1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
|
APACHE 1.3 STATUS: -*-text-*-
Last modified at [$Date$]
Release:
1.3.42: Released and Retired February 2, 2010.
1.3.41: Released January 19, 2008.
1.3.40: Tagged January 4, 2008. Not released.
1.3.39: Released September 7, 2007.
1.3.38: Tagged August 10, 2007. Not released.
1.3.37: Tagged July 27, 2006. Announced July 28, 2006.
1.3.36: Tagged May 14, 2006. Announced May 17, 2006.
1.3.35: Tagged April 24, 2006. Announced May 1, 2006.
1.3.34: Tagged October 13, 2005. Announced October 18, 2005.
1.3.33: Tagged October 27, 2004. Announced October 29, 2004.
1.3.32: Tagged October 18, 2004. Not formally released.
1.3.31: Tagged May 7, 2004. Announced May 11, 2004.
1.3.30: Tagged April 9, 2004. Not released.
1.3.29: Tagged October 24, 2003. Announced Oct 29, 2003.
1.3.28: Tagged July 16, 2003. Announced ??
1.3.27: Tagged September 30, 2002. Announced Oct 3, 2002.
1.3.26: Tagged June 18, 2002.
1.3.25: Tagged June 17, 2002. Not released.
1.3.24: Tagged Mar 21, 2002. Announced Mar 22, 2002.
1.3.23: Tagged Jan 21, 2002.
1.3.22: Tagged Oct 8, 2001. Announced Oct 12, 2001.
1.3.21: Not released.
(Pulled for htdocs/manual config mismatch. t/r Oct 5, 2001)
1.3.20: Tagged and rolled May 15, 2001. Announced May 21, 2001.
1.3.19: Tagged and rolled Feb 26, 2001. Announced Mar 01, 2001.
1.3.18: Tagged and rolled Not released.
(Pulled because of an incorrect unescaping fix. t/r Feb 19, 2001)
1.3.17: Tagged and rolled Jan 26, 2001. Announced Jan 29, 2001.
1.3.16: Not released.
(Pulled because of vhosting bug. t/r Jan 20, 2001)
1.3.15: Not released.
(Pulled due to CVS dumping core during the tagging when it
reached src/os/win32/)
1.3.14: Tagged and Rolled Oct 10, 2000. Released/announced on the 13th.
1.3.13: Not released.
(Pulled in the "first minutes" due to a Netware build bug)
1.3.12: Tagged and rolled Feb. 23, 2000. Released/announced on the 25th.
1.3.11: Tagged and rolled Jan. 19, 2000. Released/announced on the 21st.
1.3.10: Not released.
(Pulled at "last minute" due to a build bug in the MPE port)
1.3.9: Tagged and rolled on Aug. 16, 1999. Released and announced on 19th.
1.3.8: Not released.
1.3.7: Not released.
1.3.6: Tagged and rolled on Mar. 22, 1999. Released and announced on 24th.
1.3.5: Not released.
1.3.4: Tagged and rolled on Jan. 9, 1999. Released on 11th, announced on 12th.
1.3.3: Tagged and rolled on Oct. 7, 1998. Released on 9th, announced on 10th.
1.3.2: Tagged and rolled on Sep. 21, 1998. Announced and released on 23rd.
1.3.1: Tagged and rolled on July 19, 1998. Announced and released.
1.3.0: Tagged and rolled on June 1, 1998. Announced and released on the 6th.
2.0 : Available for general use, see httpd-2.0 repository
** THIS BRANCH IS CLOSED TO DEVELOPMENT AND MAINTENANCE **
POST-RETIREMENT SECURITY PATCHES:
(for distribution in the official patches directory)
*) CVE-2011-3368/CVE-2011-4317
http://people.apache.org/~trawick/1.3-CVE-2011-4317-r1235443.patch
+1: trawick, wrowe
*) CVE-2012-0053
http://people.apache.org/~trawick/1.3-CVE-2012-0053-r1234837.patch
+1: trawick, wrowe
trawick: I'll update the security doc once I get an idea of whether
or not a patch will be made available.
