Apache 2.0.39 Released
June 19, 2002
From the Apache Project:
The Apache HTTP Server Project is proud to announce the third public release of Apache 2.0. Apache 2.0 has been running on the Apache.org
website since December of 2000 and has proven to be very reliable.
This version of Apache is principally a security and bug fix
release. A summary of the bug fixes is given at the end of this document.
Of particular note is that 2.0.39 addresses and fixes the issues noted
in CAN-2002-0392 (mitre.org) [CERT VU#944335] regarding a vulnerability
in the handling of chunked transfer encoding. We would like to thank
Mark Litchfield of ngssoftware.com for discovering and reporting the
Apache 2.0 offers numerous enhancements, improvements and performance
boosts over the 1.3 codebase. The most visible and noteworthy addition
is the ability to run Apache in a hybrid thread/process mode on any
platform that supports both threads and processes. This has shown to
improve the scalability of the Apache HTTP Server significantly in
our testing. Apache 2.0 also includes support for filtered I/O. This
allows modules to modify the output of other modules before it is
sent to the client. We have also included support for IPv6 on any
platform that supports IPv6.
This version of Apache is known to work on many versions of Unix, BeOS,
OS/2, Windows, and Netware. Because of many of the advancements in
Apache 2.0, the initial release of Apache is expected to perform equally
well on all supported platforms.
There are new snapshots of the Apache httpd source available every 6
hours from http://cvs.apache.org/snapshots/ - please download and test
if you feel brave. We don't guarantee anything except that it will
take up disk space, but if you have the time and skills, please
give it a spin on your platforms.
Apache has been the most popular web server on the Internet since
April of 1996. The March 2002 WWW server site survey by Netcraft (see
http://www.netcraft.com/survey/) found that more web servers were
using Apache than any other software; Apache runs on more than 54%
of the web servers on the Internet.
For more information and to download the release tarballs, please
Changes since Apache 2.0.36
Changes with Apache 2.0.39
Fixed a build problem in htpasswd.c on Win32.
[Guenter Knauf , Cliff Woolley]
Changes with Apache 2.0.38
Rewrite htpasswd to use APR. The removes the annoying warning about
tmpnam being unsafe. [Ryan Bloom]
We must set the MIME-type for .shtml files to text/html if we want them
to be parsed for SSI tags. Add the config for that to the default
config file so that it is easier to enable .shtml parsing.
[Dave Dyer ]
Fixed a problem with 'make install' on ReliantUnix.
[Jean-frederic Clere ]
Make the default_handler catch all requests that aren't served by
another handler. This also gets us to return a 404 if a directory
is requested, there is no DirectoryIndex, and mod_autoindex isn't
loaded. [Justin Erenkrantz]
Fixed the handling of nested if-statements in shtml files.
PR 9866 [Brian Pane]
Allow 'make install DESTDIR=/path'. This allows packagers to install
into a directory different from the one that was configured. This
also mirrors the root= feature from 1.3. We cannot use prefix=,
because both APR and APR-util resolve their installation paths at
configuration time. This means that there is no variable prefix
to replace. [Andreas Hasenack ]
AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.
These levels of AIX don't have a thundering herd problem with
accept(). [Jeff Trawick]
prefork MPM: Ignore mutex errors during graceful restart. For
certain types of mutexes (particularly SysV semaphores), we
should expect to occasionally fail to obtain or release the
mutex during restart processing. [Jeff Trawick]
Fix install-bindist.sh so that it finds any perl instead of just
early perl 5.x versions. This is consistent with a build/install
from source, and it allows the perl scripts installed by a bindist
to work on systems with perl 5.6. [Jeff Trawick]
Fix apxs so that the makefile created by "apxs -g" works on AIX and
Tru64 (and probably some other platforms). [Jeff Trawick]
Allow CGI scripts to return their Content-Length. This also fixes a
hang on HEAD requests seen on certain platforms (such as FreeBSD).
Added log rotation based on file size to the RotateLog support
utility. [Brad Nicholes]
Fix some casting in mod_rewrite which broke random maps.
PR 9770 [Allan Edwards, Greg Ames, Jeff Trawick]
Changes with Apache 2.0.37
allow POST method over SSL when per-directory client cert
authentication is used with 'SSLOptions +OptRenegotiate' enabled
and a client cert was found in the ssl session cache.
