httpd-cvs mailing list archives

From stri...@apache.org
Subject cvs commit: httpd-dist Announcement2.html Announcement2.txt HEADER.html README.html
Date Fri, 09 Aug 2002 19:17:54 GMT
striker     2002/08/09 12:17:54

  Modified:    .        Announcement2.html Announcement2.txt HEADER.html
                        README.html
  Log:
  Commit the announcement.
  
  Revision  Changes    Path
  1.22      +158 -290  httpd-dist/Announcement2.html
  
  Index: Announcement2.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/Announcement2.html,v
  retrieving revision 1.21
  retrieving revision 1.22
  diff -u -r1.21 -r1.22
  --- Announcement2.html	18 Jun 2002 22:20:07 -0000	1.21
  +++ Announcement2.html	9 Aug 2002 19:17:53 -0000	1.22
  @@ -14,21 +14,22 @@
   >
   <IMG SRC="../../images/apache_sub.gif" ALT="">
   
  -<H2 ALIGN="CENTER">Apache 2.0.39 Released</H2>
  +<H2 ALIGN="CENTER">Apache 2.0.40 Released</H2>
   
  -<p>The Apache HTTP Server Project is proud to announce the third public
  -release of Apache 2.0.  Apache 2.0 has been running on the Apache.org website 
  -since December of 2000 and has proven to be very reliable.</p>
  -
  -<p>This version of Apache is principally a security and bug fix
  -release.  A summary of the bug fixes is given at the end of this document.
  -Of particular note is that 2.0.39 addresses and fixes the issues noted
  -in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392">
  -CAN-2002-0392 (mitre.org)</a>
  -[<a href="http://www.cert.org/advisories/CA-2002-17.html">CERT VU#944335</a>]
  -regarding a vulnerability in the handling of chunked transfer encoding.
  -We would like to thank Mark Litchfield of ngssoftware.com for discovering
  -and reporting the vulnerability.</p>
  +<p>The Apache HTTP Server Project is proud to announce the fourth public
  +release of Apache 2.0.  Apache 2.0 has been running on the apache.org
  +website since December of 2000 and has proven to be very reliable.</p>
  +
  +<p>This version of Apache is principally a security and bug fix release.
  +A summary of the changes is given at the end of this document.  Of
  +particular note is that 2.0.40 fixes the serious vulnerability noted in
  +<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661">
  +CAN-2002-0661</a> and the pair of path exposures in
  +<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0654">
  +CAN-2002-0654</a> (mitre.org).
  +We would like to thank Auriemma Luigi <bugtest@sitoverde.com> for
  +discovering and reporting the vulnerability and one of the path exposures
  +and Jim Race <jrace@qualys.com> for reporting the other path exposure.</p>
   
   <p>Apache 2.0 offers numerous enhancements, improvements and performance
   boosts over the 1.3 codebase. The most visible and noteworthy addition
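
Review bot: The added thank-you sentence in the second <p> writes the reporters' addresses as raw "<bugtest@sitoverde.com>" and "<jrace@qualys.com>", which an HTML parser reads as unknown tags, so the addresses will not be displayed. Write them as "&lt;bugtest@sitoverde.com&gt;" and "&lt;jrace@qualys.com&gt;".
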
  @@ -41,8 +42,8 @@
   platform that supports IPv6.</p>
   
   <p>This version of Apache is known to work on many versions of Unix, BeOS,
  -OS/2, Windows, and Netware.  Because of many of the advancements in 
  -Apache 2.0, the initial release of Apache is expected to perform equally 
  +OS/2, Windows, and Netware.  Because of many of the advancements in
  +Apache 2.0, the initial release of Apache is expected to perform equally
   well on all supported platforms.</p>
   
   <p>There are new snapshots of the Apache httpd source available every 6
  @@ -52,326 +53,193 @@
   give it a spin on your platforms.</p>
   
   <p>Apache has been the most popular web server on the Internet since
  -April of 1996. The March 2002 WWW server site survey by Netcraft (see
  +April of 1996. The July 2002 Web Server Survey by Netcraft (see
   http://www.netcraft.com/survey/) found that more web servers were
  -using Apache than any other software; Apache runs on more than 54%
  +using Apache than any other software; Apache runs on more than 57%
   of the web servers on the Internet.</p>
   
   <p>For more information and to download the release tarballs, please
   visit http://httpd.apache.org/</p>
   
   
  -<h3>Changes since 2.0.36</h3>
  +<h3>Changes since 2.0.39</h3>
   
   <pre>
  -Changes with Apache 2.0.39
   
  -  *) Fixed a build problem in htpasswd.c on Win32.
  -     [Guenter Knauf &lt;eflash@gmx.net&gt;, Cliff Woolley]
  -
  -Changes with Apache 2.0.38
  -
  -  *) Rewrite htpasswd to use APR.  The removes the annoying warning about
  -     tmpnam being unsafe.   [Ryan Bloom]
  -
  -  *) We must set the MIME-type for .shtml files to text/html if we want them
  -     to be parsed for SSI tags.  Add the config for that to the default 
  -     config file so that it is easier to enable .shtml parsing.
  -     [Dave Dyer &lt;ddyer@real-me.net&gt;]
  -
  -  *) Fixed a problem with 'make install' on ReliantUnix.
  -     [Jean-frederic Clere &lt;jfrederic.clere@fujitsu-siemens.com&gt;]
  -
  -  *) Make the default_handler catch all requests that aren't served by
  -     another handler.  This also gets us to return a 404 if a directory
  -     is requested, there is no DirectoryIndex, and mod_autoindex isn't
  -     loaded.  [Justin Erenkrantz]
  -
  -  *) Fixed the handling of nested if-statements in shtml files.
  -     PR 9866  [Brian Pane]
  -
  -  *) Allow 'make install DESTDIR=/path'.  This allows packagers to install
  -     into a directory different from the one that was configured.  This 
  -     also mirrors the root= feature from 1.3.  We cannot use prefix=,
  -     because both APR and APR-util resolve their installation paths at 
  -     configuration time.  This means that there is no variable prefix 
  -     to replace.  [Andreas Hasenack &lt;andreas@netbank.com.br&gt;]
  -
  -  *) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.
  -     These levels of AIX don't have a thundering herd problem with
  -     accept().  [Jeff Trawick]
  -
  -  *) prefork MPM: Ignore mutex errors during graceful restart.  For
  -     certain types of mutexes (particularly SysV semaphores), we
  -     should expect to occasionally fail to obtain or release the
  -     mutex during restart processing.  [Jeff Trawick]
  -
  -  *) Fix install-bindist.sh so that it finds any perl instead of just
  -     early perl 5.x versions.  This is consistent with a build/install
  -     from source, and it allows the perl scripts installed by a bindist 
  -     to work on systems with perl 5.6.  [Jeff Trawick]
  -
  -  *) Fix apxs so that the makefile created by "apxs -g" works on AIX and
  -     Tru64 (and probably some other platforms).  [Jeff Trawick]
  -
  -  *) Allow CGI scripts to return their Content-Length.  This also fixes a
  -     hang on HEAD requests seen on certain platforms (such as FreeBSD).
  -     [Justin Erenkrantz]
  -
  -  *) Added log rotation based on file size to the RotateLog support
  -     utility. [Brad Nicholes]
  -
  -  *) Fix some casting in mod_rewrite which broke random maps.
  -     PR 9770  [Allan Edwards, Greg Ames, Jeff Trawick]
  -
  -Changes with Apache 2.0.37
  -
  -  *) allow POST method over SSL when per-directory client cert
  -     authentication is used with 'SSLOptions +OptRenegotiate' enabled
  -     and a client cert was found in the ssl session cache.
  -
  -  *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
  -     session cache when there is no cert chain in the cache.  prior to
  -     the fix this situation would result in a FORBIDDEN response and
  -     error message "Cannot find peer certificate chain"
  -     [Doug MacEachern]
  -
  -  *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
  -     one was already sent.  PR 9644  [Jeff Trawick]
  -
  -  *) Fix the display of the default name for the mime types config
  -     file.  PR 9729  [Matthew Brecknell &lt;mbrecknell@orchestream.com&gt;]
  -
  -  *) Fix the working directory *for WinNT/2K/XP services only* to
  -     change to the Apache directory (one level above the location 
  -     of Apache.exe, in the case that Apache.exe resides in bin/.)
  -     Solves the case of ServerRoot /foo paths where /foo was not
  -     on the same drive as /winnt/system32.  [William Rowe]
  -
  -  *) Make 2.0's "AcceptMutex" startup message now "completely"
  -     match how 1.3 does it. [Jim Jagielski]
  -
  -  *) Implement a fixed size memory cache using a priority queue
  -     [Ian Holsman]
  -
  -  *) Fix apxs to allow "apxs -q installbuilddir" and to allow
  -     querying certain other variables from config_vars.mk.  PR 9316  
  -     [Jeff Trawick]
  -
  -  *) Added the "detached" attribute to the cgi_exec_info_t internals
  -     so that Win32 and Netware won't create a new window or console
  -     for each CGI invoked.  PR 8387
  -     [Brad Nicholes, William Rowe]
  -
  -  *) Consolidated the command line parameters and attributes that are 
  -     manipulated by the optional function ap_cgi_build_command() in
  -     mod_cgi into a single structure.
  +  *) SECURITY: [CAN-2002-0661] Close a very significant security hole that
  +     applies only to the Win32, OS2 and Netware platforms.  Unix was not
  +     affected, Cygwin may be affected.  Certain URIs will bypass security
  +     and allow users to invoke or access any file depending on the system
  +     configuration.  Without upgrading, a single .conf change will close
  +     the vulnerability.  Add the following directive in the global server
  +     httpd.conf context before any other Alias or Redirect directives:
  +         RedirectMatch 400 "\\\.\."
  +     Reported by Auriemma Luigi <bugtest@sitoverde.com>.
        [Brad Nicholes]
   
  -  *) Get rid of uninitialized value errors with "apxs -q" on certain
  -     variables.  [Stas Bekman &lt;stas@stason.org&gt;]
  -
  -  *) Fix apxs to allow it to work when the build directory is somewhere
  -     besides server-root/build.  PR 8453  
  -     [Jeff Trawick and a host of others]
  -
  -  *) Allow ap_discard_request_body to be called multiple times in the
  -     same request.  Essentially, ap_http_filter keeps track of whether
  -     it has sent an EOS bucket up the stack, if so, it will only ever
  -     send an EOS bucket for this request.  
  -     [Ryan Bloom, Justin Erenkrantz, Greg Stein]
  -
  -  *) Remove all special mod_ssl URIs.  This also fixes the bug where
  -     redirecting (.*) will allow an SSL protected page to be viewed
  -     without SSL.  [Ryan Bloom]
  -
  -  *) Fix the binary build install script so that the build logic
  -     created by "apxs -g" will work when the user has a binary
  -     build.  [Jeff Trawick]
  -
  -  *) Allow instdso.sh to work with full paths to the shared module.
  -     [Justin Erenkrantz]
  -
  -  *) NetWare: Enabled CGI functionality and added mod_cgi as a built
  -     in module for NetWare  [Brad Nicholes]
  -
  -  *) Changed cgi and piped log behavior to accept 65536 characters
  -     on Win32 (matching Linux) before deadlocking between outputing
  -     client stdin, slurping the output from stdout and then the stderr
  -     stream.  PR 8179  [William Rowe]
  -
  -  *) Fixed Win32 wintty.exe support to assure the window title is valid.
  -     Elimiates possible gpfault or garbage title without the -t option.
  +  *) SECURITY:  Close a path-revealing exposure in multiview type
  +     map negotiation (such as the default error documents) where the
  +     module would report the full path of the typemapped .var file when
  +     multiple documents or no documents could be served based on the mime
  +     negotiation.  Reported by Auriemma Luigi <bugtest@sitoverde.com>.
  +     [CAN-2002-0654]  [William Rowe]
  +
  +  *) SECURITY:  Close a path-revealing exposure in cgi/cgid when we
  +     fail to invoke a script.  The modules would report "couldn't create
  +     child process /path-to-script/script.pl" revealing the full path
  +     of the script.  Reported by Jim Race <jrace@qualys.com>.
  +     [CAN-2002-0654]  [Bill Stoddard]
  +
  +  *) Set aside the apr-iconv and apr_xlate() features for the Win32
  +     build of 2.0.40 so development can be completed.  A patch, from
  +     <http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
  +     will be available for those that wish to work with apr-iconv.
        [William Rowe]
   
  -  *) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use
  -     brigades and input filters.  [Justin Erenkrantz]
  +  *) Fix proxy so that it is possible to access ftp: URLs via a proxy
  +     chain. [Peter Van Biesen <peter.vanbiesen@vlafo.be>]
   
  -  *) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request
  -     body.  [Justin Erenkrantz]
  -    
  -  *) NetWare: Piping log entries through RotateLogs using the 
  -     CustomLogs directive is finally supported now that we have 
  -     the pipes and spawning functionality working.
  -     [Brad Nicholes]
  -
  -  *) Detect overflow when reading the hex bytes forming a chunk line.
  -     [Aaron Bannert]
  -
  -  *) Allow RewriteMap prg:'s to take command-line arguments.  PR 8464.
  -     [James Tait &lt;JTait@wyrddreams.demon.co.uk&gt;]
  -
  -  *) Correctly return 413 when an invalid chunk size is given on
  -     input.  Also modify ap_discard_request_body to not do anything
  -     on sub-requests or when the connection will be dropped.
  -     [Justin Erenkrantz]
  -
  -  *) Fix the TIME_* SSL var lookups to be threadsafe.  PR 9469.
  -     [Cliff Woolley]
  -
  -  *) Ensure that apr_brigade_write() flushes in all of the cases that
  -     it should to avoid conditions in some modules that could cause
  -     large amounts of data to be buffered.  [Cliff Woolley]
  -
  -  *) Fix problem where mod_cache/mod_disk_cache was incorrectly
  -     stripping the content_type from cached responses.
  -     [Bill Stoddard]
  +  *) mod-deflate now checks to make sure that 'gzip-only-text/html' is
  +     set to 1, so we can exclude things from the general case with
  +     browsermatch. [Ian Holsman, Andre Schild <A.Schild@aarboard.ch>]
  +
  +  *) Accept multiple leading /'s for requests within the DocumentRoot.
  +     PR 10946  [William Rowe, David Shane Holden <dpejesh@yahoo.com>]
  +
  +  *) Solved the reports of .pdf byterange failures on Win32 alone.
  +     APR's sendfile for the win32 platform collapses header and trailer
  +     buffers into a single buffer.  However, we destroyed the pointers
  +     to the header buffer if a trailer buffer was present.  PR 10781
  +     [William Rowe]
   
  -  *) apachectl passes through any httpd options.  Note: apachectl
  -     should be used in preference to httpd since it ensures that any
  -     appropriate environment variables have been set up.
  +  *) mod_ext_filter: Add the ability to enable or disable a filter via
  +     an environment variable.  Add the ability to register a filter of
  +     type other than AP_FTYPE_RESOURCE.  [Jeff Trawick]
  +
  +  *) Restore the ability to specify host names on Listen directives.
  +     PR 11030.  [Jeff Trawick, David Shane Holden <dpejesh@yahoo.com>]
  +
  +  *) When deciding on the default address family for listening sockets,
  +     make sure we can actually bind to an AF_INET6 socket before
  +     deciding that we should default to AF_INET6.  This fixes a startup
  +     problem on certain levels of OpenUNIX.  PR 10235.  [Jeff Trawick]
  +
  +  *) Replace usage of atol() to parse strings when we might want a
  +     larger-than-long value with apr_atoll(), which returns long long.
  +     This allows HTTPD to deal with larger files correctly.
  +     [Shantonu Sen <ssen@apple.com>]
  +
  +  *) mod_ext_filter: Ignore any content-type parameters when checking if
  +     the response should be filtered.  Previously, "intype=text/html"
  +     wouldn't match something like "text/html;charset=8859_1".
        [Jeff Trawick]
   
  -  *) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.
  -     PR 7810  [Colm MacCarthaigh &lt;colmmacc@redbrick.dcu.ie&gt;]
  +  *) mod_ext_filter: Set up environment variables for external programs.
  +     [Craig Sebenik <craig@netapp.com>]
   
  -  *) Fix suexec execution of CGI scripts from mod_include.
  -     PR 7791, 8291  [Colm MacCarthaigh &lt;colmmacc@redbrick.dcu.ie&gt;]
  +  *) Modified the HTTP_IN filter to immediately append the EOS (end of
  +     stream) bucket for C-L POST bodies, saving a roundtrip and allowing
  +     the caller to determine that no content remains without prefetching
  +     additional POST body.  [William Rowe]
   
  -  *) Fix segfaults at startup on some platforms when mod_auth_digest,
  -     mod_suexec, or mod_ssl were used as DSO's due to the way they
  -     were tracking the current init phase since DSO's get completely
  -     unloaded and reloaded between phases.  PR 9413.
  -     [Tsuyoshi Sasamoto &lt;nazonazo@super.win.ne.jp&gt;, Brad Nicholes]
  +  *) Get proxy ftp to work over IPv6.  [Shoichi Sakane <sakane@kame.net>]
   
  -  *) Fix mod_include's handling of regular expressions in
  -     "&lt;!--#if" directives [Julius Gawlas &lt;julius_gawlas@hp.com&gt;]
  +  *) Look for OpenSSL libraries in /usr/lib64.  [Peter Poeml <poeml@suse.de>]
   
  -  *) Fix the worker MPM deadlock problem  [Brian Pane]
  +  *) Update SuSE layout.  [Peter Poeml <poeml@suse.de>]
   
  -  *) Modify the module documentation to allow for translations.
  -     [Yoshiki Hayashi, Joshua Slive]
  +  *) Changes to the internationalized error documents:
  +     Comment them out in the default config file to make the default
  +     install as simple as possible; Correct the english 500 error to
  +     be more understandable; Add a Swedish translation.
  +     [Thomas Sjogren <thomas@northernsecurity.net>,
  +      Erik Abele <erik@codefaktor.de>, Rich Bowen, Joshua Slive]
   
  -  *) Fix a file permissions problem which prevented mod_disk_cache
  -     from working on Unix.  [Jeff Trawick]
  +  *) Increase the limit on file descriptors per process in apachectl.
  +     [Brian Pane]
   
  -  *) Add "-k start|restart|graceful|stop" support to httpd for the Unix 
  -     MPMs.  These have semantics very similar to the old apachectl 
  -     commands of the same name.  [Justin Erenkrantz, Jeff Trawick]
  +  *) Fix a dependency error when building ApacheMonitor, so that Win32
  +     and MSVC now trust that the project is current (when it is).
  +     [James Cox <imajes@php.net>]
   
  -  *) Make sure that the runtime dir is created by make install.
  -     PR 9233.  [Jeff Trawick]
  -
  -  *) Fix an unusual set of ./configure arguments that could cause
  -     mod_http to be built as a DSO, which it currently doesn't
  -     support.  PR 9244.
  -     [Cliff Woolley, Robin Johnson &lt;robbat2@orbis-terrarum.net&gt;]
  -
  -  *) Win32: Fix bug in apr_sendfile() that caused incorrect operation
  -     of the %X, %b and %B logformat options. PR 8253, 8996.
  -     [Bill Stoddard]
  +  *) mod_ext_filter: don't segfault if content-type is not set.  PR 10617.
  +     [Arthur P. Smith <apsmith@aps.org>, Jeff Trawick]
   
  -  *) If content-encoding is already present, do not run deflate (PR 9222)
  -     [Kazuhisa ASADA &lt;kaz@asada.sytes.net&gt;]
  +  *) APR-Util Renames pending have been completed [Thom May]
   
  -  *) The APLOG_NOERRNO flag to ap_log_[r]error() is now deprecated.
  -     It is currently ignored and it will be removed in a future release
  -     of Apache.  [Jeff Trawick]
  +  *) Performance improvements for the code that reads request
  +     headers (ap_rgetline_core() and related functions)  [Brian Pane]
   
  -  *) Removed documentation references to the no-longer-supported
  -     "make certificate" feature of mod_ssl for Apache 1.3.x.  Test
  -     certificates, if truly desired, can be generated using openssl
  -     commands.  PR 8724.  [Cliff Woolley]
  +  *) Add a new directive: MaxMemFree.  MaxMemFree makes it possible
  +     to configure the maximum amount of memory the allocators will
  +     hold on to for reuse.  Anything over the MaxMemFree threshold
  +     will be free()d.  This directive is useful when uncommon large
  +     peaks occur in memory usage.  It should _not_ be used to mask
  +     defective modules' memory use.  [Sander Striker]
   
  -  *) Remove SSLLog and SSLLogLevel directives in favor of having
  -     mod_ssl use the standard ErrorLog directives.  [Justin Erenkrantz]
  +  *) Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
  +     scripts would not result in a truncated response.
  +     [Ryan Bloom, Justin Erenkrantz, Cliff Woolley]
   
  -  *) OS/390: LIBPATH no longer has to be manually uncommented in
  -     envvars to get apachectl to set up httpd properly.  [Jeff Trawick]
  +  *) Add a filter_init parameter to the filter registration functions
  +     so that a filter can execute arbitrary code before the handlers
  +     are invoked.  This resolves a problem where mod_include requests
  +     would incorrectly return a 304.  [Justin Erenkrantz]
   
  -  *) mod_isapi: All mod_isapi directives, excluding ISAPICacheFile,
  -     may now be specified to the &lt;File/Directory &gt; container, rather
  -     than by vhost.  [William Rowe]
  +  *) Fix a long-standing bug in 2.0, CGI scripts were being called
  +     with relative paths instead of absolute paths.  Apache 1.3 used
  +     absolute paths for everything except for SuExec, this brings back
  +     that standard.  [Ryan Bloom]
   
  -  *) mod_isapi: Experimental support for faux async support for ISAPI
  -     modules.  [William Rowe]
  +  *) Fix infinite loop due to two HTTP_IN filters being present for
  +     internally redirected requests.  PR 10146.  [Justin Erenkrantz]
   
  -  *) mod_isapi: Major refactoring of the code to rely on apr internals
  -     rather than MS APIs (using our own mod_isapi.h headers for ISAPI
  -     symbol definitions.)  [William Rowe]
  +  *) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
  +     [Justin Erenkrantz]
   
  -  *) mod_isapi: Fixed the return string length from GetServerVariable
  -     callback, it was not including the trailing null in the consumed
  -     buffer size.  This was particularly bad for Delphi 6.0 users.
  -     PR 8934  [Sebastian Hantsch &lt;sebastian.hantsch@gmx.de&gt;]
  +  *) Fix mod_ext_filter to look in the main server for filter definitions
  +     when running in a vhost if the filter definition is not found in
  +     the vhost.  PR 10147  [Jeff Trawick]
  +
  +  *) Support WinNT CGI invocation through ScriptInterpreterSource
  +     'registry' for script interpreter paths and names with non-ascii
  +     characters in the executable filepath.  [William Rowe]
   
  -  *) Fixed Win32 builds for Microsoft VisualStudio 7.0 (.net).
  +  *) Support the -w flag on to keep the Win32 console open on error.
        [William Rowe]
   
  -  *) Make apxs look in the correct directory for envvars.  It was
  -     broken when sbindir != bindir.  PR 8869
  -     [Andreas Sundström &lt;sunkan@zappa.cx&gt;]
  -  
  -  *) Fix mod_deflate corruption when using multiple buckets.  PR 9014.
  -     [Asada Kazuhisa &lt;kaz@asada.sytes.net&gt;]
  -
  -  *) Performance enhancements for access logger when using
  -     default timestamp formatting  [Brian Pane]
  -
  -  *) Added EnableMMAP config directive to enable the server
  -     administrator to disable memory-mapping of delivered files
  -     on a per-directory basis.  [Brian Pane]
  -
  -  *) Performance enhancements for mod_setenvif  [Brian Pane]
  -
  -  *) Fix a mod_ssl build problem on OS/390.  [Jeff Trawick]
  -
  -  *) Fixed If-Modified-Since on Win32, which would give false positives
  -     because of the sub-second resolution of file timestamps on that
  -     platform.  [Cliff Woolley]
  +  *) Normalize the hostname value in the request_rec to all-lowercase
  +     [Perry Harrington <pedward@webcom.com>]
   
  -  *) Reverse the hook ordering for mod_userdir and mod_alias so
  -     that Alias/ScriptAlias will override Userdir.  PR 8841
  -     [Joshua Slive]
  +  *) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
  +     extended characters (non US-ASCII) in non-utf8 format.  This brings
  +     Win32 back into CGI/1.1 compliance, and leaves charset decoding up
  +     to the cgi application itself.  [William Rowe]
   
  -  *) Move mod_deflate out of experimental and into filters.
  -     [Justin Erenkrantz]
  -
  -  *) Get proxy CONNECT basically working.  [Jeff Trawick]
  -
  -  *) Fix mod_rewrite hang when APR uses SysV Semaphores and
  -     RewriteLogLevel is set to anything other than 0.  PR: 8143
  -     [Aaron Bannert, Cliff Woolley]
  +  *) Major overhaul of mod_dav, mod_dav_fs and the experimental/cache
  +     modules to bring them up to the current apr/apr-util APIs.
  +     [William Rowe]
   
  -  *) Fix byterange requests from returning 416 when using dynamic data
  -     (such as filters like mod_include).  [Justin Erenkrantz]
  +  *) Fix segfault in mod_mem_cache most frequently observed when
  +     serving the same file to multiple clients on an MP machine.
  +     [Bill Stoddard]
   
  -  *) Allow mod_rewrite's set of "int:" internal RewriteMap functions
  -     to be extended by third-party modules via an optional function.
  -     [Tahiry Ramanamampanoharana &lt;nomentsoa@hotmail.com&gt;, Cliff Woolley]
  +  *) mod_rewrite can now set cookies  (RewriteRule (.*) - [CO=name:$1:.domain])
  +     [Brian Degenhardt <bmd@mp3.com>, Ian Holsman]
   
  -  *) Fix mod_include expression parser's handling of unquoted strings
  -     followed immediately by a closing paren.  PR 8462.  [Brian Pane]
  +  *) Fix perchild to work with apachectl by adding -k support to perchild.
  +     PR 10074  [Jeff Trawick]
   
  -  *) Remove autom4te.cache in 'make distclean'.
  -     [Thom May &lt;thom@planetarytramp.net&gt;]
  +  *) Fix a silly htpasswd.c logic error that incorrectly reported that
  +     both -c and -n had been used.  PR 9989  [Cliff Woolley]
   
  -  *) Fix generated httpd.conf to respect layout for LoadModule lines.
  -     PR 8170.  [Thom May &lt;thom@planetarytramp.net&gt;]
  +  *) Fixed a mod_include error case in which no HTTP response was sent
  +     to the client if an shtml document contained an unterminated SSI
  +     directive [Brian Pane]
   
  -  *) Win32: During a graceful restart, threads in the new process
  -     were accessing scoreboard slots still in use by active threads in 
  -     the the old process. [Bill Stoddard]
  +  *) Improve ap_get_client_block implementation by using APR-util brigade
  +     helper functions and relying on current filter assumptions.
  +     [Justin Erenkrantz]
   
   </pre>
   
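
Review bot: The credits added inside the <pre> block use raw angle brackets, e.g. "[Peter Van Biesen <peter.vanbiesen@vlafo.be>]", where the removed 2.0.37 to 2.0.39 entries used "&lt;...&gt;"; <pre> does not stop tag parsing, so these addresses, and the "<http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>" patch location in the apr-iconv entry, will drop out of the rendered page. Escape them as the earlier entries did. Two smaller points: "Support the -w flag on to keep the Win32 console open" is missing a word, and the two path-exposure entries put [CAN-2002-0654] after the reporter while the first entry puts [CAN-2002-0661] directly after SECURITY:, so leading all three with the identifier would make them easier to scan.
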
  
  
  
  1.19      +153 -288  httpd-dist/Announcement2.txt
  
  Index: Announcement2.txt
  ===================================================================
  RCS file: /home/cvs/httpd-dist/Announcement2.txt,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- Announcement2.txt	18 Jun 2002 04:52:41 -0000	1.18
  +++ Announcement2.txt	9 Aug 2002 19:17:53 -0000	1.19
  @@ -1,18 +1,18 @@
   
  -Apache 2.0.39 Released
  +Apache 2.0.40 Released
   ---------------------------------------------
   
  -The Apache HTTP Server Project is proud to announce the third public
  -release of Apache 2.0.  Apache 2.0 has been running on the Apache.org
  +The Apache HTTP Server Project is proud to announce the fourth public
  +release of Apache 2.0.  Apache 2.0 has been running on the apache.org
   website since December of 2000 and has proven to be very reliable.
   
  -This version of Apache is principally a security and bug fix
  -release.  A summary of the bug fixes is given at the end of this document.
  -Of particular note is that 2.0.39 addresses and fixes the issues noted
  -in CAN-2002-0392 (mitre.org) [CERT VU#944335] regarding a vulnerability
  -in the handling of chunked transfer encoding.  We would like to thank
  -Mark Litchfield of ngssoftware.com for discovering and reporting the
  -vulnerability.
  +This version of Apache is principally a security and bug fix release.
  +A summary of the changes is given at the end of this document.  Of
  +particular note is that 2.0.40 fixes the serious vulnerability noted in
  +CAN-2002-0661 and the pair of path exposures in CAN-2002-0654 (mitre.org).
  +We would like to thank Auriemma Luigi <bugtest@sitoverde.com> for
  +discovering and reporting the vulnerability and one of the path exposures
  +and Jim Race <jrace@qualys.com> for reporting the other path exposure.
   
   Apache 2.0 offers numerous enhancements, improvements and performance
   boosts over the 1.3 codebase. The most visible and noteworthy addition
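
Review bot: The rewritten summary paragraph refers to CAN-2002-0661 only as "the serious vulnerability" and does not say that it applies only to Win32, OS2 and Netware, or that a single RedirectMatch directive closes it without upgrading; as visible here, both facts appear in the first changelog entry of Announcement2.html. A clause in this paragraph naming the affected platforms and pointing at the workaround would let administrators triage from the opening of the announcement.
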
  @@ -25,8 +25,8 @@
   platform that supports IPv6.
   
   This version of Apache is known to work on many versions of Unix, BeOS,
  -OS/2, Windows, and Netware.  Because of many of the advancements in 
  -Apache 2.0, the initial release of Apache is expected to perform equally 
  +OS/2, Windows, and Netware.  Because of many of the advancements in
  +Apache 2.0, the initial release of Apache is expected to perform equally
   well on all supported platforms.
   
   There are new snapshots of the Apache httpd source available every 6
  @@ -36,324 +36,189 @@
   give it a spin on your platforms.
   
   Apache has been the most popular web server on the Internet since
  -April of 1996. The March 2002 WWW server site survey by Netcraft (see
  +April of 1996. The July 2002 Web Server Survey by Netcraft (see
   http://www.netcraft.com/survey/) found that more web servers were
  -using Apache than any other software; Apache runs on more than 54%
  +using Apache than any other software; Apache runs on more than 57%
   of the web servers on the Internet.
   
   For more information and to download the release tarballs, please
   visit http://httpd.apache.org/
   
   
  -Changes since 2.0.36
  +Changes since 2.0.39
   ---------------------------------------------
   
  -Changes with Apache 2.0.39
  -
  -  *) Fixed a build problem in htpasswd.c on Win32.
  -     [Guenter Knauf <eflash@gmx.net>, Cliff Woolley]
  -
  -Changes with Apache 2.0.38
  -
  -  *) Rewrite htpasswd to use APR.  The removes the annoying warning about
  -     tmpnam being unsafe.   [Ryan Bloom]
  -
  -  *) We must set the MIME-type for .shtml files to text/html if we want them
  -     to be parsed for SSI tags.  Add the config for that to the default 
  -     config file so that it is easier to enable .shtml parsing.
  -     [Dave Dyer <ddyer@real-me.net>]
  -
  -  *) Fixed a problem with 'make install' on ReliantUnix.
  -     [Jean-frederic Clere <jfrederic.clere@fujitsu-siemens.com>]
  -
  -  *) Make the default_handler catch all requests that aren't served by
  -     another handler.  This also gets us to return a 404 if a directory
  -     is requested, there is no DirectoryIndex, and mod_autoindex isn't
  -     loaded.  [Justin Erenkrantz]
  -
  -  *) Fixed the handling of nested if-statements in shtml files.
  -     PR 9866  [Brian Pane]
  -
  -  *) Allow 'make install DESTDIR=/path'.  This allows packagers to install
  -     into a directory different from the one that was configured.  This 
  -     also mirrors the root= feature from 1.3.  We cannot use prefix=,
  -     because both APR and APR-util resolve their installation paths at 
  -     configuration time.  This means that there is no variable prefix 
  -     to replace.  [Andreas Hasenack <andreas@netbank.com.br>]
  -
  -  *) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.
  -     These levels of AIX don't have a thundering herd problem with
  -     accept().  [Jeff Trawick]
  -
  -  *) prefork MPM: Ignore mutex errors during graceful restart.  For
  -     certain types of mutexes (particularly SysV semaphores), we
  -     should expect to occasionally fail to obtain or release the
  -     mutex during restart processing.  [Jeff Trawick]
  -
  -  *) Fix install-bindist.sh so that it finds any perl instead of just
  -     early perl 5.x versions.  This is consistent with a build/install
  -     from source, and it allows the perl scripts installed by a bindist 
  -     to work on systems with perl 5.6.  [Jeff Trawick]
  -
  -  *) Fix apxs so that the makefile created by "apxs -g" works on AIX and
  -     Tru64 (and probably some other platforms).  [Jeff Trawick]
  -
  -  *) Allow CGI scripts to return their Content-Length.  This also fixes a
  -     hang on HEAD requests seen on certain platforms (such as FreeBSD).
  -     [Justin Erenkrantz]
  -
  -  *) Added log rotation based on file size to the RotateLog support
  -     utility. [Brad Nicholes]
  -
  -  *) Fix some casting in mod_rewrite which broke random maps.
  -     PR 9770  [Allan Edwards, Greg Ames, Jeff Trawick]
  -
  -Changes with Apache 2.0.37
  -
  -  *) allow POST method over SSL when per-directory client cert
  -     authentication is used with 'SSLOptions +OptRenegotiate' enabled
  -     and a client cert was found in the ssl session cache.
  -
  -  *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
  -     session cache when there is no cert chain in the cache.  prior to
  -     the fix this situation would result in a FORBIDDEN response and
  -     error message "Cannot find peer certificate chain"
  -     [Doug MacEachern]
  -
  -  *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
  -     one was already sent.  PR 9644  [Jeff Trawick]
  -
  -  *) Fix the display of the default name for the mime types config
  -     file.  PR 9729  [Matthew Brecknell <mbrecknell@orchestream.com>]
  -
  -  *) Fix the working directory *for WinNT/2K/XP services only* to
  -     change to the Apache directory (one level above the location 
  -     of Apache.exe, in the case that Apache.exe resides in bin/.)
  -     Solves the case of ServerRoot /foo paths where /foo was not
  -     on the same drive as /winnt/system32.  [William Rowe]
  -
  -  *) Make 2.0's "AcceptMutex" startup message now "completely"
  -     match how 1.3 does it. [Jim Jagielski]
  -
  -  *) Implement a fixed size memory cache using a priority queue
  -     [Ian Holsman]
  -
  -  *) Fix apxs to allow "apxs -q installbuilddir" and to allow
  -     querying certain other variables from config_vars.mk.  PR 9316  
  -     [Jeff Trawick]
  -
  -  *) Added the "detached" attribute to the cgi_exec_info_t internals
  -     so that Win32 and Netware won't create a new window or console
  -     for each CGI invoked.  PR 8387
  -     [Brad Nicholes, William Rowe]
  -
  -  *) Consolidated the command line parameters and attributes that are 
  -     manipulated by the optional function ap_cgi_build_command() in
  -     mod_cgi into a single structure.
  +  *) SECURITY: [CAN-2002-0661] Close a very significant security hole that
  +     applies only to the Win32, OS2 and Netware platforms.  Unix was not
  +     affected, Cygwin may be affected.  Certain URIs will bypass security
  +     and allow users to invoke or access any file depending on the system
  +     configuration.  Without upgrading, a single .conf change will close
  +     the vulnerability.  Add the following directive in the global server
  +     httpd.conf context before any other Alias or Redirect directives:
  +         RedirectMatch 400 "\\\.\."
  +     Reported by Auriemma Luigi <bugtest@sitoverde.com>.
        [Brad Nicholes]
   
  -  *) Get rid of uninitialized value errors with "apxs -q" on certain
  -     variables.  [Stas Bekman <stas@stason.org>]
  -
  -  *) Fix apxs to allow it to work when the build directory is somewhere
  -     besides server-root/build.  PR 8453  
  -     [Jeff Trawick and a host of others]
  -
  -  *) Allow ap_discard_request_body to be called multiple times in the
  -     same request.  Essentially, ap_http_filter keeps track of whether
  -     it has sent an EOS bucket up the stack, if so, it will only ever
  -     send an EOS bucket for this request.  
  -     [Ryan Bloom, Justin Erenkrantz, Greg Stein]
  -
  -  *) Remove all special mod_ssl URIs.  This also fixes the bug where
  -     redirecting (.*) will allow an SSL protected page to be viewed
  -     without SSL.  [Ryan Bloom]
  -
  -  *) Fix the binary build install script so that the build logic
  -     created by "apxs -g" will work when the user has a binary
  -     build.  [Jeff Trawick]
  -
  -  *) Allow instdso.sh to work with full paths to the shared module.
  -     [Justin Erenkrantz]
  -
  -  *) NetWare: Enabled CGI functionality and added mod_cgi as a built
  -     in module for NetWare  [Brad Nicholes]
  -
  -  *) Changed cgi and piped log behavior to accept 65536 characters
  -     on Win32 (matching Linux) before deadlocking between outputing
  -     client stdin, slurping the output from stdout and then the stderr
  -     stream.  PR 8179  [William Rowe]
  -
  -  *) Fixed Win32 wintty.exe support to assure the window title is valid.
  -     Elimiates possible gpfault or garbage title without the -t option.
  +  *) SECURITY:  Close a path-revealing exposure in multiview type
  +     map negotiation (such as the default error documents) where the
  +     module would report the full path of the typemapped .var file when
  +     multiple documents or no documents could be served based on the mime
  +     negotiation.  Reported by Auriemma Luigi <bugtest@sitoverde.com>.
  +     [CAN-2002-0654]  [William Rowe]
  +
  +  *) SECURITY:  Close a path-revealing exposure in cgi/cgid when we
  +     fail to invoke a script.  The modules would report "couldn't create
  +     child process /path-to-script/script.pl" revealing the full path
  +     of the script.  Reported by Jim Race <jrace@qualys.com>.
  +     [CAN-2002-0654]  [Bill Stoddard]
  +
  +  *) Set aside the apr-iconv and apr_xlate() features for the Win32
  +     build of 2.0.40 so development can be completed.  A patch, from
  +     <http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
  +     will be available for those that wish to work with apr-iconv.
        [William Rowe]
   
  -  *) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use
  -     brigades and input filters.  [Justin Erenkrantz]
  +  *) Fix proxy so that it is possible to access ftp: URLs via a proxy
  +     chain. [Peter Van Biesen <peter.vanbiesen@vlafo.be>]
   
  -  *) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request
  -     body.  [Justin Erenkrantz]
  -    
  -  *) NetWare: Piping log entries through RotateLogs using the 
  -     CustomLogs directive is finally supported now that we have 
  -     the pipes and spawning functionality working.
  -     [Brad Nicholes]
  -
  -  *) Detect overflow when reading the hex bytes forming a chunk line.
  -     [Aaron Bannert]
  -
  -  *) Allow RewriteMap prg:'s to take command-line arguments.  PR 8464.
  -     [James Tait <JTait@wyrddreams.demon.co.uk>]
  -
  -  *) Correctly return 413 when an invalid chunk size is given on
  -     input.  Also modify ap_discard_request_body to not do anything
  -     on sub-requests or when the connection will be dropped.
  -     [Justin Erenkrantz]
  -
  -  *) Fix the TIME_* SSL var lookups to be threadsafe.  PR 9469.
  -     [Cliff Woolley]
  -
  -  *) Ensure that apr_brigade_write() flushes in all of the cases that
  -     it should to avoid conditions in some modules that could cause
  -     large amounts of data to be buffered.  [Cliff Woolley]
  -
  -  *) Fix problem where mod_cache/mod_disk_cache was incorrectly
  -     stripping the content_type from cached responses.
  -     [Bill Stoddard]
  +  *) mod-deflate now checks to make sure that 'gzip-only-text/html' is
  +     set to 1, so we can exclude things from the general case with
  +     browsermatch. [Ian Holsman, Andre Schild <A.Schild@aarboard.ch>]
  +
  +  *) Accept multiple leading /'s for requests within the DocumentRoot.
  +     PR 10946  [William Rowe, David Shane Holden <dpejesh@yahoo.com>]
  +
  +  *) Solved the reports of .pdf byterange failures on Win32 alone.
  +     APR's sendfile for the win32 platform collapses header and trailer
  +     buffers into a single buffer.  However, we destroyed the pointers
  +     to the header buffer if a trailer buffer was present.  PR 10781
  +     [William Rowe]
   
  -  *) apachectl passes through any httpd options.  Note: apachectl
  -     should be used in preference to httpd since it ensures that any
  -     appropriate environment variables have been set up.
  +  *) mod_ext_filter: Add the ability to enable or disable a filter via
  +     an environment variable.  Add the ability to register a filter of
  +     type other than AP_FTYPE_RESOURCE.  [Jeff Trawick]
  +
  +  *) Restore the ability to specify host names on Listen directives.
  +     PR 11030.  [Jeff Trawick, David Shane Holden <dpejesh@yahoo.com>]
  +
  +  *) When deciding on the default address family for listening sockets,
  +     make sure we can actually bind to an AF_INET6 socket before
  +     deciding that we should default to AF_INET6.  This fixes a startup
  +     problem on certain levels of OpenUNIX.  PR 10235.  [Jeff Trawick]
  +
  +  *) Replace usage of atol() to parse strings when we might want a
  +     larger-than-long value with apr_atoll(), which returns long long.
  +     This allows HTTPD to deal with larger files correctly.
  +     [Shantonu Sen <ssen@apple.com>]
  +
  +  *) mod_ext_filter: Ignore any content-type parameters when checking if
  +     the response should be filtered.  Previously, "intype=text/html"
  +     wouldn't match something like "text/html;charset=8859_1".
        [Jeff Trawick]
   
  -  *) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.
  -     PR 7810  [Colm MacCarthaigh <colmmacc@redbrick.dcu.ie>]
  -
  -  *) Fix suexec execution of CGI scripts from mod_include.
  -     PR 7791, 8291  [Colm MacCarthaigh <colmmacc@redbrick.dcu.ie>]
  +  *) mod_ext_filter: Set up environment variables for external programs.
  +     [Craig Sebenik <craig@netapp.com>]
   
  -  *) Fix segfaults at startup on some platforms when mod_auth_digest,
  -     mod_suexec, or mod_ssl were used as DSO's due to the way they
  -     were tracking the current init phase since DSO's get completely
  -     unloaded and reloaded between phases.  PR 9413.
  -     [Tsuyoshi Sasamoto <nazonazo@super.win.ne.jp>, Brad Nicholes]
  +  *) Modified the HTTP_IN filter to immediately append the EOS (end of
  +     stream) bucket for C-L POST bodies, saving a roundtrip and allowing
  +     the caller to determine that no content remains without prefetching
  +     additional POST body.  [William Rowe]
   
  -  *) Fix mod_include's handling of regular expressions in
  -     "<!--#if" directives [Julius Gawlas <julius_gawlas@hp.com>]
  +  *) Get proxy ftp to work over IPv6.  [Shoichi Sakane <sakane@kame.net>]
   
  -  *) Fix the worker MPM deadlock problem  [Brian Pane]
  +  *) Look for OpenSSL libraries in /usr/lib64.  [Peter Poeml <poeml@suse.de>]
   
  -  *) Modify the module documentation to allow for translations.
  -     [Yoshiki Hayashi, Joshua Slive]
  +  *) Update SuSE layout.  [Peter Poeml <poeml@suse.de>]
   
  -  *) Fix a file permissions problem which prevented mod_disk_cache
  -     from working on Unix.  [Jeff Trawick]
  +  *) Changes to the internationalized error documents:
  +     Comment them out in the default config file to make the default
  +     install as simple as possible; Correct the english 500 error to
  +     be more understandable; Add a Swedish translation.
  +     [Thomas Sjogren <thomas@northernsecurity.net>,
  +      Erik Abele <erik@codefaktor.de>, Rich Bowen, Joshua Slive]
   
  -  *) Add "-k start|restart|graceful|stop" support to httpd for the Unix 
  -     MPMs.  These have semantics very similar to the old apachectl 
  -     commands of the same name.  [Justin Erenkrantz, Jeff Trawick]
  +  *) Increase the limit on file descriptors per process in apachectl.
  +     [Brian Pane]
   
  -  *) Make sure that the runtime dir is created by make install.
  -     PR 9233.  [Jeff Trawick]
  +  *) Fix a dependency error when building ApacheMonitor, so that Win32
  +     and MSVC now trust that the project is current (when it is).
  +     [James Cox <imajes@php.net>]
   
  -  *) Fix an unusual set of ./configure arguments that could cause
  -     mod_http to be built as a DSO, which it currently doesn't
  -     support.  PR 9244.
  -     [Cliff Woolley, Robin Johnson <robbat2@orbis-terrarum.net>]
  +  *) mod_ext_filter: don't segfault if content-type is not set.  PR 10617.
  +     [Arthur P. Smith <apsmith@aps.org>, Jeff Trawick]
   
  -  *) Win32: Fix bug in apr_sendfile() that caused incorrect operation
  -     of the %X, %b and %B logformat options. PR 8253, 8996.
  -     [Bill Stoddard]
  -
  -  *) If content-encoding is already present, do not run deflate (PR 9222)
  -     [Kazuhisa ASADA <kaz@asada.sytes.net>]
  +  *) APR-Util Renames pending have been completed [Thom May]
   
  -  *) The APLOG_NOERRNO flag to ap_log_[r]error() is now deprecated.
  -     It is currently ignored and it will be removed in a future release
  -     of Apache.  [Jeff Trawick]
  +  *) Performance improvements for the code that reads request
  +     headers (ap_rgetline_core() and related functions)  [Brian Pane]
   
  -  *) Removed documentation references to the no-longer-supported
  -     "make certificate" feature of mod_ssl for Apache 1.3.x.  Test
  -     certificates, if truly desired, can be generated using openssl
  -     commands.  PR 8724.  [Cliff Woolley]
  +  *) Add a new directive: MaxMemFree.  MaxMemFree makes it possible
  +     to configure the maximum amount of memory the allocators will
  +     hold on to for reuse.  Anything over the MaxMemFree threshold
  +     will be free()d.  This directive is useful when uncommon large
  +     peaks occur in memory usage.  It should _not_ be used to mask
  +     defective modules' memory use.  [Sander Striker]
   
  -  *) Remove SSLLog and SSLLogLevel directives in favor of having
  -     mod_ssl use the standard ErrorLog directives.  [Justin Erenkrantz]
  +  *) Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
  +     scripts would not result in a truncated response.
  +     [Ryan Bloom, Justin Erenkrantz, Cliff Woolley]
   
  -  *) OS/390: LIBPATH no longer has to be manually uncommented in
  -     envvars to get apachectl to set up httpd properly.  [Jeff Trawick]
  +  *) Add a filter_init parameter to the filter registration functions
  +     so that a filter can execute arbitrary code before the handlers
  +     are invoked.  This resolves a problem where mod_include requests
  +     would incorrectly return a 304.  [Justin Erenkrantz]
   
  -  *) mod_isapi: All mod_isapi directives, excluding ISAPICacheFile,
  -     may now be specified to the <File/Directory > container, rather
  -     than by vhost.  [William Rowe]
  +  *) Fix a long-standing bug in 2.0, CGI scripts were being called
  +     with relative paths instead of absolute paths.  Apache 1.3 used
  +     absolute paths for everything except for SuExec, this brings back
  +     that standard.  [Ryan Bloom]
   
  -  *) mod_isapi: Experimental support for faux async support for ISAPI
  -     modules.  [William Rowe]
  +  *) Fix infinite loop due to two HTTP_IN filters being present for
  +     internally redirected requests.  PR 10146.  [Justin Erenkrantz]
   
  -  *) mod_isapi: Major refactoring of the code to rely on apr internals
  -     rather than MS APIs (using our own mod_isapi.h headers for ISAPI
  -     symbol definitions.)  [William Rowe]
  +  *) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
  +     [Justin Erenkrantz]
   
  -  *) mod_isapi: Fixed the return string length from GetServerVariable
  -     callback, it was not including the trailing null in the consumed
  -     buffer size.  This was particularly bad for Delphi 6.0 users.
  -     PR 8934  [Sebastian Hantsch <sebastian.hantsch@gmx.de>]
  +  *) Fix mod_ext_filter to look in the main server for filter definitions
  +     when running in a vhost if the filter definition is not found in
  +     the vhost.  PR 10147  [Jeff Trawick]
  +
  +  *) Support WinNT CGI invocation through ScriptInterpreterSource
  +     'registry' for script interpreter paths and names with non-ascii
  +     characters in the executable filepath.  [William Rowe]
   
  -  *) Fixed Win32 builds for Microsoft VisualStudio 7.0 (.net).
  +  *) Support the -w flag on to keep the Win32 console open on error.
        [William Rowe]
   
  -  *) Make apxs look in the correct directory for envvars.  It was
  -     broken when sbindir != bindir.  PR 8869
  -     [Andreas Sundström <sunkan@zappa.cx>]
  -  
  -  *) Fix mod_deflate corruption when using multiple buckets.  PR 9014.
  -     [Asada Kazuhisa <kaz@asada.sytes.net>]
  +  *) Normalize the hostname value in the request_rec to all-lowercase
  +     [Perry Harrington <pedward@webcom.com>]
   
  -  *) Performance enhancements for access logger when using
  -     default timestamp formatting  [Brian Pane]
  +  *) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
  +     extended characters (non US-ASCII) in non-utf8 format.  This brings
  +     Win32 back into CGI/1.1 compliance, and leaves charset decoding up
  +     to the cgi application itself.  [William Rowe]
   
  -  *) Added EnableMMAP config directive to enable the server
  -     administrator to disable memory-mapping of delivered files
  -     on a per-directory basis.  [Brian Pane]
  -
  -  *) Performance enhancements for mod_setenvif  [Brian Pane]
  -
  -  *) Fix a mod_ssl build problem on OS/390.  [Jeff Trawick]
  -
  -  *) Fixed If-Modified-Since on Win32, which would give false positives
  -     because of the sub-second resolution of file timestamps on that
  -     platform.  [Cliff Woolley]
  -
  -  *) Reverse the hook ordering for mod_userdir and mod_alias so
  -     that Alias/ScriptAlias will override Userdir.  PR 8841
  -     [Joshua Slive]
  -
  -  *) Move mod_deflate out of experimental and into filters.
  -     [Justin Erenkrantz]
  -
  -  *) Get proxy CONNECT basically working.  [Jeff Trawick]
  -
  -  *) Fix mod_rewrite hang when APR uses SysV Semaphores and
  -     RewriteLogLevel is set to anything other than 0.  PR: 8143
  -     [Aaron Bannert, Cliff Woolley]
  -
  -  *) Fix byterange requests from returning 416 when using dynamic data
  -     (such as filters like mod_include).  [Justin Erenkrantz]
  +  *) Major overhaul of mod_dav, mod_dav_fs and the experimental/cache
  +     modules to bring them up to the current apr/apr-util APIs.
  +     [William Rowe]
   
  -  *) Allow mod_rewrite's set of "int:" internal RewriteMap functions
  -     to be extended by third-party modules via an optional function.
  -     [Tahiry Ramanamampanoharana <nomentsoa@hotmail.com>, Cliff Woolley]
  +  *) Fix segfault in mod_mem_cache most frequently observed when
  +     serving the same file to multiple clients on an MP machine.
  +     [Bill Stoddard]
   
  -  *) Fix mod_include expression parser's handling of unquoted strings
  -     followed immediately by a closing paren.  PR 8462.  [Brian Pane]
  +  *) mod_rewrite can now set cookies  (RewriteRule (.*) - [CO=name:$1:.domain])
  +     [Brian Degenhardt <bmd@mp3.com>, Ian Holsman]
   
  -  *) Remove autom4te.cache in 'make distclean'.
  -     [Thom May <thom@planetarytramp.net>]
  +  *) Fix perchild to work with apachectl by adding -k support to perchild.
  +     PR 10074  [Jeff Trawick]
   
  -  *) Fix generated httpd.conf to respect layout for LoadModule lines.
  -     PR 8170.  [Thom May <thom@planetarytramp.net>]
  +  *) Fix a silly htpasswd.c logic error that incorrectly reported that
  +     both -c and -n had been used.  PR 9989  [Cliff Woolley]
   
  -  *) Win32: During a graceful restart, threads in the new process
  -     were accessing scoreboard slots still in use by active threads in 
  -     the the old process. [Bill Stoddard]
  +  *) Fixed a mod_include error case in which no HTTP response was sent
  +     to the client if an shtml document contained an unterminated SSI
  +     directive [Brian Pane]
   
  +  *) Improve ap_get_client_block implementation by using APR-util brigade
  +     helper functions and relying on current filter assumptions.
  +     [Justin Erenkrantz]
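
Review bot: The CAN-2002-0661 entry prints the workaround directive RedirectMatch 400 "\\\.\." without saying which URIs the expression rejects or which earlier 2.0 releases need it, so an administrator on Win32, OS2 or Netware cannot check from this text that the directive is in place and doing its job. Suggest adding one sentence that states what the pattern is meant to match and names the affected versions. The advisory id is also placed inconsistently: "[CAN-2002-0661]" follows "SECURITY:" in this entry, while both path-revealing entries put "[CAN-2002-0654]" at the end before the author; pick one position. Two wording fixes in the added lines: "Support the -w flag on to keep the Win32 console open on error" is missing a word after "on", and "mod-deflate" should read "mod_deflate" to match the module names in the other entries.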
  
  
  
  1.27      +1 -1      httpd-dist/HEADER.html
  
  Index: HEADER.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/HEADER.html,v
  retrieving revision 1.26
  retrieving revision 1.27
  diff -u -r1.26 -r1.27
  --- HEADER.html	18 Jun 2002 18:25:02 -0000	1.26
  +++ HEADER.html	9 Aug 2002 19:17:53 -0000	1.27
  @@ -12,7 +12,7 @@
   <ul>
   <li><a href="#mirrors">Download from your nearest mirror site!</a></li>
   <li><a href="#binaries">Binary Releases</a></li>
  -<li><a href="#apache20">Apache 2.0.39 is the best available version.</a></li>
  +<li><a href="#apache20">Apache 2.0.40 is the best available version.</a></li>
   <li><a href="#apache13">Apache 1.3.26 is also available.</a></li>
   <li><a href="#sig">PGP Signatures</a></li>
   <li><a href="#patches">Official Patches</a></li>
  
  
  
  1.23      +4 -4      httpd-dist/README.html
  
  Index: README.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/README.html,v
  retrieving revision 1.22
  retrieving revision 1.23
  diff -u -r1.22 -r1.23
  --- README.html	18 Jun 2002 18:25:02 -0000	1.22
  +++ README.html	9 Aug 2002 19:17:53 -0000	1.23
  @@ -12,7 +12,7 @@
      Every binary distribution contains an install script. See README 
      for details.</p>
   
  -<h2><a name="apache20"><a href="Announcement2.html">Apache 2.0.39</a> 
  +<h2><a name="apache20"><a href="Announcement2.html">Apache 2.0.40</a> 
       is the best available version.</a></h2>
   
   <p>This release fixes a security problem as described in our recent
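
Review bot: The context line "This release fixes a security problem as described in our recent" is left unchanged under a heading that now reads 2.0.40, so the paragraph it opens was written for 2.0.39. Check that the advisory it goes on to cite is the one for this release (the announcement in this commit lists CAN-2002-0661 and CAN-2002-0654) and update it in the same commit if it is not. Separately, the heading nests an "a href" element inside the "a name" anchor; closing the named anchor before the link would avoid nested anchors.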
  @@ -26,11 +26,11 @@
      attempt to upgrade from Apache 1.3.</p>
   
   <p>For details see the <A HREF="Announcement2.html">Official Announcement</A>.
  -   Check <a href="patches/apply_to_2.0.39/">here</a> to see if any patches 
  +   Check <a href="patches/apply_to_2.0.40/">here</a> to see if any patches 
      or other special instructions are necessary for building or running 
  -   Apache 2.0.39 on your platform.</p>
  +   Apache 2.0.40 on your platform.</p>
   
  -<p>Note the -win32.zip version of Apache 2.0.39 is nearly identical to the
  +<p>Note the -win32.zip version of Apache 2.0.40 is nearly identical to the
      .tar.gz version.  However, it offers sources in DOS/Windows CR/LF text
      and includes the Win32 .mak files.</p>
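
Review bot: The "Check here" link now targets patches/apply_to_2.0.40/, and the announcement in this same commit says the apr-iconv patch "will be available" from that directory, so the link may go live before the directory has any content. Confirm the directory exists on the distribution site, even if empty, before this is published; otherwise the README points Win32 users at a missing page.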
   
  
  
  
