Project description.

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT.

The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache 1.2.5 Changelog
  • SECURITY: Fix a possible buffer overflow in logresolve. This is only an issue on systems without a MAXDNAME define or where the resolver returns domain names longer than MAXDNAME. [Marc Slemko]
  • Fix an improper length in an ap_snprintf call in proxy_date_canon(). [Marc Slemko]
  • Fix core dump in the ftp proxy when reading incorrectly formatted directory listings. [Marc Slemko]
  • SECURITY: Fix possible minor buffer overflow in the proxy cache. [Marc Slemko]
  • SECURITY: Eliminate possible buffer overflow in cfg_getline, which is used to read various types of files such as htaccess and htpasswd files. [Marc Slemko]
  • SECURITY: Ensure that the buffer returned by ht_time is always properly null terminated. [Marc Slemko]
  • SECURITY: General mod_include cleanup, including fixing several possible buffer overflows and a possible infinite loop. This cleanup was done against 1.3 code and then backported to 1.2; the result is a large difference (due to indentation cleanup in 1.3 code). Users interested in seeing a smaller set of relevant differences should consider comparing against src/modules/standard/mod_include.c from the 1.3b3 release. Non-indentation changes to mod_include between 1.2 and 1.3 were minimal. [Dean Gaudet, Marc Slemko]
  • SECURITY: Numerous changes to mod_imap in a general cleanup including fixing a possible buffer overflow. This cleanup also was done with 1.3 code as a basis; see the previous note about mod_include. [Dean Gaudet]
  • SECURITY: If a htaccess file can not be read due to bad permissions, deny access to the directory with a HTTP_FORBIDDEN. The previous behavior was to ignore the htaccess file if it could not be read. This change may make some setups with unreadable htaccess files stop working. [Marc Slemko] PR#817
  • SECURITY: no2slash() was O(n^2) in the length of the input. Make it O(n). This inefficiency could be used to mount a denial of service attack against the Apache server. Thanks to Michal Zalewski for reporting this. [Dean Gaudet]
  • mod_include used uninitialized data for some uses of && and ||. [Brian Slesinsky] PR#1139
  • mod_imap should decline all non-GET methods. [Jay Bloodworth]
  • suexec.c wouldn't build without -DLOG_EXEC. [Jason A. Dour]
  • mod_userdir was modifying r->finfo in cases where it wasn't setting r->filename. Since those two are meant to be in sync with each other this is a bug. ["Paul B. Henson"]
  • mod_include did not properly handle all possible redirects from sub-requests. [Ken Coar]
  • Inetd mode (which is buggy) uses timeouts without having set up the jmpbuffer. [Dean Gaudet] PR#1064
  • Work around problem under Linux where a child will start looping reporting a select error over and over. [Rick Franchuk] PR#1107
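
The no2slash() entry above describes replacing an O(n^2) routine with an O(n) one. As an added illustration (not Apache's source; the function names and the iteration counter are hypothetical), the C below contrasts a slash collapser that shifts the tail on every duplicate with a single-pass one, run on a constructed all-slash input.

```c
#include <stdio.h>
#include <string.h>

/* Quadratic form: every duplicate '/' shifts the rest of the string left
 * by one byte. Returns the number of loop iterations performed. */
size_t collapse_slashes_quadratic(char *s)
{
    size_t work = 0, x = 0;
    while (s[x] != '\0') {
        work++;
        if (x > 0 && s[x - 1] == '/' && s[x] == '/') {
            for (size_t y = x; s[y] != '\0'; y++) {
                s[y] = s[y + 1];        /* last copy moves the NUL */
                work++;
            }
        } else {
            x++;
        }
    }
    return work;
}

/* Linear form: one read pointer, one write pointer, single pass. */
size_t collapse_slashes_linear(char *s)
{
    size_t work = 0;
    char *dst = s;
    for (const char *src = s; *src != '\0'; src++) {
        work++;
        if (*src == '/' && dst != s && dst[-1] == '/')
            continue;                   /* drop the repeated slash */
        *dst++ = *src;
    }
    *dst = '\0';
    return work;
}

int main(void)
{
    /* Constructed worst case: a path made only of slashes. */
    static char a[4001], b[4001];
    memset(a, '/', 4000);
    memset(b, '/', 4000);
    printf("quadratic: %zu iterations\n", collapse_slashes_quadratic(a));
    printf("linear:    %zu iterations\n", collapse_slashes_linear(b));
    return 0;
}
```

For an input of n slashes the first function performs n(n+1)/2 iterations and the second performs n, which is why a request-length cap alone does not remove the cost of the quadratic form.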