| -*- coding: utf-8 -*- |
| |
| Changes with Apache 2.4.7 |
| |
| *) APR 1.5.0 or later is now required for the event MPM. |
| |
| *) slotmem_shm: Error detection. [Jim Jagielski] |
| |
| *) event: Use skiplist data structure. [Jim Jagielski] |
| |
| *) mpm_unix: Add ap_mpm_podx_* implementation to avoid code duplication |
| and align w/ trunk. [Jim Jagielski] |
| |
| *) Fix potential rejection of valid MaxMemFree and ThreadStackSize |
| directives. [Mike Rumph <mike.rumph oracle.com>] |
| |
| *) mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars. |
| An individual envvar with an encoded length of more than 16K will be |
| omitted. [Jeff Trawick] |
| |
| *) mod_proxy_fcgi: Handle reading protocol data that is split between |
| packets. [Jeff Trawick] |
| |
| *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by |
| allowing custom parameters to be configured via SSLCertificateFile, |
| and by adding standardized DH parameters for 1024/2048/3072/4096 bits. |
| Unless custom parameters are configured, the standardized parameters |
| are applied based on the certificate's RSA/DSA key size. [Kaspar Brand] |
| |
| *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand] |
| |
| *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA |
| keys, and unconditionally disable aNULL, eNULL and EXP ciphers |
| (not overridable via SSLCipherSuite). [Kaspar Brand] |
| |
| *) Add experimental cmake-based build system for Windows. [Jeff Trawick, |
| Tom Donovan] |
| |
| *) event MPM: Fix possible crashes (third party modules accessing c->sbh) |
| or occasional missed mod_status updates for some keepalive requests |
| under load. [Eric Covener] |
| |
| *) mod_authn_socache: Support optional initialization arguments for |
| socache providers. [Chris Darroch] |
| |
| *) mod_session: Reset the max-age on session save. PR 47476. [Alexey |
| Varlamov <alexey.v.varlamov gmail com>] |
| |
| *) mod_session: After parsing the value of the header specified by the |
| SessionHeader directive, remove the value from the response. PR 55279. |
| [Graham Leggett] |
| |
| *) mod_headers: Allow for format specifiers in the substitution string |
| when using Header edit. [Daniel Ruggeri] |
| |
| *) mod_dav: dav_resource->uri is treated as unencoded. This was an |
| unnecessary ABI change introduced in 2.4.6. PR 55397. |
| |
| *) mod_dav: Don't require lock tokens for COPY source. PR 55306. |
| |
| *) core: Don't truncate output when sending is interrupted by a signal, |
| such as from an exiting CGI process. PR 55643. [Jeff Trawick] |
| |
| *) WinNT MPM: Exit the child if the parent process crashes or is terminated. |
| [Oracle Corporation] |
| |
| *) Windows: Correct failure to discard stderr in some error log |
| configurations. (Error message AH00093) [Jeff Trawick] |
| |
| *) mod_session_crypto: Allow using exec: calls to obtain session |
| encryption key. [Daniel Ruggeri] |
| |
| *) core: Add missing Reason-Phrase in HTTP response headers. |
| PR 54946. [Rainer Jung] |
| |
| *) mod_rewrite: Make rewrite websocket-aware to allow proxying. |
| PR 55598. [Chris Harris <chris.harris kitware com>] |
| |
| *) mod_ldap: When looking up sub-groups, use an implicit objectClass=* |
| instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>] |
| |
| *) ab: Add wait time, fix processing time, and output write errors only if |
| they occurred. [Christophe Jaillet] |
| |
| *) worker MPM: Don't forcibly kill worker threads if the child process is |
| exiting gracefully. [Oracle Corporation] |
| |
| *) core: apachectl -S prints wildcard name-based virtual hosts twice. |
| PR54948 [Eric Covener] |
| |
| *) mod_auth_basic: Add AuthBasicUseDigestAlgorithm directive to |
| allow migration of passwords from digest to basic authentication. |
| [Chris Darroch] |
| |
| *) ab: Add a new -l parameter in order not to check the length of the responses. |
| This can be useful with dynamic pages. |
| PR9945, PR27888, PR42040 [<ccikrs1 cranbrook edu>] |
| |
| *) Suppress formatting of startup messages written to the console when |
| ErrorLogFormat is used. [Jeff Trawick] |
| |
| *) mod_auth_digest: Be more specific when the realm mismatches because the |
| realm has not been specified. [Graham Leggett] |
| |
| *) mod_proxy: Add a note in the balancer manager stating whether changes |
| will or will not be persisted and whether settings are inherited. |
| [Daniel Ruggeri, Jim Jagielski] |
| |
| *) mod_cache: Avoid a crash with strcmp() when the hostname is not provided. |
| [Graham Leggett] |
| |
| *) core: Add util_fcgi.h and associated definitions and support |
| routines for FastCGI, based largely on mod_proxy_fcgi. |
| [Jeff Trawick] |
| |
| *) mod_headers: Add 'Header note header-name note-name' for copying a response |
| header's value into a note. [Eric Covener] |
| |
| *) mod_headers: Add 'setifempty' command to Header and RequestHeader. |
| [Eric Covener] |
| |
| *) mod_logio: new format-specifier %S (sum) which is the sum of received |
| and sent byte counts. |
| PR54015 [Christophe Jaillet] |
| |
| *) mod_deflate: Improve error detection when decompressing request bodies |
| with trailing garbage: handle case where trailing bytes are in |
| the same bucket. [Rainer Jung] |
| |
| *) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663 |
| from ERROR to DEBUG, since these modules do not know what mod_authz_core |
| is doing with their AUTHZ_DENIED return value. [Eric Covener] |
| |
| *) mod_ldap: add TRACE5 for LDAP retries. [Eric Covener] |
| |
| *) mod_ldap: retry on an LDAP timeout during authn. [Eric Covener] |
| |
| *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP |
| SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK |
| default, sans rebind authentication callback. |
| [Jan Kaluza <kaluze AT redhat.com>] |
| |
| *) core: Log a message at TRACE1 when the client aborts a connection. |
| [Eric Covener] |
| |
| *) WinNT MPM: Don't crash during child process initialization if the |
| Listen protocol is unrecognized. [Jeff Trawick] |
| |
| *) modules: Fix some compiler warnings. [Guenter Knauf] |
| |
| *) Sync 2.4 and trunk |
| - Avoid some memory allocation and work when TRACE1 is not activated |
| - fix typo in include guard |
| - indent |
| - No need to lower the string before removing the path, it is just a waste of time... |
| - Save a few cycles |
| [Christophe Jaillet <christophe.jaillet wanadoo.fr>] |
| |
| *) mod_filter: Add "change=no" as a proto-flag to FilterProtocol |
| to remove a provider's initial flags set at registration time. |
| [Eric Covener] |
| |
| *) core, mod_ssl: Enable the ability for a module to reverse the sense of |
| a poll event from a read to a write or vice versa. This is a step on |
| the way to allow mod_ssl taking full advantage of the event MPM. |
| [Graham Leggett] |
| |
| *) Makefile.win: Install proper pcre DLL file during debug build install. |
| PR 55235. [Ben Reser <ben reser org>] |
| |
| *) mod_ldap: Fix a potential memory leak or corruption. PR 54936. |
| [Zhenbo Xu <zhenbo1987 gmail com>] |
| |
| *) ab: Fix potential buffer overflows when processing the T and X |
| command-line options. PR 55360. |
| [Mike Rumph <mike.rumph oracle.com>] |
| |
| *) fcgistarter: Specify SO_REUSEADDR to allow starting a server |
| with old connections in TIME_WAIT. [Jeff Trawick] |
| |
| *) core: Add open_htaccess hook which, in conjunction with dirwalk_stat |
| and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be |
| used without patches to httpd core. [Stefan Fritsch] |
| |
| *) support/htdbm: fix processing of -t command line switch. Regression |
| introduced in 2.4.4 |
| PR 55264 [Jo Rhett <jrhett netconsonance com>] |
| |
| Changes with Apache 2.4.6 |
| |
| *) Revert a broken fix for PR54948 that was applied to 2.4.5 (which was |
| not released) and found post-2.4.5 tagging. |
| |
| Changes with Apache 2.4.5 |
| |
| *) SECURITY: CVE-2013-1896 (cve.mitre.org) |
| mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with |
| the source href (sent as part of the request body as XML) pointing to a |
| URI that is not configured for DAV will trigger a segfault. [Ben Reser |
| <ben reser.org>] |
| |
| *) SECURITY: CVE-2013-2249 (cve.mitre.org) |
| mod_session_dbd: Make sure that dirty flag is respected when saving |
| sessions, and ensure the session ID is changed each time the session |
| changes. This changes the format of the updatesession SQL statement. |
| Existing configurations must be changed. |
| [Takashi Sato, Graham Leggett] |
| |
| *) mod_auth_basic: Add a generic mechanism to fake basic authentication |
| using the ap_expr parser. AuthBasicFake allows the administrator to |
| construct their own username and password for basic authentication based |
| on their needs. [Graham Leggett] |
| |
| *) mpm_event: Check that AsyncRequestWorkerFactor is not negative. PR 54254. |
| [Jackie Zhang <jackie qq zhang gmail com>] |
| |
| *) mod_proxy: Ensure we don't attempt to amend a table we are iterating |
| through, ensuring that all headers listed by Connection are removed. |
| [Graham Leggett, Co-Advisor <coad measurement-factory.com>] |
| |
| *) mod_proxy_http: Make the proxy-interim-response environment variable |
| effective by formally overriding origin server behaviour. [Graham |
| Leggett, Co-Advisor <coad measurement-factory.com>] |
| |
| *) mod_proxy: Fix seg-faults when using the global pool on threaded |
| MPMs [Thomas Eckert <thomas.r.w.eckert gmail.com>, Graham Leggett, |
| Jim Jagielski] |
| |
| *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive. |
| Gracefully step aside if the body size is zero. [Graham Leggett] |
| |
| *) mod_ssl: Fix possible truncation of OCSP responses when reading from the |
| server. [Joe Orton] |
| |
| *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization |
| on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun |
| <apache heilbrun.org>] |
| |
| *) mod_cache_socache: Make sure the CacheSocacheMaxSize directive is merged |
| correctly. [Jens Låås <jelaas gmail.com>] |
| |
| *) rotatelogs: add -n number-of-files option to rotate through a number |
| of fixed-name logfiles. [Eric Covener] |
| |
| *) mod_proxy: Support web-socket tunnels via mod_proxy_wstunnel. |
| [Jim Jagielski] |
| |
| *) mod_cache_socache: Use the name of the socache implementation when performing |
| a lookup rather than using the raw arguments. [Martin Ksellmann |
| <martin@ksellmann.de>] |
| |
| *) core: Add dirwalk_stat hook. [Jeff Trawick] |
| |
| *) core: Add post_perdir_config hook. |
| [Steinar Gunderson <sgunderson bigfoot.com>] |
| |
| *) proxy_util: NULL terminate the right buffer in 'send_http_connect'. |
| [Christophe Jaillet] |
| |
| *) mod_remoteip: close file in error path. [Christophe Jaillet] |
| |
| *) core: make the "default" parameter of the "ErrorDocument" option case |
| insensitive. PR 54419 [Tianyin Xu <tixu cs ucsd edu>] |
| |
| *) mod_proxy_html: make the "ProxyHTMLFixups" options case insensitive. |
| PR 54420 [Tianyin Xu <tixu cs ucsd edu>] |
| |
| *) mod_cache: Make option "CacheDisable" in mod_cache case insensitive. |
| PR 54462 [Tianyin Xu <tixu cs ucsd edu>] |
| |
| *) mod_cache: If a 304 response indicates an entity not currently cached, then |
| the cache MUST disregard the response and repeat the request without the |
| conditional. [Graham Leggett, Co-Advisor <coad measurement-factory.com>] |
| |
| *) mod_cache: Ensure that we don't attempt to replace a cached response |
| with an older response as per RFC2616 13.12. [Graham Leggett, Co-Advisor |
| <coad measurement-factory.com>] |
| |
| *) core, mod_cache: Ensure RFC2616 compliance in ap_meets_conditions() |
| with weak validation combined with If-Range and Range headers. Break |
| out explicit conditional header checks to be useable elsewhere in the |
| server. Ensure weak validation RFC compliance in the byteranges filter. |
| Ensure RFC validation compliance when serving cached entities. PR 16142 |
| [Graham Leggett, Co-Advisor <coad measurement-factory.com>] |
| |
| *) core: Add the ability to do explicit matching on weak and strong ETags |
| as per RFC2616 Section 13.3.3. [Graham Leggett, Co-Advisor |
| <coad measurement-factory.com>] |
| |
| *) mod_cache: Ensure that updated responses to HEAD requests don't get |
| mistakenly paired with a previously cached body. Ensure that any existing |
| body is removed when a HEAD request is cached. [Graham Leggett, |
| Co-Advisor <coad measurement-factory.com>] |
| |
| *) mod_cache: Honour Cache-Control: no-store in a request. [Graham Leggett] |
| |
| *) mod_cache: Make sure that contradictory entity headers present in a 304 |
| Not Modified response are caught and cause the entity to be removed. |
| [Graham Leggett] |
| |
| *) mod_cache: Make sure Vary processing handles multivalued Vary headers and |
| multivalued headers referred to via Vary. [Graham Leggett] |
| |
| *) mod_cache: When serving from cache, only the last header of a multivalued |
| header was taken into account. Fixed. Ensure that Warning headers are |
| correctly handled as per RFC2616. [Graham Leggett] |
| |
| *) mod_cache: Ignore response headers specified by no-cache=header and |
| private=header as specified by RFC2616 14.9.1 What is Cacheable. Ensure |
| that these headers are still processed when multiple Cache-Control |
| headers are present in the response. PR 54706 [Graham Leggett, |
| Yann Ylavic <ylavic.dev gmail.com>] |
| |
| *) mod_cache: Invalidate cached entities in response to RFC2616 Section |
| 13.10 Invalidation After Updates or Deletions. PR 15868 [Graham |
| Leggett] |
| |
| *) mod_dav: Improve error handling in dav_method_put(), add new |
| dav_join_error() function. PR 54145. [Ben Reser <ben reser.org>] |
| |
| *) mod_dav: Do not fail PROPPATCH when prop namespace is not known. |
| PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>] |
| |
| *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead |
| property on a resource for which there is no dead property in the same |
| namespace httpd segfaults. PR 52559 [Diego Santa Cruz |
| <diego.santaCruz spinetix.com>] |
| |
| *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't |
| result in a 412 Precondition Failed for a COPY operation. PR54610 |
| [Timothy Wood <tjw omnigroup.com>] |
| |
| *) mod_dav: Make sure that when we prepare an If URL for Etag comparison, |
| we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>] |
| |
| *) 'AuthGroupFile' and 'AuthUserFile' do not accept anymore the optional |
| 'standard' keyword. It was unused and not documented. |
| PR54463 [Tianyin Xu <tixu cs.ucsd.edu> and Christophe Jaillet] |
| |
| *) core: Do not over allocate memory within 'ap_rgetline_core' for |
| the common case. [Christophe Jaillet] |
| |
| *) core: speed up (for common cases) and reduce memory usage of |
| ap_escape_logitem(). This should save 70-100 bytes in the request |
| pool for a default config. [Christophe Jaillet] |
| |
| *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611 |
| [Timothy Wood <tjw omnigroup.com>] |
| |
| *) mod_proxy: Reject invalid values for Max-Forwards. [Graham Leggett, |
| Co-Advisor <coad measurement-factory.com>] |
| |
| *) mod_cache: RFC2616 14.9.3 The s-maxage directive also implies the |
| semantics of the proxy-revalidate directive. [Graham Leggett] |
| |
| *) mod_ssl: add support for subjectAltName-based host name checking |
| in proxy mode (SSLProxyCheckPeerName). PR 54030. [Kaspar Brand] |
| |
| *) core: Use the proper macro for HTTP/1.1. [Graham Leggett] |
| |
| *) event MPM: Provide error handling for ThreadStackSize. PR 54311 |
| [Tianyin Xu <tixu cs.ucsd.edu>, Christophe Jaillet] |
| |
| *) mod_dav: Do not segfault on PROPFIND with a zero length DBM. |
| PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>] |
| |
| *) core: Improve error message where client's request-line exceeds |
| LimitRequestLine. PR 54384 [Christophe Jaillet] |
| |
| *) mod_macro: New module that provides macros within configuration files. |
| [Fabien Coelho] |
| |
| *) mod_cache_socache: New cache implementation backed by mod_socache |
| that replaces mod_mem_cache known from httpd 2.2. [Graham |
| Leggett] |
| |
| *) htpasswd: Add -v option to verify a password. [Stefan Fritsch] |
| |
| *) mod_proxy: Add BalancerInherit and ProxyPassInherit to control |
| whether Proxy Balancers and Workers are inherited by vhosts |
| (default is On). [Jim Jagielski] |
| |
| *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind |
| password. [Daniel Ruggeri] |
| |
| *) Added balancer parameter failontimeout to allow server admin |
| to configure an IO timeout as an error in the balancer. |
| [Daniel Ruggeri] |
| |
| *) mod_auth_digest: Fix crashes if shm initialization failed. [Stefan |
| Fritsch] |
| |
| *) htpasswd, htdbm: Fix password generation. PR 54735. [Stefan Fritsch] |
| |
| *) core: Add workaround for gcc bug on sparc/64bit. PR 52900. |
| [Stefan Fritsch] |
| |
| *) mod_setenvif: Fix crash in case SetEnvif and SetEnvIfExpr are used |
| together. PR 54881. [Ruediger Pluem] |
| |
| *) htdigest: Fix buffer overflow when reading digest password file |
| with very long lines. PR 54893. [Rainer Jung] |
| |
| *) ap_expr: Add the ability to base64 encode and base64 decode |
| strings and to generate their SHA1 and MD5 hash. |
| [Graham Leggett, Stefan Fritsch] |
| |
| *) mod_log_config: Fix crash when logging request end time for a failed |
| request. PR 54828 [Rainer Jung] |
| |
| *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs |
| with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698. |
| [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand] |
| |
| *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits |
| in the error log to debug level. [William Rowe] |
| |
| *) mod_cache_disk: CacheMinFileSize and CacheMaxFileSize were always |
| using compiled in defaults of 1000000/1 respectively. [Eric Covener] |
| |
| *) mod_lbmethod_heartbeat, mod_heartmonitor: Respect DefaultRuntimeDir/ |
| DEFAULT_REL_RUNTIMEDIR for the heartbeat storage file. [Jeff Trawick] |
| |
| *) mod_include: Use new ap_expr for 'elif', like 'if', |
| if legacy parser is not specified. PR 54548 [Tom Donovan] |
| |
| *) mod_lua: Add some new functions: r:htpassword(), r:mkdir(), r:mkrdir(), |
| r:rmdir(), r:touch(), r:get_direntries(), r.date_parse_rfc(). |
| [Guenter Knauf] |
| |
| *) mod_lua: Add multipart form data handling. [Daniel Gruno] |
