Commit graph

1132 commits

Author SHA1 Message Date
hubertf
61d744da8d Enable IPv6 - see the dancing Kame! 2000-12-19 13:58:16 +00:00
jlam
aa21263716 Add build dependency on perl, needed for apxs. 2000-12-19 07:49:41 +00:00
kim
29e535883b Highlights from the upgrade to tidy-20000804:
- fixed script element handling in framesets
- detect repeated attributes e.g. in tables
- supports Gnu Emacs error parsing
- Word 2000 cleanup
- HTML syntax fixes
2000-12-18 20:20:10 +00:00
jlam
714d2c98a1 Make this default file more useful with regard to accepting URIs to
CGI programs.  Also add a comment about syntax of this file.
2000-12-18 00:16:26 +00:00
jlam
2241a81cb3 Honor CFLAGS passed in from environment during build. Improve the INSTALL
script and add a DEINSTALL script in handling the config file.
2000-12-17 22:21:44 +00:00
jlam
9c8a02f29b Make this package look more like php3 by installing a php binary for use as
a CGI executable for HTTP servers without a SAPI module.
2000-12-17 21:33:55 +00:00
jlam
d4d1b7c68c Remove from lang category 2000-12-17 21:04:20 +00:00
jlam
302522ff27 Add and enable php4-imap. 2000-12-17 19:56:31 +00:00
jlam
c80e17dfec php4-imap: PHP4 extension module for IMAP server access 2000-12-17 19:01:29 +00:00
jlam
1f3aa491dd Use the installed c-client linkage.c to determine which drivers and
authenticators are linked into the imap extension module.
2000-12-17 18:59:44 +00:00
jlam
ff3652914c Patch to find imap-uw libraries and headers in correct location. 2000-12-17 17:18:49 +00:00
jlam
be0250fb02 Add 'www' to common CATEGORIES.
Patches to find imap-uw headers and libraries in correct location.
2000-12-17 17:18:01 +00:00
tron
9e9715af35 Depend on SuSE 6.3 or newer instead of 6.3 only. 2000-12-17 14:32:33 +00:00
enami
b10718e2c9 Regen. 2000-12-17 14:29:09 +00:00
tron
16f3f6a508 Add dependences on "suse_compat" package required after update to SuSE 6.4. 2000-12-17 13:21:55 +00:00
tron
c652d35f64 Version 6.4 of the "suse_libpng" package is enough to run "opera". 2000-12-17 13:21:19 +00:00
jlam
8ae1eb5dad Add and enable php4, php4-gd, and php4-pgsql. 2000-12-17 09:27:24 +00:00
jlam
d833c7ea56 Update ap-php4 to 4.0.3pl1nb1. Changes from version 4.0.3pl1:
* Move most of Makefile logic into ../php4/Makefile.common.
* Move patches and files into ../php4.
* Depend on php-4.0.3pl1.

The version number bump was necessary as php4 conflicts with the old
ap-php4-4.0.3pl1 package.
2000-12-17 09:26:08 +00:00
tron
19b7a00e70 Add missing dependence on the SuSE base package. 2000-12-17 09:26:03 +00:00
jlam
862497bcf5 php4-pgsql: PHP4 extension module for PostgreSQL database access 2000-12-17 09:21:20 +00:00
jlam
4894c4450f php4-gd: PHP4 extension module to the GD graphics library 2000-12-17 09:20:32 +00:00
jlam
016127de8f Create a php4 package upon which both HTTP/PHP4 servers and PHP4 extension
modules depend.  Move most of the guts of the ap-php4 package into this
one.
2000-12-17 09:19:32 +00:00
abs
6630f65fe0 Put back a.out toolchain workaround - when the toolchain fix has been pulled
up configure should conditionalise the workaround on a broken ld.
2000-12-16 14:22:08 +00:00
martin
3b01cb008a Back out patch-ab revision 1.12 again.
Charles fixed the a.out toolchain bug (in ld) that caused the problems this
change tried to work around. Update your toolchain if it breaks for you.
(Pullup of the toolchain changes to 1.4 and 1.5 has already been requested.)
2000-12-16 09:45:57 +00:00
hubertf
32e7505da2 Make this fit our rc.d start/stop scheme 2000-12-16 09:45:44 +00:00
hubertf
13ba66975d Create localstatedir etc. 2000-12-16 09:45:18 +00:00
martin
09dbfcdd9c Regen 2000-12-15 08:25:30 +00:00
martin
ff408e614d Ouch, accidentally removed r1.12 with last commit - back that part out,
sorry.
2000-12-15 08:23:46 +00:00
martin
daafe24eed Updated to Mozilla-0.6, work done by Taya; some minor cleanup (removing
bogus patches). Changes are numerous, see the homepage for details.
2000-12-15 07:16:21 +00:00
abs
6609447e92 Fix build on a.out - for a.out only disable
    MKSHLIB_FORCE_ALL='-Wl,--whole-archive' and
    MKSHLIB_UNFORCE_ALL='-Wl,--no-whole-archive'
The a.out toolchain ignores --no-whole-archive, and linking mozilla-bin
attempts to an ill fated
    "collect2 ... --whole-archive ... --no-whole-archive ... -lgcc ... -lgcc"
Analysis by Richard Earnshaw in PR/11703
2000-12-14 18:18:50 +00:00
kleink
5f073ab9aa Update ap-auth-ldap to 1.5.2; changelog excerpt below.
Changes Between Major Revisions

