httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jwool...@apache.org
Subject cvs commit: httpd-dist/binaries/win32 HEADER.html README.html
Date Wed, 28 May 2003 05:47:24 GMT
jwoolley    2003/05/27 22:47:24

  Modified:    .        .htaccess Announcement2.html Announcement2.txt
                        README.html
               binaries/win32 HEADER.html README.html
  Log:
  get ready for httpd-2.0.46
  
  Revision  Changes    Path
  1.85      +2 -2      httpd-dist/.htaccess
  
  Index: .htaccess
  ===================================================================
  RCS file: /home/cvs/httpd-dist/.htaccess,v
  retrieving revision 1.84
  retrieving revision 1.85
  diff -u -d -u -r1.84 -r1.85
  --- .htaccess	15 May 2003 03:35:36 -0000	1.84
  +++ .htaccess	28 May 2003 05:47:23 -0000	1.85
  @@ -26,8 +26,8 @@
   AddDescription "1.3.27 compressed source" apache_1.3.27.tar.Z
   AddDescription "1.3.27 gzipped source" apache_1.3.27.tar.gz
   AddDescription "1.3.27 pkzipped source" apache_1.3.27.zip
  -AddDescription "2.0.45 compressed source" httpd-2.0.45.tar.Z
  -AddDescription "2.0.45 gzipped source" httpd-2.0.45.tar.gz
  +AddDescription "2.0.46 compressed source" httpd-2.0.46.tar.Z
  +AddDescription "2.0.46 gzipped source" httpd-2.0.46.tar.gz
   AddDescription "Source code for Win32 compilers" *-win32-src.zip
   AddDescription "Flood 0.4 source" flood-0.4.tar.gz
   AddDescription "Installer Package" *.exe
  
  
  
  1.39      +195 -98   httpd-dist/Announcement2.html
  
  Index: Announcement2.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/Announcement2.html,v
  retrieving revision 1.38
  retrieving revision 1.39
  diff -u -d -u -r1.38 -r1.39
  --- Announcement2.html	2 Apr 2003 19:10:45 -0000	1.38
  +++ Announcement2.html	28 May 2003 05:47:23 -0000	1.39
  @@ -14,62 +14,52 @@
   >
   <img src="../../images/apache_sub.gif" alt="">
   
  -<h1>Apache 2.0.45 Released</h1>
  +<h1>Apache 2.0.46 Released</h1>
   
  -<p>The Apache Software Foundation and The Apache HTTP Server Project are
  -   pleased to announce the eighth public release of the Apache 2.0
  +<p>The Apache Software Foundation and the Apache HTTP Server Project are
  +   pleased to announce the ninth public release of the Apache 2.0
      HTTP Server.  This Announcement notes the significant changes in
  -   2.0.45 as compared to 2.0.44.</p>
  -
  -<p><strong>OS2 users; </strong>note that Apache 2.0 versions 
  -   *including* 2.0.45 still
  -   have a Denial of Service vulnerability that was identified and reported 
  -   by Robert Howard <rihoward@rawbw.com> that will fixed with the release
  -   of 2.0.46, but is too important to delay announcement today.  The patch
  -   http://cvs.apache.org/viewcvs/apr/file_io/os2/filestat.c.diff?r1=1.34&r2=1.35
  -   must be applied before building on OS2.  This patch will already 
  -   be applied to all OS2 binaries released for Apache 2.0.45.
  -   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0134]
  +   2.0.46 as compared to 2.0.45.</p>
   
   <p>This version of Apache is principally a security and bug fix release.
      A summary of the bug fixes is given at the end of this document.
  -   Of particular note is that 2.0.45 addresses two security
  -   vulnerabilities, both affecting all platforms.</p>
  +   Of particular note is that 2.0.46 addresses two security
  +   vulnerabilities:</p>
   
