httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <>
Subject please post to usenet, someone...
Date Mon, 27 Jan 1997 11:28:31 GMT

Could someone post this to USENET?  My news server's disk is currently
full (oh, dean.....)  Thanks.



---------- Forwarded message ----------
Date: Mon, 27 Jan 1997 03:21:35 -0800 (PST)
From: Brian Behlendorf <>
Subject: Apache 1.2b6 Released!

After a long month of grueling TCP sleuthing, bug tracking, and
security-hole-squishing, the sixth beta of Apache 1.2 has now been
released.  Yet again, there are significant number of bugfixes and a few
enhancements - if you are running a beta of 1.2 at all, you should upgrade
to 1.2b6, for both stability and security reasons.  We hope that there
will be only one more beta after this, as a release candidate, and if
there's no problems with that 1.2 final will be released.  A complete list
of changes appears below. 

Most significantly, we have replaced a majority of the calls to "sprintf" 
to "snprintf", which should help prevent the type of stack-scribbling hole
as was found recently in mod_cookies.  Because "snprintf" isn't in
libraries on all machines, we have provided our own snprintf utility - if
your platform has an "snprintf" routine which is considered stable and
robust, let us know at and we will consider having it
use the native version on your platform. By default Apache will use its
own snprintf routine. 

Another major bug fix involved tracking down the FIN_WAIT_2 problem many
of you have noted.  This is a very complex problem, as it involves finding
and triggering related bugs in server and client TCP/IP kernel stacks and
client software.  We think we have found the best solution, and have
instrumented error reporting to help track down related problems - if you
still have a problem with sockets hanging in FIN_WAIT_2 status let us
know.  Note that some vendors, such as BSDI, have started supplying kernel
patches to force FIN_WAIT_2 connections to time out, which certainly helps
alleviate the problem. 

Finally, the "suexec" functionality has been significantly enhanced,
incorporating fixes for both functionality and security.  If you use the
setuid features of Apache at all you should upgrade. 

There are many more fixes, but you get the idea.  1.2b5 was never publicly
released, we built it and then found a serious problem right after doing
so, and chose to fix the problem and release 1.2b6. 

As usual, thank you for using Apache!

   The Apache Group


Changes with Apache 1.2b6

  *) Allow whitespace in imagemap mapfile coordinates. [Marc Slemko]

  *) Fix typo introduced in fix for potential infinite loop around
     accept() in child_main(). This change caused the rev to 1.2b6.
     1.2b5 was never a public beta.

Changes with Apache 1.2b5

  *) Change KeepAlive semantics (On|Off instead of a number), add
     MaxKeepAliveRequests directive. [Alexei Kosut]

  *) Various NeXT compilation patches, as well as a change in
     regex/regcomp.c since that file also used a NEXT define.
     [Andreas Koenig]

  *) Allow * to terminate the end of a directory match in mod_dir.
     Allows /~* to match for both /~joe and /~joe/. [David Bronder]

  *) Don't call can_exec() if suexec_enabled. Calling this requires
     scripts executed by the suexec wrapper to be world executable, which
     defeats one of the advantages of running the wrapper. [Randy Terbush]

  *) Portability Fix: IRIX complained with 'make clean' about *pure* (removed)
     [Jim Jagielski]
  *) Migration from sprintf() to snprintf() to avoid buffer
     overflows. [Marc Slemco]

  *) Provide portable snprintf() implementation (ap_snprintf)
     as well as *cvt family. [Jim Jagielski]

  *) Portability Fix: NeXT lacks unistd.h so we wrap it's inclusion
     [Jim Jagielski]

  *) Remove mod_fastcgi.c from the distribution. This module appears
     to be maintained more through the Open Market channels and should
     continue to be easily available at

  *) Fixed bug in modules/Makefile that wouldn't allow building in more
     than one subdirectory (or cleaning, either). [Jeremy Laidman]

  *) mod_info assumed that the config files were relative to ServerRoot.
     [Ken the Rodent]

  *) CGI scripts called as an error document resulting from failed
     CGI execution would hang waiting for POST'ed data. [Rob Hartill]

  *) Log reason when mod_dir returns access HTTP_FORBIDDEN
     [Ken the Rodent]

  *) Properly check errno to prevent display of a directory index
     when server receives a long enough URL to confuse stat().
     [Marc Slemko]

  *) Several security enhancements to suexec wrapper. It is _highly_
     recommended that previously installed versions of the wrapper
     be replaced with this version.  [Randy Terbush, Jason Dour]

	- ~user execution now properly restricted to ~user's home
	  directory and below.
	- execution restricted to UID/GID > 100
	- restrict passed environment to known variables
	- call setgid() before initgroups() (portability fix)
	- remove use of setenv() (portability fix)

  *) Add HTTP/1.0 response forcing. [Ben Laurie]

  *) Add access control via environment variables. [Ben Laurie]

  *) Add rflush() function. [Alexei Kosut]

  *) remove duplicate pcalloc() call in new_connection().

  *) Fix incorrect comparison which could allow number of children =
     MaxClients + 1 if less than HARD_SERVER_LIMIT. Also fix potential
     problem if StartServers > HARD_SERVER_LIMIT. [Ed Korthof]

  *) Updated support for OSes (MachTen, ULTRIX, Paragon, ISC, OpenBSD
     AIX PS/2, CONVEXOS. [Jim Jagielski]

  *) Replace instances of inet_ntoa() with inet_addr() for ProxyBlock.
     It's more portable. [Martin Kraemer]

  *) Replace references to make in Makefile.tmpl with $(MAKE).
     [Chuck Murcko]

  *) Add ProxyBlock directive w/IP address caching. Add IP address
     caching to NoCache directive as well. ProxyBlock works with all
     handlers; NoCache now also works with FTP for anonymous logins.
     Still more code cleanup. [Chuck Murcko]

  *) Add "header parse" API hook [Ben Laurie]

  *) Fix byte ordering problems for REMOTE_PORT [Chuck Murcko]

  *) suEXEC wrapper was freeing memory that had not been malloc'ed.

  *) Correctly allow access and auth directives in <Files> sections in
     server config files. [Alexei Kosut]

  *) Fix bug with ServerPath that could cause certain files to be not
     found by the server. [Alexei Kosut] 

  *) Fix handling of ErrorDocument so that it doesn't remove a trailing
     double-quote from text and so that it properly checks for unsupported
     status codes using the new index_of_response interface. [Roy Fielding] 

  *) Multiple fixes to the lingering_close code in order to avoid being
     interrupted by a stray timeout, to avoid lingering on a connection
     that has already been aborted or never really existed, to ensure that
     we stop lingering as soon as any error condition is received, and to
     prevent being stuck indefinitely if the read blocks.  Also improves
     reporting of error conditions.  [Marc Slemko and Roy Fielding]

  *) Fixed initialization of parameter structure for sigaction.
     [, Adrian Filipi-Martin]

  *) Fixed reinitializing the parameters before each call to accept and
     select, and removed potential for infinite loop in accept.
     [Roy Fielding, after useful PR from]

  *) Fixed condition where, if a child fails to fork, the scoreboard would
     continue to say SERVER_STARTING forever. Eventually, the main process
     would refuse to start new children because count_idle_servers() will
     count those SERVER_STARTING entries and will always report that there
     are enough idle servers. [Phillip Vandry]

  *) Fixed bug in bcwrite regarding failure to account for partial writes.
     Avoided calling bflush() when the client is pipelining requests.
     Removed unnecessary flushes from http_protocol. [Dean Gaudet]
  *) Added description of "." mode in server-status [Jim Jagielski]

View raw message