12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
37047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127
71278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177
71778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227
7227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559 |
- -*- coding: utf-8 -*-
- *) mod_dav: Improve error handling in dav_method_put(), add new
- dav_join_error() function. PR 54145. [Ben Reser <ben reser.org>]
- Changes with Apache 2.2.15
- *) SECURITY: CVE-2009-3555 (cve.mitre.org)
- mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
- by rejecting any client-initiated renegotiations. Forcibly disable
- keepalive for the connection if there is any buffered data readable. Any
- configuration which requires renegotiation for per-directory/location
- access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
- [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
- *) SECURITY: CVE-2010-0408 (cve.mitre.org)
- mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
- when request headers indicate a request body is incoming; not a case of
- HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]
- *) SECURITY: CVE-2010-0425 (cve.mitre.org)
- mod_isapi: Do not unload an isapi .dll module until the request
- processing is completed, avoiding orphaned callback pointers.
- [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
- *) Ensure each subrequest has a shallow copy of headers_in so that the
- parent request headers are not corrupted. Elimiates a problematic
- optimization in the case of no request body. PR 48359
- [Jake Scott, William Rowe, Ruediger Pluem]
- *) mod_reqtimeout: New module to set timeouts and minimum data rates for
- receiving requests from the client. [Stefan Fritsch]
- *) mod_proxy_ajp: Really regard the operation a success, when the client
- aborted the connection. In addition adjust the log message if the client
- aborted the connection. [Ruediger Pluem]
- *) mod_negotiation: Preserve query string over multiviews negotiation.
- This buglet was fixed for type maps in 2.2.6, but the same issue
- affected multiviews and was overlooked.
- PR 33112 [Joergen Thomsen <apache jth.net>]
- *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
- the flood of requests at bay that strike a backend webserver as
- a cached entity goes stale. [Graham Leggett]
- *) mod_proxy_http: Make sure that when an ErrorDocument is served
- from a reverse proxied URL, that the subrequest respects the status
- of the original request. This brings the behaviour of proxy_handler
- in line with default_handler. PR 47106. [Graham Leggett]
- *) mod_log_config: Add the R option to log the handler used within the
- request. [Christian Folini <christian.folini netnea com>]
- *) mod_include: Allow fine control over the removal of Last-Modified and
- ETag headers within the INCLUDES filter, making it possible to cache
- responses if desired. Fix the default value of the SSIAccessEnable
- directive. [Graham Leggett]
- *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
- allows insecure renegotiation with clients which do not yet
- support the secure renegotiation protocol. [Joe Orton]
- *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
- is configured for client cert auth. PR 46952. [Joe Orton]
- *) core: Fix potential memory leaks by making sure to not destroy
- bucket brigades that have been created by earlier filters.
- [Stefan Fritsch]
- *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
- try other providers in the case of an LDAP bind failure.
- PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
- *) mod_proxy, mod_proxy_http: Support remote https proxies
- by using HTTP CONNECT.
- PR 19188. [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
- *) worker: Don't report server has reached MaxClients until it has.
- Add message when server gets within MinSpareThreads of MaxClients.
- PR 46996. [Dan Poirier]
- *) mod_ssl: When extracting certificate subject/issuer names to the
- SSL_*_DN_* variables, handle RDNs with duplicate tags by
- exporting multiple varialables with an "_n" integer suffix.
- PR 45875. [Joe Orton, Peter Sylvester <peter.sylvester edelweb.fr>]
- *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
- password now result in an informational level log entry instead of
- warning level. [Eric Covener]
- *) core: Preserve Port information over internal redirects
- PR 35999 [Jonas Ringh <jonas.ringh cixit.se>]
- *) mod_filter: fix FilterProvider matching where "dispatch" string
- doesn't exist.
- PR 48054 [<tietw gmail.com>]
- *) Build: fix --with-module to work as documented
- PR 43881 [Gez Saunders <gez.saunders virgin.net>]
- *) mod_mime: Make RemoveType override the info from TypesConfig.
- PR 38330. [Stefan Fritsch]
- *) mod_proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
- rather than BAD_GATEWAY or (especially) NOT_FOUND.
- PR 46971 [evanc nortel.com]
- *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
- [Eric Covener]
- *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
- some cache entries and log a warning. Also increase the default
- LDAPSharedCacheSize to 500000. This is a more realistic size suitable
- for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
- PR 46749. [Stefan Fritsch]
- *) mod_disk_cache, mod_mem_cache: don't cache incomplete responses,
- per RFC 2616, 13.8. PR15866. [Dan Poirier]
- *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
- the request is a CONNECT request. PR 47928
- [Bill Zajac <billz consultla.com>]
- *) mod_cache: correctly consider s-maxage in cacheability
- decisions. [Dan Poirier]
- *) core: Return APR_EOF if request body is shorter than the length announced
- by the client. PR 33098 [ Stefan Fritsch <sf sfritsch.de>]
- *) mod_rewrite: Add scgi scheme detection. [André Malo]
- *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
- LocationMatch sections. PR 47754. [Dan Poirier]
- *) ab, mod_ssl: Restore compatibility with OpenSSL < 0.9.7g.
- [Guenter Knauf]
- Changes with Apache 2.2.14
- *) SECURITY: CVE-2009-2699 (cve.mitre.org)
- Fixed in APR 1.3.9. Faulty error handling in the Solaris pollset support
- (Event Port backend) which could trigger hangs in the prefork and event
- MPMs on that platform. PR 47645. [Jeff Trawick]
- *) SECURITY: CVE-2009-3095 (cve.mitre.org)
- mod_proxy_ftp: sanity check authn credentials.
- [Stefan Fritsch <sf fritsch.de>, Joe Orton]
- *) SECURITY: CVE-2009-3094 (cve.mitre.org)
- mod_proxy_ftp: NULL pointer dereference on error paths.
- [Stefan Fritsch <sf fritsch.de>, Joe Orton]
- *) mod_proxy_scgi: Backport from trunk. [André Malo]
- *) mod_ldap: Don't try to resolve file-based user ids to a DN when AuthLDAPURL
- has been defined at a very high level. PR 45946. [Eric Covener]
- *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]
- *) mod_ldap: Bring the LDAPCacheEntries and LDAPOpCacheEntries
- usage() in synch with the manual and the implementation (0 and -1
- both disable the cache). [Eric Covener]
- *) mod_ssl: The error message when SSLCertificateFile is missing should
- at least give the name or position of the problematic virtual host
- definition. [Stefan Fritsch sf sfritsch.de]
- *) htdbm: Fix possible buffer overflow if dbm database has very
- long values. PR 30586 [Dan Poirier]
- *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
- *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
- type. PR 45107. [Michael Ströder <michael stroeder.com>,
- Peter Sylvester <peter.sylvester edelweb.fr>]
- *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
- defined session identifiers encoded in the URL when caching.
- [Ruediger Pluem]
- *) mod_mem_cache: fix seg fault under load due to pool concurrency problem
- PR: 47672 [Dan Poirier <poirier pobox.com>]
- *) mod_autoindex: Correctly create an empty cell if the description
- for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
- Changes with Apache 2.2.13
- *) SECURITY: CVE-2009-2412 (cve.mitre.org)
- Distributed with APR 1.3.8 and APR-util 1.3.9 to fix potential overflow
- in pools and rmm, where size alignment was taking place.
- [Matt Lewis <mattlewis@google.com>, Sander Striker]
- *) mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas. Report
- warnings compiling mod_ssl against OpenSSL to the httpd developers.
- [Guenter Knauf]
- *) mod_cgid: Do not add an empty argument when calling the CGI script.
- PR 46380 [Ruediger Pluem]
- *) Fix potential segfaults with use of the legacy ap_rputs() etc
- interfaces, in cases where an output filter fails. PR 36780.
- [Joe Orton]
- Changes with Apache 2.2.12
- *) SECURITY: CVE-2009-1891 (cve.mitre.org)
- Fix a potential Denial-of-Service attack against mod_deflate or other
- modules, by forcing the server to consume CPU time in compressing a
- large file after a client disconnects. PR 39605.
- [Joe Orton, Ruediger Pluem]
- *) SECURITY: CVE-2009-1195 (cve.mitre.org)
- Prevent the "Includes" Option from being enabled in an .htaccess
- file if the AllowOverride restrictions do not permit it.
- [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
- Ruediger Pluem, Jeff Trawick]
- *) SECURITY: CVE-2009-1890 (cve.mitre.org)
- Fix a potential Denial-of-Service attack against mod_proxy in a
- reverse proxy configuration, where a remote attacker can force a
- proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
- *) SECURITY: CVE-2009-1191 (cve.mitre.org)
- mod_proxy_ajp: Avoid delivering content from a previous request which
- failed to send a request body. PR 46949 [Ruediger Pluem]
- *) SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
- The bundled copy of the APR-util library has been updated, fixing three
- different security issues which may affect particular configurations
- and third-party modules.
- *) mod_include: fix potential segfault when handling back references
- on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
- *) mod_alias: check sanity in Redirect arguments.
- PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
- *) mod_proxy_http: fix Host: header for literal IPv6 addresses.
- PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
- *) mod_rewrite: Remove locking for writing to the rewritelog.
- PR 46942
- *) mod_alias: Ensure Redirect emits HTTP-compliant URLs.
- PR 44020
- *) mod_proxy_http: fix case sensitivity checking transfer encoding
- PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
- *) mod_rewrite: Fix the error string returned by RewriteRule.
- RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
- argument of RewriteRule was not started with "[" or not ended with "]".
- PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
- *) mod_proxy: Complete ProxyPassReverse to handle balancer URL's. Given;
- BalancerMember balancer://alias http://example.com/foo
- ProxyPassReverse /bash balancer://alias/bar
- backend url http://example.com/foo/bar/that is now translated /bash/that
- [William Rowe]
- *) New piped log syntax: Use "||process args" to launch the given process
- without invoking the shell/command interpreter. Use "|$command line"
- (the default behavior of "|command line" in 2.2) to invoke using shell,
- consuming an additional shell process for the lifetime of the logging
- pipe program but granting additional process invocation flexibility.
- [William Rowe]
- *) mod_ssl: Add server name indication support (RFC 4366) and better
- support for name based virtual hosts with SSL. PR 34607
- [Peter Sylvester <peter.sylvester edelweb.fr>,
- Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
- Ruediger Pluem]
- *) mod_negotiation: Escape pathes of filenames in 406 responses to avoid
- HTML injections and HTTP response splitting. PR 46837.
- [Geoff Keating <geoffk apple.com>]
- *) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
- including multiple INCLUDES filters. PR 39369 [Joe Orton]
- *) mod_rewrite: When evaluating a proxy rule in directory context, do
- escape the filename by default. PR 46428 [Joe Orton]
- *) mod_proxy_ajp: Check more strictly that the backend follows the AJP
- protocol. [Mladen Turk]
- *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
- to enable stricter checking of remote server certificates.
- [Ruediger Pluem]
- *) mod_substitute: Fix a memory leak. PR 44948
- [Dan Poirier <poirier pobox.com>]
- *) mod_proxy_ajp: Forward remote port information by default.
- [Rainer Jung]
- *) mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
- directive to correctly remove headers before storing them.
- [Lars Eilebrecht]
- *) mod_deflate: revert changes in 2.2.8 that caused an invalid
- etag to be emitted for on-the-fly gzip content-encoding.
- PR 39727 will require larger fixes and this fix was far more
- harmful than the original code. PR 45023. [Roy T. Fielding]
- *) mod_disk_cache: The module now turns off sendfile support if
- 'EnableSendfile off' is defined globally. PR 41218.
- [Lars Eilebrecht, Issac Goldstand]
- *) prefork: Fix child process hang during graceful restart/stop in
- configurations with multiple listening sockets. PR 42829. [Joe Orton,
- Jeff Trawick]
- *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the
- size of the buffer used for the request-body where necessary
- during a per-dir renegotiation. PR 39243. [Joe Orton]
- *) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
- way that per-directory rewrites append the previous notion of PATH_INFO
- to each substitution before evaluating subsequent rules.
- PR38642 [Eric Covener]
- *) mod_authnz_ldap: Reduce number of initialization debug messages and make
- information more clear. PR 46342 [Dan Poirier]
- *) mod_cache: Introduce 'no-cache' per-request environment variable
- to prevent the saving of an otherwise cacheable response.
- [Eric Covener]
- *) core: Translate the status line to ASCII on EBCDIC platforms in
- ap_send_interim_response() and for locally generated "100 Continue"
- responses. [Eric Covener]
- *) CGI: return 504 (Gateway timeout) rather than 500 when a script
- times out before returning status line/headers.
- PR 42190 [Nick Kew]
- *) prefork: Log an error instead of segfaulting when child startup fails
- due to pollset creation failures. PR 46467. [Jeff Trawick]
- *) mod_ext_filter: fix error handling when the filter prog fails to start,
- and introduce an onfail configuration option to abort the request
- or to remove the broken filter and continue.
- PR 41120 [Nick Kew]
- *) mod_include: support generating non-ASCII characters as entities in SSI
- PR 25202 [Nick Kew]
- *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII
- chars [Nick Kew]
- *) mod_rewrite: fix "B" flag breakage by reverting r589343
- PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]
- *) mod_cgid: fix segfault problem on solaris.
- PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>, Jeff Trawick]
- *) mod_ldap: Avoid a segfault when result->rc is checked in
- uldap_connection_init when result is NULL. This could happen if LDAP
- initialization failed. PR 45994. [Dan Poirier <poirier pobox.com>]
- *) Set Listen protocol to "https" if port is set to 443 and no proto is
- specified (as documented but not implemented). PR 46066
- [Dan Poirier <poirier pobox.com>]
- *) mod_cache: Correctly save Content-Encoding of cachable entity. PR 46401
- [Dan Poirier <poirier pobox.com>]
- *) Output -M and -S dumps (modules and vhosts) to stdout instead of stderr.
- PR 42571 and PR 44266 (dup). [Dan Poirier <poirier pobox.com>]
- *) mod_cache: When an explicit Expires or Cache-Control header is set, cache
- normally non-cacheable response statuses. PR 46346.
- [Alex Polvi <alex polvi.net>]
- Changes with Apache 2.2.11
- *) core: When the ap_http_header_filter processes an error bucket, cleanup
- the passed brigade before returning AP_FILTER_ERROR down the filter
- chain. This unambiguously ensures the same error bucket isn't revisited
- [Ruediger Pluem]
- *) core: Error responses set by filters were being coerced into 500 errors,
- sometimes appended to the original error response. Log entry of:
- 'Handler for (null) returned invalid result code -3'
- [Eric Covener]
- *) configure: Don't reject libtool 2.x
- PR 44817 [Arfrever Frehtes Taifersar Arahesis <Arfrever.FTA gmail.com>]
- *) mod_autoindex: add configuration option to insert string
- in HTML HEAD (IndexHeadInsert). [Nick Kew]
- *) Add new LogFormat parameter, %k, which logs the number of
- keepalive requests on this connection for this request.
- PR 45762 [Dan Poirier <poirier pobox.com>, Jim Jagielski]
- *) Export and install the mod_rewrite.h header to ensure the optional
- rewrite_mapfunc_t and ap_register_rewrite_mapfunc functions are
- available to third party modules. [Graham Leggett]
- *) mod_cache: Convert age of cached object to seconds before comparing it to
- age supplied by the request when checking whether to send a Warning
- header for a stale response. PR 39713. [Owen Taylor <otaylor redhat.com>]
- *) Build: Correctly set SSL_LIBS during openssl detection if pkgconfig is
- not available. PR 46018 [Ruediger Pluem]
- *) mod_proxy_ajp: Do not fail if response data is sent before all request
- data is read. PR 45911 [Ruediger Pluem]
- *) mod_proxy_balancer: Add in forced recovery for balancer members if
- all are in error state. [Mladen Turk]
- *) mod_proxy: Prevent segmentation faults by correctly adjusting the
- lifetime of the buckets read from the proxy backend. PR 45792
- [Ruediger Pluem]
- *) mod_expires: Do not sets negative max-age / Expires header in the past.
- PR 39774 [Jim Jagielski]
- *) mod_info: Was displaying the wrong value for the KeepAliveTimeout
- value. [Jim Jagielski]
- *) mod_proxy_ajp: Fix wrongly formatted requests where client
- sets Content-Length header, but doesn't provide a body.
- Servlet container always expects that next packet is
- body whenever C-L is present in the headers. This can lead
- to wrong interpretation of the packets. In this case
- send the empty body packet, so container can deal with
- that. [Mladen Turk]
- *) core: Add ap_timeout_parameter_parse to public API. [Ruediger Pluem]
- *) mod_proxy: Add the possibility to set the worker parameters
- connectiontimeout and ping in milliseconds. [Ruediger Pluem]
- *) Worker MPM: Crosscheck that idle workers are still available before using
- them and thus preventing an overflow of the worker queue which causes
- a SegFault. PR 45605 [Denis Ustimenko <denusk gmail.com>]
- *) Windows: Always build the odbc dbd driver on windows, to be consistent
- with the apr-util default. [Tom Donovan]
- Changes with Apache 2.2.10
- *) SECURITY: CVE-2008-2939 (cve.mitre.org)
- mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
- the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
- *) Allow for smax to be 0 for balancer members so that all idle
- connections are able to be dropped should they exceed ttl.
- PR 43371 [Phil Endecott <spam_from_apache_bugzilla chezphil.org>,
- Jim Jagielski]
- *) mod_proxy_http: Don't trigger a retry by the client if a failure to
- read the response line was the result of a timeout.
- [Adam Woodworth <mirkperl gmail.com>]
- *) Support chroot on Unix-family platforms
- PR 43596 [Dimitar Pashev <mitko banksoft-bg.com>]
- *) mod_ssl: implement dynamic mutex callbacks for the benefit of
- OpenSSL. [Sander Temme]
- *) mod_proxy_balancer: Add 'bybusyness' load balance method.
- [Joel Gluth <joelgluth yahoo.com.au>, Jim Jagielski]
- *) mod_authn_alias: Detect during startup when AuthDigestProvider
- is configured to use an incompatible provider via AuthnProviderAlias.
- PR 45196 [Eric Covener]
- *) mod_proxy: Add 'scolonpathdelim' parameter to allow for ';' to also be
- used as a session path separator/delim PR 45158. [Jim Jagielski]
- *) mod_charset_lite: Avoid dropping error responses by handling meta buckets
- correctly. PR 45687 [Dan Poirier <poirier pobox.com>]
- *) mod_proxy_http: Introduce environment variable proxy-initial-not-pooled
- to avoid reusing pooled connections if the client connection is an
- initial connection. PR 37770. [Ruediger Pluem]
- *) mod_rewrite: Allow Cookie option to set secure and HttpOnly flags.
- PR 44799 [Christian Wenz <christian wenz.org>]
- *) mod_ssl: Rewrite shmcb to avoid memory alignment issues. PR 42101.
- [Geoff Thorpe]
- *) mod_proxy: Add connectiontimeout parameter for proxy workers in order to
- be able to set the timeout for connecting to the backend separately.
- PR 45445. [Ruediger Pluem, rahul <rahul sun.com>]
- *) mod_dav_fs: Retrieve minimal system information about directory
- entries when walking a DAV fs, resolving a performance degradation on
- Windows. PR 45464. [Joe Orton, Jeff Trawick]
- *) mod_cgid: Pass along empty command line arguments from an ISINDEX
- query that has consecutive '+' characters in the QUERY_STRING,
- matching the behavior of mod_cgi.
- [Eric Covener]
- *) mod_headers: Prevent Header edit from processing only the first header
- of possibly multiple headers with the same name and deleting the
- remaining ones. PR 45333. [Ruediger Pluem]
- *) mod_proxy_balancer: Move nonce field in the balancer manager page inside
- the html form where it belongs. PR 45578. [Ruediger Pluem]
- *) mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to
- known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
- [Ruediger Pluem]
- *) mod_rewrite: Preserve the query string when [proxy,noescape]. PR 45247.
- [Tom Donovan]
- Changes with Apache 2.2.9
- *) SECURITY: CVE-2008-2364 (cve.mitre.org)
- mod_proxy_http: Better handling of excessive interim responses
- from origin server to prevent potential denial of service and high
- memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
- Joe Orton, Jim Jagielski]
- *) SECURITY: CVE-2007-6420 (cve.mitre.org)
- mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager
- interface. [Joe Orton]
- *) core: Fix address-in-use startup failure on some platforms caused
- by creating an IPv4 listener which overlaps with an existing IPv6
- listener. [Jeff Trawick]
- *) mod_proxy: Make all proxy modules nocanon aware and do not add the
- query string again in this case. PR 44803.
- [Jim Jagielski, Ruediger Pluem]
- *) mod_unique_id: Fix timestamp value in UNIQUE_ID.
- PR 37064 [Kobayashi <kobayashi firstserver.co.jp>]
- *) htpasswd: Fix salt generation weakness. PR 31440
- [Andreas Krennmair <ak synflood.at>, Peter Watkins <peterw tux.org>,
- Paul Querna]
- *) core: Add the filename of the configuration file to the warning message
- about the useless use of AllowOverride. PR 39992.
- [Darryl Miles <darryl darrylmiles.org>]
- *) scoreboard: Remove unused proxy load balancer elements from scoreboard
- image (not scoreboard memory itself). [Chris Darroch]
- *) mod_proxy: Support environment variable interpolation in reverse
- proxying directives. [Nick Kew]
- *) suexec: When group is given as a numeric gid, validate it by looking up
- the actual group name such that the name can be used in log entries.
- PR 7862 [<y-koga apache.or.jp>, Leif W <warp-9.9 usa.net>]
- *) Fix garbled TRACE response on EBCDIC platforms.
- [David Jones <oscaremma gmail.com>]
- *) ab: Include <limits.h> earlier if available since we may need
- INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS.
- PR 45024 [Ruediger Pluem]
- *) ab: Improve client performance by clearing connection pool instead
- of destroying it. PR 40054 [Brad Roberts <braddr puremagic.com>]
- *) ab: Don't stop sending a request if EAGAIN is returned, which
- will only happen if both the write and subsequent wait are
- returning EAGAIN, and count posted bytes correctly when the initial
- write of a request is not complete. PR 10038, 38861, 39679
- [Patrick McManus <mcmanus datapower.com>,
- Stefan Fleiter <stefan.fleiter web.de>,
- Davanum Srinivas, Roy T. Fielding]
- *) ab: Overhaul stats collection and reporting to avoid integer
- truncation and time divisions within the test loop, retain
- native time resolution until output, remove unused data,
- consistently round milliseconds, and generally avoid losing
- accuracy of calculation due to type casts. PR 44878, 44931.
- [Roy T. Fielding]
- *) ab: Add -r option to continue after socket receive errors.
- [Filip Hanik <devlist hanik.com>]
- *) core: Do not allow Options ALL if not all options are allowed to be
- overwritten. PR 44262 [Michał Grzędzicki <lazy iq.pl>]
- *) mod_cache: Handle If-Range correctly if the cached resource was stale.
- PR 44579 [Ruediger Pluem]
- *) mod_proxy: Do not try a direct connection if the connection via a
- remote proxy failed before and the request has a request body.
- [Ruediger Pluem]
- *) mod_proxy_ajp: Do not retry request in the case that we either failed to
- sent a part of the request body or if the request is not idempotent.
- PR 44334 [Ruediger Pluem]
- *) mod_rewrite: Initialize hash needed by ap_register_rewrite_mapfunc early
- enough. PR 44641 [Daniel Lescohier <daniel.lescohier cnet.com>]
- *) mod_dav: Return "method not allowed" if the destination URI of a WebDAV
- copy / move operation is no DAV resource. PR 44734 [Ruediger Pluem]
- *) http_filters: Don't return 100-continue on redirects. PR 43711
- [Ruediger Pluem]
- *) mod_ssl: Fix a memory leak with connections that have zlib compression
- turned on. PR 44975 [Joe Orton, Amund Elstad <Amund.Elstad ist.com>,
- Dr Stephen Henson <steve openssl.org>]
- *) mod_proxy: Trigger a retry by the client in the case we fail to read the
- response line from the backend by closing the connection to the client.
- PR 37770 [Ruediger Pluem]
- *) gen_test_char: add double-quote to the list of T_HTTP_TOKEN_STOP.
- PR 9727 [Ville Skytt <ville.skytta iki.fi>]
- *) core: reinstate location walk to fix config for subrequests
- PR 41960 [Jose Kahan <jose w3.org>]
- *) rotatelogs: Log the current file size and error code/description
- when failing to write to the log file. [Jeff Trawick]
- *) rotatelogs: Added '-f' option to force rotatelogs to create the
- logfile as soon as started, and not wait until it reads the
- first entry. [Jim Jagielski]
- *) rotatelogs: Don't leak memory when reopening the logfile.
- PR 40183 [Ruediger Pluem, Takashi Sato <serai lans-tv.com>]
- *) rotatelogs: Improve atomicity when using -l and cleaup code.
- PR 44004 [Rainer Jung]
- *) mod_authn_dbd: Disambiguate and tidy database authentication
- error messages. PR 43210. [Chris Darroch, Phil Endecott
- <spam_from_apache_bugzilla chezphil.org>]
- *) mod_headers: Add 'merge' option to avoid duplicate values within
- the same header. [Chris Darroch]
- *) mod_cgid: Explicitly set permissions of the socket (ScriptSock) shared by
- mod_cgid and request processing threads, for OS'es such as HPUX and AIX
- that do not use umask for AF_UNIX socket permissions.
- [Eric Covener, Jeff Trawick]
- *) mod_cgid: Don't try to restart the daemon if it fails to initialize
- the socket. [Jeff Trawick]
- *) mod_log_config: Add format options for %p so that the actual local
- or remote port can be logged. PR 43415. [Adam Hasselbalch Hansen
- <ahh@one.com>, Ruediger Pluem, Jeff Trawick]
- *) Added 'disablereuse' option for ProxyPass which, essentially,
- disables connection pooling for the backend servers.
- [Jim Jagielski]
- *) mod_speling: remove regression from 1.3/2.0 behavior and
- drop dependency between mod_speling and AcceptPathInfo.