  -<p>Prior Apache 2.0 versions through 2.0.44 had a significant Denial of 
  -   Service vulnerability that was identified and reported by David Endler 
  -   &lt;DEndler@iDefense.com&gt;, and fixed with this release.  The specific 
  -   details of this issue will be published by David Endler one week from 
  -   this release, on April 8th [this is the correct,  revised date].  
  -   No more specific information is disclosed 
  -   at this time, but all Apache 2.0 users are encouraged to upgrade now.
  -   [<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132"
  -    >http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132</a>]</p>
  +<p>Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
  +   certain circumstances.  This can be triggered remotely through mod_dav
  +   and possibly other mechanisms.  The crash was originally reported by
  +   David Endler &lt;DEndler@iDefense.com&gt; and was researched and fixed by
  +   Joe Orton &lt;jorton@redhat.com&gt;.  Specific details and an analysis of the
  +   crash will be published Friday, May 30.  No more specific information
  +   is disclosed at this time, but all Apache 2.0 users are encouraged to
  +   upgrade now.<br>
  +   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245</a>]</code></p>
  +  
  +<p>Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
  +   vulnerable to a denial-of-service attack on the basic authentication
  +   module, which was reported by John Hughes &lt;john.hughes@entegrity.com&gt;.
  +   A bug in the configuration scripts caused the <code>apr_password_validate()</code>
  +   function to be thread-unsafe on platforms with <code>crypt_r()</code>, including
  +   AIX and Linux.  All versions of Apache 2.0 have this thread-safety
  +   problem on platforms with no <code>crypt_r()</code> and no thread-safe <code>crypt()</code>,
  +   such as Mac OS X and possibly others.  When using a threaded MPM (which
  +   is not the default on these platforms), this allows remote attackers
  +   to create a denial of service which causes valid usernames and
  +   passwords for Basic Authentication to fail until Apache is restarted.
  +   We do not believe this bug could allow unauthorized users to gain
  +   access to protected resources.<br>
  +   <code>[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189</a>]</code></p>
   
  -<p>This release eliminated leaks of several file descriptors to child
  -   processes, such as CGI scripts, which could consitute a security threat
  -   on servers that run untrusted CGI scripts.  This issue was identified,
  -   reported and addressed by Christian Kratzer &lt;ck@cksoft.de&gt; and
  -   Bjoern A. Zeeb &lt;bz@zabbadoz.net&gt;.</p>
  +<p>The Apache Software Foundation would like to thank David Endler
  +   and John Hughes for the responsible reporting of these issues.</p>
   
  -<p>The Apache Software Foundation would like to thank David Endler, 
  -   Christian Kratzer, Bjoern Zeeb and Robert Howard for the responsible 
  -   reporting of these issues.</p>
   
  -<p>Apache 2.0.42 and later releases mark a change in the Apache release 
  -   process, and a new level of stability in the 2.0 series.  With the
  -   release of Apache 2.0.42, we will make every effort to retain 
  -   forward compatibility so that upgrading along the 2.0 series should 
  -   be much easier.  This compatibility extends from Apache release 2.0.42, 
  -   so users of that version or later should be able to upgrade without 
  -   changing configurations or updating DSO modules.  (Users of earlier 
  -   releases will need to recompile all modules in order to upgrade 
  -   to 2.0.42 or later versions.)</p>
  -
  -<p>We consider this release to be the best version of Apache available
  -   and encourage users of all prior versions to upgrade.</p>
  +<p>This release is compatible with modules compiled for 2.0.42 and later
  +   versions.  We consider this release to be the best version of Apache
  +   available and encourage users of all prior versions to upgrade.</p>
   
  -<p>Apache 2.0.45 is available for download from</p>
  +<p>Apache 2.0.46 is available for download from</p>
   <dl>
     <dd><a href="http://httpd.apache.org/download.cgi">http://httpd.apache.org/download.cgi</a></dd>
   </dl>
  @@ -93,61 +83,168 @@
      will be using are thread-safe.  Please contact the vendors of these
      modules to obtain this information.</p>
   
  -<h2>Apache 2.0.45 Major changes</h2>
  +<h2>Apache 2.0.46 Major changes</h2>
   
  -<h3>Security vulnerabilities closed since Apache 2.0.44</h3>
  +<h3>Security vulnerabilities closed since Apache 2.0.45</h3>
   <ul>
  -    <li>SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability
  -       identified by David Endler <DEndler@iDefense.com> on all platforms.
  -       Details embargoed until their announcement on 7 April 2003.</li>
  +    <li><code>SECURITY [CAN-2003-0245]:</code> Fixed a bug that could
be triggered
  +       remotely through mod_dav and possibly other mechanisms, causing
  +       an Apache child process to crash.  The crash was first reported
  +       by David Endler &lt;DEndler@iDefense.com&gt; and was researched and
  +       fixed by Joe Orton &lt;jorton@redhat.com&gt;.  Details will be released
  +       on 30 May 2003.</li>
   
  -    <li>SECURITY:  Eliminated leaks of several file descriptors to child
  -       processes, such as CGI scripts.  This fix depends on the latest
  -       APR library release 0.9.2, which is distributed with the httpd 
  -       source tarball for Apache 2.0.45.  PR 17206
  -       [Christian Kratzer <ck@cksoft.de>, Bjoern A. Zeeb <bz@zabbadoz.net>]</li>
  +    <li><code>SECURITY [CAN-2003-0189]:</code> Fixed a denial-of-service
vulnerability
  +       affecting basic authentication on Unix platforms related to
  +       thread-safety in <code>apr_password_validate()</code>.  The problem
was reported
  +       by John Hughes &lt;john.hughes@entegrity.com&gt;</li>
   </ul>
   
