APACHE 1.3 STATUS: -*-text-*- Last modified at [$Date$] Release: 1.3.42: Released and Retired February 2, 2010. 1.3.41: Released January 19, 2008. 1.3.40: Tagged January 4, 2008. Not released. 1.3.39: Released September 7, 2007. 1.3.38: Tagged August 10, 2007. Not released. 1.3.37: Tagged July 27, 2006. Announced July 28, 2006. 1.3.36: Tagged May 14, 2006. Announced May 17, 2006. 1.3.35: Tagged April 24, 2006. Announced May 1, 2006. 1.3.34: Tagged October 13, 2005. Announced October 18, 2005. 1.3.33: Tagged October 27, 2004. Announced October 29, 2004. 1.3.32: Tagged October 18, 2004. Not formally released. 1.3.31: Tagged May 7, 2004. Announced May 11, 2004. 1.3.30: Tagged April 9, 2004. Not released. 1.3.29: Tagged October 24, 2003. Announced Oct 29, 2003. 1.3.28: Tagged July 16, 2003. Announced ?? 1.3.27: Tagged September 30, 2002. Announced Oct 3, 2002. 1.3.26: Tagged June 18, 2002. 1.3.25: Tagged June 17, 2002. Not released. 1.3.24: Tagged Mar 21, 2002. Announced Mar 22, 2002. 1.3.23: Tagged Jan 21, 2002. 1.3.22: Tagged Oct 8, 2001. Announced Oct 12, 2001. 1.3.21: Not released. (Pulled for htdocs/manual config mismatch. t/r Oct 5, 2001) 1.3.20: Tagged and rolled May 15, 2001. Announced May 21, 2001. 1.3.19: Tagged and rolled Feb 26, 2001. Announced Mar 01, 2001. 1.3.18: Tagged and rolled Not released. (Pulled because of an incorrect unescaping fix. t/r Feb 19, 2001) 1.3.17: Tagged and rolled Jan 26, 2001. Announced Jan 29, 2001. 1.3.16: Not released. (Pulled because of vhosting bug. t/r Jan 20, 2001) 1.3.15: Not released. (Pulled due to CVS dumping core during the tagging when it reached src/os/win32/) 1.3.14: Tagged and Rolled Oct 10, 2000. Released/announced on the 13th. 1.3.13: Not released. (Pulled in the "first minutes" due to a Netware build bug) 1.3.12: Tagged and rolled Feb. 23, 2000. Released/announced on the 25th. 1.3.11: Tagged and rolled Jan. 19, 2000. Released/announced on the 21st. 1.3.10: Not released. (Pulled at "last minute" due to a build bug in the MPE port) 1.3.9: Tagged and rolled on Aug. 16, 1999. Released and announced on 19th. 1.3.8: Not released. 1.3.7: Not released. 1.3.6: Tagged and rolled on Mar. 22, 1999. Released and announced on 24th. 1.3.5: Not released. 1.3.4: Tagged and rolled on Jan. 9, 1999. Released on 11th, announced on 12th. 1.3.3: Tagged and rolled on Oct. 7, 1998. Released on 9th, announced on 10th. 1.3.2: Tagged and rolled on Sep. 21, 1998. Announced and released on 23rd. 1.3.1: Tagged and rolled on July 19, 1998. Announced and released. 1.3.0: Tagged and rolled on June 1, 1998. Announced and released on the 6th. 2.0 : Available for general use, see httpd-2.0 repository ** THIS BRANCH IS CLOSED TO DEVELOPMENT AND MAINTENANCE ** POST-RETIREMENT SECURITY PATCHES: (for distribution in the official patches directory) *) CVE-2011-3368/CVE-2011-4317 http://people.apache.org/~trawick/1.3-CVE-2011-4317-r1235443.patch +1: trawick, wrowe *) CVE-2012-0053 http://people.apache.org/~trawick/1.3-CVE-2012-0053-r1234837.patch +1: trawick, wrowe, rjung trawick: I'll update the security doc once I get an idea of whether or not a patch will be made available. UNADDRESSED ISSUES: *) mod_rewrite on Win32: change the mutex mechanism for RewriteLog to something more reliable; Apache on Win32 will often exit(1) currently if RewriteLog is enabled Patch is here: http://people.apache.org/~colm/mod_rewrite-win32loglock.diff Message-ID: <1404e5910504010716389dd7da@mail.gmail.com> From: Eric Covener Subject: [1.3 PATCH] Win32 RewriteLog deadlock +1: trawick, wrowe, colm (tested on XP and Vista, but not 9x). *) mod_log_config: Cleanup log_header_out function to allow multiple headers like Set-Cookie to be logged properly. PR 27787 http://people.apache.org/~colm/mod_log_config.diff jerenkrantz asks: Isn't this what apr_table_merge is for? nd replies: yep. But cookies won't be merged, because browsers don't support it. jerenkrantz: Couldn't we copy the table and merge the values somehow? This just seems like a lot of code to duplicate what we have already. *shrug* +1: colm * backport fix for mod_log_config logging "0" for %b [1.3 PATCH] backport 2.0 fix to log "-" for %b... Message-ID: +1: trawick, nd * mod_whatkilledus: log the address of active request_rec and/or conn_rec (if any); this provides a head start to coredump analysis; this updates Apache 1.3 to the level of code I've been giving out for some time http://www.apache.org/~trawick/whatkilledus.txt +1: trawick. colm * PR: 27023 Cookie could not delivered if the cookie made before proxy module. * isn't ap_die() broken with recognizing recursive errors Message-Id: <3F8C56E3.8050501@attglobal.net> +1: jeff, jim * Current vote on 3 PRs for inclusion: Bugz #17877 (passing chunked encoding thru proxy) (still checking if RFC compliant... vote is on the correctness of the patch code only). +1: jim, chuck, minfrin Bugz #9181 (Unable to set headers on non-2XX responses) +1: Martin, Jim Gnats #10246 (Add ProxyConnAllow directive) +0: Martin (or rather -.5, see dev@ Message <20020529215048.A56015@deejai2.mch.fsc.net>) * htpasswd.c