From release announcemenet:
After a lengthy QA process, PHP 4.3.4 is finally out!
This is a medium size maintenance release, with a fair number of bug fixes.
All users are encouraged to upgrade to 4.3.4.
Bugfix release
PHP 4.3.4 contains, among others, following important fixes, additions
and improvements:
* Fixed disk_total_space() and disk_free_space() under FreeBSD.
* Fixed FastCGI support on Win32.
* Fixed FastCGI being unable to bind to a specific IP.
* Fixed several bugs in mail() implementation on win32.
* Fixed crashes in a number of functions.
* Fixed compile failure on MacOSX 10.3 Panther.
* Over 60 various bug fixes!
For full list of changes in PHP 4.3.4, see ChangeLog:
http://www.php.net/ChangeLog-4.php#4.3.4
Major changes since 1.3.28:
Security vulnerabilities
* CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.
Bugs fixed
The following noteworthy bugs were found in Apache 1.3.28 (or earlier)
and have been fixed in Apache 1.3.29:
* Within ap_bclose(), ap_pclosesocket() is now called
* consistently
for sockets and ap_pclosef() for files. Also, closesocket()
is used consistenly to close socket fd's. The previous
confusion between socket and file fd's would cause problems
with some applications now that we proactively close fd's to
prevent leakage.
* Fixed mod_usertrack to not get false positive matches on the
user-tracking cookie's name.
* Prevent creation of subprocess Zombies when using CGI wrappers
such as suEXEC and cgiwrap.
Major changes since 2.8.15:
*) Upgraded to Apache 1.3.29
*) Avoid memory corruption in certificate handling caused by a heap
memory double-freeing situation.
*) Allow "HTTPS" variable to be passed through by suEXEC.
*) Clear the OpenSSL error code in pass phrase reading code to
workaround the following situation: multiple keys, all with
different passphrases -- entering the correct pass phrase at each
prompt leads to an OpenSSL error message after the last prompt.
*) Reverted the recent change where ap_cleanup_for_exec() called
ap_kill_alloc_shared(). This caused nasty side-effects in other
processes and is not necessary at all (because shared memory
segments are not inherited across exec).
*) mod_ssl was checking the OpenSSL error reason code against
SSL_R_HTTP_REQUEST and concluded the result is an SSL error. Since
OpenSSL reason codes are not unique, this isn't always the case.
It now additionally checks that the library is the SSL library.
Major changes since 1.3.28:
Security vulnerabilities
* CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.
Bugs fixed
The following noteworthy bugs were found in Apache 1.3.28 (or earlier)
and have been fixed in Apache 1.3.29:
* Within ap_bclose(), ap_pclosesocket() is now called
* consistently
for sockets and ap_pclosef() for files. Also, closesocket()
is used consistenly to close socket fd's. The previous
confusion between socket and file fd's would cause problems
with some applications now that we proactively close fd's to
prevent leakage.
* Fixed mod_usertrack to not get false positive matches on the
user-tracking cookie's name.
* Prevent creation of subprocess Zombies when using CGI wrappers
such as suEXEC and cgiwrap.
unfortunately.
Tidy now comes with a (static) library, thus a buildlink2.mk file is now
provided.
There's no need to set PRESERVE_FILE_TIMES in CFLAGS anymore, thus
PR pkg/20489 is fixed.
Changes with Apache 2.0.48
*) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
the AF_UNIX socket used to communicate with the cgid daemon and
the CGI script. [Jeff Trawick]
*) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
mod_rewrite which occurred if one configured a regular expression
with more than 9 captures. [André Malo]
*) mod_include: fix segfault which occured if the filename was not
set, for example, when processing some error conditions.
PR 23836. [Brian Akins <bakins@web.turner.com>, André Malo]
*) fix the config parser to support <Foo>..</Foo> containers (no
arguments in the opening tag) supported by httpd 1.3. Without
this change mod_perl 2.0's <Perl> sections are broken.
["Philippe M. Chiasson" <gozer@cpan.org>]
*) mod_cgid: fix a hash table corruption problem which could
result in the wrong script being cleaned up at the end of a
request. [Jeff Trawick]
*) Update httpd-*.conf to be clearer in describing the connection
between AddType and AddEncoding for defining the meaning of
compressed file extensions. [Roy Fielding]
*) mod_rewrite: Don't die silently when failing to open RewriteLogs.
PR 23416. [André Malo]
*) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
rewritten request using "proxy:". The code was adding multiple "proxy:"
fields in the rewritten URI. PR: 13946.
