- SECURITY: CAN-2003-0460 (cve.mitre.org)
Fix the rotatelogs support program on Win32 and OS/2 to ignore
special control characters received over the pipe. Previously
such characters could cause it to quit logging and exit.
[André Malo]
- Prevent the server from crashing when entering infinite loops. The
new LimitInternalRecursion directive configures limits of subsequent
internal redirects and nested subrequests, after which the request
will be aborted. PR 19753 (and probably others).
[William Rowe, Jeff Trawick, Jim Jagielski, André Malo]
- Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
response. PR 21085. [Glenn Nielsen <glenn@apache.org>, André Malo]
- Removed BIND_NOSTART from HP/UX shl_load() logic for loadable
Apache modules, so that statics are initialized when the module
is loaded (especially critical for c++ modules on HPUX.)
[William Rowe, Noah Arliss <narliss@netegrity.com>]
- Win32 build system changes; always recompile buildmark.c (used for
Apache -v 'server built' messages) even when Apache is built from
within the IDE; build test_char.h and uri_delims.h from within the
ApacheCore.dsp project. PR 12706. [William Rowe]
- Introduce Win32 .pdb diagnostic symbols into the Apache 1.3 build
(as created in Apache 2.0.45 and later.) Makes debugging and
analysis of crash dumps and Dr. Watson logs trivial. Requires the
Win32 binary builder to set aside the exact .pdb files that match
the released binaries (.exe/.so files) for reference by users and
developers. [William Rowe]
- Make sure the accept mutex is released before calling child exit
hooks and cleanups. Otherwise, modules can segfault in such code
and, with pthread mutexes, leave the server deadlocked. Even if
the module doesn't segfault, if it performs extensive processing
it can temporarily prevent the server from accepting new
connections. [Jeff Trawick]
- Fix mod_rewrite's handling of absolute URIs. The escaping routines
now work scheme dependent and the query string will only be
appended if supported by the particular scheme. [André Malo]
- Use appropriate language codes for Czech (cs) and Traditional Chinese
(zh-tw) in default config files. PR 9427. [André Malo]
- Don't block synchronous signals (e.g., SIGSEGV) while waiting for
and holding a pthread accept mutex. [Jeff Trawick]
- AIX: Change the default accept mechanism from pthread back to
fcntl. Idle child cleanup doesn't work when the child selected
for termination by the parent is waiting on a pthread mutex, and
because the AIX kernel's notion of hot process is apparently the
same as Apache's, it is common for the Apache parent to continually
select a child for termination that the kernel will leave waiting
on the mutex for extended periods of time. There are other
concerns with pthread mutexes as well, such as the ability to
deadlock the server if a child process segfaults while holding the
mutex. [Jeff Trawick]
- Fix a pair of potential buffer overflows in htdigest
[Martin Schulze <joey@infodrom.org>, Thom May]
- A newly created child now has a start_time of 0, to prevent
mod_status from displaying a bogus value for the "time to
process most recent request" column for freshly-started children
in a previously-used scoreboard slot. [Martin Kraemer]
- When using Redirect in directory context, append requested query
string if there's no one supplied by configuration. PR 10961.
[André Malo]
- Fix path handling of mod_rewrite, especially on non-unix systems.
There was some confusion between local paths and URL paths.
PR 12902. [André Malo]
- backport from 2.x series: Prevent endless loops of internal redirects
in mod_rewrite by aborting after exceeding a limit of internal redirects.
The limit defaults to 10 and can be changed using the RewriteOptions
directive. PR 17462. [André Malo]
- Use the correct locations of srm.conf and access.conf when tailoring
the httpd.conf during the install process. PR 9446.
[Stanislav Brabec <utx@penguin.cz>]
- suexec: Be more pedantic when cleaning environment. Clean it
immediately after startup. PR 2790, 10449.
[Jeff Stewart <jws@purdue.edu>, André Malo]
- Fix apxs to insert LoadModule/AddModule directives only outside of
sections. PR 8712, 9012. [André Malo]
- Fix suexec compile error under SUNOS4, where strerror() doesn't
exist. PR 5913, 9977.
