changes.txt

Apache_2.0.59-Openssl_0.9 配置tomcat. Apache_2.0.59-Openssl_0.9 配置tomcat.

  *) mod_ext_filter: Set additional environment variables for use by
     the external filter.  PR 20944.  [Andrew Ho, Jeff Trawick]

  *) Fix buildconf errors when libtool version changes.  [Jeff Trawick]

  *) Remember an authenticated user during internal redirects if the
     redirection target is not access protected and pass it
     to scripts using the REDIRECT_REMOTE_USER environment variable.
     PR 10678, 11602.  [André Malo]

  *) mod_include: Fix a trio of bugs that would cause various unusual
     sequences of parsed bytes to omit portions of the output stream.
     PR 21095. [Ron Park <ronald.park cnet.com>, André Malo, Cliff Woolley]

  *) Update the header token parsing code to allow LWS between the
     token word and the ':' seperator.  [PR 16520]
     [Kris Verbeeck <kris.verbeeck advalvas.be>, Nicel KM <mnicel yahoo.com>]

  *) Eliminate creation of a temporary table in ap_get_mime_headers_core()
     [Joe Schaefer <joe+gmane sunstarsys.com>]

  *) Added FreeBSD directory layout. PR 21100.
     [Sander Holthaus <info orangexl.com>, André Malo]

  *) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
     response. PR 21085. [Glenn Nielsen <glenn apache.org>, André Malo]

  *) mod_rewrite: Perform child initialization on the rewrite log lock.
     This fixes a log corruption issue when flock-based serialization
     is used (e.g., FreeBSD).  [Jeff Trawick]

  *) Don't respect the Server header field as set by modules and CGIs.
     As with 1.3, for proxy requests any such field is from the origin
     server; otherwise it will have our server info as controlled by
     the ServerTokens directive.  [Jeff Trawick]

Changes with Apache 2.0.47

  *) SECURITY: CVE-2003-0192 (cve.mitre.org)
     Fixed a bug whereby certain sequences of per-directory
     renegotiations and the SSLCipherSuite directive being used to
     upgrade from a weak ciphersuite to a strong one could result in
     the weak ciphersuite being used in place of the strong one.  
     [Ben Laurie]

  *) SECURITY: CVE-2003-0253 (cve.mitre.org)
     Fixed a bug in prefork MPM causing temporary denial of service
     when accept() on a rarely accessed port returns certain errors.
     Reported by Saheed Akhtar <S.Akhtar talis.com>.  [Jeff Trawick]

  *) SECURITY: CVE-2003-0254 (cve.mitre.org)
     Fixed a bug in ftp proxy causing denial of service when target
     host is IPv6 but proxy server can't create IPv6 socket.  Fixed by
     the reporter.  [Yoshioka Tsuneo <tsuneo.yoshioka f-secure.com>]

  *) SECURITY [VU#379828] Prevent the server from crashing when entering
     infinite loops. The new LimitInternalRecursion directive configures
     limits of subsequent internal redirects and nested subrequests, after
     which the request will be aborted.  PR 19753 (and probably others).
     [William Rowe, Jeff Trawick, André Malo]

  *) core_output_filter: don't split the brigade after a FLUSH bucket if
     it's the last bucket.  This prevents creating unneccessary empty
     brigades which may not be destroyed until the end of a keepalive
     connection.
     [Juan Rivera <Juan.Rivera citrix.com>]

  *) Add support for "streamy" PROPFIND responses.
     [Ben Collins-Sussman <sussman collab.net>]

  *) mod_cgid: Eliminate a double-close of a socket.  This resolves
     various operational problems in a threaded MPM, since on the
     second attempt to close the socket, the same descriptor was
     often already in use by another thread for another purpose.
     [Jeff Trawick]

  *) mod_negotiation: Introduce "prefer-language" environment variable,
     which allows to influence the negotiation process on request basis
     to prefer a certain language.  [André Malo]

  *) Make mod_expires' ExpiresByType work properly, including for
     dynamically-generated documents.  [Ken Coar, Bill Stoddard]

Changes with Apache 2.0.46

  *) SECURITY: CVE-2003-0245 (cve.mitre.org)
     Fixed a bug causing apr_pvsprintf() to crash by sending an overly
     long string.  This can be triggered remotely through mod_dav,
     mod_ssl, and other mechanisms.
     Reported by David Endler <DEndler iDefense.com>.  [Joe Orton]

  *) SECURITY: CVE-2003-0189 (cve.mitre.org)
     Fixed a denial-of-service vulnerability affecting basic
     authentication on Unix platforms related to thread-safety in
     apr_password_validate().
     Reported by John Hughes <john.hughes entegrity.com>.

