branches/2.0.x/CHANGES

                                                         -*- coding: utf-8 -*-
Changes with Apache 2.0.64

  *) SECURITY: CVE-2008-2939 (cve.mitre.org)
     mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
     the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]

  *) Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass 
     through on a 304 response.  [Nick Kew]

Changes with Apache 2.0.63

  *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
     to /Device/Nul as the server is starting up, mirroring unix MPM's.
     PR: 43534  [Tom Donovan <Tom.Donovan acm.org>, William Rowe]

  *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
     by recreating the bucket allocator each time the trans pool is cleared.
     PR: 11427 #16 (follow-on)  [Tom Donovan <Tom.Donovan acm.org>]

Changes with Apache 2.0.62 (not released)

  *) SECURITY: CVE-2007-6388 (cve.mitre.org)
     mod_status: Ensure refresh parameter is numeric to prevent
     a possible XSS attack caused by redirecting to other URLs. 
     Reported by SecurityReason.  [Mark Cox, Joe Orton]

  *) SECURITY: CVE-2007-5000 (cve.mitre.org)
     mod_imap: Fix a cross-site scripting issue.  Reported by JPCERT.
     [Joe Orton]

  *) Introduce the ProxyFtpDirCharset directive, allowing the administrator
     to identify a default, or specific servers or paths which list their
     contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]

  *) log.c: Ensure Win32 resurrects its lost robust logger processes.
     [William Rowe]

  *) mpm_winnt: Eliminate wait_for_many_objects.  Allows the clean 
     shutdown of the server when the MaxClients is higher then 257,
     in a more responsive manner [Mladen Turk, William Rowe]

  *) Add explicit charset to the output of various modules to work around
     possible cross-site scripting flaws affecting web browsers that do not
     derive the response character set as required by  RFC2616.  One of these
     reported by SecurityReason [Joe Orton]

  *) http_protocol: Escape request method in 405 error reporting.
     This has no security impact since the browser cannot be tricked
     into sending arbitrary method strings.  [Jeff Trawick]

  *) http_protocol: Escape request method in 413 error reporting.
     Determined to be not generally exploitable, but a flaw in any case.
     PR 44014 [Victor Stinner <victor.stinner inl.fr>]

Changes with Apache 2.0.61

  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
     mod_proxy: Prevent reading past the end of a buffer when parsing
     date-related headers.  PR 41144.
     [Davi Arnaut, Nick Kew]

  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
     mod_cache: Prevent segmentation fault if a Cache-Control header has
     no value.  [Niklas Edmundsson <nikke acc.umu.se>]

  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
     mod_status: Fix a possible XSS attack against a site with a public
     server-status page and ExtendedStatus enabled, for browsers which
     perform charset "detection".  Reported by Stefan Esser.  [Joe Orton]

  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
     prefork, worker MPMs: Ensure that the parent process cannot
     be forced to kill processes outside its process group. 
     [Joe Orton, Jim Jagielski]

  *) mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as synonymous.
     PR 43183 [Brian Rectanus <Brian.Rectanus breach.com>, Vincent Bray]

  *) log core: ensure we use a special pool for stderr logging, so that
     the stderr channel remains valid from the time plog is destroyed,
     until the time the open_logs hook is called again.  [William Rowe]

  *) mod_ssl: Version reporting update; displays 'compiled against'
     Apache and build-time SSL Library versions at loglevel [info],
     while reporting the run-time SSL Library version in the server
     info tags.  Helps to identify a mod_ssl built against one flavor
     of OpenSSL but running against another (also adds SSL-C version
     number reporting.)  [William Rowe]

  *) mod_autoindex: Add in Type and Charset options to IndexOptions
     directive. This allows the admin to explicitly set the 
     content-type and charset of the generated page and is therefore
     a viable workaround for buggy browsers affected by CVE-2007-4465
     (cve.mitre.org). [Jim Jagielski]

  *) main core: Emit errors during the initial apr_app_initialize()
     or apr_pool_create() (when apr-based error reporting is not ready).
     [William Rowe, Jeff Trawick]

  *) log core: Fix issue which could cause piped loggers to be orphaned 
     and never terminate after a graceful restart. PR 40651. [Joe Orton, 
     Ruediger Pluem]

  *) log core: fix the new piped logger case where we couldn't connect 
     the replacement stderr logger's stderr to the NULL stdout stream.  
     Continue in this case, since the previous alternative of no error 
     logging at all (/dev/null) is far worse. [William Rowe]

  *) mpm_winnt: Prevent the parent-child pipe from leaking into other
     spawned processes, and ensure we have a /Device/null handle for
     stdout when running as-a-service.  [William Rowe]

  *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]

  *) mod_so: Solve dev's confusion by reporting expected/seen module
     magic signatures when failing with a 'garbled' message, and solve
     user's confusion by pointing out 'perhaps compiled for a different
     version of apache?'.  [William Rowe]

  *) mod_ssl: initialize thread locks before initializing the hardware
     acceleration library, so the latter can make use of the former. 
     PR 20951. [<adunn ncipher.com>]

  *) mod_ssl: Support limited buffering of request bodies to allow 
     per-location renegotiation to proceed.  PR 12355.  [Joe Orton]

  *) mod_cgi, mod_cgid: Don't return apr_status_t error value
     from input filter chain. PR 31759 (mutated). [Jo Rhett,
     Nick Kew]

  *) htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
     [Jeff Trawick]

  *) proxy_http.c: Overlay existing cookies with proxied ones, ala
     httpd-2.2. [Jim Jagielski]

  *) mod_proxy: ProxyTimeout (and others) ignored due to not merging
     the *_set params. PR 11540. [Jim Jagielski]

  *) mod_isapi: Correctly present SERVER_PORT_SECURE.
     PR 40573.  [Matt Eaton <asf divinehawk.com>]

  *) mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH
     support.  Also corrects the slashes for Windows.  PR 15993. [William Rowe]

  *) mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly, the
     token parser worked while the resulting length was misinterpreted.
     PR 29098.  [Brock Bland <bbland serena.com>]

  *) mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade
     attempts to stream the response at the client.  Log these as well.
     PR 30022, 40470.  [William Rowe, Matt Eaton <asf divinehawk.com>]

  *) mod_isapi: Ensure we walk through all the methods the developer may have
     employed to report their HTTP status result code.
     PR 16637 30033 28089.  [Matt Lewandowsky <matt iamcode.net>, William Rowe]

There was no 2.0.60

Changes with Apache 2.0.59

  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
     handling.  For some RewriteRules this could lead to a pointer being
     written out of bounds.  Reported by Mark Dowd of McAfee.
     [Mark Cox]

  *) Win32: Minor fixes to build more cleanly under Visual Studio 2005
     from the command line build.  [William Rowe]

Changes with Apache 2.0.58

  *) Legal: Restored original years in copyright notices.
     [Colm MacCarthaigh]

Changes with Apache 2.0.57

  *) mod_cgid: run the get_suexec_identity hook within the request-handler
     instead of within cgid. PR 36410. [Colm MacCarthaigh] 

  *) core: Prevent read of unitialized memory in ap_rgetline_core. PR 39282.
     [Davi Arnaut <davi haxent.com.br>]

  *) mod_proxy: Report the proxy server name correctly in the "Via:" header,
     when UseCanonicalName is Off. PR 11971. [Martin Kraemer]

  *) mod_isapi: Various trivial code-fixes to permit mod_isapi to load and
     run on Unix. [William Wrowe]

  *) HTML-escape the Expect error message.  Not classed as security as
     an attacker has no way to influence the Expect header a victim will
     send to a target site.  Reported by Thiago Zaninotti
     <thiango nstalker.com>. [Mark Cox]

Changes with Apache 2.0.56

  *) SECURITY: CVE-2005-3357 (cve.mitre.org)
     mod_ssl: Fix a possible crash during access control checks if a
     non-SSL request is processed for an SSL vhost (such as the
     "HTTP request received on SSL port" error message when an 400
     ErrorDocument is configured, or if using "SSLEngine optional").
     PR 37791.  [Rüdiger Plüm, Joe Orton]

  *) SECURITY: CVE-2005-3352 (cve.mitre.org)
     mod_imap: Escape untrusted referer header before outputting in HTML
     to avoid potential cross-site scripting.  Change also made to
     ap_escape_html so we escape quotes.  Reported by JPCERT.
     [Mark Cox]

  *) Add APR/APR-Util Compiled and Runtime Version numbers to the
     output of 'httpd -V'. [William Rowe]

  *) Ensure that the proper status line is written to the client, fixing
     incorrect status lines caused by filters which modify r->status without 
     resetting r->status_line, such as the built-in byterange filter.
     [Jeff Trawick]

  *) Default handler: Don't return output filter apr_status_t values.
     PR 31759.  [Jeff Trawick, Ruediger Pluem, Joe Orton]

  *) mod_speling: Stop crashing with certain non-file requests.  
     [Jeff Trawick]

  *) keep the Content-Length header for a HEAD with no response body.
     PR 18757 [Greg Ames]
 
  *) Modify apr[util] .h detection to avoid breakage on VPATH builds
     using Solaris make (amoung others) and avoid breakage in ./buildconf
     when srclib/apr[-util] are symlinks rather than directories proper.
     [William Rowe]

  *) Avoid server-driven negotiation when a CGI script has emitted an 
     explicit "Status:" header. PR 38070.  [Nick Kew]

  *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
     format is used. PR 27787.  [André Malo]

  *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs.  PR 34264.
     [Justin Erenkrantz]

  *) mod_cache: Correctly handle responses with a 301 status. PR 37347. 
     [Paul Querna]

  *) mod_proxy_http: Prevent data corruption of POST request bodies when
     client accesses proxied resources with SSL. PR 37145.
     [Ruediger Pluem, William Rowe]    

  *) Eliminated the NET_TIME filter, restructuring the timeout logic.
     This provides a working mod_echo on all platforms, and ensures any
     custom protocol module is at least given an initial timeout value
     based on the <VirtualHost > context's Timeout directive.
     [William Rowe]  

  *) mod_ssl: Correct issue where mod_ssl does not pick up the 
     ssl-unclean-shutdown setting when configured. PR 34452. [Joe Orton]

  *) Document the ReceiveBufferSize change done in r157583.
     [Murray Nesbitt <murray cpan.org>]

  *) mod_deflate: Merge the Vary header, instead of Setting it. Fixes
     applications that send the Vary Header themselves. PR 37559. 
     [Paul Querna]

  *) mod_dav: Fix a null pointer dereference in an error code path during the
     handling of MKCOL. [Ghassan Misherghi <ghassanm ucdavis.edu>]

  *) mod_mime_magic: Handle CRLF-format magic files so that it works with
     the default installation on Windows.  [Jeff Trawick]

  *) Write message to error log if AuthGroupFile cannot be opened.
     PR 37566.  [Rüdiger Plüm]

  *) Add ReceiveBufferSize directive to control the TCP receive buffer.
     [Eric Covener <covener gmail.com>]

  *) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125.
     [Paul Querna]

  *) Remove the base href tag from proxy_ftp, as it breaks relative
     links for clients not using an Authorization header. [Graham Leggett,
     Jon Snow <jsnow27 gatesec.net>]

  *) http_request.c: Add missing va_end call. [André Malo]

  *) Add httxt2dbm to support/ for creating RewriteMap DBM Files.
     [Paul Querna]

  *) support/check_forensic: Fix temp file usage
     [Javier Fernandez-Sanguino Pen~a <jfs computer.org>]

  *) Chunk filter: Fix chunk filter to create correct chunks in the case that
     a flush bucket is surrounded by data buckets. [Ruediger Pluem]

  *) mod_cgi(d): Remove block on OPTIONS method so that scripts can
     respond to OPTIONS directly rather than via server default.
     [Roy Fielding] PR 15242

  *) Added new module mod_version, which provides version dependent
     configuration containers.  [André Malo]

  *) Add core version query function (ap_get_server_revision) and
     accompanying ap_version_t structure (minor MMN bump).
     [André Malo]

Changes with Apache 2.0.55

  *) SECURITY: CVE-2005-2700 (cve.mitre.org)
     mod_ssl: Fix a security issue where "SSLVerifyClient" was not
     enforced in per-location context if "SSLVerifyClient optional"
     was configured in the vhost configuration.  [Joe Orton]

  *) SECURITY: CVE-2005-2970 (cve.mitre.org)
     worker MPM: Fix a memory leak which can occur after an aborted
     connection in some limited circumstances.  [Greg Ames]

  *) mod_ldap: Fix PR 36563. Keep track of the number of attributes
     retrieved from LDAP so that all of the values can be properly 
     cached even if the value is NULL. 
     [Brad Nicholes, Ondrej Sury <ondrej sury.org>]
       
  *) SECURITY: CVE-2005-2491 (cve.mitre.org): 
     Fix integer overflows in PCRE in quantifier parsing which could
     be triggered by a local user through use of a carefully-crafted 
     regex in an .htaccess file.  [Philip Hazel]

  *) SECURITY: CVE-2005-2088 (cve.mitre.org)
     proxy: Correctly handle the Transfer-Encoding and Content-Length
     headers.  Discard the request Content-Length whenever T-E: chunked
     is used, always passing one of either C-L or T-E: chunked whenever 
     the request includes a request body.  Resolves an entire class of
     proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]

  *) Added TraceEnable [on|off|extended] per-server directive to alter
     the behavior of the TRACE method.  This addresses a flaw in proxy
     conformance to RFC 2616 - previously the proxy server would accept
     a TRACE request body although the RFC prohibited it.  The default
     remains 'TraceEnable on'.  [William Rowe]

  *) Add ap_log_cerror() for logging messages associated with particular
     client connections.  [Jeff Trawick]

  *) Correct mod_cgid's argv[0] so that the full path can be delved by the
     invoked cgi application, to conform to the behavior of mod_cgi.
     [Pradeep Kumar S <pradeep.smani gmail.com>]

  *) mod_include: Fix possible environment variable corruption when 
     using nested includes.  PR 12655.  [Joe Orton]

  *) Support the suppress-error-charset setting, as with Apache 1.3.x.
     PR 31274.  [Jeff Trawick]

  *) EBCDIC: Handle chunked input from client or, with proxy, origin
     server.  [Jeff Trawick]

  *) Fix bad globbing comparison which could result in getting
     a directory listing when a file was requested. PR 34512.
     [sean <infamous41md hotmail.com>]

