DVD Plaza
Sat 1st Nov '03, 9:52am
Security vulnerabilities closed since Apache 2.0.47
* SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script. [Jeff Trawick]
* SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. [André Malo]
Bugs fixed and features added since Apache 2.0.47
* mod_include: fix segfault which occured if the filename was not set, for example, when processing some error conditions. PR 23836. [Brian Akins <bakins@web.turner.com>, André Malo]
* fix the config parser to support <Foo>..</Foo> containers (no arguments in the opening tag) supported by httpd 1.3. Without this change mod_perl 2.0's <Perl> sections are broken. ["Philippe M. Chiasson" <gozer@cpan.org>]
* mod_cgid: fix a hash table corruption problem which could result in the wrong script being cleaned up at the end of a request. [Jeff Trawick]
* Update httpd-*.conf to be clearer in describing the connection between AddType and AddEncoding for defining the meaning of compressed file extensions. [Roy Fielding]
* mod_rewrite: Don't die silently when failing to open RewriteLogs. PR 23416. [André Malo]
* mod_rewrite: Fix mod_rewrite's support of the [P] option to send rewritten request using "proxy:". The code was adding multiple "proxy:" fields in the rewritten URI. PR: 13946. [Eider Oliveira <eider@bol.com.br>]
* cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and expires as directed in RFC 2616. [Thomas Castelle <tcastelle@generali.fr>]
* Ensure that ssl-std.conf is generated at configure time, and switch to using the expanded config variables to work the same as httpd-std.conf PR: 19611 [Thom May]
* mod_ssl: Fix segfaults after renegotiation failure. PR 21370 [Hartmut Keil <Hartmut.Keil@adnovum.ch>]
* mod_autoindex: If a directory contains a file listed in the DirectoryIndex directive, the folder icon is no longer replaced by the icon of that file. PR 9587. [David Shane Holden <dpejesh@yahoo.com>]
* Fixed mod_usertrack to not get false positive matches on the user-tracking cookie's name. PR 16661. [Manni Wood <manniwood@planet-save.com>]
* mod_cache: Fix the cache code so that responses can be cached if they have an Expires header but no Etag or Last-Modified headers. PR 23130. [bjorn@exoweb.net]
* mod_log_config: Fix %b log format to write really "-" when 0 bytes were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]
* Modify ap_get_client_block() to note if it has seen EOS. [Justin Erenkrantz]
* Fix a bug, where mod_deflate sometimes unconditionally compressed the content if the Accept-Encoding header contained only other tokens than "gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
* Avoid an infinite recursion, which occured if the name of an included config file or directory contained a wildcard character. PR 22194. [André Malo]
* mod_ssl: Fix a problem setting variables that represent the client certificate chain. PR 21371 [Jeff Trawick]
* Unix: Handle permissions settings for flock-based mutexes in unixd_set_global|proc_mutex_perms(). Allow the functions to be called for any type of mutex. PR 20312 [Jeff Trawick]
* ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
* Fix a misleading message from the some of the threaded MPMs when MaxClients has to be lowered due to the setting of ServerLimit. [Jeff Trawick]
* Lower the severity of the "listener thread didn't exit" message to debug, as it is of interest only to developers. PR 9011 [Jeff Trawick]
* MPMs: The bucket brigades subsystem now honors the MaxMemFree setting. [Cliff Woolley, Jean-Jacques Clar]
* Install config.nice into the build/ directory to make minor version upgrades easier. [Joshua Slive]
* Fix mod_deflate so that it does not call deflate() without checking first whether it has something to deflate. (Currently this causes deflate to generate a fatal error according to the zlib spec.) PR 22259. [Stas Bekman]
* mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an identity spoof is encountered. [Sander Striker]
* mod_rewrite: Ignore RewriteRules in .htaccess files if the directory containing the .htaccess file is requested without a trailing slash. PR 20195. [André Malo]
* ab: Overlong credentials given via command line no longer clobber the buffer. [André Malo]
* mod_deflate: Don't attempt to hold all of the response until we're done. [Justin Erenkrantz]
* Assure that we block properly when reading input bodies with SSL. PR 19242. [David Deaves <David.Deaves@dd.id.au>, William Rowe]
* Update mime.types to include latest IANA and W3C types. [Roy Fielding]
* mod_ext_filter: Set additional environment variables for use by the external filter. PR 20944. [Andrew Ho, Jeff Trawick]
* Fix buildconf errors when libtool version changes. [Jeff Trawick]
* Remember an authenticated user during internal redirects if the redirection target is not access protected and pass it to scripts using the REDIRECT_REMOTE_USER environment variable. PR 10678, 11602. [André Malo]
* mod_include: Fix a trio of bugs that would cause various unusual sequences of parsed bytes to omit portions of the output stream. PR 21095. [Ron Park <ronald.park@cnet.com>, André Malo, Cliff Woolley]
* Update the header token parsing code to allow LWS between the token word and the ':' seperator. [PR 16520] [Kris Verbeeck <kris.verbeeck@advalvas.be>, Nicel KM <mnicel@yahoo.com>]
* Eliminate creation of a temporary table in ap_get_mime_headers_core() [Joe Schaefer <joe+gmane@sunstarsys.com>]
* Added FreeBSD directory layout. PR 21100. [Sander Holthaus <info@orangexl.com>, André Malo]
* Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP response. PR 21085. [Glenn Nielsen <glenn@apache.org>, André Malo]
* mod_rewrite: Perform child initialization on the rewrite log lock. This fixes a log corruption issue when flock-based serialization is used (e.g., FreeBSD). [Jeff Trawick]
* Don't respect the Server header field as set by modules and CGIs. As with 1.3, for proxy requests any such field is from the origin server; otherwise it will have our server info as controlled by the ServerTokens directive. [Jeff Trawick]
* SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script. [Jeff Trawick]
* SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. [André Malo]
Bugs fixed and features added since Apache 2.0.47
* mod_include: fix segfault which occured if the filename was not set, for example, when processing some error conditions. PR 23836. [Brian Akins <bakins@web.turner.com>, André Malo]
* fix the config parser to support <Foo>..</Foo> containers (no arguments in the opening tag) supported by httpd 1.3. Without this change mod_perl 2.0's <Perl> sections are broken. ["Philippe M. Chiasson" <gozer@cpan.org>]
* mod_cgid: fix a hash table corruption problem which could result in the wrong script being cleaned up at the end of a request. [Jeff Trawick]
* Update httpd-*.conf to be clearer in describing the connection between AddType and AddEncoding for defining the meaning of compressed file extensions. [Roy Fielding]
* mod_rewrite: Don't die silently when failing to open RewriteLogs. PR 23416. [André Malo]
* mod_rewrite: Fix mod_rewrite's support of the [P] option to send rewritten request using "proxy:". The code was adding multiple "proxy:" fields in the rewritten URI. PR: 13946. [Eider Oliveira <eider@bol.com.br>]
* cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and expires as directed in RFC 2616. [Thomas Castelle <tcastelle@generali.fr>]
* Ensure that ssl-std.conf is generated at configure time, and switch to using the expanded config variables to work the same as httpd-std.conf PR: 19611 [Thom May]
* mod_ssl: Fix segfaults after renegotiation failure. PR 21370 [Hartmut Keil <Hartmut.Keil@adnovum.ch>]
* mod_autoindex: If a directory contains a file listed in the DirectoryIndex directive, the folder icon is no longer replaced by the icon of that file. PR 9587. [David Shane Holden <dpejesh@yahoo.com>]
* Fixed mod_usertrack to not get false positive matches on the user-tracking cookie's name. PR 16661. [Manni Wood <manniwood@planet-save.com>]
* mod_cache: Fix the cache code so that responses can be cached if they have an Expires header but no Etag or Last-Modified headers. PR 23130. [bjorn@exoweb.net]
* mod_log_config: Fix %b log format to write really "-" when 0 bytes were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]
* Modify ap_get_client_block() to note if it has seen EOS. [Justin Erenkrantz]
* Fix a bug, where mod_deflate sometimes unconditionally compressed the content if the Accept-Encoding header contained only other tokens than "gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
* Avoid an infinite recursion, which occured if the name of an included config file or directory contained a wildcard character. PR 22194. [André Malo]
* mod_ssl: Fix a problem setting variables that represent the client certificate chain. PR 21371 [Jeff Trawick]
* Unix: Handle permissions settings for flock-based mutexes in unixd_set_global|proc_mutex_perms(). Allow the functions to be called for any type of mutex. PR 20312 [Jeff Trawick]
* ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
* Fix a misleading message from the some of the threaded MPMs when MaxClients has to be lowered due to the setting of ServerLimit. [Jeff Trawick]
* Lower the severity of the "listener thread didn't exit" message to debug, as it is of interest only to developers. PR 9011 [Jeff Trawick]
* MPMs: The bucket brigades subsystem now honors the MaxMemFree setting. [Cliff Woolley, Jean-Jacques Clar]
* Install config.nice into the build/ directory to make minor version upgrades easier. [Joshua Slive]
* Fix mod_deflate so that it does not call deflate() without checking first whether it has something to deflate. (Currently this causes deflate to generate a fatal error according to the zlib spec.) PR 22259. [Stas Bekman]
* mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an identity spoof is encountered. [Sander Striker]
* mod_rewrite: Ignore RewriteRules in .htaccess files if the directory containing the .htaccess file is requested without a trailing slash. PR 20195. [André Malo]
* ab: Overlong credentials given via command line no longer clobber the buffer. [André Malo]
* mod_deflate: Don't attempt to hold all of the response until we're done. [Justin Erenkrantz]
* Assure that we block properly when reading input bodies with SSL. PR 19242. [David Deaves <David.Deaves@dd.id.au>, William Rowe]
* Update mime.types to include latest IANA and W3C types. [Roy Fielding]
* mod_ext_filter: Set additional environment variables for use by the external filter. PR 20944. [Andrew Ho, Jeff Trawick]
* Fix buildconf errors when libtool version changes. [Jeff Trawick]
* Remember an authenticated user during internal redirects if the redirection target is not access protected and pass it to scripts using the REDIRECT_REMOTE_USER environment variable. PR 10678, 11602. [André Malo]
* mod_include: Fix a trio of bugs that would cause various unusual sequences of parsed bytes to omit portions of the output stream. PR 21095. [Ron Park <ronald.park@cnet.com>, André Malo, Cliff Woolley]
* Update the header token parsing code to allow LWS between the token word and the ':' seperator. [PR 16520] [Kris Verbeeck <kris.verbeeck@advalvas.be>, Nicel KM <mnicel@yahoo.com>]
* Eliminate creation of a temporary table in ap_get_mime_headers_core() [Joe Schaefer <joe+gmane@sunstarsys.com>]
* Added FreeBSD directory layout. PR 21100. [Sander Holthaus <info@orangexl.com>, André Malo]
* Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP response. PR 21085. [Glenn Nielsen <glenn@apache.org>, André Malo]
* mod_rewrite: Perform child initialization on the rewrite log lock. This fixes a log corruption issue when flock-based serialization is used (e.g., FreeBSD). [Jeff Trawick]
* Don't respect the Server header field as set by modules and CGIs. As with 1.3, for proxy requests any such field is from the origin server; otherwise it will have our server info as controlled by the ServerTokens directive. [Jeff Trawick]