  -<h3>Bugs fixed and features added since Apache 2.0.44</h3>
  +<h3>Bugs fixed and features added since Apache 2.0.45</h3>
   <ul>
  -    <li>Prevent endless loops of internal redirects in mod_rewrite by
  -        aborting after exceeding a limit of internal redirects. The
  -        limit defaults to 10 and can be changed using the RewriteOptions
  -        directive. PR 17462.</li>
   
  -    <li>Configurable compression level for mod_deflate.</li>
  +    <li>Fix for mod_dav.  Call the 'can_be_activity' callback, if provided,
  +       when a MKACTIVITY request comes in.
  +       [Ben Collins-Sussman &lt;sussman@collab.net&gt;]</li>
   
  -    <li>Allow SSLMutex to select/use the full range of APR locking
  -        mechanisms available to it (e.g. same choices as AcceptMutex.)</li>
  +    <li>Perform run-time query in apxs for apr and apr-util's includes.
  +       [Justin Erenkrantz] </li>
   
  -    <li>mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
  -        be started on Unix because of such problems as bad permissions,
  -        bad shebang line, etc.</li>
  +    <li>run libtool from the apr install directory (in case that is different
  +       from the apache install directory) [Jeff Trawick]</li>
   
  -    <li>Try to log an error if a piped log program fails and try to
  -        restart a piped log program in more failure situations.</li>
  +    <li>configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]</li>
   
  -    <li>Added support for mod_auth_LDAP, with a new AuthLDAPCharsetConfig 
  -        directive, to convert extended characters in the user ID to UTF-8,
  -        before authenticating against the LDAP directory.</li>
  +    <li>If mod_mime_magic does not know the content-type, do not attempt to
  +       guess.  PR 16908.  [Andrew Gapon &lt;agapon@telcordia.com&gt;]</li>
   
  -    <li>No longer removes the Content-Length from responses via mod_proxy.</li>
  +    <li>ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
  +       caching. PR 17864.
  +       [Andreas Leimbacher &lt;andreasl67@yahoo.de&gt;, Madhusudan Mathihalli]</li>
   
  -    <li>Enhance mod_isapi's WriteClient() callback to provide better emulation 
  -        for isapi extensions that use the first WriteClient() to send status 
  -        and headers, such as the foxisapi module.</li>
  +    <li>Add a delete flag to htpasswd.
  +       [Thom May]</li>
   
  -    <li>Win32: Avoid busy wait (consuming all the CPU idle cycles) when
  -        all worker threads are busy.</li>
  +    <li>Fix mod_rewrite's handling of absolute URIs. The escaping routines
  +       now work scheme dependent and the query string will only be
  +       appended if supported by the particular scheme.  [Andr&eacute; Malo]</li>
   
  -    <li>Introduced .pdb debugging symbols for Win32 release builds.</li>
  - 
  -    <li>Fixed piped access logs on Win32.</li>
  +    <li>Add another check for already compressed content in mod_deflate.
  +       PR 19913. [Tsuyoshi SASAMOTO &lt;nazonazo@super.win.ne.jp&gt;]</li>
   
  -    <li>Fix path handling of mod_rewrite, especially on non-unix systems.
  -        There was some confusion between local paths and URL paths.</li>
  +    <li>Fixes for VPATH builds; copying special.mk and any future .mk files 
  +       from the source tree as well as the build tree (now creates a usable
  +       configuration for apxs), and eliminated redundant -I'nclude paths.
  +       [William Rowe]</li>
   