UNADDRESSED ISSUES:
*) mod_rewrite on Win32: change the mutex mechanism for RewriteLog
to something more reliable; Apache on Win32 will often exit(1)
currently if RewriteLog is enabled
Patch is here:
http://people.apache.org/~colm/mod_rewrite-win32loglock.diff
Message-ID: <1404e5910504010716389dd7da@mail.gmail.com>
From: Eric Covener <covener@gmail.com>
Subject: [1.3 PATCH] Win32 RewriteLog deadlock
+1: trawick, wrowe, colm (tested on XP and Vista, but not 9x).
*) mod_log_config: Cleanup log_header_out function to allow multiple headers
like Set-Cookie to be logged properly. PR 27787
http://people.apache.org/~colm/mod_log_config.diff
jerenkrantz asks: Isn't this what apr_table_merge is for?
nd replies: yep. But cookies won't be merged, because browsers don't
support it.
jerenkrantz: Couldn't we copy the table and merge the values somehow?
This just seems like a lot of code to duplicate what we
have already. *shrug*
+1: colm
* backport fix for mod_log_config logging "0" for %b
[1.3 PATCH] backport 2.0 fix to log "-" for %b...
Message-ID: <cc67648e0412210644542f55dc@mail.gmail.com>
+1: trawick, nd
* mod_whatkilledus: log the address of active request_rec and/or
conn_rec (if any); this provides a head start to coredump
analysis; this updates Apache 1.3 to the level of code
I've been giving out for some time
http://www.apache.org/~trawick/whatkilledus.txt
+1: trawick. colm
* PR: 27023 Cookie could not delivered if the cookie made before
proxy module.
* isn't ap_die() broken with recognizing recursive errors
Message-Id: <3F8C56E3.8050501@attglobal.net>
+1: jeff, jim
* Current vote on 3 PRs for inclusion:
Bugz #17877 (passing chunked encoding thru proxy)
(still checking if RFC compliant... vote is on the
correctness of the patch code only).
+1: jim, chuck, minfrin
Bugz #9181 (Unable to set headers on non-2XX responses)
+1: Martin, Jim
Gnats #10246 (Add ProxyConnAllow directive)
+0: Martin (or rather -.5, see dev@ Message
<20020529215048.A56015@deejai2.mch.fsc.net>)
* htpasswd.c and htdigest.c use tmpnam()... consider using
mkstemp() when available.
Message-ID: <Pine.LNX.4.30.0102191441100.22500-100000@dax.joh.cam.ac.uk>
Status:
* Dean's "unescaping hell" (unescaping the various URI components
at the right time and place, esp. unescaping the host name).
Message-ID: <Pine.LNX.4.33.0102231235031.11699-100000@twinlark.arctic.org>
Status:
* Martin observed a core dump because a ipaddr_chain struct contains
a NULL-"server" pointer when being dereferenced by invoking "httpd -S".
Message-ID: <20010213231854.A20932@deejai2.mch.fsc.net>
Status: Workaround enabled. Clean solution can come after 1.3.19
* long pathnames with many components and no AllowOverride None
Workaround is to define <Directory /> with AllowOverride None,
which is something all sites should do in any case.
Status: Marc was looking at it. (Will asks 'wasn't this patched?')
* Ronald Tschalär's patch to mod_proxy to allow other modules to
set headers too (needed by mod_auth_digest)
Message-ID: <199907080712.JAA28269@chill.innovation.ch>
Status:
Available Patches (Most likely, will be ported to 2.0 as appropriate):
* A rewrite of ap_unparse_uri_components() by Jeffrey W. Baker
<jwbaker@acm.org> to more fully close some segfault potential.
Message-ID: <Pine.LNX.4.21.0102102350060.6815-200000@desktop>
Status: Jim +1 (for 1.3.19), Martin +0
* Andrew Ford's patch (1999/12/05) to add absolute times to mod_expires
Message-ID: <m3wvqtcoqx.fsf@icarus.demon.co.uk>
Status: Martin +1, Jim +1, Ken +1 (on concept)
* Raymond S Brand's path to mod_autoindex to fix the header/readme
include processing so the envariables are correct for the included
documents. (Actually, there are two variants in the patch message,
for two different ways of doing it.)