[Eider Oliveira <eider@bol.com.br>]
*) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
expires as directed in RFC 2616. [Thomas Castelle tcastelle@generali.fr]
*) Ensure that ssl-std.conf is generated at configure time, and switch
to using the expanded config variables to work the same as
httpd-std.conf PR: 19611
[Thom May]
*) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
[Hartmut Keil <Hartmut.Keil@adnovum.ch>]
*) mod_autoindex: If a directory contains a file listed in the
DirectoryIndex directive, the folder icon is no longer replaced
by the icon of that file. PR 9587.
[David Shane Holden <dpejesh@yahoo.com>]
*) Fixed mod_usertrack to not get false positive matches on the
user-tracking cookie's name. PR 16661.
[Manni Wood <manniwood@planet-save.com>]
*) mod_cache: Fix the cache code so that responses can be cached
if they have an Expires header but no Etag or Last-Modified
headers. PR 23130.
[bjorn@exoweb.net]
*) mod_log_config: Fix %b log format to write really "-" when 0 bytes
were sent (e.g. with 304 or 204 response codes). [Astrid Keßler]
*) Modify ap_get_client_block() to note if it has seen EOS.
[Justin Erenkrantz]
*) Fix a bug, where mod_deflate sometimes unconditionally compressed the
content if the Accept-Encoding header contained only other tokens than
"gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
*) Avoid an infinite recursion, which occured if the name of an included
config file or directory contained a wildcard character. PR 22194.
[André Malo]
*) mod_ssl: Fix a problem setting variables that represent the
client certificate chain. PR 21371 [Jeff Trawick]
*) Unix: Handle permissions settings for flock-based mutexes in
unixd_set_global|proc_mutex_perms(). Allow the functions to be
called for any type of mutex. PR 20312 [Jeff Trawick]
*) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
*) Fix a misleading message from the some of the threaded MPMs when
MaxClients has to be lowered due to the setting of ServerLimit.
[Jeff Trawick]
*) Lower the severity of the "listener thread didn't exit" message
to debug, as it is of interest only to developers. PR 9011
[Jeff Trawick]
*) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
[Cliff Woolley, Jean-Jacques Clar]
*) Install config.nice into the build/ directory to make
minor version upgrades easier. [Joshua Slive]
*) Fix mod_deflate so that it does not call deflate() without checking
first whether it has something to deflate. (Currently this causes
deflate to generate a fatal error according to the zlib spec.)
PR 22259. [Stas Bekman]
*) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an
identity spoof is encountered.
[Sander Striker]
*) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
containing the .htaccess file is requested without a trailing slash.
PR 20195. [André Malo]
*) ab: Overlong credentials given via command line no longer clobber
the buffer. [André Malo]
*) mod_deflate: Don't attempt to hold all of the response until we're
done. [Justin Erenkrantz]
*) Assure that we block properly when reading input bodies with SSL.
PR 19242. [David Deaves <David.Deaves@dd.id.au>, William Rowe]
*) Update mime.types to include latest IANA and W3C types. [Roy Fielding]
*) mod_ext_filter: Set additional environment variables for use by
the external filter. PR 20944. [Andrew Ho, Jeff Trawick]
*) Fix buildconf errors when libtool version changes. [Jeff Trawick]
*) Remember an authenticated user during internal redirects if the
redirection target is not access protected and pass it
to scripts using the REDIRECT_REMOTE_USER environment variable.
PR 10678, 11602. [André Malo]
*) mod_include: Fix a trio of bugs that would cause various unusual
sequences of parsed bytes to omit portions of the output stream.
PR 21095. [Ron Park <ronald.park@cnet.com>, André Malo, Cliff Woolley]
*) Update the header token parsing code to allow LWS between the
token word and the ':' seperator. [PR 16520]
[Kris Verbeeck <kris.verbeeck@advalvas.be>, Nicel KM <mnicel@yahoo.com>]
*) Eliminate creation of a temporary table in ap_get_mime_headers_core()
[Joe Schaefer <joe+gmane@sunstarsys.com>]
*) Added FreeBSD directory layout. PR 21100.
[Sander Holthaus <info@orangexl.com>, André Malo]
*) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
response. PR 21085. [Glenn Nielsen <glenn@apache.org>, André Malo]
*) mod_rewrite: Perform child initialization on the rewrite log lock.
This fixes a log corruption issue when flock-based serialization
is used (e.g., FreeBSD). [Jeff Trawick]
*) Don't respect the Server header field as set by modules and CGIs.
As with 1.3, for proxy requests any such field is from the origin
server; otherwise it will have our server info as controlled by
the ServerTokens directive. [Jeff Trawick]
New in version 2.24:
* Added a bunch of MIME types.
* Fix minor problem with returning unknown protocol on some errors.