- PR 43562 [Jose Kahan <jose w3.org>]
- *) mod_substitute: The default is now flattening the buckets after
- each substitution. The newly added 'q' flag allows for the
- quicker, more efficient bucket-splitting if the user so
- desires. [Jim Jagielski]
- *) http_filters: Don't spin if get an error when reading the
- next chunk. PR 44381 [Ruediger Pluem]
- *) ab: Do not try to read non existing response bodies of HEAD requests.
- PR 34275 [Takashi Sato <serai lans-tv.com>]
- *) ab: Use a 64 bit unsigned int instead of a signed long to count the
- bytes transferred to avoid integer overflows. PR 44346 [Ruediger Pluem]
- *) ProxyPassReverse is now balancer aware. [Jim Jagielski]
- *) mod_include: Correctly handle SSI directives split over multiple filter
- passes. PR 44447 [Harald Niesche <harald brokenerror.de>]
- *) mod_cache: Revalidate cache entities which have Cache-Control: no-cache
- set in their response headers. PR 44511 [Ruediger Pluem]
- *) mod_rewrite: Check all files used by DBM maps for freshness, mod_rewrite
- didn't pick up on updated sdbm maps due to this.
- PR41190 [Niklas Edmundsson]
- *) mod_proxy: Lower memory consumption for short lived connections.
- PR 44026. [Ruediger Pluem]
- *) mod_proxy: Keep connections to the backend persistent in the HTTPS case.
- [Ruediger Pluem]
- *) Don't add bogus duplicate Content-Language entries
- PR 11035 [Davi Arnaut]
- *) Worker / Event MPM: Fix race condition in pool recycling that leads to
- segmentation faults under load. PR 44402
- [Basant Kumar Kukreja <basant.kukreja sun.com>]
- *) mod_proxy_ftp: Fix base for directory listings.
- PR 27834 [Nick Kew]
- *) mod_logio: Provide optional function to allow modules to adjust the
- bytes_in count [Eric Covener]
- *) http_filters: Don't return 100-continue on client error
- PR 43711 [Chetan Reddy <chetanreddy gmail.com>]
- *) mod_charset_lite: Add TranslateAllMimeTypes sub-option to
- CharsetOptions, allowing the administrator to skip the
- mimetype checking that precedes translation.
- PR 44458 [Eric Covener]
- *) mod_proxy_http: Fix processing of chunked responses if
- Connection: Transfer-Encoding is set in the response of the proxied
- system. PR 44311 [Ruediger Pluem]
- *) mod_proxy_http: Return HTTP status codes instead of apr_status_t
- values for errors encountered while forwarding the request body
- PR 44165 [Eric Covener]
- *) mod_rewrite: Don't canonicalise URLs with [P,NE]
- PR 43319 [<rahul sun.com>]
- Changes with Apache 2.2.8
- *) core: Fix regression in 2.2.7 in chunk filtering with massively
- chunked requests. [Ruediger Pluem, Nick Kew]
- *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
- to /Device/Nul as the server is starting up, mirroring unix MPM's.
- PR: 43534 [Tom Donovan <Tom.Donovan acm.org>, William Rowe]
- *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
- by recreating the bucket allocator each time the trans pool is cleared.
- PR: 11427 #16 (follow-on) [Tom Donovan <Tom.Donovan acm.org>]
- *) mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals.
- PR 38034 [Paritosh Shah <shah.paritosh gmail.com>]
- Changes with Apache 2.2.7 (not released)
- *) SECURITY: CVE-2007-6421 (cve.mitre.org)
- mod_proxy_balancer: Correctly escape the worker route and the worker
- redirect string in the HTML output of the balancer manager.
- Reported by SecurityReason. [Ruediger Pluem]
- *) SECURITY: CVE-2007-6422 (cve.mitre.org)
- Prevent crash in balancer manager if invalid balancer name is passed
- as parameter. Reported by SecurityReason. [Ruediger Pluem]
- *) SECURITY: CVE-2007-6388 (cve.mitre.org)
- mod_status: Ensure refresh parameter is numeric to prevent
- a possible XSS attack caused by redirecting to other URLs.
- Reported by SecurityReason. [Mark Cox, Joe Orton]
- *) SECURITY: CVE-2007-5000 (cve.mitre.org)
- mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
- [Joe Orton]
- *) SECURITY: CVE-2008-0005 (cve.mitre.org)
- Introduce the ProxyFtpDirCharset directive, allowing the administrator
- to identify a default, or specific servers or paths which list their
- contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]
- *) mod_dav: Adjust etag generation to produce identical results on 32-bit
- and 64-bit platforms and avoid a regression with conditional PUT's on
- lock and etag. PR 44152.
- [Michael Clark <michael metaparadigm.com>, Ruediger Pluem]
- *) mod_ssl: Fix handling of the buffered request body during a per-location
- renegotiation, when an internal redirect occurs. PR 43738.
- [Joe Orton]
- *) mod_ldap: Try to establish a new backend LDAP connection when the
- Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the
- LDAP server has closed the connection due to a timeout.
- PR 39095 [Eric Covener]
- *) log.c: Ensure Win32 resurrects its lost robust logger processes.
- [William Rowe]
- *) mod_disk_cache: Delete temporary files if they cannot be renamed to their
- final name. [Davi Arnaut <davi haxent.com.br>]
- *) Add explicit charset to the output of various modules to work around
- possible cross-site scripting flaws affecting web browsers that do not
- derive the response character set as required by RFC2616. One of these
- reported by SecurityReason [Joe Orton]
- *) http_protocol: Escape request method in 405 error reporting.
- This has no security impact since the browser cannot be tricked
- into sending arbitrary method strings. [Jeff Trawick]
- *) mod_ssl: Fix SSL client certificate extensions parsing bug. PR 44073.
- [yl <yl bee-ware.net>]
- *) mod_proxy_ajp: Use 64K as maximum AJP packet size. This is the maximum
- length we can squeeze inside the AJP message packet.
- [Mladen Turk]
- *) core: Lower memory consumption of ap_r* functions by reusing the brigade
- instead of recreating it during each filter pass.
- [Stefan Fritsch <sf sfritsch.de>]
- *) core: Lower memory consumption in case that flush buckets are passed thru
- the chunk filter as last bucket of a brigade. PR 23567.
- [Stefan Fritsch <sf sfritsch.de>]
- *) core: Fix broken chunk filtering that causes all non blocking reads to be
- converted into blocking reads. PR 19954, 41056.
- [Jean-Frederic Clere, Jim Jagielski]
- *) mod_rewrite: Add the novary flag to RewriteCond.
- [Ruediger Pluem]
- *) core: Change etag generation to produce identical results on
- 32-bit and 64-bit platforms. PR 40064. [Joe Orton]
- *) http_protocol: Escape request method in 413 error reporting.
- Determined to be not generally exploitable, but a flaw in any case.
- PR 44014 [Victor Stinner <victor.stinner inl.fr>]
- *) mod_filter: Don't segfault on (unsupported) chained FilterProvider usage.
- PR 43956 [Nick Kew, Ruediger Pluem]
- *) core: Handle unrecognised transfer-encodings.
- PR 43882 [Nick Kew, Jeff Trawick]
- *) mod_include: Add an "if" directive syntax to test whether an URL
- is accessible, and if so, conditionally display content. This
- allows a webmaster to hide a link to a private page when the user
- has no access to that page. [Graham Leggett]
- *) Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009
- [Christophe Jaillet <christophe.jaillet wanadoo.fr>]
- *) mod_proxy_http: Correctly forward unexpected interim (HTTP 1xx)
- responses from the backend according to RFC2616. But make it
- configurable in case something breaks on it.
- PR 16518 [Nick Kew]
- *) mod_substitute: Added a new output filter, which performs
- inline response content pattern matching (including regex)
- and substitution. [Jim Jagielski, Ruediger Pluem]
- *) rotatelogs: Change command-line parsing to report more types
- of errors. Allow local timestamps to be used when rotating based
- on file size. [Jeff Trawick]
- *) mod_proxy: Canonicalisation improvements. Add "nocanon" keyword to
- ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also,
- don't escape/unescape forward-proxied URLs.
- PR 41798, 42592 [Nick Kew, Ruediger Pluem, Roy Fielding, Jim Jagielski]
- *) mod_status: Add SeeRequestTail directive, which determines if
- ExtendedStatus displays the 1st 63 characters of the request
- or the last 63. Useful for those requests with large string
- lengths and which only vary with the last several characters.
- [Jim Jagielski]
- *) mod_ssl: Prevent memory corruption of version string.
- PR 43865, 43334 [William Rowe, Joe Orton]
- *) core: Avoid some unexpected connection closes by telling the client
- that the connection is not persistent if the MPM process handling
- the request is already exiting when the response header is built.
- [Jeff Trawick]
- *) mod_autoindex: Generate valid XHTML output by adding the xhtml
- namespace. PR 43649 [Jose Kahan <jose w3.org>]
- *) mod_ldap: Give callers a reference to data copied into the request
- pool instead of references directly into the cache
- PR 43786 [Eric Covener]
- *) mod_ldap: Stop passing a reference to pconf around for
- (limited) use during request processing, avoiding possible
- memory corruption and crashes. [Eric Covener]
- *) Event MPM: Add support for running under mod_ssl, by reverting to the
- Worker MPM behaviors, when run under an input filter that buffers
- its own data. [Paul Querna]
- *) mod_charset_lite: Don't crash when the request has no associated
- filename. [Jeff Trawick]
- *) Core: fix possible crash at startup in case of nonexistent DocumentRoot.
- PR 39722 [Adrian Buckley <adrian.buckley ntlworld.com>]
- *) HTTP protocol: Add "DefaultType none" option.
- PR 13986 and PR 16139 [Nick Kew]
- *) mod_rewrite: Add option to suppress URL unescaping
- PR 34602 [Guenther Gsenger <guenther.gsenger gmail.com>]
- *) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean
- shutdown of the server when the MaxClients is higher then 257,
- in a more responsive manner [Mladen Turk, William Rowe]
- *) mod_proxy_http: Remove Warning headers with wrong date
- PR 16138 [Nick Kew]
- *) mod_proxy_http: Correctly parse all Connection headers in proxy.
- PR 43509 [Nick Kew]
- *) mod_proxy_http: add Via header correctly (if enabled) to
- response, even where other Via headers exist.
- PR 19439 [Nick Kew]
- *) http_core: OPTIONS * no longer maps to local storage or URI
- space. Note that unlike previous versions, OPTIONS * no
- longer returns an Allow: header. PR 43519 [Jim Jagielski]
- *) mod_proxy_http: strip hop-by-hop response headers
- PR 43455 [Nick Kew]
- *) mod_proxy: Don't by default violate RFC2616 by setting
- Max-Forwards when the client didn't send it to us.
- Leave that as a configuration option.
- PR 16137 [Nick Kew]
- *) scoreboard: improve error message on apr_shm_create failure
- PR 40037 [Nick Kew]
- *) proxy: Fix persistent backend connections.
- PR 43472 [Ruediger Pluem]
- *) mod_deflate: initialise inflate-out filter correctly when the
- first brigade contains no data buckets.
- PR 43512 [Nick Kew]
- *) mod_proxy_ajp: Ignore any ajp13 flush packets received before
- we send the response headers. See Tomcat PR 43478.
- [Jim Jagielski]
- *) mod_proxy_balancer: Do not reset lbstatus, lbfactor and lbset when
- starting a new child.
- PR 39907 [Vinicius Petrucci <vpetrucci gmail.com>, Ruediger Pluem]
- *) mod_proxy_http: Propagate Proxy-Authorization header correctly.
- PR 25947 [Nick Kew]
- *) mod_proxy_ajp: Differentiate within AJP between GET and HEAD
- requests. PR 43060 [Jim Jagielski]
- *) Don't send spurious "100 Continue" response lines.
- PR 38014 [Basant Kumar Kukreja <basant.kukreja sun.com>]
- *) mod_proxy_ftp: Don't segfault on bad line in FTP listing
- PR 40733 [Ulf Harnhammar <metaur telia.com>]
- *) mod_proxy: escape error-notes correctly
- PR 40952 [Thijs Kinkhorst <thijs debian.org>]
- *) mod_proxy: check ProxyBlock for all blocked addresses
- PR 36987 [Timo Viipuri <timo.viipuri f-secure.com>]
- *) mod_proxy: Don't lose bytes when a response line arrives in small chunks.
- PR 40894 [Andrew Rucker Jones <arjones simultan.dyndns.org>]
- Changes with Apache 2.2.6
- *) SECURITY: CVE-2007-3847 (cve.mitre.org)
- mod_proxy: Prevent reading past the end of a buffer when parsing
- date-related headers. PR 41144.
- [Davi Arnaut, Nick Kew]
- *) SECURITY: CVE-2007-1863 (cve.mitre.org)
- mod_cache: Prevent a segmentation fault if attributes are listed in a
- Cache-Control header without any value.
- [Niklas Edmundsson <nikke acc.umu.se>]
- *) SECURITY: CVE-2007-3304 (cve.mitre.org)
- prefork, worker, event MPMs: Ensure that the parent process cannot
- be forced to kill processes outside its process group.
