Return-Path: Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 17777 invoked by uid 500); 3 Oct 2002 16:17:57 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 17766 invoked by uid 500); 3 Oct 2002 16:17:57 -0000 Delivered-To: apmail-httpd-dist-cvs@apache.org Date: 3 Oct 2002 16:17:56 -0000 Message-ID: <20021003161756.27799.qmail@icarus.apache.org> From: wrowe@apache.org To: httpd-dist-cvs@apache.org Subject: cvs commit: httpd-dist Announcement.html Announcement.txt Announcement2.html Announcement2.txt X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N wrowe 2002/10/03 09:17:56 Modified: . Announcement.html Announcement.txt Announcement2.html Announcement2.txt Log: Attempt to consistify ALL of the announcements. Revision Changes Path 1.11 +21 -26 httpd-dist/Announcement.html Index: Announcement.html =================================================================== RCS file: /home/cvs/httpd-dist/Announcement.html,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- Announcement.html 2 Oct 2002 18:03:14 -0000 1.10 +++ Announcement.html 3 Oct 2002 16:17:55 -0000 1.11 @@ -26,29 +26,28 @@ A summary of the bug fixes is given at the end of this document. Of particular note is that 1.3.27 addresses and fixes 3 security vulnerabilities.

-

- CAN-2002-0839 (cve.mitre.org): - A vulnerability exists in all versions of + +

CAN-2002-0839 (cve.mitre.org): A vulnerability exists in all versions of Apache prior to 1.3.27 on platforms using System V shared memory based scoreboards. This vulnerability allows an attacker who can execute under the Apache UID to exploit the Apache shared memory scoreboard format and send a signal to any process as root or cause a local denial of service attack. We thank iDefense for their responsible notification and disclosure of this issue.

-

- CAN-2002-0840 (cve.mitre.org): - Apache is susceptible to a cross site + +

CAN-2002-0840 (cve.mitre.org): Apache is susceptible to a cross site scripting vulnerability in the default 404 page of any web server hosted on a domain that allows wildcard DNS lookups. We thank Matthew Murphy for - the responsible notification and disclosure of this issue.

-

- CAN-2002-0843 (cve.mitre.org): - There were some possible overflows in ab.c + notification of this issue.

+ +

CAN-2002-0843 (cve.mitre.org): There were some possible overflows in ab.c which could be exploited by a malicious server. Note that this vulnerability is not in Apache itself, but rather one of the support programs bundled with Apache. We thank David Wagner for the responsible - notification and disclosure of this issue. -

+ notification and disclosure of this issue.

We consider Apache 1.3.27 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of @@ -56,24 +55,20 @@ releases will be made in the 1.2.x family.

Apache 1.3.27 is available for download from

-
   
  -
  -       http://www.apache.org/dist/httpd/
  -
+
+
http://www.apache.org/dist/httpd/
+

Please see the CHANGES_1.3 file in the same directory for a full list of changes.

-

Binary distributions are available from -

  -
  -       http://www.apache.org/dist/httpd/binaries/
  -
- +

Binary distributions are available from +

+
http://www.apache.org/dist/httpd/binaries/
+

The source and binary distributions are also available via any of the mirrors listed at

-
  -
  -       http://www.apache.org/mirrors/
  -
+
+
http://www.apache.org/mirrors/
+

As of Apache 1.3.12 binary distributions contain all standard Apache 1.10 +12 -7 httpd-dist/Announcement.txt Index: Announcement.txt =================================================================== RCS file: /home/cvs/httpd-dist/Announcement.txt,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- Announcement.txt 2 Oct 2002 18:03:14 -0000 1.9 +++ Announcement.txt 3 Oct 2002 16:17:55 -0000 1.10 
@@ -11,21 +11,21 @@ Of particular note is that 1.3.27 addresses and fixes 3 security vulnerabilities. - CAN-2002-0839 (cve.mitre.org): A vulnerability exists in all versions of - Apache prior to 1.3.27 on platforms using System V shared memory based + CAN-2002-0839 (cve.mitre.org)[1]: A vulnerability exists in all versions + of Apache prior to 1.3.27 on platforms using System V shared memory based scoreboards. This vulnerability allows an attacker who can execute under the Apache UID to exploit the Apache shared memory scoreboard format and send a signal to any process as root or cause a local denial of service attack. We thank iDefense for their responsible notification and disclosure of this issue. - CAN-2002-0840 (cve.mitre.org): Apache is susceptible to a cross site + CAN-2002-0840 (cve.mitre.org)[2]: Apache is susceptible to a cross site scripting vulnerability in the default 404 page of any web server hosted - on a domain that allows wildcard DNS lookups. We thank Matthew Murphy for - the responsible notification and disclosure of this issue. + on a domain that allows wildcard DNS lookups. We thank Matthew Murphy + for notification of this issue. - CAN-2002-0843 (cve.mitre.org): There were some possible overflows in ab.c - which could be exploited by a malicious server. Note that this + CAN-2002-0843 (cve.mitre.org)[3]: There were some possible overflows + in ab.c which could be exploited by a malicious server. Note that this vulnerability is not in Apache itself, but rather one of the support programs bundled with Apache. We thank David Wagner for the responsible notification and disclosure of this issue. 
@@ -163,3 +163,8 @@ a line feed character) in the first 1023 bytes. The overflow is always a '\0' (string termination) character. + References + + [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839 + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840 + [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843 1.26 +100 -169 httpd-dist/Announcement2.html Index: Announcement2.html =================================================================== RCS file: /home/cvs/httpd-dist/Announcement2.html,v retrieving revision 1.25 retrieving revision 1.26 diff -u -r1.25 -r1.26 --- Announcement2.html 24 Sep 2002 23:10:56 -0000 1.25 +++ Announcement2.html 3 Oct 2002 16:17:55 -0000 1.26 @@ -14,196 +14,127 @@ > -

Apache 2.0.42 Released

+

Apache 2.0.43 Released

-

The Apache HTTP Server Project is proud to announce the fifth public -release of Apache 2.0. This is primarily a bug-fix release, including -updates to the experimental caching module, the removal of several -memory leaks, and fixes for several segfaults, one of which could have -been used as a denial-of-service against mod_dav. A complete list of -the changes since 2.0.40 is given at the end of this document.

+

The Apache Software Foundation and The Apache Server Project are + pleased to announce the sixth public release of the Apache 2.0 + HTTP Server. This Announcement notes the significant changes in + 2.0.43, as compared to 2.0.42.

+ +

This version of Apache is principally a security and bug fix release. + A summary of the bug fixes is given at the end of this document. + Of particular note is that 2.0.43 addresses and fixes two security + vulnerabilities.

+ +

CAN-2002-0840 (cve.mitre.org): Apache is susceptible to a cross site + scripting vulnerability in the default 404 page of any web server hosted + on a domain that allows wildcard DNS lookups. We thank Matthew Murphy for + notification of this issue.

+ +

Bug ID 13025: Apache would serve script source code for POST requests + when the DAV On directive enabled mod_dav for a given resource. We thank + Sander Holthaus for notification of this issue.

+

We consider this release to be the best version of Apache available + and encourage users of all prior versions to upgrade.

+ +

Apache 2.0.43is available for download from

+
+
http://www.apache.org/dist/httpd/
+
+ +

Please see the CHANGES_1.3 file in the same directory for a full list + of changes.

+ +

Binary distributions are available from

+
+
http://www.apache.org/dist/httpd/binaries/
+
+ +

The source and binary distributions are also available via any of the + mirrors listed at

+
+
http://www.apache.org/mirrors/
+

Apache 2.0 offers numerous enhancements, improvements, and performance -boosts over the 1.3 codebase. The most visible and noteworthy addition -is the ability to run Apache in a hybrid thread/process mode on any -platform that supports both threads and processes. This has been shown -to improve the scalability of the Apache HTTP Server significantly in -our testing. Apache 2.0 also includes support for filtered I/O. This -allows modules to modify the output of other modules before it is -sent to the client. We have also included support for IPv6 on any -platform that supports IPv6.

+ boosts over the 1.3 codebase. The most visible and noteworthy addition + is the ability to run Apache in a hybrid thread/process mode on any + platform that supports both threads and processes. This has been shown + to improve the scalability of the Apache HTTP Server significantly in + our testing. Apache 2.0 also includes support for filtered I/O. This + allows modules to modify the output of other modules before it is + sent to the client. We have also included support for IPv6 on any + platform that supports IPv6.

This version of Apache is known to work on many versions of Unix, BeOS, -OS/2, Windows, and Netware. Because of the many advances in Apache -2.0, it is expected to perform equally well on all supported platforms. -Apache 2.0 has been running on the apache.org website since December -of 2000 and has proven to be very reliable.

- -

Apache has been the most popular web server on the Internet since -April of 1996. The August 2002 Web Server Survey by Netcraft (see -http://www.netcraft.com/survey/) found that more web servers were -using Apache than any other software; Apache runs on more than 63% -of the web servers on the Internet.

- - -

We consider this release to be the best version of Apache available -and encourage users of all prior versions to upgrade. When doing so, -please keep in mind the following:

- -

This release is not binary-compatible with previous releases, so all -modules need to be recompiled in order to work with this version. For -example, a module compiled to work with 2.0.40 will not work with 2.0.42.

+ OS/2, Windows, and Netware. Because of the many advances in Apache + 2.0, it is expected to perform equally well on all supported platforms. + Apache 2.0 has been running on the apache.org website since December + of 2000 and has proven to be very reliable.

+ +

When upgrading or installing this version of Apache, please keep + in mind the following:

+ +

This release is binary-compatible only with 2.0.42, and no other previous + releases. All modules must be recompiled in order to work with this version. + For example, a module compiled to work with 2.0.40 will not work with 2.0.43.

+ +

This release does not include the new mod_logio, contrary to the + documentation in the CHANGES and manual included in this release. + That module will be included in the next public release of Apache 2.0. + We regret the confusion.

+ +

Users of this release on Darwin 6.1 (including Mac OS X 10.2, a.k.a. "Jaguar") + must add --disable-ipv6 when invoking the ./configure script, to avoid + a potential security exposure related to IPv6 support on that platform.

If you intend to use Apache with one of the threaded MPMs, you must -ensure that the modules (and the libraries they depend on) that you -will be using are thread-safe. Please contact the vendors of -these modules to obtain this information.

- - -

For more information and to download the release tarballs, please -visit http://httpd.apache.org/

- - -

Changes since 2.0.40

- -
  -Changes with Apache 2.0.42
  -
  -  *) mod_dav: Check for versioning hooks before using them.
  -     [Greg Stein]
  -
  -Changes with Apache 2.0.41
  -
  -  *) The protocol version (eg: HTTP/1.1) in the request line parsing
  -     is now case insensitive. [Jim Jagielski]
  -
  -  *) Allow AddOutputFilterByType to add multiple filters per directive.
  -     [Justin Erenkrantz]
  -
  -  *) Remove warnings with Sun's Forte compiler.  [Justin Erenkrantz]
  -
  -  *) Fixed mod_disk_cache's generation of 304s
  -     [Kris Verbeeck <Kris.Verbeeck@ubizen.com>]
  -
  -  *) Add support for using fnmatch patterns in the final path
  -     segment of an Include statement (eg.. include /foo/bar/*.conf).
  -     and remove the noise on stderr during config dir processing.
  -     [Joe Orton <jorton@redhat.com>]
  -
  -  *) mod_cache: cache_storage.c. Add the hostname and any request
  -     args to the key generated for caching. This provides a unique
  -     key for each virtual host and for each request with unique
  -     args. [Paul J. Reder, args code provided by Kris Verbeeck]
  -
  -  *) mod_cache: Do not cache responses to GET requests with query
  -     URLs if the origin server does not explicitly provide an
  -     Expires header on the response (RFC 2616 Section 13.9)
  -     [Kris Verbeeck krisv@be.ubizen.com]
  -
  -  *) Fix memory leak in core_output_filter.  [Justin Erenkrantz]
  -
  -  *) Update OpenSSL detection to work on Darwin.
  -     [Sander Temme <sctemme@covalent.net>]
  -
  -  *) Update the xslt and css to give the documentation a more
  -     modern style.
  -     [Andr� Malo <nd@perlig.de>, Gernot Winkler <greh@o3media.de>]
  -
  -  *) Fix some bucket memory leaks in the chunking code
  -     [Joe Schaefer <joe+apache@sunstarsys.com>]
  -
  -  *) Add ModMimeUsePathInfo directive.  [Justin Erenkrantz]
  -
  -  *) mod_cache: added support for caching streamed responses (proxy,
  -     CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]
  -
  -  *) Add image/x-icon to httpd.conf PR 10993.
  -     [Ian Holsman, Peter Bieringer <pb@bieringer.de>]
  -
  -  *) Fix FileETags none operation.  PR 12207.
  -     [Justin Erenkrantz, Andrew Ho <andrew@tellme.com>]
  -
  -  *) Restored the experimental leader/followers MPM to working
  -     condition and converted its thread synchronization from
  -     mutexes to atomic CAS.  [Brian Pane]
  -
  -  *) Fix Logic on non-html file removal in mod_deflate
  -     [Kris Verbeeck <Kris.Verbeeck@ubizen.com>]
  -
  -  *) Fix "ab -g"'s truncated year: the last digit was cut off.
  -     [Leon Brocard <acme@astray.com>]
  -
  -  *) mod_rewrite can now sets cookies in err_headers, uses the correct
  -     expiry date, and can now set the path as well
  -     PR 12132,12181,12172.
  -     [Ian Holsman / Rob Cromwell <apachechangelog@robcromwell.com>]
  -
  -  *) The content-length filter no longer tries to buffer up
  -     the entire output of a long-running request before sending
  -     anything to the client.  [Brian Pane]
  -
  -  *) Win32: Lower the default stack size from 1MB to 256K. This will
  -     allow around 8000 threads to be started per child process.
  -     'EDITBIN /STACK:size apache.exe' can be used to change this
  -     value directly in the apache.exe executable.
  -     [Bill Stoddard]
  -
  -  *) Win32: Implement ThreadLimit directive in the Windows MPM.
  -     [Bill Stoddard]
  -
  -  *) Remove CacheOn config directive since it is set but never checked.
  -     No sense wasting cycles on unused code. Besides, the only truly
  -     bug free code is deleted code. :)   [Paul J. Reder]
  -
  -  *) BufferLogs are now run-time enabled, and the log_config now has 2 new
  -     callbacks to allow a 3rd party module to actually do the writing of the
  -     log file [Ian Holsman]
  +   ensure that the modules (and the libraries they depend on) that you
  +   will be using are thread-safe.  Please contact the vendors of
  +   these modules to obtain this information.

- *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs. - [Andr� Malo, Astrid Ke�ler <kess@kess-net.de>] +

Apache is the most popular web server in the known universe; over half + of the servers on the Internet are running Apache or one of its + variants.

- *) Fix Segfault in mod_cache. [Kris Verbeeck <Kris.Verbeeck@ubizen.com>] - *) Fix a null pointer dereference in the merge_env_dir_configs - function of the mod_env module. PR 11791 - [Paul J. Reder] +

Apache 2.0.43 Major changes

- *) New option to ServerTokens 'maj[or]'. Only show the major version - Also Surfaced this directive in the standard config (default FULL) - [Ian Holsman] +

Security vulnerabilities closed since Apache 2.0.42

+
    +
  • Fixed the security vulnerability noted in CAN-2002-0840 (cvs.mitre.org) + regarding a cross-site scripting vulnerability in the default error + page when using wildcard DNS.
  • - *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite - maps. The dbm type (e.g., ndbm, gdbm) can be specified on the - RewriteMap directive. PR 10644 [Jeff Trawick] +
  • Prevent POST requests for CGI scripts from serving the source code + when DAV is enabled on the location.
  • +
- *) Fixed mod_rewrite's RewriteMap prg: support so that request/response - pairs will no longer get out of sync with each other. PR 9534 - [Cliff Woolley] +

Bugs fixed since Apache 2.0.42

+
    +
  • Fixed a core dump in mod_cache when it attemtped to store uncopyable + buckets, such as a file containing SSI tags to execute a CGI script.
  • - *) Fixes required to get quoted and escaped command args working in - mod_ext_filter. PR 11793 [Paul J. Reder] +
  • Ensured that output already available is flushed to the network + to help some streaming CGIs and other dynamically-generated content.
  • - *) mod-proxy: handle proxied responses with no status lines - [JD Silvester <jsilves@uwo.ca>, Brett Huttley <brett@huttley.net>] +
  • Fixed a mutex problem in mod_ssl dbm session cache support.
  • - *) Fix bug where environment or command line arguments containing - non-ASCII-7 characters would cause the Win32 child process creation - to fail. PR 11854 [William Rowe] +
  • Allow the UserDir directive to accept a list of directories, as in 1.3.
  • - *) Bug #11213.. make module loading error messages more informative - [Ian Darwin <Ian779@darwinsys.com>] +
  • Changed SuExec to use the same default directory as the rest of the + server, e.g. /usr/local/apache2.
  • - *) thread safety & proxy-ftp [Alexey Panchenko alexey@liwest.ru, Ian Holsman] +
  • Retry connections with mod_auth_ldap on LDAP_SERVER_DOWN errors.
  • - *) mod_disk_cache works much better. This module should still - be considered experimental. [Eric Prud'hommeaux] +
  • Pass the WWW-Authenticate header on a 4xx responses from the proxy.
  • - *) Performance improvement for keepalive requests: when setting - aside a small file for potential concatenation with the next - response on the connection, set aside the file descriptor rather - than copying the file into the heap. [Brian Pane] +
  • Fixed mod_cache's CacheMaxStreamingBuffer directive within virtual hosts.
  • -
+
  • Add -p option to apxs to allow programs to be compiled with apxs.
  • + 1.21 +85 -151 httpd-dist/Announcement2.txt Index: Announcement2.txt =================================================================== RCS file: /home/cvs/httpd-dist/Announcement2.txt,v retrieving revision 1.20 retrieving revision 1.21 diff -u -r1.20 -r1.21 --- Announcement2.txt 24 Sep 2002 22:32:49 -0000 1.20 +++ Announcement2.txt 3 Oct 2002 16:17:55 -0000 1.21 
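Review bot: In the Announcement2.html hunk, the added line "Please see the CHANGES_1.3 file in the same directory for a full list of changes." points a 2.0.43 reader at the 1.3 change log; the Announcement2.txt copy in this same commit says "CHANGES_2.0", and since the stated goal of the commit is to make the announcements consistent, the HTML copy should match. A few other defects in the added lines of this hunk: "Apache 2.0.43is available for download from" is missing a space; the bullet "CAN-2002-0840 (cvs.mitre.org)" should read "cve.mitre.org" as in the paragraph above it; "attemtped" should be "attempted"; "on a 4xx responses" should be "on 4xx responses". Finally, "This release is binary-compatible only with 2.0.42, and no other previous releases." followed by "All modules must be recompiled in order to work with this version." contradicts itself: if 2.0.42 modules are binary-compatible they do not need recompiling, so one of the two sentences should be corrected to say which modules actually need a rebuild.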
@@ -1,190 +1,124 @@ - Apache 2.0.42 Released --------------------------------------------- -The Apache HTTP Server Project is proud to announce the fifth public -release of Apache 2.0. This is primarily a bug-fix release, including -updates to the experimental caching module, the removal of several -memory leaks, and fixes for several segfaults, one of which could have -been used as a denial-of-service against mod_dav. A complete list of -the changes since 2.0.40 is given at the end of this document. + Apache 2.0.43 Released + The Apache Software Foundation and The Apache Server Project are + pleased to announce the sixth public release of the Apache 2.0 + HTTP Server. This Announcement notes the significant changes in + 2.0.43, as compared to 2.0.42. -Apache 2.0 offers numerous enhancements, improvements, and performance -boosts over the 1.3 codebase. The most visible and noteworthy addition -is the ability to run Apache in a hybrid thread/process mode on any -platform that supports both threads and processes. This has been shown -to improve the scalability of the Apache HTTP Server significantly in -our testing. Apache 2.0 also includes support for filtered I/O. This -allows modules to modify the output of other modules before it is -sent to the client. We have also included support for IPv6 on any -platform that supports IPv6. + This version of Apache is principally a security and bug fix release. + A summary of the bug fixes is given at the end of this document. + Of particular note is that 2.0.43 addresses and fixes two security + vulnerabilities. -This version of Apache is known to work on many versions of Unix, BeOS, -OS/2, Windows, and Netware. Because of the many advances in Apache -2.0, it is expected to perform equally well on all supported platforms. -Apache 2.0 has been running on the apache.org website since December -of 2000 and has proven to be very reliable. 
+ CAN-2002-0840 (cve.mitre.org)[1]: Apache is susceptible to a cross site + scripting vulnerability in the default 404 page of any web server hosted + on a domain that allows wildcard DNS lookups. We thank Matthew Murphy + for notification of this issue. -Apache has been the most popular web server on the Internet since -April of 1996. The August 2002 Web Server Survey by Netcraft (see -http://www.netcraft.com/survey/) found that more web servers were -using Apache than any other software; Apache runs on more than 63% -of the web servers on the Internet. + Bug ID 13025[2]: Apache would serve script source code for POST requests + when the DAV On directive enabled mod_dav for a given resource. We thank + Sander Holthaus for notification of this issue. + We consider this release to be the best version of Apache available + and encourage users of all prior versions to upgrade. -We consider this release to be the best version of Apache available -and encourage users of all prior versions to upgrade. When doing so, -please keep in mind the following: + Apache 2.0.43 is available for download from -This release is not binary-compatible with previous releases, so all -modules need to be recompiled in order to work with this version. For -example, a module compiled to work with 2.0.40 will not work with 2.0.42. + http://www.apache.org/dist/httpd/ -If you intend to use Apache with one of the threaded MPMs, you must -ensure that the modules (and the libraries they depend on) that you -will be using are thread-safe. Please contact the vendors of -these modules to obtain this information. + Please see the CHANGES_2.0 file in the same directory for a full list + of changes. 
+ Binary distributions are available from -For more information and to download the release tarballs, please -visit http://httpd.apache.org/ + http://www.apache.org/dist/httpd/binaries/ + The source and binary distributions are also available via any of the + mirrors listed at -Changes since 2.0.40 ---------------------------------------------- + http://www.apache.org/mirrors/ -Changes with Apache 2.0.42 + Apache 2.0 offers numerous enhancements, improvements, and performance + boosts over the 1.3 codebase. The most visible and noteworthy addition + is the ability to run Apache in a hybrid thread/process mode on any + platform that supports both threads and processes. This has been shown + to improve the scalability of the Apache HTTP Server significantly in + our testing. Apache 2.0 also includes support for filtered I/O. This + allows modules to modify the output of other modules before it is + sent to the client. We have also included support for IPv6 on any + platform that supports IPv6. - *) mod_dav: Check for versioning hooks before using them. - [Greg Stein] + This version of Apache is known to work on many versions of Unix, BeOS, + OS/2, Windows, and Netware. Because of the many advances in Apache + 2.0, it is expected to perform equally well on all supported platforms. + Apache 2.0 has been running on the apache.org website since December + of 2000 and has proven to be very reliable. -Changes with Apache 2.0.41 + When upgrading or installing this version of Apache, please keep + in mind the following: - *) The protocol version (eg: HTTP/1.1) in the request line parsing - is now case insensitive. [Jim Jagielski] + This release is binary-compatible only with 2.0.42, and no other previous + releases. All modules must be recompiled in order to work with this + version. For example, a module compiled to work with 2.0.40 will not + work with 2.0.43. - *) Allow AddOutputFilterByType to add multiple filters per directive. 
- [Justin Erenkrantz] + This release does not include the new mod_logio, contrary to the + documentation in the CHANGES and manual included in this release. + That module will be included in the next public release of Apache 2.0. + We regret the confusion. - *) Remove warnings with Sun's Forte compiler. [Justin Erenkrantz] + Users of this release on Darwin 6.1 (including Mac OS X 10.2, a.k.a. + "Jaguar") must add --disable-ipv6 when invoking the ./configure script, + to avoid a potential security exposure related to IPv6 support on that + platform. - *) Fixed mod_disk_cache's generation of 304s - [Kris Verbeeck ] + If you intend to use Apache with one of the threaded MPMs, you must + ensure that the modules (and the libraries they depend on) that you + will be using are thread-safe. Please contact the vendors of + these modules to obtain this information. - *) Add support for using fnmatch patterns in the final path - segment of an Include statement (eg.. include /foo/bar/*.conf). - and remove the noise on stderr during config dir processing. - [Joe Orton ] + Apache is the most popular web server in the known universe; over half + of the servers on the Internet are running Apache or one of its + variants. - *) mod_cache: cache_storage.c. Add the hostname and any request - args to the key generated for caching. This provides a unique - key for each virtual host and for each request with unique - args. [Paul J. Reder, args code provided by Kris Verbeeck] - *) mod_cache: Do not cache responses to GET requests with query - URLs if the origin server does not explicitly provide an - Expires header on the response (RFC 2616 Section 13.9) - [Kris Verbeeck krisv@be.ubizen.com] + Apache 2.0.43 Major changes - *) Fix memory leak in core_output_filter. [Justin Erenkrantz] + Security vulnerabilities closed since Apache 2.0.42 - *) Update OpenSSL detection to work on Darwin. 
- [Sander Temme ] + * Fixed the security vulnerability noted in CAN-2002-0840 (cvs.mitre.org) + regarding a cross-site scripting vulnerability in the default error + page when using wildcard DNS. - *) Update the xslt and css to give the documentation a more - modern style. - [Andr� Malo , Gernot Winkler ] + * Prevent POST requests for CGI scripts from serving the source code + when DAV is enabled on the location. - *) Fix some bucket memory leaks in the chunking code - [Joe Schaefer ] + Bugs fixed since Apache 2.0.42 - *) Add ModMimeUsePathInfo directive. [Justin Erenkrantz] + * Fixed a core dump in mod_cache when it attemtped to store uncopyable + buckets, such as a file containing SSI tags to execute a CGI script. - *) mod_cache: added support for caching streamed responses (proxy, - CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane] + * Ensured that output already available is flushed to the network + to help some streaming CGIs and other dynamically-generated content. - *) Add image/x-icon to httpd.conf PR 10993. - [Ian Holsman, Peter Bieringer ] + * Fixed a mutex problem in mod_ssl dbm session cache support. - *) Fix FileETags none operation. PR 12207. - [Justin Erenkrantz, Andrew Ho ] + * Allow the UserDir directive to accept a list of directories, as in 1.3. - *) Restored the experimental leader/followers MPM to working - condition and converted its thread synchronization from - mutexes to atomic CAS. [Brian Pane] + * Changed SuExec to use the same default directory as the rest of the + server, e.g. /usr/local/apache2. - *) Fix Logic on non-html file removal in mod_deflate - [Kris Verbeeck ] + * Retry connections with mod_auth_ldap on LDAP_SERVER_DOWN errors. - *) Fix "ab -g"'s truncated year: the last digit was cut off. - [Leon Brocard ] + * Pass the WWW-Authenticate header on a 4xx responses from the proxy. 
- *) mod_rewrite can now sets cookies in err_headers, uses the correct - expiry date, and can now set the path as well - PR 12132,12181,12172. - [Ian Holsman / Rob Cromwell ] + * Fixed mod_cache's CacheMaxStreamingBuffer directive within virtual hosts. - *) The content-length filter no longer tries to buffer up - the entire output of a long-running request before sending - anything to the client. [Brian Pane] + * Add -p option to apxs to allow programs to be compiled with apxs. - *) Win32: Lower the default stack size from 1MB to 256K. This will - allow around 8000 threads to be started per child process. - 'EDITBIN /STACK:size apache.exe' can be used to change this - value directly in the apache.exe executable. - [Bill Stoddard] + References - *) Win32: Implement ThreadLimit directive in the Windows MPM. - [Bill Stoddard] + [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840 + [2] http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13025 - *) Remove CacheOn config directive since it is set but never checked. - No sense wasting cycles on unused code. Besides, the only truly - bug free code is deleted code. :) [Paul J. Reder] - - *) BufferLogs are now run-time enabled, and the log_config now has 2 new - callbacks to allow a 3rd party module to actually do the writing of the - log file [Ian Holsman] - - *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs. - [Andr� Malo, Astrid Ke�ler ] - - *) Fix Segfault in mod_cache. [Kris Verbeeck ] - - *) Fix a null pointer dereference in the merge_env_dir_configs - function of the mod_env module. PR 11791 - [Paul J. Reder] - - *) New option to ServerTokens 'maj[or]'. Only show the major version - Also Surfaced this directive in the standard config (default FULL) - [Ian Holsman] - - *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite - maps. The dbm type (e.g., ndbm, gdbm) can be specified on the - RewriteMap directive. 
PR 10644 [Jeff Trawick] - - *) Fixed mod_rewrite's RewriteMap prg: support so that request/response - pairs will no longer get out of sync with each other. PR 9534 - [Cliff Woolley] - - *) Fixes required to get quoted and escaped command args working in - mod_ext_filter. PR 11793 [Paul J. Reder] - - *) mod-proxy: handle proxied responses with no status lines - [JD Silvester , Brett Huttley ] - - *) Fix bug where environment or command line arguments containing - non-ASCII-7 characters would cause the Win32 child process creation - to fail. PR 11854 [William Rowe] - - *) Bug #11213.. make module loading error messages more informative - [Ian Darwin ] - - *) thread safety & proxy-ftp [Alexey Panchenko alexey@liwest.ru, Ian Holsman] - - *) mod_disk_cache works much better. This module should still - be considered experimental. [Eric Prud'hommeaux] - - *) Performance improvement for keepalive requests: when setting - aside a small file for potential concatenation with the next - response on the connection, set aside the file descriptor rather - than copying the file into the heap. [Brian Pane]
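Review bot: The Announcement2.txt hunk drops the Netcraft-sourced paragraph ("The August 2002 Web Server Survey by Netcraft ... more than 63%") and replaces it with the unsourced "Apache is the most popular web server in the known universe; over half of the servers on the Internet are running Apache or one of its variants."; since this file now carries a References section, the survey URL could be kept as a numbered reference instead of removing the source. The same typos as in the HTML copy are present in the added lines ("cvs.mitre.org" for "cve.mitre.org", "attemtped", "on a 4xx responses"), and the same contradiction between "binary-compatible only with 2.0.42" and "All modules must be recompiled" appears here. The Darwin 6.1 paragraph tells users to add --disable-ipv6 "to avoid a potential security exposure" without saying what the exposure is or linking to it; adding a [3] entry in the new References section would give readers something to evaluate.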