changes.txt

Apache_2.0.59-Openssl_0.9 配置tomcat. Apache_2.0.59-Openssl_0.9 配置tomcat.

                                                         -*- coding: utf-8 -*-
Changes with Apache 2.0.59

  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
     handling.  For some RewriteRules this could lead to a pointer being
     written out of bounds.  Reported by Mark Dowd of McAfee.
     [Mark Cox]

  *) Win32: Minor fixes to build more cleanly under Visual Studio 2005
     from the command line build.  [William Rowe]

Changes with Apache 2.0.58

  *) Legal: Restored original years in copyright notices.
     [Colm MacCarthaigh]

Changes with Apache 2.0.57

  *) mod_cgid: run the get_suexec_identity hook within the request-handler
     instead of within cgid. PR 36410. [Colm MacCarthaigh] 

  *) core: Prevent read of unitialized memory in ap_rgetline_core. PR 39282.
     [Davi Arnaut <davi haxent.com.br>]

  *) mod_proxy: Report the proxy server name correctly in the "Via:" header,
     when UseCanonicalName is Off. PR 11971. [Martin Kraemer]

  *) mod_isapi: Various trivial code-fixes to permit mod_isapi to load and
     run on Unix. [William Wrowe]

  *) HTML-escape the Expect error message.  Not classed as security as
     an attacker has no way to influence the Expect header a victim will
     send to a target site.  Reported by Thiago Zaninotti
     <thiango nstalker.com>. [Mark Cox]

Changes with Apache 2.0.56

  *) SECURITY: CVE-2005-3357 (cve.mitre.org)
     mod_ssl: Fix a possible crash during access control checks if a
     non-SSL request is processed for an SSL vhost (such as the
     "HTTP request received on SSL port" error message when an 400
     ErrorDocument is configured, or if using "SSLEngine optional").
     PR 37791.  [Rüdiger Plüm, Joe Orton]

  *) SECURITY: CVE-2005-3352 (cve.mitre.org)
     mod_imap: Escape untrusted referer header before outputting in HTML
     to avoid potential cross-site scripting.  Change also made to
     ap_escape_html so we escape quotes.  Reported by JPCERT.
     [Mark Cox]

  *) Add APR/APR-Util Compiled and Runtime Version numbers to the
     output of 'httpd -V'. [William Rowe]

  *) Ensure that the proper status line is written to the client, fixing
     incorrect status lines caused by filters which modify r->status without 
     resetting r->status_line, such as the built-in byterange filter.
     [Jeff Trawick]

  *) Default handler: Don't return output filter apr_status_t values.
     PR 31759.  [Jeff Trawick, Ruediger Pluem, Joe Orton]

  *) mod_speling: Stop crashing with certain non-file requests.  
     [Jeff Trawick]

  *) keep the Content-Length header for a HEAD with no response body.
     PR 18757 [Greg Ames]
 
  *) Modify apr[util] .h detection to avoid breakage on VPATH builds
     using Solaris make (amoung others) and avoid breakage in ./buildconf
     when srclib/apr[-util] are symlinks rather than directories proper.
     [William Rowe]

  *) Avoid server-driven negotiation when a CGI script has emitted an 
     explicit "Status:" header. PR 38070.  [Nick Kew]

  *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
     format is used. PR 27787.  [André Malo]

  *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs.  PR 34264.
     [Justin Erenkrantz]

  *) mod_cache: Correctly handle responses with a 301 status. PR 37347. 
     [Paul Querna]

  *) mod_proxy_http: Prevent data corruption of POST request bodies when
     client accesses proxied resources with SSL. PR 37145.
     [Ruediger Pluem, William Rowe]    

  *) Eliminated the NET_TIME filter, restructuring the timeout logic.
     This provides a working mod_echo on all platforms, and ensures any
     custom protocol module is at least given an initial timeout value
     based on the <VirtualHost > context's Timeout directive.
     [William Rowe]  

  *) mod_ssl: Correct issue where mod_ssl does not pick up the 
     ssl-unclean-shutdown setting when configured. PR 34452. [Joe Orton]

  *) Document the ReceiveBufferSize change done in r157583.
     [Murray Nesbitt <murray cpan.org>]

