[Remove entries to the current 2.0 section below, when backported]
+ *) mod_ssl: Send the Close Alert message to the peer before closing
+ the SSL session. [Madhusudan Mathihalli, Joe Orton]
+
+ *) mod_setenvif: Remove "support" for Remote_User variable which
+ never worked at all. PR 25725. [André Malo]
+
+ *) minor mod_auth_basic and mod_auth_digest sync. mod_auth_basic
+ now populates r->user with the (possibly unauthenticated) user,
+ and mod_auth_digest returns 500 when a provider returns
+ AUTH_GENERAL_ERROR.
+ [Geoffrey Young]
+
+ *) fix "Expected </Foo>> but saw </Foo>" errors in nested,
+ argumentless containers.
+ ["Philippe M. Chiasson" <gozer cpan.org>]
+
+ *) mod_isapi: GetServerVariable returned improperly terminated header
+ fields given "ALL_HTTP" or "ALL_RAW". PR 20656.
+ [Jesse Pelton <jsp pkc.com>]
+
+ *) mod_isapi: send_response_header() failed to copy status string's
+ last character. PR 20619. [Jesse Pelton <jsp pkc.com>]
+
+ *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer
+ size. PR 20617. [Jesse Pelton <jsp pkc.com>]
+
+ *) The whole codebase was relicensed and is now available under
+ the Apache License, Version 2.0 (http://www.apache.org/licenses).
+ [Apache Software Foundation]
+
+ *) FreeBSD: Use the httpready accept filter instead of dataready on
+ newer levels of the OS. [Paul Querna <chip force-elite.com>]
+
+ *) Delete some make-generated files in the server directory during
+ "make clean" processing. PR 26552. [Jeff Trawick]
+
+ *) Fixed file extensions for real media files and removed rpm extension
+ from mime.types. PR 26079. [Allan Sandfeld <kde carewolf.com>]
+
+ *) Unix MPMs: Stop dropping connections when the file descriptor
+ is at least FD_SETSIZE. [Jeff Trawick]
+
+ *) Add core version query function (ap_get_server_revision) and
+ accompanying ap_version_t structure (minor MMN bump).
+ [André Malo]
+
+ *) mod_rewrite: EOLs sent by external rewritemaps are now consumed
+ as whole. That way, on systems with more than one EOL character
+ rewritemap programs no longer need to switch stdout to binary
+ mode. PR 25635. [André Malo]
+
+ *) mod_rewrite: Introduce the ability to force a content handler via
+ the [handler=...] flag. [André Malo]
+
+ *) mod_rewrite: Introduce the RewriteCond -x check, which returns
+ true if the pattern is a file with execution permissions.
+ [André Malo]
+
+ *) mod_log_config: Fix corruption of buffered logs with threaded
+ MPMs. PR 25520. [Jeff Trawick]
+
+ *) Allow proxying of resources that are invoked via DirectoryIndex.
+ PR 14648. [André Malo]
+
+ *) mod_rewrite: Allow proxying and RewriteRules in directory context
+ for subrequests. PR 14648, 15114. [André Malo]
+
+ *) mod_rewrite: Allow setting of any valid HTTP response code.
+ PR 25917. [André Malo]
+
+ *) mod_rewrite: Cookie creation now works locale independent.
+ [André Malo]
+
+ *) mod_ssl: Add support for distributed session cache using 'distcache'.
+ [Geoff Thorpe <geoff geoffthorpe.net>]
+
*) mod_dav: Disallow requests with an unescaped hash character in
- the Request-URI. PR 21779. Amit Athavale <amit_athavale lycos.com>
+ the Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
*) Add forensic logging module (mod_log_forensic).
[Ben Laurie]
- *) Fix segfault in mod_mem_cache cache_insert() due to cache size
- becoming negative. PR: 21285, 21287
- [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
-
- *) Add Polish translation of error messages. PR 25101.
- [Tomasz Kepczynski <tomek jot23.org>]
-
*) mod_proxy with ProxyErrorOverride On in a reverse-proxy configuration attaches
a body to the 302 response and a wrong Content-Length header.