Message-ID: <384AA242.B93F8B5@rsbx.net>
Status: Martin +1(concept)
* Jayaram's patch (10/27/99) for bugfix to mod_autoindex
IndexIgnore <file-extension> should hide the files with this file-
extension in directory listings. This was NOT happening because the
total filename was being compared with the file-extension.
Status: Martin +1(untested), Ken +1(untested)
* Salvador Ortiz Garcia <sog@msg.com.mx>' patch to allow DirectoryIndex
to refer to URIs for non-static resources.
MID: <Pine.LNX.4.10.9906041415330.15776-100000@xiomara.msg.com.mx>
Status: Ken +1 (on concept), Lars +1 (on concept)
* Brian Havard's patch to remove dependency of mod_auth_dbm on mod_auth.
(PR#2598)
Message-ID: <199905170830.SAA31549@silk.apana.org.au>
Status: Lars +1 (on concept), Ken +1 (on concept),
Martin +1(untested)
* Aidan Cully's patch to allow assignment of 'ownership' of resources
to either the server UID or the file's owner.
Message-ID: <37306CB4.8EA9D76C@Golux.Com>
Status: Ken +1, Dean +1, Randy +1, Lars +0, Jim +1
In progress:
Needs patch:
* get_path_info bug; ap_get_remote_host should be ap_vformatter instead.
See: <Pine.LNX.3.96dg4.980427034301.16648P-100000@twinlark.arctic.org>
* URI issues
- RFC2068 requires a server to recognize its own IP addr(s) in
dot notation, we do this fine if the user follows the
dns-caveats documentation... we should handle it in the case
the user doesn't ever supply a dot-notation address.
* Problems dealing with .-rooted domain names such as "twinlark."
versus "twinlark.arctic.org.". See the thread containing
Message-ID: <19980203211817.06723@deejai.mch.sni.de> for more
details. In particular this affects the correctness of the
proxy and the vhost mechanism.
* proxy_*_canon routines use r->proxyreq incorrectly. See
<Pine.LNX.3.96dg4.980304030057.13656O-100000@twinlark.arctic.org>
Open issues:
* Should we provide a way to force CustomError responses past IE's
'prettify-if-less-than-N-bytes' bogosity?
* general/3787: SERVER_PORT is always 80 if client comes to any port
=> needs review by the protocol guys, I think.
* All DBMs suffer from confusion in dbmmanage (perl script) since the
dbmmanage creates in the first-matched dbm format. This is not
necessarily the library that Apache was built with. Aught to
rewrite dbmmanage with the proper library for clean administration.
* Marc's socket options like source routing (kill them?)
Marc, Martin say Yes
* In ap_bclose() there's no test that (fb->fd != -1) -- so it's
possible that it'll do something completely bogus when it's
used for read-only things. - Dean Gaudet
* Roy's HTTP/1.1 Wishlist items:
1) byte range error handling
* use of spawnvp in uncompress_child in mod_mime_magic - doesn't
use the new child_info structure, is this still safe? Needs to be
looked at.
* suexec doesn't understand argv parameters; e.g.
<!--#exec cmd="./ls -l" -->
fails even when "ls" is in the same directory because suexec is trying
to stat a file called "ls -l". A patch for this is available at
http://www.xnet.com/~emarshal/suexec.diff
and it's not bad except that it doesn't handle programs with spaces in
the filename (think win32, or samba-mounted filesystems). There are
several PR's to this and I don't see for security reasons why we can't
accomodate it, though it does add complexity to suexec.c.
Accepting quoted executable names solves that issue, except that the
exec cmd="" parsing needs to accept escaped quotes.
PR #1120
Brian: +1
Status: Already resolved in Apache 2.0 - exec is defined as passing
the cmd="" argument as argv[0], which means it is -only- the
file name to execute (with spaces allowed in the name.)
Win32/Netware specific issues:
* mod_rewrite's cache isn't threadsafe, needs a mutex on Win32/Netware
(and OS/2?)
* apparently either "BrowserMatch" or the "nokeepalive" variable
cause instability - see PR#1729.
|