  *) mod_deflate: Merge the Vary header, instead of Setting it. Fixes
     applications that send the Vary Header themselves. PR 37559. 
     [Paul Querna]

  *) mod_dav: Fix a null pointer dereference in an error code path during the
     handling of MKCOL. [Ghassan Misherghi <ghassanm ucdavis.edu>]

  *) mod_mime_magic: Handle CRLF-format magic files so that it works with
     the default installation on Windows.  [Jeff Trawick]

  *) Write message to error log if AuthGroupFile cannot be opened.
     PR 37566.  [Rüdiger Plüm]

  *) Add ReceiveBufferSize directive to control the TCP receive buffer.
     [Eric Covener <covener gmail.com>]

  *) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125.
     [Paul Querna]

  *) Remove the base href tag from proxy_ftp, as it breaks relative
     links for clients not using an Authorization header. [Graham Leggett,
     Jon Snow <jsnow27 gatesec.net>]

  *) http_request.c: Add missing va_end call. [André Malo]

  *) Add httxt2dbm to support/ for creating RewriteMap DBM Files.
     [Paul Querna]

  *) support/check_forensic: Fix temp file usage
     [Javier Fernandez-Sanguino Pen~a <jfs computer.org>]

  *) Chunk filter: Fix chunk filter to create correct chunks in the case that
     a flush bucket is surrounded by data buckets. [Ruediger Pluem]

  *) mod_cgi(d): Remove block on OPTIONS method so that scripts can
     respond to OPTIONS directly rather than via server default.
     [Roy Fielding] PR 15242

  *) Added new module mod_version, which provides version dependent
     configuration containers.  [André Malo]

  *) Add core version query function (ap_get_server_revision) and
     accompanying ap_version_t structure (minor MMN bump).
     [André Malo]

Changes with Apache 2.0.55

  *) SECURITY: CVE-2005-2700 (cve.mitre.org)
     mod_ssl: Fix a security issue where "SSLVerifyClient" was not
     enforced in per-location context if "SSLVerifyClient optional"
     was configured in the vhost configuration.  [Joe Orton]

  *) SECURITY: CVE-2005-2970 (cve.mitre.org)
     worker MPM: Fix a memory leak which can occur after an aborted
     connection in some limited circumstances.  [Greg Ames]

  *) mod_ldap: Fix PR 36563. Keep track of the number of attributes
     retrieved from LDAP so that all of the values can be properly 
     cached even if the value is NULL. 
     [Brad Nicholes, Ondrej Sury <ondrej sury.org>]
       
  *) SECURITY: CVE-2005-2491 (cve.mitre.org): 
     Fix integer overflows in PCRE in quantifier parsing which could
     be triggered by a local user through use of a carefully-crafted 
     regex in an .htaccess file.  [Philip Hazel]

  *) SECURITY: CVE-2005-2088 (cve.mitre.org)
     proxy: Correctly handle the Transfer-Encoding and Content-Length
     headers.  Discard the request Content-Length whenever T-E: chunked
     is used, always passing one of either C-L or T-E: chunked whenever 
     the request includes a request body.  Resolves an entire class of
     proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]

  *) Added TraceEnable [on|off|extended] per-server directive to alter
     the behavior of the TRACE method.  This addresses a flaw in proxy
     conformance to RFC 2616 - previously the proxy server would accept
     a TRACE request body although the RFC prohibited it.  The default
     remains 'TraceEnable on'.  [William Rowe]

  *) Add ap_log_cerror() for logging messages associated with particular
     client connections.  [Jeff Trawick]

  *) Correct mod_cgid's argv[0] so that the full path can be delved by the
     invoked cgi application, to conform to the behavior of mod_cgi.
     [Pradeep Kumar S <pradeep.smani gmail.com>]

  *) mod_include: Fix possible environment variable corruption when 
     using nested includes.  PR 12655.  [Joe Orton]

  *) Support the suppress-error-charset setting, as with Apache 1.3.x.
     PR 31274.  [Jeff Trawick]

  *) EBCDIC: Handle chunked input from client or, with proxy, origin
     server.  [Jeff Trawick]

  *) Fix bad globbing comparison which could result in getting
     a directory listing when a file was requested. PR 34512.
     [sean <infamous41md hotmail.com>]

  *) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
     was called even if mod_auth_ldap_check_user_id() was not
     (or if it didn't succeed) for non-authoritative cases.
     [Jim Jagielski]