  *) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
     was called even if mod_auth_ldap_check_user_id() was not
     (or if it didn't succeed) for non-authoritative cases.
     [Jim Jagielski]

  *) SECURITY: CVE-2005-2728 (cve.mitre.org)
     Fix cases where the byterange filter would buffer responses
     into memory.  PR 29962.  [Joe Orton]

  *) mod_proxy: Fix over-eager handling of '%' for reverse proxies.
     PR 15207.  [Jim Jagielski]

  *) mod_ldap: Fix various shared memory cache handling bugs.
     PR 34209.  [Joe Orton]

  *) Fix a file descriptor leak when starting piped loggers.  PR 33748. 
     [Joe Orton]

  *) mod_ldap: Avoid segfaults when opening connections if using a version
     of OpenLDAP older than 2.2.21.  PR 34618.  [Brad Nicholes]

  *) mod_ssl: Fix build with OpenSSL 0.9.8.  PR 35757.  [William Rowe]

  *) SECURITY: CVE-2005-2088 (cve.mitre.org)
     core: If a request contains both Transfer-Encoding and Content-Length
     headers, remove the Content-Length, mitigating some HTTP Request 
     Splitting/Spoofing attacks.  [Paul Querna, Joe Orton]

  *) proxy HTTP: If a response contains both Transfer-Encoding and a 
     Content-Length, remove the Content-Length and don't reuse the
     connection, mitigating some HTTP Response Splitting attacks.
     [Jeff Trawick]

  *) Prevent hangs of child processes when writing to piped loggers at
     the time of graceful restart.  PR 26467.  [Jeff Trawick]

  *) SECURITY: CVE-2005-1268 (cve.mitre.org)
     mod_ssl: Fix off-by-one overflow whilst printing CRL information
     at "LogLevel debug" which could be triggered if configured 
     to use a "malicious" CRL.  PR 35081.  [Marc Stern <mstern csc.com>]

  *) mod_userdir: Fix possible memory corruption issue.  PR 34588.
     [David Leonard <dleonard vintela.com>]

  *) worker mpm: don't take down the whole server for a transient
     thread creation failure. PR 34514 [Greg Ames]
  
  *) mod_rewrite: use buffered I/O to improve performance with large
     RewriteMap txt: files.  [Greg Ames]

  *) proxy HTTP: Rework the handling of request bodies to handle
     chunked input and input filters which modify content length, and
     avoid spooling arbitrary-sized request bodies in memory.
     PR 15859.  [Jeff Trawick]

Changes with Apache 2.0.54

  *) mod_cache: Add CacheIgnoreHeaders directive.  PR 30399.
     [Rüdiger Plüm <r.pluem t-online.de>]

  *) mod_ldap: Added the directive LDAPConnectionTimeout to configure
     the ldap socket connection timeout value.  
     [Brad Nicholes]

  *) Correctly export all mod_dav public functions.
     [Branko Čibej <brane xbc.nu>]

  *) Add a build script to create a solaris package. [Graham Leggett]

  *) worker MPM: Fix a problem which could cause httpd processes to
     remain active after shutdown.  [Jeff Trawick]

  *) Unix MPMs: Shut down the server more quickly when child processes are
     slow to exit.  [Joe Orton, Jeff Trawick]

  *) Remove formatting characters from ap_log_error() calls.  These
     were escaped as fallout from CVE-2003-0020.
     [Eric Covener <ecovener gmail.com>]

  *) mod_ssl: If SSLUsername is used, set r->user earlier.  PR 31418.
     [David Reid]

  *) htdigest: Fix permissions of created files.  PR 33765.  [Joe Orton]

  *) core_input_filter: Move buckets to a persistent brigade instead of
     creating a new brigade. This stop a memory leak when proxying a 
     Streaming Media Server. PR 33382. [Paul Querna]

  *) mod_win32: Ignore both PATH_INFO as well as PATH_TRANSLATED to avoid 
     hiccups from additional path information passed in non-utf-8 format.
     [Richard Donkin <rd9 donkin.org]

Changes with Apache 2.0.53

  *) Fix --with-apr=/usr and/or --with-apr-util=/usr.  PR 29740.
     [Max Bowsher <maxb ukf.net>]

  *) mod_proxy: Fix ProxyRemoteMatch directive.  PR 33170.
     [Rici Lake <rici ricilake.net>]

  *) mod_proxy: Respect errors reported by pre_connection hooks.
     [Jeff Trawick]

  *) --with-module can now take more than one module to be statically
     linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
     If the <modtype>-subdirectory doesn't exist it will be created and
     populated with a standard Makefile.in.  [Erik Abele]

  *) Fix the RPM spec file so that an RPM build now works. An RPM
     build now requires system installations of APR and APR-util.
     Remove some arbitrary moving around of binaries - the RPM now
     maps to the ASF build of httpd.
     [Graham Leggett]

  *) mod_dumpio, an I/O logging/dumping module, added to the
     modules/expermimental subdirectory.  [Jim Jagielski]

  *) mod_auth_ldap: Handle the inconsistent way in which the MS LDAP
     library handles special characters.  PR 24437.  [Jess Holle]

  *) Win32 MPM: Correct typo in debugging output.  [William Rowe]

  *) conf: Remove AddDefaultCharset from the default configuration because
     setting a site-wide default does more harm than good. PR 23421.
     [Roy Fielding]

  *) Add charset to example CGI scripts.  [Roy Fielding]

  *) mod_ssl: fail quickly if SSL connection is aborted rather than
     making many doomed ap_pass_brigade calls.  PR 32699.  [Joe Orton]

  *) Remove compiled-in upper limit on LimitRequestFieldSize.
     [Bill Stoddard]

  *) Start keeping track of time-taken-to-process-request again for
     mod_status if ExtendedStatus is enabled. [Jim Jagielski]

  *) mod_proxy: Handle client-aborted connections correctly.  PR 32443.
     [Janne Hietamäki, Joe Orton]

  *) Fix handling of files >2Gb on all platforms (or builds) where
     apr_off_t is larger than apr_size_t.  PR 28898.  [Joe Orton]

  *) mod_include: Fix bug which could truncate variable expansions
     of N*64 characters by one byte.  PR 32985.  [Joe Orton]

  *) Correct handling of certain bucket types in ap_save_brigade, fixing
     possible segfaults in mod_cgi with #include virtual.  PR 31247.
     [Joe Orton]

  *) Allow for the use of --with-module=foo:bar where the ./modules/foo
     directory is local only. Assumes, of course, that the required
     files are in ./modules/foo, but makes it easier to statically
     build/log "external" modules.  [Jim Jagielski]

  *) Util_ldap: Implemented the util_ldap_cache_getuserdn() API so that 
     ldap authorization only modules have access to the util_ldap 
     user cache without having to require ldap authentication as well.  
     PR 31898.  [Jari Ahonen jah progress.com, Brad Nicholes]

  *) mod_auth_ldap: Added the directive "Requires ldap-attribute" that
     allows the module to only authorize a user if the attribute value
     specified matches the value of the user object. PR 31913
     [Ryan Morgan <rmorgan pobox.com>]

  *) SECURITY: CVE-2004-0942 (cve.mitre.org)
     Fix for memory consumption DoS in handling of MIME folded request
     headers.  [Joe Orton]

  *) SECURITY: CVE-2004-0885 (cve.mitre.org)
     mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
     bypassed during an SSL renegotiation.  PR 31505.  
     [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]

  *) mod_ssl: Fail at startup rather than segfault at runtime if a
     client cert is configured with an encrypted private key.
     PR 24030.  [Joe Orton]

  *) apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448
     [Joe Orton]

  *) mod_ldap: Fix format strings to use %APR_PID_T_FMT instead of %d.
     [Jeff Trawick]
 
  *) mod_cache: CacheDisable will only disable the URLs it was meant to
     disable, not all caching. PR 31128.
     [Edward Rudd <eddie omegaware.com>, Paul Querna]

  *) mod_cache: Try to correctly follow RFC 2616 13.3 on validating stale
     cache responses.  [Justin Erenkrantz]

  *) mod_rewrite: Handle per-location rules when r->filename is unset.
     Previously this would segfault or simply not match as expected,
     depending on the platform.  [Jeff Trawick]

  *) mod_rewrite: Fix 0 bytes write into random memory position.
     PR 31036. [André Malo]

  *) mod_disk_cache: Do not store aborted content.  PR 21492.
     [Rüdiger Plüm <r.pluem t-online.de>]

  *) mod_disk_cache: Correctly store cached content type.  PR 30278.
     [Rüdiger Plüm <r.pluem t-online.de>]

  *) mod_ldap: prevent the possiblity of an infinite loop in the LDAP
     statistics display. PR 29216. [Graham Leggett]

  *) mod_ldap: fix a bogus error message to tell the user which file
     is causing a potential problem with the LDAP shared memory cache.
     PR 31431 [Graham Leggett]

  *) SECURITY: CVE-2004-1834 (cve.mitre.org)
     mod_disk_cache: Do not store hop-by-hop headers.  [Justin Erenkrantz]

  *) Fix the re-linking issue when purging elements from the LDAP cache
     PR 24801.  [Jess Holle <jessh ptc.com>]
      
  *) mod_disk_cache: Fix races in saving responses.  [Justin Erenkrantz]

  *) Fix Expires handling in mod_cache.  [Justin Erenkrantz]

  *) Alter mod_expires to run at a different filter priority to allow
     proper Expires storage by mod_cache.  [Justin Erenkrantz]

Changes with Apache 2.0.52

  *) Use HTML 2.0 <hr> for error pages. PR 30732 [André Malo]

  *) Fix the global mutex crash when the global mutex is never allocated
     due to disabled/empty caches. [Jess Holle <jessh ptc.com>]

  *) Fix a segfault in the LDAP cache when it is configured switched
     off. [Jess Holle <jessh ptc.com>]

  *) SECURITY: CVE-2004-0811 (cve.mitre.org)
     Fix merging of the Satisfy directive, which was applied to
     the surrounding context and could allow access despite configured
     authentication.  PR 31315.  [Rici Lake <rici ricilake.net>]

  *) Fix the handling of URIs containing %2F when AllowEncodedSlashes
     is enabled.  Previously, such urls would still be rejected.
     [Jeff Trawick, Bill Stoddard]

  *) mod_mem_cache: Fixed race condition causing segfault because of memory being
     freed twice, or reused after being freed.
     [J. Clar, W. Stoddard, G. Ames]
    
  *) Add -l option to rotatelogs to let it use local time rather than
     UTC.  PR 24417.  [Ken Coar, Uli Zappe <uli ritual.org>]

  *) mod_log_config: Fix a bug which prevented request completion time
     from being logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
     processing.  PR 29696.  [Alois Treindl <alois astro.ch>]

Changes with Apache 2.0.51

  *) SECURITY: CVE-2004-0786 (cve.mitre.org)
     Fix an input validation issue in apr-util which could be
     triggered by malformed IPv6 literal addresses.  [Joe Orton]

  *) SECURITY: CVE-2004-0747 (cve.mitre.org)
     Fix buffer overflow in expansion of environment variables in
     configuration file parsing.  [André Malo]

  *) SECURITY: CVE-2004-0809 (cve.mitre.org)
     mod_dav_fs: Fix a segfault in the handling of an indirect lock
     refresh.  PR 31183.  [Joe Orton]

  *) mod_include no longer checks for recursion, because that's done
     in the core. This allows for careful usage of recursive SSI.
     [André Malo]

  *) Fix memory leak in the cache handling of mod_rewrite. PR 27862.
     [chunyan sheng <shengperson yahoo.com>, André Malo]

  *) Include directives no longer refuse to process symlinks on
     directories. Instead there's now a maximum nesting level
     of included directories (128 as distributed). This is configurable
     at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch.
     PR 28492.  [André Malo]

  *) Win32: apache -k start|restart|install|config can leave stranded
     piped logger processes (eg, rotatelogs.exe) due to improper
     server shutdown on these code paths.
     [Bill Stoddard]

  *) SECURITY: CVE-2004-0751 (cve.mitre.org)
     mod_ssl: Fix a segfault in the SSL input filter which could be
     triggered if using "speculative" mode, for instance by a 
     proxy request to an SSL server.  PR 30134.  [Joe Orton]

  *) mod_rewrite: Add %{SSL:...} and %{HTTPS} variable lookups.
     PR 30464.  [Joe Orton, Madhusudan Mathihalli]

  *) mod_ssl: Add new 'ssl_is_https' optional function.  [Joe Orton]

  *) Prevent CGI script output which includes a Content-Range header
     from being passed through the byterange filter.  [Joe Orton]

  *) Satisfy directives now can be influenced by a surrounding <Limit>
     container.  PR 14726.  [André Malo]

  *) mod_rewrite now officially supports RewriteRules in <Proxy> sections.
     PR 27985.  [André Malo]

  *) mod_disk_cache: Implement binary format for on-disk header files.
     [Brian Akins <bakins web.turner.com>, Justin Erenkrantz]

  *) mod_disk_cache: Optimize network performance of disk cache subsystem by
     allowing zero-copy (sendfile) writes and other miscellaneous fixes.
     [Justin Erenkrantz]

  *) mod_cache, mod_disk_cache, mod_mem_cache: Refactor cache modules, and
     switch to the provider API instead of hooks.  [Justin Erenkrantz]

  *) mod_autoindex: Don't truncate the directory listing if a stat()
     call fails (for instance on a >2Gb file).  PR 17357.
     [Joe Orton]

  *) Makefile fix: httpd is linked against LIBS given to the
     'make' invocation.  PR 7882.  [Joe Orton]

  *) WinNT MPM: Fix a broken log message at termination.  PR 28063.
     [Eider Oliveira <eider bol.com.br>]

  *) Prevent Win32 pool corruption at startup [Allan Edwards]

  *) mod_ssl: Add "SSLUserName" directive to set r->user based on a
     chosen SSL environment variable.  PR 20957. 
     [Martin v. Loewis <martin v.loewis.de>]

  *) suexec: Pass the SERVER_SIGNATURE envvar through to CGIs.
     [Zvi Har'El <rl math.technion.ac.il>]

  *) apachectl: Fix a problem finding envvars if sbindir != bindir.
     PR 30723.  [Friedrich Haubensak <hsk imb-jena.de>]

  *) mod_ssl: Build on RHEL 3.  PR 18989.  [Justin Erenkrantz]

  *) SECURITY: CVE-2004-0748 (cve.mitre.org)
     mod_ssl: Fix a potential infinite loop.  PR 29964.  [Joe Orton]

