Fielding] *) mod_ext_filter: Set additional environment variables for use by the external filter. PR 20944. [Andrew Ho, Jeff Trawick] *) Fix buildconf errors when libtool version changes. [Jeff Trawick] *) Remember an authenticated user during internal redirects if the redirection target is not access protected and pass it to scripts using the REDIRECT_REMOTE_USER environment variable. PR 10678, 11602. [André Malo] *) mod_include: Fix a trio of bugs that would cause various unusual sequences of parsed bytes to omit portions of the output stream. PR 21095. [Ron Park , André Malo, Cliff Woolley] *) Update the header token parsing code to allow LWS between the token word and the ':' seperator. [PR 16520] [Kris Verbeeck , Nicel KM ] *) Eliminate creation of a temporary table in ap_get_mime_headers_core() [Joe Schaefer ] *) Added FreeBSD directory layout. PR 21100. [Sander Holthaus , André Malo] *) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP response. PR 21085. [Glenn Nielsen , André Malo] *) mod_rewrite: Perform child initialization on the rewrite log lock. This fixes a log corruption issue when flock-based serialization is used (e.g., FreeBSD). [Jeff Trawick] *) Don't respect the Server header field as set by modules and CGIs. As with 1.3, for proxy requests any such field is from the origin server; otherwise it will have our server info as controlled by the ServerTokens directive. [Jeff Trawick] Changes with Apache 2.0.47 *) SECURITY: CAN-2003-0192 (cve.mitre.org) Fixed a bug whereby certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [Ben Laurie] *) SECURITY: CAN-2003-0253 (cve.mitre.org) Fixed a bug in prefork MPM causing temporary denial of service when accept() on a rarely accessed port returns certain errors. Reported by Saheed Akhtar . [Jeff Trawick] *) SECURITY: CAN-2003-0254 (cve.mitre.org) Fixed a bug in ftp proxy causing denial of service when target host is IPv6 but proxy server can't create IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo ] *) SECURITY [VU#379828] Prevent the server from crashing when entering infinite loops. The new LimitInternalRecursion directive configures limits of subsequent internal redirects and nested subrequests, after which the request will be aborted. PR 19753 (and probably others). [William Rowe, Jeff Trawick, André Malo] *) core_output_filter: don't split the brigade after a FLUSH bucket if it's the last bucket. This prevents creating unneccessary empty brigades which may not be destroyed until the end of a keepalive connection. [Juan Rivera ] *) Add support for "streamy" PROPFIND responses. [Ben Collins-Sussman ] *) mod_cgid: Eliminate a double-close of a socket. This resolves various operational problems in a threaded MPM, since on the second attempt to close the socket, the same descriptor was often already in use by another thread for another purpose. [Jeff Trawick] *) mod_negotiation: Introduce "prefer-language" environment variable, which allows to influence the negotiation process on request basis to prefer a certain language. [André Malo] *) Make mod_expires' ExpiresByType work properly, including for dynamically-generated documents. [Ken Coar, Bill Stoddard]