rse 98/02/18 00:31:00
Modified: src CHANGES
Log:
Include the changelog for 1.2.5 and 1.2.6 to the 1.3 tree because we already have the changelog entries there for 1.2.x-1.2.4 so we should keep it in sync now, too.

Revision Changes Path
1.634 +143 -0 apache-1.3/src/CHANGES

Index: CHANGES =================================================================== RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.633 retrieving revision 1.634 diff -u -r1.633 -r1.634 --- CHANGES 1998/02/14 13:43:58 1.633 +++ CHANGES 1998/02/18 08:30:58 1.634 
@@ -1407,6 +1407,149 @@ *) PORT: Added Windows NT support [Ben Laurie and Ambarish Malpani <[EMAIL PROTECTED]>] +Changes with Apache 1.2.6 + + *) mod_include when using XBitHack Full would send ETags in addition to + sending Last-Modifieds. This is incorrect HTTP/1.1 behaviour. + [Dean Gaudet] PR#1133 + + *) SECURITY: When a client connects to a particular port/addr, and + gives a Host: header ensure that the virtual host requested can + actually be reached via that port/addr. [Ed Korthof <[EMAIL PROTECTED]>] + + *) Support virtual hosts with wildcard port and/or multiple ports + properly. [Ed Korthof <[EMAIL PROTECTED]>] + + *) Fixed some case-sensitivity issues according to RFC2068. + [Dean Gaudet] + + *) Set r->allowed properly in mod_asis.c, mod_dir.c, mod_info.c, + and mod_include.c. [Dean Gaudet] + + *) Variable 'cwd' was being used pointlessly before being set. + [Ken Coar] PR#1738 + + *) SIGURG doesn't exist on all platforms. + [Mark Andrew Heinrich <[EMAIL PROTECTED]>] + + *) When an error occurs during a POST, or other operation with a + request body, the body has to be read from the net before allowing + a keepalive session to continue. [Roy Fielding] PR#1399 + + *) When an error occurs in fcntl() locking suggest the user look up + the docs for LockFile. [Dean Gaudet] + + *) table_set() and table_unset() did not deal correctly with + multiple occurrences of the same key. [Stephen Scheck + <[EMAIL PROTECTED]>, Ben Laurie] PR#1604 + + *) send_fd_length() did not calculate total_bytes_sent properly in error + cases. [Ben Reser <[EMAIL PROTECTED]>] PR#1366 + + *) r->connection->user was allocated in the wrong pool causing corruption + in some cases when used with mod_cern_meta. [Dean Gaudet] PR#1500 + + *) mod_proxy was sending HTTP/1.1 responses to ftp requests by mistake. + Also removed the auto-generated link to www.apache.org that was the + source of so many misdirected bug reports. 
[Roy Fielding, Marc Slemko] + + *) Multiple "close" tokens may have been set in the "Connection" + header, not an error, but a waste. + [EMAIL PROTECTED] PR#1683 + + *) "basic" and "digest" auth tokens should be tested case-insensitive. + [EMAIL PROTECTED] PR#1599, PR#1666 + + *) It appears the "257th byte" bug (see + htdocs/manual/misc/known_client_problems.html#257th-byte) can happen + at the 256th byte as well. Fixed. [Dean Gaudet] + + *) mod_rewrite would not handle %3f properly in some situations. + [Ralf Engelschall] + + *) Apache could generate improperly chunked HTTP/1.1 responses when + the bputc() or rputc() functions were used by modules (such as + mod_include). [Dean Gaudet] + + *) #ifdef wrap a few #defines in httpd.h to make life easier on + some ports. [Ralf Engelschall] + + *) Fix MPE compilation error in mod_usertrack.c. [Mark Bixby] + + *) Quote CC='$(CC)' to improve recurse make calls. [Martin Kraemer] + + *) Avoid B_ERROR redeclaration on sysvr4 systems. [Martin Kraemer] + +Changes with Apache 1.2.5 + + *) SECURITY: Fix a possible buffer overflow in logresolve. This is + only an issue on systems without a MAXDNAME define or where + the resolver returns domain names longer than MAXDNAME. [Marc Slemko] + + *) Fix an improper length in an ap_snprintf call in proxy_date_canon(). + [Marc Slemko] + + *) Fix core dump in the ftp proxy when reading incorrectly formatted + directory listings. [Marc Slemko] + + *) SECURITY: Fix possible minor buffer overflow in the proxy cache. + [Marc Slemko] + + *) SECURITY: Eliminate possible buffer overflow in cfg_getline, which + is used to read various types of files such as htaccess and + htpasswd files. [Marc Slemko] + + *) SECURITY: Ensure that the buffer returned by ht_time is always + properly null terminated. [Marc Slemko] + + *) SECURITY: General mod_include cleanup, including fixing several + possible buffer overflows and a possible infinite loop. 
This cleanup + was done against 1.3 code and then backported to 1.2, the result + is a large difference (due to indentation cleanup in 1.3 code). + Users interested in seeing a smaller set of relevant differences + should consider comparing against src/modules/standard/mod_include.c + from the 1.3b3 release. Non-indentation changes to mod_include + between 1.2 and 1.3 were minimal. [Dean Gaudet, Marc Slemko] + + *) SECURITY: Numerous changes to mod_imap in a general cleanup + including fixing a possible buffer overflow. This cleanup also + was done with 1.3 code as a basis, see the the previous note + about mod_include. [Dean Gaudet] + + *) SECURITY: If a htaccess file can not be read due to bad + permissions, deny access to the directory with a HTTP_FORBIDDEN. + The previous behavior was to ignore the htaccess file if it could not + be read. This change may make some setups with unreadable + htaccess files stop working. PR#817 [Marc Slemko] + + *) SECURITY: no2slash() was O(n^2) in the length of the input. + Make it O(n). This inefficiency could be used to mount a denial + of service attack against the Apache server. Thanks to + Michal Zalewski <[EMAIL PROTECTED]> for reporting + this. [Dean Gaudet] + + *) mod_include used uninitialized data for some uses of && and ||. + [Brian Slesinsky <[EMAIL PROTECTED]>] PR#1139 + + *) mod_imap should decline all non-GET methods. + [Jay Bloodworth <[EMAIL PROTECTED]>] + + *) suexec.c wouldn't build without -DLOG_EXEC. [Jason A. Dour] + + *) mod_userdir was modifying r->finfo in cases where it wasn't setting + r->filename. Since those two are meant to be in sync with each other + this is a bug. ["Paul B. Henson" <[EMAIL PROTECTED]>] + + *) mod_include did not properly handle all possible redirects from sub- + requests. [Ken Coar] + + *) Inetd mode (which is buggy) uses timeouts without having setup the + jmpbuffer. 
[Dean Gaudet] PR#1064 + + *) Work around problem under Linux where a child will start looping + reporting a select error over and over. + [Rick Franchuk <[EMAIL PROTECTED]>] PR#1107 + Changes with Apache 1.2.4 *) The ProxyRemote change in 1.2.3 introduced a bug resulting in the proxy
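Review bot: The added "Changes with Apache 1.2.6" and "Changes with Apache 1.2.5" blocks bring ten SECURITY entries into the 1.3 CHANGES file without saying whether each fix is already present in the 1.3 tree; only the mod_include and mod_imap entries mention that the cleanup "was done against 1.3 code and then backported to 1.2". A reader of the 1.3 file looking at the Host: header/virtual host check, the logresolve, proxy cache, cfg_getline and ht_time overflows, the unreadable-htaccess HTTP_FORBIDDEN change or the no2slash() O(n^2) fix cannot tell from these lines whether 1.3 needs a separate change. A one-line note under each of the two new headings stating where the 1.3 counterparts are recorded would close that gap. Two smaller points in the 1.2.5 block: the mod_imap entry reads "see the the previous note" (doubled "the"), and the htaccess entry ends "PR#817 [Marc Slemko]" while every other added entry puts the PR number after the bracketed name. If these are corrected here, the same correction belongs in the 1.2 CHANGES so the two copies stay in sync, which is the stated purpose of the commit.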