| |
| *) mod_lua: If a LuaMapHandler doesn't return any value, log a warning |
| and treat it as apache2.OK. [Eric Covener] |
| |
| *) mod_lua: Add bindings for apr_dbd/mod_dbd database access |
| [Daniel Gruno] |
| |
| *) mod_lua: Add LuaInputFilter/LuaOutputFilter for creating content |
| filters in Lua [Daniel Gruno] |
| |
| *) mod_lua: Allow scripts handled by the lua-script handler to return |
| a status code to the client (such as a 302 or a 500) [Daniel Gruno] |
| |
| *) mod_lua: Decline handling 'lua-script' if the file doesn't exist, |
| rather than throwing an internal server error. [Daniel Gruno] |
| |
| *) mod_lua: Add functions r:flush and r:sendfile as well as additional |
| request information to the request_rec structure. [Daniel Gruno] |
| |
| *) mod_lua: Add a server scope for Lua states, which creates a pool of |
| states with manageable minimum and maximum size. [Daniel Gruno] |
| |
| *) mod_lua: Add new directive, LuaMapHandler, for dynamically mapping |
| URIs to Lua scripts and functions using regular expressions. |
| [Daniel Gruno] |
| |
| *) mod_lua: Add new directive LuaCodeCache for controlling in-memory |
| caching of lua scripts. [Daniel Gruno] |
| |
| Changes with Apache 2.4.4 |
| |
| *) SECURITY: CVE-2012-3499 (cve.mitre.org) |
| Various XSS flaws due to unescaped hostnames and URIs HTML output in |
| mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. |
| [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>] |
| |
| *) SECURITY: CVE-2012-4558 (cve.mitre.org) |
| XSS in mod_proxy_balancer manager interface. [Jim Jagielski, |
| Niels Heinen <heinenn google com>] |
| |
| *) mod_dir: Add support for the value 'disabled' in FallbackResource. |
| [Vincent Deffontaines] |
| |
| *) mod_proxy_connect: Don't keepalive the connection to the client if the |
| backend closes the connection. PR 54474. [Pavel Mateja <pavel netsafe cz>] |
| |
| *) mod_lua: Add bindings for mod_dbd/apr_dbd database access. |
| [Daniel Gruno] |
| |
| *) mod_proxy: Allow for persistence of local changes made via the |
| balancer-manager between graceful/normal restarts and power |
| cycles. [Jim Jagielski] |
| |
| *) mod_proxy: Fix startup crash with mis-defined balancers. |
| PR 52402. [Jim Jagielski] |
| |
| *) --with-module: Fix failure to integrate them into some existing |
| module directories. PR 40097. [Jeff Trawick] |
| |
| *) htcacheclean: Fix potential segfault if "-p" is omitted. [Joe Orton] |
| |
| *) mod_proxy_http: Honour special value 0 (unlimited) of LimitRequestBody |
| PR 54435. [Pavel Mateja <pavel netsafe.cz>] |
| |
| *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416. |
| [Rainer Jung] |
| |
| *) htcacheclean: Fix list options "-a" and "-A". |
| [Rainer Jung] |
| |
| *) mod_slotmem_shm: Fix mistaken reset of num_free for restored shm. |
| [Jim Jagielski] |
| |
| *) mod_proxy: non-existence of byrequests is not an immediate error. |
| [Jim Jagielski] |
| |
| *) mod_proxy_balancer: Improve output of balancer-manager (re: Drn, |
| Dis, Ign, Stby). PR 52478 [Danijel <dt-ng rbfh de>] |
| |
| *) configure: Fix processing of --disable-FEATURE for various features. |
| [Jeff Trawick] |
| |
| *) mod_dialup/mod_http: Prevent a crash in mod_dialup in case of internal |
| redirect. PR 52230. |
| |
| *) various modules, rotatelogs: Replace use of apr_file_write() with |
| apr_file_write_full() to prevent incomplete writes. PR 53131. |
| [Nicolas Viennot <apache viennot biz>, Stefan Fritsch] |
| |
| *) ab: Support socket timeout (-s timeout). |
| [Guido Serra <zeph fsfe org>] |
| |
| *) httxt2dbm: Correct length computation for the 'value' stored in the |
| DBM file. PR 47650 [jon buckybox com] |
| |
| *) core: Be more correct about rejecting directives that cannot work in <If> |
| sections. [Stefan Fritsch] |
| |
| *) core: Fix directives like LogLevel that need to know if they are invoked |
| at virtual host context or in Directory/Files/Location/If sections to |
| work properly in If sections that are not in a Directory/Files/Location. |
| [Stefan Fritsch] |
| |
| *) mod_xml2enc: Fix problems with charset conversion altering the |
| Content-Length. [Micha Lenk <micha lenk info>] |
| |
| *) ap_expr: Add req_novary function that allows HTTP header lookups |
| without adding the name to the Vary header. [Stefan Fritsch] |
| |
| *) mod_slotmem_*: Add in new fgrab() function which forces a grab and |
| slot allocation on a specified slot. Allow for clearing of inuse |
| array. [Jim Jagielski] |
| |
| *) mod_proxy_ftp: Fix segfaults on IPv4 requests to hosts with DNS |
| AAAA records. PR 40841. [Andrew Rucker Jones <arjones simultan |
| dyndns org>, <ast domdv de>, Jim Jagielski] |
| |
| *) mod_auth_form: Make sure that get_notes_auth() sets the user as does |
| get_form_auth() and get_session_auth(). Makes sure that REMOTE_USER |
| does not vanish during mod_include driven subrequests. [Graham |
| Leggett] |
| |
| *) mod_cache_disk: Resolve errors while revalidating disk-cached files on |
| Windows ("...rename tempfile to datafile failed..."). PR 38827 |
| [Eric Covener] |
| |
| *) mod_proxy_balancer: Bring XML output up to date. [Jim Jagielski] |
| |
| *) htpasswd, htdbm: Optionally read passwords from stdin, as more |
| secure alternative to -b. PR 40243. [Adomas Paltanavicius <adomas |
| paltanavicius gmail com>, Stefan Fritsch] |
| |
| *) htpasswd, htdbm: Add support for bcrypt algorithm (requires |
| apr-util 1.5 or higher). PR 49288. [Stefan Fritsch] |
| |
| *) htpasswd, htdbm: Put full 48bit of entropy into salt, improve |
| error handling. Add some of htpasswd's improvements to htdbm, |
| e.g. warn if password is truncated by crypt(). [Stefan Fritsch] |
| |
| *) mod_auth_form: Support the expr parser in the |
| AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and |
| AuthFormLogoutLocation directives. [Graham Leggett] |
| |
| *) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange |
| for TLS, RFC 5054). PR 51075. [Quinn Slack <sqs cs stanford edu>, |
| Christophe Renou, Peter Sylvester] |
| |
| *) mod_rewrite: Stop merging RewriteBase down to subdirectories |
| unless new option 'RewriteOptions MergeBase' is configured. |
| PR 53963. [Eric Covener] |
| |
| *) mod_header: Allow for exposure of loadavg and server load using new |
| format specifiers %l, %i, %b [Jim Jagielski] |
| |
| *) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory. Make |
| ap_pregcomp() abort if out of memory. This raises the minimum PCRE |
| requirement to version 6.0. [Stefan Fritsch] |
| |
| *) mod_proxy: Add ability to configure the sticky session separator. |
| PR 53893. [<inu inusasha de>, Jim Jagielski] |
| |
| *) mod_dumpio: Correctly log large messages |
| PR 54179 [Marek Wianecki <mieszek2 interia pl>] |
| |
| *) core: Don't fail at startup with AH00554 when Include points to |
| a directory without any wildcard character. [Eric Covener] |
| |
| *) core: Fail startup if the argument to ServerTokens is unrecognized. |
| [Jackie Zhang <jackie.qq.zhang gmail.com>] |
| |
| *) mod_log_forensic: Don't log a spurious "-" if a request has been rejected |
| before mod_log_forensic could attach its id to it. [Stefan Fritsch] |
| |
| *) rotatelogs: Omit the second argument for the first invocation of |
| a post-rotate program when -p is used, per the documentation. |
| [Joe Orton] |
| |
| *) mod_session_dbd: fix a segmentation fault in the function dbd_remove. |
| PR 53452. [<rebanerebane gmail com>, Reimo Rebane] |
| |
| *) core: Functions to provide server load values: ap_get_sload() and |
| ap_get_loadavg(). [Jim Jagielski, Jan Kaluza <jkaluza redhat.com>, |
| Jeff Trawick] |
| |
| *) mod_ldap: Fix regression in handling "server unavailable" errors on |
| Windows. PR 54140. [Eric Covener] |
| |
| *) syslog logging: Remove stray ", referer" at the end of some messages. |
| [Jeff Trawick] |
| |
| *) "Iterate" directives: Report an error if no arguments are provided. |
| [Jeff Trawick] |
| |
| *) mod_ssl: Change default for SSLCompression to off, as compression |
| causes security issues in most setups. (The so called "CRIME" attack). |
| [Stefan Fritsch] |
| |
| *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output |
| to more accurately report the negotiated protocol. PR 53916. |
| [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand] |
| |
| *) core: ErrorDocument now works for requests without a Host header. |
| PR 48357. [Jeff Trawick] |
| |
| *) prefork: Avoid logging harmless errors during graceful stop. |
| [Joe Orton, Jeff Trawick] |
| |
| *) mod_proxy: When concatting for PPR, avoid cases where we |
| concat ".../" and "/..." to create "...//..." [Jim Jagielski] |
| |
| *) mod_cache: Wrong content type and character set when |
| mod_cache serves stale content because of a proxy error. |
| PR 53539. [Rainer Jung, Ruediger Pluem] |
| |
| *) mod_proxy_ajp: Fix crash in packet dump code when logging |
| with LogLevel trace7 or trace8. PR 53730. [Rainer Jung] |
| |
| *) httpd.conf: Removed the configuration directives setting a bad_DNT |
| environment introduced in 2.4.3. The actual directives are commented |
| out in the default conf file. |
| |
| *) core: Apply length limit when logging Status header values. |
| [Jeff Trawick, Chris Darroch] |
| |
| *) mod_proxy_balancer: The nonce is only derived from the UUID iff |
| not set via the 'nonce' balancer param. [Jim Jagielski] |
| |
| *) mod_ssl: Match wildcard SSL certificate names in proxy mode. |
| PR 53006. [Joe Orton] |
| |
| *) Windows: Fix output of -M, -L, and similar command-line options |
| which display information about the server configuration. |
| [Jeff Trawick] |
| |
| Changes with Apache 2.4.3 |
| |
| *) SECURITY: CVE-2012-3502 (cve.mitre.org) |
| mod_proxy_ajp, mod_proxy_http: Fix an issue in back end |
| connection closing which could lead to privacy issues due |
| to a response mixup. PR 53727. [Rainer Jung] |
| |
| *) SECURITY: CVE-2012-2687 (cve.mitre.org) |
| mod_negotiation: Escape filenames in variant list to prevent a |
| possible XSS for a site where untrusted users can upload files to |
| a location with MultiViews enabled. [Niels Heinen <heinenn google.com>] |
| |
| *) mod_authnz_ldap: Don't try a potentially expensive nested groups |
| search before exhausting all AuthLDAPGroupAttribute checks on the |
| current group. PR 52464 [Eric Covener] |
| |
| *) mod_lua: Add new directive LuaAuthzProvider to allow implementing an |
| authorization provider in lua. [Stefan Fritsch] |
| |
| *) core: Be less strict when checking whether Content-Type is set to |
| "application/x-www-form-urlencoded" when parsing POST data, |
| or we risk losing data with an appended charset. PR 53698 |
| [Petter Berntsen <petterb gmail.com>] |
| |
| *) httpd.conf: Added configuration directives to set a bad_DNT environment |
| variable based on User-Agent and to remove the DNT header field from |
| incoming requests when a match occurs. This currently has the effect of |
| removing DNT from requests by MSIE 10.0 because it deliberately violates |
| the current specification of DNT semantics for HTTP. [Roy T. Fielding] |
| |
| *) mod_socache_shmcb: Fix bus error due to a misalignment |
| in some 32 bit builds, especially on Solaris Sparc. |
| PR 53040. [Rainer Jung] |
| |
| *) mod_cache: Set content type in case we return stale content. |
| [Ruediger Pluem] |
| |
| *) Windows: Fix SSL failures on windows with AcceptFilter https none. |
| PR 52476. [Jeff Trawick] |
| |
| *) ab: Fix read failure when targeting SSL server. [Jeff Trawick] |
| |
| *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR: |
| - mod_auth_digest: shared memory file |
| [Jeff Trawick] |
| |
| *) htpasswd: Use correct file mode for checking if file is writable. |
| PR 45923. [Stefan Fritsch] |
| |
| *) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T. |
| <mi apache aldan algebra com>] |
| |
| *) mod_ssl: Add new directive SSLCompression to disable TLS-level |
| compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch] |
| |
| *) mod_lua: Add a few missing request_rec fields. Rename remote_ip to |
| client_ip to match conn_rec. [Stefan Fritsch] |
| |
| *) mod_lua: Change prototype of vm_construct, to work around gcc bug which |
| causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>] |
| |
| *) mpm_event: Don't count connections in lingering close state when |
| calculating how many additional connections may be accepted. |
| [Stefan Fritsch] |
| |
| *) mod_ssl: If exiting during initialization because of a fatal error, |
| log a message to the main error log pointing to the appropriate |
| virtual host error log. [Stefan Fritsch] |
| |
| *) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on |
| one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>] |
| |
| *) mod_proxy_balancer: Restore balancing after a failed worker has |
| recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick] |
| |
| *) mod_setenvif: Compile some global regex only once during startup. |
| This should save some memory, especially with .htaccess. |
| [Stefan Fritsch] |
| |
| *) core: Add the port number to the vhost's name in the scoreboard. |
| [Stefan Fritsch] |
| |
| *) mod_proxy: Fix ProxyPassReverse for balancer configurations. |
| PR 45434. [Joe Orton] |
| |
| *) mod_lua: Add the parsebody function for parsing POST data. PR 53064. |
| [Daniel Gruno] |
| |
| *) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS. |
| [Stefan Fritsch] |
| |
| *) mod_proxy: Fix memory leak or possible corruption in ProxyBlock |
| implementation. [Ruediger Pluem, Joe Orton] |
| |
| *) mod_proxy: Check hostname from request URI against ProxyBlock list, |
| not forward proxy, if ProxyRemote* is configured. [Joe Orton] |
| |
| *) mod_proxy_connect: Avoid DNS lookup on hostname from request URI |
| if ProxyRemote* is configured. PR 43697. [Joe Orton] |
| |
| *) mpm_event, mpm_worker: Remain active amidst prevalent child process |
| resource shortages. [Jeff Trawick] |
| |
| *) Add "strict" and "warnings" pragmas to Perl scripts. [Rich Bowen] |
| |
| *) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR: |
| - core: the scoreboard (ScoreBoardFile), pid file (PidFile), and |
| mutexes (Mutex) |
| [Jim Jagielski] |
| |
| *) ab: Fix bind() errors. [Joe Orton] |
| |
| *) mpm_event: Don't do a blocking write when starting a lingering close |
| from the listener thread. PR 52229. [Stefan Fritsch] |
| |
| *) mod_so: If a filename without slashes is specified for LoadFile or |
| LoadModule and the file cannot be found in the server root directory, |
| try to use the standard dlopen() search path. [Stefan Fritsch] |
| |
| *) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced |
| after child process resource shortages. [Jeff Trawick] |
| |
| *) mpm_prefork: Reduce spawn rate after a child process exits due to |
| unexpected poll or accept failure. [Jeff Trawick] |
| |
| *) core: Log value of Status header line in script responses rather |
| than the fixed header name. [Chris Darroch] |
| |
| *) mpm_ssl: Fix handling of empty response from OCSP server. |
| [Jim Meyering <meyering redhat.com>, Joe Orton] |
| |
| *) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch] |
| |
| *) mod_authz_core: If an expression in "Require expr" returns denied and |
| references %{REMOTE_USER}, trigger authentication and retry. PR 52892. |
| [Stefan Fritsch] |
| |
| *) core: Always log if LimitRequestFieldSize triggers. [Stefan Fritsch] |
| |
| *) mod_deflate: Skip compression if compression is enabled at SSL level. |
| [Stefan Fritsch] |
| |
| *) core: Add missing HTTP status codes registered with IANA. |
| [Julian Reschke <julian.reschke gmx.de>, Rainer Jung] |
| |
| *) mod_ldap: Treat the "server unavailable" condition as a transient |
| error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>] |
| |
| *) core: Fix spurious "not allowed here" error returned when the Options |
| directive is used in .htaccess and "AllowOverride Options" (with no |
| specific options restricted) is configured. PR 53444. [Eric Covener] |
| |
| *) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>. |
| PR 53048. [Stefan Fritsch] |
| |
| *) mod_log_config: Fix %{abc}C truncating cookie values at first "=". |
| PR 53104. [Greg Ames] |
| |
| *) mod_ext_filter: Fix error_log spam when input filters are configured. |
| [Joe Orton] |
| |
| *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton] |
| |
| *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). |
| [Paul Wouters <pwouters redhat.com>, Joe Orton] |
| |
| *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if |
| the chosen listener is configured for https. [Joe Orton] |
| |
| *) mod_proxy: Use the same hostname for SNI as for the HTTP request when |
| forwarding to SSL backends. PR 53134. |
| [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem] |
| |
| *) mod_info: Display all registered providers. [Stefan Fritsch] |
| |
| *) mod_ssl: Send the error message for speaking http to an https port using |
| HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when |
| using SNI. PR 50823. [Stefan Fritsch] |
| |
| *) core: Fix segfault in logging if r->useragent_addr or c->client_addr is |
| unset. PR 53265. [Stefan Fritsch] |
| |
| *) log_server_status: Bring Perl style forward to the present, use |
| standard modules, update for new format of server-status output. |
| PR 45424. [Richard Bowen, Dave Brondsema, and others] |
| |
| *) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups. |
| [Joe Orton, André Malo] |
| |
| *) core: Prevent "httpd -k restart" from killing server in presence of |
| config error. [Joe Orton] |
| |
| *) mod_proxy_fcgi: If there is an error reading the headers from the |
| backend, send an error to the client. PR 52879. [Stefan Fritsch] |
| |
| Changes with Apache 2.4.2 |
| |
| *) SECURITY: CVE-2012-0883 (cve.mitre.org) |
| envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the |
| current working directory being searched for DSOs. [Stefan Fritsch] |
| |
| *) mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski] |
| |
| *) mod_ssl: Fix crash with threaded MPMs due to race condition when |
| initializing EC temporary keys. [Stefan Fritsch] |
| |
| *) mod_rewrite: Fix RewriteCond integer checks to be parsed correctly. |
| PR 53023. [Axel Reinhold <apache freakout.de>, André Malo] |
| |
| *) mod_proxy: Add the forcerecovery balancer parameter that determines if |