PR: 22951 [Ermanno Scaglione scaglione ..at.. starnetone.de]
directory, display the MPM name and some MPM properties.
[Geoffrey Young <geoff apache.org>]
- *) Fixed cache-removal order in mod_mem_cache.
- [Jean-Jacques Clar, Cliff Woolley]
-
- *) Add fatal exception hook for use by debug modules. The hook is only
- available if the --enable-exception-hook configure parm is used.
- [Jeff Trawick]
-
*) mod_ssl/mod_status: Re-enable support for output of SSL session
cache information in server-status page. [Joe Orton]
*) mod_ssl: Remove the shmht session cache, shmcb should be used
instead. [Joe Orton]
- *) mod_ssl: SSL_VERSION_LIBRARY is set to the version string from the
- SSL library used at run-time, rather than at compile-time.
- PR: 23956 [Eric Seidel <eseidel apple.com>]
-
*) mod_logio: Account for some bytes handed to the network layer prior to
dropped connections. [Jeff Trawick]
*) mod_autoindex: new directive IndexStyleSheet
[Tyler Riddle <triddle_1999 yahoo.com>, Paul Querna <chip force-elite.com>]
- *) Fix a long delay with CGI requests and keepalive connections on
- AIX. [Jeff Trawick]
-
*) Fix uninitialized gprof directory name in prefork MPM. PR 24450.
[Chris Knight <Christopher.D.Knight nasa.gov>]
- *) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
- [Matthieu Estrade <apache moresecurity.org>]
-
- *) mod_autoindex: Add 'XHTML' option in order to allow switching between
- HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]
-
- *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
- [André Malo]
-
- *) mod_setenvif: Fix the regex optimizer, which under circumstances
- treated the supplied regex as literal string. PR 24219.
- [André Malo]
-
- *) mod_ssl: Fix segfault on a non-SSL request if the the 'c' log
- format code is used. PR 22741. [Gary E. Miller <gem rellim.com>]
-
*) Log an error when requests for URIs which fail to map to a valid
filesystem name are rejected with 403. [Jeff Trawick]
*) Switch to APR 1.0 API.
- *) Fix mod_include's expression parser to recognize strings correctly
- even if they start with an escaped token. [André Malo]
-
*) Major overhaul of mod_include's filter parser. The new parser code
is expected to be more robust and should catch all of the edge cases
that were not handled by the previous one. This includes a binary
*) mod_rewrite: Allow forced mimetypes [T=...] to get expanded.
PR 14223. [André Malo]
- *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
- could lead to a 400 (Bad Request) response. [André Malo]
-
*) mod_rewrite: Fix LA-U and LA-F lookups in directory context. Previously
the current rewrite state was just used as lookup path, which lead to
strange and often useless results. Related to PR 8493. [André Malo]
*) mod_rewrite: RewriteRules in server context using the force
type feature [T=...] no longer disable MultiViews. [André Malo]
- *) mod_rewrite: In external rewrite maps lookup keys containing
- a newline now cause a lookup failure. PR 14453.
- [Cedric Gavage <cedric.gavage unixtech.be>, André Malo]
-
*) mod_rewrite: Allow piped rewrite logs to be relative to ServerRoot.
[André Malo]
*) Fix some broken log messages in WinNT MPM.
[Juan Rivera <Juan.Rivera citrix.com>]
- *) Add support for IMT minor-type wildcards (e.g., text/*) to
- ExpiresByType. PR#7991 [Ken Coar]
-
*) prefork MPM: Use the right permissions for the directory created
for gprof support. [Jim Carlson <jcarlson jnous.com>]
the current locale. level values are now really parsed as integers.
PR 17564. [André Malo]
- *) Added the WindowsSocketsWorkaround directive for Windows NT/2000/XP
- to work around problems with certain VPN and Firewall products that
- have buggy AcceptEx implementations.
- [Allan Edwards w/ suggestions from Bill Stoddard & Bill Rowe]
-
*) Extend mod_negotiation to evaluate the environment variables
no-gzip and gzip-only-text/html the same way as mod_deflate does.
