Return-Path: Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 49099 invoked by uid 500); 28 May 2003 05:48:20 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 49088 invoked by uid 500); 28 May 2003 05:48:20 -0000 Delivered-To: apmail-httpd-site-cvs@apache.org Date: 28 May 2003 05:48:18 -0000 Message-ID: <20030528054818.48506.qmail@icarus.apache.org> From: jwoolley@apache.org To: httpd-site-cvs@apache.org Subject: cvs commit: httpd-site/xdocs Announcement download.xml index.xml X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N jwoolley 2003/05/27 22:48:18 Modified: docs Announcement download.html index.html docs/apreq index.html xdocs Announcement download.xml index.xml Log: get ready for 2.0.46 Revision Changes Path 1.14 +228 -187 httpd-site/docs/Announcement Index: Announcement =================================================================== RCS file: /home/cvs/httpd-site/docs/Announcement,v retrieving revision 1.13 retrieving revision 1.14 diff -u -d -u -r1.13 -r1.14 --- Announcement 24 Sep 2002 22:31:08 -0000 1.13 +++ Announcement 28 May 2003 05:48:18 -0000 1.14 
@@ -1,190 +1,231 @@ - Apache 2.0.42 Released --------------------------------------------- -The Apache HTTP Server Project is proud to announce the fifth public -release of Apache 2.0. This is primarily a bug-fix release, including -updates to the experimental caching module, the removal of several -memory leaks, and fixes for several segfaults, one of which could have -been used as a denial-of-service against mod_dav. A complete list of -the changes since 2.0.40 is given at the end of this document. + Apache 2.0.46 Released + The Apache Software Foundation and the Apache HTTP Server Project are + pleased to announce the ninth public release of the Apache 2.0 + HTTP Server. This Announcement notes the significant changes in + 2.0.46 as compared to 2.0.45. -Apache 2.0 offers numerous enhancements, improvements, and performance -boosts over the 1.3 codebase. The most visible and noteworthy addition -is the ability to run Apache in a hybrid thread/process mode on any -platform that supports both threads and processes. This has been shown -to improve the scalability of the Apache HTTP Server significantly in -our testing. Apache 2.0 also includes support for filtered I/O. This -allows modules to modify the output of other modules before it is -sent to the client. We have also included support for IPv6 on any -platform that supports IPv6. -This version of Apache is known to work on many versions of Unix, BeOS, -OS/2, Windows, and Netware. Because of the many advances in Apache -2.0, it is expected to perform equally well on all supported platforms. -Apache 2.0 has been running on the apache.org website since December -of 2000 and has proven to be very reliable. + This version of Apache is principally a security and bug fix release. + A summary of the bug fixes is given at the end of this document. + Of particular note is that 2.0.46 addresses two security + vulnerabilities: -Apache has been the most popular web server on the Internet since -April of 1996. 
The August 2002 Web Server Survey by Netcraft (see -http://www.netcraft.com/survey/) found that more web servers were -using Apache than any other software; Apache runs on more than 63% -of the web servers on the Internet. + Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in + certain circumstances. This can be triggered remotely through mod_dav + and possibly other mechanisms. The crash was originally reported by + David Endler and was researched and fixed by + Joe Orton . Specific details and an analysis of the + crash will be published Friday, May 30. No more specific information + is disclosed at this time, but all Apache 2.0 users are encouraged to + upgrade now. + [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245] + + Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were + vulnerable to a denial-of-service attack on the basic authentication + module, which was reported by John Hughes . + A bug in the configuration scripts caused the apr_password_validate() + function to be thread-unsafe on platforms with crypt_r(), including + AIX and Linux. All versions of Apache 2.0 have this thread-safety + problem on platforms with no crypt_r() and no thread-safe crypt(), + such as Mac OS X and possibly others. When using a threaded MPM (which + is not the default on these platforms), this allows remote attackers + to create a denial of service which causes valid usernames and + passwords for Basic Authentication to fail until Apache is restarted. + We do not believe this bug could allow unauthorized users to gain + access to protected resources. + [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189] + The Apache Software Foundation would like to thank David Endler + and John Hughes for the responsible reporting of these issues. -We consider this release to be the best version of Apache available -and encourage users of all prior versions to upgrade. 
When doing so, -please keep in mind the following: -This release is not binary-compatible with previous releases, so all -modules need to be recompiled in order to work with this version. For -example, a module compiled to work with 2.0.40 will not work with 2.0.42. + This release is compatible with modules compiled for 2.0.42 and later + versions. We consider this release to be the best version of Apache + available and encourage users of all prior versions to upgrade. -If you intend to use Apache with one of the threaded MPMs, you must -ensure that the modules (and the libraries they depend on) that you -will be using are thread-safe. Please contact the vendors of -these modules to obtain this information. + Apache 2.0.46 is available for download from + http://httpd.apache.org/download.cgi -For more information and to download the release tarballs, please -visit http://httpd.apache.org/ + Please see the CHANGES_2.0 file, linked from the above page, for + a full list of changes. + Apache 2.0 offers numerous enhancements, improvements, and performance + boosts over the 1.3 codebase. For an overview of new features introduced + after 1.3 please see -Changes since 2.0.40 ---------------------------------------------- + http://httpd.apache.org/docs-2.0/new_features_2_0.html -Changes with Apache 2.0.42 + When upgrading or installing this version of Apache, please keep + in mind the following: - *) mod_dav: Check for versioning hooks before using them. - [Greg Stein] + If you intend to use Apache with one of the threaded MPMs, you must + ensure that the modules (and the libraries they depend on) that you + will be using are thread-safe. Please contact the vendors of these + modules to obtain this information. -Changes with Apache 2.0.41 - *) The protocol version (eg: HTTP/1.1) in the request line parsing - is now case insensitive. [Jim Jagielski] + Apache 2.0.46 Major changes - *) Allow AddOutputFilterByType to add multiple filters per directive. 
- [Justin Erenkrantz] + Security vulnerabilities closed since Apache 2.0.45 - *) Remove warnings with Sun's Forte compiler. [Justin Erenkrantz] + *) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered + remotely through mod_dav and possibly other mechanisms, causing + an Apache child process to crash. The crash was first reported + by David Endler and was researched and + fixed by Joe Orton . Details will be released + on 30 May 2003. - *) Fixed mod_disk_cache's generation of 304s - [Kris Verbeeck ] + *) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability + affecting basic authentication on Unix platforms related to + thread-safety in apr_password_validate(). The problem was reported + by John Hughes - *) Add support for using fnmatch patterns in the final path - segment of an Include statement (eg.. include /foo/bar/*.conf). - and remove the noise on stderr during config dir processing. - [Joe Orton ] - *) mod_cache: cache_storage.c. Add the hostname and any request - args to the key generated for caching. This provides a unique - key for each virtual host and for each request with unique - args. [Paul J. Reder, args code provided by Kris Verbeeck] + Bugs fixed and features added since Apache 2.0.45 - *) mod_cache: Do not cache responses to GET requests with query - URLs if the origin server does not explicitly provide an - Expires header on the response (RFC 2616 Section 13.9) - [Kris Verbeeck krisv@be.ubizen.com] + *) Fix for mod_dav. Call the 'can_be_activity' callback, if provided, + when a MKACTIVITY request comes in. + [Ben Collins-Sussman ] - *) Fix memory leak in core_output_filter. [Justin Erenkrantz] + *) Perform run-time query in apxs for apr and apr-util's includes. + [Justin Erenkrantz] - *) Update OpenSSL detection to work on Darwin. 
- [Sander Temme ] + *) run libtool from the apr install directory (in case that is different + from the apache install directory) [Jeff Trawick] - *) Update the xslt and css to give the documentation a more - modern style. - [Andr� Malo , Gernot Winkler ] + *) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez] - *) Fix some bucket memory leaks in the chunking code - [Joe Schaefer ] + *) If mod_mime_magic does not know the content-type, do not attempt to + guess. PR 16908. [Andrew Gapon ] - *) Add ModMimeUsePathInfo directive. [Justin Erenkrantz] + *) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session + caching. PR 17864. + [Andreas Leimbacher , Madhusudan Mathihalli] - *) mod_cache: added support for caching streamed responses (proxy, - CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane] + *) Add a delete flag to htpasswd. + [Thom May] - *) Add image/x-icon to httpd.conf PR 10993. - [Ian Holsman, Peter Bieringer ] + *) Fix mod_rewrite's handling of absolute URIs. The escaping routines + now work scheme dependent and the query string will only be + appended if supported by the particular scheme. [Andr� Malo] - *) Fix FileETags none operation. PR 12207. - [Justin Erenkrantz, Andrew Ho ] + *) Add another check for already compressed content in mod_deflate. + PR 19913. [Tsuyoshi SASAMOTO ] - *) Restored the experimental leader/followers MPM to working - condition and converted its thread synchronization from - mutexes to atomic CAS. [Brian Pane] + *) Fixes for VPATH builds; copying special.mk and any future .mk files + from the source tree as well as the build tree (now creates a usable + configuration for apxs), and eliminated redundant -I'nclude paths. + [William Rowe] - *) Fix Logic on non-html file removal in mod_deflate - [Kris Verbeeck ] + *) Code fixes, constness corrections and ssl_toolkit_compat.h updates + for SSLC and OpenSSL toolkit compatibility. 
Still work remains to + be done to cripple features based on the limitations of RSA's binary + distribution of their SSL-C toolkit. + [William Rowe, Madhusudan Mathihalli, Jeff Trawick] - *) Fix "ab -g"'s truncated year: the last digit was cut off. - [Leon Brocard ] + *) Linux 2.4+: If Apache is started as root and you code + CoreDumpDirectory, coredumps are enabled via the prctl() syscall. + [Greg Ames] - *) mod_rewrite can now sets cookies in err_headers, uses the correct - expiry date, and can now set the path as well - PR 12132,12181,12172. - [Ian Holsman / Rob Cromwell ] + *) ap_get_mime_headers_core: allocate space for the trailing null + when folding is in effect. + PR 18170 [Peter Mayne ] - *) The content-length filter no longer tries to buffer up - the entire output of a long-running request before sending - anything to the client. [Brian Pane] + *) Fix --enable-mods-shared=most and other variants. [Aaron Bannert] - *) Win32: Lower the default stack size from 1MB to 256K. This will - allow around 8000 threads to be started per child process. - 'EDITBIN /STACK:size apache.exe' can be used to change this - value directly in the apache.exe executable. - [Bill Stoddard] + *) mod_log_config: Add the ability to log the id of the thread + processing the request via new %P formats. [Jeff Trawick] - *) Win32: Implement ThreadLimit directive in the Windows MPM. - [Bill Stoddard] + *) Use appropriate language codes for Czech (cs) and Traditional Chinese + (zh-tw) in default config files. PR 9427. [Andr� Malo] - *) Remove CacheOn config directive since it is set but never checked. - No sense wasting cycles on unused code. Besides, the only truly - bug free code is deleted code. :) [Paul J. Reder] + *) mod_auth_ldap: Use generic whitespace character class when parsing + "require" directives, instead of literal spaces only. PR 17135. 
+ [Andr� Malo] - *) BufferLogs are now run-time enabled, and the log_config now has 2 new - callbacks to allow a 3rd party module to actually do the writing of the - log file [Ian Holsman] + *) Hook mod_rewrite's type checker before mod_mime's one. That way the + RewriteRule [T=...] Flag should work as expected now. PR 19626. + [Andr� Malo] - *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs. - [Andr� Malo, Astrid Ke�ler ] + *) htpasswd: Check the processed file on validity. If a line is not empty + and not a comment, it must contain at least one colon. Otherwise exit + with error code 7. [Kris Verbeeck , Thom May] - *) Fix Segfault in mod_cache. [Kris Verbeeck ] + *) Fix a problem that caused httpd to be linked with incorrect flags + on some platforms when mod_so was enabled by default, breaking + DSOs on AIX. PR 19012 [Jeff Trawick] - *) Fix a null pointer dereference in the merge_env_dir_configs - function of the mod_env module. PR 11791 - [Paul J. Reder] + *) By default, use the same CC and CPP with which APR was built. + The user can override with CC and CPP environment variables. + [Jeff Trawick] - *) New option to ServerTokens 'maj[or]'. Only show the major version - Also Surfaced this directive in the standard config (default FULL) - [Ian Holsman] + *) Fix ap_construct_url() so that it surrounds IPv6 literal address + strings with []. This fixes certain types of redirection. + PR 19207. [Jeff Trawick] - *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite - maps. The dbm type (e.g., ndbm, gdbm) can be specified on the - RewriteMap directive. PR 10644 [Jeff Trawick] + *) forward port of buffer overflow fixes for htdigest. [Thom May] - *) Fixed mod_rewrite's RewriteMap prg: support so that request/response - pairs will no longer get out of sync with each other. PR 9534 - [Cliff Woolley] + *) Added AllowEncodedSlashes directive to permit control of whether + the server will accept encoded slashes ('%2f') in the URI path. 
+ Default condition is off (the historical behaviour). This permits + environments in which the path-info needs to contain encoded + slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639. + [Ken Coar] - *) Fixes required to get quoted and escaped command args working in - mod_ext_filter. PR 11793 [Paul J. Reder] + *) When using Redirect in directory context, append requested query + string if there's no one supplied by configuration. PR 10961. + [Andr� Malo] - *) mod-proxy: handle proxied responses with no status lines - [JD Silvester , Brett Huttley ] + *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise + the pattern will not always match as desired. PR 12596. + [Andr� Malo] - *) Fix bug where environment or command line arguments containing - non-ASCII-7 characters would cause the Win32 child process creation - to fail. PR 11854 [William Rowe] + *) mod_autoindex now emits and accepts modern query string parameter + delimiters (;). Thus column headers no longer contain unescaped + ampersands. PR 10880 [Andr� Malo] - *) Bug #11213.. make module loading error messages more informative - [Ian Darwin ] + *) Enable ap_sock_disable_nagle for Windows. This along with the + addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle + to be disabled for Windows. [Allan Edwards] - *) thread safety & proxy-ftp [Alexey Panchenko alexey@liwest.ru, Ian Holsman] + *) Correct a mis-correlation between mpm_common.c and mpm_common.h; + This patch reverts us to pre-2.0.46 behavior, using the + ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle + was never compiled on Win32. [Allan Edwards, William Rowe] - *) mod_disk_cache works much better. This module should still - be considered experimental. [Eric Prud'hommeaux] + *) Fix a build problem with passing unsupported --enable-layout + args to apr and apr-util. This broke binbuild.sh as well as + user-specified layout parameters. 
PR 18649 [Justin Erenkrantz, + Jeff Trawick] + + *) If a Date response header was already set in the headers array, + this value was ignored in favour of the current time. This meant + that Date headers on proxied requests where rewritten when they + should not have been. PR: 14376 [Graham Leggett] + + *) Add code to buildconf that produces an httpd.spec file from + httpd.spec.in, using build/get-version.sh from APR. + [Graham Leggett] + + *) Fixed a segfault when multiple ProxyBlock directives were used. + PR: 19023 [Sami Tikka ] + + *) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability + identified and reported by Robert Howard that + where device names faulted the running OS2 worker process. + The fix is actually in APR 0.9.4. [Brian Havard] + + *) Forward port: Escape special characters (especially control + characters) in mod_log_config to make a clear distinction between + client-supplied strings (with special characters) and server-side + strings. This was already introduced in version 1.3.25. + [Andr� Malo] + + *) mod_deflate: Check also err_headers_out for an already set + Content-Encoding: gzip header. This prevents gzip compressed content + from a CGI script from being compressed once more. PR 17797. + [Andr� Malo] - *) Performance improvement for keepalive requests: when setting - aside a small file for potential concatenation with the next - response on the connection, set aside the file descriptor rather - than copying the file into the heap. [Brian Pane] 1.24 +18 -19 httpd-site/docs/download.html Index: download.html =================================================================== RCS file: /home/cvs/httpd-site/docs/download.html,v retrieving revision 1.23 retrieving revision 1.24 diff -u -d -u -r1.23 -r1.24 --- download.html 14 Apr 2003 18:19:17 -0000 1.23 +++ download.html 28 May 2003 05:48:18 -0000 1.24 @@ -105,17 +105,16 @@ Apache -2.0.45 is the best available version +2.0.46 is the best available version
-

This release fixes security problems affecting the Windows platform - described in - - CAN-2003-0016 and - - CAN-2003-0017. It also contains bug fixes and some new features. +

This release fixes security problems described in + + CAN-2003-0245 and + + CAN-2003-0189. It also contains bug fixes and some new features. For details see the Official Announcement and the CHANGES_2.0 list.

Apache 2.0 add-in modules are not compatible with Apache 1.3 modules. @@ -125,24 +124,24 @@
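Review bot: in the new docs/Announcement text the opening paragraph says 2.0.46 "addresses two security vulnerabilities", yet the changes list carries three SECURITY entries, and the third, `*) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability`, sits under "Bugs fixed and features added since Apache 2.0.45" instead of "Security vulnerabilities closed since Apache 2.0.45"; either move it into the security section and say "three", or state plainly that it is OS/2-only and fixed in the bundled APR 0.9.4 so readers scanning the security section do not miss it. Two wording slips in the same region: the CAN-2003-0134 entry reads "reported by Robert Howard that where device names faulted the running OS2 worker process" (drop "that"), and the proxy entry has "Date headers on proxied requests where rewritten" for "were rewritten". The PR references also alternate between "PR 18649" and "PR: 14376"; pick one form for the whole list.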

@@ -94,18 +94,40 @@
- Apache 2.0.45 Released + Apache 2.0.46 Released
-

The Apache HTTP Server Project is proud to announce the -eighth public release of Apache 2.0.

-

Since the new effort began with release 2.0.42 to retain configuration -and module-interface stability in the Apache 2.0 series, there should be -no required changes in configuration or third-party module binaries to -upgrade from 2.0.42 or later. We continue to make every effort to maintain -this easy upgrade path in future 2.0 releases.

+

The Apache HTTP Server Project is proud to announce the +ninth public release of Apache 2.0.

+

This version of Apache is principally a security and bug fix release. + Of particular note is that 2.0.46 addresses two security + vulnerabilities:

+

Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in + certain circumstances. This can be triggered remotely through mod_dav + and possibly other mechanisms. The crash was originally reported by + David Endler <DEndler@iDefense.com> and was researched and fixed by + Joe Orton <jorton@redhat.com>. Specific details and an analysis of the + crash will be published Friday, May 30. No more specific information + is disclosed at this time, but all Apache 2.0 users are encouraged to + upgrade now.
+ [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]

+

Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were + vulnerable to a denial-of-service attack on the basic authentication + module, which was reported by John Hughes <john.hughes@entegrity.com>. + A bug in the configuration scripts caused the apr_password_validate() + function to be thread-unsafe on platforms with crypt_r(), including + AIX and Linux. All versions of Apache 2.0 have this thread-safety + problem on platforms with no crypt_r() and no thread-safe crypt(), + such as Mac OS X and possibly others. When using a threaded MPM (which + is not the default on these platforms), this allows remote attackers + to create a denial of service which causes valid usernames and + passwords for Basic Authentication to fail until Apache is restarted. + We do not believe this bug could allow unauthorized users to gain + access to protected resources.
+ [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]

+

For further details, see the announcement.

Download | New Features in Apache 2.0 | 1.9 +0 -0 httpd-site/docs/apreq/index.html Index: index.html =================================================================== RCS file: /home/cvs/httpd-site/docs/apreq/index.html,v retrieving revision 1.8 retrieving revision 1.9 diff -u -d -u -r1.8 -r1.9 1.10 +228 -187 httpd-site/xdocs/Announcement Index: Announcement =================================================================== RCS file: /home/cvs/httpd-site/xdocs/Announcement,v retrieving revision 1.9 retrieving revision 1.10 diff -u -d -u -r1.9 -r1.10 --- Announcement 24 Sep 2002 22:31:09 -0000 1.9 +++ Announcement 28 May 2003 05:48:18 -0000 1.10 
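Review bot: this hunk removes the paragraph stating that upgrades from 2.0.42 or later need no configuration or module-binary changes and replaces it with nothing on compatibility, while the Announcement committed alongside still says the release is compatible with modules compiled for 2.0.42 and later; keep one sentence to that effect on the front page, since binary compatibility is exactly what an administrator deciding whether to upgrade now wants to know. Also, "Specific details and an analysis of the crash will be published Friday, May 30" carries no year and will go stale on the home page within days; write "30 May 2003" as the CHANGES entry does, and plan to swap the sentence for a link to the analysis once it is out. The two vulnerability paragraphs otherwise repeat the Announcement word for word; a short summary plus the existing "For further details, see the announcement" link would keep the front page from drifting out of sync with the Announcement when either is edited.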
@@ -1,190 +1,231 @@ - Apache 2.0.42 Released --------------------------------------------- -The Apache HTTP Server Project is proud to announce the fifth public -release of Apache 2.0. This is primarily a bug-fix release, including -updates to the experimental caching module, the removal of several -memory leaks, and fixes for several segfaults, one of which could have -been used as a denial-of-service against mod_dav. A complete list of -the changes since 2.0.40 is given at the end of this document. + Apache 2.0.46 Released + The Apache Software Foundation and the Apache HTTP Server Project are + pleased to announce the ninth public release of the Apache 2.0 + HTTP Server. This Announcement notes the significant changes in + 2.0.46 as compared to 2.0.45. -Apache 2.0 offers numerous enhancements, improvements, and performance -boosts over the 1.3 codebase. The most visible and noteworthy addition -is the ability to run Apache in a hybrid thread/process mode on any -platform that supports both threads and processes. This has been shown -to improve the scalability of the Apache HTTP Server significantly in -our testing. Apache 2.0 also includes support for filtered I/O. This -allows modules to modify the output of other modules before it is -sent to the client. We have also included support for IPv6 on any -platform that supports IPv6. -This version of Apache is known to work on many versions of Unix, BeOS, -OS/2, Windows, and Netware. Because of the many advances in Apache -2.0, it is expected to perform equally well on all supported platforms. -Apache 2.0 has been running on the apache.org website since December -of 2000 and has proven to be very reliable. + This version of Apache is principally a security and bug fix release. + A summary of the bug fixes is given at the end of this document. + Of particular note is that 2.0.46 addresses two security + vulnerabilities: -Apache has been the most popular web server on the Internet since -April of 1996. 
The August 2002 Web Server Survey by Netcraft (see -http://www.netcraft.com/survey/) found that more web servers were -using Apache than any other software; Apache runs on more than 63% -of the web servers on the Internet. + Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in + certain circumstances. This can be triggered remotely through mod_dav + and possibly other mechanisms. The crash was originally reported by + David Endler and was researched and fixed by + Joe Orton . Specific details and an analysis of the + crash will be published Friday, May 30. No more specific information + is disclosed at this time, but all Apache 2.0 users are encouraged to + upgrade now. + [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245] + + Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were + vulnerable to a denial-of-service attack on the basic authentication + module, which was reported by John Hughes . + A bug in the configuration scripts caused the apr_password_validate() + function to be thread-unsafe on platforms with crypt_r(), including + AIX and Linux. All versions of Apache 2.0 have this thread-safety + problem on platforms with no crypt_r() and no thread-safe crypt(), + such as Mac OS X and possibly others. When using a threaded MPM (which + is not the default on these platforms), this allows remote attackers + to create a denial of service which causes valid usernames and + passwords for Basic Authentication to fail until Apache is restarted. + We do not believe this bug could allow unauthorized users to gain + access to protected resources. + [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189] + The Apache Software Foundation would like to thank David Endler + and John Hughes for the responsible reporting of these issues. -We consider this release to be the best version of Apache available -and encourage users of all prior versions to upgrade. 
When doing so, -please keep in mind the following: -This release is not binary-compatible with previous releases, so all -modules need to be recompiled in order to work with this version. For -example, a module compiled to work with 2.0.40 will not work with 2.0.42. + This release is compatible with modules compiled for 2.0.42 and later + versions. We consider this release to be the best version of Apache + available and encourage users of all prior versions to upgrade. -If you intend to use Apache with one of the threaded MPMs, you must -ensure that the modules (and the libraries they depend on) that you -will be using are thread-safe. Please contact the vendors of -these modules to obtain this information. + Apache 2.0.46 is available for download from + http://httpd.apache.org/download.cgi -For more information and to download the release tarballs, please -visit http://httpd.apache.org/ + Please see the CHANGES_2.0 file, linked from the above page, for + a full list of changes. + Apache 2.0 offers numerous enhancements, improvements, and performance + boosts over the 1.3 codebase. For an overview of new features introduced + after 1.3 please see -Changes since 2.0.40 ---------------------------------------------- + http://httpd.apache.org/docs-2.0/new_features_2_0.html -Changes with Apache 2.0.42 + When upgrading or installing this version of Apache, please keep + in mind the following: - *) mod_dav: Check for versioning hooks before using them. - [Greg Stein] + If you intend to use Apache with one of the threaded MPMs, you must + ensure that the modules (and the libraries they depend on) that you + will be using are thread-safe. Please contact the vendors of these + modules to obtain this information. -Changes with Apache 2.0.41 - *) The protocol version (eg: HTTP/1.1) in the request line parsing - is now case insensitive. [Jim Jagielski] + Apache 2.0.46 Major changes - *) Allow AddOutputFilterByType to add multiple filters per directive. 
- [Justin Erenkrantz] + Security vulnerabilities closed since Apache 2.0.45 - *) Remove warnings with Sun's Forte compiler. [Justin Erenkrantz] + *) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered + remotely through mod_dav and possibly other mechanisms, causing + an Apache child process to crash. The crash was first reported + by David Endler and was researched and + fixed by Joe Orton . Details will be released + on 30 May 2003. - *) Fixed mod_disk_cache's generation of 304s - [Kris Verbeeck ] + *) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability + affecting basic authentication on Unix platforms related to + thread-safety in apr_password_validate(). The problem was reported + by John Hughes - *) Add support for using fnmatch patterns in the final path - segment of an Include statement (eg.. include /foo/bar/*.conf). - and remove the noise on stderr during config dir processing. - [Joe Orton ] - *) mod_cache: cache_storage.c. Add the hostname and any request - args to the key generated for caching. This provides a unique - key for each virtual host and for each request with unique - args. [Paul J. Reder, args code provided by Kris Verbeeck] + Bugs fixed and features added since Apache 2.0.45 - *) mod_cache: Do not cache responses to GET requests with query - URLs if the origin server does not explicitly provide an - Expires header on the response (RFC 2616 Section 13.9) - [Kris Verbeeck krisv@be.ubizen.com] + *) Fix for mod_dav. Call the 'can_be_activity' callback, if provided, + when a MKACTIVITY request comes in. + [Ben Collins-Sussman ] - *) Fix memory leak in core_output_filter. [Justin Erenkrantz] + *) Perform run-time query in apxs for apr and apr-util's includes. + [Justin Erenkrantz] - *) Update OpenSSL detection to work on Darwin. 
- [Sander Temme ] + *) run libtool from the apr install directory (in case that is different + from the apache install directory) [Jeff Trawick] - *) Update the xslt and css to give the documentation a more - modern style. - [Andr� Malo , Gernot Winkler ] + *) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez] - *) Fix some bucket memory leaks in the chunking code - [Joe Schaefer ] + *) If mod_mime_magic does not know the content-type, do not attempt to + guess. PR 16908. [Andrew Gapon ] - *) Add ModMimeUsePathInfo directive. [Justin Erenkrantz] + *) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session + caching. PR 17864. + [Andreas Leimbacher , Madhusudan Mathihalli] - *) mod_cache: added support for caching streamed responses (proxy, - CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane] + *) Add a delete flag to htpasswd. + [Thom May] - *) Add image/x-icon to httpd.conf PR 10993. - [Ian Holsman, Peter Bieringer ] + *) Fix mod_rewrite's handling of absolute URIs. The escaping routines + now work scheme dependent and the query string will only be + appended if supported by the particular scheme. [Andr� Malo] - *) Fix FileETags none operation. PR 12207. - [Justin Erenkrantz, Andrew Ho ] + *) Add another check for already compressed content in mod_deflate. + PR 19913. [Tsuyoshi SASAMOTO ] - *) Restored the experimental leader/followers MPM to working - condition and converted its thread synchronization from - mutexes to atomic CAS. [Brian Pane] + *) Fixes for VPATH builds; copying special.mk and any future .mk files + from the source tree as well as the build tree (now creates a usable + configuration for apxs), and eliminated redundant -I'nclude paths. + [William Rowe] - *) Fix Logic on non-html file removal in mod_deflate - [Kris Verbeeck ] + *) Code fixes, constness corrections and ssl_toolkit_compat.h updates + for SSLC and OpenSSL toolkit compatibility. 
Still work remains to + be done to cripple features based on the limitations of RSA's binary + distribution of their SSL-C toolkit. + [William Rowe, Madhusudan Mathihalli, Jeff Trawick] - *) Fix "ab -g"'s truncated year: the last digit was cut off. - [Leon Brocard ] + *) Linux 2.4+: If Apache is started as root and you code + CoreDumpDirectory, coredumps are enabled via the prctl() syscall. + [Greg Ames] - *) mod_rewrite can now sets cookies in err_headers, uses the correct - expiry date, and can now set the path as well - PR 12132,12181,12172. - [Ian Holsman / Rob Cromwell ] + *) ap_get_mime_headers_core: allocate space for the trailing null + when folding is in effect. + PR 18170 [Peter Mayne ] - *) The content-length filter no longer tries to buffer up - the entire output of a long-running request before sending - anything to the client. [Brian Pane] + *) Fix --enable-mods-shared=most and other variants. [Aaron Bannert] - *) Win32: Lower the default stack size from 1MB to 256K. This will - allow around 8000 threads to be started per child process. - 'EDITBIN /STACK:size apache.exe' can be used to change this - value directly in the apache.exe executable. - [Bill Stoddard] + *) mod_log_config: Add the ability to log the id of the thread + processing the request via new %P formats. [Jeff Trawick] - *) Win32: Implement ThreadLimit directive in the Windows MPM. - [Bill Stoddard] + *) Use appropriate language codes for Czech (cs) and Traditional Chinese + (zh-tw) in default config files. PR 9427. [Andr� Malo] - *) Remove CacheOn config directive since it is set but never checked. - No sense wasting cycles on unused code. Besides, the only truly - bug free code is deleted code. :) [Paul J. Reder] + *) mod_auth_ldap: Use generic whitespace character class when parsing + "require" directives, instead of literal spaces only. PR 17135. 
+ [Andr� Malo] - *) BufferLogs are now run-time enabled, and the log_config now has 2 new - callbacks to allow a 3rd party module to actually do the writing of the - log file [Ian Holsman] + *) Hook mod_rewrite's type checker before mod_mime's one. That way the + RewriteRule [T=...] Flag should work as expected now. PR 19626. + [Andr� Malo] - *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs. - [Andr� Malo, Astrid Ke�ler ] + *) htpasswd: Check the processed file on validity. If a line is not empty + and not a comment, it must contain at least one colon. Otherwise exit + with error code 7. [Kris Verbeeck , Thom May] - *) Fix Segfault in mod_cache. [Kris Verbeeck ] + *) Fix a problem that caused httpd to be linked with incorrect flags + on some platforms when mod_so was enabled by default, breaking + DSOs on AIX. PR 19012 [Jeff Trawick] - *) Fix a null pointer dereference in the merge_env_dir_configs - function of the mod_env module. PR 11791 - [Paul J. Reder] + *) By default, use the same CC and CPP with which APR was built. + The user can override with CC and CPP environment variables. + [Jeff Trawick] - *) New option to ServerTokens 'maj[or]'. Only show the major version - Also Surfaced this directive in the standard config (default FULL) - [Ian Holsman] + *) Fix ap_construct_url() so that it surrounds IPv6 literal address + strings with []. This fixes certain types of redirection. + PR 19207. [Jeff Trawick] - *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite - maps. The dbm type (e.g., ndbm, gdbm) can be specified on the - RewriteMap directive. PR 10644 [Jeff Trawick] + *) forward port of buffer overflow fixes for htdigest. [Thom May] - *) Fixed mod_rewrite's RewriteMap prg: support so that request/response - pairs will no longer get out of sync with each other. PR 9534 - [Cliff Woolley] + *) Added AllowEncodedSlashes directive to permit control of whether + the server will accept encoded slashes ('%2f') in the URI path. 
+ Default condition is off (the historical behaviour). This permits + environments in which the path-info needs to contain encoded + slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639. + [Ken Coar] - *) Fixes required to get quoted and escaped command args working in - mod_ext_filter. PR 11793 [Paul J. Reder] + *) When using Redirect in directory context, append requested query + string if there's no one supplied by configuration. PR 10961. + [Andr� Malo] - *) mod-proxy: handle proxied responses with no status lines - [JD Silvester , Brett Huttley ] + *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise + the pattern will not always match as desired. PR 12596. + [Andr� Malo] - *) Fix bug where environment or command line arguments containing - non-ASCII-7 characters would cause the Win32 child process creation - to fail. PR 11854 [William Rowe] + *) mod_autoindex now emits and accepts modern query string parameter + delimiters (;). Thus column headers no longer contain unescaped + ampersands. PR 10880 [Andr� Malo] - *) Bug #11213.. make module loading error messages more informative - [Ian Darwin ] + *) Enable ap_sock_disable_nagle for Windows. This along with the + addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle + to be disabled for Windows. [Allan Edwards] - *) thread safety & proxy-ftp [Alexey Panchenko alexey@liwest.ru, Ian Holsman] + *) Correct a mis-correlation between mpm_common.c and mpm_common.h; + This patch reverts us to pre-2.0.46 behavior, using the + ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle + was never compiled on Win32. [Allan Edwards, William Rowe] - *) mod_disk_cache works much better. This module should still - be considered experimental. [Eric Prud'hommeaux] + *) Fix a build problem with passing unsupported --enable-layout + args to apr and apr-util. This broke binbuild.sh as well as + user-specified layout parameters. 
PR 18649 [Justin Erenkrantz, + Jeff Trawick] + + *) If a Date response header was already set in the headers array, + this value was ignored in favour of the current time. This meant + that Date headers on proxied requests where rewritten when they + should not have been. PR: 14376 [Graham Leggett] + + *) Add code to buildconf that produces an httpd.spec file from + httpd.spec.in, using build/get-version.sh from APR. + [Graham Leggett] + + *) Fixed a segfault when multiple ProxyBlock directives were used. + PR: 19023 [Sami Tikka ] + + *) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability + identified and reported by Robert Howard that + where device names faulted the running OS2 worker process. + The fix is actually in APR 0.9.4. [Brian Havard] + + *) Forward port: Escape special characters (especially control + characters) in mod_log_config to make a clear distinction between + client-supplied strings (with special characters) and server-side + strings. This was already introduced in version 1.3.25. + [Andr� Malo] + + *) mod_deflate: Check also err_headers_out for an already set + Content-Encoding: gzip header. This prevents gzip compressed content + from a CGI script from being compressed once more. PR 17797. + [Andr� Malo] - *) Performance improvement for keepalive requests: when setting - aside a small file for potential concatenation with the next - response on the connection, set aside the file descriptor rather - than copying the file into the heap. [Brian Pane] 1.23 +19 -20 httpd-site/xdocs/download.xml Index: download.xml =================================================================== RCS file: /home/cvs/httpd-site/xdocs/download.xml,v retrieving revision 1.22 retrieving revision 1.23 diff -u -d -u -r1.22 -r1.23 --- download.xml 14 Apr 2003 18:19:17 -0000 1.22 +++ download.xml 28 May 2003 05:48:18 -0000 1.23 @@ -52,14 +52,13 @@

Apache -2.0.45 is the best available version +2.0.46 is the best available version -

This release fixes security problems affecting the Windows platform - described in - - CAN-2003-0016 and - - CAN-2003-0017. It also contains bug fixes and some new features. +

This release fixes security problems described in + + CAN-2003-0245 and + + CAN-2003-0189. It also contains bug fixes and some new features. For details see the Official Announcement and the

  • Unix Source: -httpd-2.0.45.tar.gz -[PGP] -[MD5]
  • +httpd-2.0.46.tar.gz +[PGP] +[MD5]
  • Unix Source: -httpd-2.0.45.tar.Z -[PGP] -[MD5]
  • +httpd-2.0.46.tar.Z +[PGP] +[MD5]
  • Win32 Source: -httpd-2.0.45-win32-src.zip -[PGP] -[MD5]
  • +httpd-2.0.46-win32-src.zip +[PGP] +[MD5]
  • Win32 Binary (MSI Installer): -apache_2.0.45-win32-x86-no_ssl.msi -[PGP] -[MD5]
  • +apache_2.0.46-win32-x86-no_ssl.msi +[PGP] +[MD5]
  • Other files
  • 1.41 +38 -12 httpd-site/xdocs/index.xml Index: index.xml =================================================================== RCS file: /home/cvs/httpd-site/xdocs/index.xml,v retrieving revision 1.40 retrieving revision 1.41 diff -u -d -u -r1.40 -r1.41 --- index.xml 1 Apr 2003 16:26:27 -0000 1.40 +++ index.xml 28 May 2003 05:48:18 -0000 1.41 @@ -15,9 +15,9 @@ with the current HTTP standards.

    Apache has been the most popular web server on the Internet since -April of 1996. The August 2002 Netcraft Web Server Survey -found that 63% of the web sites on the Internet are using Apache, thus +April of 1996. The May 2003 Netcraft Web Server Survey +found that 62% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.

    The Apache HTTP Server is a project of the

    -
    -Apache 2.0.45 Released +
    +Apache 2.0.46 Released

    The Apache HTTP Server Project is proud to announce the -eighth public release of Apache 2.0.

    +href="http://www.apache.org/dist/httpd/Announcement2.html">announce the +ninth public release of Apache 2.0.

    -

    Since the new effort began with release 2.0.42 to retain configuration -and module-interface stability in the Apache 2.0 series, there should be -no required changes in configuration or third-party module binaries to -upgrade from 2.0.42 or later. We continue to make every effort to maintain -this easy upgrade path in future 2.0 releases.

    +

    This version of Apache is principally a security and bug fix release. + Of particular note is that 2.0.46 addresses two security + vulnerabilities:

    + +

    Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in + certain circumstances. This can be triggered remotely through mod_dav + and possibly other mechanisms. The crash was originally reported by + David Endler <DEndler@iDefense.com> and was researched and fixed by + Joe Orton <jorton@redhat.com>. Specific details and an analysis of the + crash will be published Friday, May 30. No more specific information + is disclosed at this time, but all Apache 2.0 users are encouraged to + upgrade now.
    + [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]

    + +

    Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were + vulnerable to a denial-of-service attack on the basic authentication + module, which was reported by John Hughes <john.hughes@entegrity.com>. + A bug in the configuration scripts caused the apr_password_validate() + function to be thread-unsafe on platforms with crypt_r(), including + AIX and Linux. All versions of Apache 2.0 have this thread-safety + problem on platforms with no crypt_r() and no thread-safe crypt(), + such as Mac OS X and possibly others. When using a threaded MPM (which + is not the default on these platforms), this allows remote attackers + to create a denial of service which causes valid usernames and + passwords for Basic Authentication to fail until Apache is restarted. + We do not believe this bug could allow unauthorized users to gain + access to protected resources.
    + [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]

    + +

    For further details, see the announcement.

    Download |
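Review bot: the two adjacent ap_sock_disable_nagle entries in the Announcement hunk contradict each other as written: the first says enabling ap_sock_disable_nagle together with APR_TCP_NODELAY_INHERITED disables Nagle on Windows, and the next says the change reverts to pre-2.0.46 behaviour via the noop macro because ap_sock_disable_nagle was never compiled on Win32, so a reader cannot tell whether Nagle is disabled on Windows in 2.0.46; fold them into one entry stating the final behaviour. Two smaller fixes in the same hunk: the CAN-2003-0134 entry reads "reported by Robert Howard that where device names faulted the running OS2 worker process", which is not a sentence (suggest "reported by Robert Howard, in which device names faulted the running OS/2 worker process"), and the Date header entry should say "were rewritten", not "where rewritten". Also, the "forward port of buffer overflow fixes for htdigest" entry carries no SECURITY tag, PR or CVE reference, unlike the CAN-2003-0134 entry; tag it consistently so users scanning the list for security fixes do not miss it.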
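Review bot: the download.xml hunk updates every artifact's [PGP] and [MD5] links for 2.0.46 but, like the text it replaces, says nothing about checking them, even though the paragraph above the list presents this as a security release fixing CAN-2003-0245 and CAN-2003-0189; suggest one sentence after the list telling users to verify the PGP signature against the project's published signing keys, since the MD5 sum alone does not authenticate the download.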
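Review bot: the CAN-2003-0189 paragraph in the index.xml hunk states that all Apache 2.0 versions have the thread-safety problem on platforms with no crypt_r() and no thread-safe crypt() (Mac OS X and possibly others), but never says whether 2.0.46 fixes that case or whether those users must still avoid a threaded MPM; add a sentence stating the status for those platforms. In the CAN-2003-0245 paragraph, "will be published Friday, May 30" will go stale on the front page within days; point at where the analysis will appear (the Announcement page the hunk already links) or plan to replace the sentence once it is published. Lastly, the hunk removes the paragraph about configuration and module-interface stability since 2.0.42; a security release that asks all users to upgrade now is exactly where the "no required changes in configuration or third-party module binaries" statement helps a hesitant administrator, so consider keeping it.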