  *) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb.
     PR 18989.  [Joe Orton]

  *) mod_userdir: Ensure that the userdir identity is used for
     suexec userdir access in a virtual host which has suexec configured.  
     PR 18156.  [Joshua Slive]

  *) mod_rewrite no longer confuses the RewriteMap caches if
     different maps defined in different virtual hosts use the
     same map name. PR 26462.  [André Malo]

  *) mod_setenvif: Remove "support" for Remote_User variable which
     never worked at all. PR 25725.  [André Malo]

  *) Backport from 2.1 / Regression from 1.3: mod_headers now knows
     again the functionality of the ErrorHeader directive. But instead
     using this misnomer additional flags to the Header directive were
     introduced ("always" and "onsuccess", defaulting to the latter).
     PR 28657.  [André Malo]

  *) Use the higher performing 'httpready' Accept Filter on all platforms 
     except FreeBSD < 4.1.1. [Paul Querna]

  *) mod_usertrack: Escape the cookie name before pasting into the
     regexp.  [André Malo]

  *) Extend the SetEnvIf directive to capture subexpressions of the
     matched value.  [André Malo]

  *) Recursive Include directives no longer crash. The server stops
     including configuration files after a certain nesting level (128
     as distributed). This is configurable at compile time using the
     -DAP_MAX_INCLUDE_DEPTH switch. PR 28370.  [André Malo]

  *) mod_dir: the trailing-slash behaviour is now configurable using the
     DirectorySlash directive.  [André Malo]

  *) Allow proxying of resources that are invoked via DirectoryIndex.
     PR 14648, 15112, 29961.  [André Malo]

  *) util_ldap: Switched the lock types on the shared memory cache 
     from thread reader/writer locks to global mutexes in order to 
     provide cross process cache protection. [Brad Nicholes]
     
  *) util_ldap: Reworked the cache locking scheme to eliminate duplicate 
     cache entries in the credentials cache due to race conditions.
     [Brad Nicholes]
     
  *) util_ldap: Enhanced the util_ldap cache-info display to show more 
     detail about the contents and current state of the cache. 
     [Brad Nicholes]
     
  *) Enable the option to support anonymous shared memory in mod_ldap.
     This makes the cache work on Linux again. [Graham Leggett]

  *) Enable special ErrorDocument value 'default' which restores the
     canned server response for the scope of the directive.
     [Geoffrey Young, André Malo]

  *) work around MSIE Digest auth bug - if AuthDigestEnableQueryStringHack
     is set in r->subprocess_env allow mismatched query strings to pass.
     PR 27758.  [Paul Querna, Geoffrey Young]

  *) Accept URLs for the ServerAdmin directive. If the supplied
     argument is not recognized as an URL, assume it's a mail address.
     PR 28174.  [André Malo, Paul Querna]

  *) initialize server arrays prior to calling ap_setup_prelinked_modules
     so that static modules can push Defines values when registering
     hooks just like DSO modules can ["Philippe M. Chiasson" <gozer cpan.org>]

  *) Small fix to allow reverse proxying to an ftp server. Previously
     an attempt to do this would try and connect to 0.0.0.0, regardless
     of the server specified. PR 24922
     [Pascal Terjan <pterjan@linuxfr.org>]

  *) Add the NOTICE file to the rpm spec file in compliance with the
     Apache v2.0 license. [Graham Leggett]
 
  *) RPM spec file changes: changed default dependancy to link to db4
     instead of db3. Fixed complaints about unpackaged files.
     [Graham Leggett]
 
Changes with Apache 2.0.50

  *) SECURITY: CVE-2004-0493 (cve.mitre.org)
     Close a denial of service vulnerability identified by Georgi
     Guninski which could lead to memory exhaustion with certain
     input data.  [Jeff Trawick]

  *) mod_cgi: Handle output on stderr during script execution on Unix
     platforms; preventing deadlock when stderr output fills pipe buffer.
     Also fixes case where stderr from nph- scripts could be lost.
     PR 22030, 18348.  [Joe Orton, Jeff Trawick]

  *) mod_alias now emits a warning if it detects overlapping *Alias*
     directives.  [André Malo]

  *) mod_rewrite no longer turns forward proxy requests into reverse proxy
     requests. PR 28125  [ast domdv.de, André Malo]

  *) ap_set_sub_req_protocol and ap_finalize_sub_req_protocol are now
     exported on Win32 and Netware as well (minor MMN bump).  PR 28523.
     [Edward Rudd <eddie omegaware.com>, André Malo]

  *) Restore the ability to disable the use of AcceptEx on Win9x systems
     automatically (broken in 2.0.49). PR 28529.  [André Malo]

  *) <VirtualHost myhost> now applies to all IP addresses for myhost
     instead of just the first one reported by the resolver.  This
     corrects a regression since 1.3.  [Jeff Trawick]

  *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved
     against ServerRoot PR#26602 [Brad Nicholes]
       
  *) SECURITY: CVE-2004-0488 (cve.mitre.org)
     mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
     (trusted) client certificate subject DN which exceeds 6K in length.
     [Joe Orton]

  *) mod_dav_fs: Fix MKCOL response for missing parent collections, which 
     caused issues for the Eclipse WebDAV extension.
     PR 29034.  [Joe Orton]

  *) mod_deflate: Fix memory consumption (which was proportional to the
     response size).  PR 29318.  [Joe Orton]

  *) mod_ssl: Log the errors returned on failure to load or initialize
     a crypto accelerator engine.  [Joe Orton]

  *) Allow RequestHeader directives to be conditional. PR 27951.
     [Vincent Deffontaines <vincent gryzor.com>, André Malo]

  *) Allow LimitRequestBody to be reset to unlimited. PR 29106
     [André Malo]

  *) Fix a bunch of cases where the return code of the regex compiler
     was not checked properly. This affects: mod_setenvif, mod_usertrack,
     mod_proxy, mod_proxy_ftp and core. PR 28218.  [André Malo]

  *) mod_ssl: Fix a potential segfault in the 'shmcb' session cache for
     small cache sizes.  PR 27751.  [Geoff Thorpe <geoff geoffthorpe.net>]

  *) Remove 2Gb log file size restriction on some 32-bit platforms.
     PR 13511.  [Joe Orton]

  *) mod_logio no longer removes the EOS bucket. PR 27928.
     [Bojan Smojver <bojan rexursive.com>]

  *) htpasswd no longer refuses to process files that contain empty
     lines.  [André Malo]

  *) Regression from 1.3: At startup, suexec now will be checked for
     availability, the setuid bit and user root. The works only if
     httpd is compiled with the shipped APR version (0.9.5).
     PR 28287.  [André Malo]

  *) Unix MPMs: Stop dropping connections when the file descriptor
     is at least FD_SETSIZE.  [Jeff Trawick]

  *) Fix handling of IPv6 numeric strings in mod_proxy.  [Jeff Trawick]

  *) mod_isapi: send_response_header() failed to copy status string's 
     last character.  PR 20619.  [Jesse Pelton <jsp pkc.com>]

  *) Fix a segfault when requests for shared memory fails and returns
     NULL. Fix a segfault caused by a lack of bounds checking on the
     cache.  PR 24801.  [Graham Leggett]

  *) Throw an error message if an attempt is made to use the LDAPTrustedCA
     or LDAPTrustedCAType directives in a VirtualHost. PR 26390
     [Brad Nicholes]

  *) Fix a potential segfault if the bind password in the LDAP cache
     is NULL.  PR 28250.  [Jari Ahonen <jah progress.com>]

  *) Quotes cannot be used around require group and require dn
     directives, update the documentation to reflect this. Also add
     quotes around the dn and group within debug messages, to make it
     more obvious why authentication is failing if quotes are used in
     error.  PR 19304.  [Graham Leggett]

  *) The Microsoft LDAP SDK escapes filters for us, stop util_ldap
     from escaping filters twice when the backslash character is used.
     PR 24437.  [Jess Holle <jessh ptc.com>]

  *) Overhaul handling of LDAP error conditions, so that the util_ldap_*
     functions leave the connections in a sane state after errors have
     occurred. PR 27748, 17274, 17599, 18661, 21787, 24595, 24683, 27134,
     27271 [Graham Leggett]
                                                                                
  *) mod_ldap calls ldap_simple_bind_s() to validate the user
     credentials.  If the bind fails, the connection is left
     in an unbound state.  Make sure that the ldap connection
     record is updated to show that the connection is no longer
     bound. [Brad Nicholes]

  *) Ensure that lines in the request which are too long are 
     properly terminated before logging.
     [Tsurutani Naoki <turutani scphys.kyoto-u.ac.jp>]

  *) Update the bind credentials for the cached LDAP connection to 
     reflect the last bind.  This prevents util_ldap from creating 
     unnecessary connections rather than reusing cached connections.
     [Brad Nicholes]
     
  *) mod_isapi: GetServerVariable returned improperly terminated header 
     fields given "ALL_HTTP" or "ALL_RAW".  PR 20656.
     [Jesse Pelton <jsp pkc.com>]

  *) mod_isapi: GetServerVariable("ALL_RAW") returned the wrong buffer
     size.  PR 20617.  [Jesse Pelton <jsp pkc.com>]

  *) mod_dav: Fix a problem that could cause crashes when manipulating 
     locks on some platforms.  [Jeff Trawick]

  *) mod_headers no longer crashes if an empty header value should
     be added.  [André Malo]

  *) Fix segfault in mod_expires, which occured under certain
     circumstances. PR 28047.  [André Malo]

  *) htpasswd: use apr_temp_dir_get() and general cleanup
     [Guenter Knauf <eflash gmx.net>, Thom May]

  *) mod_ssl: Fix memory leak in session cache handling.  PR 26562
     [Madhusudan Mathihalli]

  *) mod_ssl: Fix potential segfaults when performing SSL shutdown from
     a pool cleanup.  PR 27945.  [Joe Orton]

  *) Add forensic logging module (mod_log_forensic).
     [Ben Laurie]

  *) logresolve: Allow size of log line buffer to be overridden at
     build time (MAXLINE).  PR 27793.  [Jeff Trawick]

  *) Fix the comment delimiter in htdbm so that it correctly parses the 
     username comment.  Also add a terminate function to allow NetWare 
     to pause the output before the screen is destroyed.
     [Guenter Knauf <eflash gmx.net>, Brad Nicholes] 
  
  *) Fix crash when Apache was started with no Listen directives.
     [Michael Corcoran <mcorcoran warpsolutions.com>]

  *) core_output_filter: Fix bug that could result in sending
     garbage over the network when module handlers construct
     bucket brigades containing multiple file buckets all referencing
     the same open file descriptor. [Bojan Smojver]

  *) Fix memory corruption problem with ap_custom_response() function.
     The core per-dir config would later point to request pool data
     that would be reused for different purposes on different requests.
     [Jeff Trawick, based on an old 1.3 patch submitted by Will Lowe]

  *) Win32: Tweak worker thread accounting routines to eliminate
     server hang when number of Listen directives in httpd.conf
     is greater than or equal to the setting of ThreadsPerChild.
     [Bill Stoddard]

Changes with Apache 2.0.49

  *) SECURITY: CVE-2004-0174 (cve.mitre.org)
     Fix starvation issue on listening sockets where a short-lived
     connection on a rarely-accessed listening socket will cause a
     child to hold the accept mutex and block out new connections until
     another connection arrives on that rarely-accessed listening socket.
     With Apache 2.x there is no performance concern about enabling the 
     logic for platforms which don't need it, so it is enabled everywhere
     except for Win32.  [Jeff Trawick]

  *) mod_cgid: Fix storage corruption caused by use of incorrect pool.
     [Jeff Trawick]

  *) Win32: find_read_listeners was not correctly handling multiple
     listeners on the Win32DisableAcceptEx path.  [Bill Stoddard]

  *) Fix bug in mod_usertrack when no CookieName is set.  PR 24483.
     [Manni Wood <manniwood planet-save.com>]

  *) Fix some piped log problems: bogus "piped log program '(null)'
     failed" messages during restart and problem with the logger
     respawning again after Apache is stopped.  PR 21648, PR 24805.
     [Jeff Trawick]

  *) Fixed file extensions for real media files and removed rpm extension
     from mime.types. PR 26079.  [Allan Sandfeld <kde carewolf.com>]

  *) Remove compile-time length limit on request strings. Length is
     now enforced solely with the LimitRequestLine config directive.
     [Paul J. Reder]

  *) mod_ssl: Send the Close Alert message to the peer before closing
     the SSL session.  PR 27428.  [Madhusudan Mathihalli, Joe Orton]

  *) SECURITY: CVE-2004-0113 (cve.mitre.org)
     mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
     PR 27106.  [Joe Orton]

  *) mod_ssl: Fix bug in passphrase handling which could cause spurious
     failures in SSL functions later.  PR 21160.  [Joe Orton]

  *) mod_log_config: Fix corruption of buffered logs with threaded
     MPMs.  PR 25520.  [Jeff Trawick]

  *) Fix mod_include's expression parser to recognize strings correctly
     even if they start with an escaped token.  [André Malo]

  *) Add fatal exception hook for use by diagnostic modules.  The hook
     is only available if the --enable-exception-hook configure parm 
     is used and the EnableExceptionHook directive has been set to 
     "on".  [Jeff Trawick]

  *) Allow mod_auth_digest to work with sub-requests with different
     methods than the original request.  PR 25040.
     [Josh Dady <jpd indecisive.com>]

  *) fix "Expected </Foo>> but saw </Foo>" errors in nested,
     argumentless containers.
     ["Philippe M. Chiasson" <gozer cpan.org>]

  *) mod_auth_ldap: Fix some segfaults in the cache logic.  PR 18756.
     [Matthieu Estrade <apache moresecurity.org>, Brad Nicholes]

  *) mod_cgid: Restart the cgid daemon if it crashes.  PR 19849
     [Glenn Nielsen <glenn apache.org>]

  *) The whole codebase was relicensed and is now available under
     the Apache License, Version 2.0 (http://www.apache.org/licenses).
     [Apache Software Foundation]

  *) Fixed cache-removal order in mod_mem_cache.
     [Jean-Jacques Clar, Cliff Woolley]

  *) mod_setenvif: Fix the regex optimizer, which under circumstances
     treated the supplied regex as literal string. PR 24219.
     [André Malo]

  *) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
     instead of mmn. [André Malo]

  *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
     could lead to a 400 (Bad Request) response.  [André Malo]