  -    <li>Added an rpm build script.</li>
  +    <li>Code fixes, constness corrections and ssl_toolkit_compat.h updates
  +       for SSLC and OpenSSL toolkit compatibility.  Still work remains to
  +       be done to cripple features based on the limitations of RSA's binary 
  +       distribution of their SSL-C toolkit.
  +       [William Rowe, Madhusudan Mathihalli, Jeff Trawick]</li>
  +
  +    <li>Linux 2.4+: If Apache is started as root and you code 
  +       CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
  +       [Greg Ames]</li>
  +
  +    <li>ap_get_mime_headers_core: allocate space for the trailing null
  +       when folding is in effect.
  +       PR 18170 [Peter Mayne &lt;PeterMayne@SPAM_SUX.ap.spherion.com&gt;]</li>
  +
  +    <li>Fix --enable-mods-shared=most and other variants.  [Aaron Bannert]</li>
  +
  +    <li>mod_log_config: Add the ability to log the id of the thread 
  +       processing the request via new %P formats.  [Jeff Trawick]</li>
  +
  +    <li>Use appropriate language codes for Czech (cs) and Traditional Chinese
  +       (zh-tw) in default config files. PR 9427.  [Andr&eacute; Malo]</li>
  +
  +    <li>mod_auth_ldap: Use generic whitespace character class when parsing
  +       "require" directives, instead of literal spaces only. PR 17135.
  +       [Andr&eacute; Malo]</li>
  +
  +    <li>Hook mod_rewrite's type checker before mod_mime's one. That way the
  +       RewriteRule [T=...] Flag should work as expected now. PR 19626.
  +       [Andr&eacute; Malo]</li>
  +
  +    <li>htpasswd: Check the processed file on validity. If a line is not empty
  +       and not a comment, it must contain at least one colon. Otherwise exit
  +       with error code 7. [Kris Verbeeck &lt;Kris.Verbeeck@ubizen.com&gt;, Thom
May]</li>
  +
  +    <li>Fix a problem that caused httpd to be linked with incorrect flags
  +       on some platforms when mod_so was enabled by default, breaking 
  +       DSOs on AIX.  PR 19012  [Jeff Trawick]</li>
  +
  +    <li>By default, use the same CC and CPP with which APR was built.
  +       The user can override with CC and CPP environment variables.
  +       [Jeff Trawick]</li>
  +
  +    <li>Fix ap_construct_url() so that it surrounds IPv6 literal address
  +       strings with [].  This fixes certain types of redirection.
  +       PR 19207.  [Jeff Trawick]</li>
  +
  +    <li>forward port of buffer overflow fixes for htdigest. [Thom May]</li>
  +
  +    <li>Added AllowEncodedSlashes directive to permit control of whether
  +       the server will accept encoded slashes ('%2f') in the URI path.
  +       Default condition is off (the historical behaviour).  This permits
  +       environments in which the path-info needs to contain encoded
  +       slashes.  PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639.
  +       [Ken Coar]</li>
  +
  +    <li>When using Redirect in directory context, append requested query
  +       string if there's no one supplied by configuration. PR 10961.
  +       [Andr&eacute; Malo]</li>
  +
  +    <li>Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
  +       the pattern will not always match as desired. PR 12596.
  +       [Andr&eacute; Malo]</li>
  +
  +    <li>mod_autoindex now emits and accepts modern query string parameter
  +       delimiters (;). Thus column headers no longer contain unescaped
  +       ampersands. PR 10880  [Andr&eacute; Malo]</li>
  +
  +    <li>Enable ap_sock_disable_nagle for Windows. This along with the 
  +       addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle 
  +       to be disabled for Windows. [Allan Edwards]</li>
  +
  +    <li>Correct a mis-correlation between mpm_common.c and mpm_common.h;
  +       This patch reverts us to pre-2.0.46 behavior, using the 
  +       ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle 
  +       was never compiled on Win32. [Allan Edwards, William Rowe]</li>
  +
  +    <li>Fix a build problem with passing unsupported --enable-layout
  +       args to apr and apr-util.  This broke binbuild.sh as well as
  +       user-specified layout parameters.  PR 18649 [Justin Erenkrantz,
  +       Jeff Trawick]</li>
  +
  +    <li>If a Date response header was already set in the headers array,
  +       this value was ignored in favour of the current time. This meant
  +       that Date headers on proxied requests where rewritten when they
  +       should not have been. PR: 14376 [Graham Leggett]</li>
  +
  +    <li>Add code to buildconf that produces an httpd.spec file from
  +       httpd.spec.in, using build/get-version.sh from APR.
  +       [Graham Leggett]</li>
  +
  +    <li>Fixed a segfault when multiple ProxyBlock directives were used.
  +       PR: 19023 [Sami Tikka &lt;sami.tikka@f-secure.com&gt;]</li>
  +
  +    <li><code>SECURITY [CAN-2003-0134]</code> OS2: Fix a Denial of Service
vulnerability 
  +       identified and reported by Robert Howard &lt;rihoward@rawbw.com&gt; that

  +       where device names faulted the running OS2 worker process.
  +       The fix is actually in APR 0.9.4.  [Brian Havard]</li>
  +
  +    <li>Forward port: Escape special characters (especially control
  +       characters) in mod_log_config to make a clear distinction between
  +       client-supplied strings (with special characters) and server-side
  +       strings. This was already introduced in version 1.3.25.
  +       [Andr&eacute; Malo]</li>
  +
  +    <li>mod_deflate: Check also err_headers_out for an already set
  +       Content-Encoding: gzip header. This prevents gzip compressed content
  +       from a CGI script from being compressed once more. PR 17797.
  +       [Andr&eacute; Malo]</li>
   </ul>
   
   </body>
  
  
  
  1.33      +184 -83   httpd-dist/Announcement2.txt
  
  Index: Announcement2.txt
  ===================================================================
  RCS file: /home/cvs/httpd-dist/Announcement2.txt,v
  retrieving revision 1.32
  retrieving revision 1.33
  diff -u -d -u -r1.32 -r1.33
  --- Announcement2.txt	2 Apr 2003 19:10:45 -0000	1.32
  +++ Announcement2.txt	28 May 2003 05:47:23 -0000	1.33
  @@ -1,58 +1,51 @@
   
  -                       Apache 2.0.45 Released
  +                       Apache 2.0.46 Released
   
  -   The Apache Software Foundation and The Apache HTTP Server Project are
  -   pleased to announce the eighth public release of the Apache 2.0
  +   The Apache Software Foundation and the Apache HTTP Server Project are
  +   pleased to announce the ninth public release of the Apache 2.0
      HTTP Server.  This Announcement notes the significant changes in
  -   2.0.45 as compared to 2.0.44.
  +   2.0.46 as compared to 2.0.45.
   
