Apache Security

[ANNOUNCE] libapreq2-2.12 Released

        libapreq2-2.12 Released

The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.12 release of libapreq2.  This
Announcement notes significant changes introduced by this release.

libapreq2-2.12 is released under the Apache License
version 2.0.  It is now available through the ASF mirrors

      http://httpd.apache.org/apreq/download.cgi

and has entered the CPAN as 

  file: $CPAN/authors/id/J/JO/JOESUF/libapreq2-2.12.tar.gz
  size: 859412 bytes
  md5: 76e2acde0d82246dea6f2565f3746eec


libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data.  This package provides

    1) version 2.7.1 of the libapreq2 library,

    2) mod_apreq2, a filter module necessary for using libapreq2
       within the Apache HTTP Server,

    3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
       perl modules for using libapreq2 with mod_perl2.

========================================================================

Changes with libapreq2-2.12 (released March 13, 2009)

- C API [joes]
  Make the cookie parser a little more flexible.

- Interactive CGI module [issac]
  Allow cgi module to interactively prompt for parameters and cookies when
  running a script from the command line and not from a CGI interface.

- Perl Glue [joes]
  Fix the linking of the perl modules to libapreq2 and libapr
  on Solaris.

- Perl Glue [joes]
  Fix install-time linking issue of the .so modules.
  Previously they would remain linked against the src
  library path, not the install path.

- C API [joes]
  Add optional interface for apreq_handle_apache2().

- C API [joes]
  Clean up buggy apreq_hook_find_param().

- Perl Glue Build [Philip M. Gollucci]
  config.status format changed yet again in autoconf 2.62+.

- License [Mladen Turk]
  Add libapreq.rc and generate libapreq.res

- Build [Mladen Turk]
  Add APREQ_DECLARE_EXPORT/APREQ_DECLARE_STATIC
  in the same way as APR declares so that dllexport/dllimport
  get correctly handled.   

- Build [Randy Kobes]
  Add appropriate manifest command to embed manifest files on Win32 
  when using VC8

- C API [Andy Grundman, joes]
  Add missing bytes_read initializer to apreq_handle_custom().

- C API [suggested by Vinay Y S, tested by Steve Hay and Peter Walsham]
  For Win32, remove the
     flag |= APR_FILE_NOCLEANUP | APR_SHARELOCK;
  in apreq_file_cleanup, to avoid problems with file uploads.

- C API [joes]
  Fix leak associated with calling apreq_brigade_fwrite() on an upload
  brigade.

- Build [Philip M. Gollucci]
  SunOS (Solaris) 
  Users must use gmake not make for building.

- Build [Philip M. Gollucci]
  SunOS (Solaris)
  Code around bug in libtool (at least in 1.5.18, 1.5.20, 1.5.22)
  causing mod_apreq2 to be built instead of mod_apreq2.so

- C API [Philip M. Gollucci]
  Fix signed vs unsigned comparison
  in apreq_fwritev() on SunOS/gcc where iovec.iov_len is a long.

- Build [Philip M. Gollucci]
  SunOS (Solaris)
  fix duplicate link error to libexpat.so -- by using the one from httpd
  exclusively now.

- Build [Philip M. Gollucci]
  code around |#_!!_#| autoconf 2.60 bug.



[ANNOUNCEMENT] Apache HTTP Server 2.2.11 Released

                       Apache HTTP Server 2.2.11 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.11 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a bug fix
   release.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.2.11 is available for download from:

     http://httpd.apache.org/download.cgi

   Apache 2.2 offers numerous enhancements, improvements, and performance
   boosts over the 2.0 codebase.  For an overview of new features
   introduced since 2.0 please see:

     http://httpd.apache.org/docs/2.2/new_features_2_2.html

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.11 provides the
   complete list of changes since 2.2.10. A summary of security
   vulnerabilities which were addressed in the previous 2.2.10 and earlier
   releases is available:

     http://httpd.apache.org/security/vulnerabilities_22.html

   Apache HTTP Server 1.3.41 and 2.0.63 legacy releases are also currently
   available.  See the appropriate CHANGES from the url above.  See the
   corresponding CHANGES files linked from the download page.  The Apache
   HTTP Project developers strongly encourage all users to migrate to
   Apache 2.2, as only limited maintenance is performed on these legacy
   versions.

   This release includes the Apache Portable Runtime (APR) version 1.3.3
   bundled with the tar and zip distributions.  The APR libraries libapr
   and libaprutil (and on Win32, libapriconv) must all be updated to ensure
   binary compatibility and address many known platform bugs.

   This release builds on and extends the Apache 2.0 API.  Modules written
   for Apache 2.0 will need to be recompiled in order to run with Apache
   2.2, and require minimal or no source code changes.

     http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.