| recovery for balancer workers is enforced. [Ruediger Pluem] |
| |
| *) Fix MPM DSO load failure on AIX. [Jeff Trawick] |
| |
| *) mod_proxy: Correctly set up reverse proxy worker. PR 52935. |
| [Petter Berntsen <petterb gmail.com>] |
| |
| *) mod_sed: Don't define PATH_MAX to a potentially undefined value, causing |
| compile problems on GNU hurd. [Stefan Fritsch] |
| |
| *) core: Add ap_runtime_dir_relative() and DefaultRuntimeDir. |
| [Jeff Trawick] |
| |
| *) core: Fix breakage of Listen directives with MPMs that use a |
| per-directory config. PR 52904. [Stefan Fritsch] |
| |
| *) core: Disallow directives in AllowOverrideList which are only allowed |
| in VirtualHost or server context. These are usually not prepared to be |
| called in .htaccess files. [Stefan Fritsch] |
| |
| *) core: In AllowOverrideList, do not allow 'None' together with other |
| directives. PR 52823. [Stefan Fritsch] |
| |
| *) mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm. |
| [Jim Jagielski] |
| |
| *) core: Fix merging of AllowOverrideList and ContentDigest. |
| [Stefan Fritsch] |
| |
| *) mod_request: Fix validation of the KeptBodySize argument so it |
| doesn't always throw a configuration error. PR 52981 [Eric Covener] |
| |
| *) core: Add filesystem paths to access denied / access failed messages |
| AH00035 and AH00036. [Eric Covener] |
| |
| *) mod_dumpio: Properly handle errors from subsequent input filters. |
| PR 52914. [Stefan Fritsch] |
| |
| *) Unix MPMs: Fix small memory leak in parent process if connect() |
| failed when waking up children. [Joe Orton] |
| |
| *) "DirectoryIndex disabled" now undoes DirectoryIndex settings in |
| the current configuration section, not just previous config sections. |
| PR 52845. [Eric Covener] |
| |
| *) mod_xml2enc: Fix broken handling of EOS buckets which could lead to |
| response headers not being sent. PR 52766. [Stefan Fritsch] |
| |
| *) mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand] |
| |
| *) core: Check during config test that directories for the access |
| logs actually exist. PR 29941. [Stefan Fritsch] |
| |
| *) mod_xml2enc, mod_proxy_html: Enable per-module loglevels. |
| [Stefan Fritsch] |
| |
| *) mod_filter: Fix segfault with AddOutputFilterByType. PR 52755. |
| [Stefan Fritsch] |
| |
| *) mod_session: Sessions are encoded as application/x-www-form-urlencoded |
| strings, however we do not handle the encoding of spaces properly. |
| Fixed. [Graham Leggett] |
| |
| *) Configuration: Example in comment should use a path consistent |
| with the default configuration. PR 52715. |
| [Rich Bowen, Jens Schleusener, Rainer Jung] |
| |
| *) Configuration: Switch documentation links from trunk to 2.4. |
| [Rainer Jung] |
| |
| *) configure: Fix out of tree build using apr and apr-util in srclib. |
| [Rainer Jung] |
| |
| Changes with Apache 2.4.1 |
| |
| *) SECURITY: CVE-2012-0053 (cve.mitre.org) |
| Fix an issue in error responses that could expose "httpOnly" cookies |
| when no custom ErrorDocument is specified for status code 400. |
| [Eric Covener] |
| |
| *) mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk] |
| |
| *) core: Check during configtest that the directories for error logs exist. |
| PR 29941 [Stefan Fritsch] |
| |
| *) Core configuration: add AllowOverride option to treat syntax |
| errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski] |
| |
| *) core: Fix memory consumption in core output filter with streaming |
| bucket types like CGI or PIPE. [Joe Orton, Stefan Fritsch] |
| |
| *) configure: Disable modules at configure time if a prerequisite module |
| is not enabled. PR 52487. [Stefan Fritsch] |
| |
| *) Rewrite and proxy now decline what they don't support rather |
| than fail the request. [Joe Orton] |
| |
| *) Fix building against external apr plus apr-util if apr is not installed |
| in a system default path. [Rainer Jung] |
| |
| *) Doxygen fixes and improvements. [Joe Orton, Igor Galić] |
| |
| *) core: Fix building against PCRE 8.30 by switching from the obsolete |
| pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung] |
| |
| Changes with Apache 2.4.0 |
| |
| *) SECURITY: CVE-2012-0031 (cve.mitre.org) |
| Fix scoreboard issue which could allow an unprivileged child process |
| to cause the parent to crash at shutdown rather than terminate |
| cleanly. [Joe Orton] |
| |
| *) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch] |
| |
| *) SECURITY: CVE-2012-0021 (cve.mitre.org) |
| mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format |
| string is in use and a client sends a nameless, valueless cookie, causing |
| a denial of service. The issue existed since version 2.2.17 and 2.3.3. |
| PR 52256. [Rainer Canavan <rainer-apache 7val com>] |
| |
| *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit |
| control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive. |
| [Kaspar Brand] |
| |
| *) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1 |
| or later, to improve binary compatibility with future OpenSSL releases. |
| [Kaspar Brand] |
| |
| *) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass, |
| but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime |
| behave identically in both cases. PR52342. [Graham Leggett] |
| |
| *) Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with |
| corresponding man pages. [Graham Leggett] |
| |
| *) Distinguish properly between the bindir and sbindir directories when |
| installing binaries. Previously all binaries were silently installed to |
| sbindir, whether they were system administration commands or not. |
| [Graham Leggett] |
| |
| Changes with Apache 2.3.16 |
| |
| *) SECURITY: CVE-2011-4317 (cve.mitre.org) |
| Resolve additional cases of URL rewriting with ProxyPassMatch or |
| RewriteRule, where particular request-URIs could result in undesired |
| backend network exposure in some configurations. |
| [Joe Orton] |
| |
| *) core: Limit line length in .htaccess to 8K like in 2.2.x, to avoid |
| additional DoS potential. [Stefan Fritsch] |
| |
| *) core, all modules: Add unique tag to most error log messages. [Stefan |
| Fritsch] |
| |
| *) mod_socache_memcache: Change provider name from "mc" to "memcache" to |
| match module name. [Stefan Fritsch] |
| |
| *) mod_slotmem_shm: Change provider name from "shared" to "shm" to match |
| module name. [Stefan Fritsch] |
| |
| *) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This |
| requires an apr-util fix which is available in apr-util >= 1.4.0. |
| PR 42682. [Stefan Fritsch] |
| |
| *) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible |
| for RewriteRules to be placed in .htaccess files that match the directory |
| with no trailing slash. PR 48304. |
| [Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>] |
| |
| *) mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that |
| the administrator can hide the keys from the configuration. [Graham |
| Leggett] |
| |
| *) Introduce a per request version of the remote IP address, which can be |
| optionally modified by a module when the effective IP of the client |
| is not the same as the real IP of the client (such as a load balancer). |
| Introduce a per connection "peer_ip" and a per request "client_ip" to |
| distinguish between the raw IP address of the connection and the effective |
| IP address of the request. [Graham Leggett] |
| |
| *) ap_pass_brigade_fchk() function added. [Jim Jagielski] |
| |
| *) core: Pass ap_errorlog_info struct to error log hook. [Stefan Fritsch] |
| |
| *) mod_cache_disk: Make sure we check return codes on all writes and |
| attempts to close, and clean up after ourselves in these cases. |
| PR43589. [Graham Leggett] |
| |
| *) mod_cache_disk: Remove the unnecessary intermediate brigade while |
| writing to disk. Fixes a problem where mod_disk_cache was leaving |
| buckets in the intermediate brigade and not passing them out on |
| exit. [Florian S. <f_los_ch yahoo.com>, Graham Leggett] |
| |
| *) mod_ssl: use a shorter setting for SSLCipherSuite in the default |
| configuration file, and add some more information about |
| configuring a speed-optimized alternative. |
| [Kaspar Brand] |
| |
| *) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand] |
| |
| *) mod_lua: Stop losing track of all but the most specific LuaHook* directives |
| when multiple per-directory config sections are used. Adds LuaInherit |
| directive to control how parent sections are merged. [Eric Covener] |
| |
| *) Server directive display (-L): Include directives of DSOs. |
| [Jeff Trawick] |
| |
| *) mod_cache: Make sure we merge headers correctly when we handle a |
| non cacheable conditional response. PR52120. [Graham Leggett] |
| |
| *) Pre GA removal of components that will not be included: |
| - mod_noloris was superseded by mod_reqtimeout |
| - mod_serf |
| - mpm_simple |
| [Rainer Jung] |
| |
| *) core: Set MaxMemFree 2048 by default. [Stefan Fritsch] |
| |
| *) mpm_event: Fix assertion failure during very high load. [Stefan Fritsch] |
| |
| *) configure: Additional modules loaded by default: mod_headers. |
| Modules moved from module set "few" to "most" and no longer loaded |
| by default: mod_actions, mod_allowmethods, mod_auth_form, mod_buffer, |
| mod_cgi(d), mod_include, mod_negotiation, mod_ratelimit, mod_request, |
| mod_userdir. [Rainer Jung] |
| |
| *) mod_lua: Use the right lua scope when used as a hook. [Rainer Jung] |
| |
| *) configure: Only load the really important modules (i.e. those enabled by |
| the 'few' selection) by default. Don't handle modules enabled with |
| --enable-foo specially. [Stefan Fritsch] |
| |
| *) end-generation hook: Fix false notification of end-of-generation for |
| temporary intervals with no active MPM children. [Jeff Trawick] |
| |
| *) mod_ssl: Add support for configuring persistent TLS session ticket |
| encryption/decryption keys (useful for clustered environments). |
| [Paul Querna, Kaspar Brand] |
| |
| *) mod_usertrack: Use random value instead of remote IP address. |
| [Stefan Fritsch] |
| |
| Changes with Apache 2.3.15 |
| |
| *) SECURITY: CVE-2011-3348 (cve.mitre.org) |
| mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not |
| recognized. [Jean-Frederic Clere] |
| |
| *) SECURITY: CVE-2011-3192 (cve.mitre.org) |
| core: Fix handling of byte-range requests to use less memory, to avoid |
| denial of service. If the sum of all ranges in a request is larger than |
| the original file, ignore the ranges and send the complete file. |
| PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener, |
| <lowprio20 gmail.com>] |
| |
| *) SECURITY: CVE-2011-3607 (cve.mitre.org) |
| core: Fix integer overflow in ap_pregsub. This can be triggered e.g. |
| with mod_setenvif via a malicious .htaccess. [Stefan Fritsch] |
| |
| *) SECURITY: CVE-2011-3368 (cve.mitre.org) |
| Reject requests where the request-URI does not match the HTTP |
| specification, preventing unexpected expansion of target URLs in |
| some reverse proxy configurations. [Joe Orton] |
| |
| *) configure: Load all modules in the generated default configuration |
| when using --enable-load-all-modules. [Rainer Jung] |
| |
| *) mod_reqtimeout: Change the default to set some reasonable timeout |
| values. [Stefan Fritsch] |
| |
| *) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove |
| the inode. PR 49623. [Stefan Fritsch] |
| |
| *) mod_lua: Expose SSL variables via r:ssl_var_lookup(). [Eric Covener] |
| |
| *) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName} |
| can now additionally be run as "early" or "late" relative to other modules. |
| [Eric Covener] |
| |
| *) configure: By default, only load those modules that are either required |
| or explicitly selected by a configure --enable-foo argument. The |
| LoadModule statements for modules enabled by --enable-mods-shared=most |
| and friends will be commented out. [Stefan Fritsch] |
| |
| *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and |
| LuaHookQuickHandler) from being configured in <Directory>, <Files>, |
| and htaccess where the configuration would have been ignored. |
| [Eric Covener] |
| |
| *) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors |
| in LuaMapHandler scripts [Eric Covener] |
| |
| *) mod_log_debug: Rename optional argument from if= to expr=, to be more |
| in line with other config directives. [Stefan Fritsch] |
| |
| *) mod_headers: Require an expression to be specified with expr=, to be more |
| in line with other config directives. [Stefan Fritsch] |
| |
| *) mod_substitute: To prevent excessive memory usage, limit line length |
| to 1MB. [Stefan Fritsch] |
| |
| *) mod_lua: Make the query string (r.args) writable. [Eric Covener] |
| |
| *) mod_include: Add support for application/x-www-form-urlencoded encoding |
| and decoding. [Graham Leggett] |
| |
| *) rotatelogs: Add -c option to force logfile creation in every rotation |
| interval, even if empty. [Jan Kaluža <jkaluza redhat.com>] |
| |
| *) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings. |
| [Stefan Fritsch] |
| |
| *) mod_session_crypto: Refactor to support the new apr_crypto API. |
| [Graham Leggett] |
| |
| *) http: Add missing Location header if local URL-path is used as |
| ErrorDocument for 30x. [Stefan Fritsch] |
| |
| *) mod_buffer: Make sure we step down for subrequests, but not for internal |
| redirects triggered by mod_rewrite. [Graham Leggett] |
| |
| *) mod_lua: add r:construct_url as a wrapper for ap_construct_url. |
| [Eric Covener] |
| |
| *) mod_remote_ip: Fix configuration of internal proxies. PR 49272. |
| [Jim Riggs <jim riggs me>] |
| |
| *) mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific |
| server IP endpoint and remote client IP upon connection. [William Rowe] |
| |
| *) mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with |
| PeerExtList(). [Stefan Fritsch] |
| |
| *) mpm_prefork, mpm_worker, mpm_event: If a child is created just before |
| graceful restart and then exits because of a missing lock file, don't |
| shutdown the whole server. PR 39311. [Shawn Michael |
| <smichael rightnow com>] |
| |
| *) mpm_event: Check the return value from ap_run_create_connection. |
| PR: 41194. [Davi Arnaut] |
| |
| *) mod_mime_magic: Add signatures for PNG and SWF to the example config. |
| PR: 48352. [Jeremy Wagner-Kaiser <jwagner-kaiser adknowledge com>] |
| |
| *) core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items |
| from the parsed (or default) config. This is useful for init scripts that |
| need to setup temporary directories and permissions. [Stefan Fritsch] |
| |
| *) core, mod_actions, mod_asis: Downgrade error log messages which accompany |
| a 404 request status from loglevel error to info. PR: 35768. [Stefan |
| Fritsch] |
| |
| *) core: Fix hook sorting with Perl modules. PR: 45076. [Torsten Foertsch |
| <torsten foertsch gmx net>] |
| |
| *) core: Enforce LimitRequestFieldSize after multiple headers with the same |
| name have been merged. [Stefan Fritsch] |
| |
| *) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory |
| usage. PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>, |
| Stefan Fritsch] |
| |
| *) mod_ssl: At startup, when checking a server certificate whether it |
| matches the configured ServerName, also take dNSName entries in the |
| subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand] |
| |
| *) mod_substitute: Reduce memory usage and copying of data. PR 50559. |
| [Stefan Fritsch] |
| |
| *) mod_ssl/proxy: enable the SNI extension for backend TLS connections |
| [Kaspar Brand] |
| |
| *) Add wrappers for malloc, calloc, realloc that check for out of memory |
| situations and use them in many places. PR 51568, PR 51569, PR 51571. |
| [Stefan Fritsch] |
| |
| *) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is |
| false but RLIMIT_* are defined. PR51371. [Eric Covener] |
| |
| *) core: Correctly obey ServerName / ServerAlias if the Host header from the |
| request matches the VirtualHost address. |
| PR 51709. [Micha Lenk <micha lenk.info>] |
| |
| *) mod_unique_id: Use random number generator to initialize counter. |
| PR 45110. [Stefan Fritsch] |
| |
| *) core: Add convenience API for apr_random. [Stefan Fritsch] |
| |
| *) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control |
| the number of overlapping and reversing ranges (respectively) permitted |
| before returning the entire resource, with a default limit of 20. |
| [Jim Jagielski] |
| |
| *) mod_ldap: Optional function uldap_ssl_supported(r) always returned false |
| if called from a virtual host with mod_ldap directives in it. Did not |
| affect mod_authnz_ldap's usage of mod_ldap. [Eric Covener] |
| |
| *) mod_filter: Instead of dropping the Accept-Ranges header when a filter |
| registered with AP_FILTER_PROTO_NO_BYTERANGE is present, |
| set the header value to "none". [Eric Covener, Ruediger Pluem] |
| |
| *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none' |
| in the case Ranges are being ignored with MaxRanges none. |
| [Eric Covener] |
| |
| *) mod_ssl: revamp CRL-based revocation checking when validating |
| certificates of clients or proxied servers. Completely delegate |
| CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck |
| directive for controlling the revocation checking mode. [Kaspar Brand] |
| |
| *) core: Add MaxRanges directive to control the number of ranges permitted |
| before returning the entire resource, with a default limit of 200. |
| [Eric Covener] |
| |
| *) mod_cache: Ensure that CacheDisable can correctly appear within |
| a LocationMatch. [Graham Leggett] |
| |
| *) mod_cache: Fix the moving of the CACHE filter, which erroneously |
| stood down if the original filter was not added by configuration. |
| [Graham Leggett] |
| |
| *) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand] |
| |
| *) mod_authz_groupfile: Increase length limit of lines in the group file to |
| 16MB. PR 43084. [Stefan Fritsch] |
| |
| *) core: Increase length limit of lines in the configuration file to 16MB. |
| PR 45888. PR 50824. [Stefan Fritsch] |
| |
| *) core: Add API for resizable buffers. [Stefan Fritsch] |
| |
| *) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have |
| LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such |
| as Tivoli Directory Server 6.3 and later. [Eric Covener] |
| |
| *) mod_ldap: Change default number of retries from 10 to 3, and add |