  *) Keep focus of ITERATE and ITERATE2 on the current module when
     the module chooses to return DECLINE_CMD for the directive.
     PR 22299.  [Geoffrey Young <geoff apache.org>]

  *) Add support for IMT minor-type wildcards (e.g., text/*) to
     ExpiresByType.  PR#7991  [Ken Coar]

  *) Fix segfault in mod_mem_cache cache_insert() due to cache size
     becoming negative.  PR: 21285, 21287
     [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]

  *) core.c: If large file support is enabled, allow any file that is
     greater than AP_MAX_SENDFILE to be split into multiple buckets.
     This allows Apache to send files that are greater than 2gig.
     Otherwise we run into 32/64 bit type mismatches in the file size.
     [Brad Nicholes]

  *) proxy_http fix: mod_proxy hangs when both KeepAlive and
     ProxyErrorOverride are enabled, and a non-200 response without a
     body is generated by the backend server. (e.g.: a client makes a
     request containing the "If-Modified-Since" and "If-None-Match"
     headers, to which the backend server respond with status 304.)
     [Graham Wiseman <gwiseman fscinternet.com>, Richard Reiner]

  *) mod_dav: Reject requests which include an unescaped fragment in the
     Request-URI.  PR 21779.  [Amit Athavale <amit_athavale lycos.com>]

  *) Build array of allowed methods with proper dimensions, fixing
     possible memory corruption.  [Jeff Trawick]

  *) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
     PR 15057.  [Otmar Lendl <lendl nic.at>]

  *) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944
     [Joe Orton]

  *) mod_usertrack no longer inspects the Cookie2 header for
     the cookie name. PR 11475.  [Chris Darrochi <chrisd pearsoncmg.com>]

  *) mod_usertrack no longer overwrites other cookies.
     PR 26002.  [Scott Moore <apache nopdesign.com>]

  *) worker MPM: fix stack overlay bug that could cause the parent
     process to crash.  [Jeff Trawick]

  *) Win32: Add Win32DisableAcceptEx directive. This Windows
     NT/2000/CP directive is useful to work around bugs in some 
     third party layered service providers like virus scanners, 
     VPN and firewall products, that do not properly handle 
     WinSock 2 APIs.  Use this directive if your server is issuing
     AcceptEx failed messages.
     [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]

  *) Make REMOTE_PORT variable available in mod_rewrite.
     PR 25772.  [André Malo]

  *) Fix a long delay with CGI requests and keepalive connections on
     AIX.  [Jeff Trawick]

  *) mod_autoindex: Add 'XHTML' option in order to allow switching between
     HTML 3.2 and XHTML 1.0 output. PR 23747.  [André Malo]

  *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
     [André Malo]

  *) mod_ssl: Advertise SSL library version as determined at run-time rather
     than at compile-time.  PR 23956.  [Eric Seidel <seidel apple.com>]

  *) mod_ssl: Fix segfault on a non-SSL request if the 'c' log
     format code is used.  PR 22741.  [Gary E. Miller <gem rellim.com>]

  *) Fix build with parallel make.  PR 24643.  [Joe Orton]

  *) mod_rewrite: In external rewrite maps lookup keys containing
     a newline now cause a lookup failure. PR 14453.
     [Cedric Gavage <cedric.gavage unixtech.be>, André Malo]

  *) Backport major overhaul of mod_include's filter parser from 2.1.
     The new parser code is expected to be more robust and should
     catch all of the edge cases that were not handled by the previous one.
     The 2.1 external API changes were hidden by a wrapper which is
     expected to keep the API backwards compatible.  [André Malo]

  *) Add a hook (insert_error_filter) to allow filters to re-insert
     themselves during processing of error responses. Enable mod_expires
     to use the new hook to include Expires headers in valid error
     responses. This addresses an RFC violation. It fixes PRs 19794,
     24884, and 25123. [Paul J. Reder]

  *) Add Polish translation of error messages.  PR 25101.
     [Tomasz Kepczynski <tomek jot23.org>]

  *) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
     supported for BeOS or OS/2 MPMs.)  [Jeff Trawick, Brad Nicholes,
     Bill Stoddard]

  *) Add mod_status hook to allow modules to add to the mod_status
     report.  [Joe Orton]

  *) Fix htdbm to generate comment fields in DBM files correctly.
     [Justin Erenkrantz]

  *) mod_dav: Use bucket brigades when reading PUT data. This avoids
     problems if the data stream is modified by an input filter. PR 22104.
     [Tim Robbins <tim robbins.dropbear.id.au>, André Malo]

  *) Fix RewriteBase directive to not add double slashes.  [André Malo]

  *) Improve 'configure --help' output for some modules.  [Astrid Keßler]

  *) Correct UseCanonicalName Off to properly check incoming port number.
     [Jim Jagielski]

  *) Fix slow graceful restarts with prefork MPM.  [Joe Orton]

  *) Fix a problem with namespace mappings being dropped in mod_dav_fs;
     if any property values were set which defined namespaces these
     came out mangled in the PROPFIND response.  PR 11637.
     [Amit Athavale <amit_athavale persistent.co.in>]

  *) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
     the destination resource gives a 401.  PR 15571.  [Joe Orton]

  *) SECURITY: CVE-2003-0020 (cve.mitre.org)
     Escape arbitrary data before writing into the errorlog. Unescaped
     errorlogs are still possible using the compile time switch
     "-DAP_UNSAFE_ERROR_LOG_UNESCAPED".  [Geoffrey Young, André Malo]

  *) mod_autoindex / core: Don't fail to show filenames containing
     special characters like '%'. PR 13598.  [André Malo]
 
  *) mod_status: Report total CPU time accurately when using a threaded
     MPM.  PR 23795.  [Jeff Trawick]

  *) Fix memory leak in handling of request bodies during reverse
     proxy operations.  PR 24991. [Larry Toppi <larry.toppi citrix.com>]

  *) Win32 MPM: Implement MaxMemFree to enable setting an upper
     limit on the amount of storage used by the bucket brigades
     in each server thread. [Bill Stoddard]

  *) Modified the cache code to be header-location agnostic. Also
     fixed a number of other cache code bugs related to PR 15852.
     Includes a patch submitted by Sushma Rai <rsushma novell.com>.
     This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
     closing the PR since that is what they are using. [Paul J. Reder]

  *) complain via error_log when mod_include's INCLUDES filter is
     enabled, but the relevant Options flag allowing the filter to run
     for the specific resource wasn't set, so that the filter won't
     silently get skipped. next remove itself, so the warning will be
     logged only once [Stas Bekman, Jeff Trawick, Bill Rowe]

  *) mod_info: HTML escape configuration information so it displays 
     correctly. PR 24232. [Thom May]
     
  *) Restore the ability to add a description for directories that
     don't contain an index file.  (Broken in 2.0.48) [André Malo]

  *) Fix a problem with the display of empty variables ("SetEnv foo") in
     mod_include.  PR 24734  [Markus Julen <mj zermatt.net>]

  *) mod_log_config: Log the minutes component of the timezone correctly.
     PR 23642.  [Hong-Gunn Chew <hgbug gunnet.org>]

  *) mod_proxy: Fix cases where an invalid status-line could be sent 
     to the client.  PR 23998.  [Joe Orton]

  *) mod_ssl: Fix segfaults at startup if other modules which use OpenSSL
     are also loaded.  [Joe Orton]

  *) mod_ssl: Use human-readable OpenSSL error strings in logs; use
     thread-safe interface for retrieving error strings.  [Joe Orton]

  *) mod_expires: Initialize ExpiresDefault to NULL instead of "" to
     avoid reporting an Internal Server error if it is used without
     having been set in the httpd.conf file. PR: 23748, 24459
     [André Malo, Liam Quinn  <liam htmlhelp.com>]

  *) mod_autoindex: Don't omit the <tr> start tag if the SuppressIcon
     option is set. PR 21668.  [Jesse Tie-Ten-Quee <highos highos.com>]

  *) mod_include no longer allows an ETag header on 304 responses.
     PR 19355. [Geoffrey Young <geoff apache.org>, André Malo]

  *) EBCDIC: Convert header fields to ASCII before sending (broken
     since 2.0.44). [Martin Kraemer]

  *) Fix the inability to log errors like exec failure in
     mod_ext_filter/mod_cgi script children.  This was broken after 
     such children stopped inheriting the error log handle.  
     [Jeff Trawick]

  *) Fix mod_info to use the real config file name, not the default
     config file name.  [Aryeh Katz <aryeh secured-services.com>]

  *) Set the scoreboard state to indicate logging prior to running 
     logging hooks so that server-status will show 'L' for hung loggers
     instead of 'W'.  [Jeff Trawick]

Changes with Apache 2.0.48

  *) SECURITY: CVE-2003-0789 (cve.mitre.org)
     mod_cgid: Resolve some mishandling of the AF_UNIX socket used to
     communicate with the cgid daemon and the CGI script.
     [Jeff Trawick]

  *) SECURITY: CVE-2003-0542 (cve.mitre.org)
     Fix buffer overflows in mod_alias and mod_rewrite which occurred
     if one configured a regular expression with more than 9 captures.
     [André Malo]

  *) mod_include: fix segfault which occured if the filename was not
     set, for example, when processing some error conditions.
     PR 23836.  [Brian Akins <bakins web.turner.com>, André Malo]

  *) fix the config parser to support <Foo>..</Foo> containers (no
     arguments in the opening tag) supported by httpd 1.3. Without
     this change mod_perl 2.0's <Perl> sections are broken.
     ["Philippe M. Chiasson" <gozer cpan.org>]

  *) mod_cgid: fix a hash table corruption problem which could
     result in the wrong script being cleaned up at the end of a
     request.  [Jeff Trawick]

  *) Update httpd-*.conf to be clearer in describing the connection
     between AddType and AddEncoding for defining the meaning of
     compressed file extensions. [Roy Fielding]

  *) mod_rewrite: Don't die silently when failing to open RewriteLogs.
     PR 23416.  [André Malo]

  *) mod_rewrite: Fix mod_rewrite's support of the [P] option to send
     rewritten request using "proxy:". The code was adding multiple "proxy:"
     fields in the rewritten URI. PR: 13946.
     [Eider Oliveira <eider bol.com.br>]

  *) cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and
     expires as directed in RFC 2616. [Thomas Castelle <tcastelle generali.fr>]

  *) Ensure that ssl-std.conf is generated at configure time, and switch
     to using the expanded config variables to work the same as
     httpd-std.conf PR: 19611
     [Thom May]

  *) mod_ssl: Fix segfaults after renegotiation failure. PR 21370
     [Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) mod_autoindex: If a directory contains a file listed in the
     DirectoryIndex directive, the folder icon is no longer replaced
     by the icon of that file. PR 9587.
     [David Shane Holden <dpejesh yahoo.com>]

  *) Fixed mod_usertrack to not get false positive matches on the
     user-tracking cookie's name.  PR 16661.
     [Manni Wood <manniwood planet-save.com>]

  *) mod_cache: Fix the cache code so that responses can be cached
     if they have an Expires header but no Etag or Last-Modified
     headers. PR 23130.
     [<bjorn exoweb.net>]

  *) mod_log_config: Fix %b log format to write really "-" when 0 bytes
     were sent (e.g. with 304 or 204 response codes).  [Astrid Keßler]

  *) Modify ap_get_client_block() to note if it has seen EOS.
     [Justin Erenkrantz]

  *) Fix a bug, where mod_deflate sometimes unconditionally compressed the
     content if the Accept-Encoding header contained only other tokens than
     "gzip" (such as "deflate"). PR 21523.  [Joe Orton, André Malo]

  *) Avoid an infinite recursion, which occured if the name of an included
     config file or directory contained a wildcard character. PR 22194.
     [André Malo]

  *) mod_ssl: Fix a problem setting variables that represent the
     client certificate chain.  PR 21371  [Jeff Trawick]

  *) Unix: Handle permissions settings for flock-based mutexes in 
     unixd_set_global|proc_mutex_perms().  Allow the functions to be
     called for any type of mutex.  PR 20312  [Jeff Trawick]

  *) ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]

  *) Fix a misleading message from the some of the threaded MPMs when 
     MaxClients has to be lowered due to the setting of ServerLimit.  
     [Jeff Trawick]

  *) Lower the severity of the "listener thread didn't exit" message
     to debug, as it is of interest only to developers.  PR 9011
     [Jeff Trawick]

  *) MPMs: The bucket brigades subsystem now honors the MaxMemFree setting.
     [Cliff Woolley, Jean-Jacques Clar]

  *) Install config.nice into the build/ directory to make
     minor version upgrades easier. [Joshua Slive]

  *) Fix mod_deflate so that it does not call deflate() without checking
     first whether it has something to deflate. (Currently this causes
     deflate to generate a fatal error according to the zlib spec.)
     PR 22259. [Stas Bekman]

  *) mod_ssl: Fix FakeBasicAuth for subrequest.  Log an error when an
     identity spoof is encountered.
     [Sander Striker]

  *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
     containing the .htaccess file is requested without a trailing slash.
     PR 20195.  [André Malo]

  *) ab: Overlong credentials given via command line no longer clobber
     the buffer.  [André Malo]

  *) mod_deflate: Don't attempt to hold all of the response until we're
     done.  [Justin Erenkrantz]

  *) Assure that we block properly when reading input bodies with SSL.
     PR 19242.  [David Deaves <David.Deaves dd.id.au>, William Rowe]

  *) Update mime.types to include latest IANA and W3C types.  [Roy Fielding]

  *) mod_ext_filter: Set additional environment variables for use by
     the external filter.  PR 20944.  [Andrew Ho, Jeff Trawick]

  *) Fix buildconf errors when libtool version changes.  [Jeff Trawick]

  *) Remember an authenticated user during internal redirects if the
     redirection target is not access protected and pass it
     to scripts using the REDIRECT_REMOTE_USER environment variable.
     PR 10678, 11602.  [André Malo]

  *) mod_include: Fix a trio of bugs that would cause various unusual
     sequences of parsed bytes to omit portions of the output stream.
     PR 21095. [Ron Park <ronald.park cnet.com>, André Malo, Cliff Woolley]

  *) Update the header token parsing code to allow LWS between the
     token word and the ':' seperator.  [PR 16520]
     [Kris Verbeeck <kris.verbeeck advalvas.be>, Nicel KM <mnicel yahoo.com>]

  *) Eliminate creation of a temporary table in ap_get_mime_headers_core()
     [Joe Schaefer <joe+gmane sunstarsys.com>]