  -   OS2 users; note that Apache 2.0 versions *including* 2.0.45 still
  -   have a Denial of Service vulnerability that was identified and reported 
  -   by Robert Howard <rihoward@rawbw.com> that will fixed with the release
  -   of 2.0.46, but is too important to delay announcement today.  The patch
  -   http://cvs.apache.org/viewcvs/apr/file_io/os2/filestat.c.diff?r1=1.34&r2=1.35
  -   must be applied before building on OS2.  This patch will already 
  -   be applied to all OS2 binaries released for Apache 2.0.45.
  -   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0134]
   
      This version of Apache is principally a security and bug fix release.
      A summary of the bug fixes is given at the end of this document.
  -   Of particular note is that 2.0.45 addresses two security
  -   vulnerabilities, both affecting all platforms.
  +   Of particular note is that 2.0.46 addresses two security
  +   vulnerabilities:
   
  -   Prior Apache 2.0 versions through 2.0.44 had a significant Denial of 
  -   Service vulnerability that was identified and reported by David Endler 
  -   <DEndler@iDefense.com>, and fixed with this release.  The specific 
  -   details of this issue will be published by David Endler one week from 
  -   this release, on April 8th [this is the correct,  revised date].  
  -   No more specific information is disclosed at this time, but all 
  -   Apache 2.0 users are encouraged to upgrade now.
  -   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132]
  +   Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
  +   certain circumstances.  This can be triggered remotely through mod_dav
  +   and possibly other mechanisms.  The crash was originally reported by
  +   David Endler <DEndler@iDefense.com> and was researched and fixed by
  +   Joe Orton <jorton@redhat.com>.  Specific details and an analysis of the
  +   crash will be published Friday, May 30.  No more specific information
  +   is disclosed at this time, but all Apache 2.0 users are encouraged to
  +   upgrade now.
  +   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]
  +  
  +   Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
  +   vulnerable to a denial-of-service attack on the basic authentication
  +   module, which was reported by John Hughes <john.hughes@entegrity.com>.
  +   A bug in the configuration scripts caused the apr_password_validate()
  +   function to be thread-unsafe on platforms with crypt_r(), including
  +   AIX and Linux.  All versions of Apache 2.0 have this thread-safety
  +   problem on platforms with no crypt_r() and no thread-safe crypt(),
  +   such as Mac OS X and possibly others.  When using a threaded MPM (which
  +   is not the default on these platforms), this allows remote attackers
  +   to create a denial of service which causes valid usernames and
  +   passwords for Basic Authentication to fail until Apache is restarted.
  +   We do not believe this bug could allow unauthorized users to gain
  +   access to protected resources.
  +   [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]
   
  -   This release eliminated leaks of several file descriptors to child
  -   processes, such as CGI scripts, which could consitute a security threat
  -   on servers that run untrusted CGI scripts.  This issue was identified,
  -   reported and addressed by Christian Kratzer <ck@cksoft.de> and
  -   Bjoern A. Zeeb <bz@zabbadoz.net>.
  +   The Apache Software Foundation would like to thank David Endler
  +   and John Hughes for the responsible reporting of these issues.
   
  -   The Apache Software Foundation would like to thank David Endler, 
  -   Christian Kratzer, Bjoern Zeeb and Robert Howard for the responsible 
  -   reporting of these issues.
   
  -   Apache 2.0.42 and later releases mark a change in the Apache release 
  -   process, and a new level of stability in the 2.0 series.  With the
  -   release of Apache 2.0.42, we will make every effort to retain 
  -   forward compatibility so that upgrading along the 2.0 series should 
  -   be much easier.  This compatibility extends from Apache release 2.0.42, 
  -   so users of that version or later should be able to upgrade without 
  -   changing configurations or updating DSO modules.  (Users of earlier 
  -   releases will need to recompile all modules in order to upgrade 
  -   to 2.0.42 or later versions.)
  -
  -   We consider this release to be the best version of Apache available
  -   and encourage users of all prior versions to upgrade.
  +   This release is compatible with modules compiled for 2.0.42 and later
  +   versions.  We consider this release to be the best version of Apache
  +   available and encourage users of all prior versions to upgrade.
   
