[Remove entries to the current 2.0 section below, when backported]
- *) mod_rewrite: Allow setting of any valid HTTP response code.
- PR 25917. [André Malo]
+ *) mod_deflate: New option for DEFLATE output file (force-gzip),
+ new output filter 'INFLATE' for uncompressing responses.
+ [Nick Kew <Nick at WebThing dot com>, Ian Holsman]
- *) mod_rewrite: Cookie creation now works locale independent.
+ *) Added new module mod_version, which provides version dependent
+ configuration containers. [André Malo]
+
+ *) Accept URLs for the ServerAdmin directive. If the supplied
+ argument is not recognized as an URL, assume it's a mail address.
+ PR 28174. [André Malo]
+
+ *) mod_rewrite no longer confuses the RewriteMap caches if
+ different maps defined in different virtual hosts use the
+ same map name. PR 26462. [André Malo]
+
+ *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
+ format is used. PR 27787. [André Malo]
+
+ *) Fix a bunch of cases where the return code of the regex compiler
+ was not checked properly. This affects: mod_setenvif, mod_usertrack,
+ mod_proxy, mod_proxy_ftp and core. PR 28218. [André Malo]
+
+ *) mod_usertrack: Escape the cookie name before pasting into the
+ regexp. [André Malo]
+
+ *) Enable special ErrorDocument value 'default' which restores the
+ canned server response for the scope of the directive.
+ [Geoffrey Young]
+
+ *) Allow Digest providers to return AUTH_DENIED to propagate a 401
+ status and terminate the provider chain prior to checking the password.
+ [Geoffrey Young]
+
+ *) Allow RequestHeader directives to be conditional. PR 27951.
+ [Vincent Deffontaines <vincent gryzor.com>, André Malo]
+
+ *) Fix segfault in mod_expires, which occured under certain
+ circumstances. PR 28047. [André Malo]
+
+ *) mod_logio no longer removes the EOS bucket. PR 27928.
+ [Bojan Smojver <bojan rexursive.com>]
+
+ *) mod_rewrite no longer turns forward proxy requests into reverse proxy
+ requests. PR 28125 [ast domdv.de, André Malo]
+
+ *) mod_rewrite now officially supports RewriteRules in <Proxy> sections.
+ PR 27985. [André Malo]
+
+ *) mod_cgid: Don't allow Scriptsock to be specified inside VirtualHost;
+ Don't place script socket inside default server root instead of
+ actual server root. PR 27886. [Jeff Trawick]
+
+ *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
+ is set in r->subprocess_env allow mismatched query strings to pass.
+ PR 27758. [Paul Querna <chip force-elite.com>, Geoffrey Young]
+
+ *) mod_dav: Fix a problem that could cause crashes when manipulating
+ locks on some platforms. [Jeff Trawick]
+
+ *) Satisfy directives now can be influenced by a surrounding <Limit>
+ container. PR 14726. [André Malo]
+
+ *) htpasswd: use apr_temp_dir_get() and general cleanup
+ [Guenter Knauf <eflash gmx.net>, Thom May]
+
+ *) mod_proxy: Fix handling of non-200 success status codes when
+ "ProxyErrorOverride On" is configured. PR 20183.
+ [Marcus Janson <marcus.janson tre.se>, Joe Orton]
+
+ *) Threaded MPMs for Unix and Win32: Add support for ThreadStackSize
+ directive (previously NetWare-only) to override default thread
+ stack size for threads which handle client connections. Required
+ for some third-party modules on platforms with small default
+ thread stack size. [Jeff Trawick]
+
+ *) mod_rewrite: Support for recognizing SSL variables in RewriteCond
+ using the new "SSL:" format. [Joe Orton, Madhusudan Mathihalli]
+
+ *) mod_setenvif: Remove "support" for Remote_User variable which
+ never worked at all. PR 25725. [André Malo]
+
+ *) minor mod_auth_basic and mod_auth_digest sync. mod_auth_basic
+ now populates r->user with the (possibly unauthenticated) user,
+ and mod_auth_digest returns 500 when a provider returns
+ AUTH_GENERAL_ERROR.
+ [Geoffrey Young]
+
+ *) mod_isapi: GetServerVariable returned improperly terminated header
+ fields given "ALL_HTTP" or "ALL_RAW". PR 20656.
+ [Jesse Pelton <jsp pkc.com>]
+
+ *) mod_isapi: send_response_header() failed to copy status string's
+ last character. PR 20619. [Jesse Pelton <jsp pkc.com>]
+
+ *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer
+ size. PR 20617. [Jesse Pelton <jsp pkc.com>]
+
+ *) The whole codebase was relicensed and is now available under
+ the Apache License, Version 2.0 (http://www.apache.org/licenses).
+ [Apache Software Foundation]
+
+ *) FreeBSD: Use the httpready accept filter instead of dataready on
+ newer levels of the OS. [Paul Querna <chip force-elite.com>]
+
+ *) Delete some make-generated files in the server directory during
+ "make clean" processing. PR 26552. [Jeff Trawick]
+
+ *) Unix MPMs: Stop dropping connections when the file descriptor
+ is at least FD_SETSIZE. [Jeff Trawick]
+
+ *) Add core version query function (ap_get_server_revision) and
+ accompanying ap_version_t structure (minor MMN bump).
[André Malo]
- *) mod_usertrack no longer inspects the Cookie2 header for
- the cookie name. PR 11475. [Chris Darrochi <chrisd pearsoncmg.com>]
+ *) mod_rewrite: EOLs sent by external rewritemaps are now consumed
+ as whole. That way, on systems with more than one EOL character
+ rewritemap programs no longer need to switch stdout to binary
+ mode. PR 25635. [André Malo]
- *) mod_usertrack no longer overwrites other cookies.
- PR 26002. [Scott Moore <apache nopdesign.com>]
+ *) mod_rewrite: Introduce the ability to force a content handler via
+ the [handler=...] flag. [André Malo]
- *) Make REMOTE_PORT variable available in mod_rewrite.
- PR 25772. [André Malo]
+ *) mod_rewrite: Introduce the RewriteCond -x check, which returns
+ true if the pattern is a file with execution permissions.
+ [André Malo]
- *) Allow unescaped error logs via compile time switch
- "-DAP_UNSAFE_ERROR_LOG_UNESCAPED".
- [Geoffrey Young <geoff modperlcookbook.org>, André Malo]
+ *) Allow proxying of resources that are invoked via DirectoryIndex.
+ PR 14648. [André Malo]
- *) proxy_http fix: mod_proxy hangs when both KeepAlive and
- ProxyErrorOverride are enabled, and a non-200 response without a
- body is generated by the backend server. (e.g.: a client makes a
- request containing the "If-Modified-Since" and "If-None-Match"
- headers, to which the backend server respond with status 304.)
- [Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]
+ *) mod_rewrite: Allow proxying and RewriteRules in directory context
+ for subrequests. PR 14648, 15114. [André Malo]
+
+ *) mod_rewrite: Allow setting of any valid HTTP response code.
+ PR 25917. [André Malo]
+
+ *) mod_rewrite: Cookie creation now works locale independent.
+ [André Malo]
*) mod_ssl: Add support for distributed session cache using 'distcache'.
[Geoff Thorpe <geoff geoffthorpe.net>]
*) mod_dav: Disallow requests with an unescaped hash character in
the Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
- *) Add forensic logging module (mod_log_forensic).
- [Ben Laurie]
-
- *) Fix segfault in mod_mem_cache cache_insert() due to cache size
- becoming negative. PR: 21285, 21287
- [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
-
*) mod_proxy with ProxyErrorOverride On in a reverse-proxy configuration attaches
a body to the 302 response and a wrong Content-Length header.
PR: 22951 [Ermanno Scaglione scaglione ..at.. starnetone.de]
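Review bot: the mod_auth_basic/mod_auth_digest sync entry says r->user is now populated with the "(possibly unauthenticated) user" but does not say what that means for code that reads r->user. Suggest adding a sentence that a non-empty r->user no longer implies a successful authentication, so loggers and other modules know to check the request's auth outcome. Two wording nits in the same hunk: "occured" in the mod_expires entry should be "occurred", and "DEFLATE output file (force-gzip)" in the mod_deflate entry reads as if "output filter" was meant, given the next line introduces the "new output filter 'INFLATE'".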
header fields can be set for return even on errors or external
redirects. [Ken Coar]
- *) Fix some piped log problems: bogus "piped log program '(null)'
- failed" messages during restart and problem with the logger
- respawning again after Apache is stopped. PR 21648, PR 24805.
- [Jeff Trawick]
-
*) Fix <Limit> and <LimitExcept> parsing to require a closing '>'
in the initial container. PR 25414.
[Geoffrey Young <geoff apache.org>]
directory, display the MPM name and some MPM properties.
[Geoffrey Young <geoff apache.org>]
- *) Fixed cache-removal order in mod_mem_cache.
- [Jean-Jacques Clar, Cliff Woolley]
-
- *) Add fatal exception hook for use by debug modules. The hook is only
- available if the --enable-exception-hook configure parm is used.
- [Jeff Trawick]
-
*) mod_ssl/mod_status: Re-enable support for output of SSL session
cache information in server-status page. [Joe Orton]
*) Fix uninitialized gprof directory name in prefork MPM. PR 24450.
[Chris Knight <Christopher.D.Knight nasa.gov>]
- *) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
- [Matthieu Estrade <apache moresecurity.org>]
-
- *) mod_setenvif: Fix the regex optimizer, which under circumstances
- treated the supplied regex as literal string. PR 24219.
- [André Malo]
-
*) Log an error when requests for URIs which fail to map to a valid
filesystem name are rejected with 403. [Jeff Trawick]
*) Switch to APR 1.0 API.
- *) Fix mod_include's expression parser to recognize strings correctly
- even if they start with an escaped token. [André Malo]
-
*) Major overhaul of mod_include's filter parser. The new parser code
is expected to be more robust and should catch all of the edge cases
that were not handled by the previous one. This includes a binary
*) mod_rewrite: Allow forced mimetypes [T=...] to get expanded.
PR 14223. [André Malo]
- *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
- could lead to a 400 (Bad Request) response. [André Malo]
-
*) mod_rewrite: Fix LA-U and LA-F lookups in directory context. Previously
the current rewrite state was just used as lookup path, which lead to
strange and often useless results. Related to PR 8493. [André Malo]
*) mod_ext_filter: Add the ability to filter request bodies.
[Philipp Reisner <philipp.reisner linbit.com>]
- *) mod_cgid: Restart the cgid daemon if it crashes. PR 19849
- [Glenn Nielsen <glenn apache.org>]
-
*) Fix some broken log messages in WinNT MPM.
[Juan Rivera <Juan.Rivera citrix.com>]
- *) Add support for IMT minor-type wildcards (e.g., text/*) to
- ExpiresByType. PR#7991 [Ken Coar]
-
*) prefork MPM: Use the right permissions for the directory created
for gprof support. [Jim Carlson <jcarlson jnous.com>]
the current locale. level values are now really parsed as integers.
PR 17564. [André Malo]
- *) Added the WindowsSocketsWorkaround directive for Windows NT/2000/XP
- to work around problems with certain VPN and Firewall products that
- have buggy AcceptEx implementations.
- [Allan Edwards w/ suggestions from Bill Stoddard & Bill Rowe]
-
*) Extend mod_negotiation to evaluate the environment variables
no-gzip and gzip-only-text/html the same way as mod_deflate does.
[André Malo]
[Apache 2.1.0-dev includes those bug fixes and changes with the
Apache 2.0.xx tree as documented, and except as noted, below.]
+Changes with Apache 2.0.50
+
+ *) mod_ssl: Fix memory leak in session cache handling. PR 26562
+ [Madhusudan Mathihalli]
+
+ *) mod_ssl: Fix potential segfaults when performing SSL shutdown from
+ a pool cleanup. PR 27945. [Joe Orton]
+
+ *) Add forensic logging module (mod_log_forensic).
+ [Ben Laurie]
+
+ *) logresolve: Allow size of log line buffer to be overridden at
+ build time (MAXLINE). PR 27793. [Jeff Trawick]
+
+ *) Fix the comment delimiter in htdbm so that it correctly parses the
+ username comment. Also add a terminate function to allow NetWare
+ to pause the output before the screen is destroyed.
+ [Guenter Knauf <eflash gmx.net>, Brad Nicholes]
+
+ *) Fix crash when Apache was started with no Listen directives.
+ [Michael Corcoran <mcorcoran warpsolutions.com>]
+
+ *) core_output_filter: Fix bug that could result in sending
+ garbage over the network when module handlers construct
+ bucket brigades containing multiple file buckets all referencing
+ the same open file descriptor. [Bojan Smojver]
+
+ *) Fix memory corruption problem with ap_custom_response() function.
+ The core per-dir config would later point to request pool data
+ that would be reused for different purposes on different requests.
+ [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]
+
+ *) Win32: Tweak worker thread accounting routines to eliminate
+ server hang when number of Listen directives in httpd.conf
+ is greater than or equal to the setting of ThreadsPerChild.
+ [Bill Stoddard]
+
Changes with Apache 2.0.49
+ *) SECURITY: CAN-2004-0174 (cve.mitre.org)
+ Fix starvation issue on listening sockets where a short-lived
+ connection on a rarely-accessed listening socket will cause a
+ child to hold the accept mutex and block out new connections until
+ another connection arrives on that rarely-accessed listening socket.
+ With Apache 2.x there is no performance concern about enabling the
+ logic for platforms which don't need it, so it is enabled everywhere
+ except for Win32. [Jeff Trawick]
+
+ *) mod_cgid: Fix storage corruption caused by use of incorrect pool.
+ [Jeff Trawick]
+
+ *) Win32: find_read_listeners was not correctly handling multiple
+ listeners on the Win32DisableAcceptEx path. [Bill Stoddard]
+
+ *) Fix bug in mod_usertrack when no CookieName is set. PR 24483.
+ [Manni Wood <manniwood planet-save.com>]
+
+ *) Fix some piped log problems: bogus "piped log program '(null)'
+ failed" messages during restart and problem with the logger
+ respawning again after Apache is stopped. PR 21648, PR 24805.
+ [Jeff Trawick]
+
+ *) Fixed file extensions for real media files and removed rpm extension
+ from mime.types. PR 26079. [Allan Sandfeld <kde carewolf.com>]
+
+ *) Remove compile-time length limit on request strings. Length is
+ now enforced solely with the LimitRequestLine config directive.
+ [Paul J. Reder]
+
+ *) mod_ssl: Send the Close Alert message to the peer before closing
+ the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]
+
+ *) SECURITY: CAN-2004-0113 (cve.mitre.org)
+ mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
+ PR 27106. [Joe Orton]
+
+ *) mod_ssl: Fix bug in passphrase handling which could cause spurious
+ failures in SSL functions later. PR 21160. [Joe Orton]
+
+ *) mod_log_config: Fix corruption of buffered logs with threaded
+ MPMs. PR 25520. [Jeff Trawick]
+
+ *) Fix mod_include's expression parser to recognize strings correctly
+ even if they start with an escaped token. [André Malo]
+
+ *) Add fatal exception hook for use by diagnostic modules. The hook
+ is only available if the --enable-exception-hook configure parm
+ is used and the EnableExceptionHook directive has been set to
+ "on". [Jeff Trawick]
+
+ *) Allow mod_auth_digest to work with sub-requests with different
+ methods than the original request. PR 25040.
+ [Josh Dady <jpd indecisive.com>]
+
+ *) fix "Expected </Foo>> but saw </Foo>" errors in nested,
+ argumentless containers.
+ ["Philippe M. Chiasson" <gozer cpan.org>]
+
+ *) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
+ [Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]
+
+ *) mod_cgid: Restart the cgid daemon if it crashes. PR 19849
+ [Glenn Nielsen <glenn apache.org>]
+
+ *) The whole codebase was relicensed and is now available under
+ the Apache License, Version 2.0 (http://www.apache.org/licenses).
+ [Apache Software Foundation]
+
+ *) Fixed cache-removal order in mod_mem_cache.
+ [Jean-Jacques Clar, Cliff Woolley]
+
+ *) mod_setenvif: Fix the regex optimizer, which under circumstances
+ treated the supplied regex as literal string. PR 24219.
+ [André Malo]
+
+ *) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
+ instead of mmn. [André Malo]
+
+ *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
+ could lead to a 400 (Bad Request) response. [André Malo]
+
+ *) Keep focus of ITERATE and ITERATE2 on the current module when
+ the module chooses to return DECLINE_CMD for the directive.
+ PR 22299. [Geoffrey Young <geoff apache.org>]
+
+ *) Add support for IMT minor-type wildcards (e.g., text/*) to
+ ExpiresByType. PR#7991 [Ken Coar]
+
+ *) Fix segfault in mod_mem_cache cache_insert() due to cache size
+ becoming negative. PR: 21285, 21287
+ [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]
+
+ *) core.c: If large file support is enabled, allow any file that is
+ greater than AP_MAX_SENDFILE to be split into multiple buckets.
+ This allows Apache to send files that are greater than 2gig.
+ Otherwise we run into 32/64 bit type mismatches in the file size.
+ [Brad Nicholes]
+
+ *) proxy_http fix: mod_proxy hangs when both KeepAlive and
+ ProxyErrorOverride are enabled, and a non-200 response without a
+ body is generated by the backend server. (e.g.: a client makes a
+ request containing the "If-Modified-Since" and "If-None-Match"
+ headers, to which the backend server respond with status 304.)
+ [Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]
+
+ *) mod_dav: Reject requests which include an unescaped fragment in the
+ Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
+
+ *) Build array of allowed methods with proper dimensions, fixing
+ possible memory corruption. [Jeff Trawick]
+
+ *) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
+ PR 15057. [Otmar Lendl <lendl nic.at>]
+
+ *) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
+ [Joe Orton]
+
+ *) mod_usertrack no longer inspects the Cookie2 header for
+ the cookie name. PR 11475. [Chris Darrochi <chrisd pearsoncmg.com>]
+
+ *) mod_usertrack no longer overwrites other cookies.
+ PR 26002. [Scott Moore <apache nopdesign.com>]
+
+ *) worker MPM: fix stack overlay bug that could cause the parent
+ process to crash. [Jeff Trawick]
+
+ *) Win32: Add Win32DisableAcceptEx directive. This Windows
+ NT/2000/CP directive is useful to work around bugs in some
+ third party layered service providers like virus scanners,
+ VPN and firewall products, that do not properly handle
+ WinSock 2 APIs. Use this directive if your server is issuing
+ AcceptEx failed messages.
+ [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]
+
+ *) Make REMOTE_PORT variable available in mod_rewrite.
+ PR 25772. [André Malo]
+
*) Fix a long delay with CGI requests and keepalive connections on
AIX. [Jeff Trawick]
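Review bot: in the Win32DisableAcceptEx entry added under 2.0.49, "NT/2000/CP" looks like a typo for "NT/2000/XP", which is what the WindowsSocketsWorkaround entry removed at the top of this hunk said. Separately, two entries added to 2.0.49 here are still listed in the 2.1 section: the relicensing entry is newly added there earlier in this patch, and the mod_dav PR 21779 fix stays there as unchanged context ("Disallow requests with an unescaped hash character"). The note at the top of the file asks for backported entries to be removed from that section, so either drop them there or say why they are kept.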
[Tomasz Kepczynski <tomek jot23.org>]
*) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
- supported for BeOS, OS/2, or Win32 MPMs.) [Jeff Trawick,
- Brad Nicholes]
+ supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes,
+ Bill Stoddard]
*) Add mod_status hook to allow modules to add to the mod_status
report. [Joe Orton]
*) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
the destination resource gives a 401. PR 15571. [Joe Orton]
- *) SECURITY [CAN-2003-0020]: Escape arbitrary data before writing
- into the errorlog. [André Malo]
+ *) SECURITY: CAN-2003-0020 (cve.mitre.org)
+ Escape arbitrary data before writing into the errorlog. Unescaped
+ errorlogs are still possible using the compile time switch
+ "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]
*) mod_autoindex / core: Don't fail to show filenames containing
special characters like '%'. PR 13598. [André Malo]
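Review bot: the rewritten CAN-2003-0020 entry mentions "-DAP_UNSAFE_ERROR_LOG_UNESCAPED" only as a way to keep unescaped errorlogs, without saying that a build using it writes arbitrary data to the errorlog unescaped again, which is the behaviour this SECURITY entry fixes. Suggest stating that directly, for example "Builds using the compile time switch ... do not escape errorlog data", so the trade-off is visible to anyone reading the SECURITY line on its own.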