  *) Added FreeBSD directory layout. PR 21100.
     [Sander Holthaus <info orangexl.com>, André Malo]

  *) Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP
     response. PR 21085. [Glenn Nielsen <glenn apache.org>, André Malo]

  *) mod_rewrite: Perform child initialization on the rewrite log lock.
     This fixes a log corruption issue when flock-based serialization
     is used (e.g., FreeBSD).  [Jeff Trawick]

  *) Don't respect the Server header field as set by modules and CGIs.
     As with 1.3, for proxy requests any such field is from the origin
     server; otherwise it will have our server info as controlled by
     the ServerTokens directive.  [Jeff Trawick]

Changes with Apache 2.0.47

  *) SECURITY: CVE-2003-0192 (cve.mitre.org)
     Fixed a bug whereby certain sequences of per-directory
     renegotiations and the SSLCipherSuite directive being used to
     upgrade from a weak ciphersuite to a strong one could result in
     the weak ciphersuite being used in place of the strong one.  
     [Ben Laurie]

  *) SECURITY: CVE-2003-0253 (cve.mitre.org)
     Fixed a bug in prefork MPM causing temporary denial of service
     when accept() on a rarely accessed port returns certain errors.
     Reported by Saheed Akhtar <S.Akhtar talis.com>.  [Jeff Trawick]

  *) SECURITY: CVE-2003-0254 (cve.mitre.org)
     Fixed a bug in ftp proxy causing denial of service when target
     host is IPv6 but proxy server can't create IPv6 socket.  Fixed by
     the reporter.  [Yoshioka Tsuneo <tsuneo.yoshioka f-secure.com>]

  *) SECURITY [VU#379828] Prevent the server from crashing when entering
     infinite loops. The new LimitInternalRecursion directive configures
     limits of subsequent internal redirects and nested subrequests, after
     which the request will be aborted.  PR 19753 (and probably others).
     [William Rowe, Jeff Trawick, André Malo]

  *) core_output_filter: don't split the brigade after a FLUSH bucket if
     it's the last bucket.  This prevents creating unneccessary empty
     brigades which may not be destroyed until the end of a keepalive
     connection.
     [Juan Rivera <Juan.Rivera citrix.com>]

  *) Add support for "streamy" PROPFIND responses.
     [Ben Collins-Sussman <sussman collab.net>]

  *) mod_cgid: Eliminate a double-close of a socket.  This resolves
     various operational problems in a threaded MPM, since on the
     second attempt to close the socket, the same descriptor was
     often already in use by another thread for another purpose.
     [Jeff Trawick]

  *) mod_negotiation: Introduce "prefer-language" environment variable,
     which allows to influence the negotiation process on request basis
     to prefer a certain language.  [André Malo]

  *) Make mod_expires' ExpiresByType work properly, including for
     dynamically-generated documents.  [Ken Coar, Bill Stoddard]

Changes with Apache 2.0.46

  *) SECURITY: CVE-2003-0245 (cve.mitre.org)
     Fixed a bug causing apr_pvsprintf() to crash by sending an overly
     long string.  This can be triggered remotely through mod_dav,
     mod_ssl, and other mechanisms.
     Reported by David Endler <DEndler iDefense.com>.  [Joe Orton]

  *) SECURITY: CVE-2003-0189 (cve.mitre.org)
     Fixed a denial-of-service vulnerability affecting basic
     authentication on Unix platforms related to thread-safety in
     apr_password_validate().
     Reported by John Hughes <john.hughes entegrity.com>.

  *) Fix for mod_dav.  Call the 'can_be_activity' callback, if provided,
     when a MKACTIVITY request comes in.
     [Ben Collins-Sussman <sussman collab.net>]

  *) Perform run-time query in apxs for apr and apr-util's includes.
     [Justin Erenkrantz]

  *) run libtool from the apr install directory (in case that is different
     from the apache install directory) [Jeff Trawick]

  *) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]

  *) If mod_mime_magic does not know the content-type, do not attempt to
     guess.  PR 16908.  [Andrew Gapon <agapon telcordia.com>]

  *) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
     caching. PR 17864.
     [Andreas Leimbacher <andreasl67 yahoo.de>, Madhusudan Mathihalli]

  *) Add a delete flag to htpasswd.
     [Thom May]

  *) Fix mod_rewrite's handling of absolute URIs. The escaping routines
     now work scheme dependent and the query string will only be
     appended if supported by the particular scheme.  [André Malo]

  *) Add another check for already compressed content in mod_deflate.
     PR 19913. [Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]

  *) Fixes for VPATH builds; copying special.mk and any future .mk files 
     from the source tree as well as the build tree (now creates a usable
     configuration for apxs), and eliminated redundant -I'nclude paths.
     [William Rowe]

  *) Code fixes, constness corrections and ssl_toolkit_compat.h updates
     for SSLC and OpenSSL toolkit compatibility.  Still work remains to
     be done to cripple features based on the limitations of RSA's binary 
     distribution of their SSL-C toolkit.
     [William Rowe, Madhusudan Mathihalli, Jeff Trawick]

  *) Linux 2.4+: If Apache is started as root and you code 
     CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
     [Greg Ames]

  *) ap_get_mime_headers_core: allocate space for the trailing null
     when folding is in effect.
     PR 18170 [Peter Mayne <PeterMayne SPAM_SUX.ap.spherion.com>]

  *) Fix --enable-mods-shared=most and other variants.  [Aaron Bannert]

  *) mod_log_config: Add the ability to log the id of the thread 
     processing the request via new %P formats.  [Jeff Trawick]

  *) Use appropriate language codes for Czech (cs) and Traditional Chinese
     (zh-tw) in default config files. PR 9427.  [André Malo]

  *) mod_auth_ldap: Use generic whitespace character class when parsing
     "require" directives, instead of literal spaces only. PR 17135.
     [André Malo]

  *) Hook mod_rewrite's type checker before mod_mime's one. That way the
     RewriteRule [T=...] Flag should work as expected now. PR 19626.
     [André Malo]

  *) htpasswd: Check the processed file on validity. If a line is not empty
     and not a comment, it must contain at least one colon. Otherwise exit
     with error code 7. [Kris Verbeeck <Kris.Verbeeck ubizen.com>, Thom May]

  *) Fix a problem that caused httpd to be linked with incorrect flags
     on some platforms when mod_so was enabled by default, breaking 
     DSOs on AIX.  PR 19012  [Jeff Trawick]

  *) By default, use the same CC and CPP with which APR was built.
     The user can override with CC and CPP environment variables.
     [Jeff Trawick]

  *) Fix ap_construct_url() so that it surrounds IPv6 literal address
     strings with [].  This fixes certain types of redirection.
     PR 19207.  [Jeff Trawick]

  *) forward port of buffer overflow fixes for htdigest. [Thom May]

  *) Added AllowEncodedSlashes directive to permit control of whether
     the server will accept encoded slashes ('%2f') in the URI path.
     Default condition is off (the historical behaviour).  This permits
     environments in which the path-info needs to contain encoded
     slashes.  PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639.  [Ken Coar]

  *) When using Redirect in directory context, append requested query
     string if there's no one supplied by configuration. PR 10961.
     [André Malo]

  *) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
     the pattern will not always match as desired. PR 12596.
     [André Malo]

  *) mod_autoindex now emits and accepts modern query string parameter
     delimiters (;). Thus column headers no longer contain unescaped
     ampersands. PR 10880  [André Malo]

  *) Enable ap_sock_disable_nagle for Windows. This along with the 
     addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle 
     to be disabled for Windows. [Allan Edwards]

  *) Correct a mis-correlation between mpm_common.c and mpm_common.h;
     This patch reverts us to pre-2.0.46 behavior, using the 
     ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle 
     was never compiled on Win32. [Allan Edwards, William Rowe]

  *) Fix a build problem with passing unsupported --enable-layout
     args to apr and apr-util.  This broke binbuild.sh as well as
     user-specified layout parameters.  PR 18649 [Justin Erenkrantz,
     Jeff Trawick]

  *) If a Date response header was already set in the headers array,
     this value was ignored in favour of the current time. This meant
     that Date headers on proxied requests where rewritten when they
     should not have been. PR: 14376 [Graham Leggett]

  *) Add code to buildconf that produces an httpd.spec file from
     httpd.spec.in, using build/get-version.sh from APR.
     [Graham Leggett]

  *) Fixed a segfault when multiple ProxyBlock directives were used.
     PR: 19023 [Sami Tikka <sami.tikka f-secure.com>]

  *) SECURITY: CVE-2003-0134 (cve.mitre.org)
     OS2: Fix a Denial of Service vulnerability identified and
     reported by Robert Howard <rihoward rawbw.com> that where device
     names faulted the running OS2 worker process.  The fix is
     actually in APR 0.9.4.  [Brian Havard]

  *) SECURITY: CVE-2003-0083 (cve.mitre.org)
     Forward port: Escape special characters (especially control
     characters) in mod_log_config to make a clear distinction between
     client-supplied strings (with special characters) and server-side
     strings. This was already introduced in version 1.3.25.
     [André Malo]

  *) mod_deflate: Check also err_headers_out for an already set
     Content-Encoding: gzip header. This prevents gzip compressed content
     from a CGI script from being compressed once more. PR 17797.
     [André Malo]

Changes with Apache 2.0.45

  *) Fix possible segfaults under obscure error conditions within the
     cgid daemon.  [Jeff Trawick, William Rowe]

  *) SECURITY: CVE-2003-0132 (cve.mitre.org)
     Close a Denial of Service vulnerability identified by David
     Endler <DEndler iDefense.com> on all platforms.  An unlimited
     stream of newlines were acceptable between requests where each
     <lf> would allocate an 80 byte buffer, leading very quickly to
     memory exahustion.  [Brian Pane]

  *) Added an rpm build script.
     [Graham Leggett, Joe Orton <jorton redhat.com>]

  *) Simpler, faster code path for request header scanning  [Brian Pane]

  *) SECURITY:  Eliminated leaks of several file descriptors to child
     processes, such as CGI scripts.  This fix depends on the APR library 
     release 0.9.2 or later (0.9.3 was distributed with the httpd 
     source tarball for Apache 2.0.45.)  PR 17206
     [Christian Kratzer <ck cksoft.de>, Bjoern A. Zeeb <bz zabbadoz.net>]

  *) Fix path handling of mod_rewrite, especially on non-unix systems.
     There was some confusion between local paths and URL paths.
     PR 12902.  [André Malo]

  *) Prevent endless loops of internal redirects in mod_rewrite by
     aborting after exceeding a limit of internal redirects. The
     limit defaults to 10 and can be changed using the RewriteOptions
     directive. PR 17462.  [André Malo]

  *) Win32: Avoid busy wait (consuming all the CPU idle cycles) when
     all worker threads are busy. 
     [Igor Nazarenko <igor_nazarenko hotmail.com>]

  *) Keep the subrequest filter in place when a subrequest is 
     redirected.  PR 15423.  [Jeff Trawick]

  *) you can now specify the compression level for mod_deflate. 
     [Ian Holsman, Stephen Pierzchala <stephen pierzchala.com>, 
     Michael Schroepl <Michael.Schroepl telekurs.de>]

  *) mod_deflate: Extend the DeflateFilterNote directive to
     allow accurate logging of the filter's in- and outstream.
     [André Malo]

  *) Allow SSLMutex to select/use the full range of APR locking
     mechanisms available to it. Also, fix the bug that SSLMutex uses
     APR_LOCK_DEFAULT no matter what.  PR 8122  [Jim Jagielski,
     Martin Kutschker <martin.t.kutschker blackbox.net>]

  *) Restore the ability of htdigest.exe to create files that contain
     more than one user. PR 12910.  [André Malo]

  *) Improve binary compatibility of the core between debug (aka
     maintainer-mode) and a non-debug compile.
     [Sander Striker]

  *) mod_usertrack: don't set the cookie in subrequests. This works
     around the problem that cookies were set twice during fast internal
     redirects. PR 13211.  [André Malo]

  *) mod_autoindex no longer forgets output format and enabled version
     sort in linked column headers.  [André Malo]

  *) Use .sv instead of .se as extension for Swedish documents in the
     default configuration. PR 12877.  [André Malo]

  *) Updated mod_ldap and mod_auth_ldap to support the Novell LDAP SDK SSL
     and standardized the LDAP SSL support across the various LDAP SDKs.  
     Isolated the SSL functionality to mod_ldap rather than speading it 
     across mod_auth_ldap and mod_ldap.  Also added LDAPTrustedCA
     and LDAPTrustedCAType directives to mod_ldap to allow for a more 
     common method of specifying the SSL certificate.
     [Dave Ward, Brad Nicholes]

  *) Fixed mod_ssl's SSLCertificateChain initialization to no longer 
     skip the first cert of the chain by default.  This misbehavior 
     was introduced in 2.0.34.  PR 14560  [Madhusudan Mathihalli]

  *) mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
     be started on Unix because of such problems as bad permissions,
     bad shebang line, etc.  [Jeff Trawick]

  *) Fix 64-bit problem in mod_ssl input logic.  
     [Madhusudan Mathihalli <madhusudan_mathihalli hp.com>]

  *) Fix potential memory leaks in mod_deflate on malformed data.  PR 16046.
     [Justin Erenkrantz]

  *) Rewrite ap_xml_parse_input to use bucket brigades.  PR 16134.
     [Justin Erenkrantz]

  *) Fix segfault which occurred when a section in an included
     configuration file was not closed. PR 17093.  [André Malo]

  *) Enhance the behavior of mod_isapi's WriteClient() callback to
     provide better emulation for isapi modules that presume that the
     first WriteClient() call may send status and headers.  An example
     of WriteClient() abuse is the foxisapi module, which relies on
     that assumpion and now works.  [William Rowe, Milan Kosina]

  *) Check the return value of ap_run_pre_connection(). So if the
     pre_connection phase fails (without setting c->aborted)
     ap_run_process_connection is not executed. [Stas Bekman]

  *) Fixed a problem with mod_ldap which caused it to fault when caching
     was disabled.  Needed to make sure that the code did not
     attempt to use the cache if it didn't exist. Also fixed some memory
     leaks which were due to not releasing LDAP resources on error
     conditions.  [Brad Nicholes]
     
  *) Hook mod_proxy's fixup before mod_rewrite's fixup, so that by
     mod_rewrite proxied URLs will not be escaped accidentally by
     mod_proxy's fixup. PR 16368  [André Malo]