'SSLOptions +OptRengotiate' will use client cert in from the ssl
session cache when there is no cert chain in the cache. prior to
the fix this situation would result in a FORBIDDEN response and
error message "Cannot find peer certificate chain"
ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
one was already sent. PR 9644 [Jeff Trawick]
Fix the display of the default name for the mime types config
file. PR 9729 [Matthew Brecknell ]
Fix the working directory *for WinNT/2K/XP services only* to
change to the Apache directory (one level above the location
of Apache.exe, in the case that Apache.exe resides in bin/.)
Solves the case of ServerRoot /foo paths where /foo was not
on the same drive as /winnt/system32. [William Rowe]
Make 2.0's "AcceptMutex" startup message now "completely"
match how 1.3 does it. [Jim Jagielski]
Implement a fixed size memory cache using a priority queue
Fix apxs to allow "apxs -q installbuilddir" and to allow
querying certain other variables from config_vars.mk. PR 9316
Added the "detached" attribute to the cgi_exec_info_t internals
so that Win32 and Netware won't create a new window or console
for each CGI invoked. PR 8387
[Brad Nicholes, William Rowe]
Consolidated the command line parameters and attributes that are
manipulated by the optional function ap_cgi_build_command() in
mod_cgi into a single structure.
Get rid of uninitialized value errors with "apxs -q" on certain
variables. [Stas Bekman ]
Fix apxs to allow it to work when the build directory is somewhere
besides server-root/build. PR 8453
[Jeff Trawick and a host of others]
Allow ap_discard_request_body to be called multiple times in the
same request. Essentially, ap_http_filter keeps track of whether
it has sent an EOS bucket up the stack, if so, it will only ever
send an EOS bucket for this request.
[Ryan Bloom, Justin Erenkrantz, Greg Stein]
Remove all special mod_ssl URIs. This also fixes the bug where
redirecting (.*) will allow an SSL protected page to be viewed
without SSL. [Ryan Bloom]
Fix the binary build install script so that the build logic
created by "apxs -g" will work when the user has a binary
build. [Jeff Trawick]
Allow instdso.sh to work with full paths to the shared module.
NetWare: Enabled CGI functionality and added mod_cgi as a built
in module for NetWare [Brad Nicholes]
Changed cgi and piped log behavior to accept 65536 characters
on Win32 (matching Linux) before deadlocking between outputing
client stdin, slurping the output from stdout and then the stderr
stream. PR 8179 [William Rowe]
Fixed Win32 wintty.exe support to assure the window title is valid.
Elimiates possible gpfault or garbage title without the -t option.
Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use
brigades and input filters. [Justin Erenkrantz]
Allow ap_http_filter (HTTP_IN) to return EOS when there is no request
body. [Justin Erenkrantz]
NetWare: Piping log entries through RotateLogs using the
CustomLogs directive is finally supported now that we have
the pipes and spawning functionality working.
Detect overflow when reading the hex bytes forming a chunk line.
Allow RewriteMap prg:'s to take command-line arguments. PR 8464.
[James Tait ]
Correctly return 413 when an invalid chunk size is given on
input. Also modify ap_discard_request_body to not do anything
on sub-requests or when the connection will be dropped.
Fix the TIME_* SSL var lookups to be threadsafe. PR 9469.
Ensure that apr_brigade_write() flushes in all of the cases that
it should to avoid conditions in some modules that could cause
large amounts of data to be buffered. [Cliff Woolley]
Fix problem where mod_cache/mod_disk_cache was incorrectly
stripping the content_type from cached responses.
apachectl passes through any httpd options. Note: apachectl
should be used in preference to httpd since it ensures that any
appropriate environment variables have been set up.
Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.
PR 7810 [Colm MacCarthaigh ]
Fix suexec execution of CGI scripts from mod_include.
PR 7791, 8291 [Colm MacCarthaigh ]
Fix segfaults at startup on some platforms when mod_auth_digest,
mod_suexec, or mod_ssl were used as DSO's due to the way they
were tracking the current init phase since DSO's get completely
unloaded and reloaded between phases. PR 9413.
[Tsuyoshi Sasamoto , Brad Nicholes]
Fix mod_include's handling of regular expressions in