- [Joe Orton, Jim Jagielski]
- *) SECURITY: CVE-2006-5752 (cve.mitre.org)
- mod_status: Fix a possible XSS attack against a site with a public
- server-status page and ExtendedStatus enabled, for browsers which
- perform charset "detection". Reported by Stefan Esser. [Joe Orton]
- *) SECURITY: CVE-2007-1862 (cve.mitre.org)
- mod_mem_cache: Copy headers into longer lived storage; header names and
- values could previously point to cleaned up storage. PR 41551.
- [Davi Arnaut <davi haxent.com.br>]
- *) mod_info: mod_info outputs invalid XHTML 1.0 transitional.
- PR 42847 [Rici Lake <rici ricilake.net>]
- *) mod_ssl: Fix spurious hostname mismatch warning for valid
- wildcard certificates. PR 37911. [Nick Burch <nick torchbox.com>]
- *) mod_mem_cache: Increase the minimum and default value for
- MCacheMinObjectSize from 0 to 1, as a MCacheMinObjectSize of 0 does not
- make sense and leads to a division by zero. PR 40576.
- [Xuekun Hu <xuekun.hu gmail.com>]
- *) mod_cache: Remove expired content from cache that cannot be revalidated.
- PR 30370. [Ruediger Pluem]
- *) mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as synonymous.
- PR 43183 [Brian Rectanus <Brian.Rectanus breach.com>, Vincent Bray]
- *) mod_proxy: Ensure that at least scheme://hostname[:port] matches between
- worker and URL when searching for the best fitting worker for a given
- URL. PR 40910 [Ruediger Pluem]
- *) mod_proxy: Improve network performance by setting APR_TCP_NODELAY
- (disable Nagle algorithm) on sockets if implemented.
- PR 42871 [Christian BOITEL <christian_boitel yahoo.fr>, Jim Jagielski]
- *) core: Do not replace a Date header set by a proxied backend server.
- PR 40232 [Ruediger Pluem]
- *) mod_proxy: Add a missing assignment in an error checking code path.
- PR 40865 [Andrew Rucker Jones <arjones simultan.dyndns.org>]
- *) mod_proxy_connect: avoid segfault on DNS lookup failure.
- PR 40756 [Trevin Beattie <tbeattie boingo.com>]
- *) mod_proxy: enable Ignore Errors option on ProxyPass Status.
- PR 43167 [Francisco Gimeno <kikov kikov.org>
- *) mod_proxy_http: Don't try to read body of a HEAD request before
- responding. PR 41644 [Stuart Children <stuart terminus.co.uk>]
- *) mod_authnz_ldap: Don't return HTTP_UNAUTHORIZED during authorization when
- LDAP authentication is configured but we haven't seen any
- 'Require ldap-*' directives, allowing authorization to be passed to lower
- level modules (e.g. Require valid-user)
- PR 43281 [Eric Covener]
- *) mod_proxy: don't URLencode tilde in path component
- PR 38448 [Stijn Hoop <stijn sandcat.nl>]
- *) proxy/ajp_header.c: Fixed header token string comparisons
- Matching of header tokens failed to include the trailing NIL byte
- and could misinterpret a longer header token for a shorter.
- Additionally, a "Content-Type" comparison was made case insensitive.
- [Martin Kraemer]
- *) proxy/ajp_header.c: Backport of an AJP protocol fix for EBCDIC
- On EBCDIC machines, the status_line string was incorrectly converted
- twice. [Jean-Frederic Clere, Martin Kraemer]
- *) mod_dumpio: Fix for correct dumping of traffic on EBCDIC hosts
- Data had been incorrectly converted twice, resulting in
- garbled log output. [Martin Kraemer]
- *) mod_autoindex: Add in Type and Charset options to IndexOptions
- directive. This allows the admin to explicitly set the
- content-type and charset of the generated page and is therefore
- a viable workaround for buggy browsers affected by CVE-2007-4465
- (cve.mitre.org). [Jim Jagielski]
- *) log core: ensure we use a special pool for stderr logging, so that
- the stderr channel remains valid from the time plog is destroyed,
- until the time the open_logs hook is called again. [William Rowe]
- *) mod_negotiation: preserve Query String in resolving a type map
- PR 33112 [Jørgen Thomsen <apache jth.net>, Nick Kew]
- *) mod_ssl: Version reporting update; displays 'compiled against'
- Apache and build-time SSL Library versions at loglevel [info],
- while reporting the run-time SSL Library version in the server
- info tags. Helps to identify a mod_ssl built against one flavor
- of OpenSSL but running against another (also adds SSL-C version
- number reporting.) [William Rowe]
- *) mime.types: Many updates to sync with IANA registry and common
- unregistered types that the owners refuse to register. Admins
- are encouraged to update their installed mime.types file.
- PR: 35550, 37798, 39317, 31483 [Roy T. Fielding]
- *) mod_expires: don't crash on bad configuration data
- PR 43213 [Julien Perez <julien.perez epsylonia.net>]
- *) mod_dbd: Introduce configuration groups to allow inheritance by virtual
- hosts of database configurations from the main server. Determine the
- minimal set of distinct configurations and share connection pools
- whenever possible. Allow virtual hosts to override inherited SQL
- statements. PR 41302. [Chris Darroch]
- *) mod_dbd: Create memory sub-pools for each DB connection and close
- DB connections in a pool cleanup function. Ensure prepared statements
- are destroyed before DB connection is closed. When using reslists,
- prevent segfaults when child processes exit, and stop memory leakage
- of ap_dbd_t structures. Avoid use of global s->process->pool, which
- isn't destroyed by exiting child processes in most multi-process MPMs.
- PR 39985. [Chris Darroch, Nick Kew]
- *) mod_dbd: Handle error conditions in dbd_construct() properly.
- Simplify ap_dbd_open() and use correct arguments to apr_dbd_error()
- when non-threaded. Register correct cleanup data in non-threaded
- ap_dbd_acquire() and ap_dbd_cacquire(). Clean up configuration data
- and merge function. Use ap_log_error() wherever possible.
- [Chris Darroch, Nick Kew]
- *) mod_dbd: Stash DBD connections in request_config of initial request
- only, or else sub-requests and internal redirections may cause
- entire DBD pool to be stashed in a single HTTP request. [Chris Darroch]
- *) main core: Emit errors during the initial apr_app_initialize()
- or apr_pool_create() (when apr-based error reporting is not ready).
- [William Rowe, Jeff Trawick]
- *) log core: fix the new piped logger case where we couldn't connect
- the replacement stderr logger's stderr to the NULL stdout stream.
- Continue in this case, since the previous alternative of no error
- logging at all (/dev/null) is far worse. [William Rowe]
- *) mpm_winnt: Prevent the parent-child pipe from leaking into other
- spawned processes, and ensure we have a /Device/null handle for
- stdout when running as-a-service. [William Rowe]
- *) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
- improper merging of the cache lock in vhost config
- PR 43164 [Eric Covener]
- *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]
- *) mod_deflate: fix protocol handling in deflate input filter
- PR 23287 [Nick Kew]
- *) mime.types: add Registered Javascript/ECMAScript MIME types (RFC4329)
- PR 40299 [Dave Hodder <dmh dmh.org.uk>]
- *) mod_filter: fix integer comparisons in dispatch rules
- PR 41835 [Nick Kew]
- *) mod_filter: fix merging of ! and = in FilterChain
- PR 42186 [Issac Goldstand <margol beamartyr.net>]
- *) mod_deflate: don't try to process metadata buckets as data. what should
- have been a 413 error was logged as a 500 and a blank screen appeared
- at the browser.
- [Greg Ames, Ruediger Pluem]
- *) mod_cgi, mod_cgid: Fix use of CGI scripts as ErrorDocuments.
- PR 39710. [Paul Querna, Ruediger Pluem]
- *) mod_proxy: Allow to use different values for sessionid
- in url encoded id and cookies. PR 41897. [Jean-Frederic Clere]
- *) mod_proxy: Fix the 503 returned when session route does
- not match any of the balancer members. [Mladen Turk]
- *) mod_proxy: Added ProxyPassMatch directive, which is similar
- to ProxyPass but takes a regex local path prefix. [Jim Jagielski]
- *) mod_cache: Do not set Date or Expires when they are missing from
- the original response or are invalid. [Justin Erenkrantz]
- *) mod_cache: Correctly handle HEAD requests on expired cache content.
- PR 41230. [Niklas Edmundsson <nikke acc.umu.se>]
- *) mod_cache: Let Cache-Control max-age set the expiration of the cached
- representation if Expires is not set. [Justin Erenkrantz]
- *) mod_cache: Allow caching of requests with query arguments when
- Cache-Control max-age is explicitly specified. [Justin Erenkrantz]
- *) mod_disk_cache: Allow Vary'd responses to be refreshed properly.
- [Justin Erenkrantz]
- *) mod_proxy: Print the correct error message for erroneous configured
- ProxyPass directives. PR 40439. [Takashi Sato <serai lans-tv.com>]
- *) mod_so: Provide more helpful LoadModule feedback when an error occurs.
- [William Rowe]
- *) mod_alias: Accept path components (URL part) in Redirects. PR 35314.
- [Nick Kew]
- *) mod_headers: Allow % at the end of a Header value. PR 36609.
- [Nick Kew, Ruediger Pluem]
- *) mod_cache: Use the same cache key throughout the whole request processing
- to handle escaped URLs correctly. PR 41475. [Ruediger Pluem]
- *) mod_cache: Add CacheIgnoreQueryString directive. PR 41484.
- [Fredrik Widlund <fredrik.widlund qbrick.com>]
- *) mod_cache: While serving a cached entity ensure that filters that have
- been applied to this cached entity before saving it to the cache are not
- applied again. PR 40090. [Ruediger Pluem]
- *) mod_cache: Correctly cache objects whose URL query string has been
- modified by mod_rewrite. PR 40805. [Ruediger Pluem]
- *) HTTP proxy ProxyErrorOverride: Leave 1xx and 3xx responses alone. Only
- processing of error responses (4xx, 5xx) will be altered. PR 39245.
- [Jeff Trawick, Bart van der Schans <schans hippo.nl>]
- *) htdbm: Enable crypt support on platforms with crypt() but not
- <crypt.h>, such as z/OS. [David Jones <oscaremma gmail.com>]
- *) mod_ssl: initialize thread locks before initializing the hardware
- acceleration library, so the latter can make use of the former.
- PR 20951. [<adunn at ncipher.com>]
- *) ab.c: Correct behavior of HTTP request headers sent by ab
- in presence of -H command-line overrides. PR 31268, 26554.
- [Arvind Srinivasan <arvind.srinivasan sun.com>]
- *) ab.c: The apr_port_t type is unsigned, but ab was using a
- signed format code in its reports. PR 42070.
- [Takashi Sato <serai lans-tv.com>]
- *) mod_ldap: Remove the hardcoded size limit parameter for
- ldap_search_ext_s and replace it with an APR_ defined
- value that is set according to the LDAP SDK being used.
- [David Jones <oscaremma gmail com>]
- *) core: Correct a regression since 2.0.x in the handling of AllowOverride
- Options. PR 41829. [Torsten Förtsch <torsten.foertsch gmx.net>]
- *) mod_proxy_http: Handle request bodies larger than 2 GB by converting
- the Content-Length header of the request correctly. PR 40883.
- [Ruediger Pluem, toadie <toadie643 gmail.com>]
- *) mod_proxy: Fix some proxy setting inheritance problems (eg:
- ProxyTimeout). PR 11540. [Stuart Children <stuart terminus.co.uk>]
- *) Unix MPMs: Catch SIGFPE so that exception hooks and CoreDumpDirectory
- can work after that terminating signal.
- [Eric Covener]
- *) Win32: Makefile.win will now build with MS VC 8 (Visual Studio 2005)
- including embedding the .manifest information into each binary.
- [William Rowe]
- There was no Apache 2.2.5
- Changes with Apache 2.2.4
- *) mod_isapi: Correctly present SERVER_PORT_SECURE.
- PR: 40573. [Matt Eaton <asf divinehawk.com>]
- *) Allow htcacheclean, httxt2dbm, and fcgistarter to link apr/apr-util
- statically like the older support programs.
- [Eric Covener <covener gmail.com>]
- *) core: Fix NONBLOCK status of listening sockets on restart/graceful
- PR 37680. [Darius Davis <darius-abz free-range.com.au>]
- *) mod_deflate: Rework inflate output and deflate output filter to fix
- several issues: Incorrect handling of flush buckets, potential memory
- leaks, excessive memory usage in inflate output filter for large
- compressed content. PR 39854.
- [Ruediger Pluem, Nick Kew, Justin Erenkrantz]
- *) mod_mem_cache: Memory leak fix: Unconditionally free the buffer.
- [Davi Arnaut <davi haxent.com.br>]
- *) Allow mod_dumpio to log at other than DEBUG levels via
- the new DumpIOLogLevel directive. [Jim Jagielski]
- *) rotatelogs: Improve error message for open failures. PR 39487.
- [Joe Orton]
- *) mod_dbd: share per-request database handles across subrequests
- and internal redirects [Chris Darroch]
- *) mod_dbd: key connection pools to virtual hosts correctly even when
- ServerName is unset/unavailable [Graham Leggett]
- *) Better detection and clean up of ldap connection that has been
- terminated by the ldap server. PR 40878.
