bug-fixes, and also integrates SSL and internationalization support!
For details, see the CHANGES file in the snapshot or at
http://lynx.isc.org/current/CHANGES
No longer bother installing lynx{.cfg,.lss} to ${PREFIX}/etc/. They
weren't being looked at by default, anyway, while it remains trivial
to override the default locations via environment variables.
(hope it is the right way).
>There's another bug in RewriteMap handling in Apache 1.3.17, which
>causes ${} expansions to be completely ignored. This patch fixes it.
1. Fixed bug in server push boundary strings (CGI.pm and CGI::Push).
2. Fixed bug that occurs when uploading files with funny characters in
the name
3. Fixed non-XHTML-compliant attributes produced by textfield()
4. Added EPOC support.
5. Fixed minor XHTML bugs.
6. Made escape() and unescape() symmetric with respect to EBCDIC.
7. Removed uninitialized variable warning from CGI::Cookie.
8. Fixed bug in CGI::Pretty that causes it to print partial end tags when
the $INDENT global is changed.
9. Single quotes are changed to character entity ' for compatibility with
URLs.
* Improved documentation for mod_perl.
* Many bugfixes.
* Apache::Server->loglevel can now be modified
* allow $r->finfo to be modified
* include mod_perl hook/feature config and pod in Apache::MyConfig
* prevent $PerlRequire in a <Perl> section from triggering an endless loop
* allow modification of $r->hostname
* new Apache::test::static_modules() method
* add proper offset support to Apache::read
* change Apache::PerlRun's Apache class relationship from is-a to has-a
* Apache::SubRequest->run(1) allows ap_send_http_headers() to output
for subrequests
* Apache::{Registry,PerlRun} will now log an error if $filename is NOT_FOUND
* make extra sure Apache::Constants::AUTOLOAD does not recurse looking
for sub __AUTOLOAD
* $r->get_basic_auth_pw and $r->note_basic_auth_failure will default
$r->auth_type to "Basic" if not already set
* $r->auth_type is now writeable, e.g. $r->auth_type("Basic")
* added Apache::user method
* disable r->proxyreq checking unless PerlTransHandler is enabled and
configured
* PerlAddVar is now an ITERATE2 directive rather than TAKE2
* added Apache::Server::error_fname method
* avoid duplicate buffer copy in {read,get}_client_block by reading
directly into Perl's SV buffer
* switch usage of hard_timeout() to soft_timeout(), so if SIGALRM
happens during Apache::{print,read}, the script will continue to run,
allowing proper cleanup (e.g. DESTROY)
* add PerlCleanupHandler to the {get,set}_handlers table
* quotemeta path_info in Registry regexp
* flush r->finfo cache if r->filename fails
* backed out $Apache::Server::ConfigTestOnly until proper Apache
support is in place
* Apache::ExtUtils will now generate an END routine to call ap_remove_module()
* rename Apache::{PerlRun,RegistryNG}::update_mtime to set_mtime, so
Apache::update_mtime is not overridden
* constant 'DECLINED' wasn't imported by Apache::RegistryBB
* Apache::Resource was not converting PERL_RLIMIT_AS to MB values
-) Rename mod_ssl.conf to apache_start.conf.
*) Upgraded to Apache 1.3.17 as base version.
*) Allow %{ENV:variable} in SSLRequire expressions, too.
*) Make sure the user is not able to fake the client certificate
based authentication by just entering an X.509 Subject DN
("/XX=YYY/XX=YYY/..") as the username and "password" as the
password if "SSLVerifyClient optional" is used in combination
with "SSLOptions +FakeBasicAuth".
-) Remove patch to avoid dlclose()ing on NetBSD. The mod_perl vs. perl CGI
mis-interaction seems to be gone and I wasn't able to reproduce it on my
system.
*) Fix the declaration of the module structure in mod_example.
*) Fix the handling of variable expansion look-ahead in mod_rewrite,
i.e. syntax like %{LA-U:REMOTE_USER}, and also fix the parsing of
more complicated nested RewriteMap lookups.
*) mod_status now respects ?refresh=n of 1 or greater. If the given
refresh value is not a number, ?refresh is set to 1 second.
*) Accommodate an out-of-space condition in the piped logs and the
rotatelogs.c code, and no longer churn log processes for this condition.
*) Make cgi-bin work as a regular directory when using mod_vhost_alias
with no VirtualScriptAlias directives.
*) Move the check of the Expect request header field after the hook
for ap_post_read_request, since that is the only opportunity for
modules to handle Expect extensions.
*) Eliminate caching problems of mod_autoindex results, so the last
modified date of the directory is returned as the Last-Modified
and ETag HTTP header tags are sent if IndexOptions TrackModified
directive/option is used.
*) Correct an issue with Alias and ScriptAlias directives that
file path arguments were not normalized in canonical form.
This correction makes no attempt to normalize regular expression
forms of Alias or ScriptAlias.
*) Add a new LogFormat directive, %c, that will log connection
status at the end of the response.
*) Update the mime.types file to the registered media types as of 2000-10-19.
*) Restore functionality broken by the mod_rewrite security fix:
rewrite map lookup keys and default values are now expanded
so that the lookup can depend on the requested URI etc.
Convert most MESSAGE files to new syntax (${VARIABLE} gets replaced,
not @VARIABLE@, nor @@VARIABLE@@).
By default, substitutions are done for LOCALBASE, PKGNAME, PREFIX,
X11BASE, X11PREFIX; additional patterns can be added via MESSAGE_SUBST.
Clean up some packages while I'm there; add RCS tags to most MESSAGEs.
Remove some uninteresting MESSAGEs.
This bumps the version number to 4.0.4.1nb1. Also, build the php CGI
binary by statically linking against the helper library libphp4.la so we
aren't forced to install a shared library used solely by one program.
- Can do a FLOOR beyond Terabytes.
- OS X & MPE/iX ports.
- Bug fixes, especially for multibyte character sets.
- Unprintable characters in the report are now replaced by '?'.
- Traditional Chinese, Portuguese, Brazilian Portuguese, US English and
corrected French domains files.
- Rewrote the documentation on Cache files. Added some new data to How the
Web Works.
Changes since 2.0
2.1 Sun December 18 12:00:00 2000
- New Feature: new 'file_cache' and 'double_file_cache' options
provide a file based caching method (T.J. Mather)
- New Feature: new 'print_to' option for output() allows
output() to print to a filehandle as it runs.
(Chris Nokleberg)
- New Feature: new 'case_sensitive' option to allow template
variable names to be case sensitive. (Matthew Wickline)
- New Feature: new 'filter' option allows pre-parse filtering of
template files.
- Bug Fix: added single-quote escaping to HTML escaping code
(Ralph Corderoy)
- Bug Fix: fixed a noisy bug in param() when used with 'associate'
(William Ward)
- Doc Fix: broke out FAQ into separate file.
2.2 Sat December 23 12:00:00 2000
- Bug Fix: fixed memory leak in global_vars implementation
(Ade Olonoh)
- Bug Fix: fixed file_cache not reloading templates on changes
(T.J. Mather)
- Bug Fix: fixed broken error checking in param() (Mark Stosberg)
* Make NetBSD PHP extensions_dir equal the compiled-in default for PHP4.
* Install the PEAR PHP4 script repository and tools.
* Use the source's install target instead of homegrown one.
- Fixed the various pdf_open_*() functions (Daniel)
- Fixed a bug that could cause invalid INI entries to be used under certain
circumstances (Zeev)
- Fixed a bug in the Apache module that could cause invalid INI values to
propagate to different virtual hosts, if one or more of the virtual
hosts was configured with engine=Off (Zeev)
- Fixed possible crash bugs in the session module (Sascha)
- Fixed the ODBC module to build properly with Solid 3.0 and OpenLink (Dan
Kalowsky)
- Fixed possible corruption of line number information in PHP scripts (Zeev,
Zend Engine)
- Fixed a few possible crashes in functions that use user-defined callbacks
(Zeev, Zend Engine)
when incoming IPv4 connections are captured by AF_INET6 socket (IPv4 mapped
address). not really matter for normal NetBSD installation.
I believe IPv4 mapped address is very bad from security/access control POV.
really.
From the changelog:
Amaya 4.2.1
22 December, 2000
Bug fixes
* The Doctype was not generated for HTML documents after
creation of a new HTML element.
* Doing a transformation on an HTML document crashed
Amaya without saving the edited document.
Amaya 4.2
21 December, 2000
New features
* Amaya is now able to read and save UTF8 documents but
it's only able to display ASCII and ISO-latin-1
characters and some mathematical symbols. For other
characters it keeps the Unicode value of the character
and displays a '?'. When an encoding is not supported
by Amaya, the document is not parsed.
* MathML: attributes rowalign and columnalign are
interpreted.
* MathML 2.0: new attributes mathvariant, mathsize,
mathcolor, mathbackground, linebreak
* Annotations: new configuration options for disabling
the automatic download of local and remote annotations
each time Amaya is started for users who frequently
work without network access. Note that this new option
is enabled by default; users who prefer the previous
behavior of always querying annotation servers can
select that behavior from the Annotations/Configure...
dialog by unchecking the 'Disable remote autoload at
each startup' and checking the two 'Autoload' boxes.
Bug fixes
* Annotations: Annotations didn't work under Windows,
when Amaya was installed in a directory with a space on
its name (e.g., Program Files). Similarly, annotations
on local documents didn't work if the path to this
document had a space.
* After doing a form POST, Amaya always proposed to save
the answer sent back by the server, even if it could
understand its content type (bug introduced in the 4.0
version).
* Since version 4.1, it's possible to change the user
preferences directory by setting the APP_HOME variable
in the win-thot.rc file. However, the user preferences
were still being read from the default location.
* After a crash, modified documents with a space in their
name were not restored.
* When Amaya crashed during a text insertion, the last
inserted text was lost.
* Configure failed to read the version numbers in
/usr/include/libjpeg.h and /usr/include/png.h (thanks
to Patrik Hagglund).
* Updating of German and Italian translations.
* Contribution from Johannes Zellner for enabling
tear-off menus on Unix platforms.
* The command Save As added the suffix ".html" to SVG and
MathML documents.
* Amaya was sometimes confusing MathML and SVG elements:
Schema ids were based on the compiling time (in
seconds) and Amaya used ids to detect whether two
elements belong to the same schema or not. That method
doesn't work with computers that are able to compile
more than one schema per second. Now, Amaya checks
schema names instead of schema ids.
* Selection: When the hyphenation was active the
selection didn't work correctly.
* Print: The command Print crashed when the document
included XLink attributes.
* Print: In some cases Amaya hung during the printing
or generated too short pages.
* Windows: The dialogue Underline didn't work correctly.
* Windows: Improving drawing functions and a part of the
program print.
* SVG: CSS rules of the SVG element style were not
interpreted when printing.
* SVG: Images can be created and edited freely within an
SVG drawing
* SVG: When changing the xlink:href attribute of elements
image and use in SVG, those elements are redisplayed
according to the new value of the attribute.
* SVG: When the user created a mathematical expression
into a SVG, the math element was displayed before the
user selected a position. This was confusing.
* HTML: Amaya hung when the META Content-Type was
quoted by simple quotes.
Amaya 4.1
23 November, 2000
New features
* Annotations: localization of the Local Filter menu.
* Windows: It's now possible to change the value of the
user's preferences directory. To do so, edit the
win-thot.rc and add a variable called APP_HOME in the
[amaya] section. The value of this variable should be
the path to directory. This is interesting if you want
to install Amaya in an NFS drive, but store the user's
preferences locally.
* When the encoding of a XML document is not set, it uses
the default encoding (UTF 8). This version of Amaya
doesn't handle UTF 8 and this document shouldn't be
edited with Amaya. In many cases these documents
contain only ASCII characters and can be interpreted
correctly as ISO-latin-1 encoded documents. It is why
Amaya proposes to set the ISO-latin-1 encoding when it's
not found.
Bug fixes
* Open the Log file and close it. Then open the source
view and close it: all other views of that document are
also closed
* The entry "Show parsing errors" (previously "Show Log
file") is now located in the Views menu
* Amaya didn't find out the encoding when it is given by
a META element. It works now.
* When saving a HTML document as XML a wrong DOCTYPE was
generated: it said the document was HTML 4.0 whereas it
was XHTML 1.0 actually.
* In a XHTML document, if you copy and paste an anchor
with both a name and an id, the name of the pasted
element was changed to make it unique, but not the id.
* The MakeBook command didn't work well on remote
documents that included images and could crash Amaya.
* The default Windows geometry was too small for some
views and documents.
* Spell checker: some options didn't reflect the current
value. The special characters entry wasn't working
under Windows.
* MathML: entity LeftAngleBracket was not recognized by
the parser
* MathML: the entity InvisibleTimes was displayed with a
too large space on Windows platforms.
* SVG: element style is now recognized and the CSS rules
it contains are applied as expected.
* SVG: element use is recognized and handled correctly
* SVG: comments and PIs were not displayed correctly in
the structure view
* SVG: text elements were displayed a bit below their
normal position
* SVG: in some cases polylines and polygons were resized
by mistake
* SVG: when printing the background of the whole SVG or
group was painted if there was a CSS rule fill
* SVG: elements are now created with the right default
colors (fill=black, stroke=none).
* Annotations: the Annotation element (pencil icon)
wasn't being skipped always when resolving an XPointer.
This problem could occur with orphan and document
annotations.
* Annotations: ID attributes were not always being
searched correctly in the document's tree.
* Annotations: The Windows annotations project was
missing from the source tar package.
Amaya 4.0
10 November, 2000
New features
* Support for a subset of the SVG graphics format, namely
basic shapes, text, images, and foreignObject (the
latter is useful to include HTML fragments or MathML
expressions in drawings).
* Support for native MathML and SVG documents.
* Support for collaborative annotations, based on RDF,
XPointer, and XLink.
* A single structure view displays the structure of
equations and drawings along with the document
structure.
* Generates XHTML document with the right charset.
* Three new profiles: XHTML-transitional, XHTML-strict,
XHTML-basic. In these profiles, Amaya checks the validity
of the (X)HTML documents it loads, and it allows the
user to create only elements and attributes
corresponding to the chosen profile.
* MathML: attributes macros, display, overflow, altimg
and alttext are now available for the top-level math
element. Attribute alttext is rendered in the Alternate
view. Attribute linethickness allows to control the
aspect of fraction bars.
Many improvements to math formatting.
Keys -> and <- move the caret according to the MathML
structure.
* Upgraded libwww to release 5.3.1
* Added the HTTP reason string to the save error
dialog box.
* Spanish translation of the Amaya dialogues contributed
by Pedro Pablo Fabrega
* The inline documentation is now available in French
(other translations are welcome).
* New menu (Special/Create Remove IDs) to add or remove
ID attributes to/from elements, either globally or
within a selection.
* Searching is case insensitive by default.
* The dialog box of link creation allows you to browse
local files.
* When the selection is within a link (an anchor with an
attribute href), the status line displays the URI of
the target.
* The geometry of windows is now expressed in pixels.
Users may have to update their configuration
(Special/Preferences/Window Geometry menu).
Bug fixes
* When the selected OPTION in a SELECT within a FORM had
no content and no value attribute, the value posted for
the SELECT element was some random garbage.
* Amaya hung when reading a textarea with an initial
value.
* When converting a document from HTML to XHTML, Amaya
did not check whether the id's it created were valid.
For instance, it generated id's starting with a digit.
* The charset given in the XML declaration was ignored by
Amaya.
* 24 bits per pixel images were not handled correctly on
Unix platforms (thanks to Walter Bächi)
* Saving a document source crashed Amaya when it followed
an aborted closing of that document source.
* When the BODY element of an (X)HTML document is
selected, command Delete is no longer refused: it leaves
you with an empty BODY element.
* When a background image is not repeated, Amaya takes
into account the transparency now (Unix and Windows
platforms).
* After a synchronisation Amaya considered that both the
source view and the formatted view should be saved. Now
the user can decide to save either the source or the
formatted view but only one of them.
* The text editing is now more robust.
* When browsing a remote URL, Amaya systematically added
a "/" end character to the URL if the URL didn't finish
by an extension.
* It was hard to create an area Polygon because the
selection hid the associated image.
* When a paragraph with a top margin was reformatted,
included lines (except the last one) were shifted by
error.
* In the Structure view, an anchor repeated the attribute
ID of its parent.
* Opening an image that didn't have an extension resulted
in a crash.
Windows bugs
* The menu Background Image on Windows platforms crashed
Amaya.
* On Windows platforms, sometimes Amaya didn't display
background images correctly.
* Some colors (like border colors) were not correctly
displayed on Windows platforms.
* Each time the user clicked on the button Math, a new
Math palette was generated, now only one palette is
displayed.
* It was the same for the dialogue Search/Replace.
* When all entries of a submenu were hidden in the
current profile, the submenu entry was not removed. Now
it works like on Unix platforms.
* Troubles after a cancel of the operation "Close
Document".
Changes are:
* Search facility of the URL toolbar
* Improved the password dialog
* File type association works better
* Improved windows settings file
* UI improvements
* Printing support - still a bit unstable (no print preview yet, but
you can print to file)
* Transfer window works better
* 3D borders on tables fixed
* JavaScript confirm dialog fixed
October 21, 2000, Version 3.0.18
- Fixed file upload bugs (Sascha)
October 11, 2000, Version 3.0.17
- Fixed output functions (Sascha)
- Added odbc_tables() (Frank)
- Fixed htmlspecialchars/htmlentities inconsistencies (Rasmus)
- Added is_uploaded_file() (Zeev)
- Clean up htmlspecialchars/htmlentities inconsistencies (Rasmus)
- Add optional charset parameter to sybase_[p]connect (alf@alpha.ulatina.ac.cr)
- Fixed incorrect handling of 0-precision strings (e.g., %4.0s)
in printf (Ken Coar)
- You can now call Ora_Error() without parameters to get the reason
for a failed connection attempt. (Kirill Maximov)
- Fixed crash in OCIFetchStatement() when trying to read after
all data has already been read. (Thies)
- Added --enable-sigchild. Use this option if you encounter
<defunct> processes when using Oracle 8i. (Thies)
- Uncommitted outstanding OCI8 transactions are now rolled back
before the connection is closed. (Thies)
- Improved configure checks for Oracle 8i. (Thies)
- Added imap_mime_header_decode() function (Skalski)
out of date - it was based on a.out OBJECT_FMT, and added entries in the
generated PLISTs to reflect the symlinks that ELF packages use. It also
tried to be clever, and removed and recreated any symbolic links that were
created, which has resulted in some fun, especially with packages which
use dlopen(3) to load modules. Some recent changes to our ld.so to bring
it more into line with other Operating Systems also exposed some cracks.
+ Modify bsd.pkg.mk and its shared object handling, so that PLISTs now contain
the ELF symlinks.
+ Don't mess about with file system entries when handling shared objects in
bsd.pkg.mk, since it's likely that libtool and the BSD *.mk processing will
have got it right, and have a much better idea than we do.
+ Modify PLISTs to contain "ELF symlinks"
+ On a.out platforms, delete any "ELF symlinks" from the generated PLISTs
+ On ELF platforms, no extra processing needs to be done in bsd.pkg.mk
+ Modify print-PLIST target in bsd.pkg.mk to add dummy symlink entries on
a.out platforms
+ Update the documentation in Packages.txt
With many thanks to Thomas Klausner for keeping me honest with this.
General:
- Fixed X selections so that we no longer try to pass UTF-8 encoded text
in STRING atoms.
- Improved the table layout code so that now we render tables very close
to the big name browsers, one or two small issues left
- Added many missing attributes to the HTML export code so that at least
we pass on the attributes we understand.
- Support for sub sup and strike elements.
- We now parse param elements before emitting the object requested signal
so that we can make an informed choice about whether or not the object
is supported.
Editor:
- We now hook to the gnome-spell component to do spelling.
- Rename the idl and oafinfo to bring us in line with the new naming
conventions
- The editor control now exposes an interface for issuing editor commands
Ebrowser:
- New component to support simple browsing tasks.
pkgsrc version) include:
* Various cookie fixes.
* New build system.
* Code to deal with before/after scripts.
* Rewrite of Apache directives.
In addition, mod_dtcl is now a project of the Apache Software Foundation.
See http://tcl.apache.org/ for details.
gratuitously reinstalled whenever "perl" is reinstalled. For the
NetBSD package, the dependence on autoconf and automake has already
been removed, so it remained only to patch the configure script.
4.0.3 includes many bugfixes (including one bad interaction with mod_perl which
caused segfaults) and additions of several new functions. Several new PHP
modules were also added to the main distribution, including new database
extensions and OpenSSL, and some bugs with improperly closing database
connections were fixed.
Instead of using pkgsrc makefile magic to select between IPv6 support
and non-support do so by the NetBSD version number: on 1.5 and newer
systems, compile IPv6 support and detect kernel support for it at runtime.
This has the additional benefits of being easy to feed back and additionally
brings IPv6 to mozilla on NetBSD even if built outside of pkgsrc.
This is a minor release that mainly provides bug fixes and small
enhancements that have been committed to CVS since the last release.
Vladimir Koslov provided indispensable help for testing and preparing the
Win32 release. Special thanks to Wayne Davison, Art Barstow, Peter
Stamfest, Zhu Qun-Ying, Jens Meggers, Ken Olum for their contributions.
* Summary of principal changes (the ChangeLog provides a detailed account)
+ The following sample applications could core dump
under Windows: head.c, getheaders.c, chunk.c, chunkbody.c,
multichunk.c
+ When retrieving an object from the cache, the HTTP headers
associated with the object weren't stored in the HTResponse object.
+ The cache garbage collector could go into an endless loop.
+ The HTResponse object now returns the HTTP reason.
+ Update of expat to version 19990728.
+ Optimization, enhancements, and bugs fixes to the HTRDF module
+ Some memory leaks and compiler warning fixes.
+ The robot could hang when accessing local files.
+ Optimization of the HTChunk and HTHash modules.
* Outstanding bugs
+ The webbot crashes from time to time under Windows. It
seems to be a problem while reading the robots.txt file,
there the application frees a request that's still registered
in the Windows async. loop.
+ The tiny.c sample application doesn't prompt the user with
a text input.
+ Interpretation of FD_CLOSE under Windows.
+ The FTP implementation has memory leaks and doesn't
remember the path or authentication information correctly.
+ Compiling with -O2 and -Wall reveals some uninitialized
variables in HTDIR and HTFTP.
* To do
+ Compile the answers to the libwww survey (volunteers are welcome).
- fixed script element handling in framesets
- detect repeated attributes e.g. in tables
- supports Gnu Emacs error parsing
- Word 2000 cleanup
- HTML syntax fixes
* Move most of Makefile logic into ../php4/Makefile.common.
* Move patches and files into ../php4.
* Depend on php-4.0.3pl1.
The version number bump was necessary as php4 conflicts with the old
ap-php4-4.0.3pl1 package.
Charles fixed the a.out toolchain bug (in ld) that caused the problems this
change tried to work around. Update your toolchain if it breaks for you.
(Pullup of the toolchain changes to 1.4 and 1.5 has already been requested.)
MKSHLIB_FORCE_ALL='-Wl,--whole-archive' and
MKSHLIB_UNFORCE_ALL='-Wl,--no-whole-archive'
The a.out toolchain ignores --no-whole-archive, and linking mozilla-bin
attempts to an ill fated
"collect2 ... --whole-archive ... --no-whole-archive ... -lgcc ... -lgcc"
Analysis by Richard Earnshaw in PR/11703
Changes Between Major Revisions
Changes from 1.4 to 1.6
* All changes and bugfixes in the 1.4 releases.
* Completely rewrote the LDAP caching algorithms (see [1]the
documentation on caching for more information). Here are the
highlights of the changes:
+ All cache sizes are measured in terms of cache entries.
Warning!! This affects the AuthLDAPCacheSize directive!! In
version 1.4 and before, this directive specified the size in
megabytes. Now, it specifies the size in cache entries. If
you currently have this directive in a config file, it is
probably set way too high, and will use a significant amount
of server memory.
+ Deprecated the AuthLDAPCacheCompareOps directive. Apache will
still accept the directive, but it has no effect, other than
to generate a warning in the Apache logs.
+ The cache no longer grows without bounds. For servers with a
very active cache, this should make a big difference with
memory usage.
+ No longer use the cache management routines from the LDAP
SDK. All LDAP operations are now cached, using a cache that's
specially designed for auth_ldap's authentication methods.
+ If Apache has been compiled with MM support and auth_ldap has
been compiled with -DWITH_SHARED_LDAP_CACHE then the cache is
shared across all server instances.
+ Added a content handler that can be used to display the cache
statistics. To use it, add the following directives:
<Location /server/auth-ldap-info>
SetHandler auth-ldap-info
</Location>
* Added support for a require dn directive, and a
AuthLDAPCompareDNOnServer directive. See the documentation for
more information.
* auth_ldap now allows the user to specify any attribute when
checking for group membership, by using the AuthLDAPGroupAttribute
directive. If this directive is not specified, the default
continues to be member and uniqueMember. Patch courtesy of
Graham Leggett.
* Added another directive, AuthLDAPGroupAttributeIsDN, which says
whether to use the DN that was retrieved from the LDAP search, or
to use the username passed by the client when doing group
authorization. This directive, in conjunction with the previous
one, allows us to use things like posixGroups for checks:
AuthLDAPGroupAttribute memberuid
AuthLDAPGroupAttributeIsDN off
* Ensure that auth_ldap will follow referrals under
OpenLDAP. This behavior was turned off in previous versions.
* Allow auth_ldap to dereference aliases, using the new
AuthLDAPDereferenceAliases directive. By default, this directive
is set to always.
* Now use ldap_init() when using OpenLDAP. Unless your OpenLDAP is
really old, this probably won't affect you.
PNG is now supported, asynchronous DNS is claimed to be more stable,
couple of SSL crashes were fixed; otherwise the changes are primarily
UI fixes.
However, Asynchronous DNS seems to ignore stuff in /etc/hosts now.
vulnerabilities file will be updated.
Changes from jakarta-tomcat-3.1:
===============================================================================
6. SECURITY VULNERABILITIES FIXED IN TOMCAT 3.1.1
6.1 Administrative Application Enabled By Default
The administrative application (at context path "/admin") was enabled by
default in Tomcat 3.1, which allowed unauthenticated remote users to add and
remove applications from a running Tomcat 3.1 installation if it was left
installed.
To avoid such problems, the administrative application has been removed from
the binary distribution of Tomcat 3.1.1. It can be installed if desired by:
- Downloading the source distribution of Tomcat 3.1.1.
- Modifying the "build.xml" file to remove the commenting around the
logic that creates the administrative application.
- Running the build.sh or build.bat script.
6.2 Case Sensitive Matches on Static Resources
In Tomcat 3.1, matches against the filenames of static resources were done in a
case insensitive manner on case insensitive platforms (such as Microsoft
Windows). This can cause sensitive information to be exposed to remote users
who experiment with differently cased request URIs.
To avoid such problems, Tomcat 3.1.1 performs filename comparisons for static
resources in a case sensitive manner, even on Windows. This means that your
hyperlinks must specify the correct case, or a 404 error will be returned.
Because this can cause significant conversion problems for existing
applications deployed on Tomcat 3.1, a configuration option is provided to
temporarily turn off case sensitive matching. Edit the file "conf/web.xml"
and modify the value for the "caseSensitive" initialization parameter to the
default file-serving servlet.
WARNING: CHANGING THIS SETTING WILL RE-INTRODUCE THE SECURITY VULNERABILITY
PRESENT IN TOMCAT 3.1 -- IT IS *STRONGLY* RECOMMENDED THAT YOU CORRECT YOUR
URLS TO MATCH CORRECTLY INSTEAD OF USING THIS OPTION. Note: All later
versions of Tomcat perform filename matches in a case sensitive manner.
6.3 Snoop Servlet Mappings in Example Application
In the deployment descriptor for the example application delivered with
Tomcat 3.1, a "snoop" servlet was mapped to URL patterns "/snoop" and
"*.snp". These mappings (in particular the second one) could cause exposure
of sensitive information on the internal organization of your web application
(for example, when a non-existent page "foo.snp" is requested).
To avoid these problems, the offending mappings have been commented out.
6.4 Show Source Vulnerability
The example application delivered with Tomcat 3.1 included a mechanism to
display the source code for the JSP page examples. This mechanism could
be used to bypass the restrictions on displaying sensitive information in
the WEB-INF and META-INF directories. This vulnerability has been removed.
6.5 Requesting Unknown JSP Pages
In Tomcat 3.1, the error message in response to a request for an unknown JSP
page would include the absolute disk file pathname of the corresponding file
which could not be found, which exposes sensitive information about how your
application is deployed. The error message has been adjusted to include only
the context-relative path of the JSP page which could not be found.
6.6 Session ID Vulnerability
The algorithm used to calculate session identifiers for new sessions was
subject to attack by attempting to guess what the next session identifier will
be, and therefore hijack the session. In addition, the generated identifier
exposed sensitive information (the number of sessions that have been created
since this web application was started).
To avoid these problems, the session identifier generation algorithm has been
replaced by the algorithm used in Tomcat 3.2, which is not subject to these
attacks, and does not expose session count information.
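The two weaknesses described in 6.6 (a guessable next identifier and a leaked session count), shown as an added example that is not Tomcat's code. The counter-based weakId scheme is a hypothetical stand-in, since these notes do not give the Tomcat 3.1 algorithm; strongId and looksSequential are likewise names assumed here.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicLong;

public class SessionIdDemo {
    // Hypothetical weak scheme (not Tomcat 3.1's actual code): a per-application
    // counter, so each ID reveals the session count and predicts the next ID.
    private static final AtomicLong COUNTER = new AtomicLong();
    static String weakId() {
        return "S" + COUNTER.incrementAndGet();
    }

    // Hardened scheme: 128 bits from a CSPRNG, hex-encoded; carries no counter.
    private static final SecureRandom RNG = new SecureRandom();
    static String strongId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder(32);
        for (byte b : raw) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    // Audit check for IDs issued back to back by your own server: true when
    // every ID ends in a decimal number and those numbers rise by exactly 1.
    static boolean looksSequential(List<String> ids) {
        long prev = -1;
        for (int i = 0; i < ids.size(); i++) {
            String id = ids.get(i);
            int start = id.length();
            while (start > 0 && Character.isDigit(id.charAt(start - 1))) start--;
            String digits = id.substring(start);
            // No numeric tail, or one too long for a long: not a simple counter.
            if (digits.isEmpty() || digits.length() > 18) return false;
            long n = Long.parseLong(digits);
            if (i > 0 && n != prev + 1) return false;
            prev = n;
        }
        return ids.size() > 1;
    }

    public static void main(String[] args) {
        List<String> weak = new ArrayList<>();
        List<String> strong = new ArrayList<>();
        for (int i = 0; i < 5; i++) { weak.add(weakId()); strong.add(strongId()); }
        System.out.println("weak:   " + weak + " sequential=" + looksSequential(weak));
        System.out.println("strong: " + strong + " sequential=" + looksSequential(strong));
    }
}
```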
6.7 Server Shutdown Vulnerability
In Tomcat 3.1, it was possible to establish a remote network connection to the
AJP12 connector and cause Tomcat to shut itself down. Now, this network
connection must be created from the same server that Tomcat is running on.
NOTE: While this is more secure than Tomcat 3.1 (and mirrors the protection
provided by Tomcat 3.2), it is still vulnerable to attack by users who can
create socket connections from the server. Suitable use of firewalls and
"TCP Wrappers" applications is suggested around the AJP12 port.
*) Allow absolute pathnames in the -socket argument.
*) Don't invoke suexec when the user/group for the fastcgi application
is the same as the apache main server. This is consistent with
apache's suexec handling.
*) Reset the apache drop dead timer upon successful read or writes
to/from the client. This eliminates timeouts that were occurring
during the large file transfers to/from slow clients.
*) Support generic wrappers such as cgiwrap by eliminating dependencies
on Apache's SUEXEC, renaming the FastCgiSuexec directive
FastCgiWrapper and eliminating any checks regarding the target
application (this is the responsibility of the wrapper).
*) Fix a nasty bug that occurred when a client aborted a POST request
before the connection to a dynamic FastCGI application was opened.
Changes since 1.60
2000-09-24 Hans de Graaff <hans@degraaff.org>
* Checkbot 1.62 released
2000-09-16 Hans de Graaff <hans@degraaff.org>
* checkbot.pl (send_mail): Only mention URL in the subject of the
mail if one is given through the --url option.
(check_external): The ALEPH web server is also broken with respect
to HEAD requests.
2000-09-04 Hans de Graaff <hans@degraaff.org>
* checkbot.pl (check_external): JavaWebServer is also broken with
respect to HEAD requests.
2000-08-26 Hans de Graaff <hans@degraaff.org>
* checkbot.pl (create_page): Add --style option which allows a
link to a CSS file to be included in each Checkbot page.
2000-08-20 Nick Hibma <n_hibma@qubesoft.com>
* checkbot.pl (check_external): Some servers don't set the Server:
header. Check to see if the server field is set in a response to
avoid warnings.
* checkbot.pl (add_checked): Add --enable-virtual option to use
hostname instead of IP address to distinguish servers. This allows
checking of multiple virtual servers.
2000-08-13 Hans de Graaff <hans@degraaff.org>
* Makefile.PL: Add a check for HTML::Parser. Require latest
version, 3.10, because I'm not sure older versions work correctly.
2000-06-29 Hans de Graaff <hans@degraaff.org>
* Checkbot 1.61 released
* Makefile.PL (chk_version): Add version checked for in output.
2000-06-18 Larry Gilbert <larry@n2h2.com>
* checkbot.pl (check_external): Use GET instead of HEAD for
confused closed-source servers.
2000-06-18 Hans de Graaff <hans@degraaff.org>
* Makefile.PL (chk_version): require URI 1.07 as it contains bug
fixes for using Base URLs.
* checkbot.pl: Change email and web address
2000-04-30 Hans de Graaff <graaff@xs4all.nl>
Version 2.6 of WWWOFFLE released : Sat Nov 18 19:15:00 2000
-----------------------------------------------------------
Bug Fixes:
Improve HTML modification for unterminated tags. Allow passworded pages to be
fetched. Improve compilation on non-Linux systems. Fix bug with proxy config
file entry. Fix an error with not truncating files. Fix an error with
dir-perm and file-perm. Fix problem when getting pages with passwords. Fix
problem deleting pages with passwords.
Documentation
Added a note to the FAQ about DoS attacks and ipchains.
*NOTE* If upgrading from version 2.[2345] then you will need to convert your
cache to the new format, see the file CONVERT for details.
*NOTE* If upgrading from version 2.4[abc] the max-size option in the Purge
section of the configuration file has changed. See CHANGES.CONF.
*NOTE* If upgrading from version 2.[123] the setting of the times of monitoring
URLs has changed, check the monitor index and correct where needed.
*NOTE* If upgrading from version 1.x or 2.[01] then you will need to delete
your cache since conversion from those formats is no longer provided.
Version 2.6-beta of WWWOFFLE released : Sun Oct 22 10:30:00 2000
----------------------------------------------------------------
Bug Fixes:
Handle usernames specified in URLs including the '@' character. Fix problems
deleting URLs with arguments. Fix bug with recursive fetching in same dir.
Retry the select system call if it is interrupted.
Win32 Bug Fixes:
Fix for local web-pages not being opened in binary mode. Compilation fixes.
Internal Changes:
Re-examined all URL-encoding and URL-decoding issues (small cache change).
Ensure that the canonical form of the URL is used throughout.
Changed the URLs in the indexes for monitor, delete & refresh.
Documentation
Re-written the README.CONF file with new layout and more information.
Added three more questions to the FAQ and updated several others.
Configuration File
Allow many of the configuration file options to be selectable on a URL by URL basis.
Move some configuration file options around and create some new sections.
Allow purge ages to be specified in larger units (weeks, months, years).
Allow re-request times to be specified in larger units (minutes, hours, days).
New Configuration Options
Add the ability to demoronise HTML (replace bogus characters with real ones).
Add the ability to remove meta refresh tags that redirect browsers.
Added the option to convert redirections to DontGet pages to errors.
Allow the HTML modifications to happen to pages viewed when online.
Add timeouts to DNS lookups to stop WWWOFFLE servers hanging up.
Add the option to enable the use of lock files (defaults to disabled).
New Features
Remove the index of the latest pages (was slow on big caches).
Add an index of the pages that were in the outgoing directory last time.
Change the don't cache option so that pages are not requested when offline.
Allow password protected URLs to be deleted.
Aliased pages now use a redirect rather than re-writing the URL.
Make it safe to have symlinks in the cache.
Searching
Changed the ht://Dig search URLs in WWWOFFLE from /htdig/* to /search/htdig/*.
Allow the use of UdmSearch instead of ht://Dig.
Contrib
Improved the audit-usage.pl script to show cache hit/miss status for requests.
* During installation, install a default file, then copy over a real
config file during post-installation if it doesn't already exist.
* During de-installation, remove the real config file if it doesn't
differ from the default config file.
The INSTALL/DEINSTALL scripts could probably serve as a model for how other
packages should deal with config files.
Translate elvi didn't correctly parse -from or -to
New elvi: britannica, stockquote (nasdaq, quote.com, yahoo), jake
Updated elvi: freshmeat
Don't open new screen(1)s by default
Zorch usage of local variables (not POSIX)
1.5_BETA for other architectures. While it may build on some others too,
it will not work due to toolchain issues.
There is no realistic hope to have those toolchain changes pulled up to the
(now nearly dead) 1.4 branch.
Closes PR 11342.
o small documentation fix
o compilation issues with older perls fixed
o library initialization when using sockets fixed
o library fixes ("Rob Saccoccio" <robs@ipass.net>)
o compilation issues with newer gcc
o completely untested OPEN and READLINE methods
o sfio version compiles again
o General clean-ups
o Allow attaching/detaching
o Changed DESTROY behaviour
o Fixed default warn/die handler of old interface
o Document new interface
* Run regxpcom and regchrome at package install time. (Otherwise time stamp
changes can cause the registry to be regenerated the first time Mozilla is
started up anyway.)
* Arrange to have user-{locale,skins}.rdf generated automatically.