  -   Apache 2.0.45 is available for download from
  +   Apache 2.0.46 is available for download from
   
        http://httpd.apache.org/download.cgi
   
  @@ -74,57 +67,165 @@
      modules to obtain this information.
   
   
  -                       Apache 2.0.45 Major changes
  +                       Apache 2.0.46 Major changes
   
  -   Security vulnerabilities closed since Apache 2.0.44
  +   Security vulnerabilities closed since Apache 2.0.45
   
  -    *) SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability
  -       identified by David Endler <DEndler@iDefense.com> on all platforms.
  -       Details embargoed until their announcement on 7 April 2003.
  +    *) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered
  +       remotely through mod_dav and possibly other mechanisms, causing
  +       an Apache child process to crash.  The crash was first reported
  +       by David Endler <DEndler@iDefense.com> and was researched and
  +       fixed by Joe Orton <jorton@redhat.com>.  Details will be released
  +       on 30 May 2003.
   
  -    *) SECURITY:  Eliminated leaks of several file descriptors to child
  -       processes, such as CGI scripts.  This fix depends on the latest
  -       APR library release 0.9.2, which is distributed with the httpd 
  -       source tarball for Apache 2.0.45.  PR 17206
  +    *) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
  +       affecting basic authentication on Unix platforms related to
  +       thread-safety in apr_password_validate().  The problem was reported
  +       by John Hughes <john.hughes@entegrity.com>
   
  -   Bugs fixed and features added since Apache 2.0.44
   
  -    *) Prevent endless loops of internal redirects in mod_rewrite by
  -       aborting after exceeding a limit of internal redirects. The
  -       limit defaults to 10 and can be changed using the RewriteOptions
  -       directive. PR 17462.
  +   Bugs fixed and features added since Apache 2.0.45
   
  -    *) Configurable compression level for mod_deflate.
  +    *) Fix for mod_dav.  Call the 'can_be_activity' callback, if provided,
  +       when a MKACTIVITY request comes in.
  +       [Ben Collins-Sussman <sussman@collab.net>]
   
  -    *) Allow SSLMutex to select/use the full range of APR locking
  -       mechanisms available to it (e.g. same choices as AcceptMutex.)
  +    *) Perform run-time query in apxs for apr and apr-util's includes.
  +       [Justin Erenkrantz] 
   
  -    *) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
  -       be started on Unix because of such problems as bad permissions,
  -       bad shebang line, etc.
  +    *) run libtool from the apr install directory (in case that is different
  +       from the apache install directory) [Jeff Trawick]
   
  -    *) Try to log an error if a piped log program fails and try to
  -       restart a piped log program in more failure situations.
  +    *) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]
   
  -    *) Added support for mod_auth_LDAP, with a new AuthLDAPCharsetConfig 
  -       directive, to convert extended characters in the user ID to UTF-8,
  -       before authenticating against the LDAP directory.
  +    *) If mod_mime_magic does not know the content-type, do not attempt to
  +       guess.  PR 16908.  [Andrew Gapon <agapon@telcordia.com>]
   
  -    *) No longer removes the Content-Length from responses via mod_proxy.
  +    *) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
  +       caching. PR 17864.
  +       [Andreas Leimbacher <andreasl67@yahoo.de>, Madhusudan Mathihalli]
   
  -    *) Enhance mod_isapi's WriteClient() callback to provide better emulation 
  -       for isapi extensions that use the first WriteClient() to send status 
  -       and headers, such as the foxisapi module.
  +    *) Add a delete flag to htpasswd.
  +       [Thom May]
   
  -    *) Win32: Avoid busy wait (consuming all the CPU idle cycles) when
  -       all worker threads are busy. 
  +    *) Fix mod_rewrite's handling of absolute URIs. The escaping routines
  +       now work scheme dependent and the query string will only be
  +       appended if supported by the particular scheme.  [André Malo]
   
  -    *) Introduced .pdb debugging symbols for Win32 release builds.
  - 
  -    *) Fixed piped access logs on Win32.
  +    *) Add another check for already compressed content in mod_deflate.
  +       PR 19913. [Tsuyoshi SASAMOTO <nazonazo@super.win.ne.jp>]
   
  -    *) Fix path handling of mod_rewrite, especially on non-unix systems.
  -       There was some confusion between local paths and URL paths.
  +    *) Fixes for VPATH builds; copying special.mk and any future .mk files 
  +       from the source tree as well as the build tree (now creates a usable
  +       configuration for apxs), and eliminated redundant -I'nclude paths.
  +       [William Rowe]
   