- [Rob Baily <rbaily servicebench com>]
- *) mod_mem_cache: Convert mod_mem_cache to use APR memory pool functions
- by creating a root pool for object persistence across requests. This
- also eliminates the need for custom serialization code.
- [Davi Arnaut <davi haxent.com.br>]
- *) mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If
- set, REMOTE_USER will be set to this attribute, rather than the
- username supplied by the user. Useful for example when you want users
- to log in using an email address, but need to supply a userid instead
- to the backend. [Graham Leggett]
- *) mod_cgi and mod_cgid: Don't use apr_status_t error return
- from input filters as HTTP return value from the handler.
- PR 31759. [Nick Kew]
- *) mod_cache: Eliminate a bogus error in the log when a filter returns
- AP_FILTER_ERROR. [Niklas Edmundsson <nikke acc.umu.se>]
- *) core: Fix issue which could cause piped loggers to be orphaned and never
- terminate after a graceful restart. PR 40651.
- [Joe Orton, Ruediger Pluem]
- *) core: Fix address-in-use startup failure caused by corruption of the list
- of listen sockets in some configurations with multiple generic Listen
- directives. [Jeff Trawick]
- *) mod_headers: Support regexp-based editing of HTTP headers. [Nick Kew]
- *) mod_proxy: Add explicit flushing feature. When Servlet container sends
- AJP body message with size 0, this means that Servlet container has asked
- for an explicit flush. Create flush bucket in that case. This feature has
- been added to the recent Tomcat versions without breaking the AJP
- protocol. [Mladen Turk]
- *) mod_proxy_balancer: Set the new environment variable
- BALANCER_ROUTE_CHANGED if a worker with a route different from the one
- supplied by the client had been chosen or if the client supplied no
- routing information for a balancer with sticky sessions.
- [Ruediger Pluem]
- *) mod_proxy_balancer: Add information about the route, the sticky session
- and the worker used during a request as environment variables. PR 39806.
- [Brian <brectanu gmail.com>]
- *) mod_proxy: Don't try to use dead backend connection. PR 37770.
- [Olivier BOEL <ob dorrboel.com>]
- *) mod_proxy_balancer: Extract stickysession routing information contained
- as parameter in the URL correctly. PR 40400.
- [Ruediger Pluem, Tomokazu Harada <harada sysrdc.ns-sol.co.jp>]
- *) mod_proxy_ajp: Added cping/cpong support for the AJP protocol.
- A new worker directive ping=timeout will cause CPING packet
- to be send expecting CPONG packet within defined timeout.
- In case the backend is too busy this will fail instead
- sending the full header. [Mladen Turk]
- *) mod_disk_cache: Make sure that only positive integers are accepted
- for the CacheMaxFileSize and CacheMinFileSize parameters in the
- config file. PR39380. [Niklas Edmundsson <nikke acc.umu.se>]
- *) mod_cache: From RFC3986 (section 6.2.3.) if a URI contains an
- authority component and an empty path, the empty path is to be equivalent
- to "/". It explicitly cites the following four URIs as equivalents:
- http://example.com
- http://example.com/
- http://example.com:/
- http://example.com:80/
- [Davi Arnaut <davi haxent.com.br>]
- *) mod_cache: Don't cache requests with a expires date in the past;
- otherwise mod_cache will always try to cache the URL. This bug
- might lead to numerous rename() errors on win32 if the URL was
- previously cached. [Davi Arnaut <davi haxent.com.br>]
- *) core: Deal with the widespread use of apr_status_t return values
- as HTTP status codes, as documented in PR#31759 (a bug shared by
- the default handler, mod_cgi, mod_cgid, mod_proxy, and probably
- others). PR31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]
- *) mod_ext_filter: Handle filter names which include capital letters.
- PR 40323. [Jeff Trawick]
- *) mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH
- support. Also corrects the slashes for Windows.
- PR 15993. [William Rowe]
- *) mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly, the
- token parser worked while the resulting length was misinterpreted.
- PR 29098. [Brock Bland <bbland serena.com>]
- *) mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade
- attempts to stream the response at the client. Log these as well.
- PR 30022, 40470. [William Rowe, Matt Eaton <asf divinehawk.com>]
- *) mod_isapi: Ensure we walk through all the methods the developer may have
- employed to report their HTTP status result code. PR 16637 30033 28089
- [Matt Lewandowsky <matt iamcode.net>, William Rowe]
- *) mod_echo: Fix precedence problem in if statement. PR 40658.
- [Larry Cipriani <lvc lucent.com>]
- *) mod_mime_magic: Fix precedence problem in if statement. PR 40656.
- [Larry Cipriani <lvc lucent.com>]
- *) The full server version information is now included in the error log at
- startup as well as server status reports, irrespective of the setting
- of the ServerTokens directive. ap_get_server_version() is now
- deprecated, and is replaced by ap_get_server_banner() and
- ap_get_server_description(). [Jeff Trawick]
- *) mod_proxy_balancer: Workers can now be defined as part of
- a balancer cluster "set" in which members of a lower-numbered set
- are preferred over higher numbered ones. [Jim Jagielski]
- *) mod_proxy_balancer: Workers can now be defined as "hot standby" which
- will only be used if all other workers are unusable (eg: in
- error or disabled). Also, the balancer-manager displays the election
- count and I/O counts of all workers. [Jim Jagielski]
- *) mod_proxy_ajp: Close connection to backend if reading of request body
- fails. PR 40310. [Ian Abel <ianabel mxtelecom.com>]
- *) mod_proxy_balancer: Retry worker chosen by route / redirect worker if
- it is in error state before sending "Service Temporarily Unavailable".
- PR 38962. [Christian Boitel <cboitel lfdj.com>]
- Changes with Apache 2.2.3
- *) SECURITY: CVE-2006-3747 (cve.mitre.org)
- mod_rewrite: Fix an off-by-one security problem in the ldap scheme
- handling. For some RewriteRules this could lead to a pointer being
- written out of bounds. Reported by Mark Dowd of McAfee.
- [Mark Cox]
- *) Win32: Minor fixes to build more cleanly under Visual Studio 2005
- with command line builds. [William Rowe]
- *) mod_authn_alias: Add a check to make sure that the base provider and the
- alias names are different and also that the alias has not been registered
- before. PR 40051. [Brad Nicholes]
- *) mod_authnz_ldap: Fix a problem with invalid auth error detection for LDAP
- client SDKs that don't support the LDAP_SECURITY_ERROR macro. PR 39529.
- [Ray Price <dohrayme yahoo.com>, Josh Fenlason <jfenlason ptc.com>]
- *) mod_cache: Do not overwrite the Content-Type in the cache, for
- successfully revalidated cached objects. PR 39647. [Ruediger Pluem]
- *) mod_speling: Add directive to deal with case corrections only
- and ignore other misspellings [Olivier Thereaux <ot w3.org>]
- *) mod_dbd: Fix dependence on virtualhost configuration in
- defining prepared statements (possible segfault at startup
- in user modules such as mod_authn_dbd). [Nick Kew]
- *) Add optional 'scheme://' prefix to ServerName directive,
- allowing correct determination of the canonical server URL
- for use behind a proxy or offload device handling SSL; fixing
- redirect generation in those cases. PR 33398. [Sander Temme]
- *) Added server_scheme field to server_rec for above. Minor MMN bump.
- [Sander Temme]
- *) mod_cache: Make caching of reverse SSL proxies possible again. PR 39593.
- [Ruediger Pluem, Joe Orton]
- *) Worker MPM: On graceless shutdown or restart, send signals to
- each worker thread to wake them up if they're polling on a
- Keep-Alive connection. PR 38737. [Chris Darroch]
- *) worker and event MPMs: fix excessive forking if fork() or child_init
- take a long time. PR 39275.
- [Greg Ames, Jeff Trawick, Chris Darroch <chrisd pearsoncmg.com> ]
- *) configure: Add "--with-included-apr" flag to force use of the
- bundled version of APR at build time. [Joe Orton]
- *) Respect GracefulShutdownTimeout in the worker and event MPMs.
- [Chris Darroch, Garrett Rooney]
- *) mod_mem_cache: Set content type correctly when delivering data from
- cache. PR 39266. [Ruediger Pluem]
- *) mod_autoindex: Fix filename escaping with FancyIndexing disabled.
- PR 38910. [Robby Griffin <rmg terc.edu>]
- *) mod_charset_lite: Bypass translation when the source and dest charsets
- are the same. [Jeff Trawick]
- Changes with Apache 2.2.2
- *) mod_deflate: work correctly in an internal redirect
- [Brian J. France <list firehawksystems com>]
- *) mod_proxy_balancer: Initialize members of a balancer correctly.
- PR 38227. [James A. Robinson <jim.robinson stanford.edu>]
- *) mod_proxy: Do not release connections from connection pool twice.
- PR 38793. [Ruediger Pluem, matthias <mk-asf gigacodes.de>]
- *) core: Prevent reading uninitialized memory while reading a line of
- protocol input. PR 39282. [Davi Arnaut <davi haxent com br>]
- *) mod_dbd: Update defaults, improve error reporting.
- [Chris Darroch <chrisd pearsoncmg com>, Nick Kew]
- *) mod_dbd: Create own pool and mutex to avoid problem use of
- process pool in request processing.
- [Chris Darroch <chrisd pearsoncmg com>]
- *) HTML-escape the Expect error message. Not classed as security as
- an attacker has no way to influence the Expect header a victim will
- send to a target site. Reported by Thiago Zaninotti
- <thiango nstalker.com>. [Mark Cox]
- *) htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
- [Jeff Trawick]
- *) htdbm: Warn the user when adding a plaintext password on a platform
- where it wouldn't work with the server (i.e., anywhere that has
- crypt()). [Jeff Trawick]
- *) mod_proxy: don't reuse a connection that may be to the wrong backend
- PR 39253 [Ruediger Pluem]
- *) Default handler: Don't return output filter apr_status_t values.
- PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]
- Changes with Apache 2.2.1
- *) SECURITY: CVE-2005-3357 (cve.mitre.org)
- mod_ssl: Fix a possible crash during access control checks if a
- non-SSL request is processed for an SSL vhost (such as the
- "HTTP request received on SSL port" error message when an 400
- ErrorDocument is configured, or if using "SSLEngine optional").
- PR 37791. [Rüdiger Plüm, Joe Orton]
- *) SECURITY: CVE-2005-3352 (cve.mitre.org)
- mod_imagemap: Escape untrusted referer header before outputting
- in HTML to avoid potential cross-site scripting. Change also
- made to ap_escape_html so we escape quotes. Reported by JPCERT.
- [Mark Cox]
- *) mod_proxy_ajp: Flushing of the output after each AJP chunk is now
- configurable at runtime via the 'flushpackets' and 'flushwait' worker
- params. Minor MMN bump. [Jim Jagielski]
- *) mod_proxy: Fix incorrect usage of local and shared worker init.
- PR 38403. [Jim Jagielski]
- *) mod_isapi: Fix compiler errors on Unix platforms.
- [William Rowe]
- *) mod_proxy_http: Do send keep-alive header if the client sent
- connection: keep-alive and do not close backend connection if the client
- sent connection: close. PR 38524. [Ruediger Pluem, Joe Orton]
- *) mod_disk_cache: Return the correct error codes from bucket read
- failures, instead of APR_EGENERAL.
- [Brian Akins <brian.akins turner.com>]
- *) Add APR/APR-Util Compiled and Runtime Version numbers to the
- output of 'httpd -V'. [William Rowe]
- *) http: If a connection is aborted while waiting for a chunked line,
- flag the connection as errored out. [Justin Erenkrantz]
- *) core: Reject invalid Expect header immediately. PR 38123.
- [Ruediger Pluem]
- *) Fix mis-shifted 32 bit scope, masked to 64 bits as a method.
- [Will Rowe, Joe Orton]
- *) mod_proxy: Fix KeepAlives not being allowed and set to
- backend servers. PR 38602. [Ruediger Pluem, Jim Jagielski]
- *) Fix instdso.sh "sed syntax error" installation issue on some
- platforms. PR 38108. [Masaoki Kobayashi <masaoki techfirm.co.jp>]
- *) mod_ssl: Fix possible crashes in shmcb with gcc 4 on platforms
- requiring word-aligned pointers. PR 38838. [Joe Orton]
- *) mod_proxy: If we get an error reading the upstream response,
- close the connection. [Justin Erenkrantz, Roy T. Fielding,
- Jim Jagielski, Ruediger Pluem]
- *) mod_proxy_ajp: Support common headers of the AJP protocol in responses.
- PR 38340. [Aleksey Pesternikov <apesternikov yahoo.com>]
- *) mod_proxy_balancer: Do not overwrite the status of initialized workers
- and respect the configured status of uninitilized workers when creating
- a new child process. [Ruediger Pluem]
- *) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of
- the ajp message to prevent mod_proxy_ajp from reading beyond the buffer
- boundaries and thus revealing possibly sensitive memory contents to the
- client. [Ruediger Pluem]
- *) Ensure that the proper status line is written to the client, fixing
- incorrect status lines caused by filters which modify r->status without
- resetting r->status_line, such as the built-in byterange filter.