| the LDAPRetries and LDAPRetryDelay directives. [Eric Covener] |
| |
| *) mod_authnz_ldap: Don't retry during authentication, because this just |
| multiplies the ample retries already being done by mod_ldap. [Eric Covener] |
| |
| *) configure: Allow to explicitly disable modules even with module selection |
| 'reallyall'. [Stefan Fritsch] |
| |
| *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the |
| RewriteEngine is disabled in server context, avoiding a crash while |
| referencing the invalid int: map at runtime. PR 50994. |
| [Ben Noordhuis <info noordhuis nl>] |
| |
| *) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand] |
| |
| *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand] |
| |
| *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit. |
| [Kaspar Brand] |
| |
| *) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the |
| cookie is set when modules such as mod_rewrite trigger a redirect. Also |
| use r->err_headers_out for the cookie, for the same reason. PR29755. |
| [Sami J. Mäkinen <sjm almamedia fi>, Eric Covener] |
| |
| *) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and |
| 'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch] |
| |
| *) configure: Enable ldap modules in 'all' and 'most' selections if ldap |
| is compiled into apr-util. [Stefan Fritsch] |
| |
| *) core: Add ap_check_cmd_context()-check if a command is executed in |
| .htaccess file. [Stefan Fritsch] |
| |
| *) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590. |
| [Torsten Foertsch <torsten foertsch gmx net>] |
| |
| *) mod_authn_socache: Fix to work in .htaccess if not configured anywhere |
| in httpd.conf, and introduce an AuthnCacheEnable directive. |
| PR 51991 [Nick Kew] |
| |
| *) mod_xml2enc: new (formerly third-party) module supporting |
| internationalisation for filters via smart charset sniffing |
| and conversion. [Nick Kew] |
| |
| *) mod_proxy_html: new (formerly third-party) module to fix up |
| HTML links in a reverse proxy situation, where a backend |
| generates URLs that are not resolvable by Clients. [Nick Kew] |
| |
| Changes with Apache 2.3.14 |
| |
| *) mod_proxy_ajp: Improve trace logging. [Rainer Jung] |
| |
| *) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets. |
| [Rainer Jung] |
| |
| *) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse, |
| e.g. to reverse proxy "Location: https://other-internal-server/login" |
| [Nick Kew] |
| |
| *) prefork, worker, event: Make sure crashes are logged to the error log if |
| httpd has already detached from the console. [Stefan Fritsch] |
| |
| *) prefork, worker, event: Reduce period during startup/restart where a |
| successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>] |
| |
| *) mod_allowmethods: Correct Merging of "reset" and do not allow an |
| empty parameter list for the AllowMethods directive. [Rainer Jung] |
| |
| *) configure: Update selection of modules for 'all' and 'most'. 'all' will |
| now enable all modules except for example and test modules. Make the |
| selection for 'most' more useful (including ssl and proxy). Both 'all' |
| and 'most' will now disable modules if dependencies are missing instead |
| of aborting. If a specific module is requested with --enable-XXX=yes, |
| missing dependencies will still cause configure to exit with an error. |
| [Stefan Fritsch] |
| |
| *) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done |
| in 2.3.13. [Stefan Fritsch] |
| |
| *) core: For '*' or '_default_' vhosts, use a wildcard address of any |
| address family, rather than IPv4 only. [Joe Orton] |
| |
| *) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable |
| include [ ] for literal IPv6 addresses, as mandated by RFC 3875. |
| PR 26005. [Stefan Fritsch] |
| |
| *) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203. |
| [Nagae Hidetake <nagae eagan jp>] |
| |
| *) core: Add more logging to ap_scan_script_header_err* functions. Add |
| ap_scan_script_header_err*_ex functions that take a module index for |
| logging. |
| mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the |
| new functions in order to make logging configurable per-module. |
| [Stefan Fritsch] |
| |
| *) mod_dir: Add DirectoryIndexRedirect to send an external redirect to |
| the proper index. [Eric Covener] |
| |
| *) mod_deflate: Don't try to compress requests with a zero sized body. |
| PR 51350. [Stefan Fritsch] |
| |
| *) core: Fix startup on IPv6-only systems. PR 50592. [Joe Orton, |
| <root linkage white-void net>] |
| |
| *) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX, |
| REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the |
| whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>, |
| Stefan Fritsch] |
| |
| *) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch] |
| |
| *) mod_log_debug: New module that allows logging custom messages at various |
| phases in the request processing. [Stefan Fritsch] |
| |
| *) mod_ssl: Add some debug logging when loading server certificates. |
| PR 37912. [Nick Burch <nick burch alfresco com>] |
| |
| *) configure: Support reallyall option also for --enable-mods-static. |
| [Rainer Jung] |
| |
| *) mod_socache_dc: add --with-distcache to configure for choosing |
| the distcache installation directory. [Rainer Jung] |
| |
| *) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD |
| instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung] |
| |
| *) mod_lua, mod_deflate: respect platform specific runpath linker |
| flag. [Rainer Jung] |
| |
| *) configure: Only link the httpd binary against PCRE. No other support |
| binary needs PCRE. [Rainer Jung] |
| |
| *) configure: tolerate dependency checking failures for modules if |
| they have been enabled implicitly. [Rainer Jung] |
| |
| *) configure: Allow to specify module specific custom linker flags via |
| the MOD_XXX_LDADD variables. [Rainer Jung] |
| |
| Changes with Apache 2.3.13 |
| |
| *) ab: Support specifying the local address to use. PR 48930. |
| [Peter Schuller <scode spotify com>] |
| |
| *) core: Add support to ErrorLogFormat for logging the system unique |
| thread id under Linux. [Stefan Fritsch] |
| |
| *) event: New AsyncRequestWorkerFactor directive to influence how many |
| connections will be accepted per process. [Stefan Fritsch] |
| |
| *) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which |
| describes more accurately what it does. [Stefan Fritsch] |
| |
| *) rotatelogs: Add -p argument to specify custom program to invoke |
| after a log rotation. PR 51285. [Sven Ulland <sveniu ifi.uio.no>, |
| Joe Orton] |
| |
| *) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand] |
| |
| *) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0. |
| PR 48215. [Kaspar Brand] |
| |
| *) mod_status: Display information about asynchronous connections in the |
| server-status. PR 44377. [Stefan Fritsch] |
| |
| *) mpm_event: If the number of connections of a process is very high, or if |
| all workers are busy, don't accept new connections in that process. |
| [Stefan Fritsch] |
| |
| *) mpm_event: Process lingering close asynchronously instead of tying up |
| worker threads. [Jeff Trawick, Stefan Fritsch] |
| |
| *) mpm_event: If MaxMemFree is set, limit the number of pools that is kept |
| around. [Stefan Fritsch] |
| |
| *) mpm_event: Fix graceful restart aborting connections. PR 43359. |
| [Takashi Sato <takashi lans-tv com>] |
| |
| *) mod_ssl: Disable AECDH ciphers in example config. PR 51363. |
| [Rob Stradling <rob comodo com>] |
| |
| *) core: Introduce new function ap_get_conn_socket() to access the socket of |
| a connection. [Stefan Fritsch] |
| |
| *) mod_data: Introduce a filter to support RFC2397 data URLs. [Graham |
| Leggett] |
| |
| *) mod_userdir/mod_alias/mod_vhost_alias: Correctly set DOCUMENT_ROOT, |
| CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX. PR 26052. PR 46198. |
| [Stefan Fritsch] |
| |
| *) core: Allow to override document_root on a per-request basis. Introduce |
| new context_document_root and context_prefix which provide information |
| about non-global URI-to-directory mappings (from e.g. mod_userdir or |
| mod_alias) to scripts. PR 49705. [Stefan Fritsch] |
| |
| *) core: Add <ElseIf> and <Else> to complement <If> sections. |
| [Stefan Fritsch] |
| |
| *) mod_ext_filter: Remove DebugLevel option in favor of per-module loglevel. |
| [Stefan Fritsch] |
| |
| *) mod_include: Make the "#if expr" element use the new "ap_expr" expression |
| parser. The old parser can still be used by setting the new directive |
| SSILegacyExprParser. [Stefan Fritsch] |
| |
| *) core: Add some features to ap_expr for use by mod_include: a restricted |
| mode that does not allow to bypass request access restrictions; new |
| variables DOCUMENT_URI (alias for REQUEST_URI), LAST_MODIFIED; -A as an |
| alias for -U; an additional data entry in ap_expr_eval_ctx_t for use by |
| the consumer; an extensible ap_expr_exec_ctx() API that allows to use that |
| data entry. [Stefan Fritsch] |
| |
| *) mod_include: Merge directory configs instead of one SSI* config directive |
| causing all other per-directory SSI* config directives to be reset. |
| [Stefan Fritsch] |
| |
| *) mod_charset_lite: Remove DebugLevel option in favour of per-module |
| loglevel. [Stefan Fritsch] |
| |
| *) core: Add ap_regexec_len() function that works with non-null-terminated |
| strings. PR 51231. [Yehezkel Horowitz <horowity checkpoint com>] |
| |
| *) mod_authnz_ldap: If the LDAP server returns constraint violation, |
| don't treat this as an error but as "auth denied". [Stefan Fritsch] |
| |
| *) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO |
| for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>, |
| Jim Jagielski] |
| |
| *) mod_cache: When content is served stale, and there is no means to |
| revalidate the content using ETag or Last-Modified, and we have |
| mandated no stale-on-error behaviour, stand down and don't cache. |
| Saves a cache write that will never be read. |
| [Graham Leggett] |
| |
| *) mod_reqtimeout: Fix a timed out connection going into the keep-alive |
| state after a timeout when discarding a request body. PR 51103. |
| [Stefan Fritsch] |
| |
| *) core: Add various file existence test operators to ap_expr. |
| [Stefan Fritsch] |
| |
| *) mod_proxy_express: New mass reverse-proxy switch extension for |
| mod_proxy. [Jim Jagielski] |
| |
| *) configure: Fix script error when configuring module set "reallyall". |
| [Rainer Jung] |
| |
| Changes with Apache 2.3.12 |
| |
| *) configure, core: Provide easier support for APR's hook probe |
| capability. [Jim Jagielski, Jeff Trawick] |
| |
| *) Silence autoconf 2.68 warnings. [Rainer Jung] |
| |
| *) mod_authnz_ldap: Resolve crash when LDAP is used for authorization only |
| [Scott Hill <shill genscape.com>] |
| |
| *) support: Make sure check_forensic works with mod_unique_id loaded |
| [Joe Schaefer] |
| |
| *) Add child_status hook for tracking creation/termination of MPM child |
| processes. Add end_generation hook for notification when the last |
| MPM child of a generation exits. [Jeff Trawick] |
| |
| *) mod_ldap: Make LDAPSharedCacheSize 0 create a non-shared-memory cache per |
| process as opposed to disabling caching completely. This allows to use |
| the non-shared-memory cache as a workaround for the shared memory cache |
| not being available during graceful restarts. PR 48958. [Stefan Fritsch] |
| |
| *) Add new ap_reserve_module_slots/ap_reserve_module_slots_directive API, |
| necessary if a module (like mod_perl) registers additional modules late |
| in the startup phase. [Stefan Fritsch] |
| |
| *) core: Prevent segfault if DYNAMIC_MODULE_LIMIT is reached. PR 51072. |
| [Torsten Förtsch <torsten foertsch gmx net>] |
| |
| *) WinNT MPM: Improve robustness under heavy load. [Jeff Trawick] |
| |
| *) MinGW build improvements. PR 49535. [John Vandenberg |
| <jayvdb gmail.com>, Jeff Trawick] |
| |
| *) core: Support module names with colons in loglevel configuration. |
| [Torsten Förtsch <torsten foertsch gmx net>] |
| |
| *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support. |
| [Stefan Fritsch] |
| |
| *) core: Abort if the MPM is changed across restart. [Jeff Trawick] |
| |
| *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945. |
| [Peter Pramberger <peter pramberger.at>, Jim Jagielski] |
| |
| *) mod_proxy_fcgi: Add support for 'ProxyErrorOverride on'. PR 50913. |
| [Mark Montague <mark catseye.org>, Jim Jagielski] |
| |
| *) core: Change the APIs of ap_cfg_getline() and ap_cfg_getc() to return an |
| error code. Abort with a nice error message if a config line is too long. |
| Partial fix for PR 50824. [Stefan Fritsch] |
| |
| *) mod_info: Dump config to stdout during startup if -DDUMP_CONFIG is |
| specified. PR 31956. [Stefan Fritsch] |
| |
| *) Restore visibility of DEFAULT_PIDLOG to core and modules. MPM |
| helper function ap_remove_pid() added. [Jeff Trawick] |
| |
| *) Enable DEFAULT_REL_RUNTIMEDIR on Windows and NetWare. [various] |
| |
| *) Correct C++ incompatibility with http_log.h. [Stefan Fritsch, Jeff |
| Trawick] |
| |
| *) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch |
| <torsten.foertsch gmx.net>] |
| |
| *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes |
| in request URL path info but not decode them. Change behavior of option |
| "On" to decode the encoded slashes as 2.0 and 2.2 do. PR 35256, |
| PR 46830. [Dan Poirier] |
| |
| *) mod_ssl: Check SNI hostname against Host header case-insensitively. |
| PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>] |
| |
| *) mod_ldap: Add LDAPConnectionPoolTTL to give control over lifetime |
| of bound backend LDAP connections. PR47634 [Eric Covener] |
| |
| *) mod_cache: Make CacheEnable and CacheDisable configurable per |
| directory in addition to per server, making them work from within |
| a LocationMatch. [Graham Leggett] |
| |
| *) worker, event, prefork: Correct several issues when built as |
| DSOs; most notably, the scoreboard was reinitialized during graceful |
| restart, such that processes of the previous generation were not |
| observable. [Jeff Trawick] |
| |
| Changes with Apache 2.3.11 |
| |
| *) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI. |
| Win32's cscript interpreter can only use a single quote as comment char. |
| [Guenter Knauf] |
| |
| *) mod_proxy: balancer-manager now uses POST instead of GET. |
| [Jim Jagielski] |
| |
| *) core: new util function: ap_parse_form_data(). Previously, |
| this capability was tucked away in mod_request. [Jim Jagielski] |
| |
| *) core: new hook: ap_run_pre_read_request. [Jim Jagielski] |
| |
| *) modules: Fix many modules that were not correctly initializing if they |
| were not active during server startup but got enabled later during a |
| graceful restart. [Stefan Fritsch] |
| |
| *) core: Create new ap_state_query function that allows modules to determine |
| if the current configuration run is the initial one at server startup, |
| and if the server is started for testing/config dumping only. |
| [Stefan Fritsch] |
| |
| *) mod_proxy: Runtime configuration of many parameters for existing |
| balancers via the balancer-manager. [Jim Jagielski] |
| |
| *) mod_proxy: Runtime addition of new workers (BalancerMember) for existing |
| balancers via the balancer-manager. [Jim Jagielski] |
| |
| *) mod_cache: When a bad Expires date is present, we need to behave as if |
| the Expires is in the past, not as if the Expires is missing. PR 16521. |
| [Co-Advisor <coad measurement-factory.com>] |
| |
| *) mod_cache: We must ignore quoted-string values that appear in a |
| Cache-Control header. PR 50199. [Graham Leggett] |
| |
| *) mod_dav: Revert change to send 501 error if unknown Content-* header is |
| received for a PUT request. PR 42978. [Stefan Fritsch] |
| |
| *) mod_cache: Respect s-maxage as described by RFC2616 14.9.3, which must |
| take precedence if present. PR 35247. [Graham Leggett] |
| |
| *) mod_ssl: Fix a possible startup failure if multiple SSL vhosts |
| are configured with the same ServerName and private key file. |
| [Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton] |
| |
| *) mod_socache_dc: Make module compile by fixing some typos. |
| PR 50735 [Mark Montague <mark catseye.org>] |
| |
| *) prefork: Update MPM state in children during a graceful stop or |
| restart. PR 41743. [Andrew Punch <andrew.punch 247realmedia.com>] |
| |
| *) mod_mime: Ignore leading dots when looking for mime extensions. |
| PR 50434 [Stefan Fritsch] |
| |
| *) core: Add support to set variables with the 'Define' directive. The |
| variables that can then be used in the config using the ${VAR} syntax |
| known from envvar interpolation. [Stefan Fritsch] |
| |
| *) mod_proxy_http: make adding of X-Forwarded-* headers configurable. |
| ProxyAddHeaders defaults to On. [Vincent Deffontaines] |
| |
| *) mod_slotmem_shm: Increase memory alignment for slotmem data. |
| [Rainer Jung] |
| |
| *) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout, |
| SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew. |
| [Kaspar Brand <httpd-dev.2011 velox.ch>] |
| |
| *) mod_ssl: Revamp output buffering to reduce network overhead for |
| output fragmented into many buckets, such as chunked HTTP responses. |
| [Joe Orton] |
| |
| *) core: Apply <If> sections to all requests, not only to file base requests. |
| Allow to use <If> inside <Directory>, <Location>, and <Files> sections. |
| The merging of <If> sections now happens after the merging of <Location> |
| sections, even if an <If> section is embedded inside a <Directory> or |
| <Files> section. [Stefan Fritsch] |
| |
| *) mod_proxy: Refactor usage of shared data by dropping the scoreboard |
| and using slotmem. Create foundation for dynamic growth/changes of |
| members within a balancer. Remove BalancerNonce in favor of a |
| per-balancer 'nonce' parameter. [Jim Jagielski] |
| |
| *) mod_status: Don't show slots which are disabled by MaxClients as open. |
| PR: 47022 [Jordi Prats <jordi prats gmail com>, Stefan Fritsch] |
| |
| *) mpm_prefork: Fix ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and |
| AP_MPMQ_MAX_THREADS. |
| |
| *) mod_authz_core: Fix bug in merging logic if user-based and non-user-based |
| authorization directives were mixed. [Stefan Fritsch] |
| |
| *) mod_authn_socache: change directive name from AuthnCacheProvider |
| to AuthnCacheProvideFor. The term "provider" is overloaded in |
| this module, and we should avoid confusion between the provider |
| of a backend (AuthnCacheSOCache) and the authn provider(s) for |
| which this module provides caching (AuthnCacheProvideFor). |
| [Nick Kew] |
| |
| *) mod_proxy_http: Allocate the fake backend request from a child pool |
| of the backend connection, instead of misusing the pool of the frontend |
| request. Fixes a thread safety issue where buckets set aside in the |
| backend connection leak into other threads, and then disappear when |
| the frontend request is cleaned up, in turn causing corrupted buckets |
| to make other threads spin. [Graham Leggett] |
| |
| *) mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables |
| to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and |
| escape other special characters with backslashes. The old format can |
| still be used with the LegacyDNStringFormat argument to SSLOptions. |
| |
| *) core, mod_rewrite: Make the REQUEST_SCHEME variable available to |
| scripts and mod_rewrite. [Stefan Fritsch] |
| |
| *) mod_rewrite: Allow to use arbitrary boolean expressions (ap_expr) in |
| RewriteCond. [Stefan Fritsch] |
| |
| *) mod_rewrite: Allow to unset environment variables using E=!VAR. |
| PR 49512. [Mark Drayton <mark markdrayton info>, Stefan Fritsch] |
| |
| *) mod_headers: Restore the 2.3.8 and earlier default for the first |
| argument of the Header directive ("onsuccess"). [Eric Covener] |
| |
| *) core: Disallow the mixing of relative and absolute Options PR 33708. |
| [Sönke Tesch <st kino-fahrplan.de>] |
| |
| *) core: When exporting request headers to HTTP_* environment variables, |
| drop variables whose names contain invalid characters. Describe in the |
| docs how to restore the old behaviour. [Malte S. Stretz <mss apache org>] |
| |
| *) core: When selecting an IP-based virtual host, favor an exact match for |
| the port over a wildcard (or omitted) port instead of favoring the one |
| that came first in the configuration file. [Eric Covener] |
| |
| *) core: Overlapping virtual host address/port combinations now implicitly |
| enable name-based virtual hosting for that address. The NameVirtualHost |
| directive has no effect, and _default_ is interpreted the same as "*". |
| [Eric Covener] |
| |
| *) core: In the absence of any Options directives, the default is now |
| "FollowSymlinks" instead of "All". [Igor Galić] |
| |
| *) rotatelogs: Add -e option to write logs through to stdout for optional |
| further processing. [Graham Leggett] |
| |
| *) mod_ssl: Correctly read full lines in input filter when the line is |
| incomplete during first read. PR 50481. [Ruediger Pluem] |
| |
| *) mod_authz_core: Add AuthzSendForbiddenOnFailure directive to allow |
| sending '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if authorization |
| fails for an authenticated user. PR 40721. [Stefan Fritsch] |
| |
| Changes with Apache 2.3.10 |
| |
| *) mod_rewrite: Don't implicitly URL-escape the original query string |
| when no substitution has changed it. PR 50447. [Eric Covener] |
| |
| *) core: Honor 'AcceptPathInfo OFF' during internal redirects, |
| such as per-directory mod_rewrite substitutions. PR 50349. |
| [Eric Covener] |
| |
| *) mod_rewrite: Add 'RewriteOptions InheritBefore' to put the base |
| rules/conditions before the overridden rules/conditions. PR 39313. |
| [Jérôme Grandjanny <jerome.grandjanny cea.fr>] |
| |
| *) mod_autoindex: add IndexIgnoreReset to reset the list of IndexIgnored |
| filenames in higher precedence configuration sections. PR 24243. |
| [Eric Covener] |
| |
| *) mod_cgid: RLimit* directive support for mod_cgid. PR 42135 |
| [Eric Covener] |
| |
| *) core: Fail startup when the argument to ServerName looks like a glob |
| or a regular expression instead of a hostname (*?[]). PR 39863 |
| [Rahul Nair <rahul.g.nair gmail.com>] |
| |
| *) mod_userdir: Add merging of enable, disable, and filename arguments |
| to UserDir directive, leaving enable/disable of userlists unmerged. |
| PR 44076 [Eric Covener] |
| |
| *) httpd: When no -k option is provided on the httpd command line, the server |
| was starting without checking for an existing pidfile. PR 50350 |
| [Eric Covener] |
| |
| *) mod_proxy: Put the worker in error state if the SSL handshake with the |
| backend fails. PR 50332. |
| [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem] |
| |
| *) mod_cache_disk: Fix Windows build which was broken after renaming |
| the module. [Gregg L. Smith] |
| |
| Changes with Apache 2.3.9 |
| |
| *) SECURITY: CVE-2010-1623 (cve.mitre.org) |
| Fix a denial of service attack against mod_reqtimeout. |
| [Stefan Fritsch] |
| |
| *) mod_headers: Change default first argument of Header directive |
| from "onsuccess" to "always". [Eric Covener] |
| |
| *) mod_include: Add the onerror attribute to the include element, |
| allowing an URL to be specified to include on error. [Graham |
| Leggett] |
| |
| *) mod_cache_disk: mod_disk_cache renamed to mod_cache_disk, to be |
| consistent with the naming of other modules. [Graham Leggett] |
| |
| *) mod_setenvif: Add SetEnvIfExpr directive to set env var depending on |
| expression. [Stefan Fritsch] |
| |
| *) mod_proxy: Fix ProxyPassInterpolateEnv directive. PR 50292. |
| [Stefan Fritsch] |
| |
| *) suEXEC: Add Suexec directive to disable suEXEC without renaming the |
| binary (Suexec Off), or force startup failure if suEXEC is required |
| but not supported (Suexec On). Change SuexecUserGroup to fail |
| startup instead of just printing a warning if suEXEC is disabled. |
| [Jeff Trawick] |
| |
| *) core: Add Error directive for aborting startup or htaccess processing |
| with a specified error message. [Jeff Trawick] |
| |
| *) mod_rewrite: Fix the RewriteEngine directive to work within a |
| location. Previously, once RewriteEngine was switched on globally, |
| it was impossible to switch off. [Graham Leggett] |
| |
| *) core, mod_include, mod_ssl: Move the expression parser derived from |
| mod_include back into mod_include. Replace ap_expr with a parser |
| derived from mod_ssl's parser. Make mod_ssl use the new parser. Rework |
| ap_expr's public interface and provide hooks for modules to add variables |
| and functions. [Stefan Fritsch] |
| |
| *) core: Do the hook sorting earlier so that the hooks are properly sorted |
| for the pre_config hook and during parsing the config. [Stefan Fritsch] |
| |
| *) core: In the absence of any AllowOverride directives, the default is now |
| "None" instead of "All". PR49823 [Eric Covener] |
| |
| *) mod_proxy: Don't allow ProxyPass or ProxyPassReverse in |
| <Directory> or <Files>. PR47765 [Eric Covener] |
| |
| *) prefork/worker/event MPMS: default value (when no directive is present) |
| of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000 |
| to match default configuration and manual. PR47782 [Eric Covener] |
| |
| *) proxy_connect: Don't give up in the middle of a CONNECT tunnel |
| when the child process is starting to exit. PR50220. [Eric Covener] |
| |
| *) mod_autoindex: Fix inheritance of mod_autoindex directives into |
| contexts that don't have any mod_autoindex directives. PR47766. |
| [Eric Covener] |
| |
| *) mod_rewrite: Add END flag for RewriteRule to prevent further rounds |
| of rewrite processing when a per-directory substitution occurs. |
| [Eric Covener] |
| |
| *) mod_ssl: Make sure to always log an error if loading of CA certificates |
| fails. PR 40312. [Paul Tiemann <issues apache org ourdetour com>] |
| |
| *) mod_dav: Send 501 error if unknown Content-* header is received for a PUT |
| request (RFC 2616 9.6). PR 42978. [Stefan Fritsch] |
| |
| *) mod_dav: Send 400 error if malformed Content-Range header is received for |
| a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch] |
| |
| *) mod_proxy: Release the backend connection as soon as EOS is detected, |
| so the backend isn't forced to wait for the client to eventually |
| acknowledge the data. [Graham Leggett] |
| |
| *) mod_proxy: Optimise ProxyPass within a Location so that it is stored |
| per-directory, and chosen during the location walk. Make ProxyPass |
| work correctly from within a LocationMatch. [Graham Leggett] |
| |
| *) core: Fix segfault if per-module LogLevel is on virtual host |
| scope. PR 50117. [Stefan Fritsch] |
| |
| *) mod_proxy: Move the ProxyErrorOverride directive to have per |
| directory scope. [Graham Leggett] |
| |
| *) mod_allowmethods: New module to deny certain HTTP methods without |
| interfering with authentication/authorization. [Paul Querna, |
| Igor Galić, Stefan Fritsch] |
| |
| *) mod_ssl: Log certificate information and improve error message if client |
| cert verification fails. PR 50093, PR 50094. [Lassi Tuura <lat cern ch>, |
| Stefan Fritsch] |
| |
| *) htcacheclean: Teach htcacheclean to limit cache size by number of |
| inodes in addition to size of files. Prevents a cache disk from |
| running out of space when many small files are cached. |
| [Graham Leggett] |
| |
| *) core: Rename MaxRequestsPerChild to MaxConnectionsPerChild, which |
| describes more accurately what the directive does. The old name |
| still works but logs a warning. [Stefan Fritsch] |
| |
| *) mod_cache: Optionally serve stale data when a revalidation returns a |
| 5xx response, controlled by the CacheStaleOnError directive. |
| [Graham Leggett] |
| |
| *) htcacheclean: Allow the listing of valid URLs within the cache, with |
| the option to list entry metadata such as sizes and times. [Graham |
| Leggett] |
| |
| *) mod_cache: correctly parse quoted strings in cache headers. |
| PR 50199 [Nick Kew] |
| |
| *) mod_cache: Allow control over the base URL of reverse proxied requests |
| using the CacheKeyBaseURL directive, so that the cache key can be |
| calculated from the endpoint URL instead of the server URL. [Graham |
| Leggett] |
| |
| *) mod_cache: CacheLastModifiedFactor, CacheStoreNoStore, CacheStorePrivate, |
| CacheStoreExpired, CacheIgnoreNoLastMod, CacheDefaultExpire, |
| CacheMinExpire and CacheMaxExpire can be set per directory/location. |
| [Graham Leggett] |
| |
| *) mod_disk_cache: CacheMaxFileSize, CacheMinFileSize, CacheReadSize and |
| CacheReadTime can be set per directory/location. [Graham Leggett] |
| |
| *) core: Speed up config parsing if using a very large number of config |
| files. PR 50002 [andrew cloudaccess net] |
| |
| *) mod_cache: Support the caching of HEAD requests. [Graham Leggett] |
| |
| *) htcacheclean: Allow the option to round up file sizes to a given |
| block size, improving the accuracy of disk usage. [Graham Leggett] |
| |
| *) mod_ssl: Add authz providers for use with mod_authz_core and its |
| RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL), |
| 'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and |
| 'ssl-require' (expressions with same syntax as SSLRequire). |
| [Stefan Fritsch] |
| |
| *) mod_ssl: Make the ssl expression parser thread-safe. It now requires |
| bison instead of yacc. [Stefan Fritsch] |
| |
| *) mod_disk_cache: Change on-disk header file format to support the |
| link of the device/inode of the data file to the matching header |
| file, and to support the option of not writing a data file when |
| the data file is empty. [Graham Leggett] |
| |
| *) core/mod_unique_id: Add generate_log_id hook to allow to use |
| the ID generated by mod_unique_id as error log ID for requests. |
| [Stefan Fritsch] |
| |
| *) mod_cache: Make sure that we never allow a 304 Not Modified response |
| that we asked for to leak to the client should the 304 response be |
| uncacheable. PR45341 [Graham Leggett] |
| |
| *) mod_cache: Add the cache_status hook to register the final cache |
| decision hit/miss/revalidate. Add optional support for an X-Cache |
| and/or an X-Cache-Detail header to add the cache status to the |
| response. PR48241 [Graham Leggett] |
| |
| *) mod_authz_host: Add 'local' provider that matches connections originating |
| on the local host. PR 19938. [Stefan Fritsch] |
| |
| *) Event MPM: Fix crash accessing pollset on worker thread when child |
| process is exiting. [Jeff Trawick] |
| |
| *) core: For process invocation (cgi, fcgid, piped loggers and so forth) |
| pass the system library path (LD_LIBRARY_PATH or platform-specific |
| variables) along with the system PATH, by default. Both should be |
| overridden together as desired using PassEnv etc; see mod_env. |
| [William Rowe] |
| |
| *) mod_cache: Introduce CacheStoreExpired, to allow administrators to |
| capture a stale backend response, perform If-Modified-Since requests |
| against the backend, and serving from the cache all 304 responses. |
| This restores pre-2.2.4 cache behavior. [William Rowe] |
| |
| *) mod_rewrite: Introduce <=, >= string comparison operators, and integer |
| comparators -lt, -le, -eq, -ge, and -gt. To help bash users and drop |
| the ambiguity of the symlink test "-ltest", introduce -h or -L as |
| symlink test operators. [William Rowe] |
| |
| *) mod_cache: Give the cache provider the opportunity to choose to cache |
| or not cache based on the buckets present in the brigade, such as the |
| presence of a FILE bucket. |
| [Graham Leggett] |
| |
| *) mod_authz_core: Allow authz providers to check args while reading the |
| config and allow to cache parsed args. Move 'all' and 'env' authz |
| providers from mod_authz_host to mod_authz_core. Add 'method' authz |
| provider depending on the HTTP method. [Stefan Fritsch] |
| |
| *) mod_include: Move the request_rec within mod_include to be |
| exposed within include_ctx_t. [Graham Leggett] |
| |
| *) mod_include: Reinstate support for UTF-8 character sets by allowing a |
| variable being echoed or set to be decoded and then encoded as separate |
| steps. PR47686 [Graham Leggett] |
| |
| *) mod_cache: Add a discrete commit_entity() provider function within the |
| mod_cache provider interface which is called to indicate to the |
| provider that caching is complete, giving the provider the opportunity |
| to commit temporary files permanently to the cache in an atomic |
| fashion. Replace the inconsistent use of error cleanups with a formal |
| set of pool cleanups attached to a subpool, which is destroyed on error. |
| [Graham Leggett] |
| |
| *) mod_cache: Change the signature of the store_body() provider function |
| within the mod_cache provider interface to support an "in" brigade |
| and an "out" brigade instead of just a single input brigade. This |
| gives a cache provider the option to consume only part of the brigade |
| passed to it, rather than the whole brigade as was required before. |
| This fixes an out of memory and a request timeout condition that would |
| occur when the original document was a large file. Introduce |
| CacheReadSize and CacheReadTime directives to mod_disk_cache to control |
| the amount of data to attempt to cache at a time. [Graham Leggett] |
| |
| *) core: Add ErrorLogFormat to allow configuring error log format, including |
| additional information that is logged once per connection or request. Add |
| error log IDs for connections and request to allow correlating error log |
| lines and the corresponding access log entry. [Stefan Fritsch] |
| |
| *) core: Disable sendfile by default. [Stefan Fritsch] |
| |
| *) mod_cache: Check the request to determine whether we are allowed |
| to return cached content at all, and respect a "Cache-Control: |
| no-cache" header from a client. Previously, "no-cache" would |
| behave like "max-age=0". [Graham Leggett] |
| |
| *) mod_cache: Use a proper filter context to hold filter data instead |
| of misusing the per-request configuration. Fixes a segfault on trunk |
| when the normal handler is used. [Graham Leggett] |
| |
| *) mod_cgid: Log a warning if the ScriptSock path is truncated because |
| it is too long. PR 49388. [Stefan Fritsch] |
| |
| *) vhosts: Do not allow _default_ in NameVirtualHost, or mixing * |
| and non-* ports on NameVirtualHost, or multiple NameVirtualHost |
| directives for the same address:port, or NameVirtualHost |
| directives with no matching VirtualHosts, or multiple ip-based |
| VirtualHost sections for the same address:port. These were |
| previously accepted with a warning, but the behavior was |
| undefined. [Dan Poirier] |
| |
| *) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with |
| Allow/Deny. PR 49838. [Andrew Skalski <voltara gmail.com>] |
| |
| *) core: DirectoryMatch can now match on the end of line character ($), |
| and sub-directories of matched directories are no longer implicitly |
| matched. PR49809 [Eric Covener] |
| |
| *) Regexps: introduce new higher-level regexp utility including parsing |
| and executing perl-style regexp ops (e.g s/foo/bar/i) and regexp memory |
| [Nick Kew] |
| |
| *) Proxy: support setting source address. PR 29404 |
| [Multiple contributors iterating through bugzilla, |
| Aron Ujvari <xanco nikhok.hu>, Aleksey Midenkov <asm uezku.kemsu.ru>, |
| <dan listening-station.net>; trunk version Nick Kew] |
| |
| *) HTTP protocol: return 400 not 503 if we have to abort due to malformed |
| chunked encoding. [Nick Kew] |
| |
| Changes with Apache 2.3.8 |
| |
| *) suexec: Support large log files. PR 45856. [Stefan Fritsch] |
| |
| *) core: Abort with sensible error message if no or more than one MPM is |
| loaded. [Stefan Fritsch] |
| |
| *) mod_proxy: Rename erroronstatus to failonstatus. |
| [Daniel Ruggeri <DRuggeri primary.net>] |
| |
| *) mod_dav_fs: Fix broken "creationdate" property. |
| Regression in version 2.3.7. [Rainer Jung] |
| |
| Changes with Apache 2.3.7 |
| |
| *) SECURITY: CVE-2010-1452 (cve.mitre.org) |
| mod_dav, mod_cache, mod_session: Fix Handling of requests without a path |
| segment. PR: 49246 [Mark Drayton, Jeff Trawick] |
| |
| *) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076. |
| [Stefan Fritsch] |
| |
| *) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639. |
| [Stefan Fritsch] |
| |
| *) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers |
| via leveraging 100-Continue as the initial "request". |
| [Jim Jagielski] |
| |
| *) core/mod_authz_core: Introduce new access_checker_ex hook that enables |
| mod_authz_core to bypass authentication if access should be allowed by |
| IP address/env var/... [Stefan Fritsch] |
| |