  -    *) Added an rpm build script.
  +    *) Code fixes, constness corrections and ssl_toolkit_compat.h updates
  +       for SSLC and OpenSSL toolkit compatibility.  Still work remains to
  +       be done to cripple features based on the limitations of RSA's binary 
  +       distribution of their SSL-C toolkit.
  +       [William Rowe, Madhusudan Mathihalli, Jeff Trawick]
  +
  +    *) Linux 2.4+: If Apache is started as root and you code 
  +       CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
  +       [Greg Ames]
  +
  +    *) ap_get_mime_headers_core: allocate space for the trailing null
  +       when folding is in effect.
  +       PR 18170 [Peter Mayne <PeterMayne@SPAM_SUX.ap.spherion.com>]
  +
  +    *) Fix --enable-mods-shared=most and other variants.  [Aaron Bannert]
  +
  +    *) mod_log_config: Add the ability to log the id of the thread 
  +       processing the request via new %P formats.  [Jeff Trawick]
  +
  +    *) Use appropriate language codes for Czech (cs) and Traditional Chinese
  +       (zh-tw) in default config files. PR 9427.  [André Malo]
  +
  +    *) mod_auth_ldap: Use generic whitespace character class when parsing
  +       "require" directives, instead of literal spaces only. PR 17135.
  +       [André Malo]
  +
  +    *) Hook mod_rewrite's type checker before mod_mime's one. That way the
  +       RewriteRule [T=...] Flag should work as expected now. PR 19626.
  +       [André Malo]
  +
  +    *) htpasswd: Check the processed file on validity. If a line is not empty
  +       and not a comment, it must contain at least one colon. Otherwise exit
  +       with error code 7. [Kris Verbeeck <Kris.Verbeeck@ubizen.com>, Thom May]
  +
  +    *) Fix a problem that caused httpd to be linked with incorrect flags
  +       on some platforms when mod_so was enabled by default, breaking 
  +       DSOs on AIX.  PR 19012  [Jeff Trawick]
  +
  +    *) By default, use the same CC and CPP with which APR was built.
  +       The user can override with CC and CPP environment variables.
  +       [Jeff Trawick]
  +
  +    *) Fix ap_construct_url() so that it surrounds IPv6 literal address
  +       strings with [].  This fixes certain types of redirection.
  +       PR 19207.  [Jeff Trawick]
  +
  +    *) forward port of buffer overflow fixes for htdigest. [Thom May]
  +
  +    *) Added AllowEncodedSlashes directive to permit control of whether
  +       the server will accept encoded slashes ('%2f') in the URI path.
  +       Default condition is off (the historical behaviour).  This permits
  +       environments in which the path-info needs to contain encoded
  +       slashes.  PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639.
  +       [Ken Coar]
  +
  +    *) When using Redirect in directory context, append requested query
  +       string if there's no one supplied by configuration. PR 10961.
  +       [André Malo]
  +
  +    *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
  +       the pattern will not always match as desired. PR 12596.
  +       [André Malo]
  +
  +    *) mod_autoindex now emits and accepts modern query string parameter
  +       delimiters (;). Thus column headers no longer contain unescaped
  +       ampersands. PR 10880  [André Malo]
  +
  +    *) Enable ap_sock_disable_nagle for Windows. This along with the 
  +       addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle 
  +       to be disabled for Windows. [Allan Edwards]
  +
  +    *) Correct a mis-correlation between mpm_common.c and mpm_common.h;
  +       This patch reverts us to pre-2.0.46 behavior, using the 
  +       ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle 
  +       was never compiled on Win32. [Allan Edwards, William Rowe]
  +
  +    *) Fix a build problem with passing unsupported --enable-layout
  +       args to apr and apr-util.  This broke binbuild.sh as well as
  +       user-specified layout parameters.  PR 18649 [Justin Erenkrantz,
  +       Jeff Trawick]
  +
  +    *) If a Date response header was already set in the headers array,
  +       this value was ignored in favour of the current time. This meant
  +       that Date headers on proxied requests where rewritten when they
  +       should not have been. PR: 14376 [Graham Leggett]
  +
  +    *) Add code to buildconf that produces an httpd.spec file from
  +       httpd.spec.in, using build/get-version.sh from APR.
  +       [Graham Leggett]
  +
  +    *) Fixed a segfault when multiple ProxyBlock directives were used.
  +       PR: 19023 [Sami Tikka <sami.tikka@f-secure.com>]
  +
  +    *) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability 
  +       identified and reported by Robert Howard <rihoward@rawbw.com> that 
  +       where device names faulted the running OS2 worker process.
  +       The fix is actually in APR 0.9.4.  [Brian Havard]
  +
  +    *) Forward port: Escape special characters (especially control
  +       characters) in mod_log_config to make a clear distinction between
  +       client-supplied strings (with special characters) and server-side
  +       strings. This was already introduced in version 1.3.25.
  +       [André Malo]
  +
  +    *) mod_deflate: Check also err_headers_out for an already set
  +       Content-Encoding: gzip header. This prevents gzip compressed content
  +       from a CGI script from being compressed once more. PR 17797.
  +       [André Malo]
   