- [Jeff Trawick]
- *) mod_speling: Stop crashing with certain non-file requests.
- [Jeff Trawick]
- *) mod_cache: Make caching of reverse proxies possible again. PR 38017.
- [Ruediger Pluem]
- *) Modify apr[util] .h detection to avoid breakage on VPATH builds
- using Solaris make (amoung others) and avoid breakage in ./buildconf
- when srclib/apr[-util] are symlinks rather than directories proper.
- [William Rowe]
- *) Avoid Server-driven negotiation when a script has emitted an
- explicit Status: header. PR 38070. [Nick Kew]
- *) Fix to avoid feeding C99 to C++ compilers. [Joe Orton]
- *) Chunk filter: Fix chunk filter to create correct chunks in the case that
- a flush bucket is surrounded by data buckets. [Ruediger Pluem]
- *) Fix syntax error in httpd.h with strict compilers. PR 37840.
- [Per Olausson <pao darkheim.freeserve.co.uk>]
- *) Fix recursive ErrorDocument handling. PR 36090.
- [Chris Darroch <chrisd pearsoncmg.com>]
- *) Don't hang on error return from post_read_request. PR 37790.
- [Nick Kew]
- *) Fix off-by-one error in proxy_balancer. PR 37753.
- [Kazuhiro Osawa <ko yappo ne jp>]
- Changes with Apache 2.2.0
- *) mod_negotiation: Minor performance tweak by reusing already calculated
- strlen.
- [Ruediger Pluem, Christophe Jaillet <christophe.jaillet wanadoo.fr>]
- *) Remove support for 'On' and 'Off' for AuthBasicProvider and
- AuthDigestProvider. [Joshua Slive, Justin Erenkrantz]
- *) Add in new UseCanonicalPhysicalPort directive, which controls
- whether or not Apache will ever use the actual physical port
- when constructing the canonical port number. [Jim Jagielski]
- *) mod_dav: Fix a null pointer dereference in an error code path during the
- handling of MKCOL.
- [Ruediger Pluem, Ghassan Misherghi <ghassanm ucdavis.edu>]
- *) mod_proxy_balancer: When finding best worker, use case insensitive
- match for scheme and host, but case sensitive for the rest of
- the path. [Jim Jagielski, Ruediger Pluem]
- *) Require use of APR >= 1.2.0 and APR-util >= 1.2.0 when configured
- to use external copies of the libraries. [Joe Orton]
- *) Fix DESTDIR=... installation when using bundled copy of APR.
- [Torsten Foertsch <torsten.foertsch gmx.net>]
- *) mod_dav: Fix handling of unknown state tokens in If: headers.
- PR: 37288. [Joe Orton]
- *) Strip out Experimental MPMs that have gone nowhere since 2.0
- (perchild, threadpool, leader). [Nick Kew]
- Changes with Apache 2.1.9
- *) Add mod_authn_dbd (SQL-based authentication) [Nick Kew]
- *) mod_proxy_ajp: Do not spool the entire response from AJP backend before
- sending it up the filter chain. PR 37100. [Ruediger Pluem]
- *) mod_cache: Create new filters CACHE_OUT_SUBREQ / CACHE_SAVE_SUBREQ which
- only differ by the type from CACHE_OUT / CACHE_SAVE to ensure that
- subrequests to non-local resources work again. [Ruediger Pluem]
- *) mod_proxy: Do not lowercase the entire worker name of a BalancerMember
- since this breaks case sensitive URI's. PR 36906. [Ruediger Pluem]
- *) core: AddOutputFilterByType is ignored for proxied requests. PR 31226.
- [Joe Orton, Ruediger Pluem]
- *) mod_proxy_http: Prevent data corruption of POST request bodies when
- client accesses proxied resources with SSL. PR 37145.
- [Ruediger Pluem, William Rowe]
- *) mod_ssl: Fix issue which could cause spurious warnings about use
- of name-based vhosts. PR 37051. [Joe Orton]
- *) ab: Fix to ensure that only the expected number of requests are run.
- PR 36966. [Joe Orton]
- *) mod_proxy_balancer: BalancerManager and proxies correctly handle
- member workers with paths. PR 36816. [Ruediger Pluem, Jim Jagielski]
- *) mod_log_config: %{hextid}P will log the thread id in hex with APR
- versions 1.2.0 or higher. [Jeff Trawick]
- *) httpd.exe/apachectl -V: display the DYNAMIC_MODULE_LIMIT setting, as
- in 1.3. [Jeff Trawick]
- *) Support dbd connection tied to conn_rec in mod_dbd. [Nick Kew]
- *) Fix use of pools in mod_dbd. [Brian J France, Nick Kew]
- *) Promote modules from "experimental": mod_dbd, mod_filter,
- mod_charset_lite. [Nick Kew]
- *) mod_proxy_ajp: mod_proxy_ajp sends empty SSL attributes for non SSL
- connections. PR 36883.
- [William Barker <william.barker wilshire.com>, Ruediger Pluem]
- *) Eliminated the NET_TIME filter, restructuring the timeout logic.
- This provides a working mod_echo on all platforms, and ensures any
- custom protocol module is at least given an initial timeout value
- based on the <VirtualHost > context's Timeout directive.
- [William Rowe]
- *) mod_proxy: Run the request_status hook also if there are no free workers
- or all workers are in error state.
- [Ruediger Pluem, Brian Akins <brian.akins turner.com>]
- *) mod_proxy_connect: Fix high CPU loop on systems like UnixWare which
- trigger POLL_ERR or POLL_HUP on a terminated connection. PR 36951.
- [Jeff Trawick, Ruediger Pluem]
- *) mod_proxy_balancer: Fix handling of sticky sessions with Tomcat.
- PR 36507. [Ruediger Pluem]
- *) SECURITY: CVE-2005-2970 (cve.mitre.org)
- worker MPM: Fix a memory leak which can occur after an aborted
- connection in some limited circumstances. [Greg Ames]
- *) Doxygen fixups. [Neale Ranns <neale ranns.org>, Ian Holsman]
- *) mod_cache/mod_dir: Correct a subrequest lookup bug which was preventing
- mod_dir from serving indexes correctly with mod_cache enabled.
- [Colm MacCarthaigh]
- Changes with Apache 2.1.8
- *) Fix lingering close implementation to match 1.3.x behaviour.
- PR 35292. [Joe Orton]
- *) mod_ssl: Support limited buffering of request bodies to allow
- per-location renegotiation to proceed. PR 12355. [Joe Orton]
- *) Fix regression since 2.0.x in AllowOverride Options handling.
- PR 35330. [kabe <kabe sra-tohoku.co.jp>]
- *) mod_ssl: Fix memory leak in ssl_util_algotypeof().
- PR 25659. [David Blake <dblake hp com>, Martin Kraemer]
- *) prefork, worker and event MPMs: Support a graceful-stop procedure:
- Server will wait until existing requests are finished or until
- "GracefulShutdownTimeout" number of seconds before exiting.
- [Colm MacCarthaigh, Ken Coar, Bill Stoddard]
- *) prefork, worker and event MPMs: Prevent children from holding open
- listening ports upon graceful restart or stop. PR 28167.
- [Colm MacCarthaigh, Brian Pinkerton <bp thinkpink.com>]
- *) SECURITY: CVE-2005-2700 (cve.mitre.org)
- mod_ssl: Fix a security issue where "SSLVerifyClient" was not
- enforced in per-location context if "SSLVerifyClient optional"
- was configured in the vhost configuration. [Joe Orton]
- *) mod_ssl: Catch parse errors from misconfigured or malformed
- CRLs. PR 36438. [Joe Orton]
- *) mod_proxy/mod_proxy_balancer: lbmethods now implemented as
- providers. Prevent problems when no Vhost containers were
- configured with proxy balancers. [Jim Jagielski]
- *) New provider function to list all available provider names in a
- specific group and version (ap_list_provider_names). [Jim Jagielski]
- *) mod_cache: Enhance CacheEnable/CacheDisable to control caching on a
- per-protocol, per-host and per-path basis. Intended for proxy
- configurations. [Colm MacCarthaigh]
- *) mod_disk_cache: Canonicalise the storage key, for improved hit/miss
- ratio. [Colm MacCarthaigh]
- *) mod_cgid: Append .PID to the script socket filename and remove the
- script socket on exit. [Colm MacCarthaigh, Jim Jagielski]
- *) mod_cgid: run the get_suexec_identity hook within the request-handler
- instead of within cgid. PR 36410. [Colm MacCarthaigh]
- *) Linux 2.0: remove support for threaded MPM's due to linuxthreads use
- of SIGUSR1 clashing with graceful restart signal. [Colm MacCarthaigh]
- Changes with Apache 2.1.7
- *) SECURITY: CVE-2005-2491 (cve.mitre.org):
- Fix integer overflows in PCRE in quantifier parsing which could
- be triggered by a local user through use of a carefully-crafted
- regex in an .htaccess file. [Philip Hazel]
- *) mod_proxy/mod_proxy_balancer: Provide a simple, functional
- interface to add additional balancer lb selection methods
- without requiring code changes to mod_proxy/mod_proxy_balancer;
- these can be implemented via sub-modules now. [Jim Jagielski]
- *) mod_cache: Fix incorrectly served 304 responses when expired cache
- entity is valid, but cache is unwritable and headers cannot be
- updated. [Colm MacCarthaigh <colm stdlib.net>]
- *) mod_cache: Remove entities from the cache when re-validation
- receives a 404 or other content-no-longer-present error.
- [Rüdiger Plüm ruediger.pluem vodafone.com]
- *) mod_disk_cache: Properly remove files from cache when needed.
- [Rüdiger Plüm ruediger.pluem vodafone.com]
- *) mod_disk_cache: Support htcacheclean removing directories.
- [Andreas Steinmetz]
- *) htcacheclean: Add -t option to remove empty directories.
- [Colm MacCarthaigh <colm stdlib.net>]
- *) Remove the base href tag from mod_proxy_ftp, as it breaks relative
- links for clients not using an Authorization header. [Graham Leggett,
- Jon Snow <jsnow27 gatesec.net>]
- *) mod_cache: Restore the HTTP status of cached responses.
- [Hansjoerg Pehofer <hansjoerg.pehofer uibk.ac.at>]
- *) mod_cache: Store varied contents all in the same prefix for a varied URI.
- [Paul Querna]
- *) mod_cache: Run the CACHE_SAVE and CACHE_OUT Filters after other content
- filters. [Paul Querna]
- *) mod_negotiation: Correctly report 404 instead of 403 for missing files.
- [Paul Querna]
- *) new hook (request_status) that gets ran in proxy_handler just before
- the final return. This gives modules an opportunity to do something
- based on the proxy status. (minor MMN bump)
- [Brian Akins <bakins turner.com>, Ian Holsman]
- *) Add additional SSLSessionCache option, 'nonenotnull', which is
- similar to 'none' (disabling any external shared cache) but forces
- OpenSSL to provide a non-null session ID. [Jim Jagielski]
- *) Add httxt2dbm to support/ for creating RewriteMap DBM Files.
- [Paul Querna]
- *) Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note
- the negotiated compression. [Georg v. Zezschwitz <gvz 2scale.de>]
- *) Fixed complaints about unpackaged files within the RPM build
- after changes to the config files. [Graham Leggett]
- *) Fix shutdown for the Worker MPM when an Accept Filter is used. Instead of
- just closing the socket, a HTTP request is made, to make sure the child is
- always awakened. [Paul Querna]
- Changes with Apache 2.1.6
- *) Fix htdbm password validation for records which included comments.
- [Eric Covener <covener gmail.com>]
- *) mod_cgid: Fix buffer overflow processing ScriptSock directive.
- [Steve Kemp <steve steve.org.uk>]
- Changes with Apache 2.1.5
- *) mod_ssl: Setting the Protocol to 'https' can replace the use of the
- 'SSLEngine on' command. [Paul Querna]
- *) core: Refactor the mapping of Accept Filters to Sockets. Add the
- AcceptFilter and Protocol directives to aid in mapping filter types.
- Extend the Listen directive to optionally take a protocol name.
- [Paul Querna]
- *) mod_disk_cache: Support storing multiple variations of one URL. PR 35211.
- [Paul Querna]
- *) mod_disk_cache: Atomically create the header data file. [Paul Querna]
- *) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125.
- [Paul Querna]
- *) mod_cache: Rename 'generate_name' to 'ap_cache_generate_name'.
- [Paul Querna]
- *) mod_mime_magic: Handle CRLF-format magic files so that it works with
- the default installation on Windows. [Jeff Trawick]
- *) core: Allow multiple modules to register interest in a single
- configuration command. [Paul Querna]
- *) authn_provider_alias: Adds the configuration block tag
- <AuthnProviderAlias baseProvider Alias>
- Authentication directives contained within this block can be
- referenced as a new authProvider using the AuthBasicProvider or
- AuthDigestProvider directive. These directives will be merged in to
- the per_dir configuration just before the base provider is called.
- [Brad Nicholes]
- *) ap_getword_conf: Fix backslashes at the end of configuration directives.