| *) core: Introduce note_auth_failure hook to allow modules to add support |
| for additional auth types. This makes ap_note_auth_failure() work with |
| mod_auth_digest again. PR 48807. [Stefan Fritsch] |
| |
| *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew] |
| |
| *) mod_authn_socache: new module [Nick Kew] |
| |
| *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch] |
| |
| *) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>] |
| |
| *) mod_rewrite: Allow to set environment variables without explicitly |
| giving a value. [Rainer Jung] |
| |
| *) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung] |
| |
| *) mod_include: recognise "text/html; parameters" as text/html |
| PR 49616 [Andrey Chernov <ache nagual.pp.ru>] |
| |
| *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH |
| PR 43906 [Nick Kew] |
| |
| *) Core: Extra robustness: don't try authz and segfault if authn |
| fails to set r->user. Log bug and return 500 instead. |
| PR 42995 [Nick Kew] |
| |
| *) HTTP protocol filter: fix handling of longer chunk extensions |
| PR 49474 [<tee.bee gmx.de>] |
| |
| *) Update SSL cipher suite and add example for SSLHonorCipherOrder. |
| [Lars Eilebrecht, Rainer Jung] |
| |
| *) move AddOutputFilterByType from core to mod_filter. This should |
| fix nasty side-effects that happen when content_type is set |
| more than once in processing a request, and make it fully |
| compatible with dynamic and proxied contents. [Nick Kew] |
| |
| *) mod_log_config: Implement logging for sub second timestamps and |
| request end time. [Rainer Jung] |
| |
| Changes with Apache 2.3.6 |
| |
| *) SECURITY: CVE-2009-3555 (cve.mitre.org) |
| mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection |
| attack when compiled against OpenSSL version 0.9.8m or later. Introduces |
| the 'SSLInsecureRenegotiation' directive to reopen this vulnerability |
| and offer unsafe legacy renegotiation with clients which do not yet |
| support the new secure renegotiation protocol, RFC 5746. |
| [Joe Orton, and with thanks to the OpenSSL Team] |
| |
| *) SECURITY: CVE-2009-3555 (cve.mitre.org) |
| mod_ssl: A partial fix for the TLS renegotiation prefix injection attack |
| by rejecting any client-initiated renegotiations. Forcibly disable |
| keepalive for the connection if there is any buffered data readable. Any |
| configuration which requires renegotiation for per-directory/location |
| access control is still vulnerable, unless using OpenSSL >= 0.9.8l. |
| [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>] |
| |
| *) SECURITY: CVE-2010-0408 (cve.mitre.org) |
| mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent |
| when request headers indicate a request body is incoming; not a case of |
| HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>] |
| |
| *) SECURITY: CVE-2010-0425 (cve.mitre.org) |
| mod_isapi: Do not unload an isapi .dll module until the request |
| processing is completed, avoiding orphaned callback pointers. |
| [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick] |
| |
| *) core: Filter init functions are now run strictly once per request |
| before handler invocation. The init functions are no longer run |
| for connection filters. PR 49328. [Joe Orton] |
| |
| *) core: Adjust the output filter chain correctly in an internal |
| redirect from a subrequest, preserving filters from the main |
| request as necessary. PR 17629. [Joe Orton] |
| |
| *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial |
| Response if they choose to do so. Previously an attempt to cache a 206 |
| was arbitrarily allowed if the response contained an Expires or |
| Cache-Control header, and arbitrarily denied if both headers were missing. |
| [Graham Leggett] |
| |
| *) core: Add microsecond timestamp fractions, process id and thread id |
| to the error log. [Rainer Jung] |
| |
| *) configure: The "most" module set gets built by default. [Rainer Jung] |
| |
| *) configure: Building dynamic modules (DSO) by default. [Rainer Jung] |
| |
| *) configure: Fix broken VPATH build when using included APR. |
| [Rainer Jung] |
| |
| *) mod_session_crypto: Fix configure problem when building |
| with APR 2 and for VPATH builds with included APR. |
| [Rainer Jung] |
| |
| *) mod_session_crypto: API compatibility with APR 2 crypto and |
| APR Util 1.x crypto. [Rainer Jung] |
| |
| *) ab: Fix memory leak with -v2 and SSL. PR 49383. |
| [Pavel Kankovsky <peak argo troja mff cuni cz>] |
| |
| *) core: Add per-module and per-directory loglevel configuration. |
| Add some more trace logging. |
| mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels. |
| mod_ssl: Replace LogLevelDebugDump with trace log levels. |
| mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info |
| and debug. |
| mod_dumpio: Replace DumpIOLogLevel with trace log levels. |
| [Stefan Fritsch] |
| |
| *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns |
| title page only) when any mod_ldap directives were used in VirtualHost |
| context. [Eric Covener] |
| |
| *) mod_disk_cache: Decline the opportunity to cache if the response is |
| a 206 Partial Content. This stops a reverse proxied partial response |
| from becoming cached, and then being served in subsequent responses. |
| [Graham Leggett] |
| |
| *) mod_deflate: avoid the risk of forwarding data before headers are set. |
| PR 49369 [Matthew Steele <mdsteele google.com>] |
| |
| *) mod_authnz_ldap: Ensure nested groups are checked when the |
| top-level group doesn't have any direct non-group members |
| of attributes in AuthLDAPGroupAttribute. [Eric Covener] |
| |
| *) mod_authnz_ldap: Search or Comparison during authorization phase |
| can use the credentials from the authentication phase |
| (AuthLDAPSearchAsUser, AuthLDAPCompareAsUser). |
| PR 48340 [Domenico Rotiroti, Eric Covener] |
| |
| *) mod_authnz_ldap: Allow the initial DN search during authentication |
| to use the HTTP username/pass instead of an anonymous or hard-coded |
| LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern). |
| [Eric Covener] |
| |
| *) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix |
| when this module is used for authorization. See AuthLDAPAuthorizePrefix. |
| PR 45584 [Eric Covener] |
| |
| *) apxs -q: Stop filtering out ':' characters from the reported values. |
| PR 45343. [Bill Cole] |
| |
| *) prefork MPM: Work around possible crashes on child exit in APR reslist |
| cleanup code. PR 43857. [Tom Donovan] |
| |
| *) ab: fix number of requests sent by ab when keepalive is enabled. PR 48497. |
| [Bryn Dole <dole blekko.com>] |
| |
| *) Log an error for failures to read a chunk-size, and return 408 instead of |
| 413 when this is due to a read timeout. This change also fixes some cases |
| of two error documents being sent in the response for the same scenario. |
| [Eric Covener] PR49167 |
| |
| *) mod_proxy_balancer: Add new directive BalancerNonce to allow admin |
| to control/set the nonce used in the balancer-manager application. |
| [Jim Jagielski] |
| |
| *) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673. |
| [Stefan Fritsch] |
| |
| *) Proxy balancer: support setting error status according to HTTP response |
| code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>] |
| |
| *) htcacheclean: Introduce the ability to clean specific URLs from the |
| cache, if provided as an optional parameter on the command line. |
| [Graham Leggett] |
| |
| *) core: Introduce the IncludeStrict directive, which explicitly fails |
| server startup if no files or directories match a wildcard path. |
| [Graham Leggett] |
| |
| *) htcacheclean: Report additional statistics about entries deleted. |
| PR 48944. [Mark Drayton mark markdrayton.info] |
| |
| *) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all |
| builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper |
| build of openssl is required for 'SSLFIPS on'. PR 46270. |
| [Dr Stephen Henson <steve openssl.org>, William Rowe] |
| |
| *) mod_proxy_http: Log the port of the remote server in various messages. |
| PR 48812. [Igor Galić <i galic brainsware org>] |
| |
| *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend |
| connections and other protocol handlers (like mod_ftp). [Stefan Fritsch] |
| |
| *) mod_proxy_ajp: Really regard the operation a success, when the client |
| aborted the connection. In addition adjust the log message if the client |
| aborted the connection. [Ruediger Pluem] |
| |
| *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which |
| allows insecure renegotiation with clients which do not yet |
| support the secure renegotiation protocol. [Joe Orton] |
| |
| *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs |
| is configured for client cert auth. PR 46952. [Joe Orton] |
| |
| *) core: Only log a 408 if it is not a keepalive timeout. PR 39785 |
| [Ruediger Pluem, Mark Montague <markmont umich.edu>] |
| |
| *) support/rotatelogs: Add -L option to create a link to the current |
| log file. PR 48761 [<lyndon orthanc.ca>, Dan Poirier] |
| |
| *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory |
| setting only, matching most of the documentation and examples. |
| PR 46541 [Paul Reder, Eric Covener] |
| |
| *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument |
| types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener] |
| |
| *) mod_negotiation: Preserve query string over multiviews negotiation. |
| This buglet was fixed for type maps in 2.2.6, but the same issue |
| affected multiviews and was overlooked. |
| PR 33112 [Joergen Thomsen <apache jth.net>] |
| |
| *) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert |
| when some are not password-protected. [Eric Covener] |
| |
| *) Fix startup segfault when the Mutex directive is used but no loaded |
| modules use httpd mutexes. PR 48787. [Jeff Trawick] |
| |
| *) Proxy: get the headers right in a HEAD request with |
| ProxyErrorOverride, by checking for an overridden error |
| before not after going into a catch-all code path. |
| PR 41646. [Nick Kew, Stuart Children] |
| |
| *) support/rotatelogs: Support the simplest log rotation case, log |
| truncation. Useful when the log is being processed in real time |
| using a command like tail. [Graham Leggett] |
| |
| *) support/htcacheclean: Teach it how to write a pid file (modelled on |
| httpd's writing of a pid file) so that it becomes possible to run |
| more than one instance of htcacheclean on the same machine. |
| [Graham Leggett] |
| |
| *) Log command line on startup, so there's a record of command line |
| arguments like -f. PR 48752. [Dan Poirier] |
| |
| *) Introduce mod_reflector, a handler capable of reflecting POSTed |
| request bodies back within the response through the output filter |
| stack. Can be used to turn an output filter into a web service. |
| [Graham Leggett] |
| |
| *) mod_proxy_http: Make sure that when an ErrorDocument is served |
| from a reverse proxied URL, that the subrequest respects the status |
| of the original request. This brings the behaviour of proxy_handler |
| in line with default_handler. PR 47106. [Graham Leggett] |
| |
| *) Support wildcards in both the directory and file components of |
| the path specified by the Include directive. [Graham Leggett] |
| |
| *) mod_proxy, mod_proxy_http: Support remote https proxies |
| by using HTTP CONNECT. PR 19188. |
| [Philippe Dutrueux <lilas evidian.com>, Rainer Jung] |
| |
| *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf |
| [Philip M. Gollucci] |
| |
| *) worker: Don't report server has reached MaxClients until it has. |
| Add message when server gets within MinSpareThreads of MaxClients. |
| PR 46996. [Dan Poirier] |
| |
| *) mod_session: Session expiry was being initialised, but not updated |
| on each session save, resulting in timed out sessions when there |
| should not have been. Fixed. [Graham Leggett] |
| |
| *) mod_log_config: Add the R option to log the handler used within the |
| request. [Christian Folini <christian.folini netnea com>] |
| |
| *) mod_include: Allow fine control over the removal of Last-Modified and |
| ETag headers within the INCLUDES filter, making it possible to cache |
| responses if desired. Fix the default value of the SSIAccessEnable |
| directive. [Graham Leggett] |
| |
| *) Add new UnDefine directive to undefine a variable. PR 35350. |
| [Stefan Fritsch] |
| |
| *) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax |
| for regex backreferences as mod_rewrite and mod_include: Remove the use |
| of '&' as an alias for '$0' and allow to escape any character with a |
| backslash. PR 48351. [Stefan Fritsch] |
| |
| *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the |
| password to UTF-8. PR 45318. |
| [Johannes Müller <joh_m gmx.de>, Stefan Fritsch] |
| |
| *) ab: Fix calculation of requests per second in HTML output. PR 48594. |
| [Stefan Fritsch] |
| |
| *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user |
| password now result in an informational level log entry instead of |
| warning level. [Eric Covener] |
| |
| Changes with Apache 2.3.5 |
| |
| *) SECURITY: CVE-2010-0434 (cve.mitre.org) |
| Ensure each subrequest has a shallow copy of headers_in so that the |
| parent request headers are not corrupted. Eliminates a problematic |
| optimization in the case of no request body. PR 48359 |
| [Jake Scott, William Rowe, Ruediger Pluem] |
| |
| *) Turn static function get_server_name_for_url() into public |
| ap_get_server_name_for_url() and use it where appropriate. This |
| fixes mod_rewrite generating invalid URLs for redirects to IPv6 |
| literal addresses. [Stefan Fritsch] |
| |
| *) mod_ldap: Introduce new config option LDAPTimeout to set the timeout |
| for LDAP operations like bind and search. [Stefan Fritsch] |
| |
| *) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to |
| mod_proxy_ftp. [Takashi Sato] |
| |
| *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to |
| mod_proxy_connect. [Takashi Sato] |
| |
| *) mod_cache: Do an exact match of the keys defined by |
| CacheIgnoreURLSessionIdentifiers against the querystring instead of |
| a partial match. PR 48401. |
| [Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem] |
| |
| *) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung] |
| |
| *) Core HTTP: disable keepalive when the Client has sent |
| Expect: 100-continue |
| but we respond directly with a non-100 response. |
| Keepalive here led to data from clients continuing being treated as |
| a new request. |
| PR 47087 [Nick Kew] |
| |
| *) Core: reject NULLs in request line or request headers. |
| PR 43039 [Nick Kew] |
| |
| *) Core: (re)-introduce -T commandline option to suppress documentroot |
| check at startup. |
| PR 41887 [Jan van den Berg <janvdberg gmail.com>] |
| |
| *) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions, |
| ScanHTMLTitles, ReadmeName, HeaderName |
| PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew] |
| |
| *) Proxy: Fix ProxyPassReverse with relative URL |
| Derived (slightly erroneously) from PR 38864 [Nick Kew] |
| |
| *) mod_headers: align Header Edit with Header Set when used on Content-Type |
| PR 48422 [Cyril Bonté <cyril.bonte free.fr>, Nick Kew] |
| |
| *) mod_headers: Enable multi-match-and-replace edit option |
| PR 46594 [Nick Kew] |
| |
| *) mod_filter: enable it to act on non-200 responses. |
| PR 48377 [Nick Kew] |
| |
| Changes with Apache 2.3.4 |
| |
| *) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex, |
| and WatchdogMutexPath with a single Mutex directive. Add APIs to |
| simplify setup and user customization of APR proc and global mutexes. |
| (See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer |
| respected; set DEFAULT_REL_RUNTIMEDIR instead. [Jeff Trawick] |
| |
| *) http_core: KeepAlive no longer accepts other than On|Off. |
| [Takashi Sato] |
| |
| *) mod_dav: Remove errno from dav_error interface. Calls to dav_new_error() |
| and dav_new_error_tag() must be adjusted to add an apr_status_t parameter. |
| [Jeff Trawick] |
| |
| *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to |
| try other providers in the case of an LDAP bind failure. |
| PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson] |
| |
| *) Build: fix --with-module to work as documented |
| PR 43881 [Gez Saunders <gez.saunders virgin.net>] |
| |
| Changes with Apache 2.3.3 |
| |
| *) SECURITY: CVE-2009-3095 (cve.mitre.org) |
| mod_proxy_ftp: sanity check authn credentials. |
| [Stefan Fritsch <sf fritsch.de>, Joe Orton] |
| |
| *) SECURITY: CVE-2009-3094 (cve.mitre.org) |
| mod_proxy_ftp: NULL pointer dereference on error paths. |
| [Stefan Fritsch <sf fritsch.de>, Joe Orton] |
| |
| *) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against |
| OpenSSL 1.0.0b3. [Vipul Gupta <vipul.gupta sun.com>, Sander Temme] |
| |
| *) mod_dav: Include uri when logging a PUT error due to connection abort. |
| PR 38149. [Stefan Fritsch] |
| |
| *) mod_dav: Return 409 instead of 500 for a LOCK request if the parent |
| resource does not exist or is not a collection. PR 43465. [Stefan Fritsch] |
| |
| *) mod_dav_fs: Return 409 instead of 500 for Litmus test case copy_nodestcoll |
| (a COPY request where the parent of the destination resource does not |
| exist). PR 39299. [Stefan Fritsch] |
| |
| *) mod_dav_fs: Don't delete the whole file if a PUT with content-range failed. |
| PR 42896. [Stefan Fritsch] |
| |
| *) mod_dav_fs: Make PUT create files atomically and no longer destroy the |
| old file if the transfer aborted. PR 39815. [Paul Querna, Stefan Fritsch] |
| |
| *) mod_dav_fs: Remove inode keyed locking as this conflicts with atomically |
| creating files. On systems with inode numbers, this is a format change of |
| the DavLockDB. The old DavLockDB must be deleted on upgrade. |
| [Stefan Fritsch] |
| |
| *) mod_log_config: Make ${cookie}C correctly match whole cookie names |
| instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>, |
| Stefan Fritsch] |
| |
| *) vhost: A purely-numeric Host: header should not be treated as a port. |
| PR 44979 [Nick Kew] |
| |
| *) mod_ldap: Avoid 500 errors with "Unable to set LDAP_OPT_REFHOPLIMIT option to 5" |
| when built against openldap by using SDK LDAP_OPT_REFHOPLIMIT defaults unless |
| LDAPReferralHopLimit is explicitly configured. |
| [Eric Covener] |
| |
| *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'. |
| [Eric Covener] |
| |
