Apache1.3.22 Main improvements and corrections _ server

Apache 1.3.20-1.3.22 Major improvements:
Security Weaknesses:
1. A vulnerability was found on the Apache1.3.20 Win32 platform. If the client sends a very long URI, it may result in a directory listing instead of the default home page. 403 Forbidden will be returned. can-2001-0729
2. A vulnerability was found in the Split-logfile support program. A request sent with a special host: header may allow any file in the system that ends with a. log extension to be written. pr#7848 can-2001-0730
3. A vulnerability was found when MultiViews was used for catalog index negotiation. In some configurations, if a URI request carries a m=d query_string, it is possible to return a list of directories instead of the expected index page. can-2001-0731
New features:
1.3.22 major new features (compared to 1.3.20):
1. The user's manual has been updated with a lot of minor fixes. This update includes translations of French and Japanese, a guide to using Apache on Cygwin, and a comprehensive guide to using log files.
2. The user manual can be moved out of Htdocs (DocumentRoot)-The--manualdir= option can be specified when configure is installed. Allows online documents to be detached from regular content.
3. Supported icons are allowed to be published in PNG format.
4. An important check was made on the Apache evaluation program. AB was replaced (the first reported in April), and the new Apache review includes corrections, additional statistics, CSV and gnuplot output, and SSL support.
5. Mod_usertrack module has added a new directive, first, Cookiedomain, can be used to customize the domain attribute, the patch to join the Cookiedomain directive was originally submitted for more than two years. Mod_usertrack uses the very old Netscape cookie syntax, and the new Cookiestyle directive allows RFC2109 or RFC2965 to be used instead. pr#5023, pr#5920, pr#6140.
6. If a line end Comment (#) is found in the configuration file, the server displays a warning. Not all instructions can handle annotations on the same line.
7. A new directive, Acceptmutex, allows the use of mutex types to accept serial serialization at runtime configuration, The current compile-time is set only in 1.3, while different mutex types have different performance characteristics on different platforms, and this instruction will make it easier for administrators to adjust their Apache, and the current list of possible methods is: Uslock, Pthread, Sysvsem, fcntl, Flock, Os2sem, Tpfcore, none. Not all platforms support all methods.
8. The Mod_auth is enhanced to allow access control over a document to be based on file-owner authentication. Require File-owner can be accessed only when the authenticated username matches the document owner, Require File-group works in a similar manner to check the match.
New features relative to specific platforms:
1. A new instruction, Acceptfilter, is added to the runtime to control BSD acceptance filtering. This makes it easier to move binary packets between different BSD machines without recompiling. Support acceptance filtering is first added to the 1.3.14 version, which delays the need for a subprocess to process a new connection until an HTTP request arrives, so you can increase the number of connections a given number of child processes can handle.
2. MOD_UNIQUE_ID, Mod_mime_magic, and Mod_vhost_alias modules are available on the Win32 platform.
3. The Win32 platform allows the server to run a number of revisions and updates in the code under Cygwin, and support for Cygwin is first added to version 1.3.20.
4. Under Windows NT or 2000, the name that the service displays can be modified by the user (using the Service Control Panel applet).
5. Added a new option under Win32-W; to start a dependency service.
6. Benefit from recent improvements in the TPF operating system. Includes enhanced system derivation and execution, updating updates that allow non blocking file descriptors and shutdown processes.
Fixed bugs:
The following bugs are found in the 1.3.20 and have been fixed in 1.3.22:
1. In some cases a subprocess may be destroyed by a bug in the Mod_include module, if the server uses errordocument instead of the 404 (Request not found) error to refer to a server-side parsed HTML file. And it contains such fragments, then a request containing%2f will result in a segment error. This error is harmless and does not cause security problems, but it may have been triggered by the nearest IIS worm.
2. The MultiViews feature was modified to prevent the MultiView variable supplied by the Mod_negotiation module from containing an unknown file name extension. pr#8130
3. Apache binds the expat library in the installed version, which fixes conflicts that arise when multiple copies of a expat are loaded. (especially when using Mod_perl and xml::P arsers::expat)
4. The UNSETENV directive can now work in the body of the configuration file. pr#8254
5. As a reverse proxy, headers that are set by other modules, such as Mod_usertrack or Mod_securid, can pass through the back-end server. pr#6055
6. Server-side response headers can now be logged by proxy. pr#7461
7. The Mod_proxy module now notes that the HTTP headers for the specified request will not be cached. pr#5668
8. When a client sends a request through Mod_proxy unexpectedly, the Mod_proxy module will not close its connection. pr#8090
9. The cacheforcecompletion directive has been amended. pr#7383, pr#8067, pr#6585
10. The memory leak in the Mod_mime_magic module has been corrected.
11. The Satisfy All option is added to the default container to stop the. htaccess file. Without this instruction, these files can still be obtained if they are in the scope of the satisfy any instruction.
The following are bug fixes relative to a specific platform:
1. A number of fixes have been added to NetWare, including allowing htdigest of long filenames in htpasswd, restricting relatively malicious modules, better handling of unconventional shutdowns, processing of restricted stack space in SSI, and proper identification of similar proxy:http:// 's special filename.
2. Shutdown hangs may occur on Solaris, when a large number of pipe transferlogs and at least one pipe errorlog are used.
3. A bug when the agent module stops the SSL agent from working on the EBCDIC platform.
4. On the Win32, the MOD_UNIQUE_ID module does not guarantee a unique ID bug because of the thread.
The makefiles on 5.win32 is now 100% compliant with the Microsoft Visual C + + compiler (version 5,6,7).