  Changes from 1.4 to 1.6

     * All changes and bugfixes in the 1.4 releases.
     * Completely rewrote the LDAP caching algorithms (see the
       documentation on caching for more information). Here are the
       highlights of the changes:
          + All cache sizes are measured in terms of cache entries.
            Warning!! This affects the AuthLDAPCacheSize directive!! In
            version 1.4 and before, this directive specified the size in
            megabytes. Now, it specifies the size in cache entries. If
            you currently have this directive in a config file, it is
            probably set way too high, and will use a significant amount
            of server memory.
          + Deprecated the AuthLDAPCacheCompareOps directive. Apache will
            still accept the directive, but it has no effect, other than
            to generate a warning in the Apache logs.
          + The cache no longer grows without bounds. For servers with a
            very active cache, this should make a big difference with
            memory usage.
          + No longer use the cache management routines from the LDAP
            SDK. All LDAP operations are now cached, using a cache that's
            specially designed for auth_ldap's authentication methods.
          + If Apache has been compiled with MM support and auth_ldap has
            been compiled with -DWITH_SHARED_LDAP_CACHE then the cache is
            shared across all server instances.
          + Added a content handler that can be used to display the cache
            statistics. To use it, add the following directives:
<Location /server/auth-ldap-info>
  SetHandler auth-ldap-info
</Location>
     * Added support for a require dn directive, and a
       AuthLDAPCompareDNOnServer directive. See the documentation for
       more information.
     * auth_ldap now allows the user to specify any attribute when
       checking for group membership, by using the AuthLDAPGroupAttribute
       directive. If this directive is not specified, the default
       continues to be member and uniqueMember. Patch courtesy of
       Graham Leggett.
     * Added another directive, AuthLDAPGroupAttributeIsDN, which says
       whether to use the DN that was retrieved from the LDAP search, or
       to use the username passed by the client when doing group
       authorization. This directive, in conjunction with the previous
       one, allows us to use things like posixGroups for checks:
AuthLDAPGroupAttribute memberuid
AuthLDAPGroupAttributeIsDN off
     * Ensure that auth_ldap will follow referrals under
       OpenLDAP. This behavior was turned off in previous versions.
     * Allow auth_ldap to dereference aliases, using the new
       AuthLDAPDereferenceAliases directive. By default, this directive
       is set to always.
     * Now use ldap_init() when using OpenLDAP. Unless your OpenLDAP is
       really old, this probably won't affect you.
2000-12-14 12:27:51 +00:00
hubertf
bea616fd4a add some mirrors, and pull in suse_libpng 2000-12-13 21:07:27 +00:00
jdolecek
b258ae212a fix the dependency on suse_libpng 2000-12-13 21:06:03 +00:00
jdolecek
439b26aa8f Update opera to 4.0b4
PNG is now supported, asynchronous DNS is claimed to be more stable,
couple of SSL crashes were fixed; otherwise the changes are primarily
UI fixes.
However, Asynchronous DNS seems to ignore stuff in /etc/hosts now.
2000-12-13 21:04:32 +00:00
taca
70e636c13d - Add a patch from http://www.squid-cache.org/Versions/v2/2.3/bugs/ for
fixing "CARP assertion on sum of load factors" bug.
- Update package name to squid-2.3s4nb3.
2000-12-13 16:03:39 +00:00
jwise
a024161d9c Update jakarta-tomcat to 3.1.1. This is a security fix release, and the
vulnerabilities file will be updated.

Changes from jakarta-tomcat-3.1:

===============================================================================
6.  SECURITY VULNERABILITIES FIXED IN TOMCAT 3.1.1


6.1 Administrative Application Enabled By Default

The administrative application (at context path "/admin") was enabled by
default in Tomcat 3.1, which allowed unauthenticated remote users to add and
remove applications from a running Tomcat 3.1 installation if it was left
installed.

To avoid such problems, the administrative application has been removed from
the binary distribution of Tomcat 3.1.1.  It can be installed if desired by:
- Downloading the source distribution of Tomcat 3.1.1.
- Modifying the "build.xml" file to remove the commenting around the
  logic that creates the administrative application.
- Running the build.sh or build.bat script.


6.2 Case Sensitive Matches on Static Resources

In Tomcat 3.1, matches against the filenames of static resources were done in a
case insensitive manner on case insensitive platforms (such as Microsoft
Windows).  This can cause sensitive information to be exposed to remote users
who experiment with differently cased request URIs.