  *) While processing filters on internal redirects, remember seen EOS
     buckets also in the request structure of the redirect issuer(s). This
     prevents filters (such as mod_deflate) from adding garbage to the
     response. PR 14451.  [André Malo]

  *) suexec: Be more pedantic when cleaning environment. Clean it
     immediately after startup. PR 2790, 10449.
     [Jeff Stewart <jws purdue.edu>, André Malo]

  *) Fix apxs to insert LoadModule directives only outside of sections.
     PR 8712, 9012.  [André Malo]

  *) Fix suexec compile error under SUNOS4, where strerror() doesn't
     exist. PR 5913, 9977.
     [Jonathan W Miner <Jonathan.W.Miner lmco.com>]

  *) Fix If header parsing when a non-mod_dav lock token is passed to it.
     PR 16452.  [Justin Erenkrantz]

  *) mod_auth_digest no longer tries to guess AuthDigestDomain, if it's
     not specified. Now it assumes "/" as already documented. PR 16937.
     [André Malo]

  *) Try to log an error if a piped log program fails.  Try to
     restart a piped log program in more failure situations.  Fix an
     existing problem with error handling in piped_log_spawn().  Use
     new APR apr_proc_create() features to prevent Apache from starting
     on Unix* in most cases where a piped log program can be started,
     and add log messages for the other situations.  *Other platforms
     already failed Apache initialization if a piped log program
     couldn't be started.  PR 15761  [Jeff Trawick]

  *) Fix mod_cern_meta to not create empty metafiles when the
     metafile searched for does not exist.  PR 12353
     [Owen Rees <owen_rees hp.com>]

  *) Introduce debugging symbols for Win32 release builds, both .pdb 
     and .dbg files (older debuggers and Dr. Watson-type utilities 
     on WinNT or Win9x don't support the newer .pdb flavor.)
     [Allen Edwards, William Rowe]
 
  *) Fix bug where 'Satisfy Any' without an AuthType lost all MIME
     information (and more). Related to PR 9076.  [André Malo]

  *) mod_file_cache: fix segfault serving mmaped cached files.
     [Bill Stoddard]

  *) mod_file_cache: fixed a segfault when multiple MMapFile directives
     were used.  PR 16313.  [Cliff Woolley]

  *) Fix a nasty segfault in mmap_bucket_setaside() caused by passing
     an incompatible pointer type to mmap_bucket_destroy(void*).
     [Gerard Eviston <geviston bigpond.net.au>]

  *) Enable the -n name parameter on NetWare to allow the
     administrator to rename the Apache console screen
     [Brad Nicholes]
     
  *) Fixed piped access logs on Win32 by disabling OTHER_CHILD
     support by default in APR.  More development is required
     to deploy OTHER_CHILD on Win32.  [William Rowe]

  *) Use saner default config values for suexec. PR 15713.
     [Thom May <thom planetarytramp.net>]

  *) mod_rewrite: Allow "RewriteEngine Off" even if no "Options FollowSymlinks"
     (or SymlinksIfOwnermatch) is set. PR 12395.  [André Malo]

  *) apxs: Include any special APR ld flags when linking the DSO.
     This resolves problems on AIX when building a DSO with apxs+gcc.
     [Jeff Trawick]

  *) Added character set support to mod_auth_LDAP to allow it to 
     convert extended characters used in the user ID to UTF-8 
     before authenticating against the LDAP directory. The new
     directive AuthLDAPCharsetConfig is used to specify the config
     file that contains the character set conversion table.
     [Brad Nicholes]

  *) Don't remove the Content-Length from responses in mod_proxy
     PR: 8677 [Brian Pane]

  *) Ensure LDAP version is set to v3 on every bind. PR 14235.
     [Sergey A. Lipnevich <sergeyli pisem.net>]

  *) Fix mod_ldap to open an existing shared memory file should one
     already exist. PR 12757. [Scooter Morris <scooter gene.com>,
     Graham Leggett]

  *) Fix the ulimit command used by apachectl on Tru64.  PR 13609.
     [Joseph Senulis <Joseph.Senulis dnr.state.wi.us>, Jeff Trawick]

  *) Change the ulimit command used by apachectl on AIX so that it
     works in all locales.  [Jeff Trawick]

  *) mod_ext_filter: Fix a problem building argument lists which 
     occasionally caused exec to fail.  PR 15491.  [Jeff Trawick]

Changes with Apache 2.0.44

  *) mod_autoindex: Bring forward the IndexOptions IgnoreCase option
     from Apache 1.3.  PR 14276
     [David Shane Holden <dpejesh yahoo.com>, William Rowe]

  *) mod_mime: Workaround to prevent a segfault if r->filename=NULL
     [Brian Pane]
 
  *) Reorder the definitions for mod_ldap and mod_auth_ldap within
     config.m4 to make sure the parent mod_ldap is defined first.
     This ensures that mod_ldap comes before mod_auth_ldap in the
     httpd.conf file, which is necessary for mod_auth_ldap to load.
     PR 14256  [Graham Leggett]

  *) Fix the building of cgi command lines when the query string
     contains '='.  PR 13914  [Ville Skyttä <ville.skytta iki.fi>,
     Jeff Trawick]

  *) Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move
     implementation of MCacheMaxStreamingBuffer from mod_cache to
     mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the
     lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should 
     eliminate the need for explicitly coding MCacheMaxStreamingBuffer
     in most configurations. [Bill Stoddard]

  *) mod_cache: Fix PR 15113, a core dump in cache_in_filter when
     a redirect occurs. The code was passing a format string and
     integer to apr_pstrcat. Changed to apr_psprintf.
     [Paul J. Reder]

  *) Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL
     as set by apr-util in util_ldap.c. This should allow mod_ldap
     to work with the Netscape/Mozilla LDAP library. [Øyvin Sømme
     <somme oslo.westerngeco.slb.com>, Graham Leggett]

  *) Fix critical bug in new --enable-v4-mapped configure option
     implementation which broke IPv4 listening sockets on some
     systems.  [hiroyuki hanai <hanai imgsrc.co.jp>]

  *) mod_setenvif: Fix BrowserMatchNoCase support for non-regex
     patterns [André Malo <nd perlig.de>]

  *) Add version string to provider API.  [Justin Erenkrantz]
 
  *) build: './configure && make' now works without an in-tree
     apr and apr-util. [Wilfredo Sanchez]

  *) mod_negotiation: Set the appropriate mime response headers
     (Content-Type, charset, Content-Language and Content-Encoding)
     for negotated type-map "Body:" responses (such as the error
     pages.)  [André Malo <nd perlig.de>]

  *) mod_log_config: Allow '%%' escaping in CustomLog format
     strings to insert a literal, single '%'.
     [André Malo <nd perlig.de>]

  *) mod_autoindex: AddDescription directives for directories
     now work as in Apache 1.3, where no trailing '/' is
     specified on the directory name.  Previously, the trailing
     '/' *had* to be specified, which was incompatible with
     Apache 1.3.  PR 7990  [Jeff Trawick]

  *) Fix for PR 14556. The expiry calculations in mod_cache were
     trying to perform "now + ((date - lastmod) * factor)" where
     date == lastmod resulting in "now + 0". The code now follows
     the else path (using the default expiration) if date is
     equal to lastmod. [Sergey <rx armstrike.com>, Paul J. Reder]

  *) Use AP_DECLARE in the debug versions of ap_strXXX in case the
     default calling convention is not the same as the one used by
     AP_DECLARE.  [Juan Rivera <Juan.Rivera citrix.com>]

  *) mod_cache: Don't cache response header fields designated
     as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1).
     [Estrade Matthieu <estrade-m ifrance.com>, Brian Pane]

  *) mod_cgid: Handle environment variables containing newlines.
     PR 14550  [Piotr Czejkowski <apache czarny.eu.org>, Jeff
     Trawick]

  *) Move mod_ext_filter out of experimental and into filters.
     [Jeff Trawick]

  *) Fixed a memory leak in mod_deflate with dynamic content.
     PR 14321  [Ken Franken <kfranken decisionmark.com>]

  *) Add --[enable|disable]-v4-mapped configure option to control
     whether or not Apache expects to handle IPv4 connections
     on IPv6 listening sockets.  Either setting will work on 
     systems with the IPV6_V6ONLY socket option.  --enable-v4-mapped
     must be used on systems that always allow IPv4 connections on
     IPv6 listening sockets.  PR 14037 (Bugzilla), PR 7492 (Gnats)
     [Jeff Trawick]

  *) This fixes a problem where the underlying cache code
     indicated that there was one more element on the cache
     than there actually was. This happened since element 0
     exists but is not used. This code allocates the correct
     number of useable elements and reports the number of
     actually used elements. The previous code only allowed
     MCacheMaxObjectCount-1 objects to be stored in the
     cache. [Paul J. Reder]

  *) mod_setenvif: Add SERVER_ADDR special keyword to allow
     envariable setting according to the server IP address
     which received the request.  [Ken Coar]

  *) mod_cgid: Terminate CGI scripts when the client connection 
     drops.  PR 8388  [Jeff Trawick]

  *) Rearrange OpenSSL engine initialization to support RAND 
     redirection on crypto accelerator. 
     [Frederic DONNAT <frederic.donnat zencod.com>]

  *) Always emit Vary header if mod_deflate is involved in the
     request.  [André Malo <nd perlig.de>]

  *) mod_isapi: Stop unsetting the 'empty' query string result with
     a NULL argument in ecb->lpszQueryString, eliminating segfaults
     for some ISAPI modules.  PR 14399
     [Detlev Vendt <detlev.vendt brillit.de>]

  *) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION
     notification is received before the HttpExtensionProc() returns 
     HSE_STATUS_PENDING.  This only affected isapi .dll's configured 
     with the ISAPIFakeAsync on directive.  PR 11918
     [John DeSetto <jdesetto radiantsystems.com>, William Rowe]

  *) mod_isapi: Fix the issue where all results from mod_isapi would
     run through the core die handler resulting in invalid responses
     or access log entries.  PR 10216 [William Rowe]

  *) Improves the user friendliness of the CacheRoot processing
     over my last pass. This version avoids the pool allocations
     but doesn't avoid all of the runtime checks. It no longer
     terminates during post-config processing. An error is logged
     once per worker, indicating that the CacheRoot needs to be set.
     [Paul J. Reder]

  *) Fix a bug where we keep files open until the end of a 
     keepalive connection, which can result in:
     (24)Too many open files: file permissions deny server access
     especially on threaded servers.  [Greg Ames, Jeff Trawick]

  *) Fix a bug in which mod_proxy sent an invalid Content-Length
     when a proxied URL was invoked as a server-side include within
     a page generated in response to a form POST.  [Brian Pane]

  *) Added code to process min and max file size directives and to
     init the expirychk flag in mod_disk_cache. Added a clarifying
     comment to cache_util.   [Paul J. Reder]

  *) The value emitted by ServerSignature now mimics the Server HTTP
     header as controlled by ServerTokens.  [Francis Daly <deva daoine.org>]

  *) Gracefully handly retry situations in the SSL input filter,
     by following the SSL libraries' retry semantics.
     [William Rowe]

  *) Terminate CGI scripts when the client connection drops.  This
     fix only applies to some normal paths in mod_cgi.  mod_cgid
     is still busted.  PR 8388  [Jeff Trawick]

  *) Fix a bug where 416 "Range not satisfiable" was being
     returned for content that should have been redirected.
     [Greg Ames]

  *) Fix memory leak in mod_ssl from internal SSL library allocations
     within SSL_get_peer_certificate and X509_get_pubkey.
     [Zvi Har'El <rl math.technion.ac.il>
      Madhusudan Mathihalli <madhusudan_mathihalli hp.com>].

  *) mod_ssl uses free() inappropriately in several places, to free
     memory which has been previously allocated inside OpenSSL.
     Such memory should be freed with OPENSSL_free(), not with free().
     [Nadav Har'El <nyh math.technion.ac.il>,
      Madhusudan Mathihalli <madhusudan_mathihalli hp.com>].

  *) Emit a message to the error log when we return 404 because
     the URI contained '%2f'.  (This was previously nastily silent
     and difficult to debug.)  [Ken Coar]

  *) Fix streaming output from an nph- CGI script.  CGI:IRC now
     works.  PR 8482  [Jeff Trawick]

  *) More accurate logging of bytes sent in mod_logio when
     the client terminates the connection before the response
     is completely sent  [Bojan Smojver <bojan rexursive.com>]

  *) Fix some problems in the perchild MPM.  
     [Jonas Eriksson <jonas webkonsulterna.com>]

  *) Change the CacheRoot processing to check for a required
     value at config time. This saves a lot of wasted processing
     if the mod_disk_cache module is loaded but no CacheRoot
     was provided. This fix also adds code to log an error
     and avoid useless pallocs and procesing when the computed
     cache file name cannot be opened. This also updates the
     docs accordingly.  [Paul J. Reder]

  *) Introduce the EnableSendfile directive, allowing users of NFS 
     shares to disable sendfile mechanics when they either fail
     outright or provide intermitantly corrupted data.  PR 
     [William Rowe]

  *) Resolve the error "An operation was attempted on something 
     that is not a socket.  : winnt_accept: AcceptEx failed. 
     Attempting to recover." for users of various firewall and
     anti-virus software on Windows.  PR 8325  [William Rowe]

  *) Add the ProxyBadHeader directive, which gives the admin some
     control on how mod_proxy should handle bogus HTTP headers from
     proxied servers. This allows 2.0 to "emulate" 1.3's behavior if
     desired. [Jim Jagielski]

  *) Change the LDAP modules to export their symbols correctly
     during a Windows build. Add dsp files for Windows. Update
     README.ldap file for Windows build instructions.
     [Andre Schild <A.Schild aarboard.ch>]

  *) Performance improvements for the code that generates HTTP
     response headers  [Brian Pane]

  *) Add -S as a synonym for -t -DDUMP_VHOSTS.
     [Thom May <thom planetarytramp.net>]

  *) Fix a bug with dbm rewrite maps which caused the wrong value to
     be used when the key was not found in the dbm.  PR 13204
     [Jeff Trawick]

  *) Fix a problem with streaming script output and mod_cgid.
     [Jeff Trawick]

  *) Add ap_register_provider/ap_lookup_provider API.
     [John K. Sterling <john sterls.com>, Justin Erenkrantz]