  *) Fix for mod_dav.  Call the 'can_be_activity' callback, if provided,
     when a MKACTIVITY request comes in.
     [Ben Collins-Sussman <sussman collab.net>]

  *) Perform run-time query in apxs for apr and apr-util's includes.
     [Justin Erenkrantz]

  *) run libtool from the apr install directory (in case that is different
     from the apache install directory) [Jeff Trawick]

  *) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]

  *) If mod_mime_magic does not know the content-type, do not attempt to
     guess.  PR 16908.  [Andrew Gapon <agapon telcordia.com>]

  *) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
     caching. PR 17864.
     [Andreas Leimbacher <andreasl67 yahoo.de>, Madhusudan Mathihalli]

  *) Add a delete flag to htpasswd.
     [Thom May]

  *) Fix mod_rewrite's handling of absolute URIs. The escaping routines
     now work scheme dependent and the query string will only be
     appended if supported by the particular scheme.  [André Malo]

  *) Add another check for already compressed content in mod_deflate.
     PR 19913. [Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]

  *) Fixes for VPATH builds; copying special.mk and any future .mk files 
     from the source tree as well as the build tree (now creates a usable
     configuration for apxs), and eliminated redundant -I'nclude paths.
     [William Rowe]

  *) Code fixes, constness corrections and ssl_toolkit_compat.h updates
     for SSLC and OpenSSL toolkit compatibility.  Still work remains to
     be done to cripple features based on the limitations of RSA's binary 
     distribution of their SSL-C toolkit.
     [William Rowe, Madhusudan Mathihalli, Jeff Trawick]

  *) Linux 2.4+: If Apache is started as root and you code 
     CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
     [Greg Ames]

  *) ap_get_mime_headers_core: allocate space for the trailing null
     when folding is in effect.
     PR 18170 [Peter Mayne <PeterMayne SPAM_SUX.ap.spherion.com>]

  *) Fix --enable-mods-shared=most and other variants.  [Aaron Bannert]

  *) mod_log_config: Add the ability to log the id of the thread 
     processing the request via new %P formats.  [Jeff Trawick]

  *) Use appropriate language codes for Czech (cs) and Traditional Chinese
     (zh-tw) in default config files. PR 9427.  [André Malo]

  *) mod_auth_ldap: Use generic whitespace character class when parsing
     "require" directives, instead of literal spaces only. PR 17135.
     [André Malo]

  *) Hook mod_rewrite's type checker before mod_mime's one. That way the
     RewriteRule [T=...] Flag should work as expected now. PR 19626.
     [André Malo]

  *) htpasswd: Check the processed file on validity. If a line is not empty
     and not a comment, it must contain at least one colon. Otherwise exit
     with error code 7. [Kris Verbeeck <Kris.Verbeeck ubizen.com>, Thom May]

  *) Fix a problem that caused httpd to be linked with incorrect flags
     on some platforms when mod_so was enabled by default, breaking 
     DSOs on AIX.  PR 19012  [Jeff Trawick]

  *) By default, use the same CC and CPP with which APR was built.
     The user can override with CC and CPP environment variables.
     [Jeff Trawick]

  *) Fix ap_construct_url() so that it surrounds IPv6 literal address
     strings with [].  This fixes certain types of redirection.
     PR 19207.  [Jeff Trawick]

  *) forward port of buffer overflow fixes for htdigest. [Thom May]

  *) Added AllowEncodedSlashes directive to permit control of whether
     the server will accept encoded slashes ('%2f') in the URI path.
     Default condition is off (the historical behaviour).  This permits
     environments in which the path-info needs to contain encoded
     slashes.  PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639.  [Ken Coar]

  *) When using Redirect in directory context, append requested query
     string if there's no one supplied by configuration. PR 10961.
     [André Malo]

  *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
     the pattern will not always match as desired. PR 12596.
     [André Malo]

  *) mod_autoindex now emits and accepts modern query string parameter
     delimiters (;). Thus column headers no longer contain unescaped
     ampersands. PR 10880  [André Malo]

  *) Enable ap_sock_disable_nagle for Windows. This along with the 
     addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle 
     to be disabled for Windows. [Allan Edwards]