- PR 34834. [Timo Viipuri <viipuri dlc.fi>]
- *) mod_dbd: New additions: mod_dbd.c, mod_dbd.h, mod_dbd.xml
- Provide module hooks for apr_dbd; optimise for httpd
- threaded and non-threaded arch [Nick Kew]
- *) ab: SSL support rewritten, improved, and enabled if SSL is enabled
- during the build; -f and -Z arguments added to specify SSL protocol
- options. [Masaoki Kobayashi <masaoki techfirm.co.jp>]
- *) mod_info: Show the Quick Handler [Paul Querna]
- *) mod_ldap: Add the directive LDAPVerifyServerCert to specify
- whether to force verification of the server certificate when
- establishing an SSL connection to the LDAP server.
- [Brad Nicholes]
-
- *) mod_proxy: Run mod_rewrite before mod_proxy in the translate_name
- hook. [Paul Querna]
- *) Add AP_INIT_TAKE_ARGV for configuration commands. (minor MMN bump)
- [Paul Querna]
- *) ap_get_local_host() rewritten for APR. [Jim Jagielski]
- *) Add the ap_vhost_iterate_given_conn function to expose the information
- used in Name Based Virtual Hosting. (minor MMN bump)
- [Paul Querna]
- *) Remove the never working ap_method_list_do and ap_method_list_vdo.
- [Paul Querna]
- *) Added makefile and doc for building mod_ssl on the NetWare
- platform. [Guenter Knauf, Brad Nicholes]
-
- *) mod_deflate: Merge the Vary header, isntead of Setting it. Fixes
- applications that send the Vary Header themselves, and also apply
- mod_deflate as an output filter. [Paul Querna]
- *) Change the default (when not present in the config file) setting
- for UseCanonicalName to Off.
- [Joshua Slive]
- *) mod_userdir: The module no longer does any remapping unless the
- UserDir directive is present in the config file.
- [Joshua Slive]
- *) Massively simplify the distributed httpd.conf by removing
- many features and many directives that are at their default
- setting. Add a selection of example config excerpts for adding
- extra features in the conf/extra/ directory. Install the
- distributed config and the extra config examples in the
- conf/original/ directory during make install.
- [Joshua Slive, Justin Erenkrantz]
- *) NetWare: Reposition mod_asis, mod_actions, mod_cgi, mod_imagemap,
- mod_userdir and mod_autoindex as shared modules rather than
- built-in modules within the NetWare build.
- [Brad Nicholes]
- *) Rename mod_imap to mod_imagemap.
- [Paul Querna]
- *) util_ldap: Eliminate the load ordering of mod_ldap and mod_authnz_ldap
- by changing the mod_ldap exported functions to optional functions.
- [Brad Nicholes]
- Changes with Apache 2.1.4
- *) Don't let a subrequest inherit headers describing the original request's
- body. [Greg Ames]
- *) Fix Windows CompContext buff size miscalculation
- [Allan Edwards]
- *) Add ReceiveBufferSize directive to control the TCP receive buffer.
- [Eric Covener <covener gmail.com>]
- *) mod_proxy: Add proxy-sendextracrlf option to send an extra CRLF at the
- end of the request body to work with really old HTTP servers.
- [Justin Erenkrantz]
- *) util_ldap: Keep track of the number of attributes retrieved from
- LDAP so that all the values can be properly cached even if the
- value is NULL. PR 33901 [Brad Nicholes]
- *) mod_cache: Fix error where incoming Cache-Control would be ignored.
- [Justin Erenkrantz]
- *) mod_cache: Correctly handle originally conditional requests.
- [Sander Striker]
- *) mod_disk_cache: Correctly update cached headers on revalidated responses.
- [Sander Striker, Justin Erenkrantz]
- *) worker MPM/mod_status: Support per-worker tracking of pid and
- generation in the scoreboard so that mod_status can accurately
- represent workers in processes which are gracefully terminating.
- (major MMN bump)
- [Jeff Trawick]
- *) Correctly export all mod_dav public functions.
- [Branko Čibej <brane xbc.nu>]
- Changes with Apache 2.1.3
- *) mod_ssl: Add ssl_ext_lookup optional function for accessing
- certificate extensions. [David Reid, Joe Orton]
- *) Add support for use of an external PCRE library; pass the
- --with-pcre flag to configure. PR 27550. [Joe Orton,
- Andres Salomon <dilinger voxel.net>]
- *) Renamed regex interfaces to be namespace-safe, and moved from
- pcreposix.h header to ap_regex.h: regex_t->ap_regex_t,
- regmatch_t->ap_regmatch_t; REG_*->AP_REG_*; functions
- reg*->ap_reg*. PR 27550. [Andres Salomon <dilinger voxel.net>,
- Joe Orton]
- *) Only recompile buildmark.c when we have to relink httpd.
- [Justin Erenkrantz]
- *) mod_cache: Fix up handling of revalidated responses.
- [Justin Erenkrantz]
- *) mod_disk_cache: Properly load cached ETag from on-disk structures.
- [Justin Erenkrantz]
- *) mod_authnz_ldap: Added an optional second parameter to AuthLDAPURL
- to allow it to override the connection type set in mod_ldap. This
- parameter can be set to NONE, SSL or TLS | STARTTLS.
- [Brad Nicholes]
- *) Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
- [Max Bowsher <maxb ukf.net>]
- *) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170.
- [Rici Lake <rici ricilake.net>]
- *) mod_proxy: Fix ap_proxy_canonenc API.
- PR 32459. [Jim Jagielski]
- *) mod_cache: Add CacheStorePrivate and CacheStoreNoStore directive.
- [Justin Erenkrantz]
- *) Add --enable-pie flag to configure, to build httpd as a Position
- Independent Executable where supported (GCC/binutils).
- [Joe Orton]
- *) proxy_balancer: Add in load-balancing via weighted traffic
- byte count. [Jim Jagielski]
- *) mod_disk_cache: Cache r->err_headers_out headers. This allows CGI
- scripts to be properly cached. [Justin Erenkrantz, Sander Striker]
- *) mod_ldap: Updated to use the new apr-util v1.1 apr_ldap_*_option()
- API for the setting of server and client SSL certificates. Replaced
- LDAPTrustedCA directive with LDAPTrustedGlobalCert and
- LDAPTrustedClientCert directives to correctly support global certs
- (CA certs / Netware client certs) and per connection client certs
- as supported by Netware, OpenLDAP and Netscape/Mozilla.
- [Graham Leggett]
- *) mod_cache: Remove unimplemented CacheForceCompletion directive.
- [Justin Erenkrantz]
- *) support/check_forensic: Fix temp file usage
- [Javier Fernandez-Sanguino Pen~a <jfs computer.org>]
- *) mod_ssl: Add SSLCADNRequestFile and SSLCADNRequestPath directives
- which can be used to configure a specific list of CA names to send
- in a client certificate request. PR 32848.
- [Tim Taylor <tim.taylor dfas.mil>]
- *) --with-module can now take more than one module to be statically
- linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
- If the <modtype>-subdirectory doesn't exist it will be created and
- populated with a standard Makefile.in. [Erik Abele]
- *) Remove some compiler warnings within the LDAP modules [Graham Leggett]
- *) Add a build script to create a solaris package. [Graham Leggett]
- *) ap_http_scheme() replaced with ap_http_method() - this function
- returns the scheme (http v.s. https).
- [William Rowe]
- *) mod_proxy: Fix a request corruption problem and a buffering problem
- which sometimes prevented proxy-sendchunks from working.
- [Jeff Trawick]
- *) Fix the RPM spec file so that an RPM build now works. An RPM
- build now requires system installations of APR and APR-util.
- [Graham Leggett]
- *) Significantly simplify the load balancer scheduling algorithm
- for the proxy BalancerMember weighting. loadfactors (lbfactors)
- are now normalized with respect to each other. [Jim Jagielski]
- *) mod_dumpio: Added to the available module suite; it is an
- I/O logging/dumping module. Placed in the (new) debug module
- subdirectory. mod_bucketeer moved to that directory as well.
- [Jim Jagielski]
- *) core: Add support for APR_TCP_DEFER_ACCEPT to defer accepting
- of a connection until data is available.
- [Paul Querna]
- Changes with Apache 2.1.2
- *) mod_proxy: Respect errors reported by pre_connection hooks.
- [Jeff Trawick]
- *) core: Error out on sections that are missing an argument instead of
- silently consuming the section. PR 25460.
- [Geoffrey Young, Paul Querna]
- *) mod_cache/mod_mem_cache/mod_disk_cache: Move out of experimental.
- *) Upgraded PCRE to version 5.0. [Brian Pane]
- *) mod_cgid: Catch configuration problem where two web server instances
- share same ServerRoot but admin forgot to use ScriptSock.
- [Jeff Trawick]
- *) mod_cgi: Ensure that all stderr is logged for a script which returns
- a Location header to generate a non-local redirect. PR 20111.
- [Joe Orton]
- *) Added the Event MPM to more efficiently handle clients during a
- Keep Alive request.
- [Paul Querna, Greg Ames]
- Changes with Apache 2.1.1
- *) mod_proxy_http: Stream content better - always flush buffered data to
- the client before blocking waiting for new data. PR 19954.
- [Joe Orton]
- *) mod_ssl: Add support for command-line option "-t -DDUMP_CERTS" which
- will dump the filenames of all configured SSL certificates to stdout.
- [Joe Orton]
- *) mod_disk_cache: Remove a bunch of non-implemented garbage collection
- and cache size directives that are now available through htcacheclean.
- [Justin Erenkrantz]
- *) Add htcacheclean to support/ for assistance with mod_disk_cache.
- [Andreas Steinmetz]
- *) mod_authnz_ldap: Added the directive "Requires ldap-filter" that
- allows the module to authorize a user based on a complex LDAP
- search filter. [Brad Nicholes]
- *) mod_usertrack: Run the fixups hook before other modules.
- PR 29755. [Paul Querna]
- *) Allow mod_authnz_ldap authorization functionality to be used
- without requiring the user to also be authenticated through
- mod_authnz_ldap. This allows other authentication modules to
- take advantage of LDAP authorization only [PR 28253]
- [Jari Ahonen jah progress.com, Brad Nicholes]
-
- *) Log the client IP address when an error occurs disabling nagle on a
- connection, but log at a severity of debug since this error
- generally means that the connection was dropped before data was
- sent. Log the client IP address when reporting errors in the core
- output filter. [Jeff Trawick]
- *) core: Add a warning message if the request line read fails.
- [Paul Querna]
- *) mod_rewrite: Removed the MaxRedirects option in favor of the
- core LimitInternalRecursion directive. [André Malo]
- *) mod_info: Added listing of the Request Hooks and added more build
- information like 'httpd -V' contains. Changed output to XHTML.
- [Paul Querna]
- *) mod_info: Rewrote config tree walk using a recursive function.
- Added ?config option. Added printout of config filename and line numbers.
- [Rici Lake <rici ricilake.net>, Paul Querna]
- *) mod_proxy: Fix type error that prevents proxy-sendchunks from working.
- [Justin Erenkrantz]
- *) mod_proxy: Fix data corruption by properly setting aside buckets.
- [Justin Erenkrantz]
- *) mod_proxy: If a request has a blank body and has a 0 Content-Length
- headers, pass that to the proxy. [Justin Erenkrantz]
- *) Recognize QSA flag in mod_rewrite again.
- [Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]
- *) Restructured mod_auth_ldap to fit the new authentication model.
- The module is now called authnz_ldap and has been moved out of
- the modules/experimental area and into modules/aaa with the other
- auth modules. Both the authn_ldap provider and the authz_ldap
- handler are contained within the authnz_ldap module. The
- authz_ldap handler introduces 3 new "requires" values for handling
- authorization. These handlers are ldap-user, ldap-group and
- ldap-dn. [Brad Nicholes]
- *) Fix some compiler warnings in proxy
- [Geoffrey Young <geoff@modperlcookbook.org>]
- *) mod_ssl: Add SSL_CLIENT_V_REMAIN variable, representing the
- number of days until the client cert expires. [Joe Orton]
- *) Add test_config hook, run only if httpd is invoked using -t.
- [Joe Orton]
- *) Improve error handling for corrupted pid files. [Jeff Trawick]
- *) mod_proxy.c and proxy_util.c: Enable compiling on 2.0-HEAD
- (for backwards compatibility):
- Avoids mod_ssl.h (not included in 2.0-HEAD) and
- use apr_socket_create_ex for 0.9.x
- [Mladen Turk]
- *) Added proxy_ajp.c module for proxy support to ajp:// backends.
- [Jean Frederic Clere]
- *) Fixes the build of proxy on Windows. Since the proxy_module is declared
- as extern using AP_MODULE_DECLARE_DATA that expands to dllexport, there
- is a LNK2001 error when building proxy_http. [Mladen Turk]
- *) Remove LDAP toolkit specific code from util_ldap and mod_auth_ldap.
- [Graham Leggett]
- *) Remove deprecated/removed APR_STATUS_IS_SUCCESS(). [Justin Erenkrantz]
- *) perchild MPM: Fix thread safety problem in the use of longjmp().
- [Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]
- *) Add load balancer support to the scoreboard in preparation for
- load balancing support in mod_proxy. [Mladen Turk]
- *) mod_nw_ssl: Added the directive NWSSLUpgradeable to mod_nw_ssl to
- allow a non-secure connection to be upgraded to secure connections
- [Brad Nicholes]
-
- *) core: Add Options= syntax to AllowOverride to specify which options
- may be overridden in .htaccess files. PR 29310.