[Jonathan W Miner <Jonathan.W.Miner@lmco.com>]
- Unix build: Add support for environment variable
EXTRA_LDFLAGS_SHLIB, which allows the user to add to the hard-coded
ld flags specified for DSOs. Compare with the existing LDFLAGS_SHLIB
environment variable, which allows the user to completely replace the
hard-coded ld flags specified for DSOs. [Jeff Trawick]
- mod_auth_digest no longer tries to guess AuthDigestDomain, if it's
not specified. Now it assumes "/" as already documented. PR 16937.
[André Malo]
- In configure always assume suexec-umask to be an octal value by
prepending a "0". PR 16984. [André Malo]
- Fix typo in suexec -V output. PR 9034.
[Youichirou Koga <y-koga@apache.or.jp>]
- Fix bug where 'Satisfy Any' without an AuthType resulted in an
"Internal Server Error" response. PR 9076. [André Malo]
- mod_rewrite: Allow "RewriteEngine Off" even if no
"Options FollowSymlinks" (or SymlinksIfOwnermatch) is set.
PR 12395. [André Malo]
- Change the log messages for setsockopt(TCP_NODELAY) and
getsockname() failures to log the client IP address and to
change the log level to debug. [Jeff Trawick]
- Correction to mod_negotation for Win32, OS2, Netware etc, where
case insensitive requests such as the HEADER or README search
from autoindex would fail to match HEADER.html (because the
system internally looked for the case-sensitive header.* pattern.)
PR 7300 [William Rowe]
- Correction to mod_autoindex so that only text/* files (prefering
/html, then /plain, then some other flavor) can be recovered
from a multiview-based HEADER or README subrequest.
[William Rowe]
- Improvements to mod_usertrack that allows for a regular (verbose)
as well as "compact" version of the tracking cookie (the new
'CookieFormat' directive), and the ability to prepend a string
to the cookie via the 'CookiePrefix' directive.
[Pål Løberg <pallo@initio.no>, with cleanup by Jim Jagielski]
- Certain 3rd party modules would bypass the Apache API and not
invoke ap_cleanup_for_exec() before creating sub-processes.
To such a child process, Apache's file descriptors (lock
fd's, log files, sockets) were accessible, allowing them
direct access to Apache log file etc. Where the OS allows,
we now add proactive close functions to prevent these file
descriptors from leaking to the child processes.
[Jim Jagielski, Martin Kraemer]
- Prevent obscenely large values of precision in ap_vformatter
from clobbering a buffer. [Sander Striker, Jim Jagielski]
- NetWare: implemented ap_os_default_port() to resolve the
correct default port based on the request method. This fixes
a URL reconstruction problem on a redirect.
[Pavel Novy (novy@feld.cvut.cz)]
- Added new ap_register_cleanup_ex() API function which allows
for a "magic" cleanup function to be run at register time
rather than at cleanup time. Also added the
ap_note_cleanups_for_(socket|fd|file)_ex() API functions
which allows for control over whether that magic cleanup
should be called or not. This does not change the default
behavior of the non-"ex" function (eg: ap_register_cleanup).
[Jim Jagielski, concept by Ben Laurie]
- PORT: Take advantage of OpenBSD's arc4random() function for the
initial secret [Henning Brauer <hb-apache-dev at bsws.de>]
- If Listen directive is not a port, but just an IP, emit an
error condition as this case is ambiguous.
[Rich Bowen, Justin Erenkrantz, Cliff Woolley]
- Update timeout algorithm in free_proc_chain. If a subprocess
did not exit immediately, the thread would sleep for 3 seconds
before checking the subprocess exit status again. In a very
common case when the subprocess was an HTTP server CGI script,
the CGI script actually exited a fraction of a second into the 3
second sleep, which effectively limited the server to serving one
CGI request every 3 seconds across a persistent connection.