| *) mod_ssl: Add support for OCSP Stapling. PR 43822. |
| [Dr Stephen Henson <shenson oss-institute.org>] |
| |
| *) mod_socache_shmcb: Allow parens in file name if cache size is given. |
| Fixes SSLSessionCache directive mis-parsing parens in pathname. |
| PR 47945. [Stefan Fritsch] |
| |
| *) htpasswd: Improve out of disk space handling. PR 30877. [Stefan Fritsch] |
| |
| *) htpasswd: Use MD5 hash by default on all platforms. [Stefan Fritsch] |
| |
| *) mod_sed: Reduce memory consumption when processing very long lines. |
| PR 48024 [Basant Kumar Kukreja <basant.kukreja sun.com>] |
| |
| *) ab: Fix segfault in case the argument for -n is a very large number. |
| PR 47178. [Philipp Hagemeister <oss phihag.de>] |
| |
| *) Allow ProxyPreserveHost to work in <Proxy> sections. PR 34901. |
| [Stefan Fritsch] |
| |
| *) configure: Fix THREADED_MPMS so that mod_cgid is enabled again |
| for worker MPM. [Takashi Sato] |
| |
| *) mod_dav: Provide a mechanism to obtain the request_rec and pathname |
| from the dav_resource. [Jari Urpalainen <jari.urpalainen nokia.com>, |
| Brian France <brian brianfrance.com>] |
| |
| *) Build: Use install instead of cp if available on installing |
| modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com] |
| |
| *) mod_cache: correctly consider s-maxage in cacheability |
| decisions. [Dan Poirier] |
| |
| *) mod_logio/core: Report more accurate byte counts in mod_status if |
| mod_logio is loaded. PR 25656. [Stefan Fritsch] |
| |
| *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge |
| some cache entries and log a warning. Also increase the default |
| LDAPSharedCacheSize to 500000. This is a more realistic size suitable |
| for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries. |
| PR 46749. [Stefan Fritsch] |
| |
| *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if |
| the request is a CONNECT request. [Bill Zajac <billz consultla.com>] |
| |
| *) mod_cache: Teach CacheEnable and CacheDisable to work from within a |
| Location section, in line with how ProxyPass works. [Graham Leggett] |
| |
| *) mod_reqtimeout: New module to set timeouts and minimum data rates for |
| receiving requests from the client. [Stefan Fritsch] |
| |
| *) core: Fix potential memory leaks by making sure to not destroy |
| bucket brigades that have been created by earlier filters. |
| [Stefan Fritsch] |
| |
| *) core, mod_deflate, mod_sed: Reduce memory usage by reusing bucket |
| brigades in several places. [Stefan Fritsch] |
| |
| *) mod_cache: Fix uri_meets_conditions() so that CacheEnable will |
| match by scheme, or by a wildcarded hostname. PR 40169 |
| [Peter Grandi <pg_asf asf.for.sabi.co.uk>, Graham Leggett] |
| |
| *) suexec: Allow to log an error if exec fails by setting FD_CLOEXEC |
| on the log file instead of closing it. PR 10744. [Nicolas Rachinsky] |
| |
| *) mod_mime: Make RemoveType override the info from TypesConfig. |
| PR 38330. [Stefan Fritsch] |
| |
| *) mod_cache: Introduce the option to run the cache from within the |
| normal request handler, and to allow fine grained control over |
| where in the filter chain content is cached. Adds CacheQuickHandler |
| directive. [Graham Leggett] |
| |
| *) core: Treat timeout reading request as 408 error, not 400. |
| Log 408 errors in access log as was done in Apache 1.3.x. |
| PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, |
| Stefan Fritsch <sf fritsch.de>, Dan Poirier] |
| |
| *) mod_ssl: Reintroduce SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_SERVER_S_DN, |
| SSL_SERVER_I_DN back to the environment variables to be set by mod_ssl. |
| [Peter Sylvester <peter.sylvester edelweb.fr>] |
| |
| *) mod_disk_cache: don't cache incomplete responses, per RFC 2616, 13.8. |
| PR15866. [Dan Poirier] |
| |
| *) ab: ab segfaults in verbose mode on https sites |
| PR46393. [Ryan Niebur] |
| |
| *) mod_dav: Allow other modules to become providers and add resource types |
| to the DAV response. [Jari Urpalainen <jari.urpalainen nokia.com>, |
| Brian France <brian brianfrance.com>] |
| |
| *) mod_dav: Allow other modules to add things to the DAV or Allow headers |
| of an OPTIONS request. [Jari Urpalainen <jari.urpalainen nokia.com>, |
| Brian France <brian brianfrance.com>] |
| |
| *) core: Lower memory usage of core output filter. |
| [Stefan Fritsch <sf sfritsch.de>] |
| |
| *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and |
| LocationMatch sections. PR47754. [Dan Poirier] |
| |
| *) mod_request: Make sure the KeptBodySize directive rejects values |
| that aren't valid numbers. [Graham Leggett] |
| |
| *) mod_session_crypto: Sanity check should the potentially encrypted |
| session cookie be too short. [Graham Leggett] |
| |
| *) mod_session.c: Prevent a segfault when session is added but not |
| configured. [Graham Leggett] |
| |
| *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett] |
| |
| *) mod_auth_digest: Fail server start when nonce count checking |
| is configured without shared memory, or md5-sess algorithm is |
| configured. [Dan Poirier] |
| |
| *) mod_proxy_connect: The connect method doesn't work if the client is |
| connecting to the apache proxy through an ssl socket. Fixed. |
| PR29744. [Brad Boyer, Mark Cave-Ayland, Julian Gilbey, Fabrice Durand, |
| David Gence, Tim Dodge, Per Gunnar Hans, Emmanuel Elango, |
| Kevin Croft, Rudolf Cardinal] |
| |
| *) mod_ssl: The error message when SSLCertificateFile is missing should |
| at least give the name or position of the problematic virtual host |
| definition. [Stefan Fritsch sf sfritsch.de] |
| |
| *) mod_auth_digest: Fix null pointer when qop=none. [Dan Poirier] |
| |
| *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>] |
| |
| *) mod_headers: generalise the envclause to support expression |
| evaluation with ap_expr parser [Nick Kew] |
| |
| *) mod_cache: Introduce the thundering herd lock, a mechanism to keep |
| the flood of requests at bay that strike a backend webserver as |
| a cached entity goes stale. [Graham Leggett] |
| |
| *) mod_auth_digest: Fix usage of shared memory and re-enable it. |
| PR 16057 [Dan Poirier] |
| |
| *) Preserve Port information over internal redirects |
| PR 35999 [Jonas Ringh <jonas.ringh cixit.se>] |
| |
| *) Proxy: unable to connect to a backend is SERVICE_UNAVAILABLE, |
| rather than BAD_GATEWAY or (especially) NOT_FOUND. |
| PR 46971 [evanc nortel.com] |
| |
| *) Various modules: Do better checking of pollset operations in order to |
| avoid segmentation faults if they fail. PR 46467 |
| [Stefan Fritsch <sf sfritsch.de>] |
| |
| *) mod_autoindex: Correctly create an empty cell if the description |
| for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>] |
| |
| *) ab: Fix broken error messages after resolver or connect() failures. |
| [Jeff Trawick] |
| |
| *) SECURITY: CVE-2009-1890 (cve.mitre.org) |
| Fix a potential Denial-of-Service attack against mod_proxy in a |
| reverse proxy configuration, where a remote attacker can force a |
| proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton] |
| |
| *) SECURITY: CVE-2009-1191 (cve.mitre.org) |
| mod_proxy_ajp: Avoid delivering content from a previous request which |
| failed to send a request body. PR 46949 [Ruediger Pluem] |
| |
| *) htdbm: Fix possible buffer overflow if dbm database has very |
| long values. PR 30586 [Dan Poirier] |
| |
| *) core: Return APR_EOF if request body is shorter than the length announced |
| by the client. PR 33098 [ Stefan Fritsch <sf sfritsch.de>] |
| |
| *) mod_suexec: correctly set suexec_enabled when httpd is run by a |
| non-root user and may have insufficient permissions. |
| PR 42175 [Jim Radford <radford blackbean.org>] |
| |
| *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute |
| type. PR 45107. [Michael Ströder <michael stroeder.com>, |
| Peter Sylvester <peter.sylvester edelweb.fr>] |
| |
| *) mod_proxy_http: fix case sensitivity checking transfer encoding |
| PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>] |
| |
| *) mod_alias: ensure Redirect issues a valid URL. |
| PR 44020 [Håkon Stordahl <hakon stordahl.org>] |
| |
| *) mod_dir: add FallbackResource directive, to enable admin to specify |
| an action to happen when a URL maps to no file, without resorting |
| to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew] |
| |
| *) mod_cgid: Do not leak the listening Unix socket file descriptor to the |
| CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>] |
| |
| *) mod_rewrite: Remove locking for writing to the rewritelog. |
| PR 46942 [Dan Poirier <poirier pobox.com>] |
| |
| *) mod_alias: check sanity in Redirect arguments. |
| PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski] |
| |
| *) mod_proxy_http: fix Host: header for literal IPv6 addresses. |
| PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>] |
| |
| *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore |
| defined session identifiers encoded in the URL when caching. |
| [Ruediger Pluem] |
| |
| *) mod_rewrite: Fix the error string returned by RewriteRule. |
| RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd |
| argument of RewriteRule was not started with "[" or not ended with "]". |
| PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>] |
| |
| *) Windows: Fix usage message. |
| [Rainer Jung] |
| |
| *) apachectl: When passing through arguments to httpd in |
| non-SysV mode, use the "$@" syntax to preserve arguments. |
| [Eric Covener] |
| |
| *) mod_dbd: add DBDInitSQL directive to enable SQL statements to |
| be run when a connection is opened. PR 46827 |
| [Marko Kevac <mkevac gmail.com>] |
| |
| *) mod_cgid: Improve handling of long AF_UNIX socket names (ScriptSock). |
| PR 47037. [Jeff Trawick] |
| |
| *) mod_proxy_ajp: Check more strictly that the backend follows the AJP |
| protocol. [Mladen Turk] |
| |
| *) mod_proxy_ajp: Forward remote port information by default. |
| [Rainer Jung] |
| |
| *) Allow MPMs to be loaded dynamically, as with most other modules. Use |
| --enable-mpms-shared={list|"all"} to enable. This required changes to |
| the MPM interfaces. Removed: mpm.h, mpm_default.h (as an installed |
| header), APACHE_MPM_DIR, MPM_NAME, ap_threads_per_child, |
| ap_max_daemons_limit, ap_my_generation, etc. ap_mpm_query() can't be |
| called until after the register-hooks phase. [Jeff Trawick] |
| |
| *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives |
| to enable stricter checking of remote server certificates. |
| [Ruediger Pluem] |
| |
| *) ab: Fix a 100% CPU loop on platforms where a failed non-blocking connect |
| returns EINPROGRESS and a subsequent poll() returns only POLLERR. |
| Observed on HP-UX. [Eric Covener] |
| |
| *) Remove broken support for BeOS, TPF, and even older platforms such |
| as A/UX, Next, and Tandem. [Jeff Trawick] |
| |
| *) mod_proxy_ftp: Add ProxyFtpListOnWildcard directive to allow files with |
| globbing characters to be retrieved instead of converted into a |
| directory listing. PR 46789 [Dan Poirier <poirier pobox.com>] |
| |
| *) Provide ap_retained_data_create()/ap_retained_data_get() for preservation |
| of module state across unload/load. [Jeff Trawick] |
| |
| *) mod_substitute: Fix a memory leak. PR 44948 |
| [Dan Poirier <poirier pobox.com>] |
| |
| Changes with Apache 2.3.2 |
| |
| *) mod_mime_magic: Fix detection of compressed content. [Rainer Jung] |
| |
| *) mod_negotiation: Escape paths of filenames in 406 responses to avoid |
| HTML injections and HTTP response splitting. PR 46837. |
| [Geoff Keating <geoffk apple.com>] |
| |
| *) mod_ssl: add support for type-safe STACK constructs in OpenSSL |
| development HEAD. PR 45521. [Kaspar Brand, Sander Temme] |
| |
| *) ab: Fix maintenance of the pollset to resolve EALREADY errors |
| with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris). |
| PR 44584. Use APR_POLLSET_NOCOPY for better performance with some |
| pollset implementations. [Jeff Trawick] |
| |
| *) mod_disk_cache: The module now turns off sendfile support if |
| 'EnableSendfile off' is defined globally. [Lars Eilebrecht] |
| |
| *) mod_deflate: Adjust content metadata before bailing out on 304 |
| responses so that the metadata does not differ from 200 response. |
| [Roy T. Fielding] |
| |
| *) mod_deflate: Fix creation of invalid Etag headers. We now make sure |
| that the Etag value is properly quoted when adding the gzip marker. |
| PR 39727, 45023. [Lars Eilebrecht, Roy T. Fielding] |
| |
| *) Added 20x22 icons for ODF, SVG, and XML documents. PR 37185. |
| [Peter Harlow] |
| |
| *) Disabled DefaultType directive and removed ap_default_type() |
| from core. We now exclude Content-Type from responses for which |
| a media type has not been configured via mime.types, AddType, |
| ForceType, or some other mechanism. PR 13986. [Roy T. Fielding] |
| |
| *) mod_rewrite: Add IPV6 variable to RewriteCond |
| [Ryan Phillips <ryan-apache trolocsis.com>] |
| |
| *) core: Enhance KeepAliveTimeout to support a value in milliseconds. |
| PR 46275. [Takashi Sato] |
| |
| *) rotatelogs: Allow size units B, K, M, G and combination of |
| time and size based rotation. [Rainer Jung] |
| |
| *) rotatelogs: Add flag for verbose (debug) output. [Rainer Jung] |
| |
| *) mod_ssl: Fix merging of SSLRenegBufferSize directive. PR 46508 |
| [<tlhackque yahoo.com>] |
| |
| *) core: Translate the status line to ASCII on EBCDIC platforms in |
| ap_send_interim_response() and for locally generated "100 Continue" |
| responses. [Eric Covener] |
| |
| *) prefork: Fix child process hang during graceful restart/stop in |
| configurations with multiple listening sockets. PR 42829. [Joe Orton, |
| Jeff Trawick] |
| |
| *) mod_session_crypto: Ensure that SessionCryptoDriver can only be |
| set in the global scope. [Graham Leggett] |
| |
| *) mod_ext_filter: We need to detect failure to startup the filter |
| program (a mangled response is not acceptable). Fix to detect |
| failure, and offer configuration option either to abort or |
| to remove the filter and continue. |
| PR 41120 [Nick Kew] |
| |
| *) mod_session_crypto: Rewrite the session_crypto module against the |
| apr_crypto API. [Graham Leggett] |
| |
| *) mod_auth_form: Fix a pool lifetime issue, don't remove the subrequest |
| until the main request is cleaned up. [Graham Leggett] |
| |
| Changes with Apache 2.3.1 |
| |
| *) ap_slotmem: Add in new slot-based memory access API impl., including |
| 2 providers (mod_sharedmem and mod_plainmem) [Jim Jagielski, |
| Jean-Frederic Clere, Brian Akins <brian.akins turner.com>] |
| |
| *) mod_include: support generating non-ASCII characters as entities in SSI |
| PR 25202 [Nick Kew] |
| |
| *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars |
| PR 25202 [Nick Kew] |
| |
| *) mod_rewrite: fix "B" flag breakage by reverting r5589343 |
| PR 45529 [Bob Ionescu <bobsiegen googlemail.com>] |
| |
| *) CGI: return 504 (Gateway timeout) rather than 500 when a script |
| times out before returning status line/headers. |
| PR 42190 [Nick Kew] |
| |
| *) mod_cgid: fix segfault problem on solaris. |
| PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>] |
| |
| *) mod_proxy_scgi: Added. [André Malo] |
| |
| *) mod_cache: Introduce 'no-cache' per-request environment variable |
| to prevent the saving of an otherwise cacheable response. |
| [Eric Covener] |
| |
| *) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome |
| way that per-directory rewrites append the previous notion of PATH_INFO |
| to each substitution before evaluating subsequent rules. |
| PR 38642 [Eric Covener] |
| |
| *) mod_cgid: Do not add an empty argument when calling the CGI script. |
| PR 46380 [Ruediger Pluem] |
| |
| *) scoreboard: Remove unused sb_type from process_score. |
| [Torsten Foertsch <torsten.foertsch gmx.net>, Chris Darroch] |
| |
| *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the |
| size of the buffer used for the request-body where necessary |
| during a per-dir renegotiation. PR 39243. [Joe Orton] |
| |
| *) mod_proxy_fdpass: New module to pass a client connection over to a separate |
| process that is reading from a unix daemon socket. |
| |
| *) mod_ssl: Improve environment variable extraction to be more |
| efficient and to correctly handle DNs with duplicate tags. |
| PR 45975. [Joe Orton] |
| |
| *) Remove the obsolete serial attribute from the RPM spec file. Compile |
| against the external pcre. Add missing binaries fcgistarter, and |
| mod_socache* and mod_session*. [Graham Leggett] |
| |
| Changes with Apache 2.3.0 |
| |
| *) mod_ratelimit: New module to do bandwidth rate limiting. [Paul Querna] |
| |
| *) Remove X-Pad header which was added as a work around to a bug in |
| Netscape 2.x to 4.0b2. [Takashi Sato <takashi lans-tv.com>] |
| |
| *) Add DTrace Statically Defined Tracing (SDT) probes. |
| [Theo Schlossnagle <jesus omniti.com>, Paul Querna] |
| |
| *) mod_proxy_balancer: Move all load balancing implementations |
| as individual, self-contained mod_proxy submodules under |
| modules/proxy/balancers [Jim Jagielski] |
| |
| *) Rename APIs to include ap_ prefix: |
| find_child_by_pid -> ap_find_child_by_pid |
| suck_in_APR -> ap_suck_in_APR |
| sys_privileges_handlers -> ap_sys_privileges_handlers |
| unixd_accept -> ap_unixd_accept |
| unixd_config -> ap_unixd_config |
| unixd_killpg -> ap_unixd_killpg |
| unixd_set_global_mutex_perms -> ap_unixd_set_global_mutex_perms |
| unixd_set_proc_mutex_perms -> ap_unixd_set_proc_mutex_perms |
| unixd_set_rlimit -> ap_unixd_set_rlimit |
| [Paul Querna] |
| |
| *) mod_lbmethod_heartbeat: New module to load balance mod_proxy workers |
| based on heartbeats. [Paul Querna] |
| |
| *) mod_heartmonitor: New module to collect heartbeats, and write out a file |
| so that other modules can load balance traffic as needed. [Paul Querna] |
| |
| *) mod_heartbeat: New module to generate multicast heartbeats to know if a |
| server is online. [Paul Querna] |
| |
| *) mod_buffer: Honour the flush bucket and flush the buffer in the |
| input filter. Make sure that metadata buckets are written to |
| the buffer, not to the final brigade. [Graham Leggett] |
| |
| *) mod_buffer: Optimise the buffering of heap buckets when the heap |
| buckets stay exactly APR_BUCKET_BUFF_SIZE long. [Graham Leggett, |
| Ruediger Pluem] |
| |
| *) mod_buffer: Optional support for buffering of the input and output |
| filter stacks. Can collapse many small buckets into fewer larger |