- [Tom Alsberg <alsbergt cs.huji.ac.il>, Paul Querna]
- *) ab: Handle long URLs with an error instead of an buffer overflow.
- PR 28204. [Erik Weide <erik.weidel mplus-technologies.de>, Paul Querna]
- *) mod_so, core: Add new command line options to print all loaded
- modules. '-t -D DUMP_MODULES' and '-M' will show all static
- and shared modules as loaded from the configuration file.
- [Paul Querna]
- *) mod_autoindex: Add ShowForbidden to IndexOptions to list files
- that are not shown because the subrequest returned 401 or 403.
- PR 10575. [Paul Querna]
- *) mod_headers: implement "Early" processing option in post_read_request
- to enable Header and RequestHeader directives to be used to set up
- testcases for pre-fixups request phases [Nick Kew]
- *) mod_proxy: multiple bugfixes, principally support cookies in
- ProxyPassReverse, and don't canonicalise URL passed to backend.
- Documentation correspondingly updated. [Nick Kew <nick webthing.com>]
- *) mod_deflate: support gzip flags in inflate_out_filter
- [Nick Kew <nick webthing.com>]
- *) Drop the ErrorHeader directive which turned out to be a misnomer.
- Instead there's a new optional flag for the Header directive
- ('always'), which keeps the former ErrorHeader functionality.
- [André Malo]
- *) mod_deflate: Don't deflate responses with zero length
- e.g. proxied 304's [Allan Edwards]
- *) <IfModule> now recognizes the module identifier in addition to the
- file name. PR 29003. [Edward Rudd <eddie omegaware.com>, André Malo]
- *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
- OpenSSL 0.9.7 flag which uses the server's cipher order rather
- than the client's. PR 28665.
- [Jim Schneider <jschneid netilla.com>]
- *) mod_ssl: Drop support for the CompatEnvVars argument to
- SSLOptions, which was never actually implemented in 2.0.
- [Joe Orton]
- *) Fix bug in mod_deflate that unconditionally sent deflate'd output
- even when Accept-Encoding is not present. [Justin Erenkrantz]
- *) Pass environment variables through to piped loggers and start
- them via the shell, resolving regressions since 1.3. PR 28815
- [Ken Coar, Jeff Trawick]
- *) External rewrite map responses are no longer limited to 2048
- bytes. [André Malo]
- *) Proxy server was deleting cookies that Apache had already
- assigned if the origin server had set any cookies. PR 27023.
- [Jim Jagielski]
- *) Removed old and unmaintained ap_add_named_module API and changed
- the following APIs to return an error instead of hard exiting:
- ap_add_module, ap_add_loaded_module, ap_setup_prelinked_modules,
- and ap_process_resource_config. [André Malo]
- *) mod_headers: Allow %% in header values to represent a literal %.
- [André Malo]
- *) mod_headers: Allow env clauses also for 'echo' and 'unset' actions.
- [André Malo]
- *) mod_headers: Allow 'echo' also for ErrorHeaders. [André Malo]
- *) mod_deflate: New option for DEFLATE output file (force-gzip),
- new output filter 'INFLATE' for uncompressing responses.
- [Nick Kew <Nick at WebThing dot com>, Ian Holsman]
- *) Added new module mod_version, which provides version dependent
- configuration containers. [André Malo]
- *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
- format is used. PR 27787. [André Malo]
- *) Allow Digest providers to return AUTH_DENIED to propagate a 401
- status and terminate the provider chain prior to checking the password.
- [Geoffrey Young]
- *) mod_cgid: Don't allow Scriptsock to be specified inside VirtualHost;
- Don't place script socket inside default server root instead of
- actual server root. PR 27886. [Jeff Trawick]
- *) mod_proxy: Fix handling of non-200 success status codes when
- "ProxyErrorOverride On" is configured. PR 20183.
- [Marcus Janson <marcus.janson tre.se>, Joe Orton]
- *) Threaded MPMs for Unix and Win32: Add support for ThreadStackSize
- directive (previously NetWare-only) to override default thread
- stack size for threads which handle client connections. Required
- for some third-party modules on platforms with small default
- thread stack size. [Jeff Trawick]
- *) minor mod_auth_basic and mod_auth_digest sync. mod_auth_basic
- now populates r->user with the (possibly unauthenticated) user,
- and mod_auth_digest returns 500 when a provider returns
- AUTH_GENERAL_ERROR.
- [Geoffrey Young]
- *) The whole codebase was relicensed and is now available under
- the Apache License, Version 2.0 (http://www.apache.org/licenses).
- [Apache Software Foundation]
- *) Delete some make-generated files in the server directory during
- "make clean" processing. PR 26552. [Jeff Trawick]
- *) Add core version query function (ap_get_server_revision) and
- accompanying ap_version_t structure (minor MMN bump).
- [André Malo]
- *) mod_rewrite: EOLs sent by external rewritemaps are now consumed
- as whole. That way, on systems with more than one EOL character
- rewritemap programs no longer need to switch stdout to binary
- mode. PR 25635. [André Malo]
- *) mod_rewrite: Introduce the ability to force a content handler via
- the [handler=...] flag. [André Malo]
- *) mod_rewrite: Introduce the RewriteCond -x check, which returns
- true if the pattern is a file with execution permissions.
- [André Malo]
- *) mod_rewrite: Allow proxying and RewriteRules in directory context
- for subrequests. PR 14648, 15114. [André Malo]
- *) mod_rewrite: Allow setting of any valid HTTP response code.
- PR 25917. [André Malo]
- *) mod_rewrite: Cookie creation now works locale independent.
- [André Malo]
- *) mod_ssl: Add support for distributed session cache using 'distcache'.
- [Geoff Thorpe <geoff geoffthorpe.net>]
- *) mod_dav: Disallow requests with an unescaped hash character in
- the Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]
- *) mod_proxy with ProxyErrorOverride On in a reverse-proxy configuration
- attaches a body to the 302 response and a wrong Content-Length header.
- PR: 22951 [Ermanno Scaglione scaglione ..at.. starnetone.de]
- *) Bring ErrorHeader concept forward from 1.3, so that response
- header fields can be set for return even on errors or external
- redirects. [Ken Coar]
- *) Fix <Limit> and <LimitExcept> parsing to require a closing '>'
- in the initial container. PR 25414.
- [Geoffrey Young <geoff apache.org>]
- *) Clean up httpd -V output: Instead of displaying the MPM source
- directory, display the MPM name and some MPM properties.
- [Geoffrey Young <geoff apache.org>]
- *) mod_ssl/mod_status: Re-enable support for output of SSL session
- cache information in server-status page. [Joe Orton]
- *) mod_ssl: Remove the shmht session cache, shmcb should be used
- instead. [Joe Orton]
- *) mod_logio: Account for some bytes handed to the network layer prior to
- dropped connections. [Jeff Trawick]
- *) mod_autoindex: new directive IndexStyleSheet
- [Tyler Riddle <triddle_1999 yahoo.com>, Paul Querna <chip force-elite.com>]
- *) Fix uninitialized gprof directory name in prefork MPM. PR 24450.
- [Chris Knight <Christopher.D.Knight nasa.gov>]
- *) Log an error when requests for URIs which fail to map to a valid
- filesystem name are rejected with 403. [Jeff Trawick]
- *) Switch to APR 1.0 API.
- *) Major overhaul of mod_include's filter parser. The new parser code
- is expected to be more robust and should catch all of the edge cases
- that were not handled by the previous one. This includes a binary
- incompatible change of mod_include's external API. [André Malo]
- *) mod_rewrite: Allow forced mimetypes [T=...] to get expanded.
- PR 14223. [André Malo]
- *) mod_rewrite: Fix LA-U and LA-F lookups in directory context. Previously
- the current rewrite state was just used as lookup path, which lead to
- strange and often useless results. Related to PR 8493. [André Malo]
- *) Change Listen directive to bind to all addresses when a hostname is
- not specified. [Justin Erenkrantz]
- *) Correct failure with Listen directives on machines with IPv6 enabled.
- [Colm MacCárthaigh <colm stdlib.net>, Justin Erenkrantz]
- *) Fix a link failure in mod_ssl when the OpenSSL libraries contain
- the ENGINE functions but the engine header files are missing.
- [Cliff Woolley]
- *) mod_rewrite: RewriteRules in server context using the force
- type feature [T=...] no longer disable MultiViews. [André Malo]
- *) mod_rewrite: Allow piped rewrite logs to be relative to ServerRoot.
- [André Malo]
- *) mod_authz_groupfile: Strip trailing spaces of group names. This
- hopefully saves some hours of searching for typos. PR 12863.
- [André Malo]
- *) mod_actions: Propagate the handler name to the action script via
- the REDIRECT_HANDLER environment variable. [André Malo]
- *) mod_actions: Introduce the "virtual" modifier to the Action directive,
- which allows the use of handlers for virtual locations. PR 8431.
- [André Malo]
- *) mod_speling: Recognize AcceptPathInfo setting for the particular
- location. Default is to reject path information. PR 21059.
- [André Malo]
- *) mod_ext_filter: Add the ability to filter request bodies.
- [Philipp Reisner <philipp.reisner linbit.com>]
- *) Fix some broken log messages in WinNT MPM.
- [Juan Rivera <Juan.Rivera citrix.com>]
- *) prefork MPM: Use the right permissions for the directory created
- for gprof support. [Jim Carlson <jcarlson jnous.com>]
- *) Fix a compile failure with recent OpenSSL and picky compilers
- (e.g., OpenSSL 0.9.7a and xlc_r on AIX). [Jeff Trawick]
- *) OpenSSL headers should be included as "openssl/ssl.h", and not rely on
- the INCLUDE path to be defined properly.
- PR 11310. [Geoff Thorpe <geoff geoffthorpe.net>]
- *) Modify APACHE_CHECK_SSL_TOOLKIT to detect SSL-C. [Madhusudan Mathihalli]
- *) Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
- autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc).
- [Geoff Thorpe <geoff geoffthorpe.net>]
- *) change directive name from 'compressionlevel' to 'deflatecompressionlevel'
- [Ian Holsman, André Malo]
- *) mod_negotiation: quality values are now parsed independent from
- the current locale. level values are now really parsed as integers.
- PR 17564. [André Malo]
- *) Extend mod_negotiation to evaluate the environment variables
- no-gzip and gzip-only-text/html the same way as mod_deflate does.
- [André Malo]
- *) mod_rewrite: Fix some problems reporting errors with mapping
- programs (RewriteMap prg:/something). [Jeff Trawick]
- *) Return 413 if chunk-ext-header is too long rather than reading from
- the truncated line. PR 15857. [Justin Erenkrantz]
- *) Allow restart of httpd to occur even with syntax errors in the config
- file. PR 16813. [Justin Erenkrantz]
- *) Use APR_LAYOUT instead of APACHE_LAYOUT in configure. PR 15679.
- [Justin Erenkrantz]
- *) Remove files on 'make distclean' that should be. PR 15592.
- [Justin Erenkrantz]
- *) Allow apachectl to perform status with links and elinks as well.
- [Justin Erenkrantz]
- *) mod_log_config change optional hook to return previous handler
- [Ian Holsman]
- *) Forward port of mod_actions' ability to handle arbitrary methods
- with the Script directive. [André Malo]
- *) Let suexec send a message to stderr, if it failed or its policy
- was violated. This message appears in the error log and allows
- for easier debugging. PR 5381, 7638, 8255, 10773. [André Malo]
- *) Modify buildconf to copy all required files into httpd's tree.
- [Thom May <thom planetarytramp.net>]
- *) Allow mod_dav to do weak entity comparison functions.
- [Justin Erenkrantz]
- *) Move RFC 1413 ident requests from core to new module mod_ident.
- [André Malo]
- *) Add mod_authz_owner - a forward port of "Require file-owner"
- and "Require file-group", which was already present in version
- 1.3.21. [André Malo]
- *) Add mod_dav_lock - a generic subset of the DAV locking implementation.
- [Justin Erenkrantz]
- *) Replace some of the mutex locking in the worker MPM with
- atomic operations for higher concurrency. [Brian Pane]
- *) Allow 'make depend' to work with non-GCC compilers.
- [Justin Erenkrantz]
- *) If an httpd.conf has commented out AddModule directives,
- apxs -i -a will add an un-commented AddModule directive for
- the new module, which breaks the config.
- PR: 11212 [Joe Orton]
- *) Fix mod_proxy handling of filtered input bodies. [Justin Erenkrantz]
- *) Move the check of the Expect request header field after the hook
- for ap_post_read_request, since that is the only opportunity for
- modules to handle Expect extensions. [Justin Erenkrantz]
- *) Rewrite of aaa modules to an authn/authz model.
- [Dirk-Willem van Gulik, Justin Erenkrantz]
- [Apache 2.1.0-dev includes those bug fixes and changes with the
- Apache 2.0.xx tree as documented, and except as noted, below.]
- Changes with Apache 2.0.x and later:
- *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
- Changes with Apache 1.3.x and later:
- *) http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/CHANGES?view=markup