-*- coding: utf-8 -*-

Changes with Apache 2.4.13

*) SECURITY: CVE-2015-0253 (cve.mitre.org)
core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
with the INCLUDES filter active, introduced in 2.4.11. PR 57531.
[Yann Ylavic]

*) SECURITY: CVE-2015-0228 (cve.mitre.org)
mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash.
[Edward Lu <Chaosed0 gmail.com>]

*) mod_proxy: Don't put the worker in error state for 500 or 503 errors
returned by the backend unless failonstatus is configured to. PR 56925.
[Yann Ylavic]

*) core: Don't lowercase the argument to SetHandler if it begins with
"proxy:unix". PR 57968. [Eric Covener]

*) mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
the OCSP response for a different certificate. mod_ssl has an additional
global mutex, "ssl-stapling-refresh". PR 57131 (partial fix).
[Jeff Trawick]

*) mod_authz_dbm: Fix crashes when "dbm-file-group" is used and
authz modules were loaded in the "wrong" order. [Joe Orton]

*) mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
of DB lookup entries independently of the selected DB engine. PR 46421.
[Steven whitson <steven.whitson gmail com>, Jan Kaluza, Yann Ylavic].

*) In alignment with RFC 7525, the default recommended SSLCipherSuite
and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
default recommended SSLProtocol and SSLProxyProtocol directives now
exclude SSLv3. Existing configurations must be adjusted by the
administrator. [William Rowe]

*) mod_ssl: Add support for extracting subjectAltName entries of type
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
environment variables. Also addresses PR 57207. [Kaspar Brand]

*) dav_validate_request: avoid validating locks and ETags when there are
no If headers providing them on a resource we aren't modifying.
[Ben Reser]

*) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
response header to be used by the application, for when the application
or framework is unable to return Location in the internal-redirect
form. [Jeff Trawick]

*) core: Cleanup the request soon/even if some output filter fails to
handle the EOR bucket. [Yann Ylavic]

*) mpm_event: Allow for timer events duplicates. [Jim Jagielski, Yann Ylavic]

*) mod_proxy, mod_ssl, mod_cache_socache, mod_socache_*: Support machine
readable server-status produced when using the "?auto" query string.
[Rainer Jung]

*) mod_status: Add more data to machine readable server-status produced
when using the "?auto" query string. [Rainer Jung]

*) mod_ssl: Check for the Entropy Gathering Daemon (EGD) availability at
configure time (RAND_egd), and complain if SSLRandomSeed requires using
it otherwise. [Bernard Spil <pil.oss gmail com>, Stefan Sperling,
Kaspar Brand]

*) mod_ssl: make sure to consistently output SSLCertificateChainFile
deprecation warnings, when encountered in a VirtualHost block.
[Falco Schwarz <hiding falco.me>]

*) mod_log_config: Add "%{UNIT}T" format to output request duration in
seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
[Ben Reser, Rainer Jung]

*) Allow FallbackResource to work when a directory is requested and
there is no autoindex nor DirectoryIndex.
[Jack <tjerk.meesters gmail.com>, Eric Covener]

*) mod_proxy_wstunnel: Bypass the handler while the connection is not
upgraded to WebSocket, so that other modules can possibly take over
the leading HTTP requests. [Yann Ylavic]

*) mod_http: Fix incorrect If-Match handling. PR 57358
[Kunihiko Sakamoto <ksakamoto google.com>]

*) mod_ssl: Add a warning if protocol given in SSLProtocol or SSLProxyProtocol
will override other parameters given in the same directive. This could be
a missing + or - prefix. PR 52820 [Christophe Jaillet]

*) core, modules: Avoid error response/document handling by the core if some
handler or input filter already did it while reading the request (causing
a double response body). [Yann Ylavic]

*) mod_proxy_ajp: Fix client connection errors handling and logged status
when it occurs. PR 56823. [Yann Ylavic]

*) mod_proxy: Use the correct server name for SNI in case the backend
SSL connection itself is established via a proxy server.
PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]

*) mod_ssl: Fix possible crash when loading server certificate constraints.
PR 57694. [Paul Spangler <paul.spangler ni com>, Yann Ylavic]

*) build: Don't load both mod_cgi and mod_cgid in the default configuration
if they're both built. [olli hauer <ohauer gmx.de>]

*) mod_logio: Add LogIOTrackTTFB and %^FB logformat to log the time
taken to start writing response headers. [Eric Covener]

*) mod_ssl: Avoid compilation errors with LibreSSL related to
the use of ENGINE_CTRL_CHIL_SET_FORKCHECK.
[Stuart Henderson <sthen openbsd.org>]

*) mod_proxy_http: Use the "Connection: close" header for requests to
backends not recycling connections (disablereuse), including the default
reverse and forward proxies. [Yann Ylavic]

*) mod_proxy: Add ap_connection_reusable() for checking if a connection
is reusable as of this point in processing. [Jeff Trawick]

*) mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad
Gateway) when no response is ever received from the backend.
[Jan Kaluza]

*) core_filters: Restore/disable TCP_NOPUSH option after non-blocking
sendfile. [Yann Ylavic]

*) mod_buffer: Forward flushed input data immediately and avoid (unlikely)
access to freed memory. [Yann Ylavic, Christophe Jaillet]

*) core: Add CGIPassAuth directive to control whether HTTP authorization
headers are passed to scripts as CGI variables. PR 56855. [Jeff
Trawick]

*) core: Initialize scoreboard's used optional functions on graceful restarts
to avoid a crash when relocation occurs. PR 57177. [Yann Ylavic]

*) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
back to a client. The answer to a LOCK request could be an extremely large
integer if the time needed to lock the resource was longer than the
requested timeout given in the LOCK request. In such a case, we now answer
"Second-0". PR55420
[Christophe Jaillet]

*) mod_cgid: Within the first minute of a server start or restart,
allow mod_cgid to retry connecting to its daemon process. Previously,
'No such file or directory: unable to connect to cgi daemon...' could
be logged without an actual retry. PR57685.
[Edward Lu <Chaosed0 gmail.com>]

*) mod_proxy: Use the original (non absolute) form of the request-line's URI
for requests embedded in CONNECT payloads used to connect SSL backends via
a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms <hendrik.harms
gmail com>, William Rowe, Yann Ylavic]

*) http: Make ap_die() robust against any HTTP error code and not modify
response status (finally logged) when nothing is to be done. [Yann Ylavic]

*) mod_proxy_connect/wstunnel: If both client and backend sides get readable
at the same time, don't lose errors occurring while forwarding on the first
side when none occurs next on the other side, and abort. [Yann Ylavic]

*) mod_rewrite: Improve relative substitutions in per-directory/htaccess
context for directories found by mod_userdir and mod_alias. These no
longer require RewriteBase to be specified. [Eric Covener]

*) mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
or force-proxy-request-1.0. [Yann Ylavic]

*) core: If explicitly configured, use the KeepaliveTimeout value of the
virtual host which handled the latest request on the connection, or by
default the one of the first virtual host bound to the same IP:port.
PR56226. [Yann Ylavic]

*) mod_lua: After a r:wsupgrade(), mod_lua was not properly
responding to a websockets PING but instead invoking the specified
script. PR57524. [Edward Lu <Chaosed0 gmail.com>]

*) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
a combination of certificate serialNumber and issuer as defined by
CertificateExactMatch in RFC4523. [Graham Leggett]

*) core: Add expression support to ErrorDocument. Switch from a fixed
sized 664 byte array per merge to a hash table. [Graham Leggett]

*) ab: Add missing longest request (100%) to CSV export.
[Marcin Fabrykowski <bugzilla fabrykowski.pl>]

*) mod_macro: Clear macros before initialization to avoid use-after-free
on startup or restart when the module is linked statically. PR 57525
[apache.org tech.futurequest.net, Yann Ylavic]

*) mod_alias: Introduce expression parser support for Alias, ScriptAlias
and Redirect. [Graham Leggett]

*) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
PR 57100. [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
Yann Ylavic]

*) mpm_event: Avoid access to the scoreboard from the connection while
it is suspended (waiting for events). [Eric Covener, Jeff Trawick]

*) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
PR 57334. [Yann Ylavic].

*) mod_deflate: A misplaced check prevents limiting small bodies with the
new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]

*) mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a
request attribute to the backend. Recent Tomcat versions will extract
it and provide it as a servlet request attribute named
"org.apache.tomcat.util.net.secure_protocol_version". [Rainer Jung]

*) core: Optimize string concatenation in expression parser when evaluating
a string expression. [Rainer Jung]

*) acinclude.m4: Generate #LoadModule directive in default httpd.conf for
every --enable-mpms-shared. PR 53882. [olli hauer <ohauer gmx.de>,
Yann Ylavic]

*) mod_authn_dbd: Fix the error message logged in case of error while querying
the database. This is associated to AH01656 and AH01661. [Christophe Jaillet]

*) mod_authz_groupfile: Reduce the severity of AH01667 from ERROR to DEBUG,
because it may be evaluated inside <RequireAny>. PR55523. [Eric Covener]

*) mod_ssl: Fix small memory leak during initialization when ECDH is used.
[Jan Kaluza]

Changes with Apache 2.4.12

*) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
internationalization. [William Rowe]

*) mpm_winnt: Normalize the error and status messages emitted by service.c,
the service control interface for Windows. [William Rowe]

*) configure: Fix --enable-v4-mapped configuration on *BSD. PR 53824.
[ olli hauer <ohauer gmx.de>, Yann Ylavic ]

*) Reverted <DirectoryMatch > behavior regression introduced in 2.4.11
(not released).

Changes with Apache 2.4.11

*) SECURITY: CVE-2014-3583 (cve.mitre.org)
mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with
response headers' size above 8K. [Yann Ylavic, Jeff Trawick]

*) SECURITY: CVE-2014-3581 (cve.mitre.org)
mod_cache: Avoid a crash when Content-Type has an empty value.
PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza]

*) SECURITY: CVE-2014-8109 (cve.mitre.org)
mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
used in multiple Require directives with different arguments.
PR57204 [Edward Lu <Chaosed0 gmail.com>]

*) SECURITY: CVE-2013-5704 (cve.mitre.org)
core: HTTP trailers could be used to replace HTTP headers
late during request processing, potentially undoing or
otherwise confusing modules that examined or modified
request headers earlier. Adds "MergeTrailers" directive to restore
legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]

*) mod_ssl: New directive SSLSessionTickets (On|Off).
The directive controls the use of TLS session tickets (RFC 5077),
default value is "On" (unchanged behavior).
Session ticket creation uses a random key created during web
server startup and recreated during restarts. No other key
recreation mechanism is available currently. Therefore using session
tickets without restarting the web server with an appropriate frequency
(e.g. daily) compromises perfect forward secrecy. [Rainer Jung]

*) mod_proxy_fcgi: Provide some basic alternate options for specifying
how PATH_INFO is passed to FastCGI backends by adding significance to
the value of proxy-fcgi-pathinfo. PR 55329. [Eric Covener]

*) mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule
to opt-in to connection reuse and other Proxy options via explicitly
declared "proxy workers" (<Proxy unix:... enablereuse=on max=...)
[Eric Covener]

*) mod_proxy: Add "enablereuse" option as the inverse of "disablereuse".
[Eric Covener]

*) mod_proxy_fcgi: Enable opt-in to TCP connection reuse by explicitly
setting proxy option disablereuse=off. [Eric Covener] PR 57378.

*) event: Update the internal "connection id" when requests
move from thread to thread. Reuse can confuse modules like
mod_cgid. PR 57435. [Michael Thorpe <mike gistnet.com>]

*) mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME
passed to fastcgi backends. [Eric Covener]

*) core: Configuration files with long lines and continuation characters
are not read properly. PR 55910. [Manuel Mausz <manuel-as mausz.at>]

*) mod_include: the 'env' function was incorrectly handled as 'getenv' if the
leading 'e' was written in upper case in <!--#if expr="..." -->
statements. [Christophe Jaillet]

*) split-logfile: Fix perl error: 'Can't use string ("example.org:80")
as a symbol ref while "strict refs"'. PR 56329.
[Holger Mauermann <mauermann gmail.com>]

*) mod_proxy: Prevent ProxyPassReverse from doing a substitution when
the URL parameter interpolates to an empty string. PR 56603.
[<ajprout hotmail.com>]

*) core: Fix -D[efined] or <Define>[d] variables lifetime across restarts.
PR 57328. [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic].

*) mod_proxy: Preserve original request headers even if they differ
from the ones to be forwarded to the backend. PR 45387.
[Yann Ylavic]

*) mod_ssl: dump SSL IO/state for the write side of the connection(s),
like reads (level TRACE4). [Yann Ylavic]

*) mod_proxy_fcgi: Ignore body data from backend for 304 responses. PR 57198.
[Jan Kaluza]

*) mod_ssl: Do not crash when looking up SSL related variables during
expression evaluation on non SSL connections. PR 57070 [Ruediger Pluem]

*) mod_proxy_ajp: Fix handling of the default port (8009) in the
ProxyPass and <Proxy> configurations. PR 57259. [Yann Ylavic]

*) mpm_event: Avoid a possible use after free when notifying the end of
connection during lingering close. PR 57268. [Eric Covener, Yann Ylavic]

*) mod_ssl: Fix recognition of OCSP stapling responses that are encoded
improperly or too large. [Jeff Trawick]

*) core: Add ap_log_data(), ap_log_rdata(), etc. for logging buffers.
[Jeff Trawick]

*) mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an
error when parsing or forwarding the response fails. [Yann Ylavic]

*) mod_ssl: Fix a memory leak in case of graceful restarts with OpenSSL >= 0.9.8e
PR 53435 [tadanori <tadanori2007 yahoo.com>, Sebastian Wiedenroth <wiedi frubar.net>]

*) mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read
determine whether it is a normal close or a real error. PR 57168. [Yann
Ylavic]

*) mod_proxy_wstunnel: abort backend connection on polling error to avoid
further processing. [Yann Ylavic]

*) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
PR 57167 [Edward Lu <Chaosed0 gmail.com>]

*) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC
systems. PR 57092 [Edward Lu <Chaosed0 gmail.com>]

*) mod_cache: Avoid a 304 response to an unconditional request when an AH00752
CacheLock error occurs during cache revalidation. [Eric Covener]

*) mod_ssl: Move OCSP stapling information from a per-certificate store to
a per-server hash. PR 54357, PR 56919. [Alex Bligh <alex alex.org.uk>,
Yann Ylavic, Kaspar Brand]

*) mod_cache_socache: Change average object size hint from 32 bytes to
2048 bytes. [Rainer Jung]

*) mod_cache_socache: Add cache status to server-status. [Rainer Jung]

*) event: Fix worker-listener deadlock in graceful restart.
PR 56960.

*) Concat strings at compile time when possible. PR 53741.

*) mod_substitute: Restrict configuration in .htaccess to
FileInfo as documented. [Rainer Jung]

*) mod_substitute: Make maximum line length configurable. [Rainer Jung]

*) mod_substitute: Fix line length limitation in case of regexp plus flatten.
[Rainer Jung]

*) mod_proxy: Truncated character worker names are no longer fatal
errors. PR53218. [Jim Jagielski]

*) mod_dav: Set r->status_line in dav_error_response. PR 55426.

*) mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory.
[Yann Ylavic, Christophe Jaillet]

*) http_protocol: fix logic in ap_method_list_(add|remove) in order:
- to correctly reset bits
- not to modify the 'method_mask' bitfield unnecessarily
[Christophe Jaillet]

*) mod_slotmem_shm: Increase log level for some originally debug messages.
[Jim Jagielski]

*) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
the wrong credentials when a backend connection is reused.
[Eric Covener]

*) mod_macro: Add missing APLOGNO for some Warning log messages.
[Christophe Jaillet]

*) mod_cache: Avoid sending 304 responses during failed revalidations
PR56881. [Eric Covener]

*) mod_status: Honor client IP address using mod_remoteip. PR 55886.
[Jim Jagielski]

*) cmake-based build for Windows: Fix incompatibility with cmake 2.8.12
and later. PR 56615. [Chuck Liu <cliu81 gmail.com>, Jeff Trawick]

*) mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade
failed) messages from ERROR to TRACE1. Other filters do not bother
re-reporting failures from lower level filters. PR56832. [Eric Covener]

*) core: Avoid useless warning message when parsing a section guarded by
<IfDefine foo> if $(foo) is used within the section.
PR 56503 [Christophe Jaillet]

*) mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the
application. PR 56858. [Manuel Mausz <manuel-asf mausz.at>]

*) mod_proxy_http: Proxy responses with error status and
"ProxyErrorOverride On" hang until proxy timeout.
PR53420 [Rainer Jung]

*) mod_log_config: Allow three character log formats to be registered. For
backwards compatibility, the first character of a three-character format
must be the '^' (caret) character. [Eric Covener]

*) mod_lua: Don't quote Expires and Path values. PR 56734.
[Keith Mashinter, <kmashint yahoo com>]

*) mod_authz_core: Allow <AuthzProviderAlias>'es to be seen from auth
stanzas under virtual hosts. PR 56870. [Eric Covener]

Changes with Apache 2.4.10

*) SECURITY: CVE-2014-0117 (cve.mitre.org)
mod_proxy: Fix crash in Connection header handling which allowed a denial
of service attack against a reverse proxy with a threaded MPM.
[Ben Reser]

*) SECURITY: CVE-2014-3523 (cve.mitre.org)
Fix a memory consumption denial of service in the WinNT MPM, used in all
Windows installations. Workaround: AcceptFilter <protocol> {none|connect}
[Jeff Trawick]

*) SECURITY: CVE-2014-0226 (cve.mitre.org)
Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow. [Joe Orton, Eric Covener]

*) SECURITY: CVE-2014-0118 (cve.mitre.org)
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to
avoid denial of service via highly compressed bodies. See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]

*) SECURITY: CVE-2014-0231 (cve.mitre.org)
mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server. By
default, the client I/O timeout (Timeout directive) now applies to
communication with scripts. The CGIDScriptTimeout directive can be
used to set a different timeout for communication with scripts.
[Rainer Jung, Eric Covener, Yann Ylavic]

*) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
resumed by TLS session resumption (RFC 5077). [Rainer Jung]

*) mod_deflate: Don't fail when flushing inflated data to the user-agent
and that coincides with the end of stream ("Zlib error flushing inflate
buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]

*) mod_proxy_ajp: Forward local IP address as a custom request attribute
like we already do for the remote port. [Rainer Jung]

*) core: Include any error notes set by modules in the canned error
response for 403 errors. [Jeff Trawick]

*) mod_ssl: Set an error note for requests rejected due to
SSLStrictSNIVHostCheck. [Jeff Trawick]

*) mod_ssl: Fix issue with redirects to error documents when handling
SNI errors. [Jeff Trawick]

*) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
larger keys and support up to 8192-bit keys. [Ruediger Pluem,
Joe Orton]

*) mod_dav: Fix improper encoding in PROPFIND responses. PR 56480.
[Ben Reser]

*) WinNT MPM: Improve error handling for termination events in child.
[Jeff Trawick]

*) mod_proxy: When ping/pong is configured for a worker, don't send or
forward "100 Continue" (interim) response to the client if it does
not expect one. [Yann Ylavic]

*) mod_ldap: Be more conservative with the last-used time for
LDAPConnectionPoolTTL. PR54587 [Eric Covener]

*) mod_ldap: LDAP connections used for authn were not respecting
LDAPConnectionPoolTTL. PR54587 [Eric Covener]

*) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
[Jeff Trawick]

*) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
or occasional missed mod_status updates under load. PR 56639.
[Edward Lu <Chaosed0 gmail com>]

*) mod_authnz_ldap: Support primitive LDAP servers that do not accept
filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
filter "none" to be specified in AuthLDAPURL. [Eric Covener]

*) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
[Lukas Bezdicka <social v3.sk>]

*) mod_deflate: Handle Zlib header and validation bytes received in multiple
chunks. PR 46146. [Yann Ylavic]

*) mod_proxy: Allow reverse-proxy to be set via explicit handler.
[ryo takatsuki <ryotakatsuki gmail com>]

*) ab: support custom HTTP method with -m argument. PR 56604.
[Roman Jurkov <winfinit gmail.com>]

*) mod_proxy_balancer: Correctly encode user provided data in management
interface. PR 56532 [Maksymilian, <max cert.cx>]

*) mod_proxy: Don't limit the size of the connectable Unix Domain Socket
paths. [Graham Dumpleton, Christophe Jaillet, Yann Ylavic]

*) mod_proxy_fcgi: Support iobuffersize parameter. [Jeff Trawick]

*) event: Send the SSL close notify alert when the KeepAliveTimeout
expires. PR54998. [Yann Ylavic]

*) mod_ssl: Ensure that the SSL close notify alert is flushed to the client.
PR54998. [Tim Kosse <tim.kosse filezilla-project.org>, Yann Ylavic]

*) mod_proxy: Shutdown (eg. SSL close notify) the backend connection before
closing. [Yann Ylavic]

*) mod_auth_form: Add a debug message when the fields on a form are not
recognised. [Graham Leggett]

*) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
response. PR 55547. [Yann Ylavic]

*) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
scheme. PR55320. [Alex Liu <alex.leo.ca gmail.com>]

*) mod_socache_shmcb: Correct counting of expirations for status display.
Expirations happening during retrieval were not counted. [Rainer Jung]

*) mod_cache: Retry unconditional request with the full URL (including the
query-string) when the origin server's 304 response does not match the
conditions used to revalidate the stale entry. [Yann Ylavic].

*) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
variables as a result of AliasMatch. [Eric Covener]

*) mod_cache: Don't add cached/revalidated entity headers to a 304 response.
PR 55547. [Yann Ylavic]

*) mod_proxy_scgi: Support Unix sockets. ap_proxy_port_of_scheme():
Support default SCGI port (4000). [Jeff Trawick]

*) mod_cache: Fix AH00784 errors on Windows when the CacheLock directive
is enabled. [Eric Covener]

*) mod_expires: don't add Expires header to error responses (4xx/5xx),
be they generated or forwarded. PR 55669. [Yann Ylavic]

*) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
(regression in 2.4.9 release) [Jeff Trawick]

*) mod_authn_socache: Fix crash at startup in certain configurations.
PR 56371. (regression in 2.4.7) [Jan Kaluza]

*) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
programs to the form used in releases up to 2.4.7, and emulate
a backwards-compatible behavior for existing setups. [Kaspar Brand]

*) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
OCSP requests should use a nonce to be checked against the responder's
one. PR 56233. [Yann Ylavic, Kaspar Brand]

*) mod_ssl: "SSLEngine off" will now override a Listen-based default
and does disable mod_ssl for the vhost. [Joe Orton]

*) mod_lua: Enforce the max post size allowed via r:parsebody()
[Daniel Gruno]

*) mod_lua: Use binary comparison to find boundaries for multipart
objects, as to not terminate our search prematurely when hitting
a NULL byte. [Daniel Gruno]

*) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
versions before 0.9.8h and not specifying an SSLCertificateChainFile
(regression introduced with 2.4.8). PR 56410. [Kaspar Brand]

*) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
no longer send warning-level unrecognized_name(112) alerts,
and limit startup warnings to cases where an OpenSSL version
without TLS extension support is used. PR 56241. [Kaspar Brand]

*) mod_proxy_html: Avoid some possible memory access violation in case of
specially crafted files, when the ProxyHTMLMeta directive is turned on.
Follow up of PR 56287 [Christophe Jaillet]

*) mod_auth_form: Make sure the optional functions are loaded even when
the AuthFormProvider isn't specified. [Graham Leggett]

*) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
(and logging garbled file names). PR 56306. [Kaspar Brand]

*) mod_ssl: fix merging of global and vhost-level settings with the
631 |
SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd |
632 |
directives. PR 56353. [Kaspar Brand] |
633 |
|
634 |
*) mod_headers: Allow the "value" parameter of Header and RequestHeader to |
635 |
contain an ap_expr expression if prefixed with "expr=". [Eric Covener] |
636 |
|
637 |
*) rotatelogs: Avoid creation of zombie processes when -p is used on |
638 |
Unix platforms. [Joe Orton] |
639 |
|
640 |
*) mod_authnz_fcgi: New module to enable FastCGI authorizer |
641 |
applications to authenticate and/or authorize clients. |
642 |
[Jeff Trawick] |
643 |
|
*) mod_proxy: Do not try to parse the regular expressions passed by
ProxyPassMatch as URL as they do not follow their syntax.
PR 56074. [Ruediger Pluem]

*) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
under the Event MPM. PR56216. [Frank Meier <frank meier ergon ch>]

*) mod_proxy_fcgi: Fix sending of response without some HTTP headers
that might be set by filters. PR 55558. [Jim Riggs <jim riggs.me>]

*) mod_proxy_html: Do not delete the wrong data from HTML code when a
"http-equiv" meta tag specifies a Content-Type behind any other
"http-equiv" meta tag. PR 56287 [Micha Lenk <micha lenk info>]

*) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
differs. PR 55782. [Yann Ylavic]

*) Add suspend_connection and resume_connection hooks to notify modules
when the thread/connection relationship changes. (Should be implemented
for any third-party async MPMs.) [Jeff Trawick]

*) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
hangups from websockets origin servers. PR 56299
[Yann Ylavic, Edward Lu <Chaosed0 gmail com>, Eric Covener]

*) mod_proxy_wstunnel: Don't pool backend websockets connections,
because we need to handshake every time. PR 55890.
[Eric Covener]
|
*) mod_lua: Redesign how request record table access behaves,
in order to utilize the request record from within these tables.
[Daniel Gruno]

*) mod_lua: Add r:wspeek for peeking at WebSocket frames. [Daniel Gruno]

*) mod_lua: Log an error when the initial parsing of a Lua file fails.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]

*) mod_lua: Reformat and escape script error output.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]

*) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
from causing response splitting.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]

*) mod_lua: Disallow newlines in table values inside the request_rec,
to prevent HTTP Response Splitting via tainted headers.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]

*) mod_lua: Remove the non-working early/late arguments for
LuaHookCheckUserID. [Daniel Gruno]

*) mod_lua: Change IVM storage to use shm [Daniel Gruno]

*) mod_lua: More verbose error logging when a handler function cannot be
found. [Daniel Gruno]
|
Changes with Apache 2.4.9

*) mod_ssl: Work around a bug in some older versions of OpenSSL that
would cause a crash in SSL_get_certificate for servers where the
certificate hadn't been sent. [Stephen Henson]

*) mod_lua: Add a fixups hook that checks if the original request is intended
for LuaMapHandler. This fixes a bug where FallbackResource invalidates the
LuaMapHandler directive in certain cases by changing the URI before the map
handler code executes [Daniel Gruno, Daniel Ferradal <dferradal gmail com>].
|
Changes with Apache 2.4.8

*) SECURITY: CVE-2014-0098 (cve.mitre.org)
Clean up cookie logging with fewer redundant string parsing passes.
Log only cookies with a value assignment. Prevents segfaults when
logging truncated cookies.
[William Rowe, Ruediger Pluem, Jim Jagielski]

*) SECURITY: CVE-2013-6438 (cve.mitre.org)
mod_dav: Keep track of length of cdata properly when removing
leading spaces. Eliminates a potential denial of service from
specifically crafted DAV WRITE requests
[Amin Tora <Amin.Tora neustar.biz>]

*) core: Support named groups and backreferences within the LocationMatch,
DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires
non-ancient PCRE library) [Graham Leggett]

*) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
TE/CL conflicts. [Yann Ylavic, Jim Jagielski]

*) core: Detect incomplete request and response bodies, log an error and
forward it to the underlying filters. PR 55475 [Yann Ylavic]

*) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping
execution when a handler is already set. PR53929. [Eric Covener]

*) mod_ssl: Do not perform SNI / Host header comparison in case of a
forward proxy request. [Ruediger Pluem]
|
*) mod_ssl: Remove the hardcoded algorithm-type dependency for the
SSLCertificateFile and SSLCertificateKeyFile directives, to enable
future algorithm agility, and deprecate the SSLCertificateChainFile
directive (obsoleted by SSLCertificateFile). [Kaspar Brand]

*) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
and IgnoreInherit to allow RewriteRules to be pushed from parent scopes
to child scopes without explicitly configuring each child scope.
PR56153. [Edward Lu <Chaosed0 gmail com>]

*) prefork: Fix long delays when doing a graceful restart.
PR 54852 [Jim Jagielski, Arkadiusz Miskiewicz <arekm maven pl>]

*) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick]

*) mod_proxy_wstunnel: Avoid busy loop on client errors, drop message
IDs 02445, 02446, and 02448 to TRACE1 from DEBUG. PR 56145.
[Joffroy Christen <joffroy.christen solvaxis com>, Eric Covener]

*) mod_remoteip: Correct the trusted proxy match test. PR 54651.
[Yoshinori Ehara <yoshinori ehara gmail com>, Eugene L <eugenel amazon com>]

*) mod_proxy_fcgi: Fix error message when an unexpected protocol version
number is received from the application. PR 56110. [Jeff Trawick]

*) mod_remoteip: Use the correct IP addresses to populate the proxy_ips field.
PR 55972. [Mike Rumph]
|
*) mod_lua: Update r:setcookie() to accept a table of options and add domain,
path and httponly to the list of options available to set.
PR 56128 [Edward Lu <Chaosed0 gmail com>, Daniel Gruno]

*) mod_lua: Fix r:setcookie() to add, rather than replace,
the Set-Cookie header. PR56105
[Kevin J Walters <kjw ms com>, Edward Lu <Chaosed0 gmail com>]

*) mod_lua: Allow for database results to be returned as a hash with
row-name/value pairs instead of just row-number/value. [Daniel Gruno]

*) mod_rewrite: Add %{CONN_REMOTE_ADDR} as the non-useragent counterpart to
%{REMOTE_ADDR}. PR 56094. [Edward Lu <Chaosed0 gmail com>]

*) WinNT MPM: If ap_run_pre_connection() fails or sets c->aborted, don't
save the socket for reuse by the next worker as if it were an
APR_SO_DISCONNECTED socket. Restores 2.2 behavior. [Eric Covener]

*) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL
that was just rewritten by mod_rewrite. PR53929. [Eric Covener]

*) mod_session: When we have a session we were unable to decode,
behave as if there was no session at all. [Thomas Eckert
<thomas.r.w.eckert gmail com>]

*) mod_session: Fix problems interpreting the SessionInclude and
SessionExclude configuration. PR 56038. [Erik Pearson
<erik adaptations.com>]
|
*) mod_authn_core: Allow <AuthnProviderAlias>'es to be seen from auth
stanzas under virtual hosts. PR 55622. [Eric Covener]

*) mod_proxy_fcgi: Use apr_socket_timeout_get instead of hard-coded
30 seconds timeout. [Jan Kaluza]

*) build: only search for modules (config*.m4) in known subdirectories, see
build/config-stubs. [Stefan Fritsch]

*) mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk.
PR 55833. [Eric Covener]

*) mod_ssl: Add support for OpenSSL configuration commands by introducing
the SSLOpenSSLConfCmd directive. [Stephen Henson, Kaspar Brand]

*) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
is equivalent to <ProxyMatch wildcard-url>. [Christophe Jaillet]

*) mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
require directives. [Graham Leggett]

*) mod_proxy_http: Core dumped under high load. PR 50335.
[Jan Kaluza <jkaluza redhat.com>]

*) mod_socache_shmcb.c: Remove arbitrary restriction on shared memory size
previously limited to 64MB. [Jens Låås <jelaas gmail.com>]

*) mod_lua: Use binary copy when dealing with uploads through r:parsebody()
to prevent truncating files. [Daniel Gruno]
|
Changes with Apache 2.4.7

*) SECURITY: CVE-2013-4352 (cve.mitre.org)
mod_cache: Fix a NULL pointer dereference which allowed untrusted
origin servers to crash mod_cache in a forward proxy
configuration. [Graham Leggett]

*) APR 1.5.0 or later is now required for the event MPM.

*) slotmem_shm: Error detection. [Jim Jagielski]

*) event: Use skiplist data structure. [Jim Jagielski]

*) event: Fail at startup with message AP02405 if the APR atomic
implementation is not compatible with the MPM. [Jim Jagielski]

*) mpm_unix: Add ap_mpm_podx_* implementation to avoid code duplication
and align w/ trunk. [Jim Jagielski]

*) Fix potential rejection of valid MaxMemFree and ThreadStackSize
directives. [Mike Rumph <mike.rumph oracle.com>]

*) mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars.
An individual envvar with an encoded length of more than 16K will be
omitted. [Jeff Trawick]
|
*) mod_proxy_fcgi: Handle reading protocol data that is split between
packets. [Jeff Trawick]

*) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
allowing custom parameters to be configured via SSLCertificateFile,
and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
Unless custom parameters are configured, the standardized parameters
are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]

*) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]

*) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
keys, and unconditionally disable aNULL, eNULL and EXP ciphers
(not overridable via SSLCipherSuite). [Kaspar Brand]

*) mod_proxy: Added support for unix domain sockets as the
backend server endpoint [Jim Jagielski, Blaise Tarr
<blaise tarr gmail com>]

*) Add experimental cmake-based build system for Windows. [Jeff Trawick,
Tom Donovan]

*) event MPM: Fix possible crashes (third party modules accessing c->sbh)
or occasional missed mod_status updates for some keepalive requests
under load. [Eric Covener]

*) mod_authn_socache: Support optional initialization arguments for
socache providers. [Chris Darroch]
|
*) mod_session: Reset the max-age on session save. PR 47476. [Alexey
Varlamov <alexey.v.varlamov gmail com>]

*) mod_session: After parsing the value of the header specified by the
SessionHeader directive, remove the value from the response. PR 55279.
[Graham Leggett]

*) mod_headers: Allow for format specifiers in the substitution string
when using Header edit. [Daniel Ruggeri]

*) mod_dav: dav_resource->uri is treated as unencoded. This was an
unnecessary ABI change introduced in 2.4.6. PR 55397.

*) mod_dav: Don't require lock tokens for COPY source. PR 55306.

*) core: Don't truncate output when sending is interrupted by a signal,
such as from an exiting CGI process. PR 55643. [Jeff Trawick]

*) WinNT MPM: Exit the child if the parent process crashes or is terminated.
[Oracle Corporation]

*) Windows: Correct failure to discard stderr in some error log
configurations. (Error message AH00093) [Jeff Trawick]

*) mod_session_crypto: Allow using exec: calls to obtain session
encryption key. [Daniel Ruggeri]

*) core: Add missing Reason-Phrase in HTTP response headers.
PR 54946. [Rainer Jung]
|
*) mod_rewrite: Make rewrite websocket-aware to allow proxying.
PR 55598. [Chris Harris <chris.harris kitware com>]

*) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]

*) ab: Add wait time, fix processing time, and output write errors only if
they occurred. [Christophe Jaillet]

*) worker MPM: Don't forcibly kill worker threads if the child process is
exiting gracefully. [Oracle Corporation]

*) core: apachectl -S prints wildcard name-based virtual hosts twice.
PR54948 [Eric Covener]

*) mod_auth_basic: Add AuthBasicUseDigestAlgorithm directive to
allow migration of passwords from digest to basic authentication.
[Chris Darroch]

*) ab: Add a new -l parameter in order not to check the length of the responses.
This can be useful with dynamic pages.
PR9945, PR27888, PR42040 [<ccikrs1 cranbrook edu>]

*) Suppress formatting of startup messages written to the console when
ErrorLogFormat is used. [Jeff Trawick]

*) mod_auth_digest: Be more specific when the realm mismatches because the
realm has not been specified. [Graham Leggett]
|
*) mod_proxy: Add a note in the balancer manager stating whether changes
will or will not be persisted and whether settings are inherited.
[Daniel Ruggeri, Jim Jagielski]

*) core: Add util_fcgi.h and associated definitions and support
routines for FastCGI, based largely on mod_proxy_fcgi.
[Jeff Trawick]

*) mod_headers: Add 'Header note header-name note-name' for copying a response
header's value into a note. [Eric Covener]

*) mod_headers: Add 'setifempty' command to Header and RequestHeader.
[Eric Covener]

*) mod_logio: new format-specifier %S (sum) which is the sum of received
and sent byte counts.
PR54015 [Christophe Jaillet]

*) mod_deflate: Improve error detection when decompressing request bodies
with trailing garbage: handle case where trailing bytes are in
the same bucket. [Rainer Jung]

*) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663
from ERROR to DEBUG, since these modules do not know what mod_authz_core
is doing with their AUTHZ_DENIED return value. [Eric Covener]

*) mod_ldap: add TRACE5 for LDAP retries. [Eric Covener]

*) mod_ldap: retry on an LDAP timeout during authn. [Eric Covener]
|
*) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP
SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK
default, sans rebind authentication callback.
[Jan Kaluza <kaluze AT redhat.com>]

*) core: Log a message at TRACE1 when the client aborts a connection.
[Eric Covener]

*) WinNT MPM: Don't crash during child process initialization if the
Listen protocol is unrecognized. [Jeff Trawick]

*) modules: Fix some compiler warnings. [Guenter Knauf]

*) Sync 2.4 and trunk
- Avoid some memory allocation and work when TRACE1 is not activated
- fix typo in include guard
- indent
- No need to lower the string before removing the path, it is just
a waste of time...
- Save a few cycles
[Christophe Jaillet <christophe.jaillet wanadoo.fr>]

*) mod_filter: Add "change=no" as a proto-flag to FilterProtocol
to remove a provider's initial flags set at registration time.
[Eric Covener]
|
*) core, mod_ssl: Enable the ability for a module to reverse the sense of
a poll event from a read to a write or vice versa. This is a step on
the way to allow mod_ssl taking full advantage of the event MPM.
[Graham Leggett]

*) Makefile.win: Install proper pcre DLL file during debug build install.
PR 55235. [Ben Reser <ben reser org>]

*) mod_ldap: Fix a potential memory leak or corruption. PR 54936.
[Zhenbo Xu <zhenbo1987 gmail com>]

*) ab: Fix potential buffer overflows when processing the T and X
command-line options. PR 55360.
[Mike Rumph <mike.rumph oracle.com>]

*) fcgistarter: Specify SO_REUSEADDR to allow starting a server
with old connections in TIME_WAIT. [Jeff Trawick]

*) core: Add open_htaccess hook which, in conjunction with dirwalk_stat
and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be
used without patches to httpd core. [Stefan Fritsch]

*) support/htdbm: fix processing of -t command line switch. Regression
introduced in 2.4.4
PR 55264 [Jo Rhett <jrhett netconsonance com>]
|
*) mod_lua: add websocket support via r:wsupgrade, r:wswrite, r:wsread
and r:wsping. [Daniel Gruno]

*) mod_lua: add support for writing/reading cookies via r:getcookie and
r:setcookie. [Daniel Gruno]

*) mod_lua: If the first yield() of a LuaOutputFilter returns a string, it should
be prefixed to the response as documented. [Eric Covener]
Note: Not present in 2.4.7 CHANGES

*) mod_lua: Remove ETAG, Content-Length, and Content-MD5 when a LuaOutputFilter
is configured without mod_filter. [Eric Covener]
Note: Not present in 2.4.7 CHANGES

*) mod_lua: Register LuaOutputFilter scripts as changing the content and
content-length by default, when run by mod_filter. Previously,
growing or shrinking a response that started with Content-Length set
would require mod_filter and FilterProtocol change=yes. [Eric Covener]
Note: Not present in 2.4.7 CHANGES

*) mod_lua: Return a 500 error if a LuaHook* script doesn't return a
numeric return code. [Eric Covener]
Note: Not present in 2.4.7 CHANGES
|
Changes with Apache 2.4.6

*) Revert a broken fix for PR54948 that was applied to 2.4.5 (which was
not released) and found post-2.4.5 tagging.
|
Changes with Apache 2.4.5

*) SECURITY: CVE-2013-1896 (cve.mitre.org)
mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault. [Ben Reser
<ben reser.org>]

*) SECURITY: CVE-2013-2249 (cve.mitre.org)
mod_session_dbd: Make sure that dirty flag is respected when saving
sessions, and ensure the session ID is changed each time the session
changes. This changes the format of the updatesession SQL statement.
Existing configurations must be changed.
[Takashi Sato, Graham Leggett]

*) mod_auth_basic: Add a generic mechanism to fake basic authentication
using the ap_expr parser. AuthBasicFake allows the administrator to
construct their own username and password for basic authentication based
on their needs. [Graham Leggett]

*) mpm_event: Check that AsyncRequestWorkerFactor is not negative. PR 54254.
[Jackie Zhang <jackie qq zhang gmail com>]

*) mod_proxy: Ensure we don't attempt to amend a table we are iterating
through, ensuring that all headers listed by Connection are removed.
[Graham Leggett, Co-Advisor <coad measurement-factory.com>]
|
*) mod_proxy_http: Make the proxy-interim-response environment variable
effective by formally overriding origin server behaviour. [Graham
Leggett, Co-Advisor <coad measurement-factory.com>]

*) mod_proxy: Fix seg-faults when using the global pool on threaded
MPMs [Thomas Eckert <thomas.r.w.eckert gmail.com>, Graham Leggett,
Jim Jagielski]

*) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
Gracefully step aside if the body size is zero. [Graham Leggett]

*) mod_ssl: Fix possible truncation of OCSP responses when reading from the
server. [Joe Orton]

*) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun
<apache heilbrun.org>]

*) mod_cache_socache: Make sure the CacheSocacheMaxSize directive is merged
correctly. [Jens Låås <jelaas gmail.com>]

*) rotatelogs: add -n number-of-files option to rotate through a number
of fixed-name logfiles. [Eric Covener]

*) mod_proxy: Support web-socket tunnels via mod_proxy_wstunnel.
[Jim Jagielski]

*) mod_cache_socache: Use the name of the socache implementation when performing
a lookup rather than using the raw arguments. [Martin Ksellmann
<martin@ksellmann.de>]
|
*) core: Add dirwalk_stat hook. [Jeff Trawick]

*) core: Add post_perdir_config hook.
[Steinar Gunderson <sgunderson bigfoot.com>]

*) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
[Christophe Jaillet]

*) mod_remoteip: close file in error path. [Christophe Jaillet]

*) core: make the "default" parameter of the "ErrorDocument" option case
insensitive. PR 54419 [Tianyin Xu <tixu cs ucsd edu>]

*) mod_proxy_html: make the "ProxyHTMLFixups" options case insensitive.
PR 54420 [Tianyin Xu <tixu cs ucsd edu>]

*) mod_cache: Make option "CacheDisable" in mod_cache case insensitive.
PR 54462 [Tianyin Xu <tixu cs ucsd edu>]

*) mod_cache: If a 304 response indicates an entity not currently cached, then
the cache MUST disregard the response and repeat the request without the
conditional. [Graham Leggett, Co-Advisor <coad measurement-factory.com>]

*) mod_cache: Ensure that we don't attempt to replace a cached response
with an older response as per RFC2616 13.12. [Graham Leggett, Co-Advisor
<coad measurement-factory.com>]
|
*) core, mod_cache: Ensure RFC2616 compliance in ap_meets_conditions()
with weak validation combined with If-Range and Range headers. Break
out explicit conditional header checks to be useable elsewhere in the
server. Ensure weak validation RFC compliance in the byteranges filter.
Ensure RFC validation compliance when serving cached entities. PR 16142
[Graham Leggett, Co-Advisor <coad measurement-factory.com>]

*) core: Add the ability to do explicit matching on weak and strong ETags
as per RFC2616 Section 13.3.3. [Graham Leggett, Co-Advisor
<coad measurement-factory.com>]

*) mod_cache: Ensure that updated responses to HEAD requests don't get
mistakenly paired with a previously cached body. Ensure that any existing
body is removed when a HEAD request is cached. [Graham Leggett,
Co-Advisor <coad measurement-factory.com>]

*) mod_cache: Honour Cache-Control: no-store in a request. [Graham Leggett]

*) mod_cache: Make sure that contradictory entity headers present in a 304
Not Modified response are caught and cause the entity to be removed.
[Graham Leggett]

*) mod_cache: Make sure Vary processing handles multivalued Vary headers and
multivalued headers referred to via Vary. [Graham Leggett]

*) mod_cache: When serving from cache, only the last header of a multivalued
header was taken into account. Fixed. Ensure that Warning headers are
correctly handled as per RFC2616. [Graham Leggett]
|
*) mod_cache: Ignore response headers specified by no-cache=header and
private=header as specified by RFC2616 14.9.1 What is Cacheable. Ensure
that these headers are still processed when multiple Cache-Control
headers are present in the response. PR 54706 [Graham Leggett,
Yann Ylavic <ylavic.dev gmail.com>]

*) mod_cache: Invalidate cached entities in response to RFC2616 Section
13.10 Invalidation After Updates or Deletions. PR 15868 [Graham
Leggett]

*) mod_dav: Improve error handling in dav_method_put(), add new
dav_join_error() function. PR 54145. [Ben Reser <ben reser.org>]

*) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

*) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
property on a resource for which there is no dead property in the same
namespace httpd segfaults. PR 52559 [Diego Santa Cruz
<diego.santaCruz spinetix.com>]

*) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
result in a 412 Precondition Failed for a COPY operation. PR54610
[Timothy Wood <tjw omnigroup.com>]

*) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]

*) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
Gracefully step aside if the body size is zero. [Graham Leggett]
|
*) 'AuthGroupFile' and 'AuthUserFile' no longer accept the optional
'standard' keyword. It was unused and not documented.
PR54463 [Tianyin Xu <tixu cs.ucsd.edu> and Christophe Jaillet]

*) core: Do not over allocate memory within 'ap_rgetline_core' for
the common case. [Christophe Jaillet]

*) core: speed up (for common cases) and reduce memory usage of
ap_escape_logitem(). This should save 70-100 bytes in the request
pool for a default config. [Christophe Jaillet]

*) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
[Timothy Wood <tjw omnigroup.com>]

*) mod_proxy: Reject invalid values for Max-Forwards. [Graham Leggett,
Co-Advisor <coad measurement-factory.com>]

*) mod_cache: RFC2616 14.9.3 The s-maxage directive also implies the
semantics of the proxy-revalidate directive. [Graham Leggett]

*) mod_ssl: add support for subjectAltName-based host name checking
in proxy mode (SSLProxyCheckPeerName). PR 54030. [Kaspar Brand]

*) core: Use the proper macro for HTTP/1.1. [Graham Leggett]

*) event MPM: Provide error handling for ThreadStackSize. PR 54311
[Tianyin Xu <tixu cs.ucsd.edu>, Christophe Jaillet]
|
*) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

*) core: Improve error message where client's request-line exceeds
LimitRequestLine. PR 54384 [Christophe Jaillet]

*) mod_macro: New module that provides macros within configuration files.
[Fabien Coelho]

*) mod_cache_socache: New cache implementation backed by mod_socache
that replaces mod_mem_cache known from httpd 2.2. [Graham
Leggett]

*) htpasswd: Add -v option to verify a password. [Stefan Fritsch]

*) mod_proxy: Add BalancerInherit and ProxyPassInherit to control
whether Proxy Balancers and Workers are inherited by vhosts
(default is On). [Jim Jagielski]

*) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
password. [Daniel Ruggeri]

*) Added balancer parameter failontimeout to allow server admin
to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]

*) mod_auth_digest: Fix crashes if shm initialization failed. [Stefan
Fritsch]
|
*) htpasswd, htdbm: Fix password generation. PR 54735. [Stefan Fritsch]

*) core: Add workaround for gcc bug on sparc/64bit. PR 52900.
[Stefan Fritsch]

*) mod_setenvif: Fix crash in case SetEnvif and SetEnvIfExpr are used
together. PR 54881. [Ruediger Pluem]

*) htdigest: Fix buffer overflow when reading digest password file
with very long lines. PR 54893. [Rainer Jung]

*) ap_expr: Add the ability to base64 encode and base64 decode
strings and to generate their SHA1 and MD5 hash.
[Graham Leggett, Stefan Fritsch]

*) mod_log_config: Fix crash when logging request end time for a failed
request. PR 54828 [Rainer Jung]

*) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
[Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]

*) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
in the error log to debug level. [William Rowe]

*) mod_cache_disk: CacheMinFileSize and CacheMaxFileSize were always
using compiled in defaults of 1000000/1 respectively. [Eric Covener]
|
*) mod_lbmethod_heartbeat, mod_heartmonitor: Respect DefaultRuntimeDir/
DEFAULT_REL_RUNTIMEDIR for the heartbeat storage file. [Jeff Trawick]

*) mod_include: Use new ap_expr for 'elif', like 'if',
if legacy parser is not specified. PR 54548 [Tom Donovan]

*) mod_lua: Add some new functions: r:htpassword(), r:mkdir(), r:mkrdir(),
r:rmdir(), r:touch(), r:get_direntries(), r.date_parse_rfc().
[Guenter Knauf]

*) mod_lua: Add multipart form data handling. [Daniel Gruno]

*) mod_lua: If a LuaMapHandler doesn't return any value, log a warning
and treat it as apache2.OK. [Eric Covener]

*) mod_lua: Add bindings for apr_dbd/mod_dbd database access
[Daniel Gruno]

*) mod_lua: Add LuaInputFilter/LuaOutputFilter for creating content
filters in Lua [Daniel Gruno]

*) mod_lua: Allow scripts handled by the lua-script handler to return
a status code to the client (such as a 302 or a 500) [Daniel Gruno]

*) mod_lua: Decline handling 'lua-script' if the file doesn't exist,
rather than throwing an internal server error. [Daniel Gruno]

*) mod_lua: Add functions r:flush and r:sendfile as well as additional
request information to the request_rec structure. [Daniel Gruno]

*) mod_lua: Add a server scope for Lua states, which creates a pool of
states with manageable minimum and maximum size. [Daniel Gruno]

*) mod_lua: Add new directive, LuaMapHandler, for dynamically mapping
URIs to Lua scripts and functions using regular expressions.
[Daniel Gruno]

*) mod_lua: Add new directive LuaCodeCache for controlling in-memory
caching of lua scripts. [Daniel Gruno]
|
1326 |
Changes with Apache 2.4.4

*) SECURITY: CVE-2012-3499 (cve.mitre.org)
Various XSS flaws due to unescaped hostnames and URIs HTML output in
mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
[Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]

*) SECURITY: CVE-2012-4558 (cve.mitre.org)
XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
Niels Heinen <heinenn google com>]

*) mod_dir: Add support for the value 'disabled' in FallbackResource.
[Vincent Deffontaines]

*) mod_proxy_connect: Don't keepalive the connection to the client if the
backend closes the connection. PR 54474. [Pavel Mateja <pavel netsafe cz>]

*) mod_lua: Add bindings for mod_dbd/apr_dbd database access.
[Daniel Gruno]

*) mod_proxy: Allow for persistence of local changes made via the
balancer-manager between graceful/normal restarts and power
cycles. [Jim Jagielski]

*) mod_proxy: Fix startup crash with mis-defined balancers.
PR 52402. [Jim Jagielski]

*) --with-module: Fix failure to integrate them into some existing
module directories. PR 40097. [Jeff Trawick]

*) htcacheclean: Fix potential segfault if "-p" is omitted. [Joe Orton]

*) mod_proxy_http: Honour special value 0 (unlimited) of LimitRequestBody
PR 54435. [Pavel Mateja <pavel netsafe.cz>]

*) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
[Rainer Jung]

*) htcacheclean: Fix list options "-a" and "-A".
[Rainer Jung]

*) mod_slotmem_shm: Fix mistaken reset of num_free for restored shm.
[Jim Jagielski]

*) mod_proxy: non-existence of byrequests is not an immediate error.
[Jim Jagielski]

*) mod_proxy_balancer: Improve output of balancer-manager (re: Drn,
Dis, Ign, Stby). PR 52478 [Danijel <dt-ng rbfh de>]

*) configure: Fix processing of --disable-FEATURE for various features.
[Jeff Trawick]

*) mod_dialup/mod_http: Prevent a crash in mod_dialup in case of internal
redirect. PR 52230.

*) various modules, rotatelogs: Replace use of apr_file_write() with
apr_file_write_full() to prevent incomplete writes. PR 53131.
[Nicolas Viennot <apache viennot biz>, Stefan Fritsch]

*) ab: Support socket timeout (-s timeout).
[Guido Serra <zeph fsfe org>]

*) httxt2dbm: Correct length computation for the 'value' stored in the
DBM file. PR 47650 [jon buckybox com]

*) core: Be more correct about rejecting directives that cannot work in <If>
sections. [Stefan Fritsch]

*) core: Fix directives like LogLevel that need to know if they are invoked
at virtual host context or in Directory/Files/Location/If sections to
work properly in If sections that are not in a Directory/Files/Location.
[Stefan Fritsch]

*) mod_xml2enc: Fix problems with charset conversion altering the
Content-Length. [Micha Lenk <micha lenk info>]

*) ap_expr: Add req_novary function that allows HTTP header lookups
without adding the name to the Vary header. [Stefan Fritsch]

*) mod_slotmem_*: Add in new fgrab() function which forces a grab and
slot allocation on a specified slot. Allow for clearing of inuse
array. [Jim Jagielski]

*) mod_proxy_ftp: Fix segfaults on IPv4 requests to hosts with DNS
AAAA records. PR 40841. [Andrew Rucker Jones <arjones simultan
dyndns org>, <ast domdv de>, Jim Jagielski]

*) mod_auth_form: Make sure that get_notes_auth() sets the user as does
get_form_auth() and get_session_auth(). Makes sure that REMOTE_USER
does not vanish during mod_include driven subrequests. [Graham
Leggett]

*) mod_cache_disk: Resolve errors while revalidating disk-cached files on
Windows ("...rename tempfile to datafile failed..."). PR 38827
[Eric Covener]

*) mod_proxy_balancer: Bring XML output up to date. [Jim Jagielski]

*) htpasswd, htdbm: Optionally read passwords from stdin, as more
secure alternative to -b. PR 40243. [Adomas Paltanavicius <adomas
paltanavicius gmail com>, Stefan Fritsch]

*) htpasswd, htdbm: Add support for bcrypt algorithm (requires
apr-util 1.5 or higher). PR 49288. [Stefan Fritsch]

*) htpasswd, htdbm: Put full 48bit of entropy into salt, improve
error handling. Add some of htpasswd's improvements to htdbm,
e.g. warn if password is truncated by crypt(). [Stefan Fritsch]

*) mod_auth_form: Support the expr parser in the
AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and
AuthFormLogoutLocation directives. [Graham Leggett]

*) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange
for TLS, RFC 5054). PR 51075. [Quinn Slack <sqs cs stanford edu>,
Christophe Renou, Peter Sylvester]

*) mod_rewrite: Stop merging RewriteBase down to subdirectories
unless new option 'RewriteOptions MergeBase' is configured.
PR 53963. [Eric Covener]

*) mod_header: Allow for exposure of loadavg and server load using new
format specifiers %l, %i, %b [Jim Jagielski]

*) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory. Make
ap_pregcomp() abort if out of memory. This raises the minimum PCRE
requirement to version 6.0. [Stefan Fritsch]

*) mod_proxy: Add ability to configure the sticky session separator.
PR 53893. [<inu inusasha de>, Jim Jagielski]

*) mod_dumpio: Correctly log large messages
PR 54179 [Marek Wianecki <mieszek2 interia pl>]

*) core: Don't fail at startup with AH00554 when Include points to
a directory without any wildcard character. [Eric Covener]

*) core: Fail startup if the argument to ServerTokens is unrecognized.
[Jackie Zhang <jackie.qq.zhang gmail.com>]

*) mod_log_forensic: Don't log a spurious "-" if a request has been rejected
before mod_log_forensic could attach its id to it. [Stefan Fritsch]

*) rotatelogs: Omit the second argument for the first invocation of
a post-rotate program when -p is used, per the documentation.
[Joe Orton]

*) mod_session_dbd: fix a segmentation fault in the function dbd_remove.
PR 53452. [<rebanerebane gmail com>, Reimo Rebane]

*) core: Functions to provide server load values: ap_get_sload() and
ap_get_loadavg(). [Jim Jagielski, Jan Kaluza <jkaluza redhat.com>,
Jeff Trawick]

*) mod_ldap: Fix regression in handling "server unavailable" errors on
Windows. PR 54140. [Eric Covener]

*) syslog logging: Remove stray ", referer" at the end of some messages.
[Jeff Trawick]

*) "Iterate" directives: Report an error if no arguments are provided.
[Jeff Trawick]

*) mod_ssl: Change default for SSLCompression to off, as compression
causes security issues in most setups. (The so called "CRIME" attack).
[Stefan Fritsch]

*) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
to more accurately report the negotiated protocol. PR 53916.
[Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]

*) core: ErrorDocument now works for requests without a Host header.
PR 48357. [Jeff Trawick]

*) prefork: Avoid logging harmless errors during graceful stop.
[Joe Orton, Jeff Trawick]

*) mod_proxy: When concatting for PPR, avoid cases where we
concat ".../" and "/..." to create "...//..." [Jim Jagielski]

*) mod_cache: Wrong content type and character set when
mod_cache serves stale content because of a proxy error.
PR 53539. [Rainer Jung, Ruediger Pluem]

*) mod_proxy_ajp: Fix crash in packet dump code when logging
with LogLevel trace7 or trace8. PR 53730. [Rainer Jung]

*) httpd.conf: Removed the configuration directives setting a bad_DNT
environment introduced in 2.4.3. The actual directives are commented
out in the default conf file.

*) core: Apply length limit when logging Status header values.
[Jeff Trawick, Chris Darroch]

*) mod_proxy_balancer: The nonce is only derived from the UUID iff
not set via the 'nonce' balancer param. [Jim Jagielski]

*) mod_ssl: Match wildcard SSL certificate names in proxy mode.
PR 53006. [Joe Orton]

*) Windows: Fix output of -M, -L, and similar command-line options
which display information about the server configuration.
[Jeff Trawick]

Changes with Apache 2.4.3

*) SECURITY: CVE-2012-3502 (cve.mitre.org)
mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
connection closing which could lead to privacy issues due
to a response mixup. PR 53727. [Rainer Jung]

*) SECURITY: CVE-2012-2687 (cve.mitre.org)
mod_negotiation: Escape filenames in variant list to prevent a
possible XSS for a site where untrusted users can upload files to
a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]

*) mod_authnz_ldap: Don't try a potentially expensive nested groups
search before exhausting all AuthLDAPGroupAttribute checks on the
current group. PR 52464 [Eric Covener]

*) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
authorization provider in lua. [Stefan Fritsch]

*) core: Be less strict when checking whether Content-Type is set to
"application/x-www-form-urlencoded" when parsing POST data,
or we risk losing data with an appended charset. PR 53698
[Petter Berntsen <petterb gmail.com>]

*) httpd.conf: Added configuration directives to set a bad_DNT environment
variable based on User-Agent and to remove the DNT header field from
incoming requests when a match occurs. This currently has the effect of
removing DNT from requests by MSIE 10.0 because it deliberately violates
the current specification of DNT semantics for HTTP. [Roy T. Fielding]

*) mod_socache_shmcb: Fix bus error due to a misalignment
in some 32 bit builds, especially on Solaris Sparc.
PR 53040. [Rainer Jung]

*) mod_cache: Set content type in case we return stale content.
[Ruediger Pluem]

*) Windows: Fix SSL failures on Windows with AcceptFilter https none.
PR 52476. [Jeff Trawick]

*) ab: Fix read failure when targeting SSL server. [Jeff Trawick]

*) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
- mod_auth_digest: shared memory file
[Jeff Trawick]

*) htpasswd: Use correct file mode for checking if file is writable.
PR 45923. [Stefan Fritsch]

*) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
<mi apache aldan algebra com>]

*) mod_ssl: Add new directive SSLCompression to disable TLS-level
compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]

*) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
client_ip to match conn_rec. [Stefan Fritsch]

*) mod_lua: Change prototype of vm_construct, to work around gcc bug which
causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]

*) mpm_event: Don't count connections in lingering close state when
calculating how many additional connections may be accepted.
[Stefan Fritsch]

*) mod_ssl: If exiting during initialization because of a fatal error,
log a message to the main error log pointing to the appropriate
virtual host error log. [Stefan Fritsch]

*) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]

*) mod_proxy_balancer: Restore balancing after a failed worker has
recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick]

*) mod_setenvif: Compile some global regex only once during startup.
This should save some memory, especially with .htaccess.
[Stefan Fritsch]

*) core: Add the port number to the vhost's name in the scoreboard.
[Stefan Fritsch]

*) mod_proxy: Fix ProxyPassReverse for balancer configurations.
PR 45434. [Joe Orton]

*) mod_lua: Add the parsebody function for parsing POST data. PR 53064.
[Daniel Gruno]

*) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
[Stefan Fritsch]

*) mod_proxy: Fix memory leak or possible corruption in ProxyBlock
implementation. [Ruediger Pluem, Joe Orton]

*) mod_proxy: Check hostname from request URI against ProxyBlock list,
not forward proxy, if ProxyRemote* is configured. [Joe Orton]

*) mod_proxy_connect: Avoid DNS lookup on hostname from request URI
if ProxyRemote* is configured. PR 43697. [Joe Orton]

*) mpm_event, mpm_worker: Remain active amidst prevalent child process
resource shortages. [Jeff Trawick]

*) Add "strict" and "warnings" pragmas to Perl scripts. [Rich Bowen]

*) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
- core: the scoreboard (ScoreBoardFile), pid file (PidFile), and
mutexes (Mutex)
[Jim Jagielski]

*) ab: Fix bind() errors. [Joe Orton]

*) mpm_event: Don't do a blocking write when starting a lingering close
from the listener thread. PR 52229. [Stefan Fritsch]

*) mod_so: If a filename without slashes is specified for LoadFile or
LoadModule and the file cannot be found in the server root directory,
try to use the standard dlopen() search path. [Stefan Fritsch]

*) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced
after child process resource shortages. [Jeff Trawick]

*) mpm_prefork: Reduce spawn rate after a child process exits due to
unexpected poll or accept failure. [Jeff Trawick]

*) core: Log value of Status header line in script responses rather
than the fixed header name. [Chris Darroch]

*) mod_ssl: Fix handling of empty response from OCSP server.
[Jim Meyering <meyering redhat.com>, Joe Orton]

*) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]

*) mod_authz_core: If an expression in "Require expr" returns denied and
references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
[Stefan Fritsch]

*) core: Always log if LimitRequestFieldSize triggers. [Stefan Fritsch]

*) mod_deflate: Skip compression if compression is enabled at SSL level.
[Stefan Fritsch]

*) core: Add missing HTTP status codes registered with IANA.
[Julian Reschke <julian.reschke gmx.de>, Rainer Jung]

*) mod_ldap: Treat the "server unavailable" condition as a transient
error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]

*) core: Fix spurious "not allowed here" error returned when the Options
directive is used in .htaccess and "AllowOverride Options" (with no
specific options restricted) is configured. PR 53444. [Eric Covener]

*) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
PR 53048. [Stefan Fritsch]

*) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
PR 53104. [Greg Ames]

*) mod_ext_filter: Fix error_log spam when input filters are configured.
[Joe Orton]

*) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]

*) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
[Paul Wouters <pwouters redhat.com>, Joe Orton]

*) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
the chosen listener is configured for https. [Joe Orton]

*) mod_proxy: Use the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]

*) mod_info: Display all registered providers. [Stefan Fritsch]

*) mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
using SNI. PR 50823. [Stefan Fritsch]

*) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
unset. PR 53265. [Stefan Fritsch]

*) log_server_status: Bring Perl style forward to the present, use
standard modules, update for new format of server-status output.
PR 45424. [Richard Bowen, Dave Brondsema, and others]

*) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups.
[Joe Orton, André Malo]

*) core: Prevent "httpd -k restart" from killing server in presence of
config error. [Joe Orton]

*) mod_proxy_fcgi: If there is an error reading the headers from the
backend, send an error to the client. PR 52879. [Stefan Fritsch]

Changes with Apache 2.4.2

*) SECURITY: CVE-2012-0883 (cve.mitre.org)
envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
current working directory to be searched for DSOs. [Stefan Fritsch]

*) mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski]

*) mod_ssl: Fix crash with threaded MPMs due to race condition when
initializing EC temporary keys. [Stefan Fritsch]

*) mod_rewrite: Fix RewriteCond integer checks to be parsed correctly.
PR 53023. [Axel Reinhold <apache freakout.de>, André Malo]

*) mod_proxy: Add the forcerecovery balancer parameter that determines if
recovery for balancer workers is enforced. [Ruediger Pluem]

*) Fix MPM DSO load failure on AIX. [Jeff Trawick]

*) mod_proxy: Correctly set up reverse proxy worker. PR 52935.
[Petter Berntsen <petterb gmail.com>]

*) mod_sed: Don't define PATH_MAX to a potentially undefined value, causing
compile problems on GNU hurd. [Stefan Fritsch]

*) core: Add ap_runtime_dir_relative() and DefaultRuntimeDir.
[Jeff Trawick]

*) core: Fix breakage of Listen directives with MPMs that use a
per-directory config. PR 52904. [Stefan Fritsch]

*) core: Disallow directives in AllowOverrideList which are only allowed
in VirtualHost or server context. These are usually not prepared to be
called in .htaccess files. [Stefan Fritsch]

*) core: In AllowOverrideList, do not allow 'None' together with other
directives. PR 52823. [Stefan Fritsch]

*) mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm.
[Jim Jagielski]

*) core: Fix merging of AllowOverrideList and ContentDigest.
[Stefan Fritsch]

*) mod_request: Fix validation of the KeptBodySize argument so it
doesn't always throw a configuration error. PR 52981 [Eric Covener]

*) core: Add filesystem paths to access denied / access failed messages
AH00035 and AH00036. [Eric Covener]

*) mod_dumpio: Properly handle errors from subsequent input filters.
PR 52914. [Stefan Fritsch]

*) Unix MPMs: Fix small memory leak in parent process if connect()
failed when waking up children. [Joe Orton]

*) "DirectoryIndex disabled" now undoes DirectoryIndex settings in
the current configuration section, not just previous config sections.
PR 52845. [Eric Covener]

*) mod_xml2enc: Fix broken handling of EOS buckets which could lead to
response headers not being sent. PR 52766. [Stefan Fritsch]

*) mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand]

*) core: Check during config test that directories for the access
logs actually exist. PR 29941. [Stefan Fritsch]

*) mod_xml2enc, mod_proxy_html: Enable per-module loglevels.
[Stefan Fritsch]

*) mod_filter: Fix segfault with AddOutputFilterByType. PR 52755.
[Stefan Fritsch]

*) mod_session: Sessions are encoded as application/x-www-form-urlencoded
strings, however we do not handle the encoding of spaces properly.
Fixed. [Graham Leggett]

*) Configuration: Example in comment should use a path consistent
with the default configuration. PR 52715.
[Rich Bowen, Jens Schleusener, Rainer Jung]

*) Configuration: Switch documentation links from trunk to 2.4.
[Rainer Jung]

*) configure: Fix out of tree build using apr and apr-util in srclib.
[Rainer Jung]

Changes with Apache 2.4.1

*) SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]

*) mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk]

*) core: Check during configtest that the directories for error logs exist.
PR 29941 [Stefan Fritsch]

*) Core configuration: add AllowOverride option to treat syntax
errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski]

*) core: Fix memory consumption in core output filter with streaming
bucket types like CGI or PIPE. [Joe Orton, Stefan Fritsch]

*) configure: Disable modules at configure time if a prerequisite module
is not enabled. PR 52487. [Stefan Fritsch]

*) Rewrite and proxy now decline what they don't support rather
than fail the request. [Joe Orton]

*) Fix building against external apr plus apr-util if apr is not installed
in a system default path. [Rainer Jung]

*) Doxygen fixes and improvements. [Joe Orton, Igor Galić]

*) core: Fix building against PCRE 8.30 by switching from the obsolete
pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]

Changes with Apache 2.4.0

*) SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process
to cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]

*) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]

*) SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17 and 2.3.3.
PR 52256. [Rainer Canavan <rainer-apache 7val com>]

*) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
[Kaspar Brand]

*) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, to improve binary compatibility with future OpenSSL releases.
[Kaspar Brand]

*) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass,
but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime
behave identically in both cases. PR52342. [Graham Leggett]

*) Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with
corresponding man pages. [Graham Leggett]

*) Distinguish properly between the bindir and sbindir directories when
installing binaries. Previously all binaries were silently installed to
sbindir, whether they were system administration commands or not.
[Graham Leggett]

Changes with Apache 2.3.16

*) SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
[Joe Orton]

*) core: Limit line length in .htaccess to 8K like in 2.2.x, to avoid
additional DoS potential. [Stefan Fritsch]

*) core, all modules: Add unique tag to most error log messages. [Stefan
Fritsch]

*) mod_socache_memcache: Change provider name from "mc" to "memcache" to
match module name. [Stefan Fritsch]

*) mod_slotmem_shm: Change provider name from "shared" to "shm" to match
module name. [Stefan Fritsch]

*) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This
requires an apr-util fix which is available in apr-util >= 1.4.0.
PR 42682. [Stefan Fritsch]

*) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible
for RewriteRules to be placed in .htaccess files that match the directory
with no trailing slash. PR 48304.
[Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>]

*) mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that
the administrator can hide the keys from the configuration. [Graham
Leggett]

*) Introduce a per request version of the remote IP address, which can be
optionally modified by a module when the effective IP of the client
is not the same as the real IP of the client (such as a load balancer).
Introduce a per connection "peer_ip" and a per request "client_ip" to
distinguish between the raw IP address of the connection and the effective
IP address of the request. [Graham Leggett]

*) ap_pass_brigade_fchk() function added. [Jim Jagielski]

*) core: Pass ap_errorlog_info struct to error log hook. [Stefan Fritsch]

*) mod_cache_disk: Make sure we check return codes on all writes and
attempts to close, and clean up after ourselves in these cases.
PR43589. [Graham Leggett]

*) mod_cache_disk: Remove the unnecessary intermediate brigade while
writing to disk. Fixes a problem where mod_disk_cache was leaving
buckets in the intermediate brigade and not passing them to out on
exit. [Florian S. <f_los_ch yahoo.com>, Graham Leggett]

*) mod_ssl: use a shorter setting for SSLCipherSuite in the default
configuration file, and add some more information about
configuring a speed-optimized alternative.
[Kaspar Brand]

*) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand]

*) mod_lua: Stop losing track of all but the most specific LuaHook* directives
when multiple per-directory config sections are used. Adds LuaInherit
directive to control how parent sections are merged. [Eric Covener]

*) Server directive display (-L): Include directives of DSOs.
[Jeff Trawick]

*) mod_cache: Make sure we merge headers correctly when we handle a
non cacheable conditional response. PR52120. [Graham Leggett]

*) Pre GA removal of components that will not be included:
- mod_noloris was superseded by mod_reqtimeout
- mod_serf
- mpm_simple
[Rainer Jung]

*) core: Set MaxMemFree 2048 by default. [Stefan Fritsch]

*) mpm_event: Fix assertion failure during very high load. [Stefan Fritsch]

*) configure: Additional modules loaded by default: mod_headers.
Modules moved from module set "few" to "most" and no longer loaded
by default: mod_actions, mod_allowmethods, mod_auth_form, mod_buffer,
mod_cgi(d), mod_include, mod_negotiation, mod_ratelimit, mod_request,
mod_userdir. [Rainer Jung]

*) mod_lua: Use the right lua scope when used as a hook. [Rainer Jung]

*) configure: Only load the really important modules (i.e. those enabled by
the 'few' selection) by default. Don't handle modules enabled with
--enable-foo specially. [Stefan Fritsch]

*) end-generation hook: Fix false notification of end-of-generation for
temporary intervals with no active MPM children. [Jeff Trawick]

*) mod_ssl: Add support for configuring persistent TLS session ticket
encryption/decryption keys (useful for clustered environments).
[Paul Querna, Kaspar Brand]

*) mod_usertrack: Use random value instead of remote IP address.
[Stefan Fritsch]

Changes with Apache 2.3.15

*) SECURITY: CVE-2011-3348 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
recognized. [Jean-Frederic Clere]

*) SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Fix handling of byte-range requests to use less memory, to avoid
denial of service. If the sum of all ranges in a request is larger than
the original file, ignore the ranges and send the complete file.
PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
<lowprio20 gmail.com>]

*) SECURITY: CVE-2011-3607 (cve.mitre.org)
core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]

*) SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [Joe Orton]

*) configure: Load all modules in the generated default configuration
when using --enable-load-all-modules. [Rainer Jung]

*) mod_reqtimeout: Change the default to set some reasonable timeout
values. [Stefan Fritsch]

*) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove
the inode. PR 49623. [Stefan Fritsch]

*) mod_lua: Expose SSL variables via r:ssl_var_lookup(). [Eric Covener]

*) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName}
can now additionally be run as "early" or "late" relative to other modules.
[Eric Covener]

*) configure: By default, only load those modules that are either required
or explicitly selected by a configure --enable-foo argument. The
LoadModule statements for modules enabled by --enable-mods-shared=most
and friends will be commented out. [Stefan Fritsch]

*) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and
LuaHookQuickHandler) from being configured in <Directory>, <Files>,
and htaccess where the configuration would have been ignored.
[Eric Covener]

*) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors
2031 |
in LuaMapHandler scripts [Eric Covener] |
2032 |
|
2033 |
*) mod_log_debug: Rename optional argument from if= to expr=, to be more |
2034 |
in line with other config directives. [Stefan Fritsch] |
2035 |
|
2036 |
*) mod_headers: Require an expression to be specified with expr=, to be more |
2037 |
in line with other config directives. [Stefan Fritsch] |
2038 |
|
2039 |
*) mod_substitute: To prevent overboarding memory usage, limit line length |
2040 |
to 1MB. [Stefan Fritsch] |
2041 |
|
2042 |
*) mod_lua: Make the query string (r.args) writable. [Eric Covener] |
2043 |
|
2044 |
*) mod_include: Add support for application/x-www-form-urlencoded encoding |
2045 |
and decoding. [Graham Leggett] |
2046 |
|
2047 |
*) rotatelogs: Add -c option to force logfile creation in every rotation |
2048 |
interval, even if empty. [Jan Kaluža <jkaluza redhat.com>] |
2049 |
|
*) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.
[Stefan Fritsch]

*) mod_session_crypto: Refactor to support the new apr_crypto API.
[Graham Leggett]

*) http: Add missing Location header if local URL-path is used as
ErrorDocument for 30x. [Stefan Fritsch]

*) mod_buffer: Make sure we step down for subrequests, but not for internal
redirects triggered by mod_rewrite. [Graham Leggett]

*) mod_lua: add r:construct_url as a wrapper for ap_construct_url.
[Eric Covener]

*) mod_remote_ip: Fix configuration of internal proxies. PR 49272.
[Jim Riggs <jim riggs me>]

*) mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific
server IP endpoint and remote client IP upon connection. [William Rowe]

*) mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with
PeerExtList(). [Stefan Fritsch]

*) mpm_prefork, mpm_worker, mpm_event: If a child is created just before
graceful restart and then exits because of a missing lock file, don't
shutdown the whole server. PR 39311. [Shawn Michael
<smichael rightnow com>]

*) mpm_event: Check the return value from ap_run_create_connection.
PR 41194. [Davi Arnaut]

*) mod_mime_magic: Add signatures for PNG and SWF to the example config.
PR 48352. [Jeremy Wagner-Kaiser <jwagner-kaiser adknowledge com>]

*) core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items
from the parsed (or default) config. This is useful for init scripts that
need to setup temporary directories and permissions. [Stefan Fritsch]

*) core, mod_actions, mod_asis: Downgrade error log messages which accompany
a 404 request status from loglevel error to info. PR 35768. [Stefan
Fritsch]

*) core: Fix hook sorting with Perl modules. PR 45076. [Torsten Foertsch
<torsten foertsch gmx net>]

*) core: Enforce LimitRequestFieldSize after multiple headers with the same
name have been merged. [Stefan Fritsch]

*) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory
usage. PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>,
Stefan Fritsch]

*) mod_ssl: At startup, when checking a server certificate whether it
matches the configured ServerName, also take dNSName entries in the
subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]

*) mod_substitute: Reduce memory usage and copying of data. PR 50559.
[Stefan Fritsch]
|
*) mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]

*) Add wrappers for malloc, calloc, realloc that check for out of memory
situations and use them in many places. PR 51568, PR 51569, PR 51571.
[Stefan Fritsch]

*) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is
false but RLIMIT_* are defined. PR51371. [Eric Covener]

*) core: Correctly obey ServerName / ServerAlias if the Host header from the
request matches the VirtualHost address.
PR 51709. [Micha Lenk <micha lenk.info>]

*) mod_unique_id: Use random number generator to initialize counter.
PR 45110. [Stefan Fritsch]

*) core: Add convenience API for apr_random. [Stefan Fritsch]

*) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control
the number of overlapping and reversing ranges (respectively) permitted
before returning the entire resource, with a default limit of 20.
[Jim Jagielski]

*) mod_ldap: Optional function uldap_ssl_supported(r) always returned false
if called from a virtual host with mod_ldap directives in it. Did not
affect mod_authnz_ldap's usage of mod_ldap. [Eric Covener]

*) mod_filter: Instead of dropping the Accept-Ranges header when a filter
registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
set the header value to "none". [Eric Covener, Ruediger Pluem]

*) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
in the case Ranges are being ignored with MaxRanges none.
[Eric Covener]

*) mod_ssl: revamp CRL-based revocation checking when validating
certificates of clients or proxied servers. Completely delegate
CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck
directive for controlling the revocation checking mode. [Kaspar Brand]

*) core: Add MaxRanges directive to control the number of ranges permitted
before returning the entire resource, with a default limit of 200.
[Eric Covener]

*) mod_cache: Ensure that CacheDisable can correctly appear within
a LocationMatch. [Graham Leggett]

*) mod_cache: Fix the moving of the CACHE filter, which erroneously
stood down if the original filter was not added by configuration.
[Graham Leggett]

*) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]

*) mod_authz_groupfile: Increase length limit of lines in the group file to
16MB. PR 43084. [Stefan Fritsch]

*) core: Increase length limit of lines in the configuration file to 16MB.
PR 45888. PR 50824. [Stefan Fritsch]
|
*) core: Add API for resizable buffers. [Stefan Fritsch]

*) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have
LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such
as Tivoli Directory Server 6.3 and later. [Eric Covener]

*) mod_ldap: Change default number of retries from 10 to 3, and add
LDAPRetries and LDAPRetryDelay directives. [Eric Covener]

*) mod_authnz_ldap: Don't retry during authentication, because this just
multiplies the ample retries already being done by mod_ldap. [Eric Covener]

*) configure: Allow to explicitly disable modules even with module selection
'reallyall'. [Stefan Fritsch]

*) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
RewriteEngine is disabled in server context, avoiding a crash while
referencing the invalid int: map at runtime. PR 50994.
[Ben Noordhuis <info noordhuis nl>]

*) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]

*) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]

*) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
[Kaspar Brand]

*) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
cookie is set when modules such as mod_rewrite trigger a redirect. Also
use r->err_headers_out for the cookie, for the same reason. PR29755.
[Sami J. Mäkinen <sjm almamedia fi>, Eric Covener]

*) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and
'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch]

*) configure: Enable ldap modules in 'all' and 'most' selections if ldap
is compiled into apr-util. [Stefan Fritsch]

*) core: Add ap_check_cmd_context()-check if a command is executed in
.htaccess file. [Stefan Fritsch]

*) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
[Torsten Foertsch <torsten foertsch gmx net>]

*) mod_authn_socache: Fix to work in .htaccess if not configured anywhere
in httpd.conf, and introduce an AuthnCacheEnable directive.
PR 51991 [Nick Kew]

*) mod_xml2enc: new (formerly third-party) module supporting
internationalisation for filters via smart charset sniffing
and conversion. [Nick Kew]

*) mod_proxy_html: new (formerly third-party) module to fix up
HTML links in a reverse proxy situation, where a backend
generates URLs that are not resolvable by Clients. [Nick Kew]
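
The byte-range policy described by the CVE-2011-3192, MaxRanges and MaxRangeOverlaps/MaxRangeReversals entries in the 2.3.15 list above, as an added C model that is not httpd source code. The names evaluate_range and range_limits are hypothetical, and the definitions of "overlap" (intersects the preceding range) and "reversal" (starts before the preceding range) are assumptions of this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added model, not httpd source. Defaults are the values the entries state. */
struct range_limits { int max_ranges, max_overlaps, max_reversals; };
static const struct range_limits DEFAULT_LIMITS = { 200, 20, 20 };

enum range_decision {
    SERVE_RANGES,     /* honor the header: 206 Partial Content */
    SERVE_WHOLE,      /* ignore the header: 200 with the complete file */
    NOT_SATISFIABLE   /* no range touches the file: 416 */
};

/* Parse decimal digits at s; returns digits consumed, or -1 on overflow. */
static int parse_num(const char *s, long long *out)
{
    long long v = 0;
    int n = 0;
    for (; s[n] >= '0' && s[n] <= '9'; n++) {
        int d = s[n] - '0';
        if (v > (LLONG_MAX - d) / 10) return -1;
        v = v * 10 + d;
    }
    *out = v;
    return n;
}

/* Decide how to answer a Range header for a resource of clen bytes. */
enum range_decision evaluate_range(const char *hdr, long long clen,
                                   const struct range_limits *lim)
{
    long long sum = 0, prev_start = -1, prev_end = -1;
    int specs = 0, overlaps = 0, reversals = 0, satisfiable = 0;
    const char *p = hdr;

    if (clen <= 0 || strncmp(p, "bytes=", 6) != 0)
        return SERVE_WHOLE;               /* unknown unit or empty file */
    p += 6;

    for (;;) {
        long long a = 0, b = 0, start, end;
        int na, nb;

        while (*p == ' ' || *p == ',') p++;
        if (*p == '\0') break;

        /* One byte-range-spec: "a-b", "a-" or "-n". Anything malformed
           makes the whole header be ignored. */
        if ((na = parse_num(p, &a)) < 0) return SERVE_WHOLE;
        p += na;
        if (*p++ != '-') return SERVE_WHOLE;
        if ((nb = parse_num(p, &b)) < 0) return SERVE_WHOLE;
        p += nb;
        if ((na == 0 && nb == 0) || (na > 0 && nb > 0 && b < a))
            return SERVE_WHOLE;
        while (*p == ' ') p++;
        if (*p != '\0' && *p != ',') return SERVE_WHOLE;
        if (++specs > lim->max_ranges) return SERVE_WHOLE;   /* MaxRanges */

        if (na == 0) {                    /* suffix form: last b bytes */
            if (b == 0) continue;
            start = (b >= clen) ? 0 : clen - b;
            end = clen - 1;
        } else {
            if (a >= clen) continue;      /* starts past end of file */
            start = a;
            end = (nb == 0 || b >= clen) ? clen - 1 : b;
        }
        satisfiable++;
        if (prev_start >= 0) {
            if (start < prev_start && ++reversals > lim->max_reversals)
                return SERVE_WHOLE;       /* MaxRangeReversals */
            if (start <= prev_end && end >= prev_start &&
                ++overlaps > lim->max_overlaps)
                return SERVE_WHOLE;       /* MaxRangeOverlaps */
        }
        /* Sum of ranges larger than the file. Compared by subtraction so
           the running total can never overflow. */
        if (end - start + 1 > clen - sum) return SERVE_WHOLE;
        sum += end - start + 1;
        prev_start = start;
        prev_end = end;
    }
    if (specs == 0) return SERVE_WHOLE;
    return satisfiable ? SERVE_RANGES : NOT_SATISFIABLE;
}

int main(void)
{
    /* Constructed sample headers against a 1000-byte resource. */
    const char *s[] = { "bytes=0-99", "bytes=-100", "bytes=0-,0-", "bytes=2000-3000" };
    const char *names[] = { "206 ranges", "200 whole file", "416" };
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("%-16s -> %s\n", s[i], names[evaluate_range(s[i], 1000, &DEFAULT_LIMITS)]);
    return 0;
}
```

Each limit falls back to sending the complete file rather than an error, which matches the wording of the entries: the response stays valid while the per-range work is skipped.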
|
Changes with Apache 2.3.14

*) mod_proxy_ajp: Improve trace logging. [Rainer Jung]

*) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.
[Rainer Jung]

*) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse,
e.g. to reverse proxy "Location: https://other-internal-server/login"
[Nick Kew]

*) prefork, worker, event: Make sure crashes are logged to the error log if
httpd has already detached from the console. [Stefan Fritsch]

*) prefork, worker, event: Reduce period during startup/restart where a
successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>]

*) mod_allowmethods: Correct Merging of "reset" and do not allow an
empty parameter list for the AllowMethods directive. [Rainer Jung]

*) configure: Update selection of modules for 'all' and 'most'. 'all' will
now enable all modules except for example and test modules. Make the
selection for 'most' more useful (including ssl and proxy). Both 'all'
and 'most' will now disable modules if dependencies are missing instead
of aborting. If a specific module is requested with --enable-XXX=yes,
missing dependencies will still cause configure to exit with an error.
[Stefan Fritsch]

*) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done
in 2.3.13. [Stefan Fritsch]

*) core: For '*' or '_default_' vhosts, use a wildcard address of any
address family, rather than IPv4 only. [Joe Orton]

*) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable
include [ ] for literal IPv6 addresses, as mandated by RFC 3875.
PR 26005. [Stefan Fritsch]

*) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203.
[Nagae Hidetake <nagae eagan jp>]

*) core: Add more logging to ap_scan_script_header_err* functions. Add
ap_scan_script_header_err*_ex functions that take a module index for
logging.
mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the
new functions in order to make logging configurable per-module.
[Stefan Fritsch]
|
*) mod_dir: Add DirectoryIndexRedirect to send an external redirect to
the proper index. [Eric Covener]

*) mod_deflate: Don't try to compress requests with a zero sized body.
PR 51350. [Stefan Fritsch]

*) core: Fix startup on IPv6-only systems. PR 50592. [Joe Orton,
<root linkage white-void net>]

*) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX,
REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the
whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>,
Stefan Fritsch]

*) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch]

*) mod_log_debug: New module that allows to log custom messages at various
phases in the request processing. [Stefan Fritsch]

*) mod_ssl: Add some debug logging when loading server certificates.
PR 37912. [Nick Burch <nick burch alfresco com>]

*) configure: Support reallyall option also for --enable-mods-static.
[Rainer Jung]

*) mod_socache_dc: add --with-distcache to configure for choosing
the distcache installation directory. [Rainer Jung]

*) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD
instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung]

*) mod_lua, mod_deflate: respect platform specific runpath linker
flag. [Rainer Jung]

*) configure: Only link the httpd binary against PCRE. No other support
binary needs PCRE. [Rainer Jung]

*) configure: tolerate dependency checking failures for modules if
they have been enabled implicitly. [Rainer Jung]

*) configure: Allow to specify module specific custom linker flags via
the MOD_XXX_LDADD variables. [Rainer Jung]
|
Changes with Apache 2.3.13

*) ab: Support specifying the local address to use. PR 48930.
[Peter Schuller <scode spotify com>]

*) core: Add support to ErrorLogFormat for logging the system unique
thread id under Linux. [Stefan Fritsch]

*) event: New AsyncRequestWorkerFactor directive to influence how many
connections will be accepted per process. [Stefan Fritsch]

*) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which
describes more accurately what it does. [Stefan Fritsch]

*) rotatelogs: Add -p argument to specify custom program to invoke
after a log rotation. PR 51285. [Sven Ulland <sveniu ifi.uio.no>,
Joe Orton]

*) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand]

*) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.
PR 48215. [Kaspar Brand]

*) mod_status: Display information about asynchronous connections in the
server-status. PR 44377. [Stefan Fritsch]

*) mpm_event: If the number of connections of a process is very high, or if
all workers are busy, don't accept new connections in that process.
[Stefan Fritsch]

*) mpm_event: Process lingering close asynchronously instead of tying up
worker threads. [Jeff Trawick, Stefan Fritsch]

*) mpm_event: If MaxMemFree is set, limit the number of pools that is kept
around. [Stefan Fritsch]

*) mpm_event: Fix graceful restart aborting connections. PR 43359.
[Takashi Sato <takashi lans-tv com>]

*) mod_ssl: Disable AECDH ciphers in example config. PR 51363.
[Rob Stradling <rob comodo com>]

*) core: Introduce new function ap_get_conn_socket() to access the socket of
a connection. [Stefan Fritsch]

*) mod_data: Introduce a filter to support RFC2397 data URLs. [Graham
Leggett]

*) mod_userdir/mod_alias/mod_vhost_alias: Correctly set DOCUMENT_ROOT,
CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX. PR 26052. PR 46198.
[Stefan Fritsch]
|
*) core: Allow to override document_root on a per-request basis. Introduce
new context_document_root and context_prefix which provide information
about non-global URI-to-directory mappings (from e.g. mod_userdir or
mod_alias) to scripts. PR 49705. [Stefan Fritsch]

*) core: Add <ElseIf> and <Else> to complement <If> sections.
[Stefan Fritsch]

*) mod_ext_filter: Remove DebugLevel option in favor of per-module loglevel.
[Stefan Fritsch]

*) mod_include: Make the "#if expr" element use the new "ap_expr" expression
parser. The old parser can still be used by setting the new directive
SSILegacyExprParser. [Stefan Fritsch]

*) core: Add some features to ap_expr for use by mod_include: a restricted
mode that does not allow to bypass request access restrictions; new
variables DOCUMENT_URI (alias for REQUEST_URI), LAST_MODIFIED; -A as an
alias for -U; an additional data entry in ap_expr_eval_ctx_t for use by
the consumer; an extensible ap_expr_exec_ctx() API that allows to use that
data entry. [Stefan Fritsch]

*) mod_include: Merge directory configs instead of one SSI* config directive
causing all other per-directory SSI* config directives to be reset.
[Stefan Fritsch]

*) mod_charset_lite: Remove DebugLevel option in favour of per-module
loglevel. [Stefan Fritsch]

*) core: Add ap_regexec_len() function that works with non-null-terminated
strings. PR 51231. [Yehezkel Horowitz <horowity checkpoint com>]

*) mod_authnz_ldap: If the LDAP server returns constraint violation,
don't treat this as an error but as "auth denied". [Stefan Fritsch]

*) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO
for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>,
Jim Jagielski]

*) mod_cache: When content is served stale, and there is no means to
revalidate the content using ETag or Last-Modified, and we have
mandated no stale-on-error behaviour, stand down and don't cache.
Saves a cache write that will never be read.
[Graham Leggett]

*) mod_reqtimeout: Fix a timed out connection going into the keep-alive
state after a timeout when discarding a request body. PR 51103.
[Stefan Fritsch]

*) core: Add various file existence test operators to ap_expr.
[Stefan Fritsch]

*) mod_proxy_express: New mass reverse-proxy switch extension for
mod_proxy. [Jim Jagielski]

*) configure: Fix script error when configuring module set "reallyall".
[Rainer Jung]
|
Changes with Apache 2.3.12

*) configure, core: Provide easier support for APR's hook probe
capability. [Jim Jagielski, Jeff Trawick]

*) Silence autoconf 2.68 warnings. [Rainer Jung]

*) mod_authnz_ldap: Resolve crash when LDAP is used for authorization only
[Scott Hill <shill genscape.com>]

*) support: Make sure check_forensic works with mod_unique_id loaded
[Joe Schaefer]

*) Add child_status hook for tracking creation/termination of MPM child
processes. Add end_generation hook for notification when the last
MPM child of a generation exits. [Jeff Trawick]

*) mod_ldap: Make LDAPSharedCacheSize 0 create a non-shared-memory cache per
process as opposed to disabling caching completely. This allows to use
the non-shared-memory cache as a workaround for the shared memory cache
not being available during graceful restarts. PR 48958. [Stefan Fritsch]

*) Add new ap_reserve_module_slots/ap_reserve_module_slots_directive API,
necessary if a module (like mod_perl) registers additional modules late
in the startup phase. [Stefan Fritsch]

*) core: Prevent segfault if DYNAMIC_MODULE_LIMIT is reached. PR 51072.
[Torsten Förtsch <torsten foertsch gmx net>]

*) WinNT MPM: Improve robustness under heavy load. [Jeff Trawick]

*) MinGW build improvements. PR 49535. [John Vandenberg
<jayvdb gmail.com>, Jeff Trawick]

*) core: Support module names with colons in loglevel configuration.
[Torsten Förtsch <torsten foertsch gmx net>]

*) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
[Stefan Fritsch]

*) core: Abort if the MPM is changed across restart. [Jeff Trawick]
|
*) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
[Peter Pramberger <peter pramberger.at>, Jim Jagielski]

*) mod_proxy_fcgi: Add support for 'ProxyErrorOverride on'. PR 50913.
[Mark Montague <mark catseye.org>, Jim Jagielski]

*) core: Change the APIs of ap_cfg_getline() and ap_cfg_getc() to return an
error code. Abort with a nice error message if a config line is too long.
Partial fix for PR 50824. [Stefan Fritsch]

*) mod_info: Dump config to stdout during startup if -DDUMP_CONFIG is
specified. PR 31956. [Stefan Fritsch]

*) Restore visibility of DEFAULT_PIDLOG to core and modules. MPM
helper function ap_remove_pid() added. [Jeff Trawick]

*) Enable DEFAULT_REL_RUNTIMEDIR on Windows and NetWare. [various]

*) Correct C++ incompatibility with http_log.h. [Stefan Fritsch, Jeff
Trawick]

*) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch
<torsten.foertsch gmx.net>]

*) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
in request URL path info but not decode them. Change behavior of option
"On" to decode the encoded slashes as 2.0 and 2.2 do. PR 35256,
PR 46830. [Dan Poirier]

*) mod_ssl: Check SNI hostname against Host header case-insensitively.
PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>]

*) mod_ldap: Add LDAPConnectionPoolTTL to give control over lifetime
of bound backend LDAP connections. PR47634 [Eric Covener]

*) mod_cache: Make CacheEnable and CacheDisable configurable per
directory in addition to per server, making them work from within
a LocationMatch. [Graham Leggett]

*) worker, event, prefork: Correct several issues when built as
DSOs; most notably, the scoreboard was reinitialized during graceful
restart, such that processes of the previous generation were not
observable. [Jeff Trawick]
|
Changes with Apache 2.3.11

*) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
Win32's cscript interpreter can only use a single quote as comment char.
[Guenter Knauf]

*) mod_proxy: balancer-manager now uses POST instead of GET.
[Jim Jagielski]

*) core: new util function: ap_parse_form_data(). Previously,
this capability was tucked away in mod_request. [Jim Jagielski]

*) core: new hook: ap_run_pre_read_request. [Jim Jagielski]

*) modules: Fix many modules that were not correctly initializing if they
were not active during server startup but got enabled later during a
graceful restart. [Stefan Fritsch]

*) core: Create new ap_state_query function that allows modules to determine
if the current configuration run is the initial one at server startup,
and if the server is started for testing/config dumping only.
[Stefan Fritsch]

*) mod_proxy: Runtime configuration of many parameters for existing
balancers via the balancer-manager. [Jim Jagielski]

*) mod_proxy: Runtime addition of new workers (BalancerMember) for existing
balancers via the balancer-manager. [Jim Jagielski]

*) mod_cache: When a bad Expires date is present, we need to behave as if
the Expires is in the past, not as if the Expires is missing. PR 16521.
[Co-Advisor <coad measurement-factory.com>]

*) mod_cache: We must ignore quoted-string values that appear in a
Cache-Control header. PR 50199. [Graham Leggett]

*) mod_dav: Revert change to send 501 error if unknown Content-* header is
received for a PUT request. PR 42978. [Stefan Fritsch]

*) mod_cache: Respect s-maxage as described by RFC2616 14.9.3, which must
take precedence if present. PR 35247. [Graham Leggett]

*) mod_ssl: Fix a possible startup failure if multiple SSL vhosts
are configured with the same ServerName and private key file.
[Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton]

*) mod_socache_dc: Make module compile by fixing some typos.
PR 50735 [Mark Montague <mark catseye.org>]

*) prefork: Update MPM state in children during a graceful stop or
restart. PR 41743. [Andrew Punch <andrew.punch 247realmedia.com>]

*) mod_mime: Ignore leading dots when looking for mime extensions.
PR 50434 [Stefan Fritsch]
|
*) core: Add support to set variables with the 'Define' directive. The
variables can then be used in the config using the ${VAR} syntax
known from envvar interpolation. [Stefan Fritsch]

*) mod_proxy_http: make adding of X-Forwarded-* headers configurable.
ProxyAddHeaders defaults to On. [Vincent Deffontaines]

*) mod_slotmem_shm: Increase memory alignment for slotmem data.
[Rainer Jung]

*) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout,
SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew.
[Kaspar Brand <httpd-dev.2011 velox.ch>]

*) mod_ssl: Revamp output buffering to reduce network overhead for
output fragmented into many buckets, such as chunked HTTP responses.
[Joe Orton]

*) core: Apply <If> sections to all requests, not only to file base requests.
Allow to use <If> inside <Directory>, <Location>, and <Files> sections.
The merging of <If> sections now happens after the merging of <Location>
sections, even if an <If> section is embedded inside a <Directory> or
<Files> section. [Stefan Fritsch]

*) mod_proxy: Refactor usage of shared data by dropping the scoreboard
and using slotmem. Create foundation for dynamic growth/changes of
members within a balancer. Remove BalancerNonce in favor of a
per-balancer 'nonce' parameter. [Jim Jagielski]

*) mod_status: Don't show slots which are disabled by MaxClients as open.
PR 47022 [Jordi Prats <jordi prats gmail com>, Stefan Fritsch]

*) mpm_prefork: Fix ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and
AP_MPMQ_MAX_THREADS.

*) mod_authz_core: Fix bug in merging logic if user-based and non-user-based
authorization directives were mixed. [Stefan Fritsch]

*) mod_authn_socache: change directive name from AuthnCacheProvider
to AuthnCacheProvideFor. The term "provider" is overloaded in
this module, and we should avoid confusion between the provider
of a backend (AuthnCacheSOCache) and the authn provider(s) for
which this module provides caching (AuthnCacheProvideFor).
[Nick Kew]

*) mod_proxy_http: Allocate the fake backend request from a child pool
of the backend connection, instead of misusing the pool of the frontend
request. Fixes a thread safety issue where buckets set aside in the
backend connection leak into other threads, and then disappear when
the frontend request is cleaned up, in turn causing corrupted buckets
to make other threads spin. [Graham Leggett]
|
2620 |
*) mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables |
2621 |
to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and |
2622 |
escape other special characters with backslashes. The old format can |
2623 |
still be used with the LegacyDNStringFormat argument to SSLOptions. |
2624 |
|
2625 |
*) core, mod_rewrite: Make the REQUEST_SCHEME variable available to |
2626 |
scripts and mod_rewrite. [Stefan Fritsch] |
2627 |
|
2628 |
*) mod_rewrite: Allow to use arbitrary boolean expressions (ap_expr) in |
2629 |
RewriteCond. [Stefan Fritsch] |
2630 |
|
2631 |
*) mod_rewrite: Allow to unset environment variables using E=!VAR. |
2632 |
PR 49512. [Mark Drayton <mark markdrayton info>, Stefan Fritsch] |
2633 |
|
2634 |
*) mod_headers: Restore the 2.3.8 and earlier default for the first |
2635 |
argument of the Header directive ("onsuccess"). [Eric Covener] |
2636 |
|
2637 |
*) core: Disallow the mixing of relative and absolute Options PR 33708. |
2638 |
[Sönke Tesch <st kino-fahrplan.de>] |
2639 |
|
2640 |
*) core: When exporting request headers to HTTP_* environment variables, |
2641 |
drop variables whose names contain invalid characters. Describe in the |
2642 |
docs how to restore the old behaviour. [Malte S. Stretz <mss apache org>] |

*) core: When selecting an IP-based virtual host, favor an exact match for
the port over a wildcard (or omitted) port instead of favoring the one
that came first in the configuration file. [Eric Covener]

*) core: Overlapping virtual host address/port combinations now implicitly
enable name-based virtual hosting for that address. The NameVirtualHost
directive has no effect, and _default_ is interpreted the same as "*".
[Eric Covener]

*) core: In the absence of any Options directives, the default is now
"FollowSymlinks" instead of "All". [Igor Galić]

*) rotatelogs: Add -e option to write logs through to stdout for optional
further processing. [Graham Leggett]

*) mod_ssl: Correctly read full lines in input filter when the line is
incomplete during first read. PR 50481. [Ruediger Pluem]

*) mod_authz_core: Add AuthzSendForbiddenOnFailure directive to allow
sending '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if authorization
fails for an authenticated user. PR 40721. [Stefan Fritsch]

Changes with Apache 2.3.10

*) mod_rewrite: Don't implicitly URL-escape the original query string
when no substitution has changed it. PR 50447. [Eric Covener]

*) core: Honor 'AcceptPathInfo OFF' during internal redirects,
such as per-directory mod_rewrite substitutions. PR 50349.
[Eric Covener]

*) mod_rewrite: Add 'RewriteOptions InheritBefore' to put the base
rules/conditions before the overridden rules/conditions. PR 39313.
[Jérôme Grandjanny <jerome.grandjanny cea.fr>]

*) mod_autoindex: add IndexIgnoreReset to reset the list of IndexIgnored
filenames in higher precedence configuration sections. PR 24243.
[Eric Covener]

*) mod_cgid: RLimit* directive support for mod_cgid. PR 42135
[Eric Covener]

*) core: Fail startup when the argument to ServerName looks like a glob
or a regular expression instead of a hostname (*?[]). PR 39863
[Rahul Nair <rahul.g.nair gmail.com>]

*) mod_userdir: Add merging of enable, disable, and filename arguments
to UserDir directive, leaving enable/disable of userlists unmerged.
PR 44076 [Eric Covener]

*) httpd: When no -k option is provided on the httpd command line, the server
was starting without checking for an existing pidfile. PR 50350
[Eric Covener]

*) mod_proxy: Put the worker in error state if the SSL handshake with the
backend fails. PR 50332.
[Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]

*) mod_cache_disk: Fix Windows build which was broken after renaming
the module. [Gregg L. Smith]

Changes with Apache 2.3.9

*) SECURITY: CVE-2010-1623 (cve.mitre.org)
Fix a denial of service attack against mod_reqtimeout.
[Stefan Fritsch]

*) mod_headers: Change default first argument of Header directive
from "onsuccess" to "always". [Eric Covener]

*) mod_include: Add the onerror attribute to the include element,
allowing a URL to be specified to include on error. [Graham
Leggett]

*) mod_cache_disk: mod_disk_cache renamed to mod_cache_disk, to be
consistent with the naming of other modules. [Graham Leggett]

*) mod_setenvif: Add SetEnvIfExpr directive to set env var depending on
expression. [Stefan Fritsch]

*) mod_proxy: Fix ProxyPassInterpolateEnv directive. PR 50292.
[Stefan Fritsch]

*) suEXEC: Add Suexec directive to disable suEXEC without renaming the
binary (Suexec Off), or force startup failure if suEXEC is required
but not supported (Suexec On). Change SuexecUserGroup to fail
startup instead of just printing a warning if suEXEC is disabled.
[Jeff Trawick]

*) core: Add Error directive for aborting startup or htaccess processing
with a specified error message. [Jeff Trawick]

*) mod_rewrite: Fix the RewriteEngine directive to work within a
location. Previously, once RewriteEngine was switched on globally,
it was impossible to switch off. [Graham Leggett]

*) core, mod_include, mod_ssl: Move the expression parser derived from
mod_include back into mod_include. Replace ap_expr with a parser
derived from mod_ssl's parser. Make mod_ssl use the new parser. Rework
ap_expr's public interface and provide hooks for modules to add variables
and functions. [Stefan Fritsch]

*) core: Do the hook sorting earlier so that the hooks are properly sorted
for the pre_config hook and during parsing the config. [Stefan Fritsch]

*) core: In the absence of any AllowOverride directives, the default is now
"None" instead of "All". PR49823 [Eric Covener]

*) mod_proxy: Don't allow ProxyPass or ProxyPassReverse in
<Directory> or <Files>. PR47765 [Eric Covener]

*) prefork/worker/event MPMS: default value (when no directive is present)
of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000
to match default configuration and manual. PR47782 [Eric Covener]

*) proxy_connect: Don't give up in the middle of a CONNECT tunnel
when the child process is starting to exit. PR50220. [Eric Covener]

*) mod_autoindex: Fix inheritance of mod_autoindex directives into
contexts that don't have any mod_autoindex directives. PR47766.
[Eric Covener]

*) mod_rewrite: Add END flag for RewriteRule to prevent further rounds
of rewrite processing when a per-directory substitution occurs.
[Eric Covener]

*) mod_ssl: Make sure to always log an error if loading of CA certificates
fails. PR 40312. [Paul Tiemann <issues apache org ourdetour com>]

*) mod_dav: Send 501 error if unknown Content-* header is received for a PUT
request (RFC 2616 9.6). PR 42978. [Stefan Fritsch]

*) mod_dav: Send 400 error if malformed Content-Range header is received for
a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]

*) mod_proxy: Release the backend connection as soon as EOS is detected,
so the backend isn't forced to wait for the client to eventually
acknowledge the data. [Graham Leggett]

*) mod_proxy: Optimise ProxyPass within a Location so that it is stored
per-directory, and chosen during the location walk. Make ProxyPass
work correctly from within a LocationMatch. [Graham Leggett]

*) core: Fix segfault if per-module LogLevel is on virtual host
scope. PR 50117. [Stefan Fritsch]

*) mod_proxy: Move the ProxyErrorOverride directive to have per
directory scope. [Graham Leggett]

*) mod_allowmethods: New module to deny certain HTTP methods without
interfering with authentication/authorization. [Paul Querna,
Igor Galić, Stefan Fritsch]

*) mod_ssl: Log certificate information and improve error message if client
cert verification fails. PR 50093, PR 50094. [Lassi Tuura <lat cern ch>,
Stefan Fritsch]

*) htcacheclean: Teach htcacheclean to limit cache size by number of
inodes in addition to size of files. Prevents a cache disk from
running out of space when many small files are cached.
[Graham Leggett]

*) core: Rename MaxRequestsPerChild to MaxConnectionsPerChild, which
describes more accurately what the directive does. The old name
still works but logs a warning. [Stefan Fritsch]

*) mod_cache: Optionally serve stale data when a revalidation returns a
5xx response, controlled by the CacheStaleOnError directive.
[Graham Leggett]

*) htcacheclean: Allow the listing of valid URLs within the cache, with
the option to list entry metadata such as sizes and times. [Graham
Leggett]

*) mod_cache: correctly parse quoted strings in cache headers.
PR 50199 [Nick Kew]

*) mod_cache: Allow control over the base URL of reverse proxied requests
using the CacheKeyBaseURL directive, so that the cache key can be
calculated from the endpoint URL instead of the server URL. [Graham
Leggett]

*) mod_cache: CacheLastModifiedFactor, CacheStoreNoStore, CacheStorePrivate,
CacheStoreExpired, CacheIgnoreNoLastMod, CacheDefaultExpire,
CacheMinExpire and CacheMaxExpire can be set per directory/location.
[Graham Leggett]

*) mod_disk_cache: CacheMaxFileSize, CacheMinFileSize, CacheReadSize and
CacheReadTime can be set per directory/location. [Graham Leggett]

*) core: Speed up config parsing if using a very large number of config
files. PR 50002 [andrew cloudaccess net]

*) mod_cache: Support the caching of HEAD requests. [Graham Leggett]

*) htcacheclean: Allow the option to round up file sizes to a given
block size, improving the accuracy of disk usage. [Graham Leggett]

*) mod_ssl: Add authz providers for use with mod_authz_core and its
RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL),
'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and
'ssl-require' (expressions with same syntax as SSLRequire).
[Stefan Fritsch]

*) mod_ssl: Make the ssl expression parser thread-safe. It now requires
bison instead of yacc. [Stefan Fritsch]

*) mod_disk_cache: Change on-disk header file format to support the
link of the device/inode of the data file to the matching header
file, and to support the option of not writing a data file when
the data file is empty. [Graham Leggett]

*) core/mod_unique_id: Add generate_log_id hook to allow to use
the ID generated by mod_unique_id as error log ID for requests.
[Stefan Fritsch]

*) mod_cache: Make sure that we never allow a 304 Not Modified response
that we asked for to leak to the client should the 304 response be
uncacheable. PR45341 [Graham Leggett]

*) mod_cache: Add the cache_status hook to register the final cache
decision hit/miss/revalidate. Add optional support for an X-Cache
and/or an X-Cache-Detail header to add the cache status to the
response. PR48241 [Graham Leggett]

*) mod_authz_host: Add 'local' provider that matches connections originating
on the local host. PR 19938. [Stefan Fritsch]

*) Event MPM: Fix crash accessing pollset on worker thread when child
process is exiting. [Jeff Trawick]

*) core: For process invocation (cgi, fcgid, piped loggers and so forth)
pass the system library path (LD_LIBRARY_PATH or platform-specific
variables) along with the system PATH, by default. Both should be
overridden together as desired using PassEnv etc; see mod_env.
[William Rowe]

*) mod_cache: Introduce CacheStoreExpired, to allow administrators to
capture a stale backend response, perform If-Modified-Since requests
against the backend, and serving from the cache all 304 responses.
This restores pre-2.2.4 cache behavior. [William Rowe]

*) mod_rewrite: Introduce <=, >= string comparison operators, and integer
comparators -lt, -le, -eq, -ge, and -gt. To help bash users and drop
the ambiguity of the symlink test "-ltest", introduce -h or -L as
symlink test operators. [William Rowe]

*) mod_cache: Give the cache provider the opportunity to choose to cache
or not cache based on the buckets present in the brigade, such as the
presence of a FILE bucket.
[Graham Leggett]

*) mod_authz_core: Allow authz providers to check args while reading the
config and allow to cache parsed args. Move 'all' and 'env' authz
providers from mod_authz_host to mod_authz_core. Add 'method' authz
provider depending on the HTTP method. [Stefan Fritsch]

*) mod_include: Move the request_rec within mod_include to be
exposed within include_ctx_t. [Graham Leggett]

*) mod_include: Reinstate support for UTF-8 character sets by allowing a
variable being echoed or set to be decoded and then encoded as separate
steps. PR47686 [Graham Leggett]

*) mod_cache: Add a discrete commit_entity() provider function within the
mod_cache provider interface which is called to indicate to the
provider that caching is complete, giving the provider the opportunity
to commit temporary files permanently to the cache in an atomic
fashion. Replace the inconsistent use of error cleanups with a formal
set of pool cleanups attached to a subpool, which is destroyed on error.
[Graham Leggett]

*) mod_cache: Change the signature of the store_body() provider function
within the mod_cache provider interface to support an "in" brigade
and an "out" brigade instead of just a single input brigade. This
gives a cache provider the option to consume only part of the brigade
passed to it, rather than the whole brigade as was required before.
This fixes an out of memory and a request timeout condition that would
occur when the original document was a large file. Introduce
CacheReadSize and CacheReadTime directives to mod_disk_cache to control
the amount of data to attempt to cache at a time. [Graham Leggett]

*) core: Add ErrorLogFormat to allow configuring error log format, including
additional information that is logged once per connection or request. Add
error log IDs for connections and request to allow correlating error log
lines and the corresponding access log entry. [Stefan Fritsch]

*) core: Disable sendfile by default. [Stefan Fritsch]

*) mod_cache: Check the request to determine whether we are allowed
to return cached content at all, and respect a "Cache-Control:
no-cache" header from a client. Previously, "no-cache" would
behave like "max-age=0". [Graham Leggett]

*) mod_cache: Use a proper filter context to hold filter data instead
of misusing the per-request configuration. Fixes a segfault on trunk
when the normal handler is used. [Graham Leggett]

*) mod_cgid: Log a warning if the ScriptSock path is truncated because
it is too long. PR 49388. [Stefan Fritsch]

*) vhosts: Do not allow _default_ in NameVirtualHost, or mixing *
and non-* ports on NameVirtualHost, or multiple NameVirtualHost
directives for the same address:port, or NameVirtualHost
directives with no matching VirtualHosts, or multiple ip-based
VirtualHost sections for the same address:port. These were
previously accepted with a warning, but the behavior was
undefined. [Dan Poirier]

*) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with
Allow/Deny. PR 49838. [Andrew Skalski <voltara gmail.com>]

*) core: DirectoryMatch can now match on the end of line character ($),
and sub-directories of matched directories are no longer implicitly
matched. PR49809 [Eric Covener]

*) Regexps: introduce new higher-level regexp utility including parsing
and executing perl-style regexp ops (e.g s/foo/bar/i) and regexp memory
[Nick Kew]

*) Proxy: support setting source address. PR 29404
[Multiple contributors iterating through bugzilla,
Aron Ujvari <xanco nikhok.hu>, Aleksey Midenkov <asm uezku.kemsu.ru>,
<dan listening-station.net>; trunk version Nick Kew]

*) HTTP protocol: return 400 not 503 if we have to abort due to malformed
chunked encoding. [Nick Kew]

Changes with Apache 2.3.8

*) suexec: Support large log files. PR 45856. [Stefan Fritsch]

*) core: Abort with sensible error message if no or more than one MPM is
loaded. [Stefan Fritsch]

*) mod_proxy: Rename erroronstatus to failonstatus.
[Daniel Ruggeri <DRuggeri primary.net>]

*) mod_dav_fs: Fix broken "creationdate" property.
Regression in version 2.3.7. [Rainer Jung]

Changes with Apache 2.3.7

*) SECURITY: CVE-2010-1452 (cve.mitre.org)
mod_dav, mod_cache, mod_session: Fix Handling of requests without a path
segment. PR 49246 [Mark Drayton, Jeff Trawick]

*) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076.
[Stefan Fritsch]

*) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639.
[Stefan Fritsch]

*) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers
via leveraging 100-Continue as the initial "request".
[Jim Jagielski]

*) core/mod_authz_core: Introduce new access_checker_ex hook that enables
mod_authz_core to bypass authentication if access should be allowed by
IP address/env var/... [Stefan Fritsch]

*) core: Introduce note_auth_failure hook to allow modules to add support
for additional auth types. This makes ap_note_auth_failure() work with
mod_auth_digest again. PR 48807. [Stefan Fritsch]

*) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]

*) mod_authn_socache: new module [Nick Kew]

*) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]

*) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]

*) mod_rewrite: Allow to set environment variables without explicitly
giving a value. [Rainer Jung]

*) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung]

*) mod_include: recognise "text/html; parameters" as text/html
PR 49616 [Andrey Chernov <ache nagual.pp.ru>]

*) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
PR 43906 [Nick Kew]

*) Core: Extra robustness: don't try authz and segfault if authn
fails to set r->user. Log bug and return 500 instead.
PR 42995 [Nick Kew]

*) HTTP protocol filter: fix handling of longer chunk extensions
PR 49474 [<tee.bee gmx.de>]

*) Update SSL cipher suite and add example for SSLHonorCipherOrder.
[Lars Eilebrecht, Rainer Jung]

*) move AddOutputFilterByType from core to mod_filter. This should
fix nasty side-effects that happen when content_type is set
more than once in processing a request, and make it fully
compatible with dynamic and proxied contents. [Nick Kew]

*) mod_log_config: Implement logging for sub second timestamps and
request end time. [Rainer Jung]

Changes with Apache 2.3.6

*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
attack when compiled against OpenSSL version 0.9.8m or later. Introduces
the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
and offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol, RFC 5746.
[Joe Orton, and with thanks to the OpenSSL Team]

*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
by rejecting any client-initiated renegotiations. Forcibly disable
keepalive for the connection if there is any buffered data readable. Any
configuration which requires renegotiation for per-directory/location
access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
[Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

*) SECURITY: CVE-2010-0408 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
when request headers indicate a request body is incoming; not a case of
HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]

*) SECURITY: CVE-2010-0425 (cve.mitre.org)
mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.
[Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]

*) core: Filter init functions are now run strictly once per request
before handler invocation. The init functions are no longer run
for connection filters. PR 49328. [Joe Orton]

*) core: Adjust the output filter chain correctly in an internal
redirect from a subrequest, preserving filters from the main
request as necessary. PR 17629. [Joe Orton]

*) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
Response if they so choose to do so. Previously an attempt to cache a 206
was arbitrarily allowed if the response contained an Expires or
Cache-Control header, and arbitrarily denied if both headers were missing.
[Graham Leggett]

*) core: Add microsecond timestamp fractions, process id and thread id
to the error log. [Rainer Jung]

*) configure: The "most" module set gets built by default. [Rainer Jung]

*) configure: Building dynamic modules (DSO) by default. [Rainer Jung]

*) configure: Fix broken VPATH build when using included APR.
[Rainer Jung]

*) mod_session_crypto: Fix configure problem when building
with APR 2 and for VPATH builds with included APR.
[Rainer Jung]

*) mod_session_crypto: API compatibility with APR 2 crypto and
APR Util 1.x crypto. [Rainer Jung]

*) ab: Fix memory leak with -v2 and SSL. PR 49383.
[Pavel Kankovsky <peak argo troja mff cuni cz>]

*) core: Add per-module and per-directory loglevel configuration.
Add some more trace logging.
mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels.
mod_ssl: Replace LogLevelDebugDump with trace log levels.
mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info
and debug.
mod_dumpio: Replace DumpIOLogLevel with trace log levels.
[Stefan Fritsch]

*) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
title page only) when any mod_ldap directives were used in VirtualHost
context. [Eric Covener]

*) mod_disk_cache: Decline the opportunity to cache if the response is
a 206 Partial Content. This stops a reverse proxied partial response
from becoming cached, and then being served in subsequent responses.
[Graham Leggett]

*) mod_deflate: avoid the risk of forwarding data before headers are set.
PR 49369 [Matthew Steele <mdsteele google.com>]

*) mod_authnz_ldap: Ensure nested groups are checked when the
top-level group doesn't have any direct non-group members
of attributes in AuthLDAPGroupAttribute. [Eric Covener]

*) mod_authnz_ldap: Search or Comparison during authorization phase
can use the credentials from the authentication phase
(AuthLDAPSearchAsUser,AuthLDAPCompareAsUser).
PR 48340 [Domenico Rotiroti, Eric Covener]

*) mod_authnz_ldap: Allow the initial DN search during authentication
to use the HTTP username/pass instead of an anonymous or hard-coded
LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).
[Eric Covener]

*) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
when this module is used for authorization. See AuthLDAPAuthorizePrefix.
PR 45584 [Eric Covener]

*) apxs -q: Stop filtering out ':' characters from the reported values.
PR 45343. [Bill Cole]

*) prefork MPM: Work around possible crashes on child exit in APR reslist
cleanup code. PR 43857. [Tom Donovan]

*) ab: fix number of requests sent by ab when keepalive is enabled. PR 48497.
[Bryn Dole <dole blekko.com>]

*) Log an error for failures to read a chunk-size, and return 408 instead of
413 when this is due to a read timeout. This change also fixes some cases
of two error documents being sent in the response for the same scenario.
[Eric Covener] PR49167

*) mod_proxy_balancer: Add new directive BalancerNonce to allow admin
to control/set the nonce used in the balancer-manager application.
[Jim Jagielski]

*) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673.
[Stefan Fritsch]

*) Proxy balancer: support setting error status according to HTTP response
code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]

*) htcacheclean: Introduce the ability to clean specific URLs from the
cache, if provided as an optional parameter on the command line.
[Graham Leggett]

*) core: Introduce the IncludeStrict directive, which explicitly fails
server startup if no files or directories match a wildcard path.
[Graham Leggett]

*) htcacheclean: Report additional statistics about entries deleted.
PR 48944. [Mark Drayton mark markdrayton.info]

*) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
build of openssl is required for 'SSLFIPS on'. PR 46270.
[Dr Stephen Henson <steve openssl.org>, William Rowe]

*) mod_proxy_http: Log the port of the remote server in various messages.
PR 48812. [Igor Galić <i galic brainsware org>]

*) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
connections and other protocol handlers (like mod_ftp). [Stefan Fritsch]

*) mod_proxy_ajp: Really regard the operation a success, when the client
aborted the connection. In addition adjust the log message if the client
aborted the connection. [Ruediger Pluem]

*) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
allows insecure renegotiation with clients which do not yet
support the secure renegotiation protocol. [Joe Orton]

*) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
is configured for client cert auth. PR 46952. [Joe Orton]

*) core: Only log a 408 if it is no keepalive timeout. PR 39785
[Ruediger Pluem, Mark Montague <markmont umich.edu>]

*) support/rotatelogs: Add -L option to create a link to the current
log file. PR 48761 [<lyndon orthanc.ca>, Dan Poirier]

*) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
setting only, matching most of the documentation and examples.
PR 46541 [Paul Reder, Eric Covener]

*) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]

*) mod_negotiation: Preserve query string over multiviews negotiation.
This buglet was fixed for type maps in 2.2.6, but the same issue
affected multiviews and was overlooked.
PR 33112 [Joergen Thomsen <apache jth.net>]

*) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert
when some are not password-protected. [Eric Covener]

*) Fix startup segfault when the Mutex directive is used but no loaded
modules use httpd mutexes. PR 48787. [Jeff Trawick]

*) Proxy: get the headers right in a HEAD request with
ProxyErrorOverride, by checking for an overridden error
before not after going into a catch-all code path.
PR 41646. [Nick Kew, Stuart Children]

*) support/rotatelogs: Support the simplest log rotation case, log
truncation. Useful when the log is being processed in real time |
3235 |
using a command like tail. [Graham Leggett] |
3236 |
|
3237 |
*) support/htcacheclean: Teach it how to write a pid file (modelled on |
3238 |
httpd's writing of a pid file) so that it becomes possible to run |
3239 |
more than one instance of htcacheclean on the same machine. |
3240 |
[Graham Leggett] |
3241 |
|
3242 |
*) Log command line on startup, so there's a record of command line |
3243 |
arguments like -f. PR 48752. [Dan Poirier] |
3244 |
|
3245 |
*) Introduce mod_reflector, a handler capable of reflecting POSTed |
3246 |
request bodies back within the response through the output filter |
3247 |
stack. Can be used to turn an output filter into a web service. |
3248 |
[Graham Leggett] |
3249 |
|
*) mod_proxy_http: Make sure that when an ErrorDocument is served
from a reverse proxied URL, that the subrequest respects the status
of the original request. This brings the behaviour of proxy_handler
in line with default_handler. PR 47106. [Graham Leggett]

*) Support wildcards in both the directory and file components of
the path specified by the Include directive. [Graham Leggett]

*) mod_proxy, mod_proxy_http: Support remote https proxies
by using HTTP CONNECT. PR 19188.
[Philippe Dutrueux <lilas evidian.com>, Rainer Jung]

*) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
[Philip M. Gollucci]

*) worker: Don't report server has reached MaxClients until it has.
Add message when server gets within MinSpareThreads of MaxClients.
PR 46996. [Dan Poirier]

*) mod_session: Session expiry was being initialised, but not updated
on each session save, resulting in timed out sessions when there
should not have been. Fixed. [Graham Leggett]

*) mod_log_config: Add the R option to log the handler used within the
request. [Christian Folini <christian.folini netnea com>]

*) mod_include: Allow fine control over the removal of Last-Modified and
ETag headers within the INCLUDES filter, making it possible to cache
responses if desired. Fix the default value of the SSIAccessEnable
directive. [Graham Leggett]

*) Add new UnDefine directive to undefine a variable. PR 35350.
[Stefan Fritsch]

*) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax
for regex backreferences as mod_rewrite and mod_include: Remove the use
of '&' as an alias for '$0' and allow to escape any character with a
backslash. PR 48351. [Stefan Fritsch]

*) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
password to UTF-8. PR 45318.
[Johannes Müller <joh_m gmx.de>, Stefan Fritsch]

*) ab: Fix calculation of requests per second in HTML output. PR 48594.
[Stefan Fritsch]

*) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
password now result in an informational level log entry instead of
warning level. [Eric Covener]

Changes with Apache 2.3.5

*) SECURITY: CVE-2010-0434 (cve.mitre.org)
Ensure each subrequest has a shallow copy of headers_in so that the
parent request headers are not corrupted. Eliminates a problematic
optimization in the case of no request body. PR 48359
[Jake Scott, William Rowe, Ruediger Pluem]

*) Turn static function get_server_name_for_url() into public
ap_get_server_name_for_url() and use it where appropriate. This
fixes mod_rewrite generating invalid URLs for redirects to IPv6
literal addresses. [Stefan Fritsch]

*) mod_ldap: Introduce new config option LDAPTimeout to set the timeout
for LDAP operations like bind and search. [Stefan Fritsch]

*) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to
mod_proxy_ftp. [Takashi Sato]

*) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to
mod_proxy_connect. [Takashi Sato]

*) mod_cache: Do an exact match of the keys defined by
CacheIgnoreURLSessionIdentifiers against the querystring instead of
a partial match. PR 48401.
[Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]

*) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung]

*) Core HTTP: disable keepalive when the Client has sent
Expect: 100-continue
but we respond directly with a non-100 response.
Keepalive here led to data from clients continuing being treated as
a new request.
PR 47087 [Nick Kew]

*) Core: reject NULLs in request line or request headers.
PR 43039 [Nick Kew]

*) Core: (re)-introduce -T commandline option to suppress documentroot
check at startup.
PR 41887 [Jan van den Berg <janvdberg gmail.com>]

*) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions,
ScanHTMLTitles, ReadmeName, HeaderName
PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew]

*) Proxy: Fix ProxyPassReverse with relative URL
Derived (slightly erroneously) from PR 38864 [Nick Kew]

*) mod_headers: align Header Edit with Header Set when used on Content-Type
PR 48422 [Cyril Bonté <cyril.bonte free.fr>, Nick Kew]

*) mod_headers: Enable multi-match-and-replace edit option
PR 46594 [Nick Kew]

*) mod_filter: enable it to act on non-200 responses.
PR 48377 [Nick Kew]

Changes with Apache 2.3.4

*) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
and WatchdogMutexPath with a single Mutex directive. Add APIs to
simplify setup and user customization of APR proc and global mutexes.
(See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
respected; set DEFAULT_REL_RUNTIMEDIR instead. [Jeff Trawick]

*) http_core: KeepAlive no longer accepts other than On|Off.
[Takashi Sato]

*) mod_dav: Remove errno from dav_error interface. Calls to dav_new_error()
and dav_new_error_tag() must be adjusted to add an apr_status_t parameter.
[Jeff Trawick]

*) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
try other providers in the case of an LDAP bind failure.
PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]

*) Build: fix --with-module to work as documented
PR 43881 [Gez Saunders <gez.saunders virgin.net>]

Changes with Apache 2.3.3

*) SECURITY: CVE-2009-3095 (cve.mitre.org)
mod_proxy_ftp: sanity check authn credentials.
[Stefan Fritsch <sf fritsch.de>, Joe Orton]

*) SECURITY: CVE-2009-3094 (cve.mitre.org)
mod_proxy_ftp: NULL pointer dereference on error paths.
[Stefan Fritsch <sf fritsch.de>, Joe Orton]

*) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
OpenSSL 1.0.0b3. [Vipul Gupta <vipul.gupta sun.com>, Sander Temme]

*) mod_dav: Include uri when logging a PUT error due to connection abort.
PR 38149. [Stefan Fritsch]

*) mod_dav: Return 409 instead of 500 for a LOCK request if the parent
resource does not exist or is not a collection. PR 43465. [Stefan Fritsch]

*) mod_dav_fs: Return 409 instead of 500 for Litmus test case copy_nodestcoll
(a COPY request where the parent of the destination resource does not
exist). PR 39299. [Stefan Fritsch]

*) mod_dav_fs: Don't delete the whole file if a PUT with content-range failed.
PR 42896. [Stefan Fritsch]

*) mod_dav_fs: Make PUT create files atomically and no longer destroy the
old file if the transfer aborted. PR 39815. [Paul Querna, Stefan Fritsch]

*) mod_dav_fs: Remove inode keyed locking as this conflicts with atomically
creating files. On systems with inode numbers, this is a format change of
the DavLockDB. The old DavLockDB must be deleted on upgrade.
[Stefan Fritsch]

*) mod_log_config: Make ${cookie}C correctly match whole cookie names
instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
Stefan Fritsch]

*) vhost: A purely-numeric Host: header should not be treated as a port.
PR 44979 [Nick Kew]

*) mod_ldap: Avoid 500 errors with "Unable to set LDAP_OPT_REFHOPLIMIT option to 5"
when built against openldap by using SDK LDAP_OPT_REFHOPLIMIT defaults unless
LDAPReferralHopLimit is explicitly configured.
[Eric Covener]

*) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
[Eric Covener]

*) mod_ssl: Add support for OCSP Stapling. PR 43822.
[Dr Stephen Henson <shenson oss-institute.org>]

*) mod_socache_shmcb: Allow parens in file name if cache size is given.
Fixes SSLSessionCache directive mis-parsing parens in pathname.
PR 47945. [Stefan Fritsch]

*) htpasswd: Improve out of disk space handling. PR 30877. [Stefan Fritsch]

*) htpasswd: Use MD5 hash by default on all platforms. [Stefan Fritsch]

*) mod_sed: Reduce memory consumption when processing very long lines.
PR 48024 [Basant Kumar Kukreja <basant.kukreja sun.com>]

*) ab: Fix segfault in case the argument for -n is a very large number.
PR 47178. [Philipp Hagemeister <oss phihag.de>]

*) Allow ProxyPreserveHost to work in <Proxy> sections. PR 34901.
[Stefan Fritsch]

*) configure: Fix THREADED_MPMS so that mod_cgid is enabled again
for worker MPM. [Takashi Sato]

*) mod_dav: Provide a mechanism to obtain the request_rec and pathname
from the dav_resource. [Jari Urpalainen <jari.urpalainen nokia.com>,
Brian France <brian brianfrance.com>]

*) Build: Use install instead of cp if available on installing
modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com]

*) mod_cache: correctly consider s-maxage in cacheability
decisions. [Dan Poirier]

*) mod_logio/core: Report more accurate byte counts in mod_status if
mod_logio is loaded. PR 25656. [Stefan Fritsch]

*) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
some cache entries and log a warning. Also increase the default
LDAPSharedCacheSize to 500000. This is a more realistic size suitable
for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
PR 46749. [Stefan Fritsch]

*) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
the request is a CONNECT request. [Bill Zajac <billz consultla.com>]

*) mod_cache: Teach CacheEnable and CacheDisable to work from within a
Location section, in line with how ProxyPass works. [Graham Leggett]

*) mod_reqtimeout: New module to set timeouts and minimum data rates for
receiving requests from the client. [Stefan Fritsch]

*) core: Fix potential memory leaks by making sure to not destroy
bucket brigades that have been created by earlier filters.
[Stefan Fritsch]

*) core, mod_deflate, mod_sed: Reduce memory usage by reusing bucket
brigades in several places. [Stefan Fritsch]

*) mod_cache: Fix uri_meets_conditions() so that CacheEnable will
match by scheme, or by a wildcarded hostname. PR 40169
[Peter Grandi <pg_asf asf.for.sabi.co.uk>, Graham Leggett]

*) suexec: Allow to log an error if exec fails by setting FD_CLOEXEC
on the log file instead of closing it. PR 10744. [Nicolas Rachinsky]

*) mod_mime: Make RemoveType override the info from TypesConfig.
PR 38330. [Stefan Fritsch]

*) mod_cache: Introduce the option to run the cache from within the
normal request handler, and to allow fine grained control over
where in the filter chain content is cached. Adds CacheQuickHandler
directive. [Graham Leggett]

*) core: Treat timeout reading request as 408 error, not 400.
Log 408 errors in access log as was done in Apache 1.3.x.
PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>,
Stefan Fritsch <sf fritsch.de>, Dan Poirier]

*) mod_ssl: Reintroduce SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_SERVER_S_DN,
SSL_SERVER_I_DN back to the environment variables to be set by mod_ssl.
[Peter Sylvester <peter.sylvester edelweb.fr>]

*) mod_disk_cache: don't cache incomplete responses, per RFC 2616, 13.8.
PR 15866. [Dan Poirier]

*) ab: ab segfaults in verbose mode on https sites
PR 46393. [Ryan Niebur]

*) mod_dav: Allow other modules to become providers and add resource types
to the DAV response. [Jari Urpalainen <jari.urpalainen nokia.com>,
Brian France <brian brianfrance.com>]

*) mod_dav: Allow other modules to add things to the DAV or Allow headers
of an OPTIONS request. [Jari Urpalainen <jari.urpalainen nokia.com>,
Brian France <brian brianfrance.com>]

*) core: Lower memory usage of core output filter.
[Stefan Fritsch <sf sfritsch.de>]

*) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
LocationMatch sections. PR 47754. [Dan Poirier]

*) mod_request: Make sure the KeptBodySize directive rejects values
that aren't valid numbers. [Graham Leggett]

*) mod_session_crypto: Sanity check should the potentially encrypted
session cookie be too short. [Graham Leggett]

*) mod_session.c: Prevent a segfault when session is added but not
configured. [Graham Leggett]

*) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]

*) mod_auth_digest: Fail server start when nonce count checking
is configured without shared memory, or md5-sess algorithm is
configured. [Dan Poirier]

*) mod_proxy_connect: The connect method doesn't work if the client is
connecting to the apache proxy through an ssl socket. Fixed.
PR 29744. [Brad Boyer, Mark Cave-Ayland, Julian Gilbey, Fabrice Durand,
David Gence, Tim Dodge, Per Gunnar Hans, Emmanuel Elango,
Kevin Croft, Rudolf Cardinal]

*) mod_ssl: The error message when SSLCertificateFile is missing should
at least give the name or position of the problematic virtual host
definition. [Stefan Fritsch <sf sfritsch.de>]

*) mod_auth_digest: Fix null pointer when qop=none. [Dan Poirier]

*) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]

*) mod_headers: generalise the envclause to support expression
evaluation with ap_expr parser [Nick Kew]

*) mod_cache: Introduce the thundering herd lock, a mechanism to keep
the flood of requests at bay that strike a backend webserver as
a cached entity goes stale. [Graham Leggett]

*) mod_auth_digest: Fix usage of shared memory and re-enable it.
PR 16057 [Dan Poirier]

*) Preserve Port information over internal redirects
PR 35999 [Jonas Ringh <jonas.ringh cixit.se>]

*) Proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
rather than BAD_GATEWAY or (especially) NOT_FOUND.
PR 46971 [evanc nortel.com]

*) Various modules: Do better checking of pollset operations in order to
avoid segmentation faults if they fail. PR 46467
[Stefan Fritsch <sf sfritsch.de>]

*) mod_autoindex: Correctly create an empty cell if the description
for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]

*) ab: Fix broken error messages after resolver or connect() failures.
[Jeff Trawick]

*) SECURITY: CVE-2009-1890 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_proxy in a
reverse proxy configuration, where a remote attacker can force a
proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]

*) SECURITY: CVE-2009-1191 (cve.mitre.org)
mod_proxy_ajp: Avoid delivering content from a previous request which
failed to send a request body. PR 46949 [Ruediger Pluem]

*) htdbm: Fix possible buffer overflow if dbm database has very
long values. PR 30586 [Dan Poirier]

*) core: Return APR_EOF if request body is shorter than the length announced
by the client. PR 33098 [Stefan Fritsch <sf sfritsch.de>]

*) mod_suexec: correctly set suexec_enabled when httpd is run by a
non-root user and may have insufficient permissions.
PR 42175 [Jim Radford <radford blackbean.org>]

*) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
type. PR 45107. [Michael Ströder <michael stroeder.com>,
Peter Sylvester <peter.sylvester edelweb.fr>]

*) mod_proxy_http: fix case sensitivity checking transfer encoding
PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]

*) mod_alias: ensure Redirect issues a valid URL.
PR 44020 [Håkon Stordahl <hakon stordahl.org>]

*) mod_dir: add FallbackResource directive, to enable admin to specify
an action to happen when a URL maps to no file, without resorting
to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew]

*) mod_cgid: Do not leak the listening Unix socket file descriptor to the
CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>]

*) mod_rewrite: Remove locking for writing to the rewritelog.
PR 46942 [Dan Poirier <poirier pobox.com>]

*) mod_alias: check sanity in Redirect arguments.
PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]

*) mod_proxy_http: fix Host: header for literal IPv6 addresses.
PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]

*) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
defined session identifiers encoded in the URL when caching.
[Ruediger Pluem]

*) mod_rewrite: Fix the error string returned by RewriteRule.
RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
argument of RewriteRule was not started with "[" or not ended with "]".
PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]

*) Windows: Fix usage message.
[Rainer Jung]

*) apachectl: When passing through arguments to httpd in
non-SysV mode, use the "$@" syntax to preserve arguments.
[Eric Covener]

*) mod_dbd: add DBDInitSQL directive to enable SQL statements to
be run when a connection is opened. PR 46827
[Marko Kevac <mkevac gmail.com>]

*) mod_cgid: Improve handling of long AF_UNIX socket names (ScriptSock).
PR 47037. [Jeff Trawick]

*) mod_proxy_ajp: Check more strictly that the backend follows the AJP
protocol. [Mladen Turk]

*) mod_proxy_ajp: Forward remote port information by default.
[Rainer Jung]

*) Allow MPMs to be loaded dynamically, as with most other modules. Use
--enable-mpms-shared={list|"all"} to enable. This required changes to
the MPM interfaces. Removed: mpm.h, mpm_default.h (as an installed
header), APACHE_MPM_DIR, MPM_NAME, ap_threads_per_child,
ap_max_daemons_limit, ap_my_generation, etc. ap_mpm_query() can't be
called until after the register-hooks phase. [Jeff Trawick]

*) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
to enable stricter checking of remote server certificates.
[Ruediger Pluem]

*) ab: Fix a 100% CPU loop on platforms where a failed non-blocking connect
returns EINPROGRESS and a subsequent poll() returns only POLLERR.
Observed on HP-UX. [Eric Covener]

*) Remove broken support for BeOS, TPF, and even older platforms such
as A/UX, Next, and Tandem. [Jeff Trawick]

*) mod_proxy_ftp: Add ProxyFtpListOnWildcard directive to allow files with
globbing characters to be retrieved instead of converted into a
directory listing. PR 46789 [Dan Poirier <poirier pobox.com>]

*) Provide ap_retained_data_create()/ap_retained_data_get() for preservation
of module state across unload/load. [Jeff Trawick]

*) mod_substitute: Fix a memory leak. PR 44948
[Dan Poirier <poirier pobox.com>]

Changes with Apache 2.3.2

*) mod_mime_magic: Fix detection of compressed content. [Rainer Jung]

*) mod_negotiation: Escape paths of filenames in 406 responses to avoid
HTML injections and HTTP response splitting. PR 46837.
[Geoff Keating <geoffk apple.com>]

*) mod_ssl: add support for type-safe STACK constructs in OpenSSL
development HEAD. PR 45521. [Kaspar Brand, Sander Temme]

*) ab: Fix maintenance of the pollset to resolve EALREADY errors
with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris).
PR 44584. Use APR_POLLSET_NOCOPY for better performance with some
pollset implementations. [Jeff Trawick]

*) mod_disk_cache: The module now turns off sendfile support if
'EnableSendfile off' is defined globally. [Lars Eilebrecht]

*) mod_deflate: Adjust content metadata before bailing out on 304
responses so that the metadata does not differ from 200 response.
[Roy T. Fielding]

*) mod_deflate: Fix creation of invalid Etag headers. We now make sure
that the Etag value is properly quoted when adding the gzip marker.
PR 39727, 45023. [Lars Eilebrecht, Roy T. Fielding]

*) Added 20x22 icons for ODF, SVG, and XML documents. PR 37185.
[Peter Harlow]

*) Disabled DefaultType directive and removed ap_default_type()
from core. We now exclude Content-Type from responses for which
a media type has not been configured via mime.types, AddType,
ForceType, or some other mechanism. PR 13986. [Roy T. Fielding]

*) mod_rewrite: Add IPV6 variable to RewriteCond
[Ryan Phillips <ryan-apache trolocsis.com>]

*) core: Enhance KeepAliveTimeout to support a value in milliseconds.
PR 46275. [Takashi Sato]

*) rotatelogs: Allow size units B, K, M, G and combination of
time and size based rotation. [Rainer Jung]

*) rotatelogs: Add flag for verbose (debug) output. [Rainer Jung]

*) mod_ssl: Fix merging of SSLRenegBufferSize directive. PR 46508
[<tlhackque yahoo.com>]

*) core: Translate the status line to ASCII on EBCDIC platforms in
ap_send_interim_response() and for locally generated "100 Continue"
responses. [Eric Covener]

*) prefork: Fix child process hang during graceful restart/stop in
configurations with multiple listening sockets. PR 42829. [Joe Orton,
Jeff Trawick]

*) mod_session_crypto: Ensure that SessionCryptoDriver can only be
set in the global scope. [Graham Leggett]

*) mod_ext_filter: We need to detect failure to startup the filter
program (a mangled response is not acceptable). Fix to detect
failure, and offer configuration option either to abort or
to remove the filter and continue.
PR 41120 [Nick Kew]

*) mod_session_crypto: Rewrite the session_crypto module against the
apr_crypto API. [Graham Leggett]

*) mod_auth_form: Fix a pool lifetime issue, don't remove the subrequest
until the main request is cleaned up. [Graham Leggett]

Changes with Apache 2.3.1

*) ap_slotmem: Add in new slot-based memory access API impl., including
2 providers (mod_sharedmem and mod_plainmem) [Jim Jagielski,
Jean-Frederic Clere, Brian Akins <brian.akins turner.com>]

*) mod_include: support generating non-ASCII characters as entities in SSI
PR 25202 [Nick Kew]

*) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
PR 25202 [Nick Kew]

*) mod_rewrite: fix "B" flag breakage by reverting r5589343
PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]

*) CGI: return 504 (Gateway timeout) rather than 500 when a script
times out before returning status line/headers.
PR 42190 [Nick Kew]

*) mod_cgid: fix segfault problem on Solaris.
PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>]

*) mod_proxy_scgi: Added. [André Malo]

*) mod_cache: Introduce 'no-cache' per-request environment variable
to prevent the saving of an otherwise cacheable response.
[Eric Covener]

*) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
way that per-directory rewrites append the previous notion of PATH_INFO
to each substitution before evaluating subsequent rules.
PR 38642 [Eric Covener]

*) mod_cgid: Do not add an empty argument when calling the CGI script.
PR 46380 [Ruediger Pluem]

*) scoreboard: Remove unused sb_type from process_score.
[Torsten Foertsch <torsten.foertsch gmx.net>, Chris Darroch]

*) mod_ssl: Add SSLRenegBufferSize directive to allow changing the
size of the buffer used for the request-body where necessary
during a per-dir renegotiation. PR 39243. [Joe Orton]

*) mod_proxy_fdpass: New module to pass a client connection over to a separate
process that is reading from a unix daemon socket.

*) mod_ssl: Improve environment variable extraction to be more
efficient and to correctly handle DNs with duplicate tags.
PR 45975. [Joe Orton]

*) Remove the obsolete serial attribute from the RPM spec file. Compile
against the external pcre. Add missing binaries fcgistarter, and
mod_socache* and mod_session*. [Graham Leggett]

Changes with Apache 2.3.0

*) mod_ratelimit: New module to do bandwidth rate limiting. [Paul Querna]

*) Remove X-Pad header which was added as a work around to a bug in
Netscape 2.x to 4.0b2. [Takashi Sato <takashi lans-tv.com>]

*) Add DTrace Statically Defined Tracing (SDT) probes.
[Theo Schlossnagle <jesus omniti.com>, Paul Querna]

*) mod_proxy_balancer: Move all load balancing implementations
as individual, self-contained mod_proxy submodules under
modules/proxy/balancers [Jim Jagielski]

*) Rename APIs to include ap_ prefix:
find_child_by_pid -> ap_find_child_by_pid
suck_in_APR -> ap_suck_in_APR
sys_privileges_handlers -> ap_sys_privileges_handlers
unixd_accept -> ap_unixd_accept
unixd_config -> ap_unixd_config
unixd_killpg -> ap_unixd_killpg
unixd_set_global_mutex_perms -> ap_unixd_set_global_mutex_perms
unixd_set_proc_mutex_perms -> ap_unixd_set_proc_mutex_perms
unixd_set_rlimit -> ap_unixd_set_rlimit
[Paul Querna]

*) mod_lbmethod_heartbeat: New module to load balance mod_proxy workers
based on heartbeats. [Paul Querna]

*) mod_heartmonitor: New module to collect heartbeats, and write out a file
so that other modules can load balance traffic as needed. [Paul Querna]

*) mod_heartbeat: New module to generate multicast heartbeats to know if a
server is online. [Paul Querna]

*) mod_buffer: Honour the flush bucket and flush the buffer in the
input filter. Make sure that metadata buckets are written to
the buffer, not to the final brigade. [Graham Leggett]

*) mod_buffer: Optimise the buffering of heap buckets when the heap
buckets stay exactly APR_BUCKET_BUFF_SIZE long. [Graham Leggett,
Ruediger Pluem]

*) mod_buffer: Optional support for buffering of the input and output
filter stacks. Can collapse many small buckets into fewer larger
buckets, and prevents excessively small chunks being sent over
the wire. [Graham Leggett]

*) mod_privileges: new module to make httpd on Solaris privileges-aware
and to enable different virtualhosts to run with different
privileges and Unix user/group IDs [Nick Kew]

*) mod_mem_cache: this module has been removed. [William Rowe]

*) authn/z: Remove mod_authn_default and mod_authz_default.
[Chris Darroch]

*) authz: Fix handling of authz configurations, make default authz
logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject,
and AuthzMergeRules directives with Match, <Match*>, and AuthzMerge
directives. [Chris Darroch]

*) mod_authn_core: Prevent crash when provider alias created to
provider which is not yet registered. [Chris Darroch]

*) mod_authn_core: Add AuthType of None to support disabling
authentication. [Chris Darroch]

*) core: Allow <Limit> and <LimitExcept> directives to nest, and
constrain their use to conform with that of other access control
and authorization directives. [Chris Darroch]

*) unixd: turn existing code into a module, and turn the set user/group
and chroot into a child_init function. [Nick Kew]

*) mod_dir: Support "DirectoryIndex disabled"
Suggested By André Warnier <aw ice-sa.com> [Eric Covener]

*) mod_ssl: Send Content-Type application/ocsp-request for POST requests to
OCSP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>]

*) mod_authnz_ldap: don't return NULL-valued environment variables to
other modules. PR 39045 [Francois Pesce <francois.pesce gmail.com>]

*) Don't adjust case in pathname components that are not of interest
to mod_mime. Fixes mod_negotiation's use of such components.
PR 43250 [Basant Kumar Kukreja <basant.kukreja sun.com>]

*) Be tolerant in what you accept - accept slightly broken
status lines from a backend provided they include a valid status code.
PR 44995 [Rainer Jung <rainer.jung kippdata.de>]

*) New module mod_sed: filter Request/Response bodies through sed
[Basant Kumar Kukreja <basant.kukreja sun.com>]

*) mod_auth_form: Make sure that basic authentication is correctly
faked directly after login. [Graham Leggett]

*) mod_session_cookie, mod_session_dbd: Make sure cookies are set both
within the output headers and error output headers, so that the
session is maintained across redirects. [Graham Leggett]

*) mod_auth_form: Make sure the logged in user is populated correctly
after a form login. Fixes a missing REMOTE_USER variable directly
following a login. [Graham Leggett]

*) mod_session_cookie: Make sure that cookie attributes are correctly
included in the blank cookie when cookies are removed. This fixes an
inability to log out when using mod_auth_form. [Graham Leggett]

*) mod_session: Prevent a segfault when a CGI script sets a cookie with a
null value. [David Shane Holden <dpejesh apache.org>]

*) core, authn/z: Determine registered authn/z providers directly in
ap_setup_auth_internal(), which allows optional functions that just
wrapped ap_list_provider_names() to be removed from authn/z modules.
[Chris Darroch]

*) authn/z: Convert common provider version strings to macros.
[Chris Darroch]

*) core: When testing for slash-terminated configuration paths in
ap_location_walk(), don't look past the start of an empty string
such as that created by a <Location ""> directive.
[Chris Darroch]

*) core, mod_proxy: If a kept_body is present, it becomes safe for
subrequests to support message bodies. Make sure that safety
checks within the core and within the proxy are not triggered
when kept_body is present. This makes it possible to embed
proxied POST requests within mod_include. [Graham Leggett]

3948 |
*) mod_auth_form: Make sure the input filter stack is properly set |
3949 |
up before reading the login form. Make sure the kept body filter |
3950 |
is correctly inserted to ensure the body can be read a second |
3951 |
time safely should the authn be successful. [Graham Leggett, |
3952 |
Ruediger Pluem] |
3953 |
|
3954 |
*) mod_request: Insert the KEPT_BODY filter via the insert_filter |
3955 |
hook instead of during fixups. Add a safety check to ensure the |
3956 |
filters cannot be inserted more than once. [Graham Leggett, |
3957 |
Ruediger Pluem] |
3958 |
|
3959 |
*) ap_cache_cacheable_headers_out() will (now) always
merge error headers _before_ clearing them and _before_
merging in the actual entity headers and doing normal
hop-by-hop cleansing. [Dirk-Willem van Gulik].

*) cache: retire ap_cache_cacheable_hdrs_out() which was used
for both in- and out-put headers; and replace it by a single
ap_cache_cacheable_headers() wrapped in an in- and out-put
specific ap_cache_cacheable_headers_in()/out(). The latter
will also merge error and ensure content-type, to keep
cache modules consistent with ease. This API change bumps
up the minor MM by one [Dirk-Willem van Gulik].

*) Move the KeptBodySize directive, kept_body filters and the
ap_parse_request_body function out of the http module and into a
new module called mod_request, reducing the size of the core.
[Graham Leggett]

*) mod_dbd: Handle integer configuration directive parameters with a
dedicated function.

*) Change the directives within the mod_session* modules to be valid
both inside and outside the location/directory sections, as
suggested by wrowe. [Graham Leggett]

*) mod_auth_form: Add a module capable of allowing end users to log
in using an HTML form, storing the credentials within mod_session.
[Graham Leggett]

*) Add a function to the http filters that is able to parse an HTML
form request with the type of application/x-www-form-urlencoded.
[Graham Leggett]

*) mod_session_crypto: Initialise SSL in the post config hook.
[Ruediger Pluem, Graham Leggett]

*) mod_session_dbd: Add a session implementation capable of storing
session information in a SQL database via the dbd interface. Useful
for sites where session privacy is important. [Graham Leggett]

*) mod_session_crypto: Add a session encoding implementation capable
of encrypting and decrypting sessions wherever they may be stored.
Introduces a level of privacy when sessions are stored on the
browser. [Graham Leggett]

*) mod_session_cookie: Add a session implementation capable of storing
session information within cookies on the browser. Useful for high
volume sites where server bound sessions are too resource intensive.
[Graham Leggett]

*) mod_session: Add a generic session interface to unify the different
attempts at saving persistent sessions across requests.
[Graham Leggett]

*) core, authn/z: Avoid calling access control hooks for internal requests
with configurations which match those of initial request. Revert to
original behaviour (call access control hooks for internal requests
with URIs different from initial request) if any access control hooks or
providers are not registered as permitting this optimization.
Introduce wrappers for access control hook and provider registration
which can accept additional mode and flag data. [Chris Darroch]

*) Introduced ap_expr API for expression evaluation.
This is adapted from mod_include, which is the first module
to use the new API.
[Nick Kew]

*) mod_authz_dbd: When redirecting after successful login/logout per
AuthzDBDRedirectQuery, do not report authorization failure, and use
first row returned by database query instead of last row.
[Chris Darroch]

*) mod_ldap: Correctly return all requested attribute values
when some attributes have a null value.
PR 44560 [Anders Kaseorg <anders kaseorg.com>]

*) core: check symlink ownership if both FollowSymlinks and
SymlinksIfOwnerMatch are set [Nick Kew]

*) core: fix origin checking in SymlinksIfOwnerMatch
PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]

*) Activate mod_cache, mod_file_cache and mod_disk_cache as part of the
'most' set for '--enable-modules' and '--enable-shared-mods'. Include
mod_mem_cache in 'all' as well. [Dirk-Willem van Gulik]

*) Also install mod_so.h, mod_rewrite.h and mod_cache.h; as these
contain public function declarations which are useful for
third party module authors. PR 42431 [Dirk-Willem van Gulik].

*) mod_dir, mod_negotiation: pass the output filter information
to newly created sub requests; as these are later on used
as true requests with an internal redirect. This allows for
mod_cache et al. to trap the results of the redirect.
[Dirk-Willem van Gulik, Ruediger Pluem]

*) mod_ldap: Add support (taking advantage of the new APR capability)
for ldap rebind callback while chasing referrals. This allows direct
searches on LDAP servers (in particular MS Active Directory 2003+)
using referrals without the use of the global catalog.
PRs 26538, 40268, and 42557 [Paul J. Reder]

*) ApacheMonitor.exe: Introduce --kill argument for use by the
installer. This will permit the installation tool to remove
all running instances before attempting to remove the .exe.
[William Rowe]

*) mod_ssl: Add support for OCSP validation of client certificates.
PR 41123. [Marc Stern <marc.stern approach.be>, Joe Orton]

*) mod_serf: New module for Reverse Proxying. [Paul Querna]

*) core: Add the option to keep aside a request body up to a certain
size that would otherwise be discarded, to be consumed by filters
such as mod_include. When enabled for a directory, POST requests
to shtml files can be passed through to embedded scripts as POST
requests, rather than being downgraded to GET requests. [Graham Leggett]

*) mod_ssl: Fix TLS upgrade (RFC 2817) support. PR 41231. [Joe Orton]

*) scoreboard: Correctly declare ap_time_process_request.
PR 43789 [Tom Donovan <Tom.Donovan acm.org>]

*) core; scoreboard: ap_get_scoreboard_worker(sbh) now takes the sbh member
from the connection rec, ap_get_scoreboard_worker(proc, thread) will now
provide the unusual legacy lookup. [William Rowe]

*) mpm winnt: fix null pointer dereference
PR 42572 [Davi Arnaut]

*) mod_authnz_ldap, mod_authn_dbd: Tidy up the code to expose authn
parameters to the environment. Improve portability to
EBCDIC machines by using apr_toupper(). [Martin Kraemer]

*) mod_ldap, mod_authnz_ldap: Add support for nested groups (i.e. the ability
to authorize an authenticated user via a "require ldap-group X" directive
where the user is not in group X, but is in a subgroup contained in X).
PR 42891 [Paul J. Reder]

*) mod_ssl: Add support for caching SSL Sessions in memcached. [Paul Querna]

*) apxs: Enhance -q flag to print all known variables and their values
when invoked without variable name(s).
[William Rowe, Sander Temme]

*) apxs: Eliminate run-time check for mod_so. PR 40653.
[David M. Lee <dmlee crossroads.com>]

*) beos MPM: Create pmain pool and run modules' child_init hooks when
entering ap_mpm_run(), then destroy pmain when exiting ap_mpm_run().
[Chris Darroch]

*) netware MPM: Destroy pmain pool when exiting ap_mpm_run() so that
cleanups registered in modules' child_init hooks are performed.
[Chris Darroch]

*) Fix issue which could cause error messages to be written to access logs
on Win32. PR 40476. [Tom Donovan <Tom.Donovan acm.org>]

*) The LockFile directive, which specifies the location of
the accept() mutex lockfile, is deprecated. Instead, the
AcceptMutex directive now takes an optional lockfile
location parameter, ala SSLMutex. [Jim Jagielski]

*) mod_authn_dbd: Export any additional columns queried in the SQL select
into the environment with the name AUTHENTICATE_<COLUMN>. This brings
mod_authn_dbd behaviour in line with mod_authnz_ldap. [Graham Leggett]

*) mod_dbd: Key the storage of prepared statements on the hex string
value of server_rec, rather than the server name, as the server name
may change (e.g. when the server name is set) at any time, causing
weird behaviour in modules dependent on mod_dbd. [Graham Leggett]

*) mod_proxy_fcgi: Added win32 build. [Mladen Turk]

*) sendfile_nonblocking() takes the _brigade_ as an argument, gets
the first bucket from the brigade, finds it not to be a FILE
bucket and barfs. The fix is to pass a bucket rather than a brigade.
[Niklas Edmundsson <nikke acc.umu.se>]

*) mod_rewrite: support rewritemap by SQL query [Nick Kew]

*) ap_get_server_version() has been removed. Third-party modules must
now use ap_get_server_banner() or ap_get_server_description().
[Jeff Trawick]

*) All MPMs: Introduce a check_config phase between pre_config and
open_logs, to allow modules to review interdependent configuration
directive values and adjust them while messages can still be logged
to the console. Handle relevant MPM directives during this phase
and format messages for both the console and the error log, as
appropriate. [Chris Darroch]

*) core: Do not allow internal redirects like the DirectoryIndex of mod_dir
to circumvent the symbolic link checks imposed by FollowSymLinks and
SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem, William Rowe]

*) New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ]
configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
The default is none as this is far greater debugging resolution than
the typical administrator is prepared to untangle. [William Rowe]

*) mod_disk_cache: If possible, check if the size of an object to cache is
within the configured boundaries before actually saving data.
[Niklas Edmundsson <nikke acc.umu.se>]

*) Worker and event MPMs: Remove improper scoreboard updates which were
performed in the event of a fork() failure. [Chris Darroch]

*) Add support for fcgi:// proxies to mod_rewrite.
[Markus Schiegl <ms schiegl.com>]

*) Remove incorrect comments from scoreboard.h regarding conditional
loading of worker_score structure with mod_status, and remove unused
definitions relating to old life_status field.
[Chris Darroch <chrisd pearsoncmg.com>]

*) Remove allocation of memory for unused array of lb_score pointers
in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]

*) Add mod_proxy_fcgi, a FastCGI back end for mod_proxy.
[Garrett Rooney, Jim Jagielski, Paul Querna]

*) Event MPM: Fill in the scoreboard's tid field. PR 38736.
[Chris Darroch <chrisd pearsoncmg.com>]

*) mod_charset_lite: Remove Content-Length when output filter can
invalidate it. Warn when input filter can invalidate it.
[Jeff Trawick]

*) Authz: Add the new module mod_authn_core that will provide common
authn directives such as 'AuthType', 'AuthName'. Move the directives
'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias
into mod_authn_core. [Brad Nicholes]

*) Authz: Move the directives 'Order', 'Allow', 'Deny' and 'Satisfy'
into the new module mod_access_compat which can be loaded to provide
support for these directives.
[Brad Nicholes]

*) Authz: Move the 'Require' directive from the core module as well as
add the directives '<SatisfyAll>', '<SatisfyOne>', '<RequireAlias>'
and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
logic into the authorization processing. [Brad Nicholes]

*) Authz: Add the new module mod_authz_core which acts as the
authorization provider vector and contains common authz
directives. [Brad Nicholes]

*) Authz: Renamed mod_authz_dbm authz providers from 'group' and
'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes]

*) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle
host-based access control provided by mod_authz_host and invoked
through the 'Require' directive. [Brad Nicholes]

*) Authz: Convert all of the authz modules from hook based to
provider based. [Brad Nicholes]

*) mod_cache: Add CacheMinExpire directive to set the minimum time in
seconds to cache a document.
[Brian Akins <brian.akins turner.com>, Ruediger Pluem]

*) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]

*) Fix typo in ProxyStatus syntax error message.
[Christophe Jaillet <christophe.jaillet wanadoo.fr>]

*) Asynchronous write completion for the Event MPM. [Brian Pane]

*) Added an End-Of-Request bucket type. The logging of a request and
the freeing of its pool are now done when the EOR bucket is destroyed.
This has the effect of delaying the logging until right after the last
of the response is sent; ap_core_output_filter() calls the access logger
indirectly when it destroys the EOR bucket. [Brian Pane]

*) Rewrite of logresolve support utility: IPv6 addresses are now supported
and the format of statistical output has changed. [Colm MacCarthaigh]

*) Rewrite of ap_core_output_filter to do nonblocking writes [Brian Pane]

*) Added new connection states for handler and write completion
[Brian Pane]

*) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264.
[Justin Erenkrantz]

*) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive,
allowing string-valued client certificate attributes to be used for
access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1")
[Martin Kraemer, David Reid]

[Apache 2.3.0-dev includes those bug fixes and changes with the
Apache 2.2.xx tree as documented, and except as noted, below.]

Changes with Apache 2.2.x and later:

*) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup

Changes with Apache 2.0.x and later:

*) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup