changes

Upload: lineage-exp-interlude

Post on 07-Nov-2014

                                                         -*- coding: utf-8 -*-

Changes with Apache 2.2.4

  *) mod_isapi: Correctly present SERVER_PORT_SECURE. PR: 40573.
     [Matt Eaton]

  *) Allow htcacheclean, httxt2dbm, and fcgistarter to link apr/apr-util
     statically like the older support programs. [Eric Covener]

  *) core: Fix NONBLOCK status of listening sockets on restart/graceful
     PR 37680. [Darius Davis]

  *) mod_deflate: Rework inflate output and deflate output filter to fix
     several issues: Incorrect handling of flush buckets, potential memory
     leaks, excessive memory usage in inflate output filter for large
     compressed content. PR 39854.
     [Ruediger Pluem, Nick Kew, Justin Erenkrantz]

  *) mod_mem_cache: Memory leak fix: Unconditionally free the buffer.
     [Davi Arnaut]

  *) Allow mod_dumpio to log at other than DEBUG levels via the new
     DumpIOLogLevel directive. [Jim Jagielski]

  *) rotatelogs: Improve error message for open failures. PR 39487.
     [Joe Orton]

  *) mod_dbd: share per-request database handles across subrequests and
     internal redirects [Chris Darroch]

  *) mod_dbd: key connection pools to virtual hosts correctly even when
     ServerName is unset/unavailable [Graham Leggett]

  *) Better detection and clean up of ldap connection that has been
     terminated by the ldap server. PR 40878. [Rob Baily]

  *) mod_mem_cache: Convert mod_mem_cache to use APR memory pool functions
     by creating a root pool for object persistence across requests. This
     also eliminates the need for custom serialization code. [Davi Arnaut]

  *) mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If set,
     REMOTE_USER will be set to this attribute, rather than the username
     supplied by the user. Useful for example when you want users to log
     in using an email address, but need to supply a userid instead to the
     backend. [Graham Leggett]

  *) mod_cgi and mod_cgid: Don't use apr_status_t error return from input
     filters as HTTP return value from the handler. PR 31579. [Nick Kew]

  *) mod_cache: Eliminate a bogus error in the log when a filter returns
     AP_FILTER_ERROR. [Niklas Edmundsson]

  *) core: Fix issue which could cause piped loggers to be orphaned and
     never terminate after a graceful restart. PR 40651.
     [Joe Orton, Ruediger Pluem]

  *) core: Fix address-in-use startup failure caused by corruption of the
     list of listen sockets in some configurations with multiple generic
     Listen directives. [Jeff Trawick]

  *) mod_headers: Support regexp-based editing of HTTP headers. [Nick Kew]

  *) mod_proxy: Add explicit flushing feature. When Servlet container
     sends AJP body message with size 0, this means that Servlet container
     has asked for an explicit flush. Create flush bucket in that case.
     This feature has been added to the recent Tomcat versions without
     breaking the AJP protocol. [Mladen Turk]

  *) mod_proxy_balancer: Set the new environment variable
     BALANCER_ROUTE_CHANGED if a worker with a route different from the
     one supplied by the client had been chosen or if the client supplied
     no routing information for a balancer with sticky sessions.
     [Ruediger Pluem]

  *) mod_proxy_balancer: Add information about the route, the sticky
     session and the worker used during a request as environment
     variables. PR 39806. [Brian]

  *) mod_proxy: Don't try to use dead backend connection. PR 37770.
     [Olivier BOEL]

  *) mod_proxy_balancer: Extract stickysession routing information
     contained as parameter in the URL correctly. PR 40400.
     [Ruediger Pluem, Tomokazu Harada]

  *) mod_proxy_ajp: Added cping/cpong support for the AJP protocol. A new
     worker directive ping=timeout will cause a CPING packet to be sent,
     expecting a CPONG packet within the defined timeout. In case the
     backend is too busy this will fail instead of sending the full
     header. [Mladen Turk]

  *) mod_disk_cache: Make sure that only positive integers are accepted
     for the CacheMaxFileSize and CacheMinFileSize parameters in the
     config file. PR 39380. [Niklas Edmundsson]

  *) mod_cache: From RFC3986 (section 6.2.3.) if a URI contains an
     authority component and an empty path, the empty path is to be
     equivalent to "/". It explicitly cites the following four URIs as
     equivalents:
       http://example.com
       http://example.com/
       http://example.com:/
       http://example.com:80/
     [Davi Arnaut]

  *) mod_cache: Don't cache requests with an expires date in the past;
     otherwise mod_cache will always try to cache the URL. This bug might
     lead to numerous rename() errors on win32 if the URL was previously
     cached. [Davi Arnaut]

  *) core: Deal with the widespread use of apr_status_t return values as
     HTTP status codes, as documented in PR#31759 (a bug shared by the
     default handler, mod_cgi, mod_cgid, mod_proxy, and probably others).
     PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]

  *) mod_ext_filter: Handle filter names which include capital letters.
     PR 40323. [Jeff Trawick]

  *) mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH
     support. Also corrects the slashes for Windows. PR 15993.
     [William Rowe]

  *) mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly,
     the token parser worked while the resulting length was
     misinterpreted. PR 29098. [Brock Bland]

  *) mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade
     attempts to stream the response at the client. Log these as well.
     PR 30022, 40470. [William Rowe, Matt Eaton]

  *) mod_isapi: Ensure we walk through all the methods the developer may
     have employed to report their HTTP status result code.
     PR 16637 30033 28089. [Matt Lewandowsky, William Rowe]

  *) mod_echo: Fix precedence problem in if statement. PR 40658.
     [Larry Cipriani]

  *) mod_mime_magic: Fix precedence problem in if statement. PR 40656.
     [Larry Cipriani]

  *) The full server version information is now included in the error log
     at startup as well as server status reports, irrespective of the
     setting of the ServerTokens directive. ap_get_server_version() is
     now deprecated, and is replaced by ap_get_server_banner() and
     ap_get_server_description(). [Jeff Trawick]

  *) mod_proxy_balancer: Workers can now be defined as part of a balancer
     cluster "set" in which members of a lower-numbered set are preferred
     over higher numbered ones. [Jim Jagielski]

  *) mod_proxy_balancer: Workers can now be defined as "hot standby" which
     will only be used if all other workers are unusable (eg: in error or
     disabled). Also, the balancer-manager displays the election count and
     I/O counts of all workers. [Jim Jagielski]

  *) mod_proxy_ajp: Close connection to backend if reading of request body
     fails. PR 40310. [Ian Abel]

  *) mod_proxy_balancer: Retry worker chosen by route / redirect worker if
     it is in error state before sending "Service Temporarily
     Unavailable". PR 38962. [Christian Boitel]

Changes with Apache 2.2.3

  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
     handling. For some RewriteRules this could lead to a pointer being
     written out of bounds. Reported by Mark Dowd of McAfee. [Mark Cox]

  *) Win32: Minor fixes to build more cleanly under Visual Studio 2005
     with command line builds. [William Rowe]

  *) mod_authn_alias: Add a check to make sure that the base provider and
     the alias names are different and also that the alias has not been
     registered before. PR 40051. [Brad Nicholes]

  *) mod_authnz_ldap: Fix a problem with invalid auth error detection for
     LDAP client SDKs that don't support the LDAP_SECURITY_ERROR macro.
     PR 39529. [Ray Price, Josh Fenlason]
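The following httpd.conf fragment is an added example, not part of the CHANGES file or of the httpd project's own configuration. It shows how the 2.2.4 additions listed above fit together: regexp-based header editing in mod_headers (Header edit), AuthLDAPRemoteUserAttribute, DumpIOLogLevel, and the mod_proxy_balancer features (ping= for AJP CPING/CPONG, lbset for preferred worker sets, status=+H for a hot standby, and the BALANCER_ROUTE_CHANGED variable). Host names, paths, the LDAP base DN and the log format name are constructed for illustration.

```apache
# Added example (not from the CHANGES file): 2.2.4 features combined.
# Host names, paths and the LDAP tree are constructed for illustration.

# mod_headers 2.2.4: regexp-based editing. Here every Set-Cookie emitted
# by the backend is rewritten to carry the HttpOnly flag.
Header edit Set-Cookie "^(.*)$" "$1; HttpOnly"

# mod_proxy_balancer 2.2.4: workers in lbset 0 are preferred over lbset 1;
# ping=1 sends an AJP CPING and expects a CPONG within 1 second before the
# request is forwarded; status=+H marks a hot standby used only when every
# other worker is in error or disabled.
<Proxy balancer://appcluster>
    BalancerMember ajp://app1.internal:8009  route=app1  lbset=0 ping=1
    BalancerMember ajp://app2.internal:8009  route=app2  lbset=1 ping=1
    BalancerMember ajp://spare.internal:8009 route=spare status=+H
</Proxy>
ProxyPass        /app balancer://appcluster/app stickysession=JSESSIONID
ProxyPassReverse /app balancer://appcluster/app

# 2.2.4 sets BALANCER_ROUTE_CHANGED when a sticky request could not go to
# the worker its route asked for; log only those requests so that a
# failing member shows up as a burst of route changes.
LogFormat "%h %t \"%r\" %>s worker=%{BALANCER_WORKER_ROUTE}e" routechange
CustomLog logs/route_change_log routechange env=BALANCER_ROUTE_CHANGED

# mod_authnz_ldap 2.2.4: users log in with their mail address (first
# attribute in the URL), but REMOTE_USER, and hence what the backend
# sees, becomes the uid attribute retrieved with the same search.
<Location /app>
    AuthType Basic
    AuthName "Application"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.internal/ou=people,dc=example,dc=com?mail,uid"
    AuthLDAPRemoteUserAttribute uid
    Require valid-user
</Location>

# mod_dumpio 2.2.4: DumpIOLogLevel lets the byte-level I/O dump be logged
# at a level other than debug. It records complete request and response
# bytes, credentials included, so enable it only while diagnosing.
<IfModule mod_dumpio.c>
    DumpIOInput    On
    DumpIOOutput   On
    DumpIOLogLevel info
</IfModule>
```

The conditional CustomLog is the cheap detection hook here: with sticky sessions, a steady trickle of BALANCER_ROUTE_CHANGED lines is normal during deployments, while a spike points at a backend that stopped answering CPING or was taken out of rotation.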

  *) mod_cache: Do not overwrite the Content-Type in the cache, for
     successfully revalidated cached objects. PR 39647. [Ruediger Pluem]

  *) mod_speling: Add directive to deal with case corrections only and
     ignore other misspellings [Olivier Thereaux]

  *) mod_dbd: Fix dependence on virtualhost configuration in defining
     prepared statements (possible segfault at startup in user modules
     such as mod_authn_dbd). [Nick Kew]

  *) Add optional 'scheme://' prefix to ServerName directive, allowing
     correct determination of the canonical server URL for use behind a
     proxy or offload device handling SSL; fixing redirect generation in
     those cases. PR 33398. [Sander Temme]

  *) Added server_scheme field to server_rec for above. Minor MMN bump.
     [Sander Temme]

  *) mod_cache: Make caching of reverse SSL proxies possible again.
     PR 39593. [Ruediger Pluem, Joe Orton]

  *) Worker MPM: On graceless shutdown or restart, send signals to each
     worker thread to wake them up if they're polling on a Keep-Alive
     connection. PR 38737. [Chris Darroch]

  *) worker and event MPMs: fix excessive forking if fork() or child_init
     take a long time. PR 39275.
     [Greg Ames, Jeff Trawick, Chris Darroch]

  *) configure: Add "--with-included-apr" flag to force use of the
     bundled version of APR at build time. [Joe Orton]

  *) Respect GracefulShutdownTimeout in the worker and event MPMs.
     [Chris Darroch, Garrett Rooney]

  *) mod_mem_cache: Set content type correctly when delivering data from
     cache. PR 39266. [Ruediger Pluem]

  *) mod_autoindex: Fix filename escaping with FancyIndexing disabled.
     PR 38910. [Robby Griffin]

  *) mod_charset_lite: Bypass translation when the source and dest
     charsets are the same. [Jeff Trawick]

Changes with Apache 2.2.2

  *) mod_deflate: work correctly in an internal redirect
     [Brian J. France]

  *) mod_proxy_balancer: Initialize members of a balancer correctly.
     PR 38227. [James A. Robinson]

  *) mod_proxy: Do not release connections from connection pool twice.
     PR 38793. [Ruediger Pluem, matthias]

  *) core: Prevent reading uninitialized memory while reading a line of
     protocol input. PR 39282. [Davi Arnaut]

  *) mod_dbd: Update defaults, improve error reporting.
     [Chris Darroch, Nick Kew]

  *) mod_dbd: Create own pool and mutex to avoid problem use of process
     pool in request processing. [Chris Darroch]

  *) HTML-escape the Expect error message. Not classed as security as an
     attacker has no way to influence the Expect header a victim will
     send to a target site. Reported by Thiago Zaninotti. [Mark Cox]

  *) htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
     [Jeff Trawick]

  *) htdbm: Warn the user when adding a plaintext password on a platform
     where it wouldn't work with the server (i.e., anywhere that has
     crypt()). [Jeff Trawick]

  *) mod_proxy: don't reuse a connection that may be to the wrong backend
     PR 39253 [Ruediger Pluem]

  *) Default handler: Don't return output filter apr_status_t values.
     PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]

Changes with Apache 2.2.1

  *) SECURITY: CVE-2005-3357 (cve.mitre.org)
     mod_ssl: Fix a possible crash during access control checks if a
     non-SSL request is processed for an SSL vhost (such as the "HTTP
     request received on SSL port" error message when a 400 ErrorDocument
     is configured, or if using "SSLEngine optional"). PR 37791.
     [Rüdiger Plüm, Joe Orton]

  *) SECURITY: CVE-2005-3352 (cve.mitre.org)
     mod_imagemap: Escape untrusted referer header before outputting in
     HTML to avoid potential cross-site scripting. Change also made to
     ap_escape_html so we escape quotes. Reported by JPCERT. [Mark Cox]

  *) mod_proxy_ajp: Flushing of the output after each AJP chunk is now
     configurable at runtime via the 'flushpackets' and 'flushwait'
     worker params. Minor MMN bump. [Jim Jagielski]

  *) mod_proxy: Fix incorrect usage of local and shared worker init.
     PR 38403. [Jim Jagielski]

  *) mod_isapi: Fix compiler errors on Unix platforms. [William Rowe]

  *) mod_proxy_http: Do send keep-alive header if the client sent
     connection: keep-alive and do not close backend connection if the
     client sent connection: close. PR 38524.
     [Ruediger Pluem, Joe Orton]

  *) mod_disk_cache: Return the correct error codes from bucket read
     failures, instead of APR_EGENERAL. [Brian Akins]

  *) Add APR/APR-Util Compiled and Runtime Version numbers to the output
     of 'httpd -V'. [William Rowe]

  *) http: If a connection is aborted while waiting for a chunked line,
     flag the connection as errored out. [Justin Erenkrantz]

  *) core: Reject invalid Expect header immediately. PR 38123.
     [Ruediger Pluem]

  *) Fix mis-shifted 32 bit scope, masked to 64 bits as a method.
     [Will Rowe, Joe Orton]

  *) mod_proxy: Fix KeepAlives not being allowed and set to backend
     servers. PR 38602. [Ruediger Pluem, Jim Jagielski]

  *) Fix instdso.sh "sed syntax error" installation issue on some
     platforms. PR 38108. [Masaoki Kobayashi]

  *) mod_ssl: Fix possible crashes in shmcb with gcc 4 on platforms
     requiring word-aligned pointers. PR 38838. [Joe Orton]

  *) mod_proxy: If we get an error reading the upstream response, close
     the connection.
     [Justin Erenkrantz, Roy T. Fielding, Jim Jagielski, Ruediger Pluem]

  *) mod_proxy_ajp: Support common headers of the AJP protocol in
     responses. PR 38340. [Aleksey Pesternikov]

  *) mod_proxy_balancer: Do not overwrite the status of initialized
     workers and respect the configured status of uninitialized workers
     when creating a new child process. [Ruediger Pluem]

  *) mod_proxy_ajp: Crosscheck the length of the body chunk with the
     length of the ajp message to prevent mod_proxy_ajp from reading
     beyond the buffer boundaries and thus revealing possibly sensitive
     memory contents to the client. [Ruediger Pluem]

  *) Ensure that the proper status line is written to the client, fixing
     incorrect status lines caused by filters which modify r->status
     without resetting r->status_line, such as the built-in byterange
     filter. [Jeff Trawick]

  *) mod_speling: Stop crashing with certain non-file requests.
     [Jeff Trawick]

  *) mod_cache: Make caching of reverse proxies possible again. PR 38017.
     [Ruediger Pluem]

  *) Modify apr[util] .h detection to avoid breakage on VPATH builds
     using Solaris make (among others) and avoid breakage in ./buildconf
     when srclib/apr[-util] are symlinks rather than directories proper.
     [William Rowe]

  *) Avoid Server-driven negotiation when a script has emitted an
     explicit Status: header. PR 38070. [Nick Kew]

  *) Fix to avoid feeding C99 to C++ compilers. [Joe Orton]

  *) Chunk filter: Fix chunk filter to create correct chunks in the case
     that a flush bucket is surrounded by data buckets. [Ruediger Pluem]

  *) Fix syntax error in httpd.h with strict compilers. PR 37840.
     [Per Olausson]

  *) Fix recursive ErrorDocument handling. PR 36090. [Chris Darroch]

  *) Don't hang on error return from post_read_request. PR 37790.
     [Nick Kew]

  *) Fix off-by-one error in proxy_balancer. PR 37753. [Kazuhiro Osawa]

Changes with Apache 2.2.0

  *) mod_negotiation: Minor performance tweak by reusing already
     calculated strlen. [Ruediger Pluem, Christophe Jaillet]

  *) Remove support for 'On' and 'Off' for AuthBasicProvider and
     AuthDigestProvider. [Joshua Slive, Justin Erenkrantz]

  *) Add in new UseCanonicalPhysicalPort directive, which controls
     whether or not Apache will ever use the actual physical port when
     constructing the canonical port number. [Jim Jagielski]

  *) mod_dav: Fix a null pointer dereference in an error code path during
     the handling of MKCOL. [Ruediger Pluem, Ghassan Misherghi]

  *) mod_proxy_balancer: When finding best worker, use case insensitive
     match for scheme and host, but case sensitive for the rest of the
     path. [Jim Jagielski, Ruediger Pluem]

  *) Require use of APR >= 1.2.0 and APR-util >= 1.2.0 when configured
     to use external copies of the libraries. [Joe Orton]

  *) Fix DESTDIR=... installation when using bundled copy of APR.
     [Torsten Foertsch]

  *) mod_dav: Fix handling of unknown state tokens in If: headers.
     PR: 37288. [Joe Orton]

  *) Strip out Experimental MPMs that have gone nowhere since 2.0
     (perchild, threadpool, leader). [Nick Kew]

Changes with Apache 2.1.9

  *) Add mod_authn_dbd (SQL-based authentication) [Nick Kew]

  *) mod_proxy_ajp: Do not spool the entire response from AJP backend
     before sending it up the filter chain. PR 37100. [Ruediger Pluem]

  *) mod_cache: Create new filters CACHE_OUT_SUBREQ / CACHE_SAVE_SUBREQ
     which only differ by the type from CACHE_OUT / CACHE_SAVE to ensure
     that subrequests to non-local resources work again. [Ruediger Pluem]

  *) mod_proxy: Do not lowercase the entire worker name of a
     BalancerMember since this breaks case sensitive URI's. PR 36906.
     [Ruediger Pluem]

  *) core: AddOutputFilterByType is ignored for proxied requests.
     PR 31226. [Joe Orton, Ruediger Pluem]

  *) mod_proxy_http: Prevent data corruption of POST request bodies when
     client accesses proxied resources with SSL. PR 37145.
     [Ruediger Pluem, William Rowe]

  *) mod_ssl: Fix issue which could cause spurious warnings about use of
     name-based vhosts. PR 37051. [Joe Orton]

  *) ab: Fix to ensure that only the expected number of requests are run.
     PR 36966. [Joe Orton]

  *) mod_proxy_balancer: BalancerManager and proxies correctly handle
     member workers with paths. PR 36816. [Ruediger Pluem, Jim Jagielski]

  *) mod_log_config: %{hextid}P will log the thread id in hex with APR
     versions 1.2.0 or higher. [Jeff Trawick]

  *) httpd.exe/apachectl -V: display the DYNAMIC_MODULE_LIMIT setting,
     as in 1.3. [Jeff Trawick]

  *) Support dbd connection tied to conn_rec in mod_dbd. [Nick Kew]

  *) Fix use of pools in mod_dbd. [Brian J France, Nick Kew]

  *) Promote modules from "experimental": mod_dbd, mod_filter,
     mod_charset_lite. [Nick Kew]

  *) mod_proxy_ajp: mod_proxy_ajp sends empty SSL attributes for non SSL
     connections. PR 36883. [William Barker, Ruediger Pluem]

  *) Eliminated the NET_TIME filter, restructuring the timeout logic.
     This provides a working mod_echo on all platforms, and ensures any
     custom protocol module is at least given an initial timeout value
     based on the context's Timeout directive. [William Rowe]

  *) mod_proxy: Run the request_status hook also if there are no free
     workers or all workers are in error state.
     [Ruediger Pluem, Brian Akins]

  *) mod_proxy_connect: Fix high CPU loop on systems like UnixWare which
     trigger POLL_ERR or POLL_HUP on a terminated connection. PR 36951.
     [Jeff Trawick, Ruediger Pluem]

  *) mod_proxy_balancer: Fix handling of sticky sessions with Tomcat.
     PR 36507. [Ruediger Pluem]

  *) SECURITY: CVE-2005-2970 (cve.mitre.org)
     worker MPM: Fix a memory leak which can occur after an aborted
     connection in some limited circumstances. [Greg Ames]

  *) Doxygen fixups. [Neale Ranns, Ian Holsman]

  *) mod_cache/mod_dir: Correct a subrequest lookup bug which was
     preventing mod_dir from serving indexes correctly with mod_cache
     enabled. [Colm MacCarthaigh]

Changes with Apache 2.1.8

  *) Fix lingering close implementation to match 1.3.x behaviour.
     PR 35292. [Joe Orton]

  *) mod_ssl: Support limited buffering of request bodies to allow
     per-location renegotiation to proceed. PR 12355. [Joe Orton]

  *) Fix regression since 2.0.x in AllowOverride Options handling.
     PR 35330. [kabe]

  *) mod_ssl: Fix memory leak in ssl_util_algotypeof(). PR 25659.
     [David Blake, Martin Kraemer]

  *) prefork, worker and event MPMs: Support a graceful-stop procedure:
     Server will wait until existing requests are finished or until
     "GracefulShutdownTimeout" number of seconds before exiting.
     [Colm MacCarthaigh, Ken Coar, Bill Stoddard]

  *) prefork, worker and event MPMs: Prevent children from holding open
     listening ports upon graceful restart or stop. PR 28167.
     [Colm MacCarthaigh, Brian Pinkerton]

  *) SECURITY: CVE-2005-2700 (cve.mitre.org)
     mod_ssl: Fix a security issue where "SSLVerifyClient" was not
     enforced in per-location context if "SSLVerifyClient optional" was
     configured in the vhost configuration. [Joe Orton]

  *) mod_ssl: Catch parse errors from misconfigured or malformed CRLs.
     PR 36438. [Joe Orton]

  *) mod_proxy/mod_proxy_balancer: lbmethods now implemented as
     providers. Prevent problems when no Vhost containers were
     configured with proxy balancers. [Jim Jagielski]

  *) New provider function to list all available provider names in a
     specific group and version (ap_list_provider_names).
     [Jim Jagielski]

  *) mod_cache: Enhance CacheEnable/CacheDisable to control caching on a
     per-protocol, per-host and per-path basis. Intended for proxy
     configurations. [Colm MacCarthaigh]

  *) mod_disk_cache: Canonicalise the storage key, for improved hit/miss
     ratio. [Colm MacCarthaigh]

  *) mod_cgid: Append .PID to the script socket filename and remove the
     script socket on exit. [Colm MacCarthaigh, Jim Jagielski]

  *) mod_cgid: run the get_suexec_identity hook within the
     request-handler instead of within cgid. PR 36410.
     [Colm MacCarthaigh]

  *) Linux 2.0: remove support for threaded MPM's due to linuxthreads
     use of SIGUSR1 clashing with graceful restart signal.
     [Colm MacCarthaigh]

Changes with Apache 2.1.7

  *) SECURITY: CVE-2005-2491 (cve.mitre.org):
     Fix integer overflows in PCRE in quantifier parsing which could be
     triggered by a local user through use of a carefully-crafted regex
     in an .htaccess file. [Philip Hazel]

  *) mod_proxy/mod_proxy_balancer: Provide a simple, functional interface
     to add additional balancer lb selection methods without requiring
     code changes to mod_proxy/mod_proxy_balancer; these can be
     implemented via sub-modules now. [Jim Jagielski]

  *) mod_cache: Fix incorrectly served 304 responses when expired cache
     entity is valid, but cache is unwritable and headers cannot be
     updated. [Colm MacCarthaigh]

  *) mod_cache: Remove entities from the cache when re-validation
     receives a 404 or other content-no-longer-present error.
     [Rüdiger Plüm ruediger.pluem vodafone.com]

  *) mod_disk_cache: Properly remove files from cache when needed.
     [Rüdiger Plüm ruediger.pluem vodafone.com]

  *) mod_disk_cache: Support htcacheclean removing directories.
     [Andreas Steinmetz]

  *) htcacheclean: Add -t option to remove empty directories.
     [Colm MacCarthaigh]

  *) Remove the base href tag from mod_proxy_ftp, as it breaks relative
     links for clients not using an Authorization header.
     [Graham Leggett, Jon Snow]

  *) mod_cache: Restore the HTTP status of cached responses.
     [Hansjoerg Pehofer]

  *) mod_cache: Store varied contents all in the same prefix for a varied
     URI. [Paul Querna]

  *) mod_cache: Run the CACHE_SAVE and CACHE_OUT Filters after other
     content filters. [Paul Querna]

  *) mod_negotiation: Correctly report 404 instead of 403 for missing
     files. [Paul Querna]

  *) new hook (request_status) that gets run in proxy_handler just before
     the final return. This gives modules an opportunity to do something
     based on the proxy status. (minor MMN bump)
     [Brian Akins, Ian Holsman]

  *) Add additional SSLSessionCache option, 'nonenotnull', which is
     similar to 'none' (disabling any external shared cache) but forces
     OpenSSL to provide a non-null session ID. [Jim Jagielski]

  *) Add httxt2dbm to support/ for creating RewriteMap DBM Files.
     [Paul Querna]

  *) Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note
     the negotiated compression. [Georg v. Zezschwitz]

  *) Fixed complaints about unpackaged files within the RPM build after
     changes to the config files. [Graham Leggett]

  *) Fix shutdown for the Worker MPM when an Accept Filter is used.
     Instead of just closing the socket, a HTTP request is made, to make
     sure the child is always awakened. [Paul Querna]

Changes with Apache 2.1.6

  *) Fix htdbm password validation for records which included comments.
     [Eric Covener]

  *) mod_cgid: Fix buffer overflow processing ScriptSock directive.
     [Steve Kemp]

Changes with Apache 2.1.5

  *) mod_ssl: Setting the Protocol to 'https' can replace the use of the
     'SSLEngine on' command. [Paul Querna]

  *) core: Refactor the mapping of Accept Filters to Sockets. Add the
     AcceptFilter and Protocol directives to aid in mapping filter types.
     Extend the Listen directive to optionally take a protocol name.
     [Paul Querna]

  *) mod_disk_cache: Support storing multiple variations of one URL.
     PR 35211. [Paul Querna]

  *) mod_disk_cache: Atomically create the header data file.
     [Paul Querna]

  *) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125.
     [Paul Querna]

  *) mod_cache: Rename 'generate_name' to 'ap_cache_generate_name'.
     [Paul Querna]

  *) mod_mime_magic: Handle CRLF-format magic files so that it works
     with the default installation on Windows. [Jeff Trawick]

  *) core: Allow multiple modules to register interest in a single
     configuration command. [Paul Querna]

  *) authn_provider_alias: Adds the configuration block tag
     Authentication directives contained within this block can be
     referenced as a new authProvider using the AuthBasicProvider or
     AuthDigestProvider directive. These directives will be merged in to
     the per_dir configuration just before the base provider is called.
     [Brad Nicholes]

  *) ap_getword_conf: Fix backslashes at the end of configuration
     directives. PR 34834. [Timo Viipuri]

  *) mod_dbd: New additions: mod_dbd.c, mod_dbd.h, mod_dbd.xml
     Provide module hooks for apr_dbd; optimise for httpd threaded and
     non-threaded arch [Nick Kew]

  *) ab: SSL support rewritten, improved, and enabled if SSL is enabled
     during the build; -f and -Z arguments added to specify SSL protocol
     options. [Masaoki Kobayashi]

  *) mod_info: Show the Quick Handler [Paul Querna]

  *) mod_ldap: Add the directive LDAPVerifyServerCert to specify whether
     to force verification of the server certificate when establishing
     an SSL connection to the LDAP server. [Brad Nicholes]

  *) mod_proxy: Run mod_rewrite before mod_proxy in the translate_name
     hook. [Paul Querna]
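The fragment below is an added example, not part of the CHANGES file or of the httpd project's own configuration. It combines, in one TLS front end, several of the directives whose introduction or fix is recorded in the 2.1.5 to 2.2.3 entries above: a Listen line naming its protocol (2.1.5), LDAPVerifyServerCert (2.1.5), the scheme:// prefix on ServerName (2.2.3), SSLVerifyClient tightened per location (the behaviour CVE-2005-2700 in 2.1.8 restored), and a CacheEnable scoped to a reverse-proxied path (2.1.8). Host names, certificate paths and the proxied origin are constructed for illustration; the LDAPTrustedGlobalCert syntax used here is the mod_ldap form from 2.1.3.

```apache
# Added example (not from the CHANGES file). Host names, certificate
# paths and the proxied origin are constructed for illustration.

# 2.1.5: the protocol name on Listen replaces "SSLEngine on" for this
# port (the Protocol directive does the same inside a vhost).
Listen 443 https

# 2.1.5: require the LDAP server's certificate to verify against the
# trusted CA for ldaps:// and STARTTLS connections made by mod_ldap.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/certs/ldap-ca.pem
LDAPVerifyServerCert On

<VirtualHost *:443>
    # 2.2.3: with the scheme:// prefix, self-referential redirects are
    # built as https:// even when an SSL offload device in front of this
    # server would otherwise make httpd believe it is serving plain http.
    ServerName https://www.example.com:443

    SSLCertificateFile    /etc/httpd/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/certs/www.example.com.key
    SSLCACertificateFile  /etc/httpd/certs/client-ca.pem

    # Client certificates are optional for the site as a whole ...
    SSLVerifyClient optional
    SSLVerifyDepth  2

    # ... but mandatory under /admin. Before 2.1.8 (CVE-2005-2700 above)
    # this narrower "require" was not enforced when the vhost said
    # "optional", so /admin was reachable without a client certificate.
    # 2.1.8 also added the request-body buffering that lets this
    # per-location renegotiation succeed on POST requests.
    <Location /admin>
        SSLVerifyClient require
        SSLOptions +StdEnvVars
    </Location>

    # 2.1.8: CacheEnable takes a URL prefix, so only the reverse-proxied
    # /static tree is cached, never the authenticated /admin responses.
    # (A scheme://host/ prefix is also accepted; it matches the absolute
    # URLs seen in forward-proxy requests.)
    ProxyPass        /static http://origin.internal/static
    ProxyPassReverse /static http://origin.internal/static
    CacheEnable disk /static
</VirtualHost>
```

Checking the per-location rule is straightforward: a request for /admin without a client certificate must receive a 403 and log an "SSL client authentication required" style error, while /static continues to serve anonymously. If /admin is served without a certificate, the server predates the 2.1.8 fix or the Location block is not the one the request maps to.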

  *) Add AP_INIT_TAKE_ARGV for configuration commands. (minor MMN bump)
     [Paul Querna]

  *) ap_get_local_host() rewritten for APR. [Jim Jagielski]

  *) Add the ap_vhost_iterate_given_conn function to expose the
     information used in Name Based Virtual Hosting. (minor MMN bump)
     [Paul Querna]

  *) Remove the never working ap_method_list_do and ap_method_list_vdo.
     [Paul Querna]

  *) Added makefile and doc for building mod_ssl on the NetWare platform.
     [Guenter Knauf, Brad Nicholes]

  *) mod_deflate: Merge the Vary header, instead of Setting it. Fixes
     applications that send the Vary Header themselves, and also apply
     mod_deflate as an output filter. [Paul Querna]

  *) Change the default (when not present in the config file) setting for
     UseCanonicalName to Off. [Joshua Slive]

  *) mod_userdir: The module no longer does any remapping unless the
     UserDir directive is present in the config file. [Joshua Slive]

  *) Massively simplify the distributed httpd.conf by removing many
     features and many directives that are at their default setting. Add
     a selection of example config excerpts for adding extra features in
     the conf/extra/ directory. Install the distributed config and the
     extra config examples in the conf/original/ directory during make
     install. [Joshua Slive, Justin Erenkrantz]

  *) NetWare: Reposition mod_asis, mod_actions, mod_cgi, mod_imagemap,
     mod_userdir and mod_autoindex as shared modules rather than built-in
     modules within the NetWare build. [Brad Nicholes]

  *) Rename mod_imap to mod_imagemap. [Paul Querna]

  *) util_ldap: Eliminate the load ordering of mod_ldap and
     mod_authnz_ldap by changing the mod_ldap exported functions to
     optional functions. [Brad Nicholes]

Changes with Apache 2.1.4

  *) Don't let a subrequest inherit headers describing the original
     request's body. [Greg Ames]

  *) Fix Windows CompContext buff size miscalculation [Allan Edwards]

  *) Add ReceiveBufferSize directive to control the TCP receive buffer.
     [Eric Covener]

  *) mod_proxy: Add proxy-sendextracrlf option to send an extra CRLF at
     the end of the request body to work with really old HTTP servers.
     [Justin Erenkrantz]

  *) util_ldap: Keep track of the number of attributes retrieved from
     LDAP so that all the values can be properly cached even if the
     value is NULL. PR 33901 [Brad Nicholes]

  *) mod_cache: Fix error where incoming Cache-Control would be ignored.
     [Justin Erenkrantz]

  *) mod_cache: Correctly handle originally conditional requests.
     [Sander Striker]

  *) mod_disk_cache: Correctly update cached headers on revalidated
     responses. [Sander Striker, Justin Erenkrantz]

  *) worker MPM/mod_status: Support per-worker tracking of pid and
     generation in the scoreboard so that mod_status can accurately
     represent workers in processes which are gracefully terminating.
     (major MMN bump) [Jeff Trawick]

  *) Correctly export all mod_dav public functions. [Branko Čibej]

Changes with Apache 2.1.3

  *) mod_ssl: Add ssl_ext_lookup optional function for accessing
     certificate extensions. [David Reid, Joe Orton]

  *) Add support for use of an external PCRE library; pass the
     --with-pcre flag to configure. PR 27550.
     [Joe Orton, Andres Salomon]

  *) Renamed regex interfaces to be namespace-safe, and moved from
     pcreposix.h header to ap_regex.h: regex_t->ap_regex_t,
     regmatch_t->ap_regmatch_t; REG_*->AP_REG_*; functions reg*->ap_reg*.
     PR 27550. [Andres Salomon, Joe Orton]

  *) Only recompile buildmark.c when we have to relink httpd.
     [Justin Erenkrantz]

  *) mod_cache: Fix up handling of revalidated responses.
     [Justin Erenkrantz]

  *) mod_disk_cache: Properly load cached ETag from on-disk structures.
     [Justin Erenkrantz]

  *) mod_authnz_ldap: Added an optional second parameter to AuthLDAPURL
     to allow it to override the connection type set in mod_ldap. This
     parameter can be set to NONE, SSL or TLS | STARTTLS. [Brad Nicholes]

  *) Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
     [Max Bowsher]

  *) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170. [Rici Lake]

  *) mod_proxy: Fix ap_proxy_canonenc API. PR 32459. [Jim Jagielski]

  *) mod_cache: Add CacheStorePrivate and CacheStoreNoStore directive.
     [Justin Erenkrantz]

  *) Add --enable-pie flag to configure, to build httpd as a Position
     Independent Executable where supported (GCC/binutils). [Joe Orton]

  *) proxy_balancer: Add in load-balancing via weighted traffic byte
     count. [Jim Jagielski]

  *) mod_disk_cache: Cache r->err_headers_out headers. This allows CGI
     scripts to be properly cached. [Justin Erenkrantz, Sander Striker]

  *) mod_ldap: Updated to use the new apr-util v1.1 apr_ldap_*_option()
     API for the setting of server and client SSL certificates. Replaced
     LDAPTrustedCA directive with LDAPTrustedGlobalCert and
     LDAPTrustedClientCert directives to correctly support global certs
     (CA certs / Netware client certs) and per connection client certs
     as supported by Netware, OpenLDAP and Netscape/Mozilla.
     [Graham Leggett]

  *) mod_cache: Remove unimplemented CacheForceCompletion directive.
     [Justin Erenkrantz]

  *) support/check_forensic: Fix temp file usage
     [Javier Fernandez-Sanguino Pen~a]

  *) mod_ssl: Add SSLCADNRequestFile and SSLCADNRequestPath directives
     which can be used to configure a specific list of CA names to send
     in a client certificate request. PR 32848. [Tim Taylor]

  *) --with-module can now take more than one module to be statically
     linked: --with-module=:,:,... If the -subdirectory doesn't exist it
     will be created and populated with a standard Makefile.in.
     [Erik Abele]

  *) Remove some compiler warnings within the LDAP modules
     [Graham Leggett]

  *) Add a build script to create a solaris package. [Graham Leggett]

  *) ap_http_scheme() replaced with ap_http_method() - this function
     returns the scheme (http v.s. https). [William Rowe]

  *) mod_proxy: Fix a request corruption problem and a buffering problem
     which sometimes prevented proxy-sendchunks from working.
     [Jeff Trawick]

  *) Fix the RPM spec file so that an RPM build now works. An RPM build
     now requires system installations of APR and APR-util.
     [Graham Leggett]

  *) Significantly simplify the load balancer scheduling algorithm for
     the proxy BalancerMember weighting. loadfactors (lbfactors) are now
     normalized with respect to each other. [Jim Jagielski]

  *) mod_dumpio: Added to the available module suite; it is an I/O logging/dumping module. Placed in the (new) debug module subdirectory. mod_bucketeer moved to that directory as well. [Jim Jagielski]

  *) core: Add support for APR_TCP_DEFER_ACCEPT to defer accepting of a connection until data is available. [Paul Querna]

Changes with Apache 2.1.2

  *) mod_proxy: Respect errors reported by pre_connection hooks. [Jeff Trawick]

  *) core: Error out on sections that are missing an argument instead of silently consuming the section. PR 25460. [Geoffrey Young, Paul Querna]

  *) mod_cache/mod_mem_cache/mod_disk_cache: Move out of experimental.

  *) Upgraded PCRE to version 5.0. [Brian Pane]

  *) mod_cgid: Catch configuration problem where two web server instances share the same ServerRoot but the admin forgot to use ScriptSock. [Jeff Trawick]

  *) mod_cgi: Ensure that all stderr is logged for a script which returns a Location header to generate a non-local redirect. PR 20111. [Joe Orton]

  *) Added the Event MPM to more efficiently handle clients during a Keep Alive request. [Paul Querna, Greg Ames]

Changes with Apache 2.1.1

  *) mod_proxy_http: Stream content better - always flush buffered data to the client before blocking waiting for new data. PR 19954. [Joe Orton]

  *) mod_ssl: Add support for command-line option "-t -DDUMP_CERTS" which will dump the filenames of all configured SSL certificates to stdout. [Joe Orton]

  *) mod_disk_cache: Remove a bunch of non-implemented garbage collection and cache size directives that are now available through htcacheclean. [Justin Erenkrantz]

  *) Add htcacheclean to support/ for assistance with mod_disk_cache. [Andreas Steinmetz]

  *) mod_authnz_ldap: Added the directive "Requires ldap-filter" that allows the module to authorize a user based on a complex LDAP search filter. [Brad Nicholes]

  *) mod_usertrack: Run the fixups hook before other modules. PR 29755. [Paul Querna]

  *) Allow mod_authnz_ldap authorization functionality to be used without requiring the user to also be authenticated through mod_authnz_ldap. This allows other authentication modules to take advantage of LDAP authorization only. PR 28253. [Jari Ahonen jah progress.com, Brad Nicholes]

  *) Log the client IP address when an error occurs disabling nagle on a connection, but log at a severity of debug since this error generally means that the connection was dropped before data was sent. Log the client IP address when reporting errors in the core output filter. [Jeff Trawick]

  *) core: Add a warning message if the request line read fails. [Paul Querna]

  *) mod_rewrite: Removed the MaxRedirects option in favor of the core LimitInternalRecursion directive. [André Malo]

  *) mod_info: Added listing of the Request Hooks and added more build information like 'httpd -V' contains. Changed output to XHTML. [Paul Querna]

  *) mod_info: Rewrote config tree walk using a recursive function. Added ?config option. Added printout of config filename and line numbers. [Rici Lake, Paul Querna]

  *) mod_proxy: Fix type error that prevents proxy-sendchunks from working. [Justin Erenkrantz]

  *) mod_proxy: Fix data corruption by properly setting aside buckets. [Justin Erenkrantz]

  *) mod_proxy: If a request has a blank body and has a 0 Content-Length header, pass that to the proxy. [Justin Erenkrantz]

  *) Recognize QSA flag in mod_rewrite again. [Jan Kratochvil]

  *) Restructured mod_auth_ldap to fit the new authentication model. The module is now called authnz_ldap and has been moved out of the modules/experimental area and into modules/aaa with the other auth modules. Both the authn_ldap provider and the authz_ldap handler are contained within the authnz_ldap module. The authz_ldap handler introduces 3 new "requires" values for handling authorization. These handlers are ldap-user, ldap-group and ldap-dn. [Brad Nicholes]

  *) Fix some compiler warnings in proxy. [Geoffrey Young]

  *) mod_ssl: Add SSL_CLIENT_V_REMAIN variable, representing the number of days until the client cert expires. [Joe Orton]

  *) Add test_config hook, run only if httpd is invoked using -t. [Joe Orton]

  *) Improve error handling for corrupted pid files. [Jeff Trawick]

  *) mod_proxy.c and proxy_util.c: Enable compiling on 2.0-HEAD (for backwards compatibility): Avoids mod_ssl.h (not included in 2.0-HEAD) and use apr_socket_create_ex for 0.9.x. [Mladen Turk]

  *) Added proxy_ajp.c module for proxy support to ajp:// backends. [Jean Frederic Clere]

  *) Fixes the build of proxy on Windows. Since the proxy_module is declared as extern using AP_MODULE_DECLARE_DATA that expands to dllexport, there is a LNK2001 error when building proxy_http. [Mladen Turk]

  *) Remove LDAP toolkit specific code from util_ldap and mod_auth_ldap. [Graham Leggett]

  *) Remove deprecated/removed APR_STATUS_IS_SUCCESS(). [Justin Erenkrantz]

  *) perchild MPM: Fix thread safety problem in the use of longjmp(). [Tsuyoshi SASAMOTO]

  *) Add load balancer support to the scoreboard in preparation for load balancing support in mod_proxy. [Mladen Turk]

  *) mod_nw_ssl: Added the directive NWSSLUpgradeable to mod_nw_ssl to allow a non-secure connection to be upgraded to a secure connection. [Brad Nicholes]

  *) core: Add Options= syntax to AllowOverride to specify which options may be overridden in .htaccess files. PR 29310. [Tom Alsberg, Paul Querna]

  *) ab: Handle long URLs with an error instead of a buffer overflow. PR 28204. [Erik Weide, Paul Querna]

  *) mod_so, core: Add new command line options to print all loaded modules. '-t -D DUMP_MODULES' and '-M' will show all static and shared modules as loaded from the configuration file. [Paul Querna]

  *) mod_autoindex: Add ShowForbidden to IndexOptions to list files that are not shown because the subrequest returned 401 or 403. PR 10575. [Paul Querna]

  *) mod_headers: implement "Early" processing option in post_read_request to enable Header and RequestHeader directives to be used to set up testcases for pre-fixups request phases. [Nick Kew]

  *) mod_proxy: multiple bugfixes, principally support cookies in ProxyPassReverse, and don't canonicalise URL passed to backend. Documentation correspondingly updated. [Nick Kew]

  *) mod_deflate: support gzip flags in inflate_out_filter. [Nick Kew]

  *) Drop the ErrorHeader directive which turned out to be a misnomer. Instead there's a new optional flag for the Header directive ('always'), which keeps the former ErrorHeader functionality. [André Malo]

  *) mod_deflate: Don't deflate responses with zero length, e.g. proxied 304's. [Allan Edwards]

  *) <IfModule> now recognizes the module identifier in addition to the file name. PR 29003. [Edward Rudd, André Malo]

  *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the OpenSSL 0.9.7 flag which uses the server's cipher order rather than the client's. PR 28665. [Jim Schneider]

  *) mod_ssl: Drop support for the CompatEnvVars argument to SSLOptions, which was never actually implemented in 2.0. [Joe Orton]

  *) Fix bug in mod_deflate that unconditionally sent deflate'd output even when Accept-Encoding is not present. [Justin Erenkrantz]

  *) Pass environment variables through to piped loggers and start them via the shell, resolving regressions since 1.3. PR 28815. [Ken Coar, Jeff Trawick]

  *) External rewrite map responses are no longer limited to 2048 bytes. [André Malo]

  *) Proxy server was deleting cookies that Apache had already assigned if the origin server had set any cookies. PR 27023. [Jim Jagielski]

  *) Removed old and unmaintained ap_add_named_module API and changed the following APIs to return an error instead of hard exiting: ap_add_module, ap_add_loaded_module, ap_setup_prelinked_modules, and ap_process_resource_config. [André Malo]

  *) mod_headers: Allow %% in header values to represent a literal %. [André Malo]

  *) mod_headers: Allow env clauses also for 'echo' and 'unset' actions. [André Malo]

  *) mod_headers: Allow 'echo' also for ErrorHeaders. [André Malo]

  *) mod_deflate: New option for DEFLATE output file (force-gzip), new output filter 'INFLATE' for uncompressing responses. [Nick Kew, Ian Holsman]

  *) Added new module mod_version, which provides version dependent configuration containers. [André Malo]

  *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o format is used. PR 27787. [André Malo]

  *) Allow Digest providers to return AUTH_DENIED to propagate a 401 status and terminate the provider chain prior to checking the password. [Geoffrey Young]

  *) mod_cgid: Don't allow Scriptsock to be specified inside VirtualHost; Don't place script socket inside default server root instead of actual server root. PR 27886. [Jeff Trawick]

  *) mod_proxy: Fix handling of non-200 success status codes when "ProxyErrorOverride On" is configured. PR 20183. [Marcus Janson, Joe Orton]

  *) Threaded MPMs for Unix and Win32: Add support for ThreadStackSize directive (previously NetWare-only) to override default thread stack size for threads which handle client connections. Required for some third-party modules on platforms with small default thread stack size. [Jeff Trawick]

  *) minor mod_auth_basic and mod_auth_digest sync. mod_auth_basic now populates r->user with the (possibly unauthenticated) user, and mod_auth_digest returns 500 when a provider returns AUTH_GENERAL_ERROR. [Geoffrey Young]

  *) The whole codebase was relicensed and is now available under the Apache License, Version 2.0 (http://www.apache.org/licenses). [Apache Software Foundation]

  *) Delete some make-generated files in the server directory during "make clean" processing. PR 26552. [Jeff Trawick]

  *) Add core version query function (ap_get_server_revision) and accompanying ap_version_t structure (minor MMN bump). [André Malo]

  *) mod_rewrite: EOLs sent by external rewritemaps are now consumed as a whole. That way, on systems with more than one EOL character rewritemap programs no longer need to switch stdout to binary mode. PR 25635. [André Malo]

  *) mod_rewrite: Introduce the ability to force a content handler via the [handler=...] flag. [André Malo]

  *) mod_rewrite: Introduce the RewriteCond -x check, which returns true if the pattern is a file with execution permissions. [André Malo]

  *) mod_rewrite: Allow proxying and RewriteRules in directory context for subrequests. PR 14648, 15114. [André Malo]

  *) mod_rewrite: Allow setting of any valid HTTP response code. PR 25917. [André Malo]

  *) mod_rewrite: Cookie creation now works locale independent. [André Malo]

  *) mod_ssl: Add support for distributed session cache using 'distcache'. [Geoff Thorpe]

  *) mod_dav: Disallow requests with an unescaped hash character in the Request-URI. PR 21779. [Amit Athavale]

  *) mod_proxy with ProxyErrorOverride On in a reverse-proxy configuration attaches a body to the 302 response and a wrong Content-Length header. PR 22951. [Ermanno Scaglione scaglione ..at.. starnetone.de]

  *) Bring ErrorHeader concept forward from 1.3, so that response header fields can be set for return even on errors or external redirects. [Ken Coar]

  *) Fix and parsing to require a closing '>' in the initial container. PR 25414. [Geoffrey Young]

  *) Clean up httpd -V output: Instead of displaying the MPM source directory, display the MPM name and some MPM properties. [Geoffrey Young]

  *) mod_ssl/mod_status: Re-enable support for output of SSL session cache information in server-status page. [Joe Orton]

  *) mod_ssl: Remove the shmht session cache, shmcb should be used instead. [Joe Orton]

  *) mod_logio: Account for some bytes handed to the network layer prior to dropped connections. [Jeff Trawick]

  *) mod_autoindex: new directive IndexStyleSheet. [Tyler Riddle, Paul Querna]

  *) Fix uninitialized gprof directory name in prefork MPM. PR 24450. [Chris Knight]

  *) Log an error when requests for URIs which fail to map to a valid filesystem name are rejected with 403. [Jeff Trawick]

  *) Switch to APR 1.0 API.

  *) Major overhaul of mod_include's filter parser. The new parser code is expected to be more robust and should catch all of the edge cases that were not handled by the previous one. This includes a binary incompatible change of mod_include's external API. [André Malo]

  *) mod_rewrite: Allow forced mimetypes [T=...] to get expanded. PR 14223. [André Malo]

  *) mod_rewrite: Fix LA-U and LA-F lookups in directory context. Previously the current rewrite state was just used as lookup path, which led to strange and often useless results. Related to PR 8493. [André Malo]

  *) Change Listen directive to bind to all addresses when a hostname is not specified. [Justin Erenkrantz]

  *) Correct failure with Listen directives on machines with IPv6 enabled. [Colm MacCárthaigh, Justin Erenkrantz]

  *) Fix a link failure in mod_ssl when the OpenSSL libraries contain the ENGINE functions but the engine header files are missing. [Cliff Woolley]

  *) mod_rewrite: RewriteRules in server context using the force type feature [T=...] no longer disable MultiViews. [André Malo]

  *) mod_rewrite: Allow piped rewrite logs to be relative to ServerRoot. [André Malo]

  *) mod_authz_groupfile: Strip trailing spaces of group names. This hopefully saves some hours of searching for typos. PR 12863. [André Malo]

  *) mod_actions: Propagate the handler name to the action script via the REDIRECT_HANDLER environment variable. [André Malo]

  *) mod_actions: Introduce the "virtual" modifier to the Action directive, which allows the use of handlers for virtual locations. PR 8431. [André Malo]

  *) mod_speling: Recognize AcceptPathInfo setting for the particular location. Default is to reject path information. PR 21059. [André Malo]

  *) mod_ext_filter: Add the ability to filter request bodies. [Philipp Reisner]

  *) Fix some broken log messages in WinNT MPM. [Juan Rivera]

  *) prefork MPM: Use the right permissions for the directory created for gprof support. [Jim Carlson]

  *) Fix a compile failure with recent OpenSSL and picky compilers (e.g., OpenSSL 0.9.7a and xlc_r on AIX). [Jeff Trawick]

  *) OpenSSL headers should be included as "openssl/ssl.h", and not rely on the INCLUDE path to be defined properly. PR 11310. [Geoff Thorpe]

  *) Modify APACHE_CHECK_SSL_TOOLKIT to detect SSL-C. [Madhusudan Mathihalli]

  *) Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc). [Geoff Thorpe]

  *) change directive name from 'compressionlevel' to 'deflatecompressionlevel'. [Ian Holsman, André Malo]

  *) mod_negotiation: quality values are now parsed independent from the current locale. level values are now really parsed as integers. PR 17564. [André Malo]

  *) Extend mod_negotiation to evaluate the environment variables no-gzip and gzip-only-text/html the same way as mod_deflate does. [André Malo]

  *) mod_rewrite: Fix some problems reporting errors with mapping programs (RewriteMap prg:/something). [Jeff Trawick]

  *) Return 413 if chunk-ext-header is too long rather than reading from the truncated line. PR 15857. [Justin Erenkrantz]

  *) Allow restart of httpd to occur even with syntax errors in the config file. PR 16813. [Justin Erenkrantz]

  *) Use APR_LAYOUT instead of APACHE_LAYOUT in configure. PR 15679. [Justin Erenkrantz]

  *) Remove files on 'make distclean' that should be. PR 15592. [Justin Erenkrantz]

  *) Allow apachectl to perform status with links and elinks as well. [Justin Erenkrantz]

  *) mod_log_config: change optional hook to return previous handler. [Ian Holsman]

  *) Forward port of mod_actions' ability to handle arbitrary methods with the Script directive. [André Malo]

  *) Let suexec send a message to stderr, if it failed or its policy was violated. This message appears in the error log and allows for easier debugging. PR 5381, 7638, 8255, 10773. [André Malo]

  *) Modify buildconf to copy all required files into httpd's tree. [Thom May]

  *) Allow mod_dav to do weak entity comparison functions. [Justin Erenkrantz]

  *) Move RFC 1413 ident requests from core to new module mod_ident. [André Malo]

  *) Add mod_authz_owner - a forward port of "Require file-owner" and "Require file-group", which was already present in version 1.3.21. [André Malo]

  *) Add mod_dav_lock - a generic subset of the DAV locking implementation. [Justin Erenkrantz]

  *) Replace some of the mutex locking in the worker MPM with atomic operations for higher concurrency. [Brian Pane]

  *) Allow 'make depend' to work with non-GCC compilers. [Justin Erenkrantz]

  *) If an httpd.conf has commented out AddModule directives, apxs -i -a will add an un-commented AddModule directive for the new module, which breaks the config. PR 11212. [Joe Orton]

  *) Fix mod_proxy handling of filtered input bodies. [Justin Erenkrantz]

  *) Move the check of the Expect request header field after the hook for ap_post_read_request, since that is the only opportunity for modules to handle Expect extensions. [Justin Erenkrantz]

  *) Rewrite of aaa modules to an authn/authz model. [Dirk-Willem van Gulik, Justin Erenkrantz]

  [Apache 2.1.0-dev includes those bug fixes and changes with the Apache 2.0.xx tree as documented, and except as noted, below.]

Changes with Apache 2.0.56

  *) Preserve the Content-Length header for a proxied HEAD response. PR 18757. [Greg Ames]

  *) mod_cgi(d): Remove block on OPTIONS method so that scripts can respond to OPTIONS directly rather than via server default. PR 15242. [Roy Fielding]

Changes with Apache 2.0.55

  *) SECURITY: CVE-2005-2088 (cve.mitre.org) proxy: Correctly handle the Transfer-Encoding and Content-Length headers. Discard the request Content-Length whenever T-E: chunked is used, always passing one of either C-L or T-E: chunked whenever the request includes a request body. Resolves an entire class of proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]

  *) Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method. This addresses a flaw in proxy conformance to RFC 2616 - previously the proxy server would accept a TRACE request body although the RFC prohibited it. The default remains 'TraceEnable on'. [William Rowe]

  *) Add ap_log_cerror() for logging messages associated with particular client connections. [Jeff Trawick]

  *) Correct mod_cgid's argv[0] so that the full path can be delved by the invoked cgi application, to conform to the behavior of mod_cgi. [Pradeep Kumar S]

  *) mod_include: Fix possible environment variable corruption when using nested includes. PR 12655. [Joe Orton]

  *) Support the suppress-error-charset setting, as with Apache 1.3.x. PR 31274. [Jeff Trawick]

  *) EBCDIC: Handle chunked input from client or, with proxy, origin server. [Jeff Trawick]

  *) Fix bad globbing comparison which could result in getting a directory listing when a file was requested. PR 34512. [sean]

  *) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker() was called even if mod_auth_ldap_check_user_id() was not (or if it didn't succeed) for non-authoritative cases. [Jim Jagielski]

  *) SECURITY: CVE-2005-2728 (cve.mitre.org) Fix cases where the byterange filter would buffer responses into memory. PR 29962. [Joe Orton]

  *) mod_proxy: Fix over-eager handling of '%' for reverse proxies. PR 15207. [Jim Jagielski]

  *) mod_ldap: Fix various shared memory cache handling bugs. PR 34209. [Joe Orton]

  *) Fix a file descriptor leak when starting piped loggers. PR 33748. [Joe Orton]

  *) mod_ldap: Avoid segfaults when opening connections if using a version of OpenLDAP older than 2.2.21. PR 34618. [Brad Nicholes]

  *) mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe]

  *) SECURITY: CVE-2005-2088 (cve.mitre.org) core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. [Paul Querna, Joe Orton]

  *) proxy HTTP: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection, mitigating some HTTP Response Splitting attacks. [Jeff Trawick]

  *) Prevent hangs of child processes when writing to piped loggers at the time of graceful restart. PR 26467. [Jeff Trawick]

  *) SECURITY: CVE-2005-1268 (cve.mitre.org) mod_ssl: Fix off-by-one overflow whilst printing CRL information at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL. PR 35081. [Marc Stern]

  *) mod_userdir: Fix possible memory corruption issue. PR 34588. [David Leonard]

  *) worker mpm: don't take down the whole server for a transient thread creation failure. PR 34514. [Greg Ames]

  *) mod_rewrite: use buffered I/O to improve performance with large RewriteMap txt: files. [Greg Ames]

  *) proxy HTTP: Rework the handling of request bodies to handle chunked input and input filters which modify content length, and avoid spooling arbitrary-sized request bodies in memory. PR 15859. [Jeff Trawick]

Changes with Apache 2.0.54

  *) mod_cache: Add CacheIgnoreHeaders directive. PR 30399. [Rüdiger Plüm]

  *) mod_ldap: Added the directive LDAPConnectionTimeout to configure the ldap socket connection timeout value. [Brad Nicholes]

  *) Correctly export all mod_dav public functions. [Branko Čibej]

  *) Add a build script to create a solaris package. [Graham Leggett]

  *) worker MPM: Fix a problem which could cause httpd processes to remain active after shutdown. [Jeff Trawick]

  *) Unix MPMs: Shut down the server more quickly when child processes are slow to exit. [Joe Orton, Jeff Trawick]

  *) Remove formatting characters from ap_log_error() calls. These were escaped as fallout from CVE-2003-0020. [Eric Covener]

  *) mod_ssl: If SSLUsername is used, set r->user earlier. PR 31418. [David Reid]

  *) htdigest: Fix permissions of created files. PR 33765. [Joe Orton]

  *) core_input_filter: Move buckets to a persistent brigade instead of creating a new brigade. This stops a memory leak when proxying a Streaming Media Server. PR 33382. [Paul Querna]

  *) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid hiccups from additional path information passed in non-utf-8 format. [Richard Donkin]

  *) ... 2Gb file). PR 17357. [Joe Orton]

  *) Makefile fix: httpd is linked against LIBS given to the 'make' invocation. PR 7882. [Joe Orton]

  *) WinNT MPM: Fix a broken log message at termination. PR 28063. [Eider Oliveira]
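The two CVE-2005-2088 entries above (the core rule for requests and the proxy rule for responses) describe one normalisation: a message carrying both Transfer-Encoding and Content-Length is ambiguous about where its body ends, and the fix is to keep exactly one framing mechanism. This added Python example is not httpd's code; it applies that rule to constructed message heads and reports which framing governs afterwards.

```python
# Added example (not httpd code): the header normalisation rules recorded in
# the 2.0.55 CVE-2005-2088 entries, applied to constructed HTTP message heads.
# Two parties that resolve a Transfer-Encoding/Content-Length conflict
# differently disagree about where one message ends and the next begins;
# keeping a single framing mechanism removes that disagreement.
from dataclasses import dataclass, field


@dataclass
class Message:
    """Start line and ordered (name, value) headers of an HTTP/1.x message."""
    start_line: str
    headers: list
    reuse_connection: bool = True   # may the underlying connection be reused?
    notes: list = field(default_factory=list)


def parse_head(raw: bytes) -> Message:
    """Parse everything up to the blank line; the body is not needed here."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return Message(lines[0], headers)


def header_names(msg: Message) -> set:
    """Lower-cased set of header field names present in the message."""
    return {n.lower() for n, _ in msg.headers}


def drop_header(msg: Message, name: str) -> None:
    """Remove every occurrence of the (lower-cased) header name."""
    msg.headers = [(n, v) for n, v in msg.headers if n.lower() != name]


def body_framing(msg: Message) -> str:
    """Which mechanism delimits the body after normalisation.

    'chunked' when Transfer-Encoding ends in chunked, 'content-length' when
    only a length is given, 'none' when neither is present, and 'unknown' for
    a Transfer-Encoding whose final coding is not chunked (no reliable end).
    """
    names = header_names(msg)
    if "transfer-encoding" in names:
        codings = [v for n, v in msg.headers if n.lower() == "transfer-encoding"]
        last = codings[-1].split(",")[-1].strip().lower()
        return "chunked" if last == "chunked" else "unknown"
    if "content-length" in names:
        return "content-length"
    return "none"


def normalize_request(msg: Message) -> Message:
    """Core rule: with both T-E and C-L present, discard Content-Length."""
    names = header_names(msg)
    if "transfer-encoding" in names and "content-length" in names:
        drop_header(msg, "content-length")
        msg.notes.append("request: Content-Length discarded, Transfer-Encoding governs")
    return msg


def normalize_response(msg: Message) -> Message:
    """Proxy rule: drop Content-Length and do not reuse the backend connection,
    since the backend may have framed the message differently than we did."""
    names = header_names(msg)
    if "transfer-encoding" in names and "content-length" in names:
        drop_header(msg, "content-length")
        msg.reuse_connection = False
        msg.notes.append("response: Content-Length discarded, connection not reused")
    return msg


def render(msg: Message) -> bytes:
    """Serialise the normalised head back to wire form."""
    lines = [msg.start_line] + ["%s: %s" % (n, v) for n, v in msg.headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


# Constructed sample heads (not captured traffic); both carry conflicting framing.
SAMPLE_REQUEST = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                   b"Transfer-Encoding: chunked\r\nContent-Length: 12\r\n\r\n")

if __name__ == "__main__":
    req = normalize_request(parse_head(SAMPLE_REQUEST))
    print(render(req).decode(), req.notes, body_framing(req))
    resp = normalize_response(parse_head(SAMPLE_RESPONSE))
    print(render(resp).decode(), resp.notes, resp.reuse_connection)
```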

  *) Prevent Win32 pool corruption at startup. [Allan Edwards]

  *) mod_ssl: Add "SSLUserName" directive to set r->user based on a chosen SSL environment variable. PR 20957. [Martin v. Loewis]

  *) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs. [Zvi Har'El]

  *) apachectl: Fix a problem finding envvars if sbindir != bindir. PR 30723. [Friedrich Haubensak]

  *) mod_ssl: Build on RHEL 3. PR 18989. [Justin Erenkrantz]

  *) SECURITY: CVE-2004-0748 (cve.mitre.org) mod_ssl: Fix a potential infinite loop. PR 29964. [Joe Orton]

  *) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb. PR 18989. [Joe Orton]

  *) mod_userdir: Ensure that the userdir identity is used for suexec userdir access in a virtual host which has suexec configured. PR 18156. [Joshua Slive]

  *) mod_rewrite no longer confuses the RewriteMap caches if different maps defined in different virtual hosts use the same map name. PR 26462. [André Malo]

  *) mod_setenvif: Remove "support" for Remote_User variable which never worked at all. PR 25725. [André Malo]

  *) Backport from 2.1 / Regression from 1.3: mod_headers now knows again the functionality of the ErrorHeader directive. But instead of using this misnomer, additional flags to the Header directive were introduced ("always" and "onsuccess", defaulting to the latter). PR 28657. [André Malo]

  *) Use the higher performing 'httpready' Accept Filter on all platforms except FreeBSD < 4.1.1. [Paul Querna]

  *) mod_usertrack: Escape the cookie name before pasting into the regexp. [André Malo]

  *) Extend the SetEnvIf directive to capture subexpressions of the matched value. [André Malo]

  *) Recursive Include directives no longer crash. The server stops including configuration files after a certain nesting level (128 as distributed). This is configurable at compile time using the -DAP_MAX_INCLUDE_DEPTH switch. PR 28370. [André Malo]

  *) mod_dir: the trailing-slash behaviour is now configurable using the DirectorySlash directive. [André Malo]

  *) Allow proxying of resources that are invoked via DirectoryIndex. PR 14648, 15112, 29961. [André Malo]

  *) util_ldap: Switched the lock types on the shared memory cache from thread reader/writer locks to global mutexes in order to provide cross process cache protection. [Brad Nicholes]

  *) util_ldap: Reworked the cache locking scheme to eliminate duplicate cache entries in the credentials cache due to race conditions. [Brad Nicholes]

  *) util_ldap: Enhanced the util_ldap cache-info display to show more detail about the contents and current state of the cache. [Brad Nicholes]

  *) Enable the option to support anonymous shared memory in mod_ldap. This makes the cache work on Linux again. [Graham Leggett]

  *) Enable special ErrorDocument value 'default' which restores the canned server response for the scope of the directive. [Geoffrey Young, André Malo]

  *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack is set in r->subprocess_env allow mismatched query strings to pass. PR 27758. [Paul Querna, Geoffrey Young]

  *) Accept URLs for the ServerAdmin directive. If the supplied argument is not recognized as a URL, assume it's a mail address. PR 28174. [André Malo, Paul Querna]

  *) initialize server arrays prior to calling ap_setup_prelinked_modules so that static modules can push Defines values when registering hooks just like DSO modules can. ["Philippe M. Chiasson"]

  *) Small fix to allow reverse proxying to an ftp server. Previously an attempt to do this would try and connect to 0.0.0.0, regardless of the server specified. PR 24922. [Pascal Terjan]

  *) Add the NOTICE file to the rpm spec file in compliance with the Apache v2.0 license. [Graham Leggett]

  *) RPM spec file changes: changed default dependency to link to db4 instead of db3. Fixed complaints about unpackaged files. [Graham Leggett]

Changes with Apache 2.0.50

  *) SECURITY: CVE-2004-0493 (cve.mitre.org) Close a denial of service vulnerability identified by Georgi Guninski which could lead to memory exhaustion with certain input data. [Jeff Trawick]

  *) mod_cgi: Handle output on stderr during script execution on Unix platforms; preventing deadlock when stderr output fills pipe buffer. Also fixes case where stderr from nph- scripts could be lost. PR 22030, 18348. [Joe Orton, Jeff Trawick]

  *) mod_alias now emits a warning if it detects overlapping *Alias* directives. [André Malo]

  *) mod_rewrite no longer turns forward proxy requests into reverse proxy requests. PR 28125. [ast domdv.de, André Malo]

  *) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now exported on Win32 and Netware as well (minor MMN bump). PR 28523. [Edward Rudd, André Malo]

  *) Restore the ability to disable the use of AcceptEx on Win9x systems automatically (broken in 2.0.49). PR 28529. [André Malo]

  *) <VirtualHost myhost> now applies to all IP addresses for myhost instead of just the first one reported by the resolver. This corrects a regression since 1.3. [Jeff Trawick]

  *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved against ServerRoot. PR 26602. [Brad Nicholes]

  *) SECURITY: CVE-2004-0488 (cve.mitre.org) mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a (trusted) client certificate subject DN which exceeds 6K in length. [Joe Orton]

  *) mod_dav_fs: Fix MKCOL response for missing parent collections, which caused issues for the Eclipse WebDAV extension. PR 29034. [Joe Orton]

  *) mod_deflate: Fix memory consumption (which was proportional to the response size). PR 29318. [Joe Orton]

  *) mod_ssl: Log the errors returned on failure to load or initialize a crypto accelerator engine. [Joe Orton]

  *) Allow RequestHeader directives to be conditional. PR 27951. [Vincent Deffontaines, André Malo]

  *) Allow LimitRequestBody to be reset to unlimited. PR 29106. [André Malo]

  *) Fix a bunch of cases where the return code of the regex compiler was not checked properly. This affects: mod_setenvif, mod_usertrack, mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo]

  *) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for small cache sizes. PR 27751. [Geoff Thorpe]

  *) Remove 2Gb log file size restriction on some 32-bit platforms. PR 13511. [Joe Orton]

  *) mod_logio no longer removes the EOS bucket. PR 27928. [Bojan Smojver]

  *) htpasswd no longer refuses to process files that contain empty lines. [André Malo]

  *) Regression from 1.3: At startup, suexec now will be checked for availability, the setuid bit and user root. This works only if httpd is compiled with the shipped APR version (0.9.5). PR 28287. [André Malo]

  *) Unix MPMs: Stop dropping connections when the file descriptor is at least FD_SETSIZE. [Jeff Trawick]

  *) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick]

  *) mod_isapi: send_response_header() failed to copy status string's last character. PR 20619. [Jesse Pelton]

  *) Fix a segfault when requests for shared memory fail and return NULL. Fix a segfault caused by a lack of bounds checking on the cache. PR 24801. [Graham Leggett]

  *) Throw an error message if an attempt is made to use the LDAPTrustedCA or LDAPTrustedCAType directives in a VirtualHost. PR 26390. [Brad Nicholes]

  *) Fix a potential segfault if the bind password in the LDAP cache is NULL. PR 28250. [Jari Ahonen]

  *) Quotes cannot be used around require group and require dn directives; update the documentation to reflect this. Also add quotes around the dn and group within debug messages, to make it more obvious why authentication is failing if quotes are used in error. PR 19304. [Graham Leggett]

  *) The Microsoft LDAP SDK escapes filters for us; stop util_ldap from escaping filters twice when the backslash character is used. PR 24437. [Jess Holle]

  *) Overhaul handling of LDAP error conditions, so that the util_ldap_* functions leave the connections in a sane state after errors have occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134, 27271. [Graham Leggett]

  *) mod_ldap calls ldap_simple_bind_s() to validate the user credentials. If the bind fails, the connection is left in an unbound state. Make sure that the ldap connection record is updated to show that the connection is no longer bound. [Brad Nicholes]

  *) Ensure that lines in the request which are too long are properly terminated before logging. [Tsurutani Naoki]

  *) Update the bind credentials for the cached LDAP connection to reflect the last bind. This prevents util_ldap from creating unnecessary connections rather than reusing cached connections. [Brad Nicholes]

  *) mod_isapi: GetServerVariable returned improperly terminated header fields given "ALL_HTTP" or "ALL_RAW". PR 20656. [Jesse Pelton]

  *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer size. PR 20617. [Jesse Pelton]

  *) mod_dav: Fix a problem that could cause crashes when manipulating locks on some platforms. [Jeff Trawick]

  *) mod_headers no longer crashes if an empty header value should be added. [André Malo]

  *) Fix segfault in mod_expires, which occurred under certain circumstances. PR 28047. [André Malo]

  *) htpasswd: use apr_temp_dir_get() and general cleanup. [Guenter Knauf, Thom May]

  *) mod_ssl: Fix memory leak in session cache handling. PR 26562. [Madhusudan Mathihalli]

  *) mod_ssl: Fix potential segfaults when performing SSL shutdown from a pool cleanup. PR 27945. [Joe Orton]

  *) Add forensic logging module (mod_log_forensic). [Ben Laurie]

  *) logresolve: Allow size of log line buffer to be overridden at build time (MAXLINE). PR 27793. [Jeff Trawick]

  *) Fix the comment delimiter in htdbm so that it correctly parses the username comment. Also add a terminate function to allow NetWare to pause the output before the screen is destroyed. [Guenter Knauf, Brad Nicholes]

  *) Fix crash when Apache was started with no Listen directives. [Michael Corcoran]

  *) core_output_filter: Fix bug that could result in sending garbage over the network when module handlers construct bucket brigades containing multiple file buckets all referencing the same open file descriptor. [Bojan Smojver]

  *) Fix memory corruption problem with ap_custom_response() function. The core per-dir config would later point to request pool data that would be reused for different purposes on different requests. [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]

  *) Win32: Tweak worker thread accounting routines to eliminate server hang when number of Listen directives in httpd.conf is greater than or equal to the setting of ThreadsPerChild. [Bill Stoddard]

Changes with Apache 2.0.49

  *) SECURITY: CVE-2004-0174 (cve.mitre.org) Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket. With Apache 2.x there is no performance concern about enabling the logic for platforms which don't need it, so it is enabled everywhere except for Win32. [Jeff Trawick]

  *) mod_cgid: Fix storage corruption caused by use of incorrect pool. [Jeff Trawick]

  *) Win32: find_read_listeners was not correctly handling multiple listeners on the Win32DisableAcceptEx path. [Bill Stoddard]

  *) Fix bug in mod_usertrack when no CookieName is set. PR 24483. [Manni Wood]

  *) Fix some piped log problems: bogus "piped log program '(null)' failed" messages during restart and problem with the logger respawning again after Apache is stopped. PR 21648, PR 24805. [Jeff Trawick]

  *) Fixed file extensions for real media files and removed rpm extension from mime.types. PR 26079. [Allan Sandfeld]

  *) Remove compile-time length limit on request strings. Length is now enforced solely with the LimitRequestLine config directive. [Paul J. Reder]

  *) mod_ssl: Send the Close Alert message to the peer before closing the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]

  *) SECURITY: CVE-2004-0113 (cve.mitre.org) mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling. PR 27106. [Joe Orton]

  *) mod_ssl: Fix bug in passphrase handling which could cause spurious failures in SSL functions later. PR 21160. [Joe Orton]

  *) mod_log_config: Fix corruption of buffered logs with threaded MPMs. PR 25520. [Jeff Trawick]

  *) Fix mod_include's expression parser to recognize strings correctly even if they start with an escaped token. [André Malo]

  *) Add fatal exception hook for use by diagnostic modules. The hook is only available if the --enable-exception-hook configure parm is used and the EnableExceptionHook directive has been set to "on". [Jeff Trawick]

  *) Allow mod_auth_digest to work with sub-requests with different methods than the original request. PR 25040. [Josh Dady]

  *) fix "Expected > but saw " errors in nested, argumentless containers. ["Philippe M. Chiasson"]

  *) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756. [Matthieu Estrade, Brad Nicholes]

  *) mod_cgid: Restart the cgid daemon if it crashes. PR 19849. [Glenn Nielsen]

  *) The whole codebase was relicensed and is now available under the Apache License, Version 2.0 (http://www.apache.org/licenses). [Apache Software Foundation]

  *) Fixed cache-removal order in mod_mem_cache. [Jean-Jacques Clar, Cliff Woolley]

  *) mod_setenvif: Fix the regex optimizer, which under circumstances treated the supplied regex as literal string. PR 24219. [André Malo]

  *) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm instead of mmn. [André Malo]

  *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules could lead to a 400 (Bad Request) response. [André Malo]

  *) Keep focus of ITERATE and ITERATE2 on the current module when the module chooses to return DECLINE_CMD for the directive. PR 22299. [Geoffrey Young]
  *) Add support for IMT minor-type wildcards (e.g., text/*) to ExpiresByType. PR#7991 [Ken Coar]
  *) Fix segfault in mod_mem_cache cache_insert() due to cache size becoming negative. PR: 21285, 21287 [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
  *) core.c: If large file support is enabled, allow any file that is greater than AP_MAX_SENDFILE to be split into multiple buckets. This allows Apache to send files that are larger than 2 GB. Otherwise we run into 32/64 bit type mismatches in the file size. [Brad Nicholes]
  *) proxy_http fix: mod_proxy hangs when both KeepAlive and ProxyErrorOverride are enabled, and a non-200 response without a body is generated by the backend server. (e.g.: a client makes a request containing the "If-Modified-Since" and "If-None-Match" headers, to which the backend server responds with status 304.) [Graham Wiseman, Richard Reiner]
  *) mod_dav: Reject requests which include an unescaped fragment in the Request-URI. PR 21779. [Amit Athavale]
  *) Build array of allowed methods with proper dimensions, fixing possible memory corruption. [Jeff Trawick]
  *) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID. PR 15057. [Otmar Lendl]
  *) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944 [Joe Orton]
  *) mod_usertrack no longer inspects the Cookie2 header for the cookie name. PR 11475. [Chris Darrochi]
  *) mod_usertrack no longer overwrites other cookies. PR 26002. [Scott Moore]
  *) worker MPM: fix stack overlay bug that could cause the parent process to crash. [Jeff Trawick]
  *) Win32: Add Win32DisableAcceptEx directive. This Windows NT/2000/XP directive is useful to work around bugs in some third party layered service providers like virus scanners, VPN and firewall products, that do not properly handle WinSock 2 APIs. Use this directive if your server is issuing AcceptEx failed messages. [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]
  *) Make REMOTE_PORT variable available in mod_rewrite. PR 25772. [André Malo]
  *) Fix a long delay with CGI requests and keepalive connections on AIX. [Jeff Trawick]

  *) mod_autoindex: Add 'XHTML' option in order to allow switching between HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]
  *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump). [André Malo]
  *) mod_ssl: Advertise SSL library version as determined at run-time rather than at compile-time. PR 23956. [Eric Seidel]
  *) mod_ssl: Fix segfault on a non-SSL request if the 'c' log format code is used. PR 22741. [Gary E. Miller]
  *) Fix build with parallel make. PR 24643. [Joe Orton]
  *) mod_rewrite: In external rewrite maps lookup keys containing a newline now cause a lookup failure. PR 14453. [Cedric Gavage, André Malo]
  *) Backport major overhaul of mod_include's filter parser from 2.1. The new parser code is expected to be more robust and should catch all of the edge cases that were not handled by the previous one. The 2.1 external API changes were hidden by a wrapper which is expected to keep the API backwards compatible. [André Malo]
  *) Add a hook (insert_error_filter) to allow filters to re-insert themselves during processing of error responses. Enable mod_expires to use the new hook to include Expires headers in valid error responses. This addresses an RFC violation. It fixes PRs 19794, 24884, and 25123. [Paul J. Reder]

  *) Add Polish translation of error messages. PR 25101. [Tomasz Kepczynski]
  *) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes, Bill Stoddard]
  *) Add mod_status hook to allow modules to add to the mod_status report. [Joe Orton]
  *) Fix htdbm to generate comment fields in DBM files correctly. [Justin Erenkrantz]
  *) mod_dav: Use bucket brigades when reading PUT data. This avoids problems if the data stream is modified by an input filter. PR 22104. [Tim Robbins, André Malo]
  *) Fix RewriteBase directive to not add double slashes. [André Malo]
  *) Improve 'configure --help' output for some modules. [Astrid Keßler]
  *) Correct UseCanonicalName Off to properly check incoming port number. [Jim Jagielski]
  *) Fix slow graceful restarts with prefork MPM. [Joe Orton]
  *) Fix a problem with namespace mappings being dropped in mod_dav_fs; if any property values were set which defined namespaces these came out mangled in the PROPFIND response. PR 11637. [Amit Athavale]

  *) mod_dav: Return a WWW-auth header for MOVE/COPY requests where the destination resource gives a 401. PR 15571. [Joe Orton]
  *) SECURITY: CVE-2003-0020 (cve.mitre.org) Escape arbitrary data before writing into the errorlog. Unescaped errorlogs are still possible using the compile time switch "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]
  *) mod_autoindex / core: Don't fail to show filenames containing special characters like '%'. PR 13598. [André Malo]
  *) mod_status: Report total CPU time accurately when using a threaded MPM. PR 23795. [Jeff Trawick]
  *) Fix memory leak in handling of request bodies during reverse proxy operations. PR 24991. [Larry Toppi]
  *) Win32 MPM: Implement MaxMemFree to enable setting an upper limit on the amount of storage used by the bucket brigades in each server thread. [Bill Stoddard]
  *) Modified the cache code to be header-location agnostic. Also fixed a number of other cache code bugs related to PR 15852. Includes a patch submitted by Sushma Rai. This fixes mod_mem_cache but not mod_disk_cache yet so I'm not closing the PR since that is what they are using. [Paul J. Reder]
  *) complain via error_log when mod_include's INCLUDES filter is enabled, but the relevant Options flag allowing the filter to run for the specific resource wasn't set, so that the filter won't silently get skipped. The filter then removes itself, so the warning will be logged only once. [Stas Bekman, Jeff Trawick, Bill Rowe]
  *) mod_info: HTML escape configuration information so it displays correctly. PR 24232. [Thom May]
  *) Restore the ability to add a description for directories that don't contain an index file. (Broken in 2.0.48) [André Malo]
  *) Fix a problem with the display of empty variables ("SetEnv foo") in mod_include. PR 24734 [Markus Julen]
  *) mod_log_config: Log the minutes component of the timezone correctly. PR 23642. [Hong-Gunn Chew]
  *) mod_proxy: Fix cases where an invalid status-line could be sent to the client. PR 23998. [Joe Orton]
  *) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL are also loaded. [Joe Orton]
  *) mod_ssl: Use human-readable OpenSSL error strings in logs; use thread-safe interface for retrieving error strings. [Joe Orton]
  *) mod_expires: Initialize ExpiresDefault to NULL instead of "" to avoid reporting an Internal Server error if it is used without having been set in the httpd.conf file. PR: 23748, 24459 [André Malo, Liam Quinn]

  *) mod_autoindex: Don't omit the start tag if the SuppressIcon option is set. PR 21668. [Jesse Tie-Ten-Quee]
  *) mod_include no longer allows an ETag header on 304 responses. PR 19355. [Geoffrey Young, André Malo]
  *) EBCDIC: Convert header fields to ASCII before sending (broken since 2.0.44). [Martin Kraemer]
  *) Fix the inability to log errors like exec failure in mod_ext_filter/mod_cgi script children. This was broken after such children stopped inheriting the error log handle. [Jeff Trawick]
  *) Fix mod_info to use the real config file name, not the default config file name. [Aryeh Katz]
  *) Set the scoreboard state to indicate logging prior to running logging hooks so that server-status will show 'L' for hung loggers instead of 'W'. [Jeff Trawick]

Changes with Apache 2.0.48

  *) SECURITY: CVE-2003-0789 (cve.mitre.org) mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script. [Jeff Trawick]
  *) SECURITY: CVE-2003-0542 (cve.mitre.org) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. [André Malo]
  *) mod_include: fix segfault which occurred if the filename was not set, for example, when processing some error conditions. PR 23836. [Brian Akins, André Malo]
  *) fix the config parser to support .. containers (no arguments in the opening tag) supported by httpd 1.3. Without this change mod_perl 2.0's sections are broken. ["Philippe M. Chiasson"]
  *) mod_cgid: fix a hash table corruption problem which could result in the wrong script being cleaned up at the end of a request. [Jeff Trawick]
  *) Update httpd-*.conf to be clearer in describing the connection between AddType and AddEncoding for defining the meaning of compressed file extensions. [Roy Fielding]
  *) mod_rewrite: Don't die silently when failing to open RewriteLogs. PR 23416. [André Malo]
  *) mod_rewrite: Fix mod_rewrite's support of the [P] option to send the rewritten request using "proxy:". The code was adding multiple "proxy:" fields in the rewritten URI. PR: 13946. [Eider Oliveira]
  *) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and expires as directed in RFC 2616. [Thomas Castelle]
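The CVE-2003-0542 entry above describes an overflow triggered by regular expressions with more than nine capture groups. The fixed-size match array is the thing to watch: the count handed to regexec() must be the array's capacity, never the number of groups the pattern declares, and every $N reference must be checked against what was actually captured. The following is an added example written for this page, not mod_alias or mod_rewrite code; it uses POSIX regex.h, a ten-slot array behind the assumed name MAX_CAPTURES standing in for the server's own limit, and a $N substitution syntax of its own.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example: slots for $0..$9, mirroring a
 * ten-entry match array. A pattern may declare more groups; the extra
 * ones are simply never stored. */
#define MAX_CAPTURES 10

/* Expand `tmpl` into `dst`, replacing $N with capture group N of `subject`
 * as recorded in pm[0..nmatch-1]. Returns 0 on success, -1 when a reference
 * names a slot that does not exist or did not take part in the match, or
 * when `dst` would overflow. */
int expand_backrefs(const char *tmpl, const char *subject,
                    const regmatch_t *pm, size_t nmatch,
                    char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        if (*p == '$' && p[1] >= '0' && p[1] <= '9') {
            size_t n = (size_t)(p[1] - '0');
            p++;                                   /* consume the digit */
            /* Bounds check: n must index a slot regexec() actually filled. */
            if (n >= nmatch || pm[n].rm_so < 0) return -1;
            size_t len = (size_t)(pm[n].rm_eo - pm[n].rm_so);
            if (o + len >= dstlen) return -1;
            memcpy(dst + o, subject + pm[n].rm_so, len);
            o += len;
        } else {
            if (o + 1 >= dstlen) return -1;
            dst[o++] = *p;
        }
    }
    dst[o] = '\0';
    return 0;
}

/* Compile `pattern` (POSIX extended syntax), match it against `subject`,
 * and expand `tmpl`. Returns 0 on success, 1 when the pattern does not
 * match, -1 on error (bad pattern, bad reference, short buffer). */
int rewrite_once(const char *pattern, const char *subject, const char *tmpl,
                 char *dst, size_t dstlen)
{
    regex_t re;
    regmatch_t pm[MAX_CAPTURES];
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0) return -1;
    /* The count passed to regexec() is the array's capacity, not
     * re.re_nsub + 1: a pattern with more groups than slots must not make
     * regexec() write past pm[]. POSIX sets unused slots to rm_so == -1. */
    rc = regexec(&re, subject, MAX_CAPTURES, pm, 0);
    regfree(&re);
    if (rc == REG_NOMATCH) return 1;
    if (rc != 0) return -1;
    return expand_backrefs(tmpl, subject, pm, MAX_CAPTURES, dst, dstlen);
}

int main(void)
{
    char out[128];
    /* Constructed sample: an eleven-group pattern still stays inside pm[],
     * and a reference to a group beyond the stored ones is refused. */
    int rc = rewrite_once("^(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)(k)$", "abcdefghijk",
                          "$9-$1", out, sizeof out);
    printf("rc=%d out=%s\n", rc, rc == 0 ? out : "");
    rc = rewrite_once("^/old/(.*)$", "/old/page.html", "/new/$2", out, sizeof out);
    printf("rc=%d (reference to a missing group)\n", rc);
    return 0;
}
```

The design point is that the two checks are independent: the regexec() call is bounded by the array size regardless of the pattern, and expand_backrefs() rejects references rather than trusting the template author to stay within what was captured.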

  *) Ensure that ssl-std.conf is generated at configure time, and switch to using the expanded config variables to work the same as httpd-std.conf PR: 19611 [Thom May]
  *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370 [Hartmut Keil]
  *) mod_autoindex: If a directory contains a file listed in the DirectoryIndex directive, the folder icon is no longer replaced by the icon of that file. PR 9587. [David Shane Holden]
  *) Fixed mod_usertrack to not get false positive matches on the user-tracking cookie's name. PR 16661. [Manni Wood]
  *) mod_cache: Fix the cache code so that responses can be cached if they have an Expires header but no Etag or Last-Modified headers. PR 23130. []
  *) mod_log_config: Fix %b log format to really write "-" when 0 bytes were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]
  *) Modify ap_get_client_block() to note if it has seen EOS. [Justin Erenkrantz]
  *) Fix a bug, where mod_deflate sometimes unconditionally compressed the content if the Accept-Encoding header contained only other tokens than "gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
  *) Avoid an infinite recursion, which occurred if the name of an included config file or directory contained a wildcard character. PR 22194. [André Malo]
  *) mod_ssl: Fix a problem setting variables that represent the client certificate chain. PR 21371 [Jeff Trawick]
  *) Unix: Handle permissions settings for flock-based mutexes in unixd_set_global|proc_mutex_perms(). Allow the functions to be called for any type of mutex. PR 20312 [Jeff Trawick]
  *) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
  *) Fix a misleading message from some of the threaded MPMs when MaxClients has to be lowered due to the setting of ServerLimit. [Jeff Trawick]
  *) Lower the severity of the "listener thread didn't exit" message to debug, as it is of interest only to developers. PR 9011 [Jeff Trawick]
  *) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting. [Cliff Woolley, Jean-Jacques Clar]
  *) Install config.nice into the build/ directory to make minor version upgrades easier. [Joshua Slive]

  *) Fix mod_deflate so that it does not call deflate() without checking first whether it has something to deflate. (Currently this causes deflate to generate a fatal error according to the zlib spec.) PR 22259. [Stas Bekman]
  *) mod_ssl: Fix FakeBasicAuth for subrequests. Log an error when an identity spoof is encountered. [Sander Striker]
  *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory containing the .htaccess file is requested without a trailing slash. PR 20195. [André Malo]
  *) ab: Overlong credentials given via command line no longer clobber the buffer. [André Malo]
  *) mod_deflate: Don't attempt to hold all of the response until we're done. [Justin Erenkrantz]
  *) Ensure that we block properly when reading input bodies with SSL. PR 19242. [David Deaves, William Rowe]
  *) Update mime.types to include latest IANA and W3C types. [Roy Fielding]
  *) mod_ext_filter: Set additional environment variables for use by the external filter. PR 20944. [Andrew Ho, Jeff Trawick]
  *) Fix buildconf errors when libtool version changes. [Jeff Trawick]
  *) Remember an authenticated user during internal redirects if the redirection target is not access protected and pass it to scripts using the REDIRECT_REMOTE_USER environment variable. PR 10678, 11602. [André Malo]
  *) mod_include: Fix a trio of bugs that would cause various unusual sequences of parsed bytes to omit portions of the output stream. PR 21095. [Ron Park, André Malo, Cliff Woolley]
  *) Update the header token parsing code to allow LWS between the token word and the ':' separator. [PR 16520] [Kris Verbeeck, Nicel KM]
  *) Eliminate creation of a temporary table in ap_get_mime_headers_core() [Joe Schaefer]
  *) Added FreeBSD directory layout. PR 21100. [Sander Holthaus, André Malo]
  *) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP response. PR 21085. [Glenn Nielsen, André Malo]
  *) mod_rewrite: Perform child initialization on the rewrite log lock. This fixes a log corruption issue when flock-based serialization is used (e.g., FreeBSD). [Jeff Trawick]
  *) Don't respect the Server header field as set by modules and CGIs. As with 1.3, for proxy requests any such field is from the origin server; otherwise it will have our server info as controlled by the ServerTokens directive. [Jeff Trawick]

Changes with Apache 2.0.47

  *) SECURITY: CVE-2003-0192 (cve.mitre.org) Fixed a bug whereby certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [Ben Laurie]
  *) SECURITY: CVE-2003-0253 (cve.mitre.org) Fixed a bug in prefork MPM causing temporary denial of service when accept() on a rarely accessed port returns certain errors. Reported by Saheed Akhtar. [Jeff Trawick]
  *) SECURITY: CVE-2003-0254 (cve.mitre.org) Fixed a bug in ftp proxy causing denial of service when target host is IPv6 but proxy server can't create IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo]
  *) SECURITY [VU#379828] Prevent the server from crashing when entering infinite loops. The new LimitInternalRecursion directive configures limits of subsequent internal redirects and nested subrequests, after which the request will be aborted. PR 19753 (and probably others). [William Rowe, Jeff Trawick, André Malo]
  *) core_output_filter: don't split the brigade after a FLUSH bucket if it's the last bucket. This prevents creating unnecessary empty brigades which may not be destroyed until the end of a keepalive connection. [Juan Rivera]
  *) Add support for "streamy" PROPFIND responses. [Ben Collins-Sussman]
  *) mod_cgid: Eliminate a double-close of a socket. This resolves various operational problems in a threaded MPM, since on the second attempt to close the socket, the same descriptor was often already in use by another thread for another purpose. [Jeff Trawick]
  *) mod_negotiation: Introduce "prefer-language" environment variable, which allows influencing the negotiation process on a per-request basis to prefer a certain language. [André Malo]
  *) Make mod_expires' ExpiresByType work properly, including for dynamically-generated documents. [Ken Coar, Bill Stoddard]

Changes with Apache 2.0.46

  *) SECURITY: CVE-2003-0245 (cve.mitre.org) Fixed a bug causing apr_pvsprintf() to crash by sending an overly long string. This can be triggered remotely through mod_dav, mod_ssl, and other mechanisms. Reported by David Endler. [Joe Orton]
  *) SECURITY: CVE-2003-0189 (cve.mitre.org) Fixed a denial-of-service vulnerability affecting basic authentication on Unix platforms related to thread-safety in apr_password_validate(). Reported by John Hughes.

  *) Fix for mod_dav. Call the 'can_be_activity' callback, if provided, when a MKACTIVITY request comes in. [Ben Collins-Sussman]
  *) Perform run-time query in apxs for apr and apr-util's includes. [Justin Erenkrantz]
  *) run libtool from the apr install directory (in case that is different from the apache install directory) [Jeff Trawick]
  *) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]
  *) If mod_mime_magic does not know the content-type, do not attempt to guess. PR 16908. [Andrew Gapon]
  *) ssl session caching (shmht): Fix a SEGV problem with SHMHT session caching. PR 17864. [Andreas Leimbacher, Madhusudan Mathihalli]
  *) Add a delete flag to htpasswd. [Thom May]
  *) Fix mod_rewrite's handling of absolute URIs. The escaping routines now work scheme-dependently and the query string will only be appended if supported by the particular scheme. [André Malo]
  *) Add another check for already compressed content in mod_deflate. PR 19913. [Tsuyoshi SASAMOTO]
  *) Fixes for VPATH builds; copying special.mk and any future .mk files from the source tree as well as the build tree (now creates a usable configuration for apxs), and eliminated redundant -I'nclude paths. [William Rowe]
  *) Code fixes, constness corrections and ssl_toolkit_compat.h updates for SSLC and OpenSSL toolkit compatibility. Still work remains to be done to cripple features based on the limitations of RSA's binary distribution of their SSL-C toolkit. [William Rowe, Madhusudan Mathihalli, Jeff Trawick]
  *) Linux 2.4+: If Apache is started as root and you code CoreDumpDirectory, coredumps are enabled via the prctl() syscall. [Greg Ames]
  *) ap_get_mime_headers_core: allocate space for the trailing null when folding is in effect. PR 18170 [Peter Mayne]
  *) Fix --enable-mods-shared=most and other variants. [Aaron Bannert]
  *) mod_log_config: Add the ability to log the id of the thread processing the request via new %P formats. [Jeff Trawick]
  *) Use appropriate language codes for Czech (cs) and Traditional Chinese (zh-tw) in default config files. PR 9427. [André Malo]
  *) mod_auth_ldap: Use generic whitespace character class when parsing "require" directives, instead of literal spaces only. PR 17135. [André Malo]

  *) Hook mod_rewrite's type checker before mod_mime's. That way the RewriteRule [T=...] flag should work as expected now. PR 19626. [André Malo]
  *) htpasswd: Check the processed file for validity. If a line is not empty and not a comment, it must contain at least one colon. Otherwise exit with error code 7. [Kris Verbeeck, Thom May]
  *) Fix a problem that caused httpd to be linked with incorrect flags on some platforms when mod_so was enabled by default, breaking DSOs on AIX. PR 19012 [Jeff Trawick]
  *) By default, use the same CC and CPP with which APR was built. The user can override with CC and CPP environment variables. [Jeff Trawick]
  *) Fix ap_construct_url() so that it surrounds IPv6 literal address strings with []. This fixes certain types of redirection. PR 19207. [Jeff Trawick]
  *) forward port of buffer overflow fixes for htdigest. [Thom May]
  *) Added AllowEncodedSlashes directive to permit control of whether the server will accept encoded slashes ('%2f') in the URI path. Default condition is off (the historical behaviour). This permits environments in which the path-info needs to contain encoded slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639. [Ken Coar]
  *) When using Redirect in directory context, append the requested query string if none is supplied by the configuration. PR 10961. [André Malo]
  *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise the pattern will not always match as desired. PR 12596. [André Malo]
  *) mod_autoindex now emits and accepts modern query string parameter delimiters (;). Thus column headers no longer contain unescaped ampersands. PR 10880 [André Malo]
  *) Enable ap_sock_disable_nagle for Windows. This along with the addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle to be disabled for Windows. [Allan Edwards]
  *) Correct a mis-correlation between mpm_common.c and mpm_common.h; This patch reverts us to pre-2.0.46 behavior, using the ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle was never compiled on Win32. [Allan Edwards, William Rowe]
  *) Fix a build problem with passing unsupported --enable-layout args to apr and apr-util. This broke binbuild.sh as well as user-specified layout parameters. PR 18649 [Justin Erenkrantz, Jeff Trawick]
  *) If a Date response header was already set in the headers array, this value was ignored in favour of the current time. This meant that Date headers on proxied requests were rewritten when they should not have been. PR: 14376 [Graham Leggett]
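The AllowEncodedSlashes entry above turns on a distinction that is easy to lose in a URL decoder: whether %2F becomes a path separator or is refused. The following is an added example written for this page, not httpd's ap_unescape_url(); the return codes and the rejection of a decoded NUL byte are this example's own choices, and allow_2f == 0 mirrors the historical default the entry describes, refusing the request instead of silently decoding the slash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this example (not httpd's). */
enum {
    DECODE_OK            = 0,
    DECODE_BAD_ESCAPE    = -1,  /* "%" not followed by two hex digits, or %00 */
    DECODE_ENCODED_SLASH = -2,  /* %2F seen while allow_2f == 0 */
    DECODE_TOO_LONG      = -3   /* dst cannot hold the result */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes of `path` into `dst`. With allow_2f == 0 an encoded
 * slash is refused so the caller can answer with an error instead of
 * treating it as a directory boundary; with allow_2f != 0 it decodes to '/'.
 * Decoding is done in one pass, so "%252F" yields the literal "%2F" and is
 * not decoded a second time. */
int unescape_path(const char *path, int allow_2f, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (const char *p = path; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return DECODE_BAD_ESCAPE;
            c = hi * 16 + lo;
            if (c == 0) return DECODE_BAD_ESCAPE;   /* %00 cannot be a path byte */
            if (c == '/' && !allow_2f) return DECODE_ENCODED_SLASH;
            p += 2;                                  /* skip the two hex digits */
        }
        if (o + 1 >= dstlen) return DECODE_TOO_LONG;
        dst[o++] = (char)c;
    }
    if (o >= dstlen) return DECODE_TOO_LONG;
    dst[o] = '\0';
    return DECODE_OK;
}

int main(void)
{
    /* Constructed sample paths, decoded under both settings. */
    const char *samples[] = { "/docs/a%20b.html", "/cgi-bin/x%2Fy", "/bad%zz" };
    char out[128];
    for (int allow = 0; allow <= 1; allow++) {
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
            int rc = unescape_path(samples[i], allow, out, sizeof out);
            printf("allow_2f=%d %-18s -> rc=%d %s\n", allow, samples[i], rc,
                   rc == DECODE_OK ? out : "");
        }
    }
    return 0;
}
```

The useful property for a reviewer is that the decision about %2F is made on the decoded byte, not on a string comparison against "%2F", so the lowercase form and any future alias are caught by the same check.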

  *) Add code to buildconf that produces an httpd.spec file from httpd.spec.in, using build/get-version.sh from APR. [Graham Leggett]
  *) Fixed a segfault when multiple ProxyBlock directives were used. PR: 19023 [Sami Tikka]
  *) SECURITY: CVE-2003-0134 (cve.mitre.org) OS2: Fix a Denial of Service vulnerability identified and reported by Robert Howard, where device names faulted the running OS2 worker process. The fix is actually in APR 0.9.4. [Brian Havard]
  *) SECURITY: CVE-2003-0083 (cve.mitre.org) Forward port: Escape special characters (especially control characters) in mod_log_config to make a clear distinction between client-supplied strings (with special characters) and server-side strings. This was already introduced in version 1.3.25. [André Malo]
  *) mod_deflate: Check also err_headers_out for an already set Content-Encoding: gzip header. This prevents gzip compressed content from a CGI script from being compressed once more. PR 17797. [André Malo]

Changes with Apache 2.0.45

  *) Fix possible segfaults under obscure error conditions within the cgid daemon. [Jeff Trawick, William Rowe]
  *) SECURITY: CVE-2003-0132 (cve.mitre.org) Close a Denial of Service vulnerability identified by David Endler on all platforms. An unlimited stream of newlines was acceptable between requests, where each would allocate an 80 byte buffer, leading very quickly to memory exhaustion. [Brian Pane]
  *) Added an rpm build script. [Graham Leggett, Joe Orton]
  *) Simpler, faster code path for request header scanning [Brian Pane]
  *) SECURITY: Eliminated leaks of several file descriptors to child processes, such as CGI scripts. This fix depends on the APR library release 0.9.2 or later (0.9.3 was distributed with the httpd source tarball for Apache 2.0.45.) PR 17206 [Christian Kratzer, Bjoern A. Zeeb]
  *) Fix path handling of mod_rewrite, especially on non-unix systems. There was some confusion between local paths and URL paths. PR 12902. [André Malo]
  *) Prevent endless loops of internal redirects in mod_rewrite by aborting after exceeding a limit of internal redirects. The limit defaults to 10 and can be changed using the RewriteOptions directive. PR 17462. [André Malo]
  *) Win32: Avoid busy wait (consuming all the CPU idle cycles) when all worker threads are busy. [Igor Nazarenko]
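The two log-escaping entries in this file, CVE-2003-0020 (error log, 2.0.49) and CVE-2003-0083 (mod_log_config, 2.0.46), share one defensive idea: a client-supplied string must not be able to emit bytes that a log reader would take for server-side structure, such as a line break that starts what looks like a new record. The following is an added example written for this page, not httpd's own ap_escape_logitem(); it assumes a C-style convention (\n, \r, \t, \\ and \" as two-character escapes, \xHH for every other byte outside printable ASCII) and a caller-supplied output buffer whose overflow is reported rather than silently truncated.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy `src` into `dst` so that every byte outside printable ASCII, plus
 * backslash and double quote, is rendered as an escape sequence. Returns
 * the number of bytes written (excluding the NUL), or -1 if `dst` is too
 * small. On success `dst` is always NUL-terminated. */
int escape_logitem(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        unsigned char c = *p;
        const char *rep = NULL;
        char buf[5];

        switch (c) {
        case '\n': rep = "\\n";  break;
        case '\r': rep = "\\r";  break;
        case '\t': rep = "\\t";  break;
        case '\\': rep = "\\\\"; break;
        case '"':  rep = "\\\""; break;
        default:
            /* Anything else outside 0x20..0x7e becomes \xHH, so a reader
             * can distinguish a literal "\n" typed by a client from a
             * line break the server itself wrote. */
            if (c < 0x20 || c >= 0x7f) {
                buf[0] = '\\'; buf[1] = 'x';
                buf[2] = hex[c >> 4]; buf[3] = hex[c & 0x0f]; buf[4] = '\0';
                rep = buf;
            }
            break;
        }

        if (rep) {
            size_t n = strlen(rep);
            if (o + n >= dstlen) return -1;
            memcpy(dst + o, rep, n);
            o += n;
        } else {
            if (o + 1 >= dstlen) return -1;
            dst[o++] = (char)c;
        }
    }
    if (o >= dstlen) return -1;
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: a User-Agent value carrying CR, LF and a DEL byte. */
    const char *ua = "Mozilla/5.0\r\n\x7f";
    char line[128];
    int n = escape_logitem(ua, line, sizeof line);
    if (n < 0) {
        fprintf(stderr, "buffer too small\n");
        return 1;
    }
    printf("escaped (%d bytes): %s\n", n, line);
    return 0;
}
```

Because the escaping is applied at the point where the string is written into the log record, it does not matter which request header or which module the bytes came from; the size check also means a pathological value cannot push the record past the buffer the caller provided.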

  *) Keep the subrequest filter in place when a subrequest is redirected. PR 15423. [Jeff Trawick]
  *) you can now specify the compres