httpd-cvs mailing list archives

From jwool...@apache.org
Subject cvs commit: httpd-site/xdocs Announcement index.xml
Date Fri, 09 Aug 2002 20:02:33 GMT
jwoolley    2002/08/09 13:02:33

  Modified:    docs     Announcement index.html
               docs/contributors index.html
               xdocs    Announcement index.xml
  Log:
  update for 2.0.40 release
  
  (I hope the transforms didn't break too bad :-( )
  
  Revision  Changes    Path
  1.12      +153 -288  httpd-site/docs/Announcement
  
  Index: Announcement
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/Announcement,v
  retrieving revision 1.11
  retrieving revision 1.12
  diff -u -d -u -r1.11 -r1.12
  --- Announcement	18 Jun 2002 04:52:58 -0000	1.11
  +++ Announcement	9 Aug 2002 20:02:32 -0000	1.12
  @@ -1,18 +1,18 @@
   
  -Apache 2.0.39 Released
  +Apache 2.0.40 Released
   ---------------------------------------------
   
  -The Apache HTTP Server Project is proud to announce the third public
  -release of Apache 2.0.  Apache 2.0 has been running on the Apache.org
  +The Apache HTTP Server Project is proud to announce the fourth public
  +release of Apache 2.0.  Apache 2.0 has been running on the apache.org
   website since December of 2000 and has proven to be very reliable.
   
  -This version of Apache is principally a security and bug fix
  -release.  A summary of the bug fixes is given at the end of this document.
  -Of particular note is that 2.0.39 addresses and fixes the issues noted
  -in CAN-2002-0392 (mitre.org) [CERT VU#944335] regarding a vulnerability
  -in the handling of chunked transfer encoding.  We would like to thank
  -Mark Litchfield of ngssoftware.com for discovering and reporting the
  -vulnerability.
  +This version of Apache is principally a security and bug fix release.
  +A summary of the changes is given at the end of this document.  Of
  +particular note is that 2.0.40 fixes the serious vulnerability noted in
  +CAN-2002-0661 and the pair of path exposures in CAN-2002-0654 (mitre.org).
  +We would like to thank Auriemma Luigi <bugtest@sitoverde.com> for
  +discovering and reporting the vulnerability and one of the path exposures
  +and Jim Race <jrace@qualys.com> for reporting the other path exposure.
   
   Apache 2.0 offers numerous enhancements, improvements and performance
   boosts over the 1.3 codebase. The most visible and noteworthy addition
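Review bot: The new intro paragraph (the lines starting "particular note is that 2.0.40 fixes") calls CAN-2002-0661 a "serious vulnerability" but gives no platform scope, so a reader has to reach the changelog entry further down to learn that it "applies only to the Win32, OS2 and Netware platforms". Suggest stating that scope here and pointing at the RedirectMatch workaround, since this paragraph is what administrators read first when deciding how urgently to upgrade. The thanks sentence would also read more clearly with a comma before "and Jim Race".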
  @@ -25,8 +25,8 @@
   platform that supports IPv6.
   
   This version of Apache is known to work on many versions of Unix, BeOS,
  -OS/2, Windows, and Netware.  Because of many of the advancements in 
  -Apache 2.0, the initial release of Apache is expected to perform equally 
  +OS/2, Windows, and Netware.  Because of many of the advancements in
  +Apache 2.0, the initial release of Apache is expected to perform equally
   well on all supported platforms.
   
   There are new snapshots of the Apache httpd source available every 6
  @@ -36,324 +36,189 @@
   give it a spin on your platforms.
   
   Apache has been the most popular web server on the Internet since
  -April of 1996. The March 2002 WWW server site survey by Netcraft (see
  +April of 1996. The July 2002 Web Server Survey by Netcraft (see
   http://www.netcraft.com/survey/) found that more web servers were
  -using Apache than any other software; Apache runs on more than 54%
  +using Apache than any other software; Apache runs on more than 57%
   of the web servers on the Internet.
   
   For more information and to download the release tarballs, please
   visit http://httpd.apache.org/
   
   
  -Changes since 2.0.36
  +Changes since 2.0.39
   ---------------------------------------------
   
  -Changes with Apache 2.0.39
  -
  -  *) Fixed a build problem in htpasswd.c on Win32.
  -     [Guenter Knauf <eflash@gmx.net>, Cliff Woolley]
  -
  -Changes with Apache 2.0.38
  -
  -  *) Rewrite htpasswd to use APR.  The removes the annoying warning about
  -     tmpnam being unsafe.   [Ryan Bloom]
  -
  -  *) We must set the MIME-type for .shtml files to text/html if we want them
  -     to be parsed for SSI tags.  Add the config for that to the default 
  -     config file so that it is easier to enable .shtml parsing.
  -     [Dave Dyer <ddyer@real-me.net>]
  -
  -  *) Fixed a problem with 'make install' on ReliantUnix.
  -     [Jean-frederic Clere <jfrederic.clere@fujitsu-siemens.com>]
  -
  -  *) Make the default_handler catch all requests that aren't served by
  -     another handler.  This also gets us to return a 404 if a directory
  -     is requested, there is no DirectoryIndex, and mod_autoindex isn't
  -     loaded.  [Justin Erenkrantz]
  -
  -  *) Fixed the handling of nested if-statements in shtml files.
  -     PR 9866  [Brian Pane]
  -
  -  *) Allow 'make install DESTDIR=/path'.  This allows packagers to install
  -     into a directory different from the one that was configured.  This 
  -     also mirrors the root= feature from 1.3.  We cannot use prefix=,
  -     because both APR and APR-util resolve their installation paths at 
  -     configuration time.  This means that there is no variable prefix 
  -     to replace.  [Andreas Hasenack <andreas@netbank.com.br>]
  -
  -  *) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.
  -     These levels of AIX don't have a thundering herd problem with
  -     accept().  [Jeff Trawick]
  -
  -  *) prefork MPM: Ignore mutex errors during graceful restart.  For
  -     certain types of mutexes (particularly SysV semaphores), we
  -     should expect to occasionally fail to obtain or release the
  -     mutex during restart processing.  [Jeff Trawick]
  -
  -  *) Fix install-bindist.sh so that it finds any perl instead of just
  -     early perl 5.x versions.  This is consistent with a build/install
  -     from source, and it allows the perl scripts installed by a bindist 
  -     to work on systems with perl 5.6.  [Jeff Trawick]
  -
  -  *) Fix apxs so that the makefile created by "apxs -g" works on AIX and
  -     Tru64 (and probably some other platforms).  [Jeff Trawick]
  -
  -  *) Allow CGI scripts to return their Content-Length.  This also fixes a
  -     hang on HEAD requests seen on certain platforms (such as FreeBSD).
  -     [Justin Erenkrantz]
  -
  -  *) Added log rotation based on file size to the RotateLog support
  -     utility. [Brad Nicholes]
  -
  -  *) Fix some casting in mod_rewrite which broke random maps.
  -     PR 9770  [Allan Edwards, Greg Ames, Jeff Trawick]
  -
  -Changes with Apache 2.0.37
  -
  -  *) allow POST method over SSL when per-directory client cert
  -     authentication is used with 'SSLOptions +OptRenegotiate' enabled
  -     and a client cert was found in the ssl session cache.
  -
  -  *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
  -     session cache when there is no cert chain in the cache.  prior to
  -     the fix this situation would result in a FORBIDDEN response and
  -     error message "Cannot find peer certificate chain"
  -     [Doug MacEachern]
  -
  -  *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
  -     one was already sent.  PR 9644  [Jeff Trawick]
  -
  -  *) Fix the display of the default name for the mime types config
  -     file.  PR 9729  [Matthew Brecknell <mbrecknell@orchestream.com>]
  -
  -  *) Fix the working directory *for WinNT/2K/XP services only* to
  -     change to the Apache directory (one level above the location 
  -     of Apache.exe, in the case that Apache.exe resides in bin/.)
  -     Solves the case of ServerRoot /foo paths where /foo was not
  -     on the same drive as /winnt/system32.  [William Rowe]
  -
  -  *) Make 2.0's "AcceptMutex" startup message now "completely"
  -     match how 1.3 does it. [Jim Jagielski]
  -
  -  *) Implement a fixed size memory cache using a priority queue
  -     [Ian Holsman]
  -
  -  *) Fix apxs to allow "apxs -q installbuilddir" and to allow
  -     querying certain other variables from config_vars.mk.  PR 9316  
  -     [Jeff Trawick]
  -
  -  *) Added the "detached" attribute to the cgi_exec_info_t internals
  -     so that Win32 and Netware won't create a new window or console
  -     for each CGI invoked.  PR 8387
  -     [Brad Nicholes, William Rowe]
  -
  -  *) Consolidated the command line parameters and attributes that are 
  -     manipulated by the optional function ap_cgi_build_command() in
  -     mod_cgi into a single structure.
  +  *) SECURITY: [CAN-2002-0661] Close a very significant security hole that
  +     applies only to the Win32, OS2 and Netware platforms.  Unix was not
  +     affected, Cygwin may be affected.  Certain URIs will bypass security
  +     and allow users to invoke or access any file depending on the system
  +     configuration.  Without upgrading, a single .conf change will close
  +     the vulnerability.  Add the following directive in the global server
  +     httpd.conf context before any other Alias or Redirect directives:
  +         RedirectMatch 400 "\\\.\."
  +     Reported by Auriemma Luigi <bugtest@sitoverde.com>.
        [Brad Nicholes]
   
  -  *) Get rid of uninitialized value errors with "apxs -q" on certain
  -     variables.  [Stas Bekman <stas@stason.org>]
  -
  -  *) Fix apxs to allow it to work when the build directory is somewhere
  -     besides server-root/build.  PR 8453  
  -     [Jeff Trawick and a host of others]
  -
  -  *) Allow ap_discard_request_body to be called multiple times in the
  -     same request.  Essentially, ap_http_filter keeps track of whether
  -     it has sent an EOS bucket up the stack, if so, it will only ever
  -     send an EOS bucket for this request.  
  -     [Ryan Bloom, Justin Erenkrantz, Greg Stein]
  -
  -  *) Remove all special mod_ssl URIs.  This also fixes the bug where
  -     redirecting (.*) will allow an SSL protected page to be viewed
  -     without SSL.  [Ryan Bloom]
  -
  -  *) Fix the binary build install script so that the build logic
  -     created by "apxs -g" will work when the user has a binary
  -     build.  [Jeff Trawick]
  -
  -  *) Allow instdso.sh to work with full paths to the shared module.
  -     [Justin Erenkrantz]
  -
  -  *) NetWare: Enabled CGI functionality and added mod_cgi as a built
  -     in module for NetWare  [Brad Nicholes]
  +  *) SECURITY:  Close a path-revealing exposure in multiview type
  +     map negotiation (such as the default error documents) where the
  +     module would report the full path of the typemapped .var file when
  +     multiple documents or no documents could be served based on the mime
  +     negotiation.  Reported by Auriemma Luigi <bugtest@sitoverde.com>.
  +     [CAN-2002-0654]  [William Rowe]
   
  -  *) Changed cgi and piped log behavior to accept 65536 characters
  -     on Win32 (matching Linux) before deadlocking between outputing
  -     client stdin, slurping the output from stdout and then the stderr
  -     stream.  PR 8179  [William Rowe]
  +  *) SECURITY:  Close a path-revealing exposure in cgi/cgid when we
  +     fail to invoke a script.  The modules would report "couldn't create
  +     child process /path-to-script/script.pl" revealing the full path
  +     of the script.  Reported by Jim Race <jrace@qualys.com>.
  +     [CAN-2002-0654]  [Bill Stoddard]
   
  -  *) Fixed Win32 wintty.exe support to assure the window title is valid.
  -     Elimiates possible gpfault or garbage title without the -t option.
  +  *) Set aside the apr-iconv and apr_xlate() features for the Win32
  +     build of 2.0.40 so development can be completed.  A patch, from
  +     <http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
  +     will be available for those that wish to work with apr-iconv.
        [William Rowe]
   
  -  *) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use
  -     brigades and input filters.  [Justin Erenkrantz]
  +  *) Fix proxy so that it is possible to access ftp: URLs via a proxy
  +     chain. [Peter Van Biesen <peter.vanbiesen@vlafo.be>]
   
  -  *) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request
  -     body.  [Justin Erenkrantz]
  -    
  -  *) NetWare: Piping log entries through RotateLogs using the 
  -     CustomLogs directive is finally supported now that we have 
  -     the pipes and spawning functionality working.
  -     [Brad Nicholes]
  +  *) mod-deflate now checks to make sure that 'gzip-only-text/html' is
  +     set to 1, so we can exclude things from the general case with
  +     browsermatch. [Ian Holsman, Andre Schild <A.Schild@aarboard.ch>]
   
  -  *) Detect overflow when reading the hex bytes forming a chunk line.
  -     [Aaron Bannert]
  +  *) Accept multiple leading /'s for requests within the DocumentRoot.
  +     PR 10946  [William Rowe, David Shane Holden <dpejesh@yahoo.com>]
   
  -  *) Allow RewriteMap prg:'s to take command-line arguments.  PR 8464.
  -     [James Tait <JTait@wyrddreams.demon.co.uk>]
  +  *) Solved the reports of .pdf byterange failures on Win32 alone.
  +     APR's sendfile for the win32 platform collapses header and trailer
  +     buffers into a single buffer.  However, we destroyed the pointers
  +     to the header buffer if a trailer buffer was present.  PR 10781
  +     [William Rowe]
   
  -  *) Correctly return 413 when an invalid chunk size is given on
  -     input.  Also modify ap_discard_request_body to not do anything
  -     on sub-requests or when the connection will be dropped.
  -     [Justin Erenkrantz]
  +  *) mod_ext_filter: Add the ability to enable or disable a filter via
  +     an environment variable.  Add the ability to register a filter of
  +     type other than AP_FTYPE_RESOURCE.  [Jeff Trawick]
   
  -  *) Fix the TIME_* SSL var lookups to be threadsafe.  PR 9469.
  -     [Cliff Woolley]
  +  *) Restore the ability to specify host names on Listen directives.
  +     PR 11030.  [Jeff Trawick, David Shane Holden <dpejesh@yahoo.com>]
   
  -  *) Ensure that apr_brigade_write() flushes in all of the cases that
  -     it should to avoid conditions in some modules that could cause
  -     large amounts of data to be buffered.  [Cliff Woolley]
  +  *) When deciding on the default address family for listening sockets,
  +     make sure we can actually bind to an AF_INET6 socket before
  +     deciding that we should default to AF_INET6.  This fixes a startup
  +     problem on certain levels of OpenUNIX.  PR 10235.  [Jeff Trawick]
   
  -  *) Fix problem where mod_cache/mod_disk_cache was incorrectly
  -     stripping the content_type from cached responses.
  -     [Bill Stoddard]
  +  *) Replace usage of atol() to parse strings when we might want a
  +     larger-than-long value with apr_atoll(), which returns long long.
  +     This allows HTTPD to deal with larger files correctly.
  +     [Shantonu Sen <ssen@apple.com>]
   
  -  *) apachectl passes through any httpd options.  Note: apachectl
  -     should be used in preference to httpd since it ensures that any
  -     appropriate environment variables have been set up.
  +  *) mod_ext_filter: Ignore any content-type parameters when checking if
  +     the response should be filtered.  Previously, "intype=text/html"
  +     wouldn't match something like "text/html;charset=8859_1".
        [Jeff Trawick]
   
  -  *) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.
  -     PR 7810  [Colm MacCarthaigh <colmmacc@redbrick.dcu.ie>]
  -
  -  *) Fix suexec execution of CGI scripts from mod_include.
  -     PR 7791, 8291  [Colm MacCarthaigh <colmmacc@redbrick.dcu.ie>]
  +  *) mod_ext_filter: Set up environment variables for external programs.
  +     [Craig Sebenik <craig@netapp.com>]
   
  -  *) Fix segfaults at startup on some platforms when mod_auth_digest,
  -     mod_suexec, or mod_ssl were used as DSO's due to the way they
  -     were tracking the current init phase since DSO's get completely
  -     unloaded and reloaded between phases.  PR 9413.
  -     [Tsuyoshi Sasamoto <nazonazo@super.win.ne.jp>, Brad Nicholes]
  +  *) Modified the HTTP_IN filter to immediately append the EOS (end of
  +     stream) bucket for C-L POST bodies, saving a roundtrip and allowing
  +     the caller to determine that no content remains without prefetching
  +     additional POST body.  [William Rowe]
   
  -  *) Fix mod_include's handling of regular expressions in
  -     "<!--#if" directives [Julius Gawlas <julius_gawlas@hp.com>]
  +  *) Get proxy ftp to work over IPv6.  [Shoichi Sakane <sakane@kame.net>]
   
  -  *) Fix the worker MPM deadlock problem  [Brian Pane]
  +  *) Look for OpenSSL libraries in /usr/lib64.  [Peter Poeml <poeml@suse.de>]
   
  -  *) Modify the module documentation to allow for translations.
  -     [Yoshiki Hayashi, Joshua Slive]
  +  *) Update SuSE layout.  [Peter Poeml <poeml@suse.de>]
   
  -  *) Fix a file permissions problem which prevented mod_disk_cache
  -     from working on Unix.  [Jeff Trawick]
  +  *) Changes to the internationalized error documents:
  +     Comment them out in the default config file to make the default
  +     install as simple as possible; Correct the english 500 error to
  +     be more understandable; Add a Swedish translation.
  +     [Thomas Sjogren <thomas@northernsecurity.net>,
  +      Erik Abele <erik@codefaktor.de>, Rich Bowen, Joshua Slive]
   
  -  *) Add "-k start|restart|graceful|stop" support to httpd for the Unix 
  -     MPMs.  These have semantics very similar to the old apachectl 
  -     commands of the same name.  [Justin Erenkrantz, Jeff Trawick]
  +  *) Increase the limit on file descriptors per process in apachectl.
  +     [Brian Pane]
   
  -  *) Make sure that the runtime dir is created by make install.
  -     PR 9233.  [Jeff Trawick]
  +  *) Fix a dependency error when building ApacheMonitor, so that Win32
  +     and MSVC now trust that the project is current (when it is).
  +     [James Cox <imajes@php.net>]
   
  -  *) Fix an unusual set of ./configure arguments that could cause
  -     mod_http to be built as a DSO, which it currently doesn't
  -     support.  PR 9244.
  -     [Cliff Woolley, Robin Johnson <robbat2@orbis-terrarum.net>]
  +  *) mod_ext_filter: don't segfault if content-type is not set.  PR 10617.
  +     [Arthur P. Smith <apsmith@aps.org>, Jeff Trawick]
   
  -  *) Win32: Fix bug in apr_sendfile() that caused incorrect operation
  -     of the %X, %b and %B logformat options. PR 8253, 8996.
  -     [Bill Stoddard]
  +  *) APR-Util Renames pending have been completed [Thom May]
   
  -  *) If content-encoding is already present, do not run deflate (PR 9222)
  -     [Kazuhisa ASADA <kaz@asada.sytes.net>]
  +  *) Performance improvements for the code that reads request
  +     headers (ap_rgetline_core() and related functions)  [Brian Pane]
   
  -  *) The APLOG_NOERRNO flag to ap_log_[r]error() is now deprecated.
  -     It is currently ignored and it will be removed in a future release
  -     of Apache.  [Jeff Trawick]
  +  *) Add a new directive: MaxMemFree.  MaxMemFree makes it possible
  +     to configure the maximum amount of memory the allocators will
  +     hold on to for reuse.  Anything over the MaxMemFree threshold
  +     will be free()d.  This directive is useful when uncommon large
  +     peaks occur in memory usage.  It should _not_ be used to mask
  +     defective modules' memory use.  [Sander Striker]
   
  -  *) Removed documentation references to the no-longer-supported
  -     "make certificate" feature of mod_ssl for Apache 1.3.x.  Test
  -     certificates, if truly desired, can be generated using openssl
  -     commands.  PR 8724.  [Cliff Woolley]
  +  *) Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
  +     scripts would not result in a truncated response.
  +     [Ryan Bloom, Justin Erenkrantz, Cliff Woolley]
   
  -  *) Remove SSLLog and SSLLogLevel directives in favor of having
  -     mod_ssl use the standard ErrorLog directives.  [Justin Erenkrantz]
  +  *) Add a filter_init parameter to the filter registration functions
  +     so that a filter can execute arbitrary code before the handlers
  +     are invoked.  This resolves a problem where mod_include requests
  +     would incorrectly return a 304.  [Justin Erenkrantz]
   
  -  *) OS/390: LIBPATH no longer has to be manually uncommented in
  -     envvars to get apachectl to set up httpd properly.  [Jeff Trawick]
  +  *) Fix a long-standing bug in 2.0, CGI scripts were being called
  +     with relative paths instead of absolute paths.  Apache 1.3 used
  +     absolute paths for everything except for SuExec, this brings back
  +     that standard.  [Ryan Bloom]
   
  -  *) mod_isapi: All mod_isapi directives, excluding ISAPICacheFile,
  -     may now be specified to the <File/Directory > container, rather
  -     than by vhost.  [William Rowe]
  +  *) Fix infinite loop due to two HTTP_IN filters being present for
  +     internally redirected requests.  PR 10146.  [Justin Erenkrantz]
   
  -  *) mod_isapi: Experimental support for faux async support for ISAPI
  -     modules.  [William Rowe]
  +  *) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
  +     [Justin Erenkrantz]
   
  -  *) mod_isapi: Major refactoring of the code to rely on apr internals
  -     rather than MS APIs (using our own mod_isapi.h headers for ISAPI
  -     symbol definitions.)  [William Rowe]
  +  *) Fix mod_ext_filter to look in the main server for filter definitions
  +     when running in a vhost if the filter definition is not found in
  +     the vhost.  PR 10147  [Jeff Trawick]
   
  -  *) mod_isapi: Fixed the return string length from GetServerVariable
  -     callback, it was not including the trailing null in the consumed
  -     buffer size.  This was particularly bad for Delphi 6.0 users.
  -     PR 8934  [Sebastian Hantsch <sebastian.hantsch@gmx.de>]
  +  *) Support WinNT CGI invocation through ScriptInterpreterSource
  +     'registry' for script interpreter paths and names with non-ascii
  +     characters in the executable filepath.  [William Rowe]
   
  -  *) Fixed Win32 builds for Microsoft VisualStudio 7.0 (.net).
  +  *) Support the -w flag on to keep the Win32 console open on error.
        [William Rowe]
   
  -  *) Make apxs look in the correct directory for envvars.  It was
  -     broken when sbindir != bindir.  PR 8869
  -     [Andreas Sundström <sunkan@zappa.cx>]
  -  
  -  *) Fix mod_deflate corruption when using multiple buckets.  PR 9014.
  -     [Asada Kazuhisa <kaz@asada.sytes.net>]
  -
  -  *) Performance enhancements for access logger when using
  -     default timestamp formatting  [Brian Pane]
  -
  -  *) Added EnableMMAP config directive to enable the server
  -     administrator to disable memory-mapping of delivered files
  -     on a per-directory basis.  [Brian Pane]
  -
  -  *) Performance enhancements for mod_setenvif  [Brian Pane]
  -
  -  *) Fix a mod_ssl build problem on OS/390.  [Jeff Trawick]
  -
  -  *) Fixed If-Modified-Since on Win32, which would give false positives
  -     because of the sub-second resolution of file timestamps on that
  -     platform.  [Cliff Woolley]
  -
  -  *) Reverse the hook ordering for mod_userdir and mod_alias so
  -     that Alias/ScriptAlias will override Userdir.  PR 8841
  -     [Joshua Slive]
  -
  -  *) Move mod_deflate out of experimental and into filters.
  -     [Justin Erenkrantz]
  -
  -  *) Get proxy CONNECT basically working.  [Jeff Trawick]
  +  *) Normalize the hostname value in the request_rec to all-lowercase
  +     [Perry Harrington <pedward@webcom.com>]
   
  -  *) Fix mod_rewrite hang when APR uses SysV Semaphores and
  -     RewriteLogLevel is set to anything other than 0.  PR: 8143
  -     [Aaron Bannert, Cliff Woolley]
  +  *) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
  +     extended characters (non US-ASCII) in non-utf8 format.  This brings
  +     Win32 back into CGI/1.1 compliance, and leaves charset decoding up
  +     to the cgi application itself.  [William Rowe]
   
  -  *) Fix byterange requests from returning 416 when using dynamic data
  -     (such as filters like mod_include).  [Justin Erenkrantz]
  +  *) Major overhaul of mod_dav, mod_dav_fs and the experimental/cache
  +     modules to bring them up to the current apr/apr-util APIs.
  +     [William Rowe]
   
  -  *) Allow mod_rewrite's set of "int:" internal RewriteMap functions
  -     to be extended by third-party modules via an optional function.
  -     [Tahiry Ramanamampanoharana <nomentsoa@hotmail.com>, Cliff Woolley]
  +  *) Fix segfault in mod_mem_cache most frequently observed when
  +     serving the same file to multiple clients on an MP machine.
  +     [Bill Stoddard]
   
  -  *) Fix mod_include expression parser's handling of unquoted strings
  -     followed immediately by a closing paren.  PR 8462.  [Brian Pane]
  +  *) mod_rewrite can now set cookies  (RewriteRule (.*) - [CO=name:$1:.domain])
  +     [Brian Degenhardt <bmd@mp3.com>, Ian Holsman]
   
  -  *) Remove autom4te.cache in 'make distclean'.
  -     [Thom May <thom@planetarytramp.net>]
  +  *) Fix perchild to work with apachectl by adding -k support to perchild.
  +     PR 10074  [Jeff Trawick]
   
  -  *) Fix generated httpd.conf to respect layout for LoadModule lines.
  -     PR 8170.  [Thom May <thom@planetarytramp.net>]
  +  *) Fix a silly htpasswd.c logic error that incorrectly reported that
  +     both -c and -n had been used.  PR 9989  [Cliff Woolley]
   
  -  *) Win32: During a graceful restart, threads in the new process
  -     were accessing scoreboard slots still in use by active threads in 
  -     the the old process. [Bill Stoddard]
  +  *) Fixed a mod_include error case in which no HTTP response was sent
  +     to the client if an shtml document contained an unterminated SSI
  +     directive [Brian Pane]
   
  +  *) Improve ap_get_client_block implementation by using APR-util brigade
  +     helper functions and relying on current filter assumptions.
  +     [Justin Erenkrantz]
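Review bot: In the CAN-2002-0661 entry at the top of the new changelog, "Cygwin may be affected" disagrees with the index.html advisory in this same commit, which says "Cygwin users are likely to be affected"; the two should use one wording so the exposure is not read differently depending on which page is consulted. Two smaller wording points in the added entries: "Support the -w flag on to keep the Win32 console open on error" has a stray "on", and "mod-deflate" is written with a hyphen where the other entries use the underscore form for module names.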
  
  
  
  1.36      +32 -56    httpd-site/docs/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/index.html,v
  retrieving revision 1.35
  retrieving revision 1.36
  diff -u -d -u -r1.35 -r1.36
  --- index.html	10 Jul 2002 06:54:58 -0000	1.35
  +++ index.html	9 Aug 2002 20:02:32 -0000	1.36
  @@ -76,35 +76,27 @@
              <table border="0" cellspacing="0" cellpadding="2" width="100%">
    <tr><td bgcolor="#525D76">
     <font color="#ffffff" face="arial,helvetica,sanserif">
  -   <a name="Security"><strong>SECURITY ADVISORY: June 20, 2002</strong></a>
  +   <a name="Security"><strong>SECURITY ADVISORY: August 9, 2002</strong></a>
     </font>
    </td></tr>
    <tr><td>
     <blockquote>
  -<p><b>UPDATE:</b>
  -<font size="-1">(supersedes security bulletin 20020617)</font></p>
  -<p>This follow-up to our earlier advisory is to warn of known-exploitable
  -conditions related to this vulnerability on both 64-bit platforms and
  -32-bit platforms alike.  Though we previously reported that 32-bit
  -platforms were not remotely exploitable, it has since been proven by
  -Gobbles that certain conditions allowing exploitation do exist.</p>
  -<p>Successful exploitation of this vulnerability can lead to the execution of
  -arbitrary code on the server with the permissions of the web server child
  -process.  This can facilitate the further exploitation of vulnerabilities
  -unrelated to Apache on the local system, potentially allowing the intruder
  -root access.</p>
  -<p>Note that early patches for this issue released by ISS and others do not
  -address its full scope.</p>
  -<p>Due to the existence of exploits circulating in the wild for some
  -platforms, the risk is considered high.  The Apache Software Foundation
  -has released versions 1.3.26 and 2.0.39 that address and fix this issue,
  -and all users are urged to upgrade immediately.  These versions are
  -available for download; see below.</p>
  -<p>If, for any reason, you are unable to upgrade at this time, as a minimum,
  -this <a href="http://www.apache.org/dist/httpd/patches/apply_to_1.3.22/SECURITY_chunk_size_patch.txt">patch for httpd 1.2.0-1.3.22</a>
  -should be applied to the source code.</p>
  +<p>On the 7th August 2002, The Apache Software Foundation was
  +notified of the discovery of a significant vulnerability, identified by
  +Auriemma Luigi &lt;bugtest@sitoverde.com&gt;.</p>
  +<p>This vulnerability has the potential to allow an attacker to inflict
  +serious damage to a server and reveal sensitive data.  This vulnerability
  +affects default installations of the Apache web server.</p>
  +<p>Unix and other variant platforms appear unaffected.  Cygwin users are
  +likely to be affected.</p>
  +<p>A simple one line workaround in the httpd.conf file will close the
  +vulnerability.  Prior to the first 'Alias' or 'Redirect' directive, add
  +the following directive to the global server configuration:</p>
  +<p><code>RedirectMatch 400 "\\\.\."</code></p>
  +<p>Fixes for this vulnerability and some less serious problems are
  +included in Apache 2.0.40, which is available below.</p>
   <p align="center">
  -<a href="info/security_bulletin_20020620.txt">Full Advisory</a>
  +<a href="info/security_bulletin_20020809a.txt">Full Advisory</a>
   </p>
     </blockquote>
    </td></tr>
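Review bot: The rewritten advisory block never names the affected platforms or the CVE id: "Unix and other variant platforms appear unaffected" leaves the reader to infer what is affected, while the Announcement in this commit states Win32, OS2 and Netware and cites CAN-2002-0661. Suggest naming both here, and saying which release lines are affected, because "affects default installations of the Apache web server" reads as if every installation is exposed. Separately, the "Full Advisory" link now targets info/security_bulletin_20020809a.txt, which does not appear in this commit's Modified list, so confirm that file is published before this page goes live.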
  @@ -112,43 +104,28 @@
              <table border="0" cellspacing="0" cellpadding="2" width="100%">
    <tr><td bgcolor="#525D76">
     <font color="#ffffff" face="arial,helvetica,sanserif">
  -   <a name="2.0.39"><strong>Apache 2.0.39 Released</strong></a>
  +   <a name="2.0.40"><strong>Apache 2.0.40 Released</strong></a>
     </font>
    </td></tr>
    <tr><td>
     <blockquote>
  -<p>The Apache HTTP Server Project is proud to announce the third public
  -release of Apache 2.0.  Apache 2.0 has been running on the Apache.org
  +<p>The Apache HTTP Server Project is proud to announce the fourth public
  +release of Apache 2.0.  Apache 2.0 has been running on the apache.org
   website since December of 2000 and has proven to be very reliable.</p>
  -<p>This version of Apache is principally a security and bug fix
  -release.  Of particular note is that 2.0.39 addresses and fixes the issues
  -noted in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392">
  -CAN-2002-0392 (mitre.org)</a>
  -[<a href="http://www.cert.org/advisories/CA-2002-17.html">CERT VU#944335</a>]
  -regarding a vulnerability in the handling of chunked transfer encoding as
  -described above.</p>
  -<p>Apache 2.0 offers numerous enhancements, improvements and performance
  -boosts over the 1.3 codebase. The most visible and noteworthy addition
  -is the ability to run Apache in a hybrid thread/process mode on any
  -platform that supports both threads and processes.  This has shown to
  -improve the scalability of the Apache HTTP Server significantly in
  -our testing.  Apache 2.0 also includes support for filtered I/O.  This
  -allows modules to modify the output of other modules before it is
  -sent to the client.  We have also included support for IPv6 on any
  -platform that supports IPv6.</p>
  -<p>This version of Apache is known to work on many versions of Unix, BeOS,
  -OS/2, Windows, and Netware.  Because of many of the advancements in 
  -Apache 2.0, the initial release of Apache is expected to perform equally 
  -well on all supported platforms.</p>
  -<p>There are new snapshots of the Apache httpd source available every 6
  -hours from http://cvs.apache.org/snapshots/ - please download and test
  -if you feel brave. We don't guarantee anything except that it will
  -take up disk space, but if you have the time and skills, please
  -give it a spin on your platforms.</p>
  +<p>This version of Apache is principally a security and bug fix release.
  +A summary of the changes is given at the end of this document.  Of
  +particular note is that 2.0.40 fixes the serious vulnerability noted in
  +<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661">
  +CAN-2002-0661</a> and the pair of path exposures in
  +<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0654">
  +CAN-2002-0654</a> (mitre.org).
  +We would like to thank Auriemma Luigi &lt;bugtest@sitoverde.com&gt; for
  +discovering and reporting the vulnerability and one of the path exposures
  +and Jim Race &lt;jrace@qualys.com&gt; for reporting the other path exposure.</p>
   <p align="center">
  -<a href="http://www.apache.org/dist/httpd/">Download Apache 2.0.39</a> | 
  +<a href="http://www.apache.org/dist/httpd/">Download Apache 2.0.40</a> | 
   <a href="docs-2.0/new_features_2_0.html">New Features in Apache 2.0</a> |
  -<a href="http://www.apache.org/dist/httpd/CHANGES_2.0">ChangeLog for 2.0.39</a>
  +<a href="http://www.apache.org/dist/httpd/CHANGES_2.0">ChangeLog for 2.0.40</a>
   </p>
     </blockquote>
    </td></tr>
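Review bot: The added sentence "A summary of the changes is given at the end of this document." was carried over from the plain-text Announcement, but the section shown here ends with the download and ChangeLog links and contains no summary of changes. Drop the sentence on this page (and in xdocs/index.xml, where the same text is added) or point readers at the "ChangeLog for 2.0.40" link instead. Minor: "(mitre.org)" now sits outside the anchor and only after the second CAN link, whereas the removed CAN-2002-0392 link carried it inside the link text.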
  @@ -168,8 +145,7 @@
   noted in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392">
   CAN-2002-0392 (mitre.org)</a>
   [<a href="http://www.cert.org/advisories/CA-2002-17.html">CERT VU#944335</a>]
  -regarding a vulnerability in the handling of chunked transfer encoding as
  -described above.</p>
  +regarding a vulnerability in the handling of chunked transfer encoding.</p>
   <p align="center">
   
   <a href="http://www.apache.org/dist/httpd/">Download Apache 1.3</a> | 
  
  
  
  1.27      +1 -1      httpd-site/docs/contributors/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/contributors/index.html,v
  retrieving revision 1.26
  retrieving revision 1.27
  diff -u -d -u -r1.26 -r1.27
  --- index.html	30 Jul 2002 22:42:28 -0000	1.26
  +++ index.html	9 Aug 2002 20:02:32 -0000	1.27
  @@ -593,7 +593,7 @@
   <p>
   
   <strong>Name:</strong> <a name="kraemer">Martin Kraemer</a><br />
  -<strong>Email:</strong> Martin.Kraemer@mchp.siemens.de<br />
  +<strong>Email:</strong> Martin.Kraemer@Fujitsu-Siemens.com<br />
   <strong>Organization:</strong> <a href="http://www.fujitsu-siemens.com/">Fujitsu-Siemens Computers</a><br />
   <strong>Occupation:</strong> Software Development Engineer<br />
   <strong>Location:</strong> Munich, Germany<br />
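Review bot: This e-mail address change in the generated docs/contributors/index.html is unrelated to the 2.0.40 text changed in the other diffs, and none of the xdocs diffs in this commit touch a contributors source file. If the regeneration simply picked up an earlier source change, say so in the log; otherwise commit it separately so the release update stays reviewable on its own.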
  
  
  
  1.8       +153 -288  httpd-site/xdocs/Announcement
  
  Index: Announcement
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/Announcement,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -d -u -r1.7 -r1.8
  --- Announcement	18 Jun 2002 04:52:59 -0000	1.7
  +++ Announcement	9 Aug 2002 20:02:33 -0000	1.8
  @@ -1,18 +1,18 @@
   
  -Apache 2.0.39 Released
  +Apache 2.0.40 Released
   ---------------------------------------------
   
  -The Apache HTTP Server Project is proud to announce the third public
  -release of Apache 2.0.  Apache 2.0 has been running on the Apache.org
  +The Apache HTTP Server Project is proud to announce the fourth public
  +release of Apache 2.0.  Apache 2.0 has been running on the apache.org
   website since December of 2000 and has proven to be very reliable.
   
  -This version of Apache is principally a security and bug fix
  -release.  A summary of the bug fixes is given at the end of this document.
  -Of particular note is that 2.0.39 addresses and fixes the issues noted
  -in CAN-2002-0392 (mitre.org) [CERT VU#944335] regarding a vulnerability
  -in the handling of chunked transfer encoding.  We would like to thank
  -Mark Litchfield of ngssoftware.com for discovering and reporting the
  -vulnerability.
  +This version of Apache is principally a security and bug fix release.
  +A summary of the changes is given at the end of this document.  Of
  +particular note is that 2.0.40 fixes the serious vulnerability noted in
  +CAN-2002-0661 and the pair of path exposures in CAN-2002-0654 (mitre.org).
  +We would like to thank Auriemma Luigi <bugtest@sitoverde.com> for
  +discovering and reporting the vulnerability and one of the path exposures
  +and Jim Race <jrace@qualys.com> for reporting the other path exposure.
   
   Apache 2.0 offers numerous enhancements, improvements and performance
   boosts over the 1.3 codebase. The most visible and noteworthy addition
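Review bot: The rewritten lead paragraph calls CAN-2002-0661 "the serious vulnerability" without saying which installations are exposed. The changelog entry added further down in this file limits it to the Win32, OS2 and Netware platforms (Unix not affected, Cygwin possibly affected) and gives a one-line httpd.conf workaround. Stating that platform scope here, and mentioning that a workaround exists for those who cannot upgrade, would let administrators judge urgency from the first paragraph rather than from the end of the document.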
  @@ -25,8 +25,8 @@
   platform that supports IPv6.
   
   This version of Apache is known to work on many versions of Unix, BeOS,
  -OS/2, Windows, and Netware.  Because of many of the advancements in 
  -Apache 2.0, the initial release of Apache is expected to perform equally 
  +OS/2, Windows, and Netware.  Because of many of the advancements in
  +Apache 2.0, the initial release of Apache is expected to perform equally
   well on all supported platforms.
   
   There are new snapshots of the Apache httpd source available every 6
  @@ -36,324 +36,189 @@
   give it a spin on your platforms.
   
   Apache has been the most popular web server on the Internet since
  -April of 1996. The March 2002 WWW server site survey by Netcraft (see
  +April of 1996. The July 2002 Web Server Survey by Netcraft (see
   http://www.netcraft.com/survey/) found that more web servers were
  -using Apache than any other software; Apache runs on more than 54%
  +using Apache than any other software; Apache runs on more than 57%
   of the web servers on the Internet.
   
   For more information and to download the release tarballs, please
   visit http://httpd.apache.org/
   
   
  -Changes since 2.0.36
  +Changes since 2.0.39
   ---------------------------------------------
   
  -Changes with Apache 2.0.39
  -
  -  *) Fixed a build problem in htpasswd.c on Win32.
  -     [Guenter Knauf <eflash@gmx.net>, Cliff Woolley]
  -
  -Changes with Apache 2.0.38
  -
  -  *) Rewrite htpasswd to use APR.  The removes the annoying warning about
  -     tmpnam being unsafe.   [Ryan Bloom]
  -
  -  *) We must set the MIME-type for .shtml files to text/html if we want them
  -     to be parsed for SSI tags.  Add the config for that to the default 
  -     config file so that it is easier to enable .shtml parsing.
  -     [Dave Dyer <ddyer@real-me.net>]
  -
  -  *) Fixed a problem with 'make install' on ReliantUnix.
  -     [Jean-frederic Clere <jfrederic.clere@fujitsu-siemens.com>]
  -
  -  *) Make the default_handler catch all requests that aren't served by
  -     another handler.  This also gets us to return a 404 if a directory
  -     is requested, there is no DirectoryIndex, and mod_autoindex isn't
  -     loaded.  [Justin Erenkrantz]
  -
  -  *) Fixed the handling of nested if-statements in shtml files.
  -     PR 9866  [Brian Pane]
  -
  -  *) Allow 'make install DESTDIR=/path'.  This allows packagers to install
  -     into a directory different from the one that was configured.  This 
  -     also mirrors the root= feature from 1.3.  We cannot use prefix=,
  -     because both APR and APR-util resolve their installation paths at 
  -     configuration time.  This means that there is no variable prefix 
  -     to replace.  [Andreas Hasenack <andreas@netbank.com.br>]
  -
  -  *) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.
  -     These levels of AIX don't have a thundering herd problem with
  -     accept().  [Jeff Trawick]
  -
  -  *) prefork MPM: Ignore mutex errors during graceful restart.  For
  -     certain types of mutexes (particularly SysV semaphores), we
  -     should expect to occasionally fail to obtain or release the
  -     mutex during restart processing.  [Jeff Trawick]
  -
  -  *) Fix install-bindist.sh so that it finds any perl instead of just
  -     early perl 5.x versions.  This is consistent with a build/install
  -     from source, and it allows the perl scripts installed by a bindist 
  -     to work on systems with perl 5.6.  [Jeff Trawick]
  -
  -  *) Fix apxs so that the makefile created by "apxs -g" works on AIX and
  -     Tru64 (and probably some other platforms).  [Jeff Trawick]
  -
  -  *) Allow CGI scripts to return their Content-Length.  This also fixes a
  -     hang on HEAD requests seen on certain platforms (such as FreeBSD).
  -     [Justin Erenkrantz]
  -
  -  *) Added log rotation based on file size to the RotateLog support
  -     utility. [Brad Nicholes]
  -
  -  *) Fix some casting in mod_rewrite which broke random maps.
  -     PR 9770  [Allan Edwards, Greg Ames, Jeff Trawick]
  -
  -Changes with Apache 2.0.37
  -
  -  *) allow POST method over SSL when per-directory client cert
  -     authentication is used with 'SSLOptions +OptRenegotiate' enabled
  -     and a client cert was found in the ssl session cache.
  -
  -  *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
  -     session cache when there is no cert chain in the cache.  prior to
  -     the fix this situation would result in a FORBIDDEN response and
  -     error message "Cannot find peer certificate chain"
  -     [Doug MacEachern]
  -
  -  *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
  -     one was already sent.  PR 9644  [Jeff Trawick]
  -
  -  *) Fix the display of the default name for the mime types config
  -     file.  PR 9729  [Matthew Brecknell <mbrecknell@orchestream.com>]
  -
  -  *) Fix the working directory *for WinNT/2K/XP services only* to
  -     change to the Apache directory (one level above the location 
  -     of Apache.exe, in the case that Apache.exe resides in bin/.)
  -     Solves the case of ServerRoot /foo paths where /foo was not
  -     on the same drive as /winnt/system32.  [William Rowe]
  -
  -  *) Make 2.0's "AcceptMutex" startup message now "completely"
  -     match how 1.3 does it. [Jim Jagielski]
  -
  -  *) Implement a fixed size memory cache using a priority queue
  -     [Ian Holsman]
  -
  -  *) Fix apxs to allow "apxs -q installbuilddir" and to allow
  -     querying certain other variables from config_vars.mk.  PR 9316  
  -     [Jeff Trawick]
  -
  -  *) Added the "detached" attribute to the cgi_exec_info_t internals
  -     so that Win32 and Netware won't create a new window or console
  -     for each CGI invoked.  PR 8387
  -     [Brad Nicholes, William Rowe]
  -
  -  *) Consolidated the command line parameters and attributes that are 
  -     manipulated by the optional function ap_cgi_build_command() in
  -     mod_cgi into a single structure.
  +  *) SECURITY: [CAN-2002-0661] Close a very significant security hole that
  +     applies only to the Win32, OS2 and Netware platforms.  Unix was not
  +     affected, Cygwin may be affected.  Certain URIs will bypass security
  +     and allow users to invoke or access any file depending on the system
  +     configuration.  Without upgrading, a single .conf change will close
  +     the vulnerability.  Add the following directive in the global server
  +     httpd.conf context before any other Alias or Redirect directives:
  +         RedirectMatch 400 "\\\.\."
  +     Reported by Auriemma Luigi <bugtest@sitoverde.com>.
        [Brad Nicholes]
   
  -  *) Get rid of uninitialized value errors with "apxs -q" on certain
  -     variables.  [Stas Bekman <stas@stason.org>]
  -
  -  *) Fix apxs to allow it to work when the build directory is somewhere
  -     besides server-root/build.  PR 8453  
  -     [Jeff Trawick and a host of others]
  -
  -  *) Allow ap_discard_request_body to be called multiple times in the
  -     same request.  Essentially, ap_http_filter keeps track of whether
  -     it has sent an EOS bucket up the stack, if so, it will only ever
  -     send an EOS bucket for this request.  
  -     [Ryan Bloom, Justin Erenkrantz, Greg Stein]
  -
  -  *) Remove all special mod_ssl URIs.  This also fixes the bug where
  -     redirecting (.*) will allow an SSL protected page to be viewed
  -     without SSL.  [Ryan Bloom]
  -
  -  *) Fix the binary build install script so that the build logic
  -     created by "apxs -g" will work when the user has a binary
  -     build.  [Jeff Trawick]
  -
  -  *) Allow instdso.sh to work with full paths to the shared module.
  -     [Justin Erenkrantz]
  -
  -  *) NetWare: Enabled CGI functionality and added mod_cgi as a built
  -     in module for NetWare  [Brad Nicholes]
  +  *) SECURITY:  Close a path-revealing exposure in multiview type
  +     map negotiation (such as the default error documents) where the
  +     module would report the full path of the typemapped .var file when
  +     multiple documents or no documents could be served based on the mime
  +     negotiation.  Reported by Auriemma Luigi <bugtest@sitoverde.com>.
  +     [CAN-2002-0654]  [William Rowe]
   
  -  *) Changed cgi and piped log behavior to accept 65536 characters
  -     on Win32 (matching Linux) before deadlocking between outputing
  -     client stdin, slurping the output from stdout and then the stderr
  -     stream.  PR 8179  [William Rowe]
  +  *) SECURITY:  Close a path-revealing exposure in cgi/cgid when we
  +     fail to invoke a script.  The modules would report "couldn't create
  +     child process /path-to-script/script.pl" revealing the full path
  +     of the script.  Reported by Jim Race <jrace@qualys.com>.
  +     [CAN-2002-0654]  [Bill Stoddard]
   
  -  *) Fixed Win32 wintty.exe support to assure the window title is valid.
  -     Elimiates possible gpfault or garbage title without the -t option.
  +  *) Set aside the apr-iconv and apr_xlate() features for the Win32
  +     build of 2.0.40 so development can be completed.  A patch, from
  +     <http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
  +     will be available for those that wish to work with apr-iconv.
        [William Rowe]
   
  -  *) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use
  -     brigades and input filters.  [Justin Erenkrantz]
  +  *) Fix proxy so that it is possible to access ftp: URLs via a proxy
  +     chain. [Peter Van Biesen <peter.vanbiesen@vlafo.be>]
   
  -  *) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request
  -     body.  [Justin Erenkrantz]
  -    
  -  *) NetWare: Piping log entries through RotateLogs using the 
  -     CustomLogs directive is finally supported now that we have 
  -     the pipes and spawning functionality working.
  -     [Brad Nicholes]
  +  *) mod-deflate now checks to make sure that 'gzip-only-text/html' is
  +     set to 1, so we can exclude things from the general case with
  +     browsermatch. [Ian Holsman, Andre Schild <A.Schild@aarboard.ch>]
   
  -  *) Detect overflow when reading the hex bytes forming a chunk line.
  -     [Aaron Bannert]
  +  *) Accept multiple leading /'s for requests within the DocumentRoot.
  +     PR 10946  [William Rowe, David Shane Holden <dpejesh@yahoo.com>]
   
  -  *) Allow RewriteMap prg:'s to take command-line arguments.  PR 8464.
  -     [James Tait <JTait@wyrddreams.demon.co.uk>]
  +  *) Solved the reports of .pdf byterange failures on Win32 alone.
  +     APR's sendfile for the win32 platform collapses header and trailer
  +     buffers into a single buffer.  However, we destroyed the pointers
  +     to the header buffer if a trailer buffer was present.  PR 10781
  +     [William Rowe]
   
  -  *) Correctly return 413 when an invalid chunk size is given on
  -     input.  Also modify ap_discard_request_body to not do anything
  -     on sub-requests or when the connection will be dropped.
  -     [Justin Erenkrantz]
  +  *) mod_ext_filter: Add the ability to enable or disable a filter via
  +     an environment variable.  Add the ability to register a filter of
  +     type other than AP_FTYPE_RESOURCE.  [Jeff Trawick]
   
  -  *) Fix the TIME_* SSL var lookups to be threadsafe.  PR 9469.
  -     [Cliff Woolley]
  +  *) Restore the ability to specify host names on Listen directives.
  +     PR 11030.  [Jeff Trawick, David Shane Holden <dpejesh@yahoo.com>]
   
  -  *) Ensure that apr_brigade_write() flushes in all of the cases that
  -     it should to avoid conditions in some modules that could cause
  -     large amounts of data to be buffered.  [Cliff Woolley]
  +  *) When deciding on the default address family for listening sockets,
  +     make sure we can actually bind to an AF_INET6 socket before
  +     deciding that we should default to AF_INET6.  This fixes a startup
  +     problem on certain levels of OpenUNIX.  PR 10235.  [Jeff Trawick]
   
  -  *) Fix problem where mod_cache/mod_disk_cache was incorrectly
  -     stripping the content_type from cached responses.
  -     [Bill Stoddard]
  +  *) Replace usage of atol() to parse strings when we might want a
  +     larger-than-long value with apr_atoll(), which returns long long.
  +     This allows HTTPD to deal with larger files correctly.
  +     [Shantonu Sen <ssen@apple.com>]
   
  -  *) apachectl passes through any httpd options.  Note: apachectl
  -     should be used in preference to httpd since it ensures that any
  -     appropriate environment variables have been set up.
  +  *) mod_ext_filter: Ignore any content-type parameters when checking if
  +     the response should be filtered.  Previously, "intype=text/html"
  +     wouldn't match something like "text/html;charset=8859_1".
        [Jeff Trawick]
   
  -  *) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.
  -     PR 7810  [Colm MacCarthaigh <colmmacc@redbrick.dcu.ie>]
  -
  -  *) Fix suexec execution of CGI scripts from mod_include.
  -     PR 7791, 8291  [Colm MacCarthaigh <colmmacc@redbrick.dcu.ie>]
  +  *) mod_ext_filter: Set up environment variables for external programs.
  +     [Craig Sebenik <craig@netapp.com>]
   
  -  *) Fix segfaults at startup on some platforms when mod_auth_digest,
  -     mod_suexec, or mod_ssl were used as DSO's due to the way they
  -     were tracking the current init phase since DSO's get completely
  -     unloaded and reloaded between phases.  PR 9413.
  -     [Tsuyoshi Sasamoto <nazonazo@super.win.ne.jp>, Brad Nicholes]
  +  *) Modified the HTTP_IN filter to immediately append the EOS (end of
  +     stream) bucket for C-L POST bodies, saving a roundtrip and allowing
  +     the caller to determine that no content remains without prefetching
  +     additional POST body.  [William Rowe]
   
  -  *) Fix mod_include's handling of regular expressions in
  -     "<!--#if" directives [Julius Gawlas <julius_gawlas@hp.com>]
  +  *) Get proxy ftp to work over IPv6.  [Shoichi Sakane <sakane@kame.net>]
   
  -  *) Fix the worker MPM deadlock problem  [Brian Pane]
  +  *) Look for OpenSSL libraries in /usr/lib64.  [Peter Poeml <poeml@suse.de>]
   
  -  *) Modify the module documentation to allow for translations.
  -     [Yoshiki Hayashi, Joshua Slive]
  +  *) Update SuSE layout.  [Peter Poeml <poeml@suse.de>]
   
  -  *) Fix a file permissions problem which prevented mod_disk_cache
  -     from working on Unix.  [Jeff Trawick]
  +  *) Changes to the internationalized error documents:
  +     Comment them out in the default config file to make the default
  +     install as simple as possible; Correct the english 500 error to
  +     be more understandable; Add a Swedish translation.
  +     [Thomas Sjogren <thomas@northernsecurity.net>,
  +      Erik Abele <erik@codefaktor.de>, Rich Bowen, Joshua Slive]
   
  -  *) Add "-k start|restart|graceful|stop" support to httpd for the Unix 
  -     MPMs.  These have semantics very similar to the old apachectl 
  -     commands of the same name.  [Justin Erenkrantz, Jeff Trawick]
  +  *) Increase the limit on file descriptors per process in apachectl.
  +     [Brian Pane]
   
  -  *) Make sure that the runtime dir is created by make install.
  -     PR 9233.  [Jeff Trawick]
  +  *) Fix a dependency error when building ApacheMonitor, so that Win32
  +     and MSVC now trust that the project is current (when it is).
  +     [James Cox <imajes@php.net>]
   
  -  *) Fix an unusual set of ./configure arguments that could cause
  -     mod_http to be built as a DSO, which it currently doesn't
  -     support.  PR 9244.
  -     [Cliff Woolley, Robin Johnson <robbat2@orbis-terrarum.net>]
  +  *) mod_ext_filter: don't segfault if content-type is not set.  PR 10617.
  +     [Arthur P. Smith <apsmith@aps.org>, Jeff Trawick]
   
  -  *) Win32: Fix bug in apr_sendfile() that caused incorrect operation
  -     of the %X, %b and %B logformat options. PR 8253, 8996.
  -     [Bill Stoddard]
  +  *) APR-Util Renames pending have been completed [Thom May]
   
  -  *) If content-encoding is already present, do not run deflate (PR 9222)
  -     [Kazuhisa ASADA <kaz@asada.sytes.net>]
  +  *) Performance improvements for the code that reads request
  +     headers (ap_rgetline_core() and related functions)  [Brian Pane]
   
  -  *) The APLOG_NOERRNO flag to ap_log_[r]error() is now deprecated.
  -     It is currently ignored and it will be removed in a future release
  -     of Apache.  [Jeff Trawick]
  +  *) Add a new directive: MaxMemFree.  MaxMemFree makes it possible
  +     to configure the maximum amount of memory the allocators will
  +     hold on to for reuse.  Anything over the MaxMemFree threshold
  +     will be free()d.  This directive is useful when uncommon large
  +     peaks occur in memory usage.  It should _not_ be used to mask
  +     defective modules' memory use.  [Sander Striker]
   
  -  *) Removed documentation references to the no-longer-supported
  -     "make certificate" feature of mod_ssl for Apache 1.3.x.  Test
  -     certificates, if truly desired, can be generated using openssl
  -     commands.  PR 8724.  [Cliff Woolley]
  +  *) Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
  +     scripts would not result in a truncated response.
  +     [Ryan Bloom, Justin Erenkrantz, Cliff Woolley]
   
  -  *) Remove SSLLog and SSLLogLevel directives in favor of having
  -     mod_ssl use the standard ErrorLog directives.  [Justin Erenkrantz]
  +  *) Add a filter_init parameter to the filter registration functions
  +     so that a filter can execute arbitrary code before the handlers
  +     are invoked.  This resolves a problem where mod_include requests
  +     would incorrectly return a 304.  [Justin Erenkrantz]
   
  -  *) OS/390: LIBPATH no longer has to be manually uncommented in
  -     envvars to get apachectl to set up httpd properly.  [Jeff Trawick]
  +  *) Fix a long-standing bug in 2.0, CGI scripts were being called
  +     with relative paths instead of absolute paths.  Apache 1.3 used
  +     absolute paths for everything except for SuExec, this brings back
  +     that standard.  [Ryan Bloom]
   
  -  *) mod_isapi: All mod_isapi directives, excluding ISAPICacheFile,
  -     may now be specified to the <File/Directory > container, rather
  -     than by vhost.  [William Rowe]
  +  *) Fix infinite loop due to two HTTP_IN filters being present for
  +     internally redirected requests.  PR 10146.  [Justin Erenkrantz]
   
  -  *) mod_isapi: Experimental support for faux async support for ISAPI
  -     modules.  [William Rowe]
  +  *) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
  +     [Justin Erenkrantz]
   
  -  *) mod_isapi: Major refactoring of the code to rely on apr internals
  -     rather than MS APIs (using our own mod_isapi.h headers for ISAPI
  -     symbol definitions.)  [William Rowe]
  +  *) Fix mod_ext_filter to look in the main server for filter definitions
  +     when running in a vhost if the filter definition is not found in
  +     the vhost.  PR 10147  [Jeff Trawick]
   
  -  *) mod_isapi: Fixed the return string length from GetServerVariable
  -     callback, it was not including the trailing null in the consumed
  -     buffer size.  This was particularly bad for Delphi 6.0 users.
  -     PR 8934  [Sebastian Hantsch <sebastian.hantsch@gmx.de>]
  +  *) Support WinNT CGI invocation through ScriptInterpreterSource
  +     'registry' for script interpreter paths and names with non-ascii
  +     characters in the executable filepath.  [William Rowe]
   
  -  *) Fixed Win32 builds for Microsoft VisualStudio 7.0 (.net).
  +  *) Support the -w flag on to keep the Win32 console open on error.
        [William Rowe]
   
  -  *) Make apxs look in the correct directory for envvars.  It was
  -     broken when sbindir != bindir.  PR 8869
  -     [Andreas Sundström <sunkan@zappa.cx>]
  -  
  -  *) Fix mod_deflate corruption when using multiple buckets.  PR 9014.
  -     [Asada Kazuhisa <kaz@asada.sytes.net>]
  -
  -  *) Performance enhancements for access logger when using
  -     default timestamp formatting  [Brian Pane]
  -
  -  *) Added EnableMMAP config directive to enable the server
  -     administrator to disable memory-mapping of delivered files
  -     on a per-directory basis.  [Brian Pane]
  -
  -  *) Performance enhancements for mod_setenvif  [Brian Pane]
  -
  -  *) Fix a mod_ssl build problem on OS/390.  [Jeff Trawick]
  -
  -  *) Fixed If-Modified-Since on Win32, which would give false positives
  -     because of the sub-second resolution of file timestamps on that
  -     platform.  [Cliff Woolley]
  -
  -  *) Reverse the hook ordering for mod_userdir and mod_alias so
  -     that Alias/ScriptAlias will override Userdir.  PR 8841
  -     [Joshua Slive]
  -
  -  *) Move mod_deflate out of experimental and into filters.
  -     [Justin Erenkrantz]
  -
  -  *) Get proxy CONNECT basically working.  [Jeff Trawick]
  +  *) Normalize the hostname value in the request_rec to all-lowercase
  +     [Perry Harrington <pedward@webcom.com>]
   
  -  *) Fix mod_rewrite hang when APR uses SysV Semaphores and
  -     RewriteLogLevel is set to anything other than 0.  PR: 8143
  -     [Aaron Bannert, Cliff Woolley]
  +  *) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
  +     extended characters (non US-ASCII) in non-utf8 format.  This brings
  +     Win32 back into CGI/1.1 compliance, and leaves charset decoding up
  +     to the cgi application itself.  [William Rowe]
   
  -  *) Fix byterange requests from returning 416 when using dynamic data
  -     (such as filters like mod_include).  [Justin Erenkrantz]
  +  *) Major overhaul of mod_dav, mod_dav_fs and the experimental/cache
  +     modules to bring them up to the current apr/apr-util APIs.
  +     [William Rowe]
   
  -  *) Allow mod_rewrite's set of "int:" internal RewriteMap functions
  -     to be extended by third-party modules via an optional function.
  -     [Tahiry Ramanamampanoharana <nomentsoa@hotmail.com>, Cliff Woolley]
  +  *) Fix segfault in mod_mem_cache most frequently observed when
  +     serving the same file to multiple clients on an MP machine.
  +     [Bill Stoddard]
   
  -  *) Fix mod_include expression parser's handling of unquoted strings
  -     followed immediately by a closing paren.  PR 8462.  [Brian Pane]
  +  *) mod_rewrite can now set cookies  (RewriteRule (.*) - [CO=name:$1:.domain])
  +     [Brian Degenhardt <bmd@mp3.com>, Ian Holsman]
   
  -  *) Remove autom4te.cache in 'make distclean'.
  -     [Thom May <thom@planetarytramp.net>]
  +  *) Fix perchild to work with apachectl by adding -k support to perchild.
  +     PR 10074  [Jeff Trawick]
   
  -  *) Fix generated httpd.conf to respect layout for LoadModule lines.
  -     PR 8170.  [Thom May <thom@planetarytramp.net>]
  +  *) Fix a silly htpasswd.c logic error that incorrectly reported that
  +     both -c and -n had been used.  PR 9989  [Cliff Woolley]
   
  -  *) Win32: During a graceful restart, threads in the new process
  -     were accessing scoreboard slots still in use by active threads in 
  -     the the old process. [Bill Stoddard]
  +  *) Fixed a mod_include error case in which no HTTP response was sent
  +     to the client if an shtml document contained an unterminated SSI
  +     directive [Brian Pane]
   
  +  *) Improve ap_get_client_block implementation by using APR-util brigade
  +     helper functions and relying on current filter assumptions.
  +     [Justin Erenkrantz]
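Review bot: The CAN-2002-0661 entry says "Cygwin may be affected", while the advisory text added to xdocs/index.xml in this same commit says Cygwin users "are likely to be affected"; pick one wording so the two documents agree. Smaller points in this hunk: "Support the -w flag on to keep the Win32 console open" has a stray "on", "mod-deflate" should read "mod_deflate", "english" should be capitalized, and the entries no longer sit under a "Changes with Apache 2.0.40" subheading the way the removed 2.0.39, 2.0.38 and 2.0.37 entries did.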
  
  
  
  1.24      +37 -64    httpd-site/xdocs/index.xml
  
  Index: index.xml
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/index.xml,v
  retrieving revision 1.23
  retrieving revision 1.24
  diff -u -d -u -r1.23 -r1.24
  --- index.xml	10 Jul 2002 06:54:58 -0000	1.23
  +++ index.xml	9 Aug 2002 20:02:33 -0000	1.24
  @@ -26,81 +26,55 @@
   </section>
   
   <section id="Security">
  -<title>SECURITY ADVISORY: June 20, 2002</title>
  +<title>SECURITY ADVISORY: August 9, 2002</title>
   
  -<p><b>UPDATE:</b>
  -<font size="-1">(supersedes security bulletin 20020617)</font></p>
  +<p>On the 7th August 2002, The Apache Software Foundation was
  +notified of the discovery of a significant vulnerability, identified by
  +Auriemma Luigi &lt;bugtest@sitoverde.com&gt;.</p>
   
  -<p>This follow-up to our earlier advisory is to warn of known-exploitable
  -conditions related to this vulnerability on both 64-bit platforms and
  -32-bit platforms alike.  Though we previously reported that 32-bit
  -platforms were not remotely exploitable, it has since been proven by
  -Gobbles that certain conditions allowing exploitation do exist.</p>
  +<p>This vulnerability has the potential to allow an attacker to inflict
  +serious damage to a server and reveal sensitive data.  This vulnerability
  +affects default installations of the Apache web server.</p>
   
  -<p>Successful exploitation of this vulnerability can lead to the execution of
  -arbitrary code on the server with the permissions of the web server child
  -process.  This can facilitate the further exploitation of vulnerabilities
  -unrelated to Apache on the local system, potentially allowing the intruder
  -root access.</p>
  +<p>Unix and other variant platforms appear unaffected.  Cygwin users are
  +likely to be affected.</p>
   
  -<p>Note that early patches for this issue released by ISS and others do not
  -address its full scope.</p>
  +<p>A simple one line workaround in the httpd.conf file will close the
  +vulnerability.  Prior to the first 'Alias' or 'Redirect' directive, add
  +the following directive to the global server configuration:</p>
   
  -<p>Due to the existence of exploits circulating in the wild for some
  -platforms, the risk is considered high.  The Apache Software Foundation
  -has released versions 1.3.26 and 2.0.39 that address and fix this issue,
  -and all users are urged to upgrade immediately.  These versions are
  -available for download; see below.</p>
  +<p><code>RedirectMatch 400 "\\\.\."</code></p>
   
  -<p>If, for any reason, you are unable to upgrade at this time, as a minimum,
  -this <a href="http://www.apache.org/dist/httpd/patches/apply_to_1.3.22/SECURITY_chunk_size_patch.txt">patch for httpd 1.2.0-1.3.22</a>
  -should be applied to the source code.</p>
  +<p>Fixes for this vulnerability and some less serious problems are
  +included in Apache 2.0.40, which is available below.</p>
   
   <p align="center">
  -<a href="info/security_bulletin_20020620.txt">Full Advisory</a>
  +<a href="info/security_bulletin_20020809a.txt">Full Advisory</a>
   </p>
   </section>
   
  -<section id="2.0.39">
  -<title>Apache 2.0.39 Released</title>
  +<section id="2.0.40">
  +<title>Apache 2.0.40 Released</title>
   
  -<p>The Apache HTTP Server Project is proud to announce the third public
  -release of Apache 2.0.  Apache 2.0 has been running on the Apache.org
  +<p>The Apache HTTP Server Project is proud to announce the fourth public
  +release of Apache 2.0.  Apache 2.0 has been running on the apache.org
   website since December of 2000 and has proven to be very reliable.</p>
   
  -<p>This version of Apache is principally a security and bug fix
  -release.  Of particular note is that 2.0.39 addresses and fixes the issues
  -noted in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392">
  -CAN-2002-0392 (mitre.org)</a>
  -[<a href="http://www.cert.org/advisories/CA-2002-17.html">CERT VU#944335</a>]
  -regarding a vulnerability in the handling of chunked transfer encoding as
  -described above.</p>
  -
  -<p>Apache 2.0 offers numerous enhancements, improvements and performance
  -boosts over the 1.3 codebase. The most visible and noteworthy addition
  -is the ability to run Apache in a hybrid thread/process mode on any
  -platform that supports both threads and processes.  This has shown to
  -improve the scalability of the Apache HTTP Server significantly in
  -our testing.  Apache 2.0 also includes support for filtered I/O.  This
  -allows modules to modify the output of other modules before it is
  -sent to the client.  We have also included support for IPv6 on any
  -platform that supports IPv6.</p>
  -
  -<p>This version of Apache is known to work on many versions of Unix, BeOS,
  -OS/2, Windows, and Netware.  Because of many of the advancements in 
  -Apache 2.0, the initial release of Apache is expected to perform equally 
  -well on all supported platforms.</p>
  -
  -<p>There are new snapshots of the Apache httpd source available every 6
  -hours from http://cvs.apache.org/snapshots/ - please download and test
  -if you feel brave. We don't guarantee anything except that it will
  -take up disk space, but if you have the time and skills, please
  -give it a spin on your platforms.</p>
  +<p>This version of Apache is principally a security and bug fix release.
  +A summary of the changes is given at the end of this document.  Of
  +particular note is that 2.0.40 fixes the serious vulnerability noted in
  +<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661">
  +CAN-2002-0661</a> and the pair of path exposures in
  +<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0654">
  +CAN-2002-0654</a> (mitre.org).
  +We would like to thank Auriemma Luigi &lt;bugtest@sitoverde.com&gt; for
  +discovering and reporting the vulnerability and one of the path exposures
  +and Jim Race &lt;jrace@qualys.com&gt; for reporting the other path exposure.</p>
   
   <p align="center">
  -<a href="http://www.apache.org/dist/httpd/">Download Apache 2.0.39</a> | 
  +<a href="http://www.apache.org/dist/httpd/">Download Apache 2.0.40</a> | 
   <a href="docs-2.0/new_features_2_0.html">New Features in Apache 2.0</a> |
  -<a href="http://www.apache.org/dist/httpd/CHANGES_2.0">ChangeLog for 2.0.39</a>
  +<a href="http://www.apache.org/dist/httpd/CHANGES_2.0">ChangeLog for 2.0.40</a>
   </p>
   
   </section>
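Review bot: the added workaround line `<code>RedirectMatch 400 "\\\.\."</code>` depends on an exact backslash count, and the commit log itself doubts the transforms, so the generated docs/index.html should be checked to confirm the directive renders character for character as written here and matches the linked full advisory. A dropped or doubled backslash would leave administrators pasting a pattern that does not match what the advisory intends. Separately, the added sentence "A summary of the changes is given at the end of this document" reads as carried over from the plain-text Announcement; this section ends at the download and ChangeLog links with no summary shown, so on the web page it would be clearer to point at the "ChangeLog for 2.0.40" link instead.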
  @@ -117,8 +91,7 @@
   noted in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392">
   CAN-2002-0392 (mitre.org)</a>
   [<a href="http://www.cert.org/advisories/CA-2002-17.html">CERT VU#944335</a>]
  -regarding a vulnerability in the handling of chunked transfer encoding as
  -described above.</p>
  +regarding a vulnerability in the handling of chunked transfer encoding.</p>
   
   <p align="center">
   
  
  
  