PRs 6961, 8664 [Bill Stoddard]
- mod_setenvif: Add SERVER_ADDR special keyword to allow
envariable setting according to the server IP address
which received the request. [Ken Coar]
- PORT: Enable SINGLE_LISTEN_UNSERIALIZED_ACCEPT for AIX 4.3.2
and above. Update AIX configure logic to allow higher AIX
release numbers without having to change Apache.
[Jeff Trawick]
discovered in version 1.3.26 including these security fixes:
- SECURITY: CAN-2002-0840 (cve.mitre.org)
Prevent a cross-site scripting vulnerability in the default
error page. The issue could only be exploited if the directive
UseCanonicalName is set to Off and a server is being run at
a domain that allows wildcard DNS. [Matthew Murphy]
- SECURITY CAN-2002-0843 (cve.mitre.org)
Fix some possible overflows in ab.c that could be exploited by
a malicious server. Reported by David Wagner. [Jim Jagielski]
- SECURITY CAN-2002-0839 (cve.mitre.org)
Add the new directive 'ShmemUIDisUser'. By default, Apache
will no longer set the uid/gid of SysV shared memory scoreboard
to User/Group, and it will therefore stay the uid/gid of
the parent Apache process. This is actually the way it should
be, however, some implementations may still require this, which
can be enabled by 'ShmemUIDisUser On'. Reported by iDefense.
[Jim Jagielski]
buildlink2.mk files back into the main trunk. This provides sufficient
buildlink2 infrastructure to start merging other packages from the
buildlink2 branch that have already been converted to use the buildlink2
framework.
bump PKGREVISION.
Changes with mod_ssl 2.8.10 (19-Jun-2002 to 24-Jun-2002)
*) Fixed off-by-one buffer overflow bug in the compatibility
functionality (mapping of old directives to new ones).
*) Fixed memory leak in processing of CA certificates.
*) In case there is actually a certificate chain in the session cache,
we now use the value of SSL_get_peer_certificate(ssl) to verify as
it will have been removed from the chain before it was put in the
cache.
*) Seed the PRNG with a maximum of 1K from the internal scoreboard.
Custom mod_ssl eapi patch used for now, since update of mod_ssl for 1.3.26
isn't available yet.
This fixes the CAN-2002-0392 (mitre.org) [CERT VU#944335] security
issue. For full list of changes, see
http://www.apache.org/dist/httpd/CHANGES_1.3
Relevant changes from version 1.3.23 include:
* Prevent invalid client hostnames from appearing in the log file.
* Various mod_proxy improvements, such as the new ProxyIOBufferSize
directive.
* The new ''IgnoreCase' keyword to the IndexOptions directive.
* mod_rewrite's 'rnd' was broken and has been fixed.
* The '-S' option of 'apxs' was not able to handle quotes; also 'apxs'
is now rebuilt when options are changed.
* proxy now correctly handles Cookies and X-Cache headers.
* Fixed a problem in TPF when we were using the wrong subpool when
opening the error log.
* pthread accept() mutexes on Solaris were broken (since we were
not linking against pthread)
the EAPI patches from modssl-2.8.7-1.3.23. Also, link against the MM
Shared Memory library (devel/libmm) to provide shared memory support in
Apache/EAPI. For example, this allows mod_ssl to use a high-performance
RAM-based session cache instead of a disk-based one.
The main new features in 1.3.23 (compared to 1.3.22) are:
* HTTP/1.1 support for mod_proxy.
* Other mod_proxy improvements.
* The new 'FileETag' directive to allow one to build the
format of the ETag via runtime directives.
* Addition of a 'filter callback' function to enable modules to
intercept the output byte stream for dynamic page caching.
The following bugs were found in Apache 1.3.22 and have been fixed in
Apache 1.3.23:
* Fix incorrect "Content-Length" header in the 416 response.
* Revert mod_negotation's handling of path_info and query_args
to the 1.3.20 behavior (PRs: 8628, 8582, 8538).