| buckets, and prevents excessively small chunks being sent over |
| the wire. [Graham Leggett] |
| |
| *) mod_privileges: new module to make httpd on Solaris privileges-aware |
| and to enable different virtualhosts to run with different |
| privileges and Unix user/group IDs [Nick Kew] |
| |
| *) mod_mem_cache: this module has been removed. [William Rowe] |
| |
| *) authn/z: Remove mod_authn_default and mod_authz_default. |
| [Chris Darroch] |
| |
| *) authz: Fix handling of authz configurations, make default authz |
| logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject, |
| and AuthzMergeRules directives with Match, <Match*>, and AuthzMerge |
| directives. [Chris Darroch] |
| |
| *) mod_authn_core: Prevent crash when provider alias created to |
| provider which is not yet registered. [Chris Darroch] |
| |
| *) mod_authn_core: Add AuthType of None to support disabling |
| authentication. [Chris Darroch] |
| |
| *) core: Allow <Limit> and <LimitExcept> directives to nest, and |
| constrain their use to conform with that of other access control |
| and authorization directives. [Chris Darroch] |
| |
| *) unixd: turn existing code into a module, and turn the set user/group |
| and chroot into a child_init function. [Nick Kew] |
| |
| *) mod_dir: Support "DirectoryIndex disabled" |
| Suggested By André Warnier <aw ice-sa.com> [Eric Covener] |
| |
| *) mod_ssl: Send Content-Type application/ocsp-request for POST requests to |
| OCSP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>] |
| |
| *) mod_authnz_ldap: don't return NULL-valued environment variables to |
| other modules. PR 39045 [Francois Pesce <francois.pesce gmail.com>] |
| |
| *) Don't adjust case in pathname components that are not of interest |
| to mod_mime. Fixes mod_negotiation's use of such components. |
| PR 43250 [Basant Kumar Kukreja <basant.kukreja sun.com>] |
| |
| *) Be tolerant in what you accept - accept slightly broken |
| status lines from a backend provided they include a valid status code. |
| PR 44995 [Rainer Jung <rainer.jung kippdata.de>] |
| |
| *) New module mod_sed: filter Request/Response bodies through sed |
| [Basant Kumar Kukreja <basant.kukreja sun.com>] |
| |
| *) mod_auth_form: Make sure that basic authentication is correctly |
| faked directly after login. [Graham Leggett] |
| |
| *) mod_session_cookie, mod_session_dbd: Make sure cookies are set both |
| within the output headers and error output headers, so that the |
| session is maintained across redirects. [Graham Leggett] |
| |
| *) mod_auth_form: Make sure the logged in user is populated correctly |
| after a form login. Fixes a missing REMOTE_USER variable directly |
| following a login. [Graham Leggett] |
| |
| *) mod_session_cookie: Make sure that cookie attributes are correctly |
| included in the blank cookie when cookies are removed. This fixes an |
| inability to log out when using mod_auth_form. [Graham Leggett] |
| |
| *) mod_session: Prevent a segfault when a CGI script sets a cookie with a |
| null value. [David Shane Holden <dpejesh apache.org>] |
| |
| *) core, authn/z: Determine registered authn/z providers directly in |
| ap_setup_auth_internal(), which allows optional functions that just |
| wrapped ap_list_provider_names() to be removed from authn/z modules. |
| [Chris Darroch] |
| |
| *) authn/z: Convert common provider version strings to macros. |
| [Chris Darroch] |
| |
| *) core: When testing for slash-terminated configuration paths in |
| ap_location_walk(), don't look past the start of an empty string |
| such as that created by a <Location ""> directive. |
| [Chris Darroch] |
| |
| *) core, mod_proxy: If a kept_body is present, it becomes safe for |
| subrequests to support message bodies. Make sure that safety |
| checks within the core and within the proxy are not triggered |
| when kept_body is present. This makes it possible to embed |
| proxied POST requests within mod_include. [Graham Leggett] |
| |
| *) mod_auth_form: Make sure the input filter stack is properly set |
| up before reading the login form. Make sure the kept body filter |
| is correctly inserted to ensure the body can be read a second |
| time safely should the authn be successful. [Graham Leggett, |
| Ruediger Pluem] |
| |
| *) mod_request: Insert the KEPT_BODY filter via the insert_filter |
| hook instead of during fixups. Add a safety check to ensure the |
| filters cannot be inserted more than once. [Graham Leggett, |
| Ruediger Pluem] |
| |
| *) ap_cache_cacheable_headers_out() will (now) always |
| merge error headers _before_ clearing them and _before_ |
| merging in the actual entity headers and doing normal |
| hop-by-hop cleansing. [Dirk-Willem van Gulik]. |
| |
| *) cache: retire ap_cache_cacheable_hdrs_out() which was used |
| for both in- and out-put headers; and replace it by a single |
| ap_cache_cacheable_headers() wrapped in an in- and out-put |
| specific ap_cache_cacheable_headers_in()/out(). The latter |
| which will also merge error and ensure content-type. To keep |
| cache modules consistent with ease. This API change bumps |
| up the minor MM by one [Dirk-Willem van Gulik]. |
| |
| *) Move the KeptBodySize directive, kept_body filters and the |
| ap_parse_request_body function out of the http module and into a |
| new module called mod_request, reducing the size of the core. |
| [Graham Leggett] |
| |
| *) mod_dbd: Handle integer configuration directive parameters with a |
| dedicated function. |
| |
| *) Change the directives within the mod_session* modules to be valid |
| both inside and outside the location/directory sections, as |
| suggested by wrowe. [Graham Leggett] |
| |
| *) mod_auth_form: Add a module capable of allowing end users to log |
| in using an HTML form, storing the credentials within mod_session. |
| [Graham Leggett] |
| |
| *) Add a function to the http filters that is able to parse an HTML |
| form request with the type of application/x-www-form-urlencoded. |
| [Graham Leggett] |
| |
| *) mod_session_crypto: Initialise SSL in the post config hook. |
| [Ruediger Pluem, Graham Leggett] |
| |
| *) mod_session_dbd: Add a session implementation capable of storing |
| session information in a SQL database via the dbd interface. Useful |
| for sites where session privacy is important. [Graham Leggett] |
| |
| *) mod_session_crypto: Add a session encoding implementation capable |
| of encrypting and decrypting sessions wherever they may be stored. |
| Introduces a level of privacy when sessions are stored on the |
| browser. [Graham Leggett] |
| |
| *) mod_session_cookie: Add a session implementation capable of storing |
| session information within cookies on the browser. Useful for high |
| volume sites where server bound sessions are too resource intensive. |
| [Graham Leggett] |
| |
| *) mod_session: Add a generic session interface to unify the different |
| attempts at saving persistent sessions across requests. |
| [Graham Leggett] |
| |
| *) core, authn/z: Avoid calling access control hooks for internal requests |
| with configurations which match those of initial request. Revert to |
| original behaviour (call access control hooks for internal requests |
| with URIs different from initial request) if any access control hooks or |
| providers are not registered as permitting this optimization. |
| Introduce wrappers for access control hook and provider registration |
| which can accept additional mode and flag data. [Chris Darroch] |
| |
| *) Introduced ap_expr API for expression evaluation. |
| This is adapted from mod_include, which is the first module |
| to use the new API. |
| [Nick Kew] |
| |
| *) mod_authz_dbd: When redirecting after successful login/logout per |
| AuthzDBDRedirectQuery, do not report authorization failure, and use |
| first row returned by database query instead of last row. |
| [Chris Darroch] |
| |
| *) mod_ldap: Correctly return all requested attribute values |
| when some attributes have a null value. |
| PR 44560 [Anders Kaseorg <anders kaseorg.com>] |
| |
| *) core: check symlink ownership if both FollowSymlinks and |
| SymlinksIfOwnerMatch are set [Nick Kew] |
| |
| *) core: fix origin checking in SymlinksIfOwnerMatch |
| PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>] |
| |
| *) Activate mod_cache, mod_file_cache and mod_disk_cache as part of the |
| 'most' set for '--enable-modules' and '--enable-shared-mods'. Include |
| mod_mem_cache in 'all' as well. [Dirk-Willem van Gulik] |
| |
| *) Also install mod_so.h, mod_rewrite.h and mod_cache.h; as these |
| contain public function declarations which are useful for |
| third party module authors. PR 42431 [Dirk-Willem van Gulik]. |
| |
| *) mod_dir, mod_negotiation: pass the output filter information |
| to newly created sub requests; as these are later on used |
| as true requests with an internal redirect. This allows for |
| mod_cache et al. to trap the results of the redirect. |
| [Dirk-Willem van Gulik, Ruediger Pluem] |
| |
| *) mod_ldap: Add support (taking advantage of the new APR capability) |
| for ldap rebind callback while chasing referrals. This allows direct |
| searches on LDAP servers (in particular MS Active Directory 2003+) |
| using referrals without the use of the global catalog. |
| PRs 26538, 40268, and 42557 [Paul J. Reder] |
| |
| *) ApacheMonitor.exe: Introduce --kill argument for use by the |
| installer. This will permit the installation tool to remove |
| all running instances before attempting to remove the .exe. |
| [William Rowe] |
| |
| *) mod_ssl: Add support for OCSP validation of client certificates. |
| PR 41123. [Marc Stern <marc.stern approach.be>, Joe Orton] |
| |
| *) mod_serf: New module for Reverse Proxying. [Paul Querna] |
| |
| *) core: Add the option to keep aside a request body up to a certain |
| size that would otherwise be discarded, to be consumed by filters |
| such as mod_include. When enabled for a directory, POST requests |
| to shtml files can be passed through to embedded scripts as POST |
| requests, rather than being downgraded to GET requests. [Graham Leggett] |
| |
| *) mod_ssl: Fix TLS upgrade (RFC 2817) support. PR 41231. [Joe Orton] |
| |
| *) scoreboard: Correctly declare ap_time_process_request. |
| PR 43789 [Tom Donovan <Tom.Donovan acm.org>] |
| |
| *) core; scoreboard: ap_get_scoreboard_worker(sbh) now takes the sbh member |
| from the connection rec, ap_get_scoreboard_worker(proc, thread) will now |
| provide the unusual legacy lookup. [William Rowe] |
| |
| *) mpm winnt: fix null pointer dereference |
| PR 42572 [Davi Arnaut] |
| |
| *) mod_authnz_ldap, mod_authn_dbd: Tidy up the code to expose authn |
| parameters to the environment. Improve portability to |
| EBCDIC machines by using apr_toupper(). [Martin Kraemer] |
| |
| *) mod_ldap, mod_authnz_ldap: Add support for nested groups (i.e. the ability |
| to authorize an authenticated user via a "require ldap-group X" directive |
| where the user is not in group X, but is in a subgroup contained in X). |
| PR 42891 [Paul J. Reder] |
| |
| *) mod_ssl: Add support for caching SSL Sessions in memcached. [Paul Querna] |
| |
| *) apxs: Enhance -q flag to print all known variables and their values |
| when invoked without variable name(s). |
| [William Rowe, Sander Temme] |
| |
| *) apxs: Eliminate run-time check for mod_so. PR 40653. |
| [David M. Lee <dmlee crossroads.com>] |
| |
| *) beos MPM: Create pmain pool and run modules' child_init hooks when |
| entering ap_mpm_run(), then destroy pmain when exiting ap_mpm_run(). |
| [Chris Darroch] |
| |
| *) netware MPM: Destroy pmain pool when exiting ap_mpm_run() so that |
| cleanups registered in modules' child_init hooks are performed. |
| [Chris Darroch] |
| |
| *) Fix issue which could cause error messages to be written to access logs |
| on Win32. PR 40476. [Tom Donovan <Tom.Donovan acm.org>] |
| |
| *) The LockFile directive, which specifies the location of |
| the accept() mutex lockfile, is deprecated. Instead, the |
| AcceptMutex directive now takes an optional lockfile |
| location parameter, ala SSLMutex. [Jim Jagielski] |
| |
| *) mod_authn_dbd: Export any additional columns queried in the SQL select |
| into the environment with the name AUTHENTICATE_<COLUMN>. This brings |
| mod_authn_dbd behaviour in line with mod_authnz_ldap. [Graham Leggett] |
| |
| *) mod_dbd: Key the storage of prepared statements on the hex string |
| value of server_rec, rather than the server name, as the server name |
| may change (eg when the server name is set) at any time, causing |
| weird behaviour in modules dependent on mod_dbd. [Graham Leggett] |
| |
| *) mod_proxy_fcgi: Added win32 build. [Mladen Turk] |
| |
| *) sendfile_nonblocking() takes the _brigade_ as an argument, gets |
| the first bucket from the brigade, finds it not to be a FILE |
| bucket and barfs. The fix is to pass a bucket rather than a brigade. |
| [Niklas Edmundsson <nikke acc.umu.se>] |
| |
| *) mod_rewrite: support rewritemap by SQL query [Nick Kew] |
| |
| *) ap_get_server_version() has been removed. Third-party modules must |
| now use ap_get_server_banner() or ap_get_server_description(). |
| [Jeff Trawick] |
| |
| *) All MPMs: Introduce a check_config phase between pre_config and |
| open_logs, to allow modules to review interdependent configuration |
| directive values and adjust them while messages can still be logged |
| to the console. Handle relevant MPM directives during this phase |
| and format messages for both the console and the error log, as |
| appropriate. [Chris Darroch] |
| |
| *) core: Do not allow internal redirects like the DirectoryIndex of mod_dir |
| to circumvent the symbolic link checks imposed by FollowSymLinks and |
| SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem, William Rowe] |
| |
| *) New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ] |
| configures the I/O Dump of SSL traffic, when LogLevel is set to Debug. |
| The default is none as this is far greater debugging resolution than |
| the typical administrator is prepared to untangle. [William Rowe] |
| |
| *) mod_disk_cache: If possible, check if the size of an object to cache is |
| within the configured boundaries before actually saving data. |
| [Niklas Edmundsson <nikke acc.umu.se>] |
| |
| *) Worker and event MPMs: Remove improper scoreboard updates which were |
| performed in the event of a fork() failure. [Chris Darroch] |
| |
| *) Add support for fcgi:// proxies to mod_rewrite. |
| [Markus Schiegl <ms schiegl.com>] |
| |
| *) Remove incorrect comments from scoreboard.h regarding conditional |
| loading of worker_score structure with mod_status, and remove unused |
| definitions relating to old life_status field. |
| [Chris Darroch <chrisd pearsoncmg.com>] |
| |
| *) Remove allocation of memory for unused array of lb_score pointers |
| in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>] |
| |
| *) Add mod_proxy_fcgi, a FastCGI back end for mod_proxy. |
| [Garrett Rooney, Jim Jagielski, Paul Querna] |
| |
| *) Event MPM: Fill in the scoreboard's tid field. PR 38736. |
| [Chris Darroch <chrisd pearsoncmg.com>] |
| |
| *) mod_charset_lite: Remove Content-Length when output filter can |
| invalidate it. Warn when input filter can invalidate it. |
| [Jeff Trawick] |
| |
| *) Authz: Add the new module mod_authn_core that will provide common |
| authn directives such as 'AuthType', 'AuthName'. Move the directives |
| 'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias |
| into mod_authn_core. [Brad Nicholes] |
| |
| *) Authz: Move the directives 'Order', 'Allow', 'Deny' and 'Satisfy' |
| into the new module mod_access_compat which can be loaded to provide |
| support for these directives. |
| [Brad Nicholes] |
| |
| *) Authz: Move the 'Require' directive from the core module as well as |
| add the directives '<SatisfyAll>', '<SatisfyOne>', '<RequireAlias>' |
| and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR' |
| logic into the authorization processing. [Brad Nicholes] |
| |
| *) Authz: Add the new module mod_authz_core which acts as the |
| authorization provider vector and contains common authz |
| directives. [Brad Nicholes] |
| |
| *) Authz: Renamed mod_authz_dbm authz providers from 'group' and |
| 'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes] |
| |
| *) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle |
| host-based access control provided by mod_authz_host and invoked |
| through the 'Require' directive. [Brad Nicholes] |
| |
| *) Authz: Convert all of the authz modules from hook based to |
| provider based. [Brad Nicholes] |
| |
| *) mod_cache: Add CacheMinExpire directive to set the minimum time in |
| seconds to cache a document. |
| [Brian Akins <brian.akins turner.com>, Ruediger Pluem] |
| |
| *) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew] |
| |
| *) Fix typo in ProxyStatus syntax error message. |
| [Christophe Jaillet <christophe.jaillet wanadoo.fr>] |
| |
| *) Asynchronous write completion for the Event MPM. [Brian Pane] |
| |
| *) Added an End-Of-Request bucket type. The logging of a request and |
| the freeing of its pool are now done when the EOR bucket is destroyed. |
| This has the effect of delaying the logging until right after the last |
| of the response is sent; ap_core_output_filter() calls the access logger |
| indirectly when it destroys the EOR bucket. [Brian Pane] |
| |
| *) Rewrite of logresolve support utility: IPv6 addresses are now supported |
| and the format of statistical output has changed. [Colm MacCarthaigh] |
| |
| *) Rewrite of ap_core_output_filter to do nonblocking writes [Brian Pane] |
| |
| *) Added new connection states for handler and write completion |
| [Brian Pane] |
| |
| *) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264. |
| [Justin Erenkrantz] |
| |
| *) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive, |
| allowing string-valued client certificate attributes to be used for |
| access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1") |
| [Martin Kraemer, David Reid] |
| |
| [Apache 2.3.0-dev includes those bug fixes and changes with the |
| Apache 2.2.xx tree as documented, and except as noted, below.] |
| |
| Changes with Apache 2.2.x and later: |
| |
| *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup |
| |
| Changes with Apache 2.0.x and later: |
| |
| *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup |
| |