  *) SECURITY: CVE-2005-2728 (cve.mitre.org)
     Fix cases where the byterange filter would buffer responses
     into memory.  PR 29962.  [Joe Orton]

  *) mod_proxy: Fix over-eager handling of '%' for reverse proxies.
     PR 15207.  [Jim Jagielski]

  *) mod_ldap: Fix various shared memory cache handling bugs.
     PR 34209.  [Joe Orton]

  *) Fix a file descriptor leak when starting piped loggers.  PR 33748. 
     [Joe Orton]

  *) mod_ldap: Avoid segfaults when opening connections if using a version
     of OpenLDAP older than 2.2.21.  PR 34618.  [Brad Nicholes]

  *) mod_ssl: Fix build with OpenSSL 0.9.8.  PR 35757.  [William Rowe]

  *) SECURITY: CVE-2005-2088 (cve.mitre.org)
     core: If a request contains both Transfer-Encoding and Content-Length
     headers, remove the Content-Length, mitigating some HTTP Request 
     Splitting/Spoofing attacks.  [Paul Querna, Joe Orton]

  *) proxy HTTP: If a response contains both Transfer-Encoding and a 
     Content-Length, remove the Content-Length and don't reuse the
     connection, mitigating some HTTP Response Splitting attacks.
     [Jeff Trawick]

  *) Prevent hangs of child processes when writing to piped loggers at
     the time of graceful restart.  PR 26467.  [Jeff Trawick]

  *) SECURITY: CVE-2005-1268 (cve.mitre.org)
     mod_ssl: Fix off-by-one overflow whilst printing CRL information
     at "LogLevel debug" which could be triggered if configured 
     to use a "malicious" CRL.  PR 35081.  [Marc Stern <mstern csc.com>]

  *) mod_userdir: Fix possible memory corruption issue.  PR 34588.
     [David Leonard <dleonard vintela.com>]

  *) worker mpm: don't take down the whole server for a transient
     thread creation failure. PR 34514 [Greg Ames]
  
  *) mod_rewrite: use buffered I/O to improve performance with large
     RewriteMap txt: files.  [Greg Ames]

  *) proxy HTTP: Rework the handling of request bodies to handle
     chunked input and input filters which modify content length, and
     avoid spooling arbitrary-sized request bodies in memory.
     PR 15859.  [Jeff Trawick]

Changes with Apache 2.0.54

  *) mod_cache: Add CacheIgnoreHeaders directive.  PR 30399.
     [Rüdiger Plüm <r.pluem t-online.de>]

  *) mod_ldap: Added the directive LDAPConnectionTimeout to configure
     the ldap socket connection timeout value.  
     [Brad Nicholes]

  *) Correctly export all mod_dav public functions.
     [Branko Čibej <brane xbc.nu>]

  *) Add a build script to create a solaris package. [Graham Leggett]

  *) worker MPM: Fix a problem which could cause httpd processes to
     remain active after shutdown.  [Jeff Trawick]

  *) Unix MPMs: Shut down the server more quickly when child processes are
     slow to exit.  [Joe Orton, Jeff Trawick]

  *) Remove formatting characters from ap_log_error() calls.  These
     were escaped as fallout from CVE-2003-0020.
     [Eric Covener <ecovener gmail.com>]

  *) mod_ssl: If SSLUsername is used, set r->user earlier.  PR 31418.
     [David Reid]

  *) htdigest: Fix permissions of created files.  PR 33765.  [Joe Orton]

  *) core_input_filter: Move buckets to a persistent brigade instead of
     creating a new brigade. This stop a memory leak when proxying a 
     Streaming Media Server. PR 33382. [Paul Querna]

  *) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid 
     hiccups from additional path information passed in non-utf-8 format.
     [Richard Donkin <rd9 donkin.org]

Changes with Apache 2.0.53

  *) Fix --with-apr=/usr and/or --with-apr-util=/usr.  PR 29740.
     [Max Bowsher <maxb ukf.net>]

  *) mod_proxy: Fix ProxyRemoteMatch directive.  PR 33170.
     [Rici Lake <rici ricilake.net>]

  *) mod_proxy: Respect errors reported by pre_connection hooks.
     [Jeff Trawick]