httpd-cvs mailing list archives

From j..@apache.org
Subject cvs commit: httpd-dist .htaccess Announcement.html Announcement.txt Announcement.txt.de Announcement.txt.ja
Date Thu, 21 Oct 2004 12:40:46 GMT
jim         2004/10/21 05:40:46

  Modified:    .        .htaccess Announcement.html Announcement.txt
                        Announcement.txt.de Announcement.txt.ja
  Log:
  Move of 1.3.32 binaries
  
  Revision  Changes    Path
  1.104     +4 -4      httpd-dist/.htaccess
  
  Index: .htaccess
  ===================================================================
  RCS file: /home/cvs/httpd-dist/.htaccess,v
  retrieving revision 1.103
  retrieving revision 1.104
  diff -u -r1.103 -r1.104
  --- .htaccess	27 Sep 2004 21:38:59 -0000	1.103
  +++ .htaccess	21 Oct 2004 12:40:45 -0000	1.104
  @@ -20,11 +20,11 @@
   AddDescription "Source code patch" *.patch
   AddDescription "Apache 2.0 Release Note" Announcement2
   AddDescription "Apache 1.3 Release Note" Announcement
  -AddDescription "Current Release 1.3.31" apache_1.3.31   apache_1.3.31_
  +AddDescription "Current Release 1.3.32" apache_1.3.32   apache_1.3.32_
   AddDescription "Patch to fix mod_rewrite" apache_1.3.*-fix.diff
  -AddDescription "1.3.31 compressed source" apache_1.3.31.tar.Z
  -AddDescription "1.3.31 gzipped source" apache_1.3.31.tar.gz
  -AddDescription "1.3.31 pkzipped source" apache_1.3.31.zip
  +AddDescription "1.3.32 compressed source" apache_1.3.32.tar.Z
  +AddDescription "1.3.32 gzipped source" apache_1.3.32.tar.gz
  +AddDescription "1.3.32 pkzipped source" apache_1.3.32.zip
   AddDescription "2.0.50 compressed source" httpd-2.0.50.tar.Z
   AddDescription "2.0.50 gzipped source" httpd-2.0.50.tar.gz
   AddDescription "2.0.52 compressed source" httpd-2.0.52.tar.Z
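
Review bot: The four changed AddDescription lines hard-code 1.3.32 in both the description and the file pattern, so any apache_1.3.31* files still in the directory lose their descriptions as of this revision, and the same four-line edit is needed at every release. The neighbouring entry already uses a wildcard (apache_1.3.*-fix.diff); patterns such as apache_1.3.*.tar.gz with a version-neutral description would cover old and new tarballs and leave only the "Current Release" line to edit.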
  
  
  
  1.22      +47 -84    httpd-dist/Announcement.html
  
  Index: Announcement.html
  ===================================================================
  RCS file: /home/cvs/httpd-dist/Announcement.html,v
  retrieving revision 1.21
  retrieving revision 1.22
  diff -u -r1.21 -r1.22
  --- Announcement.html	12 May 2004 20:09:39 -0000	1.21
  +++ Announcement.html	21 Oct 2004 12:40:45 -0000	1.22
  @@ -15,18 +15,18 @@
   <IMG SRC="../../images/apache_sub.gif" ALT="">
   
   
  -<h1>Apache HTTP Server 1.3.31 Released</h1>
  +<h1>Apache HTTP Server 1.3.32 Released</h1>
                                          
   <p> The Apache Software Foundation and The Apache HTTP Server Project are
  -   pleased to announce the release of version 1.3.31 of the Apache HTTP
  +   pleased to announce the release of version 1.3.32 of the Apache HTTP
      Server ("Apache").  This Announcement notes the significant changes
  -   in 1.3.31 as compared to 1.3.29 (1.3.30 was not released).
  -   The Announcement is also available in German, Spanish and Japanese from:</p>
  +   in 1.3.32 as compared to 1.3.31.
  +   The Announcement is also available in German and Japanese from:</p>
   <dl>   
  -  <dd><a href="http://www.apache.org/dist/httpd/Announcement.html.de"
  -    >http://www.apache.org/dist/httpd/Announcement.html.de</a></dd>
  -  <dd><a href="http://www.apache.org/dist/httpd/Announcement.txt.es"
  -    >http://www.apache.org/dist/httpd/Announcement.txt.es</a></dd>
  +  <dd><a href="http://www.apache.org/dist/httpd/Announcement.txt.de"
  +    >http://www.apache.org/dist/httpd/Announcement.txt.de</a></dd>
  +<!--  <dd><a href="http://www.apache.org/dist/httpd/Announcement.txt.es"
  +    >http://www.apache.org/dist/httpd/Announcement.txt.es</a></dd> -->
     <dd><a href="http://www.apache.org/dist/httpd/Announcement.txt.ja"
       >http://www.apache.org/dist/httpd/Announcement.txt.ja</a></dd>
   </dl>
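
Review bot: The language links in this hunk disagree with the rest of the commit: the German entry moves from Announcement.html.de to Announcement.txt.de and the Spanish entry is commented out, while the Announcement.txt and Announcement.txt.de hunks switch their links to Announcement.html.* and still advertise a Spanish translation. Only Announcement.txt.de and Announcement.txt.ja are in the Modified list, so the .txt.* targets used here look like the right ones and the plain-text announcements should point at the same URLs. Consider deleting the Spanish <dd> outright rather than leaving it inside an HTML comment.
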
  @@ -34,40 +34,22 @@
   <p>This version of Apache is principally a bug and security fix release.
      A partial summary of the bug fixes is given at the end of this document.
      A full listing of changes can be found in the CHANGES file.  Of
  -   particular note is that 1.3.31 addresses and fixes 4 potential
  +   particular note is that 1.3.32 addresses and fixes 1 potential
      security issue:</p>
   
   <ul>
  -<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">
  -       CAN-2003-0987 (cve.mitre.org)</a><br>
  -       In <code>mod_digest</code>, verify whether the nonce returned in the
client 
  -       response is one we issued ourselves.  This problem does not affect
  -       <code>mod_auth_digest</code>.</li>
  -
  -<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">
  -       CAN-2003-0020 (cve.mitre.org)</a><br>
  -       Escape arbitrary data before writing into the errorlog.</li>
  -
  -<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174">
  -       CAN-2004-0174 (cve.mitre.org)</a><br>
  -       Fix starvation issue on listening sockets where a short-lived
  -       connection on a rarely-accessed listening socket will cause a
  -       child to hold the accept mutex and block out new connections until
  -       another connection arrives on that rarely-accessed listening socket.</li>
  -
  -<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993">
  -       CAN-2003-0993 (cve.mitre.org)</a><br>
  -       Fix parsing of Allow/Deny rules using IP addresses without a
  -       netmask; issue is only known to affect big-endian 64-bit
  -       platforms</li>
  +<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492">
  +       CAN-2004-0492 (cve.mitre.org)</a><br>
  +       Reject responses from a remote server if sent an invalid
  +       (negative) Content-Length.</li>
   </ul>
   
  -<p>We consider Apache 1.3.31 to be the best version of Apache 1.3 available
  +<p>We consider Apache 1.3.32 to be the best version of Apache 1.3 available
      and we strongly recommend that users of older versions, especially of
      the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
      releases will be made in the 1.2.x family.</p>
   
  -<p>Apache 1.3.31 is available for download from</p>
  +<p>Apache 1.3.32 is available for download from</p>
   <dl>
       <dd><a href="http://httpd.apache.org/download.cgi">http://httpd.apache.org/download.cgi</a></dd>
   </dl>
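
Review bot: The new CAN-2004-0492 entry does not say which module processes the remote server's response or what a negative Content-Length leads to, whereas each of the four removed entries named the component or the effect (mod_digest, the errorlog, listening sockets, Allow/Deny parsing). Readers deciding how urgently to upgrade need to know whether their configuration is exposed; name the affected module and the impact in the <li>. "fixes 1 potential security issue" would also read better as "fixes one potential security issue".
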
  @@ -125,79 +107,60 @@
      of the servers on the Internet are running Apache or one of its
      variants.</p>
   
  -<h2>Apache 1.3.31 Major changes</h2>
  +<h2>Apache 1.3.32 Major changes</h2>
   <h3>Security vulnerabilities</h3>
   
   <p>
  -   The main security vulnerabilities addressed in 1.3.31 are:
  +   The main security vulnerabilities addressed in 1.3.32 are:
   </p>
   <ul>
  -<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987">
  -     o CAN-2003-0987 (cve.mitre.org)</a><br>
  -       In <code>mod_digest</code>, verify whether the nonce returned in the
client 
  -       response is one we issued ourselves.  This problem does not affect
  -       <code>mod_auth_digest</code>.</li>
  -
  -<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020">
  -       CAN-2003-0020 (cve.mitre.org)</a><br>
  -       Escape arbitrary data before writing into the errorlog.</li>
  -
  -<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174">
  -       CAN-2004-0174 (cve.mitre.org)</a><br>
  -       Fix starvation issue on listening sockets where a short-lived
  -       connection on a rarely-accessed listening socket will cause a
  -       child to hold the accept mutex and block out new connections until
  -       another connection arrives on that rarely-accessed listening socket.</li>
  -
  -<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993">
  -       CAN-2003-0993 (cve.mitre.org)</a><br>
  -       Fix parsing of Allow/Deny rules using IP addresses without a
  -       netmask; issue is only known to affect big-endian 64-bit
  -       platforms</li>
  +<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492">
  +       CAN-2004-0492 (cve.mitre.org)</a><br>
  +       Reject responses from a remote server if sent an invalid
  +       (negative) Content-Length.</li>
   </ul>
   <h3>New features</h3>
   <p>
      New features that relate to specific platforms:
   </p>
   <ul>
  -  <li>Linux 2.4+: If Apache is started as root and you code<code>CoreDumpDirectory</code>,
  -      coredumps are enabled via the <code>prctl()</code> syscall.</li>
  +  <li>Win32: Improve error reporting after a failed attempt to spawn a 
  +       piped log process or rewrite map process.</li>
   </ul>
   <p>
      New features that relate to specific platforms:
   </p>
   <ul>
  -  <li>Add <code>mod_whatkilledus</code> and <code>mod_backtrace</code>
(experimental) for
  -       reporting diagnostic information after a child process crash.</li>
  -
  -  <li>Add fatal exception hook for running diagnostic code after a
  -       crash.  </li>
  -
  -  <li>Forensic logging module added (<code>mod_log_forensic</code>)</li>
  -     
  -  <li><code>'%X'</code> is now accepted as an alias for <code>'%c'</code>
in the
  -       <code>LogFormat</code> directive. This allows you to configure logging
  -       to still log the connection status even with <code>mod_ssl</code></li>
  +  <li>Added new compile-time flag: <code>UCN_OFF_HONOR_PHYSICAL_PORT</code>.
  +       It controls how <code>UseCanonicalName Off</code> determines the port
value if
  +       the client doesn't provide one in the <code>Host</code> header. If defined
during
  +       compilation, <code>UseCanonicalName Off</code> will use the physical
port number
  +       to generate the canonical name. If not defined, it tries the current
  +       <code>Port</code> value followed by the default port for the current
scheme.</li>
   </ul>
   <p>
   <h3>Bugs fixed</h3>
   <p>
  -   The following bugs were found in Apache 1.3.29 (or earlier) and have been fixed in
  -   Apache 1.3.31:
  +   The following bugs were found in Apache 1.3.31 (or earlier) and have been fixed in
  +   Apache 1.3.32:
   </p>
   <ul>
  -  <li>Fix memory corruption problem with <code>ap_custom_response()</code>
function.
  -       The core per-dir config would later point to request pool data
  -       that would be reused for different purposes on different requests.</li>
  -
  -  <li><code>mod_usertrack</code> no longer inspects the <code>Cookie2</code>
header for
  -       the cookie name. It also no longer overwrites other cookies.</li>
  -
  -  <li>Fix bug causing core dump when using <code>CookieTracking</code>
without
  -       specifying a <code>CookieName</code> directly.</li>
  -
  -  <li><code>UseCanonicalName off</code> was ignoring the client provided
  -       port information.</li>
  +     <li><code>mod_rewrite</code>: Fix query string handling for proxied
URLs. PR 14518.</li>
  +                                                                                
  +     <li><code>mod_rewrite</code>: Fix 0 bytes write into random memory
position.
  +       PR 31036.</li>
  +
  +     <li><code>mod_digest</code>: Fix nonce string calculation since
1.3.31 which
  +       would force re-authentication for every connection if
  +       <code>AuthDigestRealmSeed</code> was not configured.  PR 30920.</li>
  +
  +     <li>Fix trivial bug in <code>mod_log_forensic</code> that caused
the child
  +       to seg fault when certain invalid requests were fired at it with
  +       forensic logging is enabled.  PR 29313.</li>
  +
  +     <li>No longer breaks mod_dav, frontpage and others.  Repair a patch
  +       in 1.3.31 which prevented discarding the request body for requests
  +       that will be keptalive but are not currently keptalive. PR 29237.</li>
   </li>
   </ul>
   
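
Review bot: The second "New features that relate to specific platforms:" paragraph (unchanged context) now introduces the UCN_OFF_HONOR_PHYSICAL_PORT entry, which is not platform specific; the Announcement.txt hunk of this commit lists the same entry under "New features that relate to all platforms:". Correct the heading while this list is being rewritten. The rewritten bug list is also still followed by a stray </li> before the closing </ul>, which can be dropped in the same change.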
  
  
  
  1.19      +44 -78    httpd-dist/Announcement.txt
  
  Index: Announcement.txt
  ===================================================================
  RCS file: /home/cvs/httpd-dist/Announcement.txt,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- Announcement.txt	12 May 2004 20:09:39 -0000	1.18
  +++ Announcement.txt	21 Oct 2004 12:40:45 -0000	1.19
  @@ -1,49 +1,32 @@
   
  -                   Apache HTTP Server 1.3.31 Released
  +                   Apache HTTP Server 1.3.32 Released
   
      The Apache Software Foundation and The Apache HTTP Server Project are
  -   pleased to announce the release of version 1.3.31 of the Apache HTTP
  +   pleased to announce the release of version 1.3.32 of the Apache HTTP
      Server ("Apache").  This Announcement notes the significant changes
  -   in 1.3.31 as compared to 1.3.29 (1.3.30 was not released).  The
  -   Announcement is also available in German, Spanish and Japanese from:
  +   in 1.3.32 as compared to 1.3.31.  The Announcement is also available
  +   in German, Spanish and Japanese from:
   
  -        http://www.apache.org/dist/httpd/Announcement.txt.de
  -        http://www.apache.org/dist/httpd/Announcement.txt.es
  -        http://www.apache.org/dist/httpd/Announcement.txt.ja
  +        http://www.apache.org/dist/httpd/Announcement.html.de
  +        http://www.apache.org/dist/httpd/Announcement.html.es
  +        http://www.apache.org/dist/httpd/Announcement.html.ja
   
      This version of Apache is principally a bug and security fix release.
      A partial summary of the bug fixes is given at the end of this document.
      A full listing of changes can be found in the CHANGES file.  Of
  -   particular note is that 1.3.31 addresses and fixes 4 potential
  -   security issues:
  +   particular note is that 1.3.32 addresses and fixes 1 potential
  +   security issue:
   
  -     o CAN-2003-0987 (cve.mitre.org)
  -       In mod_digest, verify whether the nonce returned in the client 
  -       response is one we issued ourselves.  This problem does not affect
  -       mod_auth_digest.
  -
  -     o CAN-2003-0020 (cve.mitre.org)
  -       Escape arbitrary data before writing into the errorlog.
  -
  -     o CAN-2004-0174 (cve.mitre.org)
  -       Fix starvation issue on listening sockets where a short-lived
  -       connection on a rarely-accessed listening socket will cause a
  -       child to hold the accept mutex and block out new connections until
  -       another connection arrives on that rarely-accessed listening socket.
  -       This only affects some platforms, such as Solaris, AIX and
  -       IRIX. Linux is unaffected.
  -
  -     o CAN-2003-0993 (cve.mitre.org) 
  -       Fix parsing of Allow/Deny rules using IP addresses without a
  -       netmask; issue is only known to affect big-endian 64-bit
  -       platforms
  +     o CAN-2004-0492 (cve.mitre.org)
  +       Reject responses from a remote server if sent an invalid
  +       (negative) Content-Length.
   
  -   We consider Apache 1.3.31 to be the best version of Apache 1.3 available
  +   We consider Apache 1.3.32 to be the best version of Apache 1.3 available
      and we strongly recommend that users of older versions, especially of
      the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
      releases will be made in the 1.2.x family.
   
  -   Apache 1.3.31 is available for download from:
  +   Apache 1.3.32 is available for download from:
      
          http://httpd.apache.org/download.cgi
   
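
Review bot: The rewritten introduction still lists "German, Spanish and Japanese" and changes the three URLs from Announcement.txt.* to Announcement.html.*, which contradicts the Announcement.html hunk of this commit (Spanish commented out, links to Announcement.txt.de and Announcement.txt.ja). The files modified in this commit are the .txt.de and .txt.ja translations, so the removed URLs appear to be the correct ones; restore them and drop Spanish from the sentence, or confirm that the .html.* translations exist.
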
  @@ -92,65 +75,48 @@
      Apache 2.0 for better performance, stability and security on their
      platforms.
   
  -                     Apache 1.3.31 Major changes
  +                     Apache 1.3.32 Major changes
   
     Security vulnerabilities
   
  -     * CAN-2003-0987 (cve.mitre.org)
  -       In mod_digest, verify whether the nonce returned in the client 
  -       response is one we issued ourselves.  This problem does not affect
  -       mod_auth_digest.
  -
  -     * CAN-2003-0020 (cve.mitre.org)
  -       Escape arbitrary data before writing into the errorlog.
  -
  -     * CAN-2004-0174 (cve.mitre.org)
  -       Fix starvation issue on listening sockets where a short-lived
  -       connection on a rarely-accessed listening socket will cause a
  -       child to hold the accept mutex and block out new connections until
  -       another connection arrives on that rarely-accessed listening socket.
  -
  -     * CAN-2003-0993 (cve.mitre.org) 
  -       Fix parsing of Allow/Deny rules using IP addresses without a
  -       netmask; issue is only known to affect big-endian 64-bit
  -       platforms
  +     * CAN-2004-0492 (cve.mitre.org)
  +       Reject responses from a remote server if sent an invalid
  +       (negative) Content-Length.
   
     New features
   
      New features that relate to specific platforms:
   
  -     * Linux 2.4+: If Apache is started as root and you code
  -       CoreDumpDirectory, core dumps are enabled via the prctl() syscall.
  +     * Win32: Improve error reporting after a failed attempt to spawn a 
  +       piped log process or rewrite map process.
   
      New features that relate to all platforms:
   
  -     * Add mod_whatkilledus and mod_backtrace (experimental) for
  -       reporting diagnostic information after a child process crash.
  -
  -     * Add fatal exception hook for running diagnostic code after a
  -       crash.  
  -
  -     * Forensic logging module added (mod_log_forensic)
  -     
  -     * '%X' is now accepted as an alias for '%c' in the
  -       LogFormat directive. This allows you to configure logging
  -       to still log the connection status even with mod_ssl
  +     * Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT.
  +       It controls how UseCanonicalName Off determines the port value if
  +       the client doesn't provide one in the Host header. If defined during
  +       compilation, UseCanonicalName Off will use the physical port number
  +       to generate the canonical name. If not defined, it tries the current
  +       Port value followed by the default port for the current scheme.
   
     Bugs fixed
   
  -   The following noteworthy bugs were found in Apache 1.3.29 (or earlier)
  -   and have been fixed in Apache 1.3.31:
  -
  -     * Fix memory corruption problem with ap_custom_response() function.
  -       The core per-dir config would later point to request pool data
  -       that would be reused for different purposes on different requests.
  -
  -     * mod_usertrack no longer inspects the Cookie2 header for
  -       the cookie name. It also no longer overwrites other cookies.
  -
  -     * Fix bug causing core dump when using CookieTracking without
  -       specifying a CookieName directly.
  -
  -     * UseCanonicalName off was ignoring the client provided
  -       port information.
  +   The following noteworthy bugs were found in Apache 1.3.31 (or earlier)
  +   and have been fixed in Apache 1.3.32:
   
  +     * mod_rewrite: Fix query string handling for proxied URLs. PR 14518.
  +                                                                                
  +     * mod_rewrite: Fix 0 bytes write into random memory position.
  +       PR 31036.
  +
  +     * mod_digest: Fix nonce string calculation since 1.3.31 which
  +       would force re-authentication for every connection if
  +       AuthDigestRealmSeed was not configured.  PR 30920.
  +
  +     * Fix trivial bug in mod_log_forensic that caused the child
  +       to seg fault when certain invalid requests were fired at it with
  +       forensic logging is enabled.  PR 29313.
  +
  +     * No longer breaks mod_dav, frontpage and others.  Repair a patch
  +       in 1.3.31 which prevented discarding the request body for requests
  +       that will be keptalive but are not currently keptalive. PR 29237.
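
Review bot: "mod_rewrite: Fix 0 bytes write into random memory position" is listed under "Bugs fixed" with only a PR number. A write to an unintended memory location is the kind of defect readers will want classified: either move it under "Security vulnerabilities" or add a clause saying why it is not considered exploitable. Two wording fixes in the same list: "with forensic logging is enabled" should read "when forensic logging is enabled", and "No longer breaks mod_dav, frontpage and others" has no subject until the following sentence.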
  
  
  
  1.5       +50 -85    httpd-dist/Announcement.txt.de
  
  Index: Announcement.txt.de
  ===================================================================
  RCS file: /home/cvs/httpd-dist/Announcement.txt.de,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- Announcement.txt.de	12 May 2004 20:02:08 -0000	1.4
  +++ Announcement.txt.de	21 Oct 2004 12:40:45 -0000	1.5
  @@ -1,54 +1,34 @@
   
  -                   Apache HTTP Server 1.3.31 freigegeben
  +                   Apache HTTP Server 1.3.32 freigegeben
   
      Wir, die Apache Software Foundation und das Apache HTTP Server Projekt, 
  -   freuen uns, die Freigabe der Version 1.3.31 des Apache HTTP Servers 
  +   freuen uns, die Freigabe der Version 1.3.32 des Apache HTTP Servers 
      ("Apache") bekannt zu geben. Diese Ankündigung führt die wesentlichen 
  -   Änderungen von 1.3.31 gegenüber 1.3.29 auf (die Version 1.3.30 wurde nicht
  -   freigegeben). Die Ankündigung ist auch in englischer Sprache sowie
  -   spanischer und japanischer Übersetzung unter
  -
  -        http://www.apache.org/dist/httpd/Announcement.txt
  -        http://www.apache.org/dist/httpd/Announcement.txt.es
  -        http://www.apache.org/dist/httpd/Announcement.txt.ja
  +   Änderungen von 1.3.32 gegenüber 1.3.31 auf. Die Ankündigung ist auch
  +   in englischer Sprache sowie spanischer und japanischer Übersetzung unter
  +
  +        http://www.apache.org/dist/httpd/Announcement.html
  +        http://www.apache.org/dist/httpd/Announcement.html.es
  +        http://www.apache.org/dist/httpd/Announcement.html.ja
   
      verfügbar.
   
      Diese Version des Apache ist vornehmlich ein Bug-Fix- und Sicherheits-
      Update. Eine kurze Zusammenfassung der Bug-Fixes ist am Ende des Dokumentes
      aufgeführt. Die vollständige Liste der Änderungen ist in der CHANGES-
  -   Datei zu finden. Apache 1.3.31 behebt insbesondere 4 mögliche
  -   Sicherheitslücken:
  +   Datei zu finden. Apache 1.3.32 behebt insbesondere 1 mögliche
  +   Sicherheitslücke:
  +
  +     o CAN-2004-0492 (cve.mitre.org)
  +       Abweisen von Antworten eines entfernten Servers, wenn ein
  +       ungültiger (negativer) Content-Length-Header gesendet wurde.
   
  -     o CAN-2003-0987 (cve.mitre.org)
  -       In mod_digest wird der vom Client verwendete "Nonce"-Wert nun
  -       verifiziert, ob er mit dem vom Server erzeugten korrespondiert.
  -       Dieses Problem betrifft nicht das mod_auth_digest-Modul.
  -
  -     o CAN-2003-0020 (cve.mitre.org)
  -       Daten beliebiger Herkunft werden maskiert, bevor sie ins
  -       Fehlerprotokoll geschrieben werden.
  -
  -     o CAN-2004-0174 (cve.mitre.org)
  -       Korrektur von "verhungernden" lauschenden Sockets, wo eine
  -       kurzlebige Verbindung an einem selten verbundenen, lauschenden Socket
  -       einen Kindprozess veranlasst, den Accept-Mutex nicht freizugeben und
  -       neue Verbindungen solange zu blockieren, bis eine weitere Verbindung
  -       auf dem selten verbundenen Socket eintrifft. Dieses Problem betrifft
  -       nur bestimmte Plattformen, wie Solaris, AIX und IRIX. Linux ist nicht
  -       betroffen.
  -     
  -     o CAN-2003-0993 (cve.mitre.org) 
  -       Korrektur des Parsers für Allow-/Deny-Regeln, die IP-Adressen ohne
  -       Angabe einer Netmask verwenden. Das Problem ist lediglich auf
  -       Big-Endian-64-bit-Plattformen bekannt.
  -     
  -   Wir betrachten den Apache 1.3.31 als die beste verfügbare Version des
  +   Wir betrachten den Apache 1.3.32 als die beste verfügbare Version des
      Apache 1.3 und wir empfehlen Benutzern älterer Versionen, insbesondere
      der Familien 1.1.x und 1.2.x, umgehend die Aufrüstung. Für die 1.2.x-
      Familie werden keine weiteren Releases mehr erstellt.
   
  -   Apache 1.3.31 steht unter folgender Adresse zum Download bereit:
  +   Apache 1.3.32 steht unter folgender Adresse zum Download bereit:
   
          http://httpd.apache.org/download.cgi
   
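
Review bot: The link block now points to Announcement.html, Announcement.html.es and Announcement.html.ja, and the sentence above it still promises a Spanish translation ("spanischer und japanischer Übersetzung"), but the Announcement.html hunk in this commit comments out the Spanish link and refers to the .txt.* files. Keep the Announcement.txt* URLs removed here unless the .html.* files are published with this release, and drop the Spanish reference. The new security entry also uses an "o" bullet where the second hunk of this file uses "*" for the same item.
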
  @@ -101,68 +81,53 @@
      besseren Performance, Stabilität und Sicherheit auf den Apache 2.0 zu
      wechseln.
   
  -               Wesentliche Änderungen des Apache 1.3.31
  +               Wesentliche Änderungen des Apache 1.3.32
   
      Sicherheitslücken
   
  -     o CAN-2003-0987 (cve.mitre.org)
  -       Im mod_digest wird der vom Client verwendete "Nonce"-Wert nun
  -       verifiziert, ob er mit dem vom Server erzeugten korrespondiert.
  -       Dieses Problem betrifft nicht das mod_auth_digest-Modul.
  -
  -     o CAN-2003-0020 (cve.mitre.org)
  -       Daten beliebiger Herkunft werden maskiert, bevor sie ins
  -       Fehlerprotokoll geschrieben werden.
  -
  -     o CAN-2004-0174 (cve.mitre.org)
  -       Korrektur von "verhungernden" lauschenden Sockets, wo eine
  -       kurzlebige Verbindung an einem selten verbundenen, lauschenden Socket
  -       einen Kindprozess veranlaßt, den Accept-Mutex festzuhalten und neue
  -       Verbindungen solange zu blockieren, bis eine weitere Verbindung auf
  -       auf dem selten verbundenen Socket eintrifft.
  -     
  -     o CAN-2003-0993 (cve.mitre.org) 
  -       Korrektur des Parsers für Allow-/Deny-Regeln, die IP-Adressen ohne
  -       Angabe einer Netmask verwenden. Das Problem ist lediglich auf
  -       Big-Endian-64-bit-Plattformen bekannt.
  +     * CAN-2004-0492 (cve.mitre.org)
  +       Antworten eines entfernten Servers werden abgewiesen, wenn ein
  +       ungültiger (negativer) Content-Length-Header gesendet wurde.
   
  -Neuerungen
  +   Neuerungen
   
       Neue Funktionen, die sich auf bestimmte Plattformen beziehen:
   
  -     * Linux 2.4+: Wenn der Apache als root startet und CoreDumpDirectory
  -       gesetzt ist, sind Speicherauszüge mittels des Systemaufrufes
  -       prctl() aktiviert.
  +     * Win32: Verbesserte Fehlermeldung bei einem mißglückten Versuch, einen
  +       Piped-Log- oder Rewrite-Map-Prozess zu starten. 
   
       Neue Funktionen für alle Plattformen:
   
  -     * neue Zusatzmodule: mod_whatkilledus und mod_backtrace (experimentell)
  -       zur Auswertung von Diagnosedaten nach dem Absturz eines Kindprozesses.
  -
  -     * Hinzufügen eines Hooks für schwere Ausnahmefehler zur Verwendung von 
  -       Diagnosemodulen nach einem Absturz.
  -
  -     * Neues Modul zur forensischen Protokollierung (mod_log_forensic)
  -
  -     * '%X' wird von der Direktive LogFormat jetzt als Alias für '%c'
  -       akzeptiert. Das ermöglicht nun auch mit mod_ssl die Protokollierung des
  -       Verbindungsstatus.
  +     * Neues Kompilierungs-Flag: UCN_OFF_HONOR_PHYSICAL_PORT.
  +       Es bestimmt, wie UseCanonicalName Off den Port ermittelt, wenn der
  +       Client keinen im Host-Header übermittelt hat. Falls zur
  +       Kompilierung angegeben, verwendet UseCanonicalName Off die physische
  +       Portnummer, um den kanonischen Namen zu bilden. Wird das Flag nicht
  +       gesetzt, werden zunächst der aktuelle Port und dann der Standardport
  +       für das aktuelle Schema versucht.
  +      
               
      Behobene Fehler
   
  -    Die folgenden nennenswerten Fehler wurden im Apache 1.3.29 (oder
  -    früher) gefunden und im Apache 1.3.31 behoben:
  -
  -     * Korrektur von Speicherkorruptionen bei der Funktion
  -       ap_custom_response(). Die per-dir-Grunkonfiguration würde später auf
  -       Daten des Request-Pools zeigen, die für verschiedene Zwecke bei
  -       verschiedenen Anfragen wieder benutzt würden.
  -
  -     * mod_usertrack überprüft nicht länger den Cookie2-Header auf den 
  -       Cookienamen. Es überschreibt auch keine anderen Cookies mehr.
  +    Die folgenden nennenswerten Fehler wurden im Apache 1.3.31 (oder
  +    früher) gefunden und im Apache 1.3.32 behoben:
   
  -     * Korrektur eines Fehlers, der einen Speicherauszug verursachte, wenn
  -       CookieTracking ohne direkte Angabe eines Cookienamens verwendet wurde.
  +     * mod_rewrite: Die Query-String-Behandlung von Proxy-URLs wurde
  +       korrigiert. PR 14518.
   
  -     * UseCanonicalName off hatte den vom Client übermittelten Port ignoriert.
  +     * mod_rewrite: Korrektur von 0-Bytes-Schreibzugriffen auf zufällige
  +       Speicherpositionen. PR 31036.
   
  +     * mod_digest: Korrektur der Nonce-Berechnung (seit 1.3.31), die eine
  +       Re-Authentisierung für jede Verbindung erforderte, wenn der 
  +       AuthDigestRealmSeed nicht konfiguriert war.  PR 30920.
  +
  +     * Korrektur eines trivialen Fehlers in mod_log_forensic, der bei 
  +       Kindprozessen zu Speicherzugriffsverletzungen führte, wenn bestimmte 
  +       ungültige Anfragen an diesen geschickt wurden, während die forensische
  +       Protokollierung aktiviert war. PR 29313.
  +
  +     * mod_dav, Frontpage und andere werden nicht mehr gestört. Korrektur
  +       eines Patches in 1.3.31, welches die Löschung des Request-Bodies bei
  +       Anfragen verhinderte, die für Keep-Alive vorgesehen waren, jedoch
  +       während der Bearbeitung abgebrochen wurden. PR 29237.
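
Review bot: The German PR 29237 entry says the affected requests were "während der Bearbeitung abgebrochen" (aborted during processing), which is not what the English text in this commit states ("will be keptalive but are not currently keptalive"). Align the translation with the English wording so both announcements describe the same condition.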
  
  
  
  1.4       +43 -77    httpd-dist/Announcement.txt.ja
  
  	<<Binary file>>
  
  
