--- from apache/Announcements
Apache 1.3.19 Major changes
The primary security fix is:
* The default installation could lead mod_negotiation and mod_dir or
mod_autoindex to display a directory listing instead of the
multiview'ed index.html.* files, if a very long path was created
artificially by using many slashes. Now 403 FORBIDDEN is returned.
The bug fixes are:
* The ServerRoot directive now removes trailing slashes.
* Restore functionality broken by the mod_rewrite security fix:
The mod_rewrite string arithmetic is corrected for rewrite map.
* Some possible segfault conditions have been fixed.
* Under certain circumstances, Apache did not supply the
right response headers when requiring authentication.
The main new features include:
* New configuration error reporting if the UserDir argument is set
to a relative path on Win32 or Netware [which do not support home
directories], or a relative path on any platform if that path
includes the '*' username substitution.
Selected new features that relate to Windows platforms:
* Apache on Win9x now ensures the service is stopped before removal.
* Test httpd.conf (-t) now holds the console open on "SYNTAX OK".
* Apache/Win32 no longer holds open the console on error unless
it was invoked from a shortcut with the -w option.
* mod_user was significantly refactored to assure that the UserDir
directive is parsed effectively the same across platforms, fixing
a UserDir bug introduced in 1.3.17 on the Win32 platform.
Selected new features relating to other platforms:
* Netware problems with file extension truncatation are resolved.
* Netware recognizes the SERVER/VOLUME:/PATH/FILE filename pattern.
* Netware mod_tls properly disables nagle for SSL connections,
and properly negotiates SSL based on the port.
* Startup and Shutdown issues were addressed on TPF.
when incoming IPv4 connections are captured by AF_INET6 socket (IPv4 mapped
address). not really matter for normal NetBSD installation.
I beileve IPv4 mapped address is very bad from security/access control POV.
really.
This is provided as separate package because:
# This package does not compile in mod_ssl support hooks, as it conflicts
# with IPv6 enable patch.
# IPv6 enable patch conflicts with third-party modules anyway, due to
# sanity fixes in apache module API (for example, avoid u_long for IPv4 addrs)
