Stronghold Web Server version history

Stronghold Web Server 3.0 Build code 3022 [April 2003]

• Include security fix for OpenSSL timing attacks: CAN-2003-0131, CAN-2003-0147

Stronghold Web Server 3.0 Build code 3021 [March 2003]

• Include security fix for OpenSSL timing attack: CAN-2003-0078
• Include security fixes for Apache log output: CAN-2003-0020, CAN-2003-0083
• Include security fix for PHP 4.1 MySQL extension: CAN-2002-1376

Stronghold Web Server 3.0 Build code 3020 [October 2002]

• Include security fixes for Apache vulnerabilities: CAN-2002-0839, CAN-2002-0840, CAN-2002-0843
• Include security fix for mod_ssl vulnerability: CAN-2002-1157
• Include security fixes for PHP vulnerabilities: CAN-2002-0985, CAN-2002-0986

Stronghold Web Server 3.0 Build code 3019 [August 2002]

• Updated patch for OpenSSL ASN1 vulnerability

Stronghold Web Server 3.0 Build code 3018 [July 2002]

• Include security fix for OpenSSL vulnerabilities: CAN-2002-0655 CAN-2002-0656, CAN-2002-0659
• Include security fix for mod_ssl vulnerability: CAN-2002-0653
• Include security fix for mm vulnerability: CAN-2002-0658

Stronghold Web Server 3.0 Build code 3017 [June 2002]

• Include security fix for Apache chunk size vulnerability: CAN-2002-0392

Stronghold Web Server 3.0 Build code 3016 [March 2002]

• Updated to mod_ssl 2.8.7
• Security fix for shm and dbm session caches: CAN-2002-0082
• Updated to PHP 4.1.2
• Security fix in file upload handling: CAN-2002-0081

Stronghold Web Server 3.0 Build code 3015 [October 2001]

• Updated to Apache 1.3.22.
• Updated to PHP 4.0.6.
• Updated to OpenSSL 0.9.6b
• Support for AEP and Baltimore cryptographic accelerators.
• Restriction of stronghold-info and stronghold-status pages. The Stronghold Web Server Administration Guide (page 1-13) explains that directives should be added to httpd.conf in order to restrict access of the stronghold-info and stronghold-status pages to users on the local network. Without these directives, Stronghold Web Server (prior to 3.0 build 3015) can allow remote user access to stronghold-status and stronghold-info pages which contain information about the server, in particular addresses of clients accessing particular pages and hit counts. In Stronghold Web Server (build 3015) these pages are restricted by default.

Stronghold Web Server 3.0 Build code 3014 [March 2001]

• Updated to Apache 1.3.19
  • Fixes for RewriteMap lookups in mod_rewrite
  • Fix for PDF byteserving
  • Security fix for mod_autoindex displaying directory indexes
  • Handle out-of-space condition better with piped logs
  • Performance improvements for Linux 2.2 and later
• Updated to mod_ssl 2.8.1.
• Updated to PHP 3.0.18 and PHP 4.0.4pl1.
  • PHP 3.0.18 has fix for file upload bugs
• Updated to mod_perl 1.25.

Stronghold Web Server 3.0 Build code 3013 [October 2000]

• Updated to Apache 1.3.14
• Updated to OpenSSL 0.9.6.
• Updated to mod_ssl 2.7.1
• Updated to PHP 3.0.17 and PHP 4.0.3pl1.
• Updated to mod_perl 1.24_01 from 1.22
• Includes support for nCipher boards.
• When run inside the Apache source directory (src/), make install now installs the apxs script correctly, without having to run make support beforehand.
• Includes fixes for mod_rewrite preventing, under some configurations, the ability to read any file on the system. (See Apache Week for further information.)

Stronghold Web Server 3.0 Build code 3012 [July 2000]

• PHP 4.0.1 is now bundled for most platforms, alongside of PHP 3.0.16. Please see the conf/httpd.conf file for information on enabling the module.
• New directive for compatibility with Stronghold Web Server 2: SSLProxyPassEnv.
• Various internal and user-visible modifications for improved portability.
• Better support in the installation program for those who are upgrading from an earlier version of Stronghold Web Server 3.0.
• Updated server and client root CA certificates.
• Improvements for rebuilding on systems such as AIX, where a file listing exported symbols is required.

Stronghold Web Server 3.0 Build code 3011 [June 2000]

• APXS, used by many modules when building as a DSO (dynamic shared object), is now supported by Stronghold Web Server 3.0.
• In addition to the original start-server, stop-server and reload-server scripts, apachectl is provided as an alternative to this system. Please note this has been renamed to "strongholdctl", preventing conflicts if Apache and Stronghold Web Server are installed on the same machine.
• Stronghold Web Server's modssl SSL/TLS module has been removed and replaced with Ralf S. Engelschall's mod_ssl. Directives for backward compatibility have been added allowing Stronghold Web Server 2.4.x installations to continue to work as before with no or only minimal changes.
• Updated PHP/FI 2.0 to PHP 3.0.16.
• Includes mod_perl 1.22 (perl 5.005_03 is included enabling the module to work on any supported system).
• Includes OpenSSL 0.9.5a, replacing SSLeay 0.9.1b.

Updated Apache to 1.3.12 from 1.3.6

• Faster start up and restarts when a large number of virtual hosts are used.
• The directives used to configure environment variables can be set on a per-directory basis.
• SetEnvIf can test environment variables as well as the request protocol.
• A new module for mass virtual hosting has been added.
• SHA1 encoding for basic authentication passwords has been added.
• "httpd -l", used to obtain a list of the compiled-in modules, now includes the status of suexec.
• Additional logging variables have been added to give greater control over custom log files. %m logs the request method ("GET", "POST", etc.) and %H logs the request protocol (e.g. "HTTP/1.1"). %q logs the information passed in the query string.
• The cross-site scripting CERT advisory, affecting most web servers, has been fixed by specifying in the headers which character set is being used. Two new directives, AddDefaultCharset and AddDefaultCharsetName, have been added to enable controlling of this.
• Arbitary methods, instead of just the well-known methods, can now be used for script handling through mod_actions.
• The IndexOptions directive, used for controlling FancyIndexed directory listings, has been extended. FoldersFirst causes subdirectories to be listed before other files, and DescriptionWidth allows the default width for file descriptions to be changed.
• mod_autoindex, used for directory indexing, has been modified to parse the automatic header and readme files and correctly use the standard include variables.
• Improved granularity for the ServerTokens directive. It is now possible to specify "ProductOnly," resulting in "Stronghold" being displayed in the server string.
• Support for a directory-based configuration system: this involves pointing various directives to directories instead of files, and all files in the specified directory will be parsed as part of the configuration.
• The SetEnvIf and BrowserMatch range of directives can be used in .htaccess files.