To avoid such problems, Tomcat 3.1.1 performs filename comparisons for static
resources in a case sensitive manner, even on Windows.  This means that your
hyperlinks must specify the correct case, or a 404 error will be returned.

Because this can cause significant conversion problems for existing
applications deployed on Tomcat 3.1, a configuration option is provided to
temporarily turn off case sensitive matching.  Edit the file "conf/web.xml"
and modify the value for the "caseSensitive" initialization parameter to the
default file-serving servlet.

WARNING:  CHANGING THIS SETTING WILL RE-INTRODUCE THE SECURITY VULNERABILITY
PRESENT IN TOMCAT 3.1 -- IT IS *STRONGLY* RECOMMENDED THAT YOU CORRECT YOUR
URLS TO MATCH CORRECTLY INSTEAD OF USING THIS OPTION.  Note:  All later
versions of Tomcat perform filename matches in a case sensitive manner.


6.3 Snoop Servlet Mappings in Example Application

In the deployment descriptor for the example application delivered with
Tomcat 3.1, a "snoop" servlet was mapped to URL patterns "/snoop" and
"*.snp".  These mappings (in particular the second one) could cause exposure
of sensitive information on the internal organization of your web application
(for example, when a non-existent page "foo.snp" is requested).

To avoid these problems, the offending mappings have been commented out.


6.4 Show Source Vulnerability

The example application delivered with Tomcat 3.1 included a mechanism to
display the source code for the JSP page examples.  This mechanism could
be used to bypass the restrictions on displaying sensitive information in
the WEB-INF and META-INF directories.  This vulnerability has been removed.


6.5 Requesting Unknown JSP Pages

In Tomcat 3.1, the error message in response to a request for an unknown JSP
page would include the absolute disk file pathname of the corresponding file
which could not be found, which exposes sensitive information about how your
application is deployed.  The error message has been adjusted to include only
the context-relative path of the JSP page which could not be found.


6.6 Session ID Vulnerability

The algorithm used to calculate session identifiers for new sessions was
subject to attack by attempting to guess what the next session identifier will
be, and therefore hijack the session.  In addition, the generated identifier
exposed sensitive information (the number of sessions that have been created
since this web application was started).

To avoid these problems, the session identifier generation algorithm has been
replaced by the algorithm used in Tomcat 3.2, which is not subject to these
attacks, and does not expose session count information.


6.7 Server Shutdown Vulnerability

In Tomcat 3.1, it was possible to establish a remote network connection to the
AJP12 connector and cause Tomcat to shut itself down.  Now, this network
connection must be created from the same server that Tomcat is running on.

NOTE:  While this is more secure than Tomcat 3.1 (and mirrors the protection
provided by Tomcat 3.2), it is still vulnerable to attack by users who can
create socket connections from the server.  Suitable use of firewalls and
"TCP Wrappers" applications are suggested around the AJP12 port.
2000-12-13 03:49:30 +00:00
wiz
a32b3a5655 Unify Makefiles -- mostly headers: remove FreeBSD Ids.
Consistent 4 character indentation of SUBDIR entries.
2000-12-12 01:30:36 +00:00
jlam
b8de91e261 Introduce APACHE_USER: the user allowed to execute the suexec wrapper
if apache was built with APACHE_SUEXEC == YES.
2000-12-11 00:03:07 +00:00
wiz
38400cc75f Update to 4.0.3pl1, inspired by Jared D. McNeill's pkg/11665. 2000-12-08 13:16:13 +00:00
jlam
d86eaea283 Correct a typo (pksrc --> pkgsrc). 2000-12-07 21:16:09 +00:00
jtb
fade4ac464 Add and enable "haskell-cgi". 2000-12-06 22:09:24 +00:00
jtb
da1898a4e2 Initial import of new "haskell-cgi" package:
CGI module for the Hugs Haskell 98 interpreter
2000-12-06 22:05:56 +00:00
jlam
3e27aea52c Make the DEINSTALL/INSTALL script logic to handle configuration files
match the one for security/sudo.
2000-12-06 07:55:14 +00:00
tv
a839e766ae Add p5-HTML-Format. 2000-12-04 02:24:03 +00:00
tv
54e2a6792f A perl formatter for outputting to other formats of text. 2000-12-04 02:19:12 +00:00
tv
3a8ba3540e Update to 3.08 (2.04 no longer on CPAN) 2000-12-04 01:58:18 +00:00
tv
8c17823049 Update to 3.03 (3.02 is not even in CPAN anymore). 2000-12-04 01:52:54 +00:00
fredb
964806d26f Regen. 2000-12-01 16:29:38 +00:00
fredb
29e74e24cb Make that <machine/endian.h>, so this works on 1.4.x systems,
too. Closes PR pkg/11621.
2000-12-01 16:22:54 +00:00
jtb
1be0837d82 Add and enable "w3". Fixes PR pkg/11387 by Jason Beegan. 2000-12-01 06:22:11 +00:00