[André Malo]
Changes with Apache 2.0.49
+ *) Fix mod_include's expression parser to recognize strings correctly
+ even if they start with an escaped token. [André Malo]
+
+ *) Add fatal exception hook for use by diagnostic modules. The hook
+ is only available if the --enable-exception-hook configure parm
+ is used and the EnableExceptionHook directive has been set to
+ "on". [Jeff Trawick]
+
+ *) Allow mod_auth_digest to work with sub-requests with different
+ methods than the original request. PR 25040.
+ [Josh Dady <jpd indecisive.com>]
+
+ *) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
+ [Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]
+
+ *) The whole codebase was relicensed and is now available under
+ the Apache License, Version 2.0 (http://www.apache.org/licenses).
+ [Apache Software Foundation]
+
+ *) Fixed cache-removal order in mod_mem_cache.
+ [Jean-Jacques Clar, Cliff Woolley]
+
+ *) mod_setenvif: Fix the regex optimizer, which under circumstances
+ treated the supplied regex as literal string. PR 24219.
+ [André Malo]
+
+ *) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
+ instead of mmn. [André Malo]
+
+ *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
+ could lead to a 400 (Bad Request) response. [André Malo]
+
+ *) Keep focus of ITERATE and ITERATE2 on the current module when
+ the module chooses to return DECLINE_CMD for the directive.
+ PR 22299. [Geoffrey Young <geoff apache.org>]
+
+ *) Add support for IMT minor-type wildcards (e.g., text/*) to
+ ExpiresByType. PR#7991 [Ken Coar]
+
+ *) Fix segfault in mod_mem_cache cache_insert() due to cache size
+ becoming negative. PR: 21285, 21287
+ [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
+
+ *) core.c: If large file support is enabled, allow any file that is
+ greater than AP_MAX_SENDFILE to be split into multiple buckets.
+ This allows Apache to send files that are greater than 2gig.
+ Otherwise we run into 32/64 bit type mismatches in the file size.
+ [Brad Nicholes]
+
+ *) proxy_http fix: mod_proxy hangs when both KeepAlive and
+ ProxyErrorOverride are enabled, and a non-200 response without a
+ body is generated by the backend server. (e.g.: a client makes a
+ request containing the "If-Modified-Since" and "If-None-Match"
+ headers, to which the backend server respond with status 304.)
+ [Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]
+
+ *) mod_dav: Reject requests which include an unescaped fragment in the
+ Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
+
+ *) Build array of allowed methods with proper dimensions, fixing
+ possible memory corruption. [Jeff Trawick]
+
+ *) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
+ PR 15057. [Otmar Lendl <lendl nic.at>]
+
+ *) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
+ [Joe Orton]
+
+ *) mod_usertrack no longer inspects the Cookie2 header for
+ the cookie name. PR 11475. [Chris Darrochi <chrisd pearsoncmg.com>]
+
+ *) mod_usertrack no longer overwrites other cookies.
+ PR 26002. [Scott Moore <apache nopdesign.com>]
+
+ *) worker MPM: fix stack overlay bug that could cause the parent
+ process to crash. [Jeff Trawick]
+
+ *) Win32: Add Win32DisableAcceptEx directive. This Windows
+ NT/2000/CP directive is useful to work around bugs in some
+ third party layered service providers like virus scanners,
+ VPN and firewall products, that do not properly handle
+ WinSock 2 APIs. Use this directive if your server is issuing
+ AcceptEx failed messages.
+ [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]
+
+ *) Make REMOTE_PORT variable available in mod_rewrite.
+ PR 25772. [André Malo]
+
+ *) Fix a long delay with CGI requests and keepalive connections on
+ AIX. [Jeff Trawick]
+
+ *) mod_autoindex: Add 'XHTML' option in order to allow switching between
+ HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]
+
+ *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
+ [André Malo]
+
+ *) mod_ssl: Advertise SSL library version as determined at run-time rather
+ than at compile-time. PR 23956. [Eric Seidel <seidel apple.com>]
+
+ *) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
+ format code is used. PR 22741. [Gary E. Miller <gem rellim.com>]
+
+ *) Fix build with parallel make. PR 24643. [Joe Orton]
+
+ *) mod_rewrite: In external rewrite maps lookup keys containing
+ a newline now cause a lookup failure. PR 14453.
