Subject: CVS commit: pkgsrc/www/apache6
To: None <>
From: Martti Kuparinen <>
List: pkgsrc-changes
Date: 10/17/2001 10:47:54
Module Name:	pkgsrc
Committed By:	martti
Date:		Wed Oct 17 07:47:54 UTC 2001

Modified Files:
	pkgsrc/www/apache6: Makefile distinfo
	pkgsrc/www/apache6/files: config.layout
	pkgsrc/www/apache6/patches: patch-aa patch-aj
	pkgsrc/www/apache6/pkg: PLIST

Log Message:
- Updated to Apache 1.3.22
- Updated the IPv6 patch

Apache 1.3.20 - 1.3.22 Major changes

  Security vulnerabilities

     * A vulnerability was found in the Win32 port of Apache 1.3.20.  A
       client submitting a very long URI could cause a directory listing
       to be returned rather than the default index page. A 403 Forbidden
       will now be returned.  CAN-2001-0729
     * A vulnerability was found in the split-logfile support program. A
       request with a specially crafted Host: header could allow any file
       with a .log extension on the system to be written to. PR#7848
     * A vulnerability was found when Multiviews are used to negotiate
       the directory index. In some configurations, requesting a URI with
       a QUERY_STRING of M=D could return a directory listing rather than
       the expected index page.  CAN-2001-0731

     The security issues above have been assigned standardized names, CAN-
     by the Common Vulnerabilities and Exposures project (

  New features

   The main new features in 1.3.22 (compared to 1.3.20) are:
     * The user manual has been updated. As well as a number of small
       fixes these updates include new translations into French and
       Japanese, a guide to using Apache httpd on Cygwin, a lexicon of
       Apache error messages, updated TPF documentation, and a
       comprehensive guide to using log files
     * The user manual can now be moved out of the htdocs DocumentRoot
       during installation by invoking configure with the --manualdir=
       switch, to allow separation of on-line docs from regular contents.
     * The supplied icons are now also distributed in PNG format
     * A significant overhaul to the Apache Bench program, ab has taken
       place, as first reported in April. The new Apache Bench includes
       fixes, additional statistics, csv and gnuplot output, and some
       SSL support
     * New directives have been added to the mod_usertrack module, The
       first, CookieDomain, can be used to customise the Domain
       attribute.  The patch to add the CookieDomain directive was first
       submitted over two years ago. Historically mod_usertrack has used
       the obsolete Netscape cookie syntax. The new CookieStyle directive
       allows use of the RFC2109 or RFC2965 syntax instead. PR#5023,
       PR#5920, PR#6140.
     * The server will now display a warning if line-end comments (#) are
       found in the configuration file. Not all directives are able to
       handle comments on the same line
     * A new directive, AcceptMutex, allows run-time configuration of the
       mutex type used for accept serialization, currently a compile-time
       only setting in 1.3. Since different types of mutex have different
       performance characteristics on different platforms, this directive
       will allow administrators to tune their Apache server more easily.
       The current list of possible methods is: uslock, pthread, sysvsem,
       fcntl, flock, os2sem, tpfcore, none. Not all platforms support all
     * mod_auth has been enhanced to allow access to a document to be
       controlled based on the owner of the file being served. Require
       file-owner will only allow files to be served where the
       authenticated username matches the user that owns the document.
       Require file-group works in a similar way checking that the group

   New features that relate to specific platforms:
     * A new directive, AcceptFilter, has been added to control BSD
       accept filters at run-time.  This should make it easier to move
       server binaries across different BSD machines without requiring
       recompilation.  Support for accept filters was first added to
       version 1.3.14, the functionality can postpone the requirement for
       a child process to handle a new connection until an HTTP request
       has arrived, therefore increasing the number of connections that a
       given number of child processes can handle
     * On Win32 mod_unique_id, mod_mime_magic, and the mod_vhost_alias
       modules are now enabled
     * The Cygwin port includes a number of fixes and updates.  Cygwin
       support was first introduced in version 1.3.20
     * On Windows 2000, the service display names can now be modified
       by the user (use the service control panel applet)
     * On Win32 a new option -W can be used to set up a dependency on
       another service, see win_service.html
     * The server will now take advantage of recent improvements to the
       TPF operating system which include an enhanced system fork and
       exec, updates to allow non-blocking file descriptors, and an
       update to shutdown processing

  Bugs fixed

   The following bugs were found in Apache 1.3.20 and have been fixed in
   Apache 1.3.22:
     * Under certain circumstances a child may crash due to a bug in
       mod_include.  If a server uses an ErrorDocument for 404 (request
       not found) errors which points to a server-parsed HTML file which
       uses a <!--#include  virtual="file" --> section, then a request
       containing %2f will result in a segfault. The segfault is harmless
       and does not cause a security problem, but is being triggered by
       the recent IIS worm
     * The Multiviews functionality has been fixed to prevent
       mod_negotiation from serving any multiview variant that contains
       unknown filename extensions. PR#8130
     * Apache will prefer installed version of the Expat library over the
       bundled version. This fixes conflicts when multiple copies of the
       Expat library get loaded (notably when using mod_perl and
     * UnsetEnv now works from the main body of a configuration file.
     * When used as a reverse proxy any headers set by other modules
       (such as mod_usertrack or mod_securid) now get passed on to the
       back-end server. PR#6055
     * Server response headers can now be logged via the proxy. PR#7461
     * mod_proxy will now pay attention to HTTP headers that specify the
       request is not to be cached. PR#5668
     * When a client making a request via mod_proxy died unexpectedly,
       mod_proxy did not close its connection. PR#8090
     * The CacheForceCompletion directive has been fixed PR#7383,
       PR#8067, PR#6585
     * A memory leak has been fixed in the mod_mime_magic module
     * A Satisfy All option has been added to the default container
       designed to stop access to .htaccess files.  Without this
       directive, these files could still be fetched if they were within
       the scope of a Satisfy Any directive.

   The following bugs relate to specific platforms:
     * A number of fixes for NetWare have been added. These include:
       enabling long file names in htpasswd and htdigest, protection
       against ill behaved modules, better handling of abnormal
       shutdowns, dealing with the limited stack space during server side
       includes, and recognising special filenames such as proxy:http://
     * A shutdown hang could occur on Solaris when using lots of piped
       TransferLogs and at least one piped ErrorLog
     * On EBCDIC platforms a bug in the proxy module stopped SSL proxying
     * On Win32, mod_unique_id did not guarantee a unique ID due to
     * The Win32 Makefiles are now 100% compatible with the Microsoft
       Visual C++ compiler versions 5,6,7

To generate a diff of this commit:
cvs rdiff -r1.38 -r1.39 pkgsrc/www/apache6/Makefile
cvs rdiff -r1.6 -r1.7 pkgsrc/www/apache6/distinfo
cvs rdiff -r1.1 -r1.2 pkgsrc/www/apache6/files/config.layout
cvs rdiff -r1.4 -r1.5 pkgsrc/www/apache6/patches/patch-aa
cvs rdiff -r1.5 -r1.6 pkgsrc/www/apache6/patches/patch-aj
cvs rdiff -r1.13 -r1.14 pkgsrc/www/apache6/pkg/PLIST

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.