Changes with Apache 2.0.43

  *) SECURITY: CVE-2002-0840 (cve.mitre.org)
     HTML-escape the address produced by ap_server_signature() against
     this cross-site scripting vulnerability exposed by the directive
     'UseCanonicalName Off'.  Also HTML-escape the SERVER_NAME
     environment variable for CGI and SSI requests.  It's safe to
     escape as only the '<', '>', and '&' characters are affected,
     which won't appear in a valid hostname.  Reported by Matthew
     Murphy <mattmurphy kc.rr.com>.  [Brian Pane]

  *) Fix a core dump in mod_cache when it attemtped to store uncopyable
     buckets. This happened, for instance, when a file to be cached
     contained SSI tags to execute a CGI script (passed as a pipe
     bucket). [Paul J. Reder]

  *) Ensure that output already available is flushed to the network
     when the content-length filter realizes that no new output will
     be available for a while.  This helps some streaming CGIs as
     well as some other dynamically-generated content.  [Jeff Trawick]

  *) Fix a mutex problem in mod_ssl session cache support which
     could lead to an infinite loop.  PR 12705  
     [Amund Elstad <amund.elstad ergo.no>, Jeff Trawick]

  *) SECURITY: CVE-2002-1156 (cve.mitre.org)
     Fix the exposure of CGI source when a POST request is sent to 
     a location where both DAV and CGI are enabled. [Ryan Bloom]

  *) Allow the UserDir directive to accept a list of directories.
     This matches what Apache 1.3 does.  Also add documentation for
     this feature. [Jay Ball <jay veggiespam.com>]

  *) New Module: mod_logio. adds the ability to log bytes sent and
     received. [Bojan Smojver <bojan rexursive.com>]

  *) SuExec needs to use the same default directory as the rest of
     server, namely /usr/local/apache2.  
     [SangBeom han <sbhan os.korea.ac.kr>]

  *) Get mod_auth_ldap to retry connections on LDAP_SERVER_DOWN.
     [Thomas Bennett <thomas.bennett eds.com>, Graham Leggett]

  *) Make sure the contents of the WWW-Authenticate header is
     passed on a 4xx error by proxy. Previously all headers
     were dropped, resulting in the browser being unable to
     authenticate. [Dr Richard Reiner <rreiner fscinternet.com>,
     Richard Danielli <rdanielli fscinternet.com>, Graham Wiseman
     <gwiseman fscinternet.com>, David Henderson
     <dhenderson fscinternet.com>]

  *) Make mod_cache's CacheMaxStreamingBuffer directive work
     properly for virtual hosts that override server-wide mod_cache
     setttings.  [Matthieu Estrade <estrade-m ifrance.com>]

  *) Add -p option to apxs to allow programs to be compiled with apxs.
     [Justin Erenkrantz]

Changes with Apache 2.0.42

  *) SECURITY: CVE-2002-1593 (cve.mitre.org) [CERT VU#406121]
     mod_dav: Check for versioning hooks before using them.
     [Greg Stein]

Changes with Apache 2.0.41

  *) The protocol version (eg: HTTP/1.1) in the request line parsing
     is now case insensitive. [Jim Jagielski]

  *) Allow AddOutputFilterByType to add multiple filters per directive.
     [Justin Erenkrantz]

  *) Remove warnings with Sun's Forte compiler.  [Justin Erenkrantz]

  *) Fixed mod_disk_cache's generation of 304s
     [Kris Verbeeck <Kris.Verbeeck ubizen.com>]

  *) Add support for using fnmatch patterns in the final path
     segment of an Include statement (eg.. include /foo/bar/*.conf).
     and remove the noise on stderr during config dir processing.
     [Joe Orton <jorton redhat.com>]

  *) mod_cache: cache_storage.c. Add the hostname and any request
     args to the key generated for caching. This provides a unique
     key for each virtual host and for each request with unique
     args. [Paul J. Reder, args code provided by Kris Verbeeck]

  *) mod_cache: Do not cache responses to GET requests with query
     URLs if the origin server does not explicitly provide an
     Expires header on the response (RFC 2616 Section 13.9)
     [Kris Verbeeck <krisv be.ubizen.com>]

  *) Fix memory leak in core_output_filter.  [Justin Erenkrantz]

  *) Update OpenSSL detection to work on Darwin.
     [Sander Temme <sctemme covalent.net>]

  *) Update the xslt and css to give the documentation a more
     modern style.
     [André Malo <nd perlig.de>, Gernot Winkler <greh o3media.de>]

  *) Fix some bucket memory leaks in the chunking code
     [Joe Schaefer <joe+apache sunstarsys.com>]

  *) Add ModMimeUsePathInfo directive.  [Justin Erenkrantz]

  *) mod_cache: added support for caching streamed responses (proxy,
     CGI, etc) with optional CacheMaxStreamingBuffer setting [Brian Pane]

  *) Add image/x-icon to httpd.conf PR 10993.
     [Ian Holsman, Peter Bieringer <pb bieringer.de>]

  *) Fix FileETags none operation.  PR 12207.
     [Justin Erenkrantz, Andrew Ho <andrew tellme.com>]

  *) Restored the experimental leader/followers MPM to working
     condition and converted its thread synchronization from
     mutexes to atomic CAS.  [Brian Pane]

  *) Fix Logic on non-html file removal in mod_deflate
     [Kris Verbeeck <Kris.Verbeeck ubizen.com>]

  *) Fix "ab -g"'s truncated year: the last digit was cut off.
     [Leon Brocard <acme astray.com>]

  *) mod_rewrite can now sets cookies in err_headers, uses the correct
     expiry date, and can now set the path as well
     PR 12132,12181,12172.
     [Ian Holsman / Rob Cromwell <apachechangelog robcromwell.com>]

  *) The content-length filter no longer tries to buffer up
     the entire output of a long-running request before sending
     anything to the client.  [Brian Pane]

  *) Win32: Lower the default stack size from 1MB to 256K. This will
     allow around 8000 threads to be started per child process. 
     'EDITBIN /STACK:size apache.exe' can be used to change this 
     value directly in the apache.exe executable.
     [Bill Stoddard]

  *) Win32: Implement ThreadLimit directive in the Windows MPM.
     [Bill Stoddard]

  *) Remove CacheOn config directive since it is set but never checked.
     No sense wasting cycles on unused code. Besides, the only truly
     bug free code is deleted code. :)   [Paul J. Reder]

  *) BufferLogs are now run-time enabled, and the log_config now has 2 new
     callbacks to allow a 3rd party module to actually do the writing of the
     log file [Ian Holsman]

  *) Correct ISAPIReadAheadBuffer to default to 49152, per mod_isapi docs.
     [André Malo, Astrid Keßler <kess kess-net.de>]

  *) Fix Segfault in mod_cache. [Kris Verbeeck <Kris.Verbeeck ubizen.com>]

  *) Fix a null pointer dereference in the merge_env_dir_configs
     function of the mod_env module. PR 11791
     [Paul J. Reder]

  *) New option to ServerTokens 'maj[or]'. Only show the major version
     Also Surfaced this directive in the standard config (default FULL)
     [Ian Holsman]

  *) Change mod_rewrite to use apr-util's dbm support for dbm rewrite
     maps.  The dbm type (e.g., ndbm, gdbm) can be specified on the
     RewriteMap directive.  PR 10644  [Jeff Trawick]

  *) Fixed mod_rewrite's RewriteMap prg: support so that request/response
     pairs will no longer get out of sync with each other.  PR 9534
     [Cliff Woolley]

  *) Fixes required to get quoted and escaped command args working in
     mod_ext_filter. PR 11793 [Paul J. Reder]

  *) mod-proxy: handle proxied responses with no status lines
     [JD Silvester <jsilves uwo.ca>, Brett Huttley <brett huttley.net>]

  *) Fix bug where environment or command line arguments containing 
     non-ASCII-7 characters would cause the Win32 child process creation
     to fail.  PR 11854  [William Rowe]

  *) Bug #11213.. make module loading error messages more informative 
     [Ian Darwin <Ian779 darwinsys.com>]

  *) thread safety & proxy-ftp [Alexey Panchenko <alexey liwest.ru>, Ian Holsman]

  *) mod_disk_cache works much better. This module should still
     be considered experimental. [Eric Prud'hommeaux]

  *) Performance improvement for keepalive requests: when setting
     aside a small file for potential concatenation with the next
     response on the connection, set aside the file descriptor rather
     than copying the file into the heap.  [Brian Pane]

  *) Modified version check on openssl so that it finds the executable
     first and then performs a check of the version, only warning the
     user if they chose, or we selected, an old version of OpenSSL.
     This change also allows the code to work for non-openssl libraries
     selected via the --with-ssl=dir option, which can override the
     automated library check in any case.  [Roy Fielding]

Changes with Apache 2.0.40

  *) SECURITY: CVE-2002-0661 (cve.mitre.org) 
     Close a very significant security hole that 
     applies only to the Win32, OS2 and Netware platforms.  Unix was not 
     affected, Cygwin may be affected.  Certain URIs will bypass security
     and allow users to invoke or access any file depending on the system 
     configuration.  Without upgrading, a single .conf change will close 
     the vulnerability.  Add the following directive in the global server
     httpd.conf context before any other Alias or Redirect directives;
         RedirectMatch 400 "\\\.\."
     Reported by Auriemma Luigi <bugtest sitoverde.com>.
     [Brad Nicholes]

  *) SECURITY: CVE-2002-0654 (cve.mitre.org)
     Close a path-revealing exposure in multiview type
     map negotiation (such as the default error documents) where the
     module would report the full path of the typemapped .var file when
     multiple documents or no documents could be served based on the mime
     negotiation.  Reported by Auriemma Luigi <bugtest sitoverde.com>.
     [William Rowe]

  *) SECURITY: CVE-2002-0654 (cve.mitre.org)
     Close a path-revealing exposure in cgi/cgid when we 
     fail to invoke a script.  The modules would report "couldn't create 
     child process /path-to-script/script.pl" revealing the full path
     of the script.  Reported by Jim Race <jrace qualys.com>.
     [Bill Stoddard]

  *) Set aside the apr-iconv and apr_xlate() features for the Win32
     build of 2.0.40 so development can be completed.  A patch, from
     <http://www.apache.org/dist/httpd/patches/apply_to_2.0.40/>
     will be available for those that wish to work with apr-iconv.
     [William Rowe]

  *) Fix proxy so that it is possible to access ftp: URLs via a proxy
     chain. [Peter Van Biesen <peter.vanbiesen vlafo.be>]

  *) mod-deflate now checks to make sure that 'gzip-only-text/html' is
     set to 1, so we can exclude things from the general case with
     browsermatch. [Ian Holsman, Andre Schild <A.Schild aarboard.ch>]
  
  *) Accept multiple leading /'s for requests within the DocumentRoot.
     PR 10946  [William Rowe, David Shane Holden <dpejesh yahoo.com>]

  *) Solved the reports of .pdf byterange failures on Win32 alone.
     APR's sendfile for the win32 platform collapses header and trailer
     buffers into a single buffer.  However, we destroyed the pointers
     to the header buffer if a trailer buffer was present.  PR 10781
     [William Rowe]

  *) mod_ext_filter: Add the ability to enable or disable a filter via
     an environment variable.  Add the ability to register a filter of
     type other than AP_FTYPE_RESOURCE.  [Jeff Trawick]

  *) Restore the ability to specify host names on Listen directives.
     PR 11030.  [Jeff Trawick, David Shane Holden <dpejesh yahoo.com>]

  *) When deciding on the default address family for listening sockets, 
     make sure we can actually bind to an AF_INET6 socket before
     deciding that we should default to AF_INET6.  This fixes a startup
     problem on certain levels of OpenUNIX.  PR 10235.  [Jeff Trawick]

  *) Replace usage of atol() to parse strings when we might want a
     larger-than-long value with apr_atoll(), which returns long long.
     This allows HTTPD to deal with larger files correctly.
     [Shantonu Sen <ssen apple.com>]

  *) mod_ext_filter: Ignore any content-type parameters when checking if
     the response should be filtered.  Previously, "intype=text/html"
     wouldn't match something like "text/html;charset=8859_1".
     [Jeff Trawick]

  *) mod_ext_filter: Set up environment variables for external programs.
     [Craig Sebenik <craig netapp.com>]

  *) Modified the HTTP_IN filter to immediately append the EOS (end of
     stream) bucket for C-L POST bodies, saving a roundtrip and allowing
     the caller to determine that no content remains without prefetching
     additional POST body.  [William Rowe]

  *) Get proxy ftp to work over IPv6.  [Shoichi Sakane <sakane kame.net>]

  *) Look for OpenSSL libraries in /usr/lib64.  [Peter Poeml <poeml suse.de>]

  *) Update SuSE layout.  [Peter Poeml <poeml suse.de>]

  *) Changes to the internationalized error documents:
     Comment them out in the default config file to make the default
     install as simple as possible; Correct the english 500 error to
     be more understandable; Add a Swedish translation.
     [Thomas Sjogren <thomas northernsecurity.net>, 
      Erik Abele <erik codefaktor.de>, Rich Bowen, Joshua Slive]
     
  *) Increase the limit on file descriptors per process in apachectl.
     [Brian Pane]

  *) Fix a dependency error when building ApacheMonitor, so that Win32
     and MSVC now trust that the project is current (when it is).
     [James Cox <imajes php.net>]

  *) mod_ext_filter: don't segfault if content-type is not set.  PR 10617.
     [Arthur P. Smith <apsmith aps.org>, Jeff Trawick]

  *) APR-Util Renames pending have been completed [Thom May]

  *) Performance improvements for the code that reads request
     headers (ap_rgetline_core() and related functions)  [Brian Pane]

  *) Add a new directive: MaxMemFree.  MaxMemFree makes it possible
     to configure the maximum amount of memory the allocators will
     hold on to for reuse.  Anything over the MaxMemFree threshold
     will be free()d.  This directive is useful when uncommon large
     peaks occur in memory usage.  It should _not_ be used to mask
     defective modules' memory use.  [Sander Striker]

  *) Fixed the Content-Length filter so that HTTP/1.0 requests to CGI
     scripts would not result in a truncated response.
     [Ryan Bloom, Justin Erenkrantz, Cliff Woolley]

  *) Add a filter_init parameter to the filter registration functions
     so that a filter can execute arbitrary code before the handlers
     are invoked.  This resolves a problem where mod_include requests
     would incorrectly return a 304.  [Justin Erenkrantz]

  *) Fix a long-standing bug in 2.0, CGI scripts were being called
     with relative paths instead of absolute paths.  Apache 1.3 used
     absolute paths for everything except for SuExec, this brings back
     that standard.  [Ryan Bloom]