  
  
  
  1.34      +2 -2      httpd-dist/README.html
  
  Index: README.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/README.html,v
  retrieving revision 1.33
  retrieving revision 1.34
  diff -u -d -u -r1.33 -r1.34
  --- README.html	1 Apr 2003 16:55:45 -0000	1.33
  +++ README.html	28 May 2003 05:47:23 -0000	1.34
  @@ -36,10 +36,10 @@
   
   <pre>Always signatures to validate package authenticity, <i>e.g.</i>,
   % pgpk -a KEYS
  -% pgpv httpd-2.0.45.tar.gz.asc
  +% pgpv httpd-2.0.46.tar.gz.asc
   <i>or</i>,
   % pgp -ka KEYS
  -% pgp httpd-2.0.45.tar.gz.asc
  +% pgp httpd-2.0.46.tar.gz.asc
   </PRE>
   
   <p>We offer MD5 hashes as an alternative to validate the integrity
  
  
  
  1.31      +1 -1      httpd-dist/binaries/win32/HEADER.html
  
  Index: HEADER.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/binaries/win32/HEADER.html,v
  retrieving revision 1.30
  retrieving revision 1.31
  diff -u -d -u -r1.30 -r1.31
  --- HEADER.html	1 Apr 2003 16:32:33 -0000	1.30
  +++ HEADER.html	28 May 2003 05:47:24 -0000	1.31
  @@ -6,7 +6,7 @@
   <li><a href="#winsock">Windows 95 Apache Users Read This First</a></li>
   <li><a href="#xpbug">Windows XP Apache Users Read This First</a><br/></li>
   <li><a href="#zonealarm">ZoneAlarm (or other firewall) Users Read This First</a></li>
  -<li><a href="#stable" style="color:purple;">The current stable release is Apache
2.0.45</a><br/></li>
  +<li><a href="#stable" style="color:purple;">The current stable release is Apache
2.0.46</a><br/></li>
   <li><a href="#old" style="color:green;">The old stable release is Apache 1.3.27</a></li>
   <li><a href="#msi">MSI Binary Distribution Packages</a></li>
   <li><a href="TROUBLESHOOTING.html">Troubleshooting MSI Installation Problems</a></li>
  
  
  
  1.38      +7 -7      httpd-dist/binaries/win32/README.html
  
  Index: README.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/binaries/win32/README.html,v
  retrieving revision 1.37
  retrieving revision 1.38
  diff -u -d -u -r1.37 -r1.38
  --- README.html	1 Apr 2003 23:51:51 -0000	1.37
  +++ README.html	28 May 2003 05:47:24 -0000	1.38
  @@ -82,11 +82,11 @@
      responsibility to determine the compatibility between any firewall product
      and the Apache HTTP Server.</p>
   
  -<h2><a name="stable">The current stable release is Apache 2.0.45</a></h2>
  +<h2><a name="stable">The current stable release is Apache 2.0.46</a></h2>
   
   <p>Apache 2.0 is released for General Availability.</p>
   
  -<p>The Apache Group is proud to present the fifth public release
  +<p>The Apache HTTP Server Project is proud to present the ninth public release
      of Apache 2.0.  Apache 2.0 has been running on the Apache.org website 
      since December of 2000 and has proven to be very reliable.</p>
   
  @@ -103,14 +103,14 @@
   
   <p>Because the distribution tree has changed, we haven't yet identified an 
      effective way to incorporate the source tree into the binary distribution.
  -   You will find the source package in <a href="../../httpd-2.0.45-win32-src.zip"
  -   >/dist/httpd/httpd-2.0.45-win32-src.zip</a>.  That -win32-src.zip file contains

  +   You will find the source package in <a href="../../httpd-2.0.46-win32-src.zip"
  +   >/dist/httpd/httpd-2.0.46-win32-src.zip</a>.  That -win32-src.zip file contains

      <strong>only</strong> source and build files, and contains <strong>no</strong>
      binaries.</p>
   
  -<p>Introduced for 2.0.45, we will distribute a -symbols.zip file containing the
  -   debugging symbols for the released binary distribution.  These may be used
  -   in conjunction with most modern Win32 debugging tools, including the freely
  +<p>Since 2.0.45, we distribute a -symbols.zip file containing the debugging
  +   symbols for the released binary distribution.  These may be used in
  +   conjunction with most modern Win32 debugging tools, including the freely
      available WinDbg utility.  For most users there is no need to download these
      symbols; they are most useful for developers to review crash dumps generated 
      by Dr. Watson.</p>
  
  
  

Mime
View raw message