* Prevent an Apache module from being loaded or added twice due
to duplicate LoadModule or AddModule directives.
from source instead of installing from a binary package (problem noted in
private email by George Coulouris <george@coulouris.org>. Also move the
ownership of SSL-related config directories to the www/ap-ssl package.
apxs are now installed with "${INSTALL} -c -o ${LIBOWN} -g ${LIBGRP}",
which should do the right thing regardless of the platform. ${INSTALL} is
replaced with the full path to the install program used by pkgsrc, which
should be /usr/bin/install on NetBSD, and /usr/ucb/install on Solaris.
This should fix pkg/14232 by Pierre Bourgin.
using the pkgsrc expat library instead of the builtin one (this is to
avoid conflicts between expat libraries when an expat XML parser is loaded
by either mod_perl or mod_php), and:
Security vulnerabilities
* A vulnerability was found in the split-logfile support program. A
request with a specially crafted Host: header could allow any file
with a .log extension on the system to be written to.
* A vulnerability was found when Multiviews are used to negotiate
the directory index. In some configurations, requesting a URI with
a QUERY_STRING of M=D could return a directory listing rather than
the expected index page.
General bug fixes and improvements
* Bug fixes
* The supplied icons are now also distributed in PNG format
* New directives have been added to the mod_usertrack module, The
first, CookieDomain, can be used to customise the Domain
attribute.
* A new directive, AcceptMutex, allows run-time configuration of the
mutex type used for accept serialization.
* mod_auth has been enhanced to allow access to a document to be
controlled based on the owner of the file being served.
* A new directive, AcceptFilter, has been added to control BSD
accept filters at run-time. The functionality can postpone the
requirement for a child process to handle a new connection until
an HTTP request has arrived, therefore increasing the number of
connections that a given number of child processes can handle
On NetBSD, we need to link libgcc.a whole-archive so that certain symbols
from the C++ implementation (__get_eh_context, etc.) referenced by DSOs
written in C++ will resolve correctly. This makes php4-sablot work with
mod_php4.so (from ap-php4) on ELF platforms when loaded by Apache's httpd.
NetBSD Packages Collection (pkgsrc) changes:
* Modify French page in same way as the English page. Translation
provided by Remi Zara <remi_zara@mac.com> in private e-mail.
* Use EAPI patches from mod_ssl-2.8.4-1.3.20.
* Unify repeated SED replacement info for config.layout, apache.sh,
DEINSTALL, and INSTALL into one location, FILES_SUBST.
* Modify patch to apxs to use 0:0 instead of root:wheel, as some
non-NetBSD systems don't have a wheel group.
The general bug fixes:
* Eliminate a potential segfault if an invalid floating point value
is passed to the ap_snprintf() function, on platforms supporting
isnan() and isinf().
* Fix a possible segfault at startup in the detection of a default
ServerName or IP string when no ServerName was specified.
* Fixed mod_proxy to retain empty headers, as allowed by RFC2068.
* Properly resolve the location of ndbm on Linux and some glibc2
builds, where ndbm.h is in the nonstandard db1/ subdir.
The main new features include:
* Enhanced rotatelogs to allow a UTC offset to be specified, and
the format logfile names with human-readable date/time stamps.
* Added the NOESCAPE (NS) flag to RewriteRule, to disable *all*
normal URI escaping. Note incautious use can give unexpected
results or introduce security risks.
* Added the '\' character to RewriteRule to allow escaping of
special characters. Allows embedding of both the '$' and '%'
characters in the results, so 'foo\$1' translates to 'foo$1'
rather than 'foo\<value of $1>'.
* Added the -V flag to suexec, to display the compile-time settings
with which it was built. (Only valid for root or the HTTPD_USER
username.)
* Introduced EBCDIC conversion configuration options, controlling the
conversion based on MIME type or file suffix.
the updated EAPI patches from mod_ssl-2.8.3-1.3.19 which includes the
following fix:
*) Fixed EAPI context usage in http_request.c: a context pointer
potentially can be NULL requests and can cause a segfault if
dereferenced.
