From: Jim Jagielski Date: Fri, 9 Sep 2011 14:07:38 +0000 (+0000) Subject: CVE-2011-3192 X-Git-Tag: 2.0.65~120 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e233227eda5ef73fd76a8823018e8895c5d31f43;p=thirdparty%2Fapache%2Fhttpd.git CVE-2011-3192 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1167184 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index bfd9ba8b4f5..5dc059b3b89 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,12 @@  -*- coding: utf-8 -*- Changes with Apache 2.0.65 + *) SECURITY: CVE-2011-3192 (cve.mitre.org) + core: Fix handling of byte-range requests to use less memory, to avoid + denial of service. If the sum of all ranges in a request is larger than + the original file, ignore the ranges and send the complete file. + PR 51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem, + Eric Covener] Changes with Apache 2.0.64 @@ -10,8 +16,8 @@ Changes with Apache 2.0.64 PR: 49246 [Mark Drayton, Jeff Trawick] *) SECURITY: CVE-2009-1891 (cve.mitre.org) - Fix a potential Denial-of-Service attack against mod_deflate or other - modules, by forcing the server to consume CPU time in compressing a + Fix a potential Denial-of-Service attack against mod_deflate or other + modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. PR 39605. [Joe Orton, Ruediger Pluem] @@ -38,7 +44,7 @@ Changes with Apache 2.0.64 is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using openssl 0.9.8l or later. - [Joe Orton, Ruediger Pluem, Hartmut Keil , + [Joe Orton, Ruediger Pluem, Hartmut Keil , Rainer Jung] *) SECURITY: CVE-2010-0434 (cve.mitre.org) 
@@ -66,7 +72,7 @@ Changes with Apache 2.0.64 *) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton] - *) Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass + *) Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass through on a 304 response. [Nick Kew] *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf @@ -86,7 +92,7 @@ Changes with Apache 2.0.62 (not released) *) SECURITY: CVE-2007-6388 (cve.mitre.org) mod_status: Ensure refresh parameter is numeric to prevent - a possible XSS attack caused by redirecting to other URLs. + a possible XSS attack caused by redirecting to other URLs. Reported by SecurityReason. [Mark Cox, Joe Orton] *) SECURITY: CVE-2007-5000 (cve.mitre.org) @@ -100,7 +106,7 @@ Changes with Apache 2.0.62 (not released) *) log.c: Ensure Win32 resurrects its lost robust logger processes. [William Rowe] - *) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean + *) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean shutdown of the server when the MaxClients is higher then 257, in a more responsive manner [Mladen Turk, William Rowe] @@ -135,7 +141,7 @@ Changes with Apache 2.0.61 *) SECURITY: CVE-2007-3304 (cve.mitre.org) prefork, worker MPMs: Ensure that the parent process cannot - be forced to kill processes outside its process group. + be forced to kill processes outside its process group. [Joe Orton, Jim Jagielski] *) mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as synonymous. @@ -153,7 +159,7 @@ Changes with Apache 2.0.61 number reporting.) [William Rowe] *) mod_autoindex: Add in Type and Charset options to IndexOptions - directive. This allows the admin to explicitly set the + directive. This allows the admin to explicitly set the content-type and charset of the generated page and is therefore a viable workaround for buggy browsers affected by CVE-2007-4465 (cve.mitre.org). [Jim Jagielski] 
@@ -162,13 +168,13 @@ Changes with Apache 2.0.61 or apr_pool_create() (when apr-based error reporting is not ready). [William Rowe, Jeff Trawick] - *) log core: Fix issue which could cause piped loggers to be orphaned - and never terminate after a graceful restart. PR 40651. [Joe Orton, + *) log core: Fix issue which could cause piped loggers to be orphaned + and never terminate after a graceful restart. PR 40651. [Joe Orton, Ruediger Pluem] - *) log core: fix the new piped logger case where we couldn't connect - the replacement stderr logger's stderr to the NULL stdout stream. - Continue in this case, since the previous alternative of no error + *) log core: fix the new piped logger case where we couldn't connect + the replacement stderr logger's stderr to the NULL stdout stream. + Continue in this case, since the previous alternative of no error logging at all (/dev/null) is far worse. [William Rowe] *) mpm_winnt: Prevent the parent-child pipe from leaking into other @@ -183,10 +189,10 @@ Changes with Apache 2.0.61 version of apache?'. [William Rowe] *) mod_ssl: initialize thread locks before initializing the hardware - acceleration library, so the latter can make use of the former. + acceleration library, so the latter can make use of the former. PR 20951. [] - *) mod_ssl: Support limited buffering of request bodies to allow + *) mod_ssl: Support limited buffering of request bodies to allow per-location renegotiation to proceed. PR 12355. [Joe Orton] *) mod_cgi, mod_cgid: Don't return apr_status_t error value @@ -241,7 +247,7 @@ Changes with Apache 2.0.58 Changes with Apache 2.0.57 *) mod_cgid: run the get_suexec_identity hook within the request-handler - instead of within cgid. PR 36410. [Colm MacCarthaigh] + instead of within cgid. PR 36410. [Colm MacCarthaigh] *) core: Prevent read of unitialized memory in ap_rgetline_core. PR 39282. [Davi Arnaut ] 
@@ -276,25 +282,25 @@ Changes with Apache 2.0.56 output of 'httpd -V'. [William Rowe] *) Ensure that the proper status line is written to the client, fixing - incorrect status lines caused by filters which modify r->status without + incorrect status lines caused by filters which modify r->status without resetting r->status_line, such as the built-in byterange filter. [Jeff Trawick] *) Default handler: Don't return output filter apr_status_t values. PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton] - *) mod_speling: Stop crashing with certain non-file requests. + *) mod_speling: Stop crashing with certain non-file requests. [Jeff Trawick] *) keep the Content-Length header for a HEAD with no response body. PR 18757 [Greg Ames] - + *) Modify apr[util] .h detection to avoid breakage on VPATH builds using Solaris make (amoung others) and avoid breakage in ./buildconf when srclib/apr[-util] are symlinks rather than directories proper. [William Rowe] - *) Avoid server-driven negotiation when a CGI script has emitted an + *) Avoid server-driven negotiation when a CGI script has emitted an explicit "Status:" header. PR 38070. [Nick Kew] *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o 
@@ -303,27 +309,27 @@ Changes with Apache 2.0.56 *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264. [Justin Erenkrantz] - *) mod_cache: Correctly handle responses with a 301 status. PR 37347. + *) mod_cache: Correctly handle responses with a 301 status. PR 37347. [Paul Querna] *) mod_proxy_http: Prevent data corruption of POST request bodies when client accesses proxied resources with SSL. PR 37145. - [Ruediger Pluem, William Rowe] + [Ruediger Pluem, William Rowe] *) Eliminated the NET_TIME filter, restructuring the timeout logic. This provides a working mod_echo on all platforms, and ensures any custom protocol module is at least given an initial timeout value based on the context's Timeout directive. - [William Rowe] + [William Rowe] - *) mod_ssl: Correct issue where mod_ssl does not pick up the + *) mod_ssl: Correct issue where mod_ssl does not pick up the ssl-unclean-shutdown setting when configured. PR 34452. [Joe Orton] *) Document the ReceiveBufferSize change done in r157583. [Murray Nesbitt ] *) mod_deflate: Merge the Vary header, instead of Setting it. Fixes - applications that send the Vary Header themselves. PR 37559. + applications that send the Vary Header themselves. PR 37559. [Paul Querna] *) mod_dav: Fix a null pointer dereference in an error code path during the 
@@ -379,19 +385,19 @@ Changes with Apache 2.0.55 connection in some limited circumstances. [Greg Ames] *) mod_ldap: Fix PR 36563. Keep track of the number of attributes - retrieved from LDAP so that all of the values can be properly - cached even if the value is NULL. + retrieved from LDAP so that all of the values can be properly + cached even if the value is NULL. [Brad Nicholes, Ondrej Sury ] - - *) SECURITY: CVE-2005-2491 (cve.mitre.org): + + *) SECURITY: CVE-2005-2491 (cve.mitre.org): Fix integer overflows in PCRE in quantifier parsing which could - be triggered by a local user through use of a carefully-crafted + be triggered by a local user through use of a carefully-crafted regex in an .htaccess file. [Philip Hazel] *) SECURITY: CVE-2005-2088 (cve.mitre.org) proxy: Correctly handle the Transfer-Encoding and Content-Length headers. Discard the request Content-Length whenever T-E: chunked - is used, always passing one of either C-L or T-E: chunked whenever + is used, always passing one of either C-L or T-E: chunked whenever the request includes a request body. Resolves an entire class of proxy HTTP Request Splitting/Spoofing attacks. [William Rowe] @@ -408,7 +414,7 @@ Changes with Apache 2.0.55 invoked cgi application, to conform to the behavior of mod_cgi. [Pradeep Kumar S ] - *) mod_include: Fix possible environment variable corruption when + *) mod_include: Fix possible environment variable corruption when using nested includes. PR 12655. [Joe Orton] *) Support the suppress-error-charset setting, as with Apache 1.3.x. @@ -436,7 +442,7 @@ Changes with Apache 2.0.55 *) mod_ldap: Fix various shared memory cache handling bugs. PR 34209. [Joe Orton] - *) Fix a file descriptor leak when starting piped loggers. PR 33748. + *) Fix a file descriptor leak when starting piped loggers. PR 33748. [Joe Orton] *) mod_ldap: Avoid segfaults when opening connections if using a version 
@@ -446,10 +452,10 @@ Changes with Apache 2.0.55 *) SECURITY: CVE-2005-2088 (cve.mitre.org) core: If a request contains both Transfer-Encoding and Content-Length - headers, remove the Content-Length, mitigating some HTTP Request + headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. [Paul Querna, Joe Orton] - *) proxy HTTP: If a response contains both Transfer-Encoding and a + *) proxy HTTP: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection, mitigating some HTTP Response Splitting attacks. [Jeff Trawick] @@ -459,7 +465,7 @@ Changes with Apache 2.0.55 *) SECURITY: CVE-2005-1268 (cve.mitre.org) mod_ssl: Fix off-by-one overflow whilst printing CRL information - at "LogLevel debug" which could be triggered if configured + at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL. PR 35081. [Marc Stern ] *) mod_userdir: Fix possible memory corruption issue. PR 34588. @@ -467,7 +473,7 @@ Changes with Apache 2.0.55 *) worker mpm: don't take down the whole server for a transient thread creation failure. PR 34514 [Greg Ames] - + *) mod_rewrite: use buffered I/O to improve performance with large RewriteMap txt: files. [Greg Ames] @@ -482,7 +488,7 @@ Changes with Apache 2.0.54 [Rüdiger Plüm ] *) mod_ldap: Added the directive LDAPConnectionTimeout to configure - the ldap socket connection timeout value. + the ldap socket connection timeout value. [Brad Nicholes] *) Correctly export all mod_dav public functions. 
@@ -506,10 +512,10 @@ Changes with Apache 2.0.54 *) htdigest: Fix permissions of created files. PR 33765. [Joe Orton] *) core_input_filter: Move buckets to a persistent brigade instead of - creating a new brigade. This stop a memory leak when proxying a + creating a new brigade. This stop a memory leak when proxying a Streaming Media Server. PR 33382. [Paul Querna] - *) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid + *) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid hiccups from additional path information passed in non-utf-8 format. [Richard Donkin , Joe Orton] *) mod_ssl: Fail at startup rather than segfault at runtime if a @@ -604,7 +610,7 @@ Changes with Apache 2.0.53 *) mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d. [Jeff Trawick] - + *) mod_cache: CacheDisable will only disable the URLs it was meant to disable, not all caching. PR 31128. [Edward Rudd , Paul Querna] @@ -637,7 +643,7 @@ Changes with Apache 2.0.53 *) Fix the re-linking issue when purging elements from the LDAP cache PR 24801. [Jess Holle ] - + *) mod_disk_cache: Fix races in saving responses. [Justin Erenkrantz] *) Fix Expires handling in mod_cache. [Justin Erenkrantz] @@ -667,7 +673,7 @@ Changes with Apache 2.0.52 *) mod_mem_cache: Fixed race condition causing segfault because of memory being freed twice, or reused after being freed. [J. Clar, W. Stoddard, G. Ames] - + *) Add -l option to rotatelogs to let it use local time rather than UTC. PR 24417. [Ken Coar, Uli Zappe ] @@ -709,7 +715,7 @@ Changes with Apache 2.0.51 *) SECURITY: CVE-2004-0751 (cve.mitre.org) mod_ssl: Fix a segfault in the SSL input filter which could be - triggered if using "speculative" mode, for instance by a + triggered if using "speculative" mode, for instance by a proxy request to an SSL server. PR 30134. [Joe Orton] *) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups. 
@@ -749,7 +755,7 @@ Changes with Apache 2.0.51 *) Prevent Win32 pool corruption at startup [Allan Edwards] *) mod_ssl: Add "SSLUserName" directive to set r->user based on a - chosen SSL environment variable. PR 20957. + chosen SSL environment variable. PR 20957. [Martin v. Loewis ] *) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs. @@ -767,7 +773,7 @@ Changes with Apache 2.0.51 PR 18989. [Joe Orton] *) mod_userdir: Ensure that the userdir identity is used for - suexec userdir access in a virtual host which has suexec configured. + suexec userdir access in a virtual host which has suexec configured. PR 18156. [Joshua Slive] *) mod_rewrite no longer confuses the RewriteMap caches if @@ -783,7 +789,7 @@ Changes with Apache 2.0.51 introduced ("always" and "onsuccess", defaulting to the latter). PR 28657. [André Malo] - *) Use the higher performing 'httpready' Accept Filter on all platforms + *) Use the higher performing 'httpready' Accept Filter on all platforms except FreeBSD < 4.1.1. [Paul Querna] *) mod_usertrack: Escape the cookie name before pasting into the 
@@ -803,18 +809,18 @@ Changes with Apache 2.0.51 *) Allow proxying of resources that are invoked via DirectoryIndex. PR 14648, 15112, 29961. [André Malo] - *) util_ldap: Switched the lock types on the shared memory cache - from thread reader/writer locks to global mutexes in order to + *) util_ldap: Switched the lock types on the shared memory cache + from thread reader/writer locks to global mutexes in order to provide cross process cache protection. [Brad Nicholes] - - *) util_ldap: Reworked the cache locking scheme to eliminate duplicate + + *) util_ldap: Reworked the cache locking scheme to eliminate duplicate cache entries in the credentials cache due to race conditions. [Brad Nicholes] - - *) util_ldap: Enhanced the util_ldap cache-info display to show more - detail about the contents and current state of the cache. + + *) util_ldap: Enhanced the util_ldap cache-info display to show more + detail about the contents and current state of the cache. [Brad Nicholes] - + *) Enable the option to support anonymous shared memory in mod_ldap. This makes the cache work on Linux again. [Graham Leggett] @@ -841,11 +847,11 @@ Changes with Apache 2.0.51 *) Add the NOTICE file to the rpm spec file in compliance with the Apache v2.0 license. [Graham Leggett] - + *) RPM spec file changes: changed default dependancy to link to db4 instead of db3. Fixed complaints about unpackaged files. [Graham Leggett] - + Changes with Apache 2.0.50 *) SECURITY: CVE-2004-0493 (cve.mitre.org) 
@@ -877,13 +883,13 @@ Changes with Apache 2.0.50 *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved against ServerRoot PR#26602 [Brad Nicholes] - + *) SECURITY: CVE-2004-0488 (cve.mitre.org) mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a (trusted) client certificate subject DN which exceeds 6K in length. [Joe Orton] - *) mod_dav_fs: Fix MKCOL response for missing parent collections, which + *) mod_dav_fs: Fix MKCOL response for missing parent collections, which caused issues for the Eclipse WebDAV extension. PR 29034. [Joe Orton] @@ -925,7 +931,7 @@ Changes with Apache 2.0.50 *) Fix handling of IPv6 numeric strings in mod_proxy. [Jeff Trawick] - *) mod_isapi: send_response_header() failed to copy status string's + *) mod_isapi: send_response_header() failed to copy status string's last character. PR 20619. [Jesse Pelton ] *) Fix a segfault when requests for shared memory fails and returns 
@@ -953,30 +959,30 @@ Changes with Apache 2.0.50 functions leave the connections in a sane state after errors have occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134, 27271 [Graham Leggett] - + *) mod_ldap calls ldap_simple_bind_s() to validate the user credentials. If the bind fails, the connection is left in an unbound state. Make sure that the ldap connection record is updated to show that the connection is no longer bound. [Brad Nicholes] - *) Ensure that lines in the request which are too long are + *) Ensure that lines in the request which are too long are properly terminated before logging. [Tsurutani Naoki ] - *) Update the bind credentials for the cached LDAP connection to - reflect the last bind. This prevents util_ldap from creating + *) Update the bind credentials for the cached LDAP connection to + reflect the last bind. This prevents util_ldap from creating unnecessary connections rather than reusing cached connections. [Brad Nicholes] - - *) mod_isapi: GetServerVariable returned improperly terminated header + + *) mod_isapi: GetServerVariable returned improperly terminated header fields given "ALL_HTTP" or "ALL_RAW". PR 20656. [Jesse Pelton ] *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer size. PR 20617. [Jesse Pelton ] - *) mod_dav: Fix a problem that could cause crashes when manipulating + *) mod_dav: Fix a problem that could cause crashes when manipulating locks on some platforms. [Jeff Trawick] *) mod_headers no longer crashes if an empty header value should 
@@ -1000,11 +1006,11 @@ Changes with Apache 2.0.50 *) logresolve: Allow size of log line buffer to be overridden at build time (MAXLINE). PR 27793. [Jeff Trawick] - *) Fix the comment delimiter in htdbm so that it correctly parses the - username comment. Also add a terminate function to allow NetWare + *) Fix the comment delimiter in htdbm so that it correctly parses the + username comment. Also add a terminate function to allow NetWare to pause the output before the screen is destroyed. - [Guenter Knauf , Brad Nicholes] - + [Guenter Knauf , Brad Nicholes] + *) Fix crash when Apache was started with no Listen directives. [Michael Corcoran ] @@ -1030,7 +1036,7 @@ Changes with Apache 2.0.49 connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket. - With Apache 2.x there is no performance concern about enabling the + With Apache 2.x there is no performance concern about enabling the logic for platforms which don't need it, so it is enabled everywhere except for Win32. [Jeff Trawick] @@ -1072,8 +1078,8 @@ Changes with Apache 2.0.49 even if they start with an escaped token. [André Malo] *) Add fatal exception hook for use by diagnostic modules. The hook - is only available if the --enable-exception-hook configure parm - is used and the EnableExceptionHook directive has been set to + is only available if the --enable-exception-hook configure parm + is used and the EnableExceptionHook directive has been set to "on". [Jeff Trawick] *) Allow mod_auth_digest to work with sub-requests with different 
@@ -1153,9 +1159,9 @@ Changes with Apache 2.0.49 process to crash. [Jeff Trawick] *) Win32: Add Win32DisableAcceptEx directive. This Windows - NT/2000/CP directive is useful to work around bugs in some - third party layered service providers like virus scanners, - VPN and firewall products, that do not properly handle + NT/2000/CP directive is useful to work around bugs in some + third party layered service providers like virus scanners, + VPN and firewall products, that do not properly handle WinSock 2 APIs. Use this directive if your server is issuing AcceptEx failed messages. [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick] @@ -1237,7 +1243,7 @@ Changes with Apache 2.0.49 *) mod_autoindex / core: Don't fail to show filenames containing special characters like '%'. PR 13598. [André Malo] - + *) mod_status: Report total CPU time accurately when using a threaded MPM. PR 23795. [Jeff Trawick] @@ -1260,9 +1266,9 @@ Changes with Apache 2.0.49 silently get skipped. next remove itself, so the warning will be logged only once [Stas Bekman, Jeff Trawick, Bill Rowe] - *) mod_info: HTML escape configuration information so it displays + *) mod_info: HTML escape configuration information so it displays correctly. PR 24232. [Thom May] - + *) Restore the ability to add a description for directories that don't contain an index file. (Broken in 2.0.48) [André Malo] @@ -1272,7 +1278,7 @@ Changes with Apache 2.0.49 *) mod_log_config: Log the minutes component of the timezone correctly. PR 23642. [Hong-Gunn Chew ] - *) mod_proxy: Fix cases where an invalid status-line could be sent + *) mod_proxy: Fix cases where an invalid status-line could be sent to the client. PR 23998. [Joe Orton] *) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL 
@@ -1296,14 +1302,14 @@ Changes with Apache 2.0.49 since 2.0.44). [Martin Kraemer] *) Fix the inability to log errors like exec failure in - mod_ext_filter/mod_cgi script children. This was broken after - such children stopped inheriting the error log handle. + mod_ext_filter/mod_cgi script children. This was broken after + such children stopped inheriting the error log handle. [Jeff Trawick] *) Fix mod_info to use the real config file name, not the default config file name. [Aryeh Katz ] - *) Set the scoreboard state to indicate logging prior to running + *) Set the scoreboard state to indicate logging prior to running logging hooks so that server-status will show 'L' for hung loggers instead of 'W'. [Jeff Trawick] @@ -1386,14 +1392,14 @@ Changes with Apache 2.0.48 *) mod_ssl: Fix a problem setting variables that represent the client certificate chain. PR 21371 [Jeff Trawick] - *) Unix: Handle permissions settings for flock-based mutexes in + *) Unix: Handle permissions settings for flock-based mutexes in unixd_set_global|proc_mutex_perms(). Allow the functions to be called for any type of mutex. PR 20312 [Jeff Trawick] *) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick] - *) Fix a misleading message from the some of the threaded MPMs when - MaxClients has to be lowered due to the setting of ServerLimit. + *) Fix a misleading message from the some of the threaded MPMs when + MaxClients has to be lowered due to the setting of ServerLimit. [Jeff Trawick] *) Lower the severity of the "listener thread didn't exit" message @@ -1472,7 +1478,7 @@ Changes with Apache 2.0.47 Fixed a bug whereby certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in - the weak ciphersuite being used in place of the strong one. + the weak ciphersuite being used in place of the strong one. [Ben Laurie] *) SECURITY: CVE-2003-0253 (cve.mitre.org) 
@@ -1556,18 +1562,18 @@ Changes with Apache 2.0.46 *) Add another check for already compressed content in mod_deflate. PR 19913. [Tsuyoshi SASAMOTO ] - *) Fixes for VPATH builds; copying special.mk and any future .mk files + *) Fixes for VPATH builds; copying special.mk and any future .mk files from the source tree as well as the build tree (now creates a usable configuration for apxs), and eliminated redundant -I'nclude paths. [William Rowe] *) Code fixes, constness corrections and ssl_toolkit_compat.h updates for SSLC and OpenSSL toolkit compatibility. Still work remains to - be done to cripple features based on the limitations of RSA's binary + be done to cripple features based on the limitations of RSA's binary distribution of their SSL-C toolkit. [William Rowe, Madhusudan Mathihalli, Jeff Trawick] - *) Linux 2.4+: If Apache is started as root and you code + *) Linux 2.4+: If Apache is started as root and you code CoreDumpDirectory, coredumps are enabled via the prctl() syscall. [Greg Ames] @@ -1577,7 +1583,7 @@ Changes with Apache 2.0.46 *) Fix --enable-mods-shared=most and other variants. [Aaron Bannert] - *) mod_log_config: Add the ability to log the id of the thread + *) mod_log_config: Add the ability to log the id of the thread processing the request via new %P formats. [Jeff Trawick] *) Use appropriate language codes for Czech (cs) and Traditional Chinese @@ -1596,7 +1602,7 @@ Changes with Apache 2.0.46 with error code 7. [Kris Verbeeck , Thom May] *) Fix a problem that caused httpd to be linked with incorrect flags - on some platforms when mod_so was enabled by default, breaking + on some platforms when mod_so was enabled by default, breaking DSOs on AIX. PR 19012 [Jeff Trawick] *) By default, use the same CC and CPP with which APR was built. 
@@ -1627,13 +1633,13 @@ Changes with Apache 2.0.46 delimiters (;). Thus column headers no longer contain unescaped ampersands. PR 10880 [André Malo] - *) Enable ap_sock_disable_nagle for Windows. This along with the - addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle + *) Enable ap_sock_disable_nagle for Windows. This along with the + addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle to be disabled for Windows. [Allan Edwards] *) Correct a mis-correlation between mpm_common.c and mpm_common.h; - This patch reverts us to pre-2.0.46 behavior, using the - ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle + This patch reverts us to pre-2.0.46 behavior, using the + ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle was never compiled on Win32. [Allan Edwards, William Rowe] *) Fix a build problem with passing unsupported --enable-layout @@ -1689,8 +1695,8 @@ Changes with Apache 2.0.45 *) Simpler, faster code path for request header scanning [Brian Pane] *) SECURITY: Eliminated leaks of several file descriptors to child - processes, such as CGI scripts. This fix depends on the APR library - release 0.9.2 or later (0.9.3 was distributed with the httpd + processes, such as CGI scripts. This fix depends on the APR library + release 0.9.2 or later (0.9.3 was distributed with the httpd source tarball for Apache 2.0.45.) PR 17206 [Christian Kratzer , Bjoern A. Zeeb ] 
@@ -1704,14 +1710,14 @@ Changes with Apache 2.0.45 directive. PR 17462. [André Malo] *) Win32: Avoid busy wait (consuming all the CPU idle cycles) when - all worker threads are busy. + all worker threads are busy. [Igor Nazarenko ] - *) Keep the subrequest filter in place when a subrequest is + *) Keep the subrequest filter in place when a subrequest is redirected. PR 15423. [Jeff Trawick] - *) you can now specify the compression level for mod_deflate. - [Ian Holsman, Stephen Pierzchala , + *) you can now specify the compression level for mod_deflate. + [Ian Holsman, Stephen Pierzchala , Michael Schroepl ] *) mod_deflate: Extend the DeflateFilterNote directive to 
@@ -1741,22 +1747,22 @@ Changes with Apache 2.0.45 default configuration. PR 12877. [André Malo] *) Updated mod_ldap and mod_auth_ldap to support the Novell LDAP SDK SSL - and standardized the LDAP SSL support across the various LDAP SDKs. - Isolated the SSL functionality to mod_ldap rather than speading it + and standardized the LDAP SSL support across the various LDAP SDKs. + Isolated the SSL functionality to mod_ldap rather than speading it across mod_auth_ldap and mod_ldap. Also added LDAPTrustedCA - and LDAPTrustedCAType directives to mod_ldap to allow for a more + and LDAPTrustedCAType directives to mod_ldap to allow for a more common method of specifying the SSL certificate. [Dave Ward, Brad Nicholes] - *) Fixed mod_ssl's SSLCertificateChain initialization to no longer - skip the first cert of the chain by default. This misbehavior + *) Fixed mod_ssl's SSLCertificateChain initialization to no longer + skip the first cert of the chain by default. This misbehavior was introduced in 2.0.34. PR 14560 [Madhusudan Mathihalli] *) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot be started on Unix because of such problems as bad permissions, bad shebang line, etc. [Jeff Trawick] - *) Fix 64-bit problem in mod_ssl input logic. + *) Fix 64-bit problem in mod_ssl input logic. [Madhusudan Mathihalli ] *) Fix potential memory leaks in mod_deflate on malformed data. PR 16046. @@ -1783,7 +1789,7 @@ Changes with Apache 2.0.45 attempt to use the cache if it didn't exist. Also fixed some memory leaks which were due to not releasing LDAP resources on error conditions. [Brad Nicholes] - + *) Hook mod_proxy's fixup before mod_rewrite's fixup, so that by mod_rewrite proxied URLs will not be escaped accidentally by mod_proxy's fixup. PR 16368 [André Malo] 
@@ -1824,11 +1830,11 @@ Changes with Apache 2.0.45 metafile searched for does not exist. PR 12353 [Owen Rees ] - *) Introduce debugging symbols for Win32 release builds, both .pdb - and .dbg files (older debuggers and Dr. Watson-type utilities + *) Introduce debugging symbols for Win32 release builds, both .pdb + and .dbg files (older debuggers and Dr. Watson-type utilities on WinNT or Win9x don't support the newer .pdb flavor.) [Allen Edwards, William Rowe] - + *) Fix bug where 'Satisfy Any' without an AuthType lost all MIME information (and more). Related to PR 9076. [André Malo] @@ -1845,7 +1851,7 @@ Changes with Apache 2.0.45 *) Enable the -n name parameter on NetWare to allow the administrator to rename the Apache console screen [Brad Nicholes] - + *) Fixed piped access logs on Win32 by disabling OTHER_CHILD support by default in APR. More development is required to deploy OTHER_CHILD on Win32. [William Rowe] @@ -1860,8 +1866,8 @@ Changes with Apache 2.0.45 This resolves problems on AIX when building a DSO with apxs+gcc. [Jeff Trawick] - *) Added character set support to mod_auth_LDAP to allow it to - convert extended characters used in the user ID to UTF-8 + *) Added character set support to mod_auth_LDAP to allow it to + convert extended characters used in the user ID to UTF-8 before authenticating against the LDAP directory. The new directive AuthLDAPCharsetConfig is used to specify the config file that contains the character set conversion table. @@ -1883,7 +1889,7 @@ Changes with Apache 2.0.45 *) Change the ulimit command used by apachectl on AIX so that it works in all locales. [Jeff Trawick] - *) mod_ext_filter: Fix a problem building argument lists which + *) mod_ext_filter: Fix a problem building argument lists which occasionally caused exec to fail. PR 15491. [Jeff Trawick] Changes with Apache 2.0.44 
@@ -1894,7 +1900,7 @@ Changes with Apache 2.0.44 *) mod_mime: Workaround to prevent a segfault if r->filename=NULL [Brian Pane] - + *) Reorder the definitions for mod_ldap and mod_auth_ldap within config.m4 to make sure the parent mod_ldap is defined first. This ensures that mod_ldap comes before mod_auth_ldap in the @@ -1908,7 +1914,7 @@ Changes with Apache 2.0.44 *) Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move implementation of MCacheMaxStreamingBuffer from mod_cache to mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the - lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should + lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should eliminate the need for explicitly coding MCacheMaxStreamingBuffer in most configurations. [Bill Stoddard] @@ -1930,7 +1936,7 @@ Changes with Apache 2.0.44 patterns [André Malo ] *) Add version string to provider API. [Justin Erenkrantz] - + *) build: './configure && make' now works without an in-tree apr and apr-util. [Wilfredo Sanchez] @@ -1975,7 +1981,7 @@ Changes with Apache 2.0.44 *) Add --[enable|disable]-v4-mapped configure option to control whether or not Apache expects to handle IPv4 connections - on IPv6 listening sockets. Either setting will work on + on IPv6 listening sockets. Either setting will work on systems with the IPV6_V6ONLY socket option. --enable-v4-mapped must be used on systems that always allow IPv4 connections on IPv6 listening sockets. PR 14037 (Bugzilla), PR 7492 (Gnats) 
@@ -1994,11 +2000,11 @@ Changes with Apache 2.0.44 envariable setting according to the server IP address which received the request. [Ken Coar] - *) mod_cgid: Terminate CGI scripts when the client connection + *) mod_cgid: Terminate CGI scripts when the client connection drops. PR 8388 [Jeff Trawick] - *) Rearrange OpenSSL engine initialization to support RAND - redirection on crypto accelerator. + *) Rearrange OpenSSL engine initialization to support RAND + redirection on crypto accelerator. [Frederic DONNAT ] *) Always emit Vary header if mod_deflate is involved in the @@ -2010,8 +2016,8 @@ Changes with Apache 2.0.44 [Detlev Vendt ] *) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION - notification is received before the HttpExtensionProc() returns - HSE_STATUS_PENDING. This only affected isapi .dll's configured + notification is received before the HttpExtensionProc() returns + HSE_STATUS_PENDING. This only affected isapi .dll's configured with the ISAPIFakeAsync on directive. PR 11918 [John DeSetto , William Rowe] @@ -2026,7 +2032,7 @@ Changes with Apache 2.0.44 once per worker, indicating that the CacheRoot needs to be set. [Paul J. Reder] - *) Fix a bug where we keep files open until the end of a + *) Fix a bug where we keep files open until the end of a keepalive connection, which can result in: (24)Too many open files: file permissions deny server access especially on threaded servers. [Greg Ames, Jeff Trawick] @@ -2076,7 +2082,7 @@ Changes with Apache 2.0.44 the client terminates the connection before the response is completely sent [Bojan Smojver ] - *) Fix some problems in the perchild MPM. + *) Fix some problems in the perchild MPM. [Jonas Eriksson ] *) Change the CacheRoot processing to check for a required 
@@ -2087,13 +2093,13 @@ Changes with Apache 2.0.44 cache file name cannot be opened. This also updates the docs accordingly. [Paul J. Reder] - *) Introduce the EnableSendfile directive, allowing users of NFS + *) Introduce the EnableSendfile directive, allowing users of NFS shares to disable sendfile mechanics when they either fail - outright or provide intermitantly corrupted data. PR + outright or provide intermitantly corrupted data. PR [William Rowe] - *) Resolve the error "An operation was attempted on something - that is not a socket. : winnt_accept: AcceptEx failed. + *) Resolve the error "An operation was attempted on something + that is not a socket. : winnt_accept: AcceptEx failed. Attempting to recover." for users of various firewall and anti-virus software on Windows. PR 8325 [William Rowe] @@ -2145,11 +2151,11 @@ Changes with Apache 2.0.43 well as some other dynamically-generated content. [Jeff Trawick] *) Fix a mutex problem in mod_ssl session cache support which - could lead to an infinite loop. PR 12705 + could lead to an infinite loop. PR 12705 [Amund Elstad , Jeff Trawick] *) SECURITY: CVE-2002-1156 (cve.mitre.org) - Fix the exposure of CGI source when a POST request is sent to + Fix the exposure of CGI source when a POST request is sent to a location where both DAV and CGI are enabled. [Ryan Bloom] *) Allow the UserDir directive to accept a list of directories. @@ -2160,7 +2166,7 @@ Changes with Apache 2.0.43 received. [Bojan Smojver ] *) SuExec needs to use the same default directory as the rest of - server, namely /usr/local/apache2. + server, namely /usr/local/apache2. [SangBeom han ] *) Get mod_auth_ldap to retry connections on LDAP_SERVER_DOWN. 
@@ -2258,8 +2264,8 @@ Changes with Apache 2.0.41 anything to the client. [Brian Pane] *) Win32: Lower the default stack size from 1MB to 256K. This will - allow around 8000 threads to be started per child process. - 'EDITBIN /STACK:size apache.exe' can be used to change this + allow around 8000 threads to be started per child process. + 'EDITBIN /STACK:size apache.exe' can be used to change this value directly in the apache.exe executable. [Bill Stoddard] @@ -2301,11 +2307,11 @@ Changes with Apache 2.0.41 *) mod-proxy: handle proxied responses with no status lines [JD Silvester , Brett Huttley ] - *) Fix bug where environment or command line arguments containing + *) Fix bug where environment or command line arguments containing non-ASCII-7 characters would cause the Win32 child process creation to fail. PR 11854 [William Rowe] - *) Bug #11213.. make module loading error messages more informative + *) Bug #11213.. make module loading error messages more informative [Ian Darwin ] *) thread safety & proxy-ftp [Alexey Panchenko , Ian Holsman] @@ -2327,12 +2333,12 @@ Changes with Apache 2.0.41 Changes with Apache 2.0.40 - *) SECURITY: CVE-2002-0661 (cve.mitre.org) - Close a very significant security hole that - applies only to the Win32, OS2 and Netware platforms. Unix was not + *) SECURITY: CVE-2002-0661 (cve.mitre.org) + Close a very significant security hole that + applies only to the Win32, OS2 and Netware platforms. Unix was not affected, Cygwin may be affected. Certain URIs will bypass security - and allow users to invoke or access any file depending on the system - configuration. Without upgrading, a single .conf change will close + and allow users to invoke or access any file depending on the system + configuration. Without upgrading, a single .conf change will close the vulnerability. Add the following directive in the global server httpd.conf context before any other Alias or Redirect directives; RedirectMatch 400 "\\\.\." 
@@ -2348,8 +2354,8 @@ Changes with Apache 2.0.40 [William Rowe] *) SECURITY: CVE-2002-0654 (cve.mitre.org) - Close a path-revealing exposure in cgi/cgid when we - fail to invoke a script. The modules would report "couldn't create + Close a path-revealing exposure in cgi/cgid when we + fail to invoke a script. The modules would report "couldn't create child process /path-to-script/script.pl" revealing the full path of the script. Reported by Jim Race . [Bill Stoddard] @@ -2366,7 +2372,7 @@ Changes with Apache 2.0.40 *) mod-deflate now checks to make sure that 'gzip-only-text/html' is set to 1, so we can exclude things from the general case with browsermatch. [Ian Holsman, Andre Schild ] - + *) Accept multiple leading /'s for requests within the DocumentRoot. PR 10946 [William Rowe, David Shane Holden ] @@ -2383,7 +2389,7 @@ Changes with Apache 2.0.40 *) Restore the ability to specify host names on Listen directives. PR 11030. [Jeff Trawick, David Shane Holden ] - *) When deciding on the default address family for listening sockets, + *) When deciding on the default address family for listening sockets, make sure we can actually bind to an AF_INET6 socket before deciding that we should default to AF_INET6. This fixes a startup problem on certain levels of OpenUNIX. PR 10235. [Jeff Trawick] @@ -2416,9 +2422,9 @@ Changes with Apache 2.0.40 Comment them out in the default config file to make the default install as simple as possible; Correct the english 500 error to be more understandable; Add a Swedish translation. - [Thomas Sjogren , + [Thomas Sjogren , Erik Abele , Rich Bowen, Joshua Slive] - + *) Increase the limit on file descriptors per process in apachectl. [Brian Pane] 
@@ -2465,7 +2471,7 @@ Changes with Apache 2.0.40 when running in a vhost if the filter definition is not found in the vhost. PR 10147 [Jeff Trawick] - *) Support WinNT CGI invocation through ScriptInterpreterSource + *) Support WinNT CGI invocation through ScriptInterpreterSource 'registry' for script interpreter paths and names with non-ascii characters in the executable filepath. [William Rowe] @@ -2516,7 +2522,7 @@ Changes with Apache 2.0.38 tmpnam being unsafe. [Ryan Bloom] *) We must set the MIME-type for .shtml files to text/html if we want them - to be parsed for SSI tags. Add the config for that to the default + to be parsed for SSI tags. Add the config for that to the default config file so that it is easier to enable .shtml parsing. [Dave Dyer ] @@ -2532,10 +2538,10 @@ Changes with Apache 2.0.38 PR 9866 [Brian Pane] *) Allow 'make install DESTDIR=/path'. This allows packagers to install - into a directory different from the one that was configured. This + into a directory different from the one that was configured. This also mirrors the root= feature from 1.3. We cannot use prefix=, - because both APR and APR-util resolve their installation paths at - configuration time. This means that there is no variable prefix + because both APR and APR-util resolve their installation paths at + configuration time. This means that there is no variable prefix to replace. [Andreas Hasenack ] *) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT. @@ -2549,7 +2555,7 @@ Changes with Apache 2.0.38 *) Fix install-bindist.sh so that it finds any perl instead of just early perl 5.x versions. This is consistent with a build/install - from source, and it allows the perl scripts installed by a bindist + from source, and it allows the perl scripts installed by a bindist to work on systems with perl 5.6. [Jeff Trawick] *) Fix apxs so that the makefile created by "apxs -g" works on AIX and 
@@ -2584,7 +2590,7 @@ Changes with Apache 2.0.37 file. PR 9729 [Matthew Brecknell ] *) Fix the working directory *for WinNT/2K/XP services only* to - change to the Apache directory (one level above the location + change to the Apache directory (one level above the location of Apache.exe, in the case that Apache.exe resides in bin/.) Solves the case of ServerRoot /foo paths where /foo was not on the same drive as /winnt/system32. [William Rowe] @@ -2596,7 +2602,7 @@ Changes with Apache 2.0.37 [Ian Holsman] *) Fix apxs to allow "apxs -q installbuilddir" and to allow - querying certain other variables from config_vars.mk. PR 9316 + querying certain other variables from config_vars.mk. PR 9316 [Jeff Trawick] *) Added the "detached" attribute to the cgi_exec_info_t internals @@ -2604,7 +2610,7 @@ Changes with Apache 2.0.37 for each CGI invoked. PR 8387 [Brad Nicholes, William Rowe] - *) Consolidated the command line parameters and attributes that are + *) Consolidated the command line parameters and attributes that are manipulated by the optional function ap_cgi_build_command() in mod_cgi into a single structure. [Brad Nicholes] @@ -2613,13 +2619,13 @@ Changes with Apache 2.0.37 variables. [Stas Bekman ] *) Fix apxs to allow it to work when the build directory is somewhere - besides server-root/build. PR 8453 + besides server-root/build. PR 8453 [Jeff Trawick and a host of others] *) Allow ap_discard_request_body to be called multiple times in the same request. Essentially, ap_http_filter keeps track of whether it has sent an EOS bucket up the stack, if so, it will only ever - send an EOS bucket for this request. + send an EOS bucket for this request. [Ryan Bloom, Justin Erenkrantz, Greg Stein] *) Remove all special mod_ssl URIs. This also fixes the bug where 
@@ -2650,9 +2656,9 @@ Changes with Apache 2.0.37 *) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request body. [Justin Erenkrantz] - - *) NetWare: Piping log entries through RotateLogs using the - CustomLogs directive is finally supported now that we have + + *) NetWare: Piping log entries through RotateLogs using the + CustomLogs directive is finally supported now that we have the pipes and spawning functionality working. [Brad Nicholes] @@ -2707,8 +2713,8 @@ Changes with Apache 2.0.37 *) Fix a file permissions problem which prevented mod_disk_cache from working on Unix. [Jeff Trawick] - *) Add "-k start|restart|graceful|stop" support to httpd for the Unix - MPMs. These have semantics very similar to the old apachectl + *) Add "-k start|restart|graceful|stop" support to httpd for the Unix + MPMs. These have semantics very similar to the old apachectl commands of the same name. [Justin Erenkrantz, Jeff Trawick] *) Make sure that the runtime dir is created by make install. @@ -2763,7 +2769,7 @@ Changes with Apache 2.0.37 *) Make apxs look in the correct directory for envvars. It was broken when sbindir != bindir. PR 8869 [Andreas Sundström ] - + *) Fix mod_deflate corruption when using multiple buckets. PR 9014. [Asada Kazuhisa ] @@ -2812,7 +2818,7 @@ Changes with Apache 2.0.37 PR 8170. [Thom May ] *) Win32: During a graceful restart, threads in the new process - were accessing scoreboard slots still in use by active threads in + were accessing scoreboard slots still in use by active threads in the old process. [Bill Stoddard] Changes with Apache 2.0.36 @@ -2833,7 +2839,7 @@ Changes with Apache 2.0.36 because it caused very long vhost id's to be unusable with mod_ssl. PR 8572. [Cliff Woolley] - *) Fix the link to the description of the CoredumpDirectory + *) Fix the link to the description of the CoredumpDirectory directive in the server-wide document. PR 8643. [Jeff Trawick] *) Fixed SHMCB session caching. [Aaron Bannert, Cliff Woolley] 
@@ -2913,9 +2919,9 @@ Changes with Apache 2.0.36 *) SECURITY: CVE-2002-1592 (cve.mitre.org) [CERT VU#165803] Added the APLOG_TOCLIENT flag to ap_log_rerror() to - explicitly tell the server that warning messages should be sent - to the client in addition to being recorded in the error log. - Prior to this change, ap_log_rerror() always sent warning + explicitly tell the server that warning messages should be sent + to the client in addition to being recorded in the error log. + Prior to this change, ap_log_rerror() always sent warning messages to the client. In one case, a faulty CGI script caused the server to send a warning message to the client that contained the full path to the CGI script. This could be considered a @@ -2955,11 +2961,11 @@ Changes with Apache 2.0.36 cache entry. [Bill Stoddard] *) Introduced -E startup_logfile_name option to httpd to allow admins - to begin logging errors immediately. This provides Win32 users + to begin logging errors immediately. This provides Win32 users an alternative to sending startup errors to the event viewer, and allows other daemon tool authors an alternative to logging to stderr. - [William Rowe] - + [William Rowe] + *) Fix subreqs with non-defined Content-Types being served improperly. [Justin Erenkrantz] @@ -2986,12 +2992,12 @@ Changes with Apache 2.0.36 PR 8004 [William Rowe] *) worker MPM: Fix a situation where a child exited without releasing - the accept mutex. Depending on the OS and mutex mechanism this + the accept mutex. Depending on the OS and mutex mechanism this could result in a hang. [Jeff Trawick] *) Update the instructions for how to get started with mod_example. [Stas Bekman] - + *) Fix PidFile to default to rel_runtimedir instead of rel_logfiledir. PR 7841. [Andreas Hasenack ] 
@@ -3008,7 +3014,7 @@ Changes with Apache 2.0.36 expected a status. PR 10010 [Graham Leggett] *) Deprecated the apr_lock.h API. Please see the following files - for the improved thread and process locking and signaling: + for the improved thread and process locking and signaling: apr_proc_mutex.h, apr_thread_mutex.h, apr_thread_rwlock.h, apr_thread_cond.h, and apr_global_mutex.h. [Aaron Bannert] @@ -3017,7 +3023,7 @@ Changes with Apache 2.0.36 [Ryan Morgan ] *) Fix parsing of some AP_DECLARE_DATA declarations so that the filter - handle declarations are recognized. This fixes problems loading + handle declarations are recognized. This fixes problems loading mod_autoindex on some platforms. [Brian Havard] *) add optional fixup hook to proxy [Daniel Lopez ] @@ -3046,9 +3052,9 @@ Changes with Apache 2.0.35 "
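Review bot: every hunk from @@ -1824,11 +1830,11 @@ through @@ -3017,7 +3023,7 @@ pairs each removed line with an added line whose text, as rendered here, is identical, so these are whitespace-only edits to old CHANGES entries (2.0.45 back to 2.0.36) carried in a commit whose subject is CVE-2011-3192. Please move that cleanup to a separate commit so the security change is just the new entry under "Changes with Apache 2.0.65". As submitted, anyone auditing or backporting the fix has to confirm by hand that the rewritten security entries (CVE-2002-1156, CVE-2002-0661, CVE-2002-0654, CVE-2002-1592) and the `RedirectMatch 400 "\\\.\."` workaround line that follows them as context were not altered.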
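Review bot: in the @@ -2087,13 +2093,13 @@ hunk the EnableSendfile entry is re-added with "intermitantly corrupted data. PR" followed directly by the credit, so the misspelling and a "PR" with no number after it are carried onto the new lines unchanged. If these lines are being touched for cleanup anyway, correct the spelling to "intermittently" and either supply the PR number or drop the dangling "PR"; otherwise leave the entry out of this commit entirely.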