and htdigest.c use tmpnam()... consider using mkstemp() when available. Message-ID: Status: * Dean's "unescaping hell" (unescaping the various URI components at the right time and place, esp. unescaping the host name). Message-ID: Status: * Martin observed a core dump because a ipaddr_chain struct contains a NULL-"server" pointer when being dereferenced by invoking "httpd -S". Message-ID: <20010213231854.A20932@deejai2.mch.fsc.net> Status: Workaround enabled. Clean solution can come after 1.3.19 * long pathnames with many components and no AllowOverride None Workaround is to define with AllowOverride None, which is something all sites should do in any case. Status: Marc was looking at it. (Will asks 'wasn't this patched?') * Ronald Tschalär's patch to mod_proxy to allow other modules to set headers too (needed by mod_auth_digest) Message-ID: <199907080712.JAA28269@chill.innovation.ch> Status: Available Patches (Most likely, will be ported to 2.0 as appropriate): * A rewrite of ap_unparse_uri_components() by Jeffrey W. Baker to more fully close some segfault potential. Message-ID: Status: Jim +1 (for 1.3.19), Martin +0 * Andrew Ford's patch (1999/12/05) to add absolute times to mod_expires Message-ID: Status: Martin +1, Jim +1, Ken +1 (on concept) * Raymond S Brand's path to mod_autoindex to fix the header/readme include processing so the envariables are correct for the included documents. (Actually, there are two variants in the patch message, for two different ways of doing it.) Message-ID: <384AA242.B93F8B5@rsbx.net> Status: Martin +1(concept) * Jayaram's patch (10/27/99) for bugfix to mod_autoindex IndexIgnore should hide the files with this file- extension in directory listings. This was NOT happening because the total filename was being compared with the file-extension. Status: Martin +1(untested), Ken +1(untested) * Salvador Ortiz Garcia ' patch to allow DirectoryIndex to refer to URIs for non-static resources. MID: Status: Ken +1 (on concept), Lars +1 (on concept) * Brian Havard's patch to remove dependency of mod_auth_dbm on mod_auth. (PR#2598) Message-ID: <199905170830.SAA31549@silk.apana.org.au> Status: Lars +1 (on concept), Ken +1 (on concept), Martin +1(untested) * Aidan Cully's patch to allow assignment of 'ownership' of resources to either the server UID or the file's owner. Message-ID: <37306CB4.8EA9D76C@Golux.Com> Status: Ken +1, Dean +1, Randy +1, Lars +0, Jim +1 In progress: Needs patch: * get_path_info bug; ap_get_remote_host should be ap_vformatter instead. See: * URI issues - RFC2068 requires a server to recognize its own IP addr(s) in dot notation, we do this fine if the user follows the dns-caveats documentation... we should handle it in the case the user doesn't ever supply a dot-notation address. * Problems dealing with .-rooted domain names such as "twinlark." versus "twinlark.arctic.org.". See the thread containing Message-ID: <19980203211817.06723@deejai.mch.sni.de> for more details. In particular this affects the correctness of the proxy and the vhost mechanism. * proxy_*_canon routines use r->proxyreq incorrectly. See Open issues: * Should we provide a way to force CustomError responses past IE's 'prettify-if-less-than-N-bytes' bogosity? * general/3787: SERVER_PORT is always 80 if client comes to any port => needs review by the protocol guys, I think. * All DBMs suffer from confusion in dbmmanage (perl script) since the dbmmanage creates in the first-matched dbm format. This is not necessarily the library that Apache was built with. Aught to rewrite dbmmanage with the proper library for clean administration. * Marc's socket options like source routing (kill them?) Marc, Martin say Yes * In ap_bclose() there's no test that (fb->fd != -1) -- so it's possible that it'll do something completely bogus when it's used for read-only things. - Dean Gaudet * Roy's HTTP/1.1 Wishlist items: 1) byte range error handling * use of spawnvp in uncompress_child in mod_mime_magic - doesn't use the new child_info structure, is this still safe? Needs to be looked at. * suexec doesn't understand argv parameters; e.g. fails even when "ls" is in the same directory because suexec is trying to stat a file called "ls -l". A patch for this is available at http://www.xnet.com/~emarshal/suexec.diff and it's not bad except that it doesn't handle programs with spaces in the filename (think win32, or samba-mounted filesystems). There are several PR's to this and I don't see for security reasons why we can't accomodate it, though it does add complexity to suexec.c. Accepting quoted executable names solves that issue, except that the exec cmd="" parsing needs to accept escaped quotes. PR #1120 Brian: +1 Status: Already resolved in Apache 2.0 - exec is defined as passing the cmd="" argument as argv[0], which means it is -only- the file name to execute (with spaces allowed in the name.) Win32/Netware specific issues: * mod_rewrite's cache isn't threadsafe, needs a mutex on Win32/Netware (and OS/2?) * apparently either "BrowserMatch" or the "nokeepalive" variable cause instability - see PR#1729.