  *) Correct a mis-correlation between mpm_common.c and mpm_common.h;
     This patch reverts us to pre-2.0.46 behavior, using the 
     ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle 
     was never compiled on Win32. [Allan Edwards, William Rowe]

  *) Fix a build problem with passing unsupported --enable-layout
     args to apr and apr-util.  This broke binbuild.sh as well as
     user-specified layout parameters.  PR 18649 [Justin Erenkrantz,
     Jeff Trawick]

  *) If a Date response header was already set in the headers array,
     this value was ignored in favour of the current time. This meant
     that Date headers on proxied requests where rewritten when they
     should not have been. PR: 14376 [Graham Leggett]

  *) Add code to buildconf that produces an httpd.spec file from
     httpd.spec.in, using build/get-version.sh from APR.
     [Graham Leggett]

  *) Fixed a segfault when multiple ProxyBlock directives were used.
     PR: 19023 [Sami Tikka <sami.tikka f-secure.com>]

  *) SECURITY: CVE-2003-0134 (cve.mitre.org)
     OS2: Fix a Denial of Service vulnerability identified and
     reported by Robert Howard <rihoward rawbw.com> that where device
     names faulted the running OS2 worker process.  The fix is
     actually in APR 0.9.4.  [Brian Havard]

  *) SECURITY: CVE-2003-0083 (cve.mitre.org)
     Forward port: Escape special characters (especially control
     characters) in mod_log_config to make a clear distinction between
     client-supplied strings (with special characters) and server-side
     strings. This was already introduced in version 1.3.25.
     [André Malo]

  *) mod_deflate: Check also err_headers_out for an already set
     Content-Encoding: gzip header. This prevents gzip compressed content
     from a CGI script from being compressed once more. PR 17797.
     [André Malo]

Changes with Apache 2.0.45

  *) Fix possible segfaults under obscure error conditions within the
     cgid daemon.  [Jeff Trawick, William Rowe]

  *) SECURITY: CVE-2003-0132 (cve.mitre.org)
     Close a Denial of Service vulnerability identified by David
     Endler <DEndler iDefense.com> on all platforms.  An unlimited
     stream of newlines were acceptable between requests where each
     <lf> would allocate an 80 byte buffer, leading very quickly to
     memory exahustion.  [Brian Pane]

  *) Added an rpm build script.
     [Graham Leggett, Joe Orton <jorton redhat.com>]

  *) Simpler, faster code path for request header scanning  [Brian Pane]

  *) SECURITY:  Eliminated leaks of several file descriptors to child
     processes, such as CGI scripts.  This fix depends on the APR library 
     release 0.9.2 or later (0.9.3 was distributed with the httpd 
     source tarball for Apache 2.0.45.)  PR 17206
     [Christian Kratzer <ck cksoft.de>, Bjoern A. Zeeb <bz zabbadoz.net>]

  *) Fix path handling of mod_rewrite, especially on non-unix systems.
     There was some confusion between local paths and URL paths.
     PR 12902.  [André Malo]

  *) Prevent endless loops of internal redirects in mod_rewrite by
     aborting after exceeding a limit of internal redirects. The
     limit defaults to 10 and can be changed using the RewriteOptions
     directive. PR 17462.  [André Malo]

  *) Win32: Avoid busy wait (consuming all the CPU idle cycles) when
     all worker threads are busy. 
     [Igor Nazarenko <igor_nazarenko hotmail.com>]

  *) Keep the subrequest filter in place when a subrequest is 
     redirected.  PR 15423.  [Jeff Trawick]

  *) you can now specify the compression level for mod_deflate. 
     [Ian Holsman, Stephen Pierzchala <stephen pierzchala.com>, 
     Michael Schroepl <Michael.Schroepl telekurs.de>]

  *) mod_deflate: Extend the DeflateFilterNote directive to
     allow accurate logging of the filter's in- and outstream.
     [André Malo]

  *) Allow SSLMutex to select/use the full range of APR locking
     mechanisms available to it. Also, fix the bug that SSLMutex uses
     APR_LOCK_DEFAULT no matter what.  PR 8122  [Jim Jagielski,
     Martin Kutschker <martin.t.kutschker blackbox.net>]

  *) Restore the ability of htdigest.exe to create files that contain
     more than one user. PR 12910.  [André Malo]

  *) Improve bina