+ [Cedric Gavage <cedric.gavage unixtech.be>, André Malo]
+
+ *) Backport major overhaul of mod_include's filter parser from 2.1.
+ The new parser code is expected to be more robust and should
+ catch all of the edge cases that were not handled by the previous one.
+ The 2.1 external API changes were hidden by a wrapper which is
+ expected to keep the API backwards compatible. [André Malo]
+
*) Add a hook (insert_error_filter) to allow filters to re-insert
themselves during processing of error responses. Enable mod_expires
to use the new hook to include Expires headers in valid error
responses. This addresses an RFC violation. It fixes PRs 19794,
24884, and 25123. [Paul J. Reder]
+ *) Add Polish translation of error messages. PR 25101.
+ [Tomasz Kepczynski <tomek jot23.org>]
+
*) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
- supported for BeOS, OS/2, or Win32 MPMs.) [Jeff Trawick,
- Brad Nicholes]
+ supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes,
+ Bill Stoddard]
*) Add mod_status hook to allow modules to add to the mod_status
report. [Joe Orton]
*) Fix slow graceful restarts with prefork MPM. [Joe Orton]
- *) Fix a problem with namespace mappings being dropped in mod_dav_fs;
- if any property values were set which defined namespaces these
+ *) Fix a problem with namespace mappings being dropped in mod_dav_fs;
+ if any property values were set which defined namespaces these
came out mangled in the PROPFIND response. PR 11637.
[Amit Athavale <amit_athavale persistent.co.in>]
*) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
the destination resource gives a 401. PR 15571. [Joe Orton]
- *) SECURITY [CAN-2003-0020]: Escape arbitrary data before writing
- into the errorlog. [André Malo]
+ *) SECURITY: CAN-2003-0020 (cve.mitre.org)
+ Escape arbitrary data before writing into the errorlog. Unescaped
+ errorlogs are still possible using the compile time switch
+ "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]
*) mod_autoindex / core: Don't fail to show filenames containing
special characters like '%'. PR 13598. [André Malo]
*) Win32: During a graceful restart, threads in the new process
were accessing scoreboard slots still in use by active threads in
- the the old process. [Bill Stoddard]
+ the old process. [Bill Stoddard]
Changes with Apache 2.0.36
Changes with Apache 2.0.17
- *) If a higher-level filter handles the the byterange aspects of a
+ *) If a higher-level filter handles the byterange aspects of a
request, then the byterange filter should not try to redo the
work. The most common case of this happening, is a byterange
request going through the proxy, and the origin server handles
[jun-ichiro hagino <itojun iijlab.net>]
*) The ap_f* functions should flush data to the filter that is passed
- in, not the the filter after the one passed in.
+ in, not the filter after the one passed in.
[Ryan Morgan <rmorgan covalent.net>]
*) Make ab work again by changing its native types to apr types and formats.
*) Add a hook, create_request. This hook allows modules to modify
a request while it is being created. This hook is called for all
request_rec's, main request, sub request, and internal redirect.
- When this hook is called, the the r->main, r->prev, r->next
+ When this hook is called, the r->main, r->prev, r->next
pointers have been set, so modules can determine what kind of
request this is. [Ryan Bloom]
*) Expand APR for WinNT to fully accept and return utf-8 encoded
Unicode file names and paths for Win32, and tag the Content-Type
- from mod_autoindex to reflect that charset if the the feature
+ from mod_autoindex to reflect that charset if the feature
macro APR_HAS_UNICODE_FS is true. [William Rowe]
*) Compute the content length (and add appropriate header field) for
*) SECURITY: Numerous changes to mod_imap in a general cleanup
including fixing a possible buffer overflow. This cleanup also
- was done with 1.3 code as a basis, see the the previous note
+ was done with 1.3 code as a basis, see the previous note
about mod_include. [Dean Gaudet]
*) SECURITY: If a htaccess file can not be read due to bad