* Changed the config-file option for diabling symlink checking from "nosymlink" to "nosymlinkcheck" to make its function clearer.
* Allow blank lines in the config file.
* Handle more than one SIGHUP and SIGUSR2 (Cameron Gregory).
* Slight change to handle_newconnect() to better deal with unexpected errors from accept(), such as running out of file descriptors (Alex Keahan).
* Added optional minimum rate to throttles.
* Stats syslog messages downgraded from LOG_NOTICE to LOG_INFO.
* Use unsigned short consistently for port number.
* Prohibit slashes in the Host: header (Marcus Breiing).
* Added a -dd data_dir flag and corresponding config-file option.
* Got rid of the old timer-based zombie process reaper, replacing it with a SIGCHLD handler.
* Changed the idle connection checking from using a separate timer for each connection to using a single timer that checks all active connections.
* Correction to missing-slash directory redirect with query string.
* Added a watchdog alarm handler that forces a core dump if thttpd stops running its timers for too long.
* Don't send Content-Length header on 304 Not Modified responses.
* Allow user-agent log entries to be up to 200 characters long, instead only of 80.
* Fixed buffer overflow bug in defang().
* Re-arranged the order of calling de_dotdot() so that it doesn't get applied to query strings.
* Some fixes for the syslogtocern script (paul fox).
* Changed configure script to use "gcc -dumpversion" instead of "gcc --version" (Ed Goforth).
* Changed most uses of \r and \n to \015 and \012 (Jens Bauer).
* In ssi.c, lack of PATH_INFO is now non-fatal (David Phillips).
* Some improvements to fdwatch (David Burgess).
o fixes for basic authorisation. from <ecu@ipv42.net>
o always display file size in directory index mode
o add .xbel, .xml & .xsl -> text/xml mappings. from
<wiz@danbala.ifoer.tuwien.ac.at>
o fixes for basic authorisation. from <ecu@ipv42.net>
o always display file size in directory index mode
o add .xbel, .xml & .xsl -> text/xml mappings. from
<wiz@danbala.ifoer.tuwien.ac.at>
Fixed memory leak with Content-Type at http.c:37
Workaround broken cfmakeraw on AIX
Users can enter own shell command for executing external programs.
Commands in X are executed in xterm, not on console.
Do not send Range on refresh
More information on image files in Info menu.
Allow opening of a link in a new window (target="_blank").
Serbian translation
Added "id" attribute to the <img> tag.
Serbian Cyrillic letters
Updated Hungarian translation
Table frame and rules when no border attribute present
Fixed spelling errors found by Francois Gouget's program
Fixed crash in frames introduced in Tue Jun 17 23:15:46 MET DST 2003
Add slash after URLs like ftp://host:1234
Anchors allowed in frame locations
No char with code 13 when pasting in OS/2
Aggressive cache is in cache dialog, not in HTTP bugs dialog
302 redirects are not cached
Fixed redirect left after reloading cached document
Do not send "Range" when cache expires
Fixed some languages (removed name ELinks)
Updated Russian localization
Fixed \001 in bookmarks and window title when title contained 0xa0
Fixed bug that can't happen in select_mainmenu
Fixed numbers on links not consistent with internal order. Still not
perfect but better than it used to be.
structures and rendered documents together, and deduce
templates that could have performed the transformation.
It is a companion to Template and Template::Extract; their
relationship is shown below:
Template: ($template + $data) ==> $document # normal
Template::Extract: ($document + $template) ==> $data # tricky
Template::Generate: ($data + $document) ==> $template # very tricky
This module is considered experimental.
template extraction functionality. It can take a rendered document
and its template together, and get the original data structure
back, effectively reversing the "process" function.
This module is considered experimental. If you just wish to extract
RSS-type information out of a HTML document, WWW::SherlockSearch
may be a more robust solution.
Version 2.10 provides a few trivial new features and applies fixes to
some small bugs. For example, you can now use IN instead of = in a
loop, e.g. FOREACH item IN list. The WRAPPER configuration option is
new, and Template::Context and Template::Stash now both implement
define_vmethod() methods which make it easier to define new virtual
methods.
Version 2.09 contained mostly bug fixes and minor enhancements.
Version 2.08 added compile time constant folding which can result in a
significant performance boost when processing templates. It also
offered several other minor enhancements and bug fixes.
curses.buildlink2.mk. This was wrong because we _really_ do want to
express that we want _n_curses when we include the buildlink2.mk file.
We should have a better way to say that the NetBSD curses doesn't
quite work well enough. In fact, it's far better to depend on ncurses
by default, and exceptionally note when it's okay to use NetBSD curses
for specific packages. We will look into this again in the future.