  *) Fix infinite loop due to two HTTP_IN filters being present for
     internally redirected requests.  PR 10146.  [Justin Erenkrantz]

  *) Switch conn_rec->keepalive to an enumeration rather than a bitfield.
     [Justin Erenkrantz]

  *) Fix mod_ext_filter to look in the main server for filter definitions
     when running in a vhost if the filter definition is not found in
     the vhost.  PR 10147  [Jeff Trawick]

  *) Support WinNT CGI invocation through ScriptInterpreterSource 
     'registry' for script interpreter paths and names with non-ascii
     characters in the executable filepath.  [William Rowe]

  *) Support the -w flag on to keep the Win32 console open on error.
     [William Rowe]

  *) Normalize the hostname value in the request_rec to all-lowercase
     [Perry Harrington <pedward webcom.com>]

  *) Fix WinNT cgi 500 errors when QUERY_ARGS or other strings include
     extended characters (non US-ASCII) in non-utf8 format.  This brings
     Win32 back into CGI/1.1 compliance, and leaves charset decoding up
     to the cgi application itself.  [William Rowe]

  *) Major overhaul of mod_dav, mod_dav_fs and the experimental/cache
     modules to bring them up to the current apr/apr-util APIs.
     [William Rowe]

  *) Fix segfault in mod_mem_cache most frequently observed when
     serving the same file to multiple clients on an MP machine.
     [Bill Stoddard]

  *) mod_rewrite can now set cookies  (RewriteRule (.*) - [CO=name:$1:.domain])
     [Brian Degenhardt <bmd mp3.com>, Ian Holsman]

  *) Fix perchild to work with apachectl by adding -k support to perchild.
     PR 10074  [Jeff Trawick]

  *) Fix a silly htpasswd.c logic error that incorrectly reported that
     both -c and -n had been used.  PR 9989  [Cliff Woolley]

  *) Fixed a mod_include error case in which no HTTP response was sent
     to the client if an shtml document contained an unterminated SSI
     directive [Brian Pane]

  *) Improve ap_get_client_block implementation by using APR-util brigade
     helper functions and relying on current filter assumptions.
     [Justin Erenkrantz]

Changes with Apache 2.0.39

  *) Fixed a build problem in htpasswd.c on Win32.
     [Guenter Knauf <eflash gmx.net>, Cliff Woolley]

Changes with Apache 2.0.38

  *) Rewrite htpasswd to use APR.  The removes the annoying warning about
     tmpnam being unsafe.   [Ryan Bloom]

  *) We must set the MIME-type for .shtml files to text/html if we want them
     to be parsed for SSI tags.  Add the config for that to the default 
     config file so that it is easier to enable .shtml parsing.
     [Dave Dyer <ddyer real-me.net>]

  *) Fixed a problem with 'make install' on ReliantUnix.
     [Jean-frederic Clere <jfrederic.clere fujitsu-siemens.com>]

  *) Make the default_handler catch all requests that aren't served by
     another handler.  This also gets us to return a 404 if a directory
     is requested, there is no DirectoryIndex, and mod_autoindex isn't
     loaded.  [Justin Erenkrantz]

  *) Fixed the handling of nested if-statements in shtml files.
     PR 9866  [Brian Pane]

  *) Allow 'make install DESTDIR=/path'.  This allows packagers to install
     into a directory different from the one that was configured.  This 
     also mirrors the root= feature from 1.3.  We cannot use prefix=,
     because both APR and APR-util resolve their installation paths at 
     configuration time.  This means that there is no variable prefix 
     to replace.  [Andreas Hasenack <andreas netbank.com.br>]

  *) AIX 4.3.2 and above: Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT.
     These levels of AIX don't have a thundering herd problem with
     accept().  [Jeff Trawick]

  *) prefork MPM: Ignore mutex errors during graceful restart.  For
     certain types of mutexes (particularly SysV semaphores), we
     should expect to occasionally fail to obtain or release the
     mutex during restart processing.  [Jeff Trawick]

  *) Fix install-bindist.sh so that it finds any perl instead of just
     early perl 5.x versions.  This is consistent with a build/install
     from source, and it allows the perl scripts installed by a bindist 
     to work on systems with perl 5.6.  [Jeff Trawick]

  *) Fix apxs so that the makefile created by "apxs -g" works on AIX and
     Tru64 (and probably some other platforms).  [Jeff Trawick]

  *) Allow CGI scripts to return their Content-Length.  This also fixes a
     hang on HEAD requests seen on certain platforms (such as FreeBSD).
     [Justin Erenkrantz]

  *) Added log rotation based on file size to the RotateLog support
     utility. [Brad Nicholes]

  *) Fix some casting in mod_rewrite which broke random maps.
     PR 9770  [Allan Edwards, Greg Ames, Jeff Trawick]

Changes with Apache 2.0.37

  *) allow POST method over SSL when per-directory client cert
     authentication is used with 'SSLOptions +OptRenegotiate' enabled
     and a client cert was found in the ssl session cache.

  *) 'SSLOptions +OptRengotiate' will use client cert in from the ssl
     session cache when there is no cert chain in the cache.  prior to
     the fix this situation would result in a FORBIDDEN response and
     error message "Cannot find peer certificate chain"
     [Doug MacEachern]

  *) ap_finalize_sub_req_protocol() shouldn't send an EOS bucket if
     one was already sent.  PR 9644  [Jeff Trawick]

  *) Fix the display of the default name for the mime types config
     file.  PR 9729  [Matthew Brecknell <mbrecknell orchestream.com>]

  *) Fix the working directory *for WinNT/2K/XP services only* to
     change to the Apache directory (one level above the location 
     of Apache.exe, in the case that Apache.exe resides in bin/.)
     Solves the case of ServerRoot /foo paths where /foo was not
     on the same drive as /winnt/system32.  [William Rowe]

  *) Make 2.0's "AcceptMutex" startup message now "completely"
     match how 1.3 does it. [Jim Jagielski]

  *) Implement a fixed size memory cache using a priority queue
     [Ian Holsman]

  *) Fix apxs to allow "apxs -q installbuilddir" and to allow
     querying certain other variables from config_vars.mk.  PR 9316  
     [Jeff Trawick]

  *) Added the "detached" attribute to the cgi_exec_info_t internals
     so that Win32 and Netware won't create a new window or console
     for each CGI invoked.  PR 8387
     [Brad Nicholes, William Rowe]

  *) Consolidated the command line parameters and attributes that are 
     manipulated by the optional function ap_cgi_build_command() in
     mod_cgi into a single structure.
     [Brad Nicholes]

  *) Get rid of uninitialized value errors with "apxs -q" on certain
     variables.  [Stas Bekman <stas stason.org>]

  *) Fix apxs to allow it to work when the build directory is somewhere
     besides server-root/build.  PR 8453  
     [Jeff Trawick and a host of others]

  *) Allow ap_discard_request_body to be called multiple times in the
     same request.  Essentially, ap_http_filter keeps track of whether
     it has sent an EOS bucket up the stack, if so, it will only ever
     send an EOS bucket for this request.  
     [Ryan Bloom, Justin Erenkrantz, Greg Stein]

  *) Remove all special mod_ssl URIs.  This also fixes the bug where
     redirecting (.*) will allow an SSL protected page to be viewed
     without SSL.  [Ryan Bloom]

  *) Fix the binary build install script so that the build logic
     created by "apxs -g" will work when the user has a binary
     build.  [Jeff Trawick]

  *) Allow instdso.sh to work with full paths to the shared module.
     [Justin Erenkrantz]

  *) NetWare: Enabled CGI functionality and added mod_cgi as a built
     in module for NetWare  [Brad Nicholes]

  *) Changed cgi and piped log behavior to accept 65536 characters
     on Win32 (matching Linux) before deadlocking between outputing
     client stdin, slurping the output from stdout and then the stderr
     stream.  PR 8179  [William Rowe]

  *) Fixed Win32 wintty.exe support to assure the window title is valid.
     Elimiates possible gpfault or garbage title without the -t option.
     [William Rowe]

  *) Rewrite mod_cgi, mod_cgid, and mod_proxy input handling to use
     brigades and input filters.  [Justin Erenkrantz]

  *) Allow ap_http_filter (HTTP_IN) to return EOS when there is no request
     body.  [Justin Erenkrantz]
    
  *) NetWare: Piping log entries through RotateLogs using the 
     CustomLogs directive is finally supported now that we have 
     the pipes and spawning functionality working.
     [Brad Nicholes]

  *) SECURITY: CVE-2002-0392 (cve.mitre.org) [CERT VU#944335]
     Detect overflow when reading the hex bytes forming a chunk line.
     [Aaron Bannert]

  *) Allow RewriteMap prg:'s to take command-line arguments.  PR 8464.
     [James Tait <JTait wyrddreams.demon.co.uk>]

  *) Correctly return 413 when an invalid chunk size is given on
     input.  Also modify ap_discard_request_body to not do anything
     on sub-requests or when the connection will be dropped.
     [Justin Erenkrantz]

  *) Fix the TIME_* SSL var lookups to be threadsafe.  PR 9469.
     [Cliff Woolley]

  *) Ensure that apr_brigade_write() flushes in all of the cases that
     it should to avoid conditions in some modules that could cause
     large amounts of data to be buffered.  [Cliff Woolley]

  *) Fix problem where mod_cache/mod_disk_cache was incorrectly
     stripping the content_type from cached responses.
     [Bill Stoddard]

  *) apachectl passes through any httpd options.  Note: apachectl
     should be used in preference to httpd since it ensures that any
     appropriate environment variables have been set up.
     [Jeff Trawick]

  *) Fix the combination of mod_cgid, mod_setuexec, and mod_userdir.
     PR 7810  [Colm MacCarthaigh <colmmacc redbrick.dcu.ie>]

  *) Fix suexec execution of CGI scripts from mod_include.
     PR 7791, 8291  [Colm MacCarthaigh <colmmacc redbrick.dcu.ie>]

  *) Fix segfaults at startup on some platforms when mod_auth_digest,
     mod_suexec, or mod_ssl were used as DSO's due to the way they
     were tracking the current init phase since DSO's get completely
     unloaded and reloaded between phases.  PR 9413.
     [Tsuyoshi Sasamoto <nazonazo super.win.ne.jp>, Brad Nicholes]

  *) Fix mod_include's handling of regular expressions in
     "<!--#if" directives [Julius Gawlas <julius_gawlas hp.com>]

  *) Fix the worker MPM deadlock problem  [Brian Pane]

  *) Modify the module documentation to allow for translations.
     [Yoshiki Hayashi, Joshua Slive]

  *) Fix a file permissions problem which prevented mod_disk_cache
     from working on Unix.  [Jeff Trawick]

  *) Add "-k start|restart|graceful|stop" support to httpd for the Unix 
     MPMs.  These have semantics very similar to the old apachectl 
     commands of the same name.  [Justin Erenkrantz, Jeff Trawick]

  *) Make sure that the runtime dir is created by make install.
     PR 9233.  [Jeff Trawick]

  *) Fix an unusual set of ./configure arguments that could cause
     mod_http to be built as a DSO, which it currently doesn't
     support.  PR 9244.
     [Cliff Woolley, Robin Johnson <robbat2 orbis-terrarum.net>]

  *) Win32: Fix bug in apr_sendfile() that caused incorrect operation
     of the %X, %b and %B logformat options. PR 8253, 8996.
     [Bill Stoddard]

  *) If content-encoding is already present, do not run deflate (PR 9222)
     [Kazuhisa ASADA <kaz asada.sytes.net>]

  *) The APLOG_NOERRNO flag to ap_log_[r]error() is now deprecated.
     It is currently ignored and it will be removed in a future release
     of Apache.  [Jeff Trawick]

  *) Removed documentation references to the no-longer-supported
     "make certificate" feature of mod_ssl for Apache 1.3.x.  Test
     certificates, if truly desired, can be generated using openssl
     commands.  PR 8724.  [Cliff Woolley]

  *) Remove SSLLog and SSLLogLevel directives in favor of having
     mod_ssl use the standard ErrorLog directives.  [Justin Erenkrantz]

  *) OS/390: LIBPATH no longer has to be manually uncommented in
     envvars to get apachectl to set up httpd properly.  [Jeff Trawick]

  *) mod_isapi: All mod_isapi directives, excluding ISAPICacheFile,
     may now be specified to the <File/Directory > container, rather
     than by vhost.  [William Rowe]

  *) mod_isapi: Experimental support for faux async support for ISAPI
     modules.  [William Rowe]

  *) mod_isapi: Major refactoring of the code to rely on apr internals
     rather than MS APIs (using our own mod_isapi.h headers for ISAPI
     symbol definitions.)  [William Rowe]

  *) mod_isapi: Fixed the return string length from GetServerVariable
     callback, it was not including the trailing null in the consumed
     buffer size.  This was particularly bad for Delphi 6.0 users.
     PR 8934  [Sebastian Hantsch <sebastian.hantsch gmx.de>]

  *) Fixed Win32 builds for Microsoft VisualStudio 7.0 (.net).
     [William Rowe]

  *) Make apxs look in the correct directory for envvars.  It was
     broken when sbindir != bindir.  PR 8869
     [Andreas Sundström <sunkan zappa.cx>]
  
  *) Fix mod_deflate corruption when using multiple buckets.  PR 9014.
     [Asada Kazuhisa <kaz asada.sytes.net>]

  *) Performance enhancements for access logger when using
     default timestamp formatting  [Brian Pane]

  *) Added EnableMMAP config directive to enable the server
     administrator to disable memory-mapping of delivered files
     on a per-directory basis.  [Brian Pane]

  *) Performance enhancements for mod_setenvif  [Brian Pane]

  *) Fix a mod_ssl build problem on OS/390.  [Jeff Trawick]

  *) Fixed If-Modified-Since on Win32, which would give false positives
     because of the sub-second resolution of file timestamps on that
     platform.  [Cliff Woolley]

  *) Reverse the hook ordering for mod_userdir and mod_alias so
     that Alias/ScriptAlias will override Userdir.  PR 8841
     [Joshua Slive]

  *) Move mod_deflate out of experimental and into filters.
     [Justin Erenkrantz]

  *) Get proxy CONNECT basically working.  [Jeff Trawick]

  *) Fix mod_rewrite hang when APR uses SysV Semaphores and
     RewriteLogLevel is set to anything other than 0.  PR: 8143
     [Aaron Bannert, Cliff Woolley]
