mirror of
https://github.com/danieleteti/delphimvcframework.git
synced 2024-11-16 00:05:53 +01:00
4899 lines
210 KiB
Plaintext
-*- coding: utf-8 -*-

Changes with Apache 2.4.23

  *) mod_ssl: reset client-verify state of ssl when aborting renegotiations.
     [Erki Aring <erki@example.ee>, Stefan Eissing]

  *) mod_sed: Fix 'x' command processing. [Christophe Jaillet]

  *) configure: Fix ./configure edge-case failures around dependencies
     of mod_proxy_hcheck. [William Rowe, Ruediger Pluem, Jeff Trawick]

Changes with Apache 2.4.22

  *) mod_http2: fix for request abort when connections drops, introduced in
     1.5.8

Changes with Apache 2.4.21

  *) mod_http2: more rigid error handling in DATA frame assembly, leading
     to deterministic connection errors if assembly fails.
     [Stefan Eissing, Pal Nilsen <https://github.com/maedox>]

  *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
     failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
     PR59630 [Jan Ehrhardt <phpdev ehrhardt.nl>]

  *) mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
     to opt-in previous behaviour (2.2) with CRLs verification when checking
     certificate(s) with no corresponding CRL. [Yann Ylavic]

  *) mpm_event, mpm_worker: Fix computation of MinSpareThreads' lower bound
     according to the number of listeners buckets. [Yann Ylavic]

  *) Add ap_cstr_casecmp[n]() - placeholder of apr_cstr_casecmp[n] functions
     for case-insensitive C/POSIX-locale token comparison.
     [Jim Jagielski, William Rowe, Yann Ylavic, Branko Čibej]

  *) mod_userdir: Constify and save a few bytes in the conf pool when
     parsing the "UserDir" directive. [Christophe Jaillet]

  *) mod_cache: Fix (max-stale with no '=') and enforce (check
     integers after '=') Cache-Control header parsing.
     [Christophe Jaillet]

  *) core: Add -DDUMP_INCLUDES configtest option to show the tree
     of Included configuration files.
     [Jacob Champion <champion.pxi gmail.com>]

  *) mod_proxy_fcgi: Avoid passing a filename of proxy:fcgi:// as
     SCRIPT_FILENAME to a FastCGI server. PR59618.
     [Jacob Champion <champion.pxi gmail.com>]

  *) mod_dav: Add dav_get_provider_name() function to obtain the name
     of the provider from mod_dav.
     [Jari Urpalainen <jari.urpalainen nokia.com>]

  *) mod_proxy_http2: properly care for HTTP2 flow control of the frontend
     connection is HTTP/1.1. [Patch supplied by Evgeny Kotkov]

  *) mod_http2: improved cleanup of connection/streams/tasks to always
     have deterministic order regardless of event initiating it. Addresses
     reported crashes due to memory read after free issues.
     [Stefan Eissing]

  *) mod_ssl: Correct the interaction between SSLProxyCheckPeerCN and newer
     SSLProxyCheckPeerName directives since release 2.4.5, such that disabling
     either disables both, and that enabling either triggers the new, more
     comprehensive SSLProxyCheckPeerName behavior. Only a single configuration
     remains to enable the legacy behavior, which is to explicitly disable
     SSLProxyCheckPeerName, and enable SSLProxyCheckPeerCN. [William Rowe]

  *) mod_include: add the <!--#comment ...> syntax in order to include comments
     in a SSI file. [Christophe Jaillet based on a suggestion from Rob]

  *) mod_http2: improved event handling for suspended streams, responses
     and window updates. [Stefan Eissing]

  *) mod_proxy_hcheck: Provide for dynamic background health
     checks on reverse proxies associated with BalancerMember
     workers. [Jim Jagielski]

  *) mod_http2: Fix async write issue that led to selection of wrong timeout
     vs. keepalive timeout selection for idle sessions. [Stefan Eissing]

  *) mod_http2: checking LimitRequestLine, LimitRequestFields and
     LimitRequestFieldSize configured values for incoming streams. Returning
     HTTP status 431 for too long/many headers fields and 414 for a too long
     pseudo header. [Stefan Eissing]

  *) mod_http2: tracking conn_rec->current_thread on slave connections, so
     that mod_lua finds the correct one. Fixes PR 59542. [Stefan Eissing]

  *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
     urls. Part of the httpd mod_proxy framework, common settings apply.
     Requests from the same HTTP/2 frontend connection against the same backend
     are aggregated on a single connection.
     [Stefan Eissing]

  *) mod_http2: slave connections have conn_rec->aborted flag set when a stream
     has been reset by the client. [Stefan Eissing]

  *) mod_http2: merge of some 2.4.x adaptions re filters on slave connections.
     Small fixes in bucket beams when forwarding file buckets. Output handling
     on master connection uses less FLUSH and passes automatically when more
     than half of H2StreamMaxMemSize bytes have accumulated.
     Workaround for http: when forwarding partial file buckets to keep the
     output filter from closing these too early. [Stefan Eissing]

  *) mod_http2: elimination of fixed master connection buffer for TLS
     connections. New scratch bucket handling optimized for TLS write sizes.
     File bucket data read directly into scratch buffers, avoiding one
     copy. Non-TLS connections continue to pass buckets unchanged to the core
     filters to allow sendfile() usage. [Stefan Eissing]

  *) mod_http2/mod_proxy_http2: h2_request.c is no longer shared between these
     modules. This simplifies building on platforms such as Windows, as module
     reference used in logging is now clear. [Stefan Eissing]

  *) Scoreboard: Fix a regression in 2.4.20 that causes wrong request data
     to be displayed on the status page. PR 59333. [Yann Ylavic, William Rowe]

  *) mod_http2: fixed a bug that caused mod_proxy_http2 to be called for window
     updates on requests it had already reported done. Added synchronization
     on early connection/stream close that lets ongoing requests safely drain
     their input filters.
     [Stefan Eissing]

  *) mod_http2: scoreboard updates that summarize the h2 session (and replace
     the last request information) will only happen when the session is idle or
     in shutdown/done phase. [Stefan Eissing]

  *) mod_http2: new "bucket beam" technology to transport buckets across
     threads without buffer copy. Delaying response start until flush or
     enough body data has been accumulated. Overall significantly smaller
     memory footprint. [Stefan Eissing]

  *) core: New CGIVar directive can configure REQUEST_URI to represent the
     current URI being processed instead of always the original request.
     [Jeff Trawick]

  *) scoreboard/status: Restore behavior of showing workers' previous Client,
     VHost and Request values when idle, like in 2.4.18 and earlier.

  *) mod_http2: r->protocol changed to "HTTP/2.0" (was "HTTP/2") as this will
     give expected syntax in CGI's SERVER_PROTOCOL is more compatible with
     existing major/minor handling. Fixes PR 59313.

  *) mod_http2: disabling mmap for file buckets transport due to segmentation
     faults when files change on the fly.

Changes with Apache 2.4.20

  *) SECURITY: CVE-2016-1546 (cve.mitre.org)
     mod_http2: restricting number of concurrent stream workers per connection
     if client is slow.

  *) core: Do not read .htaccess if AllowOverride and AllowOverrideList
     are "None". PR 58528.
     [Michael Schlenker <msc contact.de>, Ruediger Pluem, Daniel Ruggeri]

  *) mod_proxy_express: Fix possible use of DB handle after close. PR 59230.
     [Petr <pgajdos suse.cz>]

  *) core/util_script: relax alphanumeric filter of environment variable names
     on Windows to allow '(' and ')' for passing PROGRAMFILES(X86) et.al.
     unadulterated in 64 bit versions of Windows. PR 46751.
     [John <john leineweb de>]

  *) mod_http2: incrementing keepalives on each request started so that logging
     %k gives increasing numbers per master http2 connection.
     New documented variables in env, usable in custom log formats: H2_PUSH,
     H2_PUSHED, H2_PUSHED_ON, H2_STREAM_ID and H2_STREAM_TAG.
     [Stefan Eissing]

  *) mod_http2: more efficient passing of response bodies with less contention
     and file bucket forwarding. [Stefan Eissing]

  *) mod_http2: fix for missing score board updates on request count, fix for
     memory leak on slave connection reuse. [Stefan Eissing]

  *) mod_http2: Fix build on Windows from dsp files.
     [Stefan Eissing]

Changes with Apache 2.4.19

  *) mod_include: Add variable DOCUMENT_ARGS, with the arguments to the
     request for the SSI document. [Jeff Trawick]

  *) mod_authz_host: Add a new "forward-dns" authorization type, not relying on
     reverse DNS lookups. [Fabien]

  *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
     urls. Uses backend connections for concurrent requests if frontend
     connection is http2 as well.
     [Stefan Eissing]

  *) mod_ssl: Add hooks to allow other modules to perform processing at
     several stages of initialization and connection handling. See
     mod_ssl_openssl.h. [Jeff Trawick]

  *) mod_http2: disabling PUSH when client sends GOAWAY. Slave connections are
     reused for several requests, improved performance and better memory use.
     [Stefan Eissing]

  *) mod_rewrite: Don't implicitly URL-escape the original query string
     when no substitution has changed it (like PR50447 but server context)
     [Evgeny Kotkov <evgeny.kotkov visualsvn.com>]

  *) mod_http2: fixes problem with wrong lifetime of file buckets on main
     connection. [Stefan Eissing]

  *) mod_http2: fixes incorrect denial of requests without :authority header.
     [Stefan Eissing]

  *) mod_reqtimeout: Prevent long response times from triggering a timeout once
     the request has been fully read. PR 59045. [Yann Ylavic]

  *) ap_expr: expression support for variable HTTP2=on|off. [Stefan Eissing]

  *) mod_http2: give control to async mpm for keepalive timeouts only when
     no streams are open and even if only after 1 sec delay. Under load, event
     mpm discards connections otherwise too quickly. [Stefan Eissing]

  *) mod_ssl: Don't lose track of the SSL context if an unlikely failure occurs
     in ssl_init_ssl_connection(). [Graham Leggett]

  *) mod_rewrite: Add QSL|qslast flag to allow rewrites to files with
     literal question marks in their names. PR 58777. [Eric Covener]

  *) event: use pre_connection hook to properly initialize connection state for
     slave connections. use protocol_switch hook to initialize server config
     early based on SNI selected vhost.
     [Stefan Eissing]

  *) hostname: Test and log useragent_host per-request across various modules,
     including the scoreboard, expression and rewrite engines, setenvif,
     authz_host, access_compat, custom logging, ssl and REMOTE_HOST variables.
     PR55348 [William Rowe]

  *) core: Track the useragent_host per-request when mod_remoteip or similar
     modules track a per-request useragent_ip. Modules should be updated
     to inquire for ap_get_useragent_host() in place of ap_get_remote_host().
     [William Rowe]

  *) core: fix a bug in <UnDefine ...> directive processing. When used, the last
     <Define...>'ed variable was also withdrawn. PR 59019
     [Christophe Jaillet]

  *) mod_http2: Accept-Encoding is, when present on the initiating request,
     added to push promises. This lets compressed content work in pushes.
     by the client. [Stefan Eissing]

  *) mod_http2: fixed possible read after free when streams were cancelled early
     by the client. [Stefan Eissing]

  *) mod_http2: fixed possible deadlock during connection shutdown. Thanks to
     @FrankStolle for reporting and getting the necessary data.
     [Stefan Eissing]

  *) mod_http2: fixed apr_uint64_t formatting in a log statement to use proper
     APR def, thanks to @Sp1l.

  *) mod_http2: number of worker threads allowed to a connection is adjusting
     dynamically. Starting with 4, the number is doubled when streams can be
     served without block on http/2 connection flow. The number is halved, when
     the server has to wait on client flow control grants.
     This can happen with a maximum frequency of 5 times per second.
     When a connection occupies too many workers, repeatable requests
     (GET/HEAD/OPTIONS) are cancelled and placed back in the queue. Should that
     not suffice and a stream is busy longer than the server timeout, the
     connection will be aborted with error code ENHANCE_YOUR_CALM.
     This does *not* limit the number of streams a client may open, rather the
     number of server threads a connection might use.
     [Stefan Eissing]
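
The per-connection worker limit described in the mod_http2 entry above, modelled as an added example (not httpd's own code and not part of the original CHANGES file). The start value of 4, the doubling and halving, the cap of five adjustments per second, the repeatable methods and ENHANCE_YOUR_CALM come from the entry; the floor and ceiling, all function names, the event traces and the order of the requeue and abort checks are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIMIT_START          4    /* "Starting with 4" (changelog entry) */
#define LIMIT_MIN            1    /* assumed floor, not stated in the entry */
#define LIMIT_MAX            64   /* assumed ceiling, not stated in the entry */
#define ADJUST_INTERVAL_MS   200  /* at most 5 adjustments per second */
#define H2_ENHANCE_YOUR_CALM 0xbu /* HTTP/2 error code, RFC 7540 section 7 */

typedef enum { ACT_NONE, ACT_REQUEUE, ACT_ABORT_CONN } action_t;

typedef struct {
    int     limit;           /* workers this connection may occupy */
    int64_t last_adjust_ms;  /* time of the last limit change */
} conn_limit_t;

void limit_init(conn_limit_t *c, int64_t now_ms)
{
    c->limit = LIMIT_START;
    c->last_adjust_ms = now_ms - ADJUST_INTERVAL_MS; /* first change allowed at once */
}

/* Rate limiter: true (and stamps the time) only if 200 ms have passed. */
static bool may_adjust(conn_limit_t *c, int64_t now_ms)
{
    if (now_ms - c->last_adjust_ms < ADJUST_INTERVAL_MS)
        return false;
    c->last_adjust_ms = now_ms;
    return true;
}

/* Output went out without blocking on HTTP/2 flow control: double. */
int limit_on_unblocked(conn_limit_t *c, int64_t now_ms)
{
    if (c->limit < LIMIT_MAX && may_adjust(c, now_ms))
        c->limit = (c->limit * 2 > LIMIT_MAX) ? LIMIT_MAX : c->limit * 2;
    return c->limit;
}

/* Server had to wait for the client's flow control grant: halve. */
int limit_on_flow_blocked(conn_limit_t *c, int64_t now_ms)
{
    if (c->limit > LIMIT_MIN && may_adjust(c, now_ms))
        c->limit = (c->limit / 2 < LIMIT_MIN) ? LIMIT_MIN : c->limit / 2;
    return c->limit;
}

static bool is_repeatable(const char *method)
{
    return !strcmp(method, "GET") || !strcmp(method, "HEAD")
        || !strcmp(method, "OPTIONS");
}

/* Decision for one busy stream on a connection holding `busy` workers.
 * Assumed order: requeue repeatable requests first, abort only when a
 * non-repeatable stream has been busy longer than the server timeout. */
action_t stream_action(int limit, int busy, const char *method,
                       int64_t busy_ms, int64_t timeout_ms)
{
    if (busy <= limit)
        return ACT_NONE;
    if (is_repeatable(method))
        return ACT_REQUEUE;
    return busy_ms > timeout_ms ? ACT_ABORT_CONN : ACT_NONE;
}

/* Replay constructed events ('u' = unblocked write, 'b' = blocked on flow
 * control), one every step_ms, and return the resulting limit. */
int replay(const char *events, int step_ms)
{
    conn_limit_t c;
    int64_t now = 0;

    limit_init(&c, now);
    for (; *events; events++, now += step_ms) {
        if (*events == 'u')
            limit_on_unblocked(&c, now);
        else if (*events == 'b')
            limit_on_flow_blocked(&c, now);
    }
    return c.limit;
}

int main(void)
{
    /* Constructed traces: a fast client, then a client that stops reading. */
    printf("fast client, 100 ms steps: limit %d\n", replay("uuuuu", 100));
    printf("slow client, 200 ms steps: limit %d\n", replay("ubbb", 200));
    if (stream_action(2, 3, "POST", 61000, 60000) == ACT_ABORT_CONN)
        printf("abort connection, error 0x%x\n", H2_ENHANCE_YOUR_CALM);
    return 0;
}
```

The limit bounds server threads per connection, not the number of streams, so a client that withholds flow control grants shrinks only its own share of the worker pool.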

  *) mod_http2: allowing link header to specify multiple "rel" values,
     space-separated inside a quoted string. Prohibiting push when Link
     parameter "nopush" is present.
     [Stefan Eissing]

  *) mod_http2: reworked connection state handling. Idle connections accept a
     GOAWAY from the client without further reply. Otherwise the
     module makes a best effort to send one last GOAWAY to the client.

  *) mod_http2: the values from standard directives Timeout and KeepAliveTimeout
     properly are applied to http/2 connections.
     [Stefan Eissing]

  *) mod_http2: idle connections are returned to async mpms. new hook
     "pre_close_connection" used to send GOAWAY frame when not already done.
     Setting event mpm server config "by hand" for the main connection to
     the correct negotiated server.
     [Stefan Eissing]

  *) mod_http2: keep-alive blocking reads are done with 1 second timeouts to
     check for MPM stopping. Will announce early GOAWAY and finish processing
     open streams, then close.
     [Stefan Eissing]

  *) mod_http2: bytes read/written on slave connections are reported via the
     optional mod_logio functions. Fixes PR 58871.

  *) prefork: Initialize the POD when running in ONE_PROCESS (or -X) mode to
     avoid a crash. [Jan Kaluza, Yann Ylavic]

  *) mod_ssl: When SSLVerify is disabled (NONE), don't force a renegotiation if
     the SSLVerifyDepth applied with the default/handshaken vhost differs from
     the one applicable with the finally selected vhost. [Yann Ylavic]

  *) core: Ensure that httpd exits with an error status when the MPM fails
     to run. [Yann Ylavic]

  *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
     [Jan Kaluza, Yann Ylavic]

  *) mod_ssl: Add SSLOCSPProxyURL to add the possibility to do all queries
     to OCSP responders through a HTTP proxy. [Ruediger Pluem]

  *) mod_proxy: Play/restore the TLS-SNI on new backend connections which
     had to be issued because the remote closed the previous/reusable one
     during idle (keep-alive) time. [Yann Ylavic]

  *) mod_cache_socache: Fix a possible cached entity body corruption when it
     is received from an origin server in multiple batches and forwarded by
     mod_proxy. [Yann Ylavic]

  *) core: Add expression support to SetHandler.
     [Eric Covener]

  *) mod_remoteip: Prevent an external proxy from presenting an internal
     proxy. PR 55962. [Mike Rumph]

  *) core: Prevent a server crash in case of an invalid CONNECT request with
     a custom error page for status code 400 that uses server side includes.
     PR 58929 [Ruediger Pluem]

  *) mod_ssl: handle TIMEOUT on empty SSL input as non-fatal, returning
     APR_TIMEUP and preserving connection state for later retry.
     [Stefan Eissing]

  *) mod_ssl: Save some TLS record (application data) fragmentations by
     including the last and subsequent suitable buckets when coalescing.
     [Yann Ylavic]

  *) mod_proxy_fcgi: Suppress HTTP error 503 and message 01075,
     "Error dispatching request", when the cause appears to be
     due to the client closing the connection.
     PR58118. [Tobias Adolph <adolph lrz.de>]

  *) mod_cgid: Message AH02550, failure to flush a response to the client,
     is now logged at TRACE1 level to match the underlying core output filter
     severity. [Eric Covener]

  *) mime.types: add common extension "m4a" for MPEG 4 Audio.
     PR 57895 [Dylan Millikin <dylan.millikin gmail.com>]

  *) Added many log numbers to log statements that had none.
     [Rainer Jung]

  *) mod_log_config: Add GlobalLog to allow a globally defined log to
     be inherited by virtual hosts that define a CustomLog.
     [Edward Lu]

  *) mod_http2: connections now keep a "push diary" where hashes of already
     pushed resources are kept. See directive H2PushDiarySize for managing this.
     Push diaries can be initialized by clients via the "Cache-Digest" request
     header. This carries a base64url encoded, compressed Golomb set as described
     in https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/
     Introduced a status handler for HTTP/2 connections, giving various counters
     and statistics about the current connection, plus its cache digest value
     in a JSON record. Not a replacement for more HTTP/2 in the server status.
     Configured as
         <Location "/http2-status">
             SetHandler http2-status
         </Location>
     [Stefan Eissing]

  *) mod_http2: Fixed flushing of last GOAWAY frame. Previously, that frame
     did not always reach the client, causing some to fail the next request.
     Fixed calculation of last stream id accepted as described in rfc7540.
     Reading in KEEPALIVE state now correctly shown in scoreboard.
     Fixed possible race in connection shutdown after review by Ylavic.
     Fixed segfault on connection shutdown, callback ran into a semi dismantled session.
     [Stefan Eissing]

  *) mod_http2: Added support for experimental accept-push-policy draft
     (https://tools.ietf.org/html/draft-ruellan-http-accept-push-policy-00). Clients
     may now influence server pushes by sending accept-push-policy headers.
     [Stefan Eissing]

  *) mod_http2: new r->subprocess_env variables HTTP2 and H2PUSH, set to "on"
     when available for request.
     [Stefan Eissing]

  *) mod_http2: fixed bug in input window size calculation by moving chunked
     request body encoding into later stage of processing. Fixes PR 58825.
     [Stefan Eissing]

  *) core: new hook "pre_close_connection" which is run before the lingering
     close of connections is started. This gives protocol handlers one last
     chance to use a connection before it goes down.
     [Stefan Eissing]

  *) mod_status/scoreboard: showing connection protocol in new column, new
     ap_update_child_status methods for updating server/description. mod_ssl
     sets vhost negotiated by servername directly.
     [Stefan Eissing]

Changes with Apache 2.4.18

  *) mod_ssl: for all ssl_engine_vars.c lookups, fall back to master connection
     if conn_rec itself holds no valid SSLConnRec*. Fixes PR58666.
     [Stefan Eissing]

  *) mod_http2: connection level window for flow control is set to protocol
     maximum of 2GB-1, preventing window exhaustion when sending data on many
     streams with higher cumulative window size.
     Reducing write frequency unless push promises need to be flushed.
     [Stefan Eissing]

  *) mod_http2: required minimum version of libnghttp2 is 1.2.1
     [Stefan Eissing]

  *) mod_proxy_fdpass: Fix AH01153 error when using the default configuration.
     In earlier versions of httpd, you can explicitly set the 'flusher' parameter
     to 'flush' as a workaround. (i.e. flusher=flush)
     Add documentation for the 'flusher' parameter when defining a proxy worker.
     [Christophe Jaillet]

  *) mod_ssl: For the "SSLStaplingReturnResponderErrors off" case, make sure
     to only staple responses with certificate status "good". [Kaspar Brand]

  *) mod_http2: new directive 'H2PushPriority' to allow priority specifications
     on server pushed streams according to their content-type.
     [Stefan Eissing]

  *) mod_http2: fixes crash on connection abort for a busy connection.
     fixes crash on a request that did not produce any response.
     [Stefan Eissing]

  *) mod_http2: trailers are sent after response body if set in request_rec
     trailers_out before the end-of-request bucket is sent through the
     output filters. [Stefan Eissing]

  *) mod_http2: incoming trailers (headers after request body) are properly
     forwarded to the processing engine. [Stefan Eissing]

  *) mod_http2: new directive 'H2Push' to en-/disable HTTP/2 server
     pushes a server/virtual host. Pushes are initiated by the presence
     of 'Link:' headers with relation 'preload' on a response. [Stefan Eissing]

  *) mod_http2: write performance of http2 improved for larger resources,
     especially static files. [Stefan Eissing]

  *) core: if the first HTTP/1.1 request on a connection goes to a server that
     prefers different protocols, these protocols are announced in a Upgrade:
     header on the response, mentioning the preferred protocols.
     [Stefan Eissing]

  *) mod_http2: new directives 'H2TLSWarmUpSize' and 'H2TLSCoolDownSecs'
     to control TLS record sizes during connection lifetime.
     [Stefan Eissing]

  *) mod_http2: new directive 'H2ModernTLSOnly' to enforce security
     requirements of RFC 7540 on TLS connections. [Stefan Eissing]

  *) core: add ap_get_protocol_upgrades() to retrieve the list of protocols
     that a client could possibly upgrade to. Use in first request on a
     connection to announce protocol choices. [Stefan Eissing]

  *) mod_http2: reworked deallocation on connection shutdown and worker
     abort. Separate parent pool for all workers. worker threads are joined
     on planned worker shutdown. [Yann Ylavic, Stefan Eissing]

  *) mod_ssl: when receiving requests for other virtual hosts than the handshake
     server, the SSL parameters are checked for equality. With equal
     configuration, requests are passed for processing. Any change will trigger
     the old behaviour of "421 Misdirected Request".
     SSL now remembers the cipher suite that was used for the last handshake.
     This is compared against for any vhost/directory cipher specification.
     Detailed examination of renegotiation is only done when these do not
     match.
     Renegotiation is 403ed when a master connection is present. Exact reason
     is given additionally in a request note. [Stefan Eissing]

  *) mod_ssl: Make the output filter more friendly with deferred write and
     response pipelining. [Yann Ylavic, Joe Orton]

  *) core: Fix scoreboard crash (SIGBUS) on hardware requiring strict 64bit
     alignment (SPARC64, PPC64). [Yann Ylavic]

  *) mod_cache: Accept HT (Horizontal Tab) when parsing cache related header
     fields as described in RFC7230. [Christophe Jaillet]

  *) core/util_script: making REDIRECT_URL a full URL is now opt-in
     via new 'QualifyRedirectURL' directive.

  *) core: Limit to ten the number of tolerated empty lines between request,
     and consume them before the pipelining check to avoid possible response
     delay when reading the next request without flushing. [Yann Ylavic]

  *) mod_ssl: Extend expression parser registration to support ssl variables
     in any expression using mod_rewrite syntax "%{SSL:VARNAME}" or function
     syntax "ssl(VARNAME)". [Rainer Jung]

Changes with Apache 2.4.17

  *) mod_http2: added donated HTTP/2 implementation via core module. Similar
     configuration options to mod_ssl. [Stefan Eissing]

  *) mod_proxy: don't recycle backend announced "Connection: close" connections
     to avoid reusing it should the close be effective after some new request
     is ready to be sent. [Yann Ylavic]

  *) mod_substitute: Allow to configure the patterns merge order with the new
     SubstituteInheritBefore on|off directive. PR 57641
     [Marc.Stern <Marc.Stern approach.be>, Yann Ylavic, William Rowe]

  *) mod_proxy: Fix ProxySourceAddress binding failure with AH00938.
     PR 56687. [Arne de Bruijn <apache arbruijn.dds.nl>]

  *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3,
     and change the compiled-in default for SSL[Proxy]Protocol to "all -SSLv3",
     in accordance with RFC 7568. PR 58349, PR 57120. [Kaspar Brand]

  *) mod_ssl: append :!aNULL:!eNULL:!EXP to the cipher string settings,
     instead of prepending !aNULL:!eNULL:!EXP: (as was the case in 2.4.7
     and later). Enables support for configuring the SUITEB* cipher
     strings introduced in OpenSSL 1.0.2. PR 58213. [Kaspar Brand]

  *) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
     of subjectAltName entries of type "otherName" into
     SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
     variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
     Kaspar Brand]

  *) mod_logio: Fix logging of %^FB (time to first byte) on the first request on
     an SSL connection. PR 58454.
     [Konstantin J. Chernov <k.j.chernov gmail.com>]

  *) mod_cache: r->err_headers_out is not merged into
     r->headers when mod_cache is enabled and the response
     is cached for the first time. [Edward Lu]

  *) mod_slotmem_shm: Fix slots/SHM files names on restart for systems that
     can't create new (clear) slots while previous children gracefully stopping
     still use the old ones (e.g. Windows, OS2). mod_proxy_balancer failed to
     restart whenever the number of configured balancers/members changed during
     restart. PR 58024. [Yann Ylavic]

  *) core/util_script: make REDIRECT_URL a full URL. PR 57785. [Nick Kew]

  *) MPMs: Support SO_REUSEPORT to create multiple duplicated listener
     records for scalability. [Yingqi Lu <yingqi.lu@intel.com>,
     Jeff Trawick, Jim Jagielski, Yann Ylavic]

  *) mod_alias: Introduce expression parser support for Alias, ScriptAlias
     and Redirect. Limit Redirect expressions to directory (Location) context
     and redirect statuses (implicit or explicit).
     [Graham Leggett, Yann Ylavic, Ruediger Pluem]

  *) mod_proxy: Fix a race condition that caused a failed worker to be retried
     before the retry period is over. [Ruediger Pluem]

  *) mod_autoindex: Allow autoindexes when neither mod_dir nor mod_mime are
     loaded. [Eric Covener]

  *) mod_rewrite: Allow cookies set by mod_rewrite to contain ':' by accepting
     ';' as an alternate separator. PR47241.
     [<bugzilla schermesser com>, Eric Covener]

  *) apxs: Add HTTPD_VERSION and HTTPD_MMN to the variables available with
     apxs -q. PR58202. [Daniel Shahaf <danielsh apache.org>]

  *) mod_rewrite: Avoid a crash when lacking correct DB access permissions
     when using RewriteMap with MapType dbd or fastdbd. [Christophe Jaillet]

  *) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.
     PR 57868. [Jose Kahan <jose w3.org>, Yann Ylavic]

  *) mod_socache_memcache: Add the 'MemcacheConnTTL' directive to control how
     long to keep idle connections with the memcache server(s).
     Change default value from 600 usec (!) to 15 sec. PR 58091
     [Christophe Jaillet]

  *) mod_dir: Prevent the internal identifier "httpd/unix-directory" from
     appearing as a Content-Type response header when requests for a directory
     are rewritten by mod_rewrite. [Eric Covener]

Changes with Apache 2.4.16

  *) http: Fix LimitRequestBody checks when there are no more bytes to read.
     [Michael Kaufmann <mail michael-kaufmann.ch>]

  *) mod_alias: Revert expression parser support for Alias, ScriptAlias
     and Redirect due to a regression (introduced in 2.4.13, not released).

  *) mod_reqtimeout: Don't let pipelining checks and keep-alive times interfere
     with the timeouts computed for subsequent requests. PR 56729.
     [Eric Covener, Yann Ylavic]

  *) core: Avoid a possible truncation of the faulty header included in the
     HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]

  *) mod_ldap: In some cases, LDAP_NO_SUCH_ATTRIBUTE could be returned instead
     of an error during a compare operation. [Eric Covener]

Changes with Apache 2.4.15 (not released)

  *) mod_ext_filter, mod_charset_lite: Avoid inadvertent filtering of protocol
     data during read of chunked request bodies. PR 58049.
     [Edward Lu <Chaosed0 gmail.com>]

  *) mod_ldap: Stop leaking LDAP connections when 'LDAPConnectionPoolTTL 0'
     is configured. PR 58037. [Ted Phelps <phelps gnusto.com>]

  *) core: Allow spaces after chunk-size for compatibility with implementations
     using a pre-filled buffer. [Yann Ylavic, Jeff Trawick]

  *) mod_ssl: Remove deprecated SSLCertificateChainFile warning.
     [Yann Ylavic]

Changes with Apache 2.4.14 (not released)

  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
     core: Fix chunk header parsing defect.
     Remove apr_brigade_flatten(), buffering and duplicated code from
     the HTTP_IN filter, parse chunks in a single pass with zero copy.
     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
     authorized characters. [Graham Leggett, Yann Ylavic]

  *) SECURITY: CVE-2015-3185 (cve.mitre.org)
     Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
     with new ap_some_authn_required and ap_force_authn hook. [Ben Reser]
|
|
||
|
Changes with Apache 2.4.13 (not released)

*) SECURITY: CVE-2015-0253 (cve.mitre.org)
core: Fix a crash with ErrorDocument 400 pointing to a local URL-path
with the INCLUDES filter active, introduced in 2.4.11. PR 57531.
[Yann Ylavic]

*) SECURITY: CVE-2015-0228 (cve.mitre.org)
mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash.
[Edward Lu <Chaosed0 gmail.com>]

*) mod_proxy: Don't put the worker in error state for 500 or 503 errors
returned by the backend unless failonstatus is configured to. PR 56925.
[Yann Ylavic]

*) core: Don't lowercase the argument to SetHandler if it begins with
"proxy:unix". PR 57968. [Eric Covener]

*) mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
the OCSP response for a different certificate. mod_ssl has an additional
global mutex, "ssl-stapling-refresh". PR 57131 (partial fix).
[Jeff Trawick]

*) mod_authz_dbm: Fix crashes when "dbm-file-group" is used and
authz modules were loaded in the "wrong" order. [Joe Orton]

*) mod_authn_dbd, mod_authz_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
of DB lookup entries independently of the selected DB engine. PR 46421.
[Steven whitson <steven.whitson gmail com>, Jan Kaluza, Yann Ylavic].

*) In alignment with RFC 7525, the default recommended SSLCipherSuite
and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
default recommended SSLProtocol and SSLProxyProtocol directives now
exclude SSLv3. Existing configurations must be adjusted by the
administrator. [William Rowe]

*) mod_ssl: Add support for extracting subjectAltName entries of type
rfc822Name and dNSName into SSL_{CLIENT,SERVER}_SAN_{Email,DNS}_n
environment variables. Also addresses PR 57207. [Kaspar Brand]

*) dav_validate_request: avoid validating locks and ETags when there are
no If headers providing them on a resource we aren't modifying.
[Ben Reser]

*) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
response header to be used by the application, for when the application
or framework is unable to return Location in the internal-redirect
form. [Jeff Trawick]

*) core: Cleanup the request soon/even if some output filter fails to
handle the EOR bucket. [Yann Ylavic]

*) mpm_event: Allow for timer events duplicates. [Jim Jagielski, Yann Ylavic]

*) mod_proxy, mod_ssl, mod_cache_socache, mod_socache_*: Support machine
readable server-status produced when using the "?auto" query string.
[Rainer Jung]

*) mod_status: Add more data to machine readable server-status produced
when using the "?auto" query string. [Rainer Jung]

*) mod_ssl: Check for the Entropy Gathering Daemon (EGD) availability at
configure time (RAND_egd), and complain if SSLRandomSeed requires using
it otherwise. [Bernard Spil <pil.oss gmail com>, Stefan Sperling,
Kaspar Brand]

*) mod_ssl: make sure to consistently output SSLCertificateChainFile
deprecation warnings, when encountered in a VirtualHost block.
[Falco Schwarz <hiding falco.me>]

*) mod_log_config: Add "%{UNIT}T" format to output request duration in
seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
[Ben Reser, Rainer Jung]

*) Allow FallbackResource to work when a directory is requested and
there is no autoindex nor DirectoryIndex.
[Jack <tjerk.meesters gmail.com>, Eric Covener]

*) mod_proxy_wstunnel: Bypass the handler while the connection is not
upgraded to WebSocket, so that other modules can possibly take over
the leading HTTP requests. [Yann Ylavic]

*) mod_http: Fix incorrect If-Match handling. PR 57358
[Kunihiko Sakamoto <ksakamoto google.com>]

*) mod_ssl: Add a warning if protocol given in SSLProtocol or SSLProxyProtocol
will override other parameters given in the same directive. This could be
a missing + or - prefix. PR 52820 [Christophe Jaillet]

*) core, modules: Avoid error response/document handling by the core if some
handler or input filter already did it while reading the request (causing
a double response body). [Yann Ylavic]

*) mod_proxy_ajp: Fix client connection errors handling and logged status
when it occurs. PR 56823. [Yann Ylavic]

*) mod_proxy: Use the correct server name for SNI in case the backend
SSL connection itself is established via a proxy server.
PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]

*) mod_ssl: Fix possible crash when loading server certificate constraints.
PR 57694. [Paul Spangler <paul.spangler ni com>, Yann Ylavic]

*) build: Don't load both mod_cgi and mod_cgid in the default configuration
if they're both built. [olli hauer <ohauer gmx.de>]

*) mod_logio: Add LogIOTrackTTFB and %^FB logformat to log the time
taken to start writing response headers. [Eric Covener]

*) mod_ssl: Avoid compilation errors with LibreSSL related to
the use of ENGINE_CTRL_CHIL_SET_FORKCHECK.
[Stuart Henderson <sthen openbsd.org>]

*) mod_proxy_http: Use the "Connection: close" header for requests to
backends not recycling connections (disablereuse), including the default
reverse and forward proxies. [Yann Ylavic]

*) mod_proxy: Add ap_connection_reusable() for checking if a connection
is reusable as of this point in processing. [Jeff Trawick]

*) mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad
Gateway) when no response is ever received from the backend.
[Jan Kaluza]

*) core_filters: Restore/disable TCP_NOPUSH option after non-blocking
sendfile. [Yann Ylavic]

*) mod_buffer: Forward flushed input data immediately and avoid (unlikely)
access to freed memory. [Yann Ylavic, Christophe Jaillet]

*) core: Add CGIPassAuth directive to control whether HTTP authorization
headers are passed to scripts as CGI variables. PR 56855. [Jeff
Trawick]

*) core: Initialize scoreboard's used optional functions on graceful restarts
to avoid a crash when relocation occurs. PR 57177. [Yann Ylavic]

*) mod_dav: Avoid a potential integer underflow in the lock timeout value sent
back to a client. The answer to a LOCK request could be an extremely large
integer if the time needed to lock the resource was longer than the
requested timeout given in the LOCK request. In such a case, we now answer
"Second-0". PR55420
[Christophe Jaillet]

*) mod_cgid: Within the first minute of a server start or restart,
allow mod_cgid to retry connecting to its daemon process. Previously,
'No such file or directory: unable to connect to cgi daemon...' could
be logged without an actual retry. PR57685.
[Edward Lu <Chaosed0 gmail.com>]

*) mod_proxy: Use the original (non absolute) form of the request-line's URI
for requests embedded in CONNECT payloads used to connect SSL backends via
a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms <hendrik.harms
gmail com>, William Rowe, Yann Ylavic]

*) http: Make ap_die() robust against any HTTP error code and not modify
response status (finally logged) when nothing is to be done. PR 56035.
[Yann Ylavic]

*) mod_proxy_connect/wstunnel: If both client and backend sides get readable
at the same time, don't lose errors occurring while forwarding on the first
side when none occurs next on the other side, and abort. [Yann Ylavic]

*) mod_rewrite: Improve relative substitutions in per-directory/htaccess
context for directories found by mod_userdir and mod_alias. These no
longer require RewriteBase to be specified. [Eric Covener]

*) mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
or force-proxy-request-1.0. [Yann Ylavic]

*) core: If explicitly configured, use the KeepaliveTimeout value of the
virtual host which handled the latest request on the connection, or by
default the one of the first virtual host bound to the same IP:port.
PR56226. [Yann Ylavic]

*) mod_lua: After a r:wsupgrade(), mod_lua was not properly
responding to a websockets PING but instead invoking the specified
script. PR57524. [Edward Lu <Chaosed0 gmail.com>]

*) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
a combination of certificate serialNumber and issuer as defined by
CertificateExactMatch in RFC4523. [Graham Leggett]

*) core: Add expression support to ErrorDocument. Switch from a fixed
sized 664 byte array per merge to a hash table. [Graham Leggett]

*) ab: Add missing longest request (100%) to CSV export.
[Marcin Fabrykowski <bugzilla fabrykowski.pl>]

*) mod_macro: Clear macros before initialization to avoid use-after-free
on startup or restart when the module is linked statically. PR 57525
[apache.org tech.futurequest.net, Yann Ylavic]

*) mod_alias: Introduce expression parser support for Alias, ScriptAlias
and Redirect. [Graham Leggett]

*) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context.
PR 57100. [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
Yann Ylavic]

*) mpm_event: Avoid access to the scoreboard from the connection while
it is suspended (waiting for events). [Eric Covener, Jeff Trawick]

*) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
PR 57334. [Yann Ylavic].

*) mod_deflate: A misplaced check prevents limiting small bodies with the
new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]

*) mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a
request attribute to the backend. Recent Tomcat versions will extract
it and provide it as a servlet request attribute named
"org.apache.tomcat.util.net.secure_protocol_version". [Rainer Jung]

*) core: Optimize string concatenation in expression parser when evaluating
a string expression. [Rainer Jung]

*) acinclude.m4: Generate #LoadModule directive in default httpd.conf for
every --enable-mpms-shared. PR 53882. [olli hauer <ohauer gmx.de>,
Yann Ylavic]

*) mod_authn_dbd: Fix the error message logged in case of error while querying
the database. This is associated to AH01656 and AH01661. [Christophe Jaillet]

*) mod_authz_groupfile: Reduce the severity of AH01667 from ERROR to DEBUG,
because it may be evaluated inside <RequireAny>. PR55523. [Eric Covener]

*) mod_ssl: Fix small memory leak during initialization when ECDH is used.
[Jan Kaluza]

Changes with Apache 2.4.12

*) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
internationalization. [William Rowe]

*) mpm_winnt: Normalize the error and status messages emitted by service.c,
the service control interface for Windows. [William Rowe]

*) configure: Fix --enable-v4-mapped configuration on *BSD. PR 53824.
[ olli hauer <ohauer gmx.de>, Yann Ylavic ]

*) Reverted <DirectoryMatch > behavior regression introduced in 2.4.11
(not released).

Changes with Apache 2.4.11 (not released)

*) SECURITY: CVE-2014-3583 (cve.mitre.org)
mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with
response headers' size above 8K. [Yann Ylavic, Jeff Trawick]

*) SECURITY: CVE-2014-3581 (cve.mitre.org)
mod_cache: Avoid a crash when Content-Type has an empty value.
PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza]

*) SECURITY: CVE-2014-8109 (cve.mitre.org)
mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
used in multiple Require directives with different arguments.
PR57204 [Edward Lu <Chaosed0 gmail.com>]

*) SECURITY: CVE-2013-5704 (cve.mitre.org)
core: HTTP trailers could be used to replace HTTP headers
late during request processing, potentially undoing or
otherwise confusing modules that examined or modified
request headers earlier. Adds "MergeTrailers" directive to restore
legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]

*) mod_ssl: New directive SSLSessionTickets (On|Off).
The directive controls the use of TLS session tickets (RFC 5077),
default value is "On" (unchanged behavior).
Session ticket creation uses a random key created during web
server startup and recreated during restarts. No other key
recreation mechanism is available currently. Therefore using session
tickets without restarting the web server with an appropriate frequency
(e.g. daily) compromises perfect forward secrecy. [Rainer Jung]

*) mod_proxy_fcgi: Provide some basic alternate options for specifying
how PATH_INFO is passed to FastCGI backends by adding significance to
the value of proxy-fcgi-pathinfo. PR 55329. [Eric Covener]

*) mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule
to opt-in to connection reuse and other Proxy options via explicitly
declared "proxy workers" (<Proxy unix:... enablereuse=on max=...)
[Eric Covener]

*) mod_proxy: Add "enablereuse" option as the inverse of "disablereuse".
[Eric Covener]

*) mod_proxy_fcgi: Enable opt-in to TCP connection reuse by explicitly
setting proxy option disablereuse=off. [Eric Covener] PR 57378.

*) event: Update the internal "connection id" when requests
move from thread to thread. Reuse can confuse modules like
mod_cgid. PR 57435. [Michael Thorpe <mike gistnet.com>]

*) mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME
passed to fastcgi backends. [Eric Covener]

*) core: Configuration files with long lines and continuation characters
are not read properly. PR 55910. [Manuel Mausz <manuel-as mausz.at>]

*) mod_include: the 'env' function was incorrectly handled as 'getenv' if the
leading 'e' was written in upper case in <!--#if expr="..." -->
statements. [Christophe Jaillet]

*) split-logfile: Fix perl error: 'Can't use string ("example.org:80")
as a symbol ref while "strict refs"'. PR 56329.
[Holger Mauermann <mauermann gmail.com>]

*) mod_proxy: Prevent ProxyPassReverse from doing a substitution when
the URL parameter interpolates to an empty string. PR 56603.
[<ajprout hotmail.com>]

*) core: Fix -D[efined] or <Define>[d] variables lifetime across restarts.
PR 57328. [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic].

*) mod_proxy: Preserve original request headers even if they differ
from the ones to be forwarded to the backend. PR 45387.
[Yann Ylavic]

*) mod_ssl: dump SSL IO/state for the write side of the connection(s),
like reads (level TRACE4). [Yann Ylavic]

*) mod_proxy_fcgi: Ignore body data from backend for 304 responses. PR 57198.
[Jan Kaluza]

*) mod_ssl: Do not crash when looking up SSL related variables during
expression evaluation on non SSL connections. PR 57070 [Ruediger Pluem]

*) mod_proxy_ajp: Fix handling of the default port (8009) in the
ProxyPass and <Proxy> configurations. PR 57259. [Yann Ylavic]

*) mpm_event: Avoid a possible use after free when notifying the end of
connection during lingering close. PR 57268. [Eric Covener, Yann Ylavic]

*) mod_ssl: Fix recognition of OCSP stapling responses that are encoded
improperly or too large. [Jeff Trawick]

*) core: Add ap_log_data(), ap_log_rdata(), etc. for logging buffers.
[Jeff Trawick]

*) mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an
error when parsing or forwarding the response fails. [Yann Ylavic]

*) mod_ssl: Fix a memory leak in case of graceful restarts with OpenSSL >= 0.9.8e
PR 53435 [tadanori <tadanori2007 yahoo.com>, Sebastian Wiedenroth <wiedi frubar.net>]

*) mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read
determine whether it is a normal close or a real error. PR 57168. [Yann
Ylavic]

*) mod_proxy_wstunnel: abort backend connection on polling error to avoid
further processing. [Yann Ylavic]

*) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
PR 57167 [Edward Lu <Chaosed0 gmail.com>]

*) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC
systems. PR 57092 [Edward Lu <Chaosed0 gmail.com>]

*) mod_cache: Avoid a 304 response to an unconditional request when an AH00752
CacheLock error occurs during cache revalidation. [Eric Covener]

*) mod_ssl: Move OCSP stapling information from a per-certificate store to
a per-server hash. PR 54357, PR 56919. [Alex Bligh <alex alex.org.uk>,
Yann Ylavic, Kaspar Brand]

*) mod_cache_socache: Change average object size hint from 32 bytes to
2048 bytes. [Rainer Jung]

*) mod_cache_socache: Add cache status to server-status. [Rainer Jung]

*) event: Fix worker-listener deadlock in graceful restart.
PR 56960.

*) Concat strings at compile time when possible. PR 53741.

*) mod_substitute: Restrict configuration in .htaccess to
FileInfo as documented. [Rainer Jung]

*) mod_substitute: Make maximum line length configurable. [Rainer Jung]

*) mod_substitute: Fix line length limitation in case of regexp plus flatten.
[Rainer Jung]

*) mod_proxy: Truncated character worker names are no longer fatal
errors. PR53218. [Jim Jagielski]

*) mod_dav: Set r->status_line in dav_error_response. PR 55426.

*) mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory.
[Yann Ylavic, Christophe Jaillet]

*) http_protocol: fix logic in ap_method_list_(add|remove) in order:
- to correctly reset bits
- not to modify the 'method_mask' bitfield unnecessarily
[Christophe Jaillet]

*) mod_slotmem_shm: Increase log level for some originally debug messages.
[Jim Jagielski]

*) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
the wrong credentials when a backend connection is reused.
[Eric Covener]

*) mod_macro: Add missing APLOGNO for some Warning log messages.
[Christophe Jaillet]

*) mod_cache: Avoid sending 304 responses during failed revalidations
PR56881. [Eric Covener]

*) mod_status: Honor client IP address using mod_remoteip. PR 55886.
[Jim Jagielski]

*) cmake-based build for Windows: Fix incompatibility with cmake 2.8.12
and later. PR 56615. [Chuck Liu <cliu81 gmail.com>, Jeff Trawick]

*) mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade
failed) messages from ERROR to TRACE1. Other filters do not bother
re-reporting failures from lower level filters. PR56832. [Eric Covener]

*) core: Avoid useless warning message when parsing a section guarded by
<IfDefine foo> if $(foo) is used within the section.
PR 56503 [Christophe Jaillet]

*) mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the
application. PR 56858. [Manuel Mausz <manuel-asf mausz.at>]

*) mod_proxy_http: Proxy responses with error status and
"ProxyErrorOverride On" hang until proxy timeout.
PR53420 [Rainer Jung]

*) mod_log_config: Allow three character log formats to be registered. For
backwards compatibility, the first character of a three-character format
must be the '^' (caret) character. [Eric Covener]

*) mod_lua: Don't quote Expires and Path values. PR 56734.
[Keith Mashinter, <kmashint yahoo com>]

*) mod_authz_core: Allow <AuthzProviderAlias>'es to be seen from auth
stanzas under virtual hosts. PR 56870. [Eric Covener]

Changes with Apache 2.4.10

*) SECURITY: CVE-2014-0117 (cve.mitre.org)
mod_proxy: Fix crash in Connection header handling which allowed a denial
of service attack against a reverse proxy with a threaded MPM.
[Ben Reser]

*) SECURITY: CVE-2014-3523 (cve.mitre.org)
Fix a memory consumption denial of service in the WinNT MPM, used in all
Windows installations. Workaround: AcceptFilter <protocol> {none|connect}
[Jeff Trawick]

*) SECURITY: CVE-2014-0226 (cve.mitre.org)
Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow. [Joe Orton, Eric Covener]

*) SECURITY: CVE-2014-0118 (cve.mitre.org)
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to
avoid denial of service via highly compressed bodies. See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]

*) SECURITY: CVE-2014-0231 (cve.mitre.org)
mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server. By
default, the client I/O timeout (Timeout directive) now applies to
communication with scripts. The CGIDScriptTimeout directive can be
used to set a different timeout for communication with scripts.
[Rainer Jung, Eric Covener, Yann Ylavic]

*) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
resumed by TLS session resumption (RFC 5077). [Rainer Jung]

*) mod_deflate: Don't fail when flushing inflated data to the user-agent
and that coincides with the end of stream ("Zlib error flushing inflate
buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]

*) mod_proxy_ajp: Forward local IP address as a custom request attribute
like we already do for the remote port. [Rainer Jung]

*) core: Include any error notes set by modules in the canned error
response for 403 errors. [Jeff Trawick]

*) mod_ssl: Set an error note for requests rejected due to
SSLStrictSNIVHostCheck. [Jeff Trawick]

*) mod_ssl: Fix issue with redirects to error documents when handling
SNI errors. [Jeff Trawick]

*) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
larger keys and support up to 8192-bit keys. [Ruediger Pluem,
Joe Orton]

*) mod_dav: Fix improper encoding in PROPFIND responses. PR 56480.
[Ben Reser]

*) WinNT MPM: Improve error handling for termination events in child.
[Jeff Trawick]

*) mod_proxy: When ping/pong is configured for a worker, don't send or
forward "100 Continue" (interim) response to the client if it does
not expect one. [Yann Ylavic]

*) mod_ldap: Be more conservative with the last-used time for
LDAPConnectionPoolTTL. PR54587 [Eric Covener]

*) mod_ldap: LDAP connections used for authn were not respecting
LDAPConnectionPoolTTL. PR54587 [Eric Covener]

*) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
[Jeff Trawick]

*) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
or occasional missed mod_status updates under load. PR 56639.
[Edward Lu <Chaosed0 gmail com>]

*) mod_authnz_ldap: Support primitive LDAP servers that do not accept
filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
filter "none" to be specified in AuthLDAPURL. [Eric Covener]

*) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
[Lukas Bezdicka <social v3.sk>]

*) mod_deflate: Handle Zlib header and validation bytes received in multiple
chunks. PR 46146. [Yann Ylavic]

*) mod_proxy: Allow reverse-proxy to be set via explicit handler.
[ryo takatsuki <ryotakatsuki gmail com>]

*) ab: support custom HTTP method with -m argument. PR 56604.
[Roman Jurkov <winfinit gmail.com>]

*) mod_proxy_balancer: Correctly encode user provided data in management
interface. PR 56532 [Maksymilian, <max cert.cx>]

*) mod_proxy: Don't limit the size of the connectable Unix Domain Socket
paths. [Graham Dumpleton, Christophe Jaillet, Yann Ylavic]

*) mod_proxy_fcgi: Support iobuffersize parameter. [Jeff Trawick]

*) event: Send the SSL close notify alert when the KeepAliveTimeout
expires. PR54998. [Yann Ylavic]

*) mod_ssl: Ensure that the SSL close notify alert is flushed to the client.
PR54998. [Tim Kosse <tim.kosse filezilla-project.org>, Yann Ylavic]

*) mod_proxy: Shutdown (eg. SSL close notify) the backend connection before
closing. [Yann Ylavic]

*) mod_auth_form: Add a debug message when the fields on a form are not
recognised. [Graham Leggett]

*) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
response. PR 55547. [Yann Ylavic]

*) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
scheme. PR55320. [Alex Liu <alex.leo.ca gmail.com>]

*) mod_socache_shmcb: Correct counting of expirations for status display.
Expirations happening during retrieval were not counted. [Rainer Jung]

*) mod_cache: Retry unconditional request with the full URL (including the
query-string) when the origin server's 304 response does not match the
conditions used to revalidate the stale entry. [Yann Ylavic].

*) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
variables as a result of AliasMatch. [Eric Covener]

*) mod_cache: Don't add cached/revalidated entity headers to a 304 response.
PR 55547. [Yann Ylavic]

*) mod_proxy_scgi: Support Unix sockets. ap_proxy_port_of_scheme():
Support default SCGI port (4000). [Jeff Trawick]

*) mod_cache: Fix AH00784 errors on Windows when the CacheLock directive
is enabled. [Eric Covener]

*) mod_expires: don't add Expires header to error responses (4xx/5xx),
be they generated or forwarded. PR 55669. [Yann Ylavic]

*) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
(regression in 2.4.9 release) [Jeff Trawick]

*) mod_authn_socache: Fix crash at startup in certain configurations.
PR 56371. (regression in 2.4.7) [Jan Kaluza]

*) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
programs to the form used in releases up to 2.4.7, and emulate
a backwards-compatible behavior for existing setups. [Kaspar Brand]

*) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
OCSP requests should use a nonce to be checked against the responder's
one. PR 56233. [Yann Ylavic, Kaspar Brand]

*) mod_ssl: "SSLEngine off" will now override a Listen-based default
and does disable mod_ssl for the vhost. [Joe Orton]

*) mod_lua: Enforce the max post size allowed via r:parsebody()
[Daniel Gruno]

*) mod_lua: Use binary comparison to find boundaries for multipart
objects, as to not terminate our search prematurely when hitting
a NULL byte. [Daniel Gruno]

*) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
versions before 0.9.8h and not specifying an SSLCertificateChainFile
(regression introduced with 2.4.8). PR 56410. [Kaspar Brand]

*) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
no longer send warning-level unrecognized_name(112) alerts,
and limit startup warnings to cases where an OpenSSL version
without TLS extension support is used. PR 56241. [Kaspar Brand]

*) mod_proxy_html: Avoid some possible memory access violation in case of
specially crafted files, when the ProxyHTMLMeta directive is turned on.
Follow up of PR 56287 [Christophe Jaillet]

*) mod_auth_form: Make sure the optional functions are loaded even when
the AuthFormProvider isn't specified. [Graham Leggett]

*) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
(and logging garbled file names). PR 56306. [Kaspar Brand]

*) mod_ssl: fix merging of global and vhost-level settings with the
SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
directives. PR 56353. [Kaspar Brand]

*) mod_headers: Allow the "value" parameter of Header and RequestHeader to
contain an ap_expr expression if prefixed with "expr=". [Eric Covener]

*) rotatelogs: Avoid creation of zombie processes when -p is used on
Unix platforms. [Joe Orton]

*) mod_authnz_fcgi: New module to enable FastCGI authorizer
applications to authenticate and/or authorize clients.
[Jeff Trawick]

*) mod_proxy: Do not try to parse the regular expressions passed by
ProxyPassMatch as URL as they do not follow their syntax.
PR 56074. [Ruediger Pluem]

*) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
under the Event MPM. PR56216. [Frank Meier <frank meier ergon ch>]

*) mod_proxy_fcgi: Fix sending of response without some HTTP headers
that might be set by filters. PR 55558. [Jim Riggs <jim riggs.me>]

*) mod_proxy_html: Do not delete the wrong data from HTML code when a
"http-equiv" meta tag specifies a Content-Type behind any other
"http-equiv" meta tag. PR 56287 [Micha Lenk <micha lenk info>]

*) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
differs. PR 55782. [Yann Ylavic]

*) Add suspend_connection and resume_connection hooks to notify modules
when the thread/connection relationship changes. (Should be implemented
for any third-party async MPMs.) [Jeff Trawick]

*) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
hangups from websockets origin servers. PR 56299
[Yann Ylavic, Edward Lu <Chaosed0 gmail com>, Eric Covener]

*) mod_proxy_wstunnel: Don't pool backend websockets connections,
because we need to handshake every time. PR 55890.
[Eric Covener]

*) mod_lua: Redesign how request record table access behaves,
in order to utilize the request record from within these tables.
[Daniel Gruno]

*) mod_lua: Add r:wspeek for peeking at WebSocket frames. [Daniel Gruno]

*) mod_lua: Log an error when the initial parsing of a Lua file fails.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]

*) mod_lua: Reformat and escape script error output.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]

*) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
from causing response splitting.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]

*) mod_lua: Disallow newlines in table values inside the request_rec,
to prevent HTTP Response Splitting via tainted headers.
[Daniel Gruno, Felipe Daragon <filipe syhunt com>]

*) mod_lua: Remove the non-working early/late arguments for
|
||
|
LuaHookCheckUserID. [Daniel Gruno]
|
||
|
|
||
|
*) mod_lua: Change IVM storage to use shm [Daniel Gruno]
|
||
|
|
||
|
*) mod_lua: More verbose error logging when a handler function cannot be
|
||
|
found. [Daniel Gruno]
|
||
|
|
||
|
Changes with Apache 2.4.9

  *) mod_ssl: Work around a bug in some older versions of OpenSSL that
     would cause a crash in SSL_get_certificate for servers where the
     certificate hadn't been sent. [Stephen Henson]

  *) mod_lua: Add a fixups hook that checks if the original request is intended
     for LuaMapHandler. This fixes a bug where FallbackResource invalidates the
     LuaMapHandler directive in certain cases by changing the URI before the map
     handler code executes [Daniel Gruno, Daniel Ferradal <dferradal gmail com>].

Changes with Apache 2.4.8 (not released)

  *) SECURITY: CVE-2014-0098 (cve.mitre.org)
     Clean up cookie logging with fewer redundant string parsing passes.
     Log only cookies with a value assignment. Prevents segfaults when
     logging truncated cookies.
     [William Rowe, Ruediger Pluem, Jim Jagielski]

  *) SECURITY: CVE-2013-6438 (cve.mitre.org)
     mod_dav: Keep track of length of cdata properly when removing
     leading spaces. Eliminates a potential denial of service from
     specifically crafted DAV WRITE requests
     [Amin Tora <Amin.Tora neustar.biz>]

  *) core: Support named groups and backreferences within the LocationMatch,
     DirectoryMatch, FilesMatch and ProxyMatch directives. (Requires
     non-ancient PCRE library) [Graham Leggett]

  *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
     TE/CL conflicts. [Yann Ylavic, Jim Jagielski]

  *) core: Detect incomplete request and response bodies, log an error and
     forward it to the underlying filters. PR 55475 [Yann Ylavic]

  *) mod_dir: Add DirectoryCheckHandler to allow a 2.2-like behavior, skipping
     execution when a handler is already set. PR53929. [Eric Covener]

  *) mod_ssl: Do not perform SNI / Host header comparison in case of a
     forward proxy request. [Ruediger Pluem]

  *) mod_ssl: Remove the hardcoded algorithm-type dependency for the
     SSLCertificateFile and SSLCertificateKeyFile directives, to enable
     future algorithm agility, and deprecate the SSLCertificateChainFile
     directive (obsoleted by SSLCertificateFile). [Kaspar Brand]

  *) mod_rewrite: Add RewriteOptions InheritDown, InheritDownBefore,
     and IgnoreInherit to allow RewriteRules to be pushed from parent scopes
     to child scopes without explicitly configuring each child scope.
     PR56153. [Edward Lu <Chaosed0 gmail com>]

  *) prefork: Fix long delays when doing a graceful restart.
     PR 54852 [Jim Jagielski, Arkadiusz Miskiewicz <arekm maven pl>]

  *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
     5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick]

  *) mod_proxy_wstunnel: Avoid busy loop on client errors, drop message
     IDs 02445, 02446, and 02448 to TRACE1 from DEBUG. PR 56145.
     [Joffroy Christen <joffroy.christen solvaxis com>, Eric Covener]

  *) mod_remoteip: Correct the trusted proxy match test. PR 54651.
     [Yoshinori Ehara <yoshinori ehara gmail com>, Eugene L <eugenel amazon com>]

  *) mod_proxy_fcgi: Fix error message when an unexpected protocol version
     number is received from the application. PR 56110. [Jeff Trawick]

  *) mod_remoteip: Use the correct IP addresses to populate the proxy_ips field.
     PR 55972. [Mike Rumph]

  *) mod_lua: Update r:setcookie() to accept a table of options and add domain,
     path and httponly to the list of options available to set.
     PR 56128 [Edward Lu <Chaosed0 gmail com>, Daniel Gruno]

  *) mod_lua: Fix r:setcookie() to add, rather than replace,
     the Set-Cookie header. PR56105
     [Kevin J Walters <kjw ms com>, Edward Lu <Chaosed0 gmail com>]

  *) mod_lua: Allow for database results to be returned as a hash with
     row-name/value pairs instead of just row-number/value. [Daniel Gruno]

  *) mod_rewrite: Add %{CONN_REMOTE_ADDR} as the non-useragent counterpart to
     %{REMOTE_ADDR}. PR 56094. [Edward Lu <Chaosed0 gmail com>]

  *) WinNT MPM: If ap_run_pre_connection() fails or sets c->aborted, don't
     save the socket for reuse by the next worker as if it were an
     APR_SO_DISCONNECTED socket. Restores 2.2 behavior. [Eric Covener]

  *) mod_dir: Don't search for a DirectoryIndex or DirectorySlash on a URL
     that was just rewritten by mod_rewrite. PR53929. [Eric Covener]

  *) mod_session: When we have a session we were unable to decode,
     behave as if there was no session at all. [Thomas Eckert
     <thomas.r.w.eckert gmail com>]

  *) mod_session: Fix problems interpreting the SessionInclude and
     SessionExclude configuration. PR 56038. [Erik Pearson
     <erik adaptations.com>]

  *) mod_authn_core: Allow <AuthnProviderAlias>'es to be seen from auth
     stanzas under virtual hosts. PR 55622. [Eric Covener]

  *) mod_proxy_fcgi: Use apr_socket_timeout_get instead of hard-coded
     30 seconds timeout. [Jan Kaluza]

  *) build: only search for modules (config*.m4) in known subdirectories, see
     build/config-stubs. [Stefan Fritsch]

  *) mod_cache_disk: Fix potential hangs on Windows when using mod_cache_disk.
     PR 55833. [Eric Covener]

  *) mod_ssl: Add support for OpenSSL configuration commands by introducing
     the SSLOpenSSLConfCmd directive. [Stephen Henson, Kaspar Brand]

  *) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
     is equivalent to <ProxyMatch wildcard-url>. [Christophe Jaillet]

  *) mod_authz_user, mod_authz_host, mod_authz_groupfile, mod_authz_dbm,
     mod_authz_dbd, mod_authnz_ldap: Support the expression parser within the
     require directives. [Graham Leggett]

  *) mod_proxy_http: Core dumped under high load. PR 50335.
     [Jan Kaluza <jkaluza redhat.com>]

  *) mod_socache_shmcb.c: Remove arbitrary restriction on shared memory size
     previously limited to 64MB. [Jens Låås <jelaas gmail.com>]

  *) mod_lua: Use binary copy when dealing with uploads through r:parsebody()
     to prevent truncating files. [Daniel Gruno]

Changes with Apache 2.4.7

  *) SECURITY: CVE-2013-4352 (cve.mitre.org)
     mod_cache: Fix a NULL pointer dereference which allowed untrusted
     origin servers to crash mod_cache in a forward proxy
     configuration. [Graham Leggett]

  *) APR 1.5.0 or later is now required for the event MPM.

  *) slotmem_shm: Error detection. [Jim Jagielski]

  *) event: Use skiplist data structure. [Jim Jagielski]

  *) event: Fail at startup with message AP02405 if the APR atomic
     implementation is not compatible with the MPM. [Jim Jagielski]

  *) mpm_unix: Add ap_mpm_podx_* implementation to avoid code duplication
     and align w/ trunk. [Jim Jagielski]

  *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
     directives. [Mike Rumph <mike.rumph oracle.com>]

  *) mod_proxy_fcgi: Remove 64K limit on encoded length of all envvars.
     An individual envvar with an encoded length of more than 16K will be
     omitted. [Jeff Trawick]

  *) mod_proxy_fcgi: Handle reading protocol data that is split between
     packets. [Jeff Trawick]

  *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
     allowing custom parameters to be configured via SSLCertificateFile,
     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
     Unless custom parameters are configured, the standardized parameters
     are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]

  *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]

  *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
     keys, and unconditionally disable aNULL, eNULL and EXP ciphers
     (not overridable via SSLCipherSuite). [Kaspar Brand]

  *) mod_proxy: Added support for unix domain sockets as the
     backend server endpoint. This also introduces an unintended
     incompatibility for third party modules using the mod_proxy
     proxy_worker_shared structure, especially for balancer lbmethod
     modules. [Jim Jagielski, Blaise Tarr <blaise tarr gmail com>]

  *) Add experimental cmake-based build system for Windows. [Jeff Trawick,
     Tom Donovan]

  *) event MPM: Fix possible crashes (third party modules accessing c->sbh)
     or occasional missed mod_status updates for some keepalive requests
     under load. [Eric Covener]

  *) mod_authn_socache: Support optional initialization arguments for
     socache providers. [Chris Darroch]

  *) mod_session: Reset the max-age on session save. PR 47476. [Alexey
     Varlamov <alexey.v.varlamov gmail com>]

  *) mod_session: After parsing the value of the header specified by the
     SessionHeader directive, remove the value from the response. PR 55279.
     [Graham Leggett]

  *) mod_headers: Allow for format specifiers in the substitution string
     when using Header edit. [Daniel Ruggeri]

  *) mod_dav: dav_resource->uri is treated as unencoded. This was an
     unnecessary ABI change introduced in 2.4.6. PR 55397.

  *) mod_dav: Don't require lock tokens for COPY source. PR 55306.

  *) core: Don't truncate output when sending is interrupted by a signal,
     such as from an exiting CGI process. PR 55643. [Jeff Trawick]

  *) WinNT MPM: Exit the child if the parent process crashes or is terminated.
     [Oracle Corporation]

  *) Windows: Correct failure to discard stderr in some error log
     configurations. (Error message AH00093) [Jeff Trawick]

  *) mod_session_crypto: Allow using exec: calls to obtain session
     encryption key. [Daniel Ruggeri]

  *) core: Add missing Reason-Phrase in HTTP response headers.
     PR 54946. [Rainer Jung]

  *) mod_rewrite: Make rewrite websocket-aware to allow proxying.
     PR 55598. [Chris Harris <chris.harris kitware com>]

  *) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
     instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]

  *) ab: Add wait time, fix processing time, and output write errors only if
     they occurred. [Christophe Jaillet]

  *) worker MPM: Don't forcibly kill worker threads if the child process is
     exiting gracefully. [Oracle Corporation]

  *) core: apachectl -S prints wildcard name-based virtual hosts twice.
     PR54948 [Eric Covener]

  *) mod_auth_basic: Add AuthBasicUseDigestAlgorithm directive to
     allow migration of passwords from digest to basic authentication.
     [Chris Darroch]

  *) ab: Add a new -l parameter in order not to check the length of the responses.
     This can be useful with dynamic pages.
     PR9945, PR27888, PR42040 [<ccikrs1 cranbrook edu>]

  *) Suppress formatting of startup messages written to the console when
     ErrorLogFormat is used. [Jeff Trawick]

  *) mod_auth_digest: Be more specific when the realm mismatches because the
     realm has not been specified. [Graham Leggett]

  *) mod_proxy: Add a note in the balancer manager stating whether changes
     will or will not be persisted and whether settings are inherited.
     [Daniel Ruggeri, Jim Jagielski]

  *) core: Add util_fcgi.h and associated definitions and support
     routines for FastCGI, based largely on mod_proxy_fcgi.
     [Jeff Trawick]

  *) mod_headers: Add 'Header note header-name note-name' for copying a response
     header's value into a note. [Eric Covener]

  *) mod_headers: Add 'setifempty' command to Header and RequestHeader.
     [Eric Covener]

  *) mod_logio: new format-specifier %S (sum) which is the sum of received
     and sent byte counts.
     PR54015 [Christophe Jaillet]

  *) mod_deflate: Improve error detection when decompressing request bodies
     with trailing garbage: handle case where trailing bytes are in
     the same bucket. [Rainer Jung]

  *) mod_authz_groupfile, mod_authz_user: Reduce severity of AH01671 and AH01663
     from ERROR to DEBUG, since these modules do not know what mod_authz_core
     is doing with their AUTHZ_DENIED return value. [Eric Covener]

  *) mod_ldap: add TRACE5 for LDAP retries. [Eric Covener]

  *) mod_ldap: retry on an LDAP timeout during authn. [Eric Covener]

  *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP
     SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK
     default, sans rebind authentication callback.
     [Jan Kaluza <kaluze AT redhat.com>]

  *) core: Log a message at TRACE1 when the client aborts a connection.
     [Eric Covener]

  *) WinNT MPM: Don't crash during child process initialization if the
     Listen protocol is unrecognized. [Jeff Trawick]

  *) modules: Fix some compiler warnings. [Guenter Knauf]

  *) Sync 2.4 and trunk
     - Avoid some memory allocation and work when TRACE1 is not activated
     - fix typo in include guard
     - indent
     - No need to lower the string before removing the path, it is just
       a waste of time...
     - Save a few cycles
     [Christophe Jaillet <christophe.jaillet wanadoo.fr>]

  *) mod_filter: Add "change=no" as a proto-flag to FilterProtocol
     to remove a provider's initial flags set at registration time.
     [Eric Covener]

  *) core, mod_ssl: Enable the ability for a module to reverse the sense of
     a poll event from a read to a write or vice versa. This is a step on
     the way to allow mod_ssl taking full advantage of the event MPM.
     [Graham Leggett]

  *) Makefile.win: Install proper pcre DLL file during debug build install.
     PR 55235. [Ben Reser <ben reser org>]

  *) mod_ldap: Fix a potential memory leak or corruption. PR 54936.
     [Zhenbo Xu <zhenbo1987 gmail com>]

  *) ab: Fix potential buffer overflows when processing the T and X
     command-line options. PR 55360.
     [Mike Rumph <mike.rumph oracle.com>]

  *) fcgistarter: Specify SO_REUSEADDR to allow starting a server
     with old connections in TIME_WAIT. [Jeff Trawick]

  *) core: Add open_htaccess hook which, in conjunction with dirwalk_stat
     and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be
     used without patches to httpd core. [Stefan Fritsch]

  *) support/htdbm: fix processing of -t command line switch. Regression
     introduced in 2.4.4
     PR 55264 [Jo Rhett <jrhett netconsonance com>]

  *) mod_lua: add websocket support via r:wsupgrade, r:wswrite, r:wsread
     and r:wsping. [Daniel Gruno]

  *) mod_lua: add support for writing/reading cookies via r:getcookie and
     r:setcookie. [Daniel Gruno]

  *) mod_lua: If the first yield() of a LuaOutputFilter returns a string, it should
     be prefixed to the response as documented. [Eric Covener]
     Note: Not present in 2.4.7 CHANGES

  *) mod_lua: Remove ETAG, Content-Length, and Content-MD5 when a LuaOutputFilter
     is configured without mod_filter. [Eric Covener]
     Note: Not present in 2.4.7 CHANGES

  *) mod_lua: Register LuaOutputFilter scripts as changing the content and
     content-length by default, when run by mod_filter. Previously,
     growing or shrinking a response that started with Content-Length set
     would require mod_filter and FilterProtocol change=yes. [Eric Covener]
     Note: Not present in 2.4.7 CHANGES

  *) mod_lua: Return a 500 error if a LuaHook* script doesn't return a
     numeric return code. [Eric Covener]
     Note: Not present in 2.4.7 CHANGES

Changes with Apache 2.4.6

  *) Revert a broken fix for PR54948 that was applied to 2.4.5 (which was
     not released) and found post-2.4.5 tagging.

Changes with Apache 2.4.5

  *) SECURITY: CVE-2013-1896 (cve.mitre.org)
     mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
     the source href (sent as part of the request body as XML) pointing to a
     URI that is not configured for DAV will trigger a segfault. [Ben Reser
     <ben reser.org>]

  *) SECURITY: CVE-2013-2249 (cve.mitre.org)
     mod_session_dbd: Make sure that dirty flag is respected when saving
     sessions, and ensure the session ID is changed each time the session
     changes. This changes the format of the updatesession SQL statement.
     Existing configurations must be changed.
     [Takashi Sato, Graham Leggett]

  *) mod_auth_basic: Add a generic mechanism to fake basic authentication
     using the ap_expr parser. AuthBasicFake allows the administrator to
     construct their own username and password for basic authentication based
     on their needs. [Graham Leggett]

  *) mpm_event: Check that AsyncRequestWorkerFactor is not negative. PR 54254.
     [Jackie Zhang <jackie qq zhang gmail com>]

  *) mod_proxy: Ensure we don't attempt to amend a table we are iterating
     through, ensuring that all headers listed by Connection are removed.
     [Graham Leggett, Co-Advisor <coad measurement-factory.com>]

  *) mod_proxy_http: Make the proxy-interim-response environment variable
     effective by formally overriding origin server behaviour. [Graham
     Leggett, Co-Advisor <coad measurement-factory.com>]

  *) mod_proxy: Fix seg-faults when using the global pool on threaded
     MPMs [Thomas Eckert <thomas.r.w.eckert gmail.com>, Graham Leggett,
     Jim Jagielski]

  *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
     Gracefully step aside if the body size is zero. [Graham Leggett]

  *) mod_ssl: Fix possible truncation of OCSP responses when reading from the
     server. [Joe Orton]

  *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
     on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun
     <apache heilbrun.org>]

  *) mod_cache_socache: Make sure the CacheSocacheMaxSize directive is merged
     correctly. [Jens Låås <jelaas gmail.com>]

  *) rotatelogs: add -n number-of-files option to rotate through a number
     of fixed-name logfiles. [Eric Covener]

  *) mod_proxy: Support web-socket tunnels via mod_proxy_wstunnel.
     [Jim Jagielski]

  *) mod_cache_socache: Use the name of the socache implementation when performing
     a lookup rather than using the raw arguments. [Martin Ksellmann
     <martin@ksellmann.de>]

  *) core: Add dirwalk_stat hook. [Jeff Trawick]

  *) core: Add post_perdir_config hook.
     [Steinar Gunderson <sgunderson bigfoot.com>]

  *) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
     [Christophe Jaillet]

  *) mod_remoteip: close file in error path. [Christophe Jaillet]

  *) core: make the "default" parameter of the "ErrorDocument" option case
     insensitive. PR 54419 [Tianyin Xu <tixu cs ucsd edu>]

  *) mod_proxy_html: make the "ProxyHTMLFixups" options case insensitive.
     PR 54420 [Tianyin Xu <tixu cs ucsd edu>]

  *) mod_cache: Make option "CacheDisable" in mod_cache case insensitive.
     PR 54462 [Tianyin Xu <tixu cs ucsd edu>]

  *) mod_cache: If a 304 response indicates an entity not currently cached, then
     the cache MUST disregard the response and repeat the request without the
     conditional. [Graham Leggett, Co-Advisor <coad measurement-factory.com>]

  *) mod_cache: Ensure that we don't attempt to replace a cached response
     with an older response as per RFC2616 13.12. [Graham Leggett, Co-Advisor
     <coad measurement-factory.com>]

  *) core, mod_cache: Ensure RFC2616 compliance in ap_meets_conditions()
     with weak validation combined with If-Range and Range headers. Break
     out explicit conditional header checks to be useable elsewhere in the
     server. Ensure weak validation RFC compliance in the byteranges filter.
     Ensure RFC validation compliance when serving cached entities. PR 16142
     [Graham Leggett, Co-Advisor <coad measurement-factory.com>]

  *) core: Add the ability to do explicit matching on weak and strong ETags
     as per RFC2616 Section 13.3.3. [Graham Leggett, Co-Advisor
     <coad measurement-factory.com>]

  *) mod_cache: Ensure that updated responses to HEAD requests don't get
     mistakenly paired with a previously cached body. Ensure that any existing
     body is removed when a HEAD request is cached. [Graham Leggett,
     Co-Advisor <coad measurement-factory.com>]

  *) mod_cache: Honour Cache-Control: no-store in a request. [Graham Leggett]

  *) mod_cache: Make sure that contradictory entity headers present in a 304
     Not Modified response are caught and cause the entity to be removed.
     [Graham Leggett]

  *) mod_cache: Make sure Vary processing handles multivalued Vary headers and
     multivalued headers referred to via Vary. [Graham Leggett]

  *) mod_cache: When serving from cache, only the last header of a multivalued
     header was taken into account. Fixed. Ensure that Warning headers are
     correctly handled as per RFC2616. [Graham Leggett]

  *) mod_cache: Ignore response headers specified by no-cache=header and
     private=header as specified by RFC2616 14.9.1 What is Cacheable. Ensure
     that these headers are still processed when multiple Cache-Control
     headers are present in the response. PR 54706 [Graham Leggett,
     Yann Ylavic <ylavic.dev gmail.com>]

  *) mod_cache: Invalidate cached entities in response to RFC2616 Section
     13.10 Invalidation After Updates or Deletions. PR 15868 [Graham
     Leggett]

  *) mod_dav: Improve error handling in dav_method_put(), add new
     dav_join_error() function. PR 54145. [Ben Reser <ben reser.org>]

  *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

  *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
     property on a resource for which there is no dead property in the same
     namespace httpd segfaults. PR 52559 [Diego Santa Cruz
     <diego.santaCruz spinetix.com>]

  *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
     result in a 412 Precondition Failed for a COPY operation. PR54610
     [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
     we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]

  *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
     Gracefully step aside if the body size is zero. [Graham Leggett]

  *) 'AuthGroupFile' and 'AuthUserFile' no longer accept the optional
     'standard' keyword. It was unused and not documented.
     PR54463 [Tianyin Xu <tixu cs.ucsd.edu> and Christophe Jaillet]

  *) core: Do not over allocate memory within 'ap_rgetline_core' for
     the common case. [Christophe Jaillet]

  *) core: speed up (for common cases) and reduce memory usage of
     ap_escape_logitem(). This should save 70-100 bytes in the request
     pool for a default config. [Christophe Jaillet]

  *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
     [Timothy Wood <tjw omnigroup.com>]

  *) mod_proxy: Reject invalid values for Max-Forwards. [Graham Leggett,
     Co-Advisor <coad measurement-factory.com>]

  *) mod_cache: RFC2616 14.9.3 The s-maxage directive also implies the
     semantics of the proxy-revalidate directive. [Graham Leggett]

  *) mod_ssl: add support for subjectAltName-based host name checking
     in proxy mode (SSLProxyCheckPeerName). PR 54030. [Kaspar Brand]

  *) core: Use the proper macro for HTTP/1.1. [Graham Leggett]

  *) event MPM: Provide error handling for ThreadStackSize. PR 54311
     [Tianyin Xu <tixu cs.ucsd.edu>, Christophe Jaillet]

  *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

  *) core: Improve error message where client's request-line exceeds
     LimitRequestLine. PR 54384 [Christophe Jaillet]

  *) mod_macro: New module that provides macros within configuration files.
     [Fabien Coelho]

  *) mod_cache_socache: New cache implementation backed by mod_socache
     that replaces mod_mem_cache known from httpd 2.2. [Graham
     Leggett]

  *) htpasswd: Add -v option to verify a password. [Stefan Fritsch]

  *) mod_proxy: Add BalancerInherit and ProxyPassInherit to control
     whether Proxy Balancers and Workers are inherited by vhosts
     (default is On). [Jim Jagielski]

  *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
     password. [Daniel Ruggeri]

  *) Added balancer parameter failontimeout to allow server admin
     to configure an IO timeout as an error in the balancer.
     [Daniel Ruggeri]

  *) mod_auth_digest: Fix crashes if shm initialization failed. [Stefan
     Fritsch]

  *) htpasswd, htdbm: Fix password generation. PR 54735. [Stefan Fritsch]

  *) core: Add workaround for gcc bug on sparc/64bit. PR 52900.
     [Stefan Fritsch]

  *) mod_setenvif: Fix crash in case SetEnvif and SetEnvIfExpr are used
     together. PR 54881. [Ruediger Pluem]

  *) htdigest: Fix buffer overflow when reading digest password file
     with very long lines. PR 54893. [Rainer Jung]

  *) ap_expr: Add the ability to base64 encode and base64 decode
     strings and to generate their SHA1 and MD5 hash.
     [Graham Leggett, Stefan Fritsch]

  *) mod_log_config: Fix crash when logging request end time for a failed
     request. PR 54828 [Rainer Jung]

  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
     [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]

  *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
     in the error log to debug level. [William Rowe]

  *) mod_cache_disk: CacheMinFileSize and CacheMaxFileSize were always
     using compiled in defaults of 1000000/1 respectively. [Eric Covener]

  *) mod_lbmethod_heartbeat, mod_heartmonitor: Respect DefaultRuntimeDir/
     DEFAULT_REL_RUNTIMEDIR for the heartbeat storage file. [Jeff Trawick]

  *) mod_include: Use new ap_expr for 'elif', like 'if',
     if legacy parser is not specified. PR 54548 [Tom Donovan]

  *) mod_lua: Add some new functions: r:htpassword(), r:mkdir(), r:mkrdir(),
     r:rmdir(), r:touch(), r:get_direntries(), r.date_parse_rfc().
     [Guenter Knauf]

  *) mod_lua: Add multipart form data handling. [Daniel Gruno]

  *) mod_lua: If a LuaMapHandler doesn't return any value, log a warning
     and treat it as apache2.OK. [Eric Covener]

  *) mod_lua: Add bindings for apr_dbd/mod_dbd database access
     [Daniel Gruno]

  *) mod_lua: Add LuaInputFilter/LuaOutputFilter for creating content
     filters in Lua [Daniel Gruno]

  *) mod_lua: Allow scripts handled by the lua-script handler to return
     a status code to the client (such as a 302 or a 500) [Daniel Gruno]

  *) mod_lua: Decline handling 'lua-script' if the file doesn't exist,
     rather than throwing an internal server error. [Daniel Gruno]

  *) mod_lua: Add functions r:flush and r:sendfile as well as additional
     request information to the request_rec structure. [Daniel Gruno]

  *) mod_lua: Add a server scope for Lua states, which creates a pool of
     states with manageable minimum and maximum size. [Daniel Gruno]

  *) mod_lua: Add new directive, LuaMapHandler, for dynamically mapping
     URIs to Lua scripts and functions using regular expressions.
     [Daniel Gruno]

  *) mod_lua: Add new directive LuaCodeCache for controlling in-memory
     caching of lua scripts. [Daniel Gruno]

Changes with Apache 2.4.4

  *) SECURITY: CVE-2012-3499 (cve.mitre.org)
     Various XSS flaws due to unescaped hostnames and URIs HTML output in
     mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
     [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]

  *) SECURITY: CVE-2012-4558 (cve.mitre.org)
     XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
     Niels Heinen <heinenn google com>]

  *) mod_dir: Add support for the value 'disabled' in FallbackResource.
     [Vincent Deffontaines]

  *) mod_proxy_connect: Don't keepalive the connection to the client if the
     backend closes the connection. PR 54474. [Pavel Mateja <pavel netsafe cz>]

  *) mod_lua: Add bindings for mod_dbd/apr_dbd database access.
     [Daniel Gruno]

  *) mod_proxy: Allow for persistence of local changes made via the
     balancer-manager between graceful/normal restarts and power
     cycles. [Jim Jagielski]

  *) mod_proxy: Fix startup crash with mis-defined balancers.
     PR 52402. [Jim Jagielski]

  *) --with-module: Fix failure to integrate them into some existing
     module directories. PR 40097. [Jeff Trawick]

  *) htcacheclean: Fix potential segfault if "-p" is omitted. [Joe Orton]

*) mod_proxy_http: Honour special value 0 (unlimited) of LimitRequestBody
|
||
|
PR 54435. [Pavel Mateja <pavel netsafe.cz>]
|
||
|
|
||
|
*) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
|
||
|
[Rainer Jung]
|
||
|
|
||
|
*) htcacheclean: Fix list options "-a" and "-A".
|
||
|
[Rainer Jung]
|
||
|
|
||
|
*) mod_slotmem_shm: Fix mistaken reset of num_free for restored shm.
|
||
|
[Jim Jagielski]
|
||
|
|
||
|
*) mod_proxy: non-existance of byrequests is not an immediate error.
|
||
|
[Jim Jagielski]
|
||
|
|
||
|
*) mod_proxy_balancer: Improve output of balancer-manager (re: Drn,
|
||
|
Dis, Ign, Stby). PR 52478 [Danijel <dt-ng rbfh de>]
|
||
|
|
||
|
*) configure: Fix processing of --disable-FEATURE for various features.
|
||
|
[Jeff Trawick]
|
||
|
|
||
|
*) mod_dialup/mod_http: Prevent a crash in mod_dialup in case of internal
|
||
|
redirect. PR 52230.
|
||
|
|
||
|
*) various modules, rotatelogs: Replace use of apr_file_write() with
|
||
|
apr_file_write_full() to prevent incomplete writes. PR 53131.
|
||
|
[Nicolas Viennot <apache viennot biz>, Stefan Fritsch]
|
||
|
|
||
|
*) ab: Support socket timeout (-s timeout).
|
||
|
[Guido Serra <zeph fsfe org>]
|
||
|
|
||
|
*) httxt2dbm: Correct length computation for the 'value' stored in the
|
||
|
DBM file. PR 47650 [jon buckybox com]
|
||
|
|
||
|
*) core: Be more correct about rejecting directives that cannot work in <If>
|
||
|
sections. [Stefan Fritsch]
|
||
|
|
||
|
*) core: Fix directives like LogLevel that need to know if they are invoked
at virtual host context or in Directory/Files/Location/If sections to
work properly in If sections that are not in a Directory/Files/Location.
[Stefan Fritsch]

*) mod_xml2enc: Fix problems with charset conversion altering the
Content-Length. [Micha Lenk <micha lenk info>]

*) ap_expr: Add req_novary function that allows HTTP header lookups
without adding the name to the Vary header. [Stefan Fritsch]

*) mod_slotmem_*: Add in new fgrab() function which forces a grab and
slot allocation on a specified slot. Allow for clearing of inuse
array. [Jim Jagielski]

*) mod_proxy_ftp: Fix segfaults on IPv4 requests to hosts with DNS
AAAA records. PR 40841. [Andrew Rucker Jones <arjones simultan
dyndns org>, <ast domdv de>, Jim Jagielski]

*) mod_auth_form: Make sure that get_notes_auth() sets the user as does
get_form_auth() and get_session_auth(). Makes sure that REMOTE_USER
does not vanish during mod_include driven subrequests. [Graham
Leggett]

*) mod_cache_disk: Resolve errors while revalidating disk-cached files on
Windows ("...rename tempfile to datafile failed..."). PR 38827
[Eric Covener]

*) mod_proxy_balancer: Bring XML output up to date. [Jim Jagielski]

*) htpasswd, htdbm: Optionally read passwords from stdin, as more
secure alternative to -b. PR 40243. [Adomas Paltanavicius <adomas
paltanavicius gmail com>, Stefan Fritsch]

*) htpasswd, htdbm: Add support for bcrypt algorithm (requires
apr-util 1.5 or higher). PR 49288. [Stefan Fritsch]

*) htpasswd, htdbm: Put full 48bit of entropy into salt, improve
error handling. Add some of htpasswd's improvements to htdbm,
e.g. warn if password is truncated by crypt(). [Stefan Fritsch]

*) mod_auth_form: Support the expr parser in the
AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and
AuthFormLogoutLocation directives. [Graham Leggett]

*) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange
for TLS, RFC 5054). PR 51075. [Quinn Slack <sqs cs stanford edu>,
Christophe Renou, Peter Sylvester]

*) mod_rewrite: Stop merging RewriteBase down to subdirectories
unless new option 'RewriteOptions MergeBase' is configured.
PR 53963. [Eric Covener]

*) mod_header: Allow for exposure of loadavg and server load using new
format specifiers %l, %i, %b [Jim Jagielski]

*) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory. Make
ap_pregcomp() abort if out of memory. This raises the minimum PCRE
requirement to version 6.0. [Stefan Fritsch]

*) mod_proxy: Add ability to configure the sticky session separator.
PR 53893. [<inu inusasha de>, Jim Jagielski]

*) mod_dumpio: Correctly log large messages
PR 54179 [Marek Wianecki <mieszek2 interia pl>]

*) core: Don't fail at startup with AH00554 when Include points to
a directory without any wildcard character. [Eric Covener]

*) core: Fail startup if the argument to ServerTokens is unrecognized.
[Jackie Zhang <jackie.qq.zhang gmail.com>]

*) mod_log_forensic: Don't log a spurious "-" if a request has been rejected
before mod_log_forensic could attach its id to it. [Stefan Fritsch]

*) rotatelogs: Omit the second argument for the first invocation of
a post-rotate program when -p is used, per the documentation.
[Joe Orton]

*) mod_session_dbd: fix a segmentation fault in the function dbd_remove.
PR 53452. [<rebanerebane gmail com>, Reimo Rebane]

*) core: Functions to provide server load values: ap_get_sload() and
ap_get_loadavg(). [Jim Jagielski, Jan Kaluza <jkaluza redhat.com>,
Jeff Trawick]

*) mod_ldap: Fix regression in handling "server unavailable" errors on
Windows. PR 54140. [Eric Covener]

*) syslog logging: Remove stray ", referer" at the end of some messages.
[Jeff Trawick]

*) "Iterate" directives: Report an error if no arguments are provided.
[Jeff Trawick]

*) mod_ssl: Change default for SSLCompression to off, as compression
causes security issues in most setups. (The so called "CRIME" attack).
[Stefan Fritsch]

*) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
to more accurately report the negotiated protocol. PR 53916.
[Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]

*) core: ErrorDocument now works for requests without a Host header.
PR 48357. [Jeff Trawick]

*) prefork: Avoid logging harmless errors during graceful stop.
[Joe Orton, Jeff Trawick]

*) mod_proxy: When concatting for PPR, avoid cases where we
concat ".../" and "/..." to create "...//..." [Jim Jagielski]

*) mod_cache: Wrong content type and character set when
mod_cache serves stale content because of a proxy error.
PR 53539. [Rainer Jung, Ruediger Pluem]

*) mod_proxy_ajp: Fix crash in packet dump code when logging
with LogLevel trace7 or trace8. PR 53730. [Rainer Jung]

*) httpd.conf: Removed the configuration directives setting a bad_DNT
environment introduced in 2.4.3. The actual directives are commented
out in the default conf file.

*) core: Apply length limit when logging Status header values.
[Jeff Trawick, Chris Darroch]

*) mod_proxy_balancer: The nonce is only derived from the UUID iff
not set via the 'nonce' balancer param. [Jim Jagielski]

*) mod_ssl: Match wildcard SSL certificate names in proxy mode.
PR 53006. [Joe Orton]

*) Windows: Fix output of -M, -L, and similar command-line options
which display information about the server configuration.
[Jeff Trawick]

Changes with Apache 2.4.3

*) SECURITY: CVE-2012-3502 (cve.mitre.org)
mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
connection closing which could lead to privacy issues due
to a response mixup. PR 53727. [Rainer Jung]

*) SECURITY: CVE-2012-2687 (cve.mitre.org)
mod_negotiation: Escape filenames in variant list to prevent a
possible XSS for a site where untrusted users can upload files to
a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]

*) mod_authnz_ldap: Don't try a potentially expensive nested groups
search before exhausting all AuthLDAPGroupAttribute checks on the
current group. PR 52464 [Eric Covener]

*) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
authorization provider in lua. [Stefan Fritsch]

*) core: Be less strict when checking whether Content-Type is set to
"application/x-www-form-urlencoded" when parsing POST data,
or we risk losing data with an appended charset. PR 53698
[Petter Berntsen <petterb gmail.com>]

*) httpd.conf: Added configuration directives to set a bad_DNT environment
variable based on User-Agent and to remove the DNT header field from
incoming requests when a match occurs. This currently has the effect of
removing DNT from requests by MSIE 10.0 because it deliberately violates
the current specification of DNT semantics for HTTP. [Roy T. Fielding]

*) mod_socache_shmcb: Fix bus error due to a misalignment
in some 32 bit builds, especially on Solaris Sparc.
PR 53040. [Rainer Jung]

*) mod_cache: Set content type in case we return stale content.
[Ruediger Pluem]

*) Windows: Fix SSL failures on windows with AcceptFilter https none.
PR 52476. [Jeff Trawick]

*) ab: Fix read failure when targeting SSL server. [Jeff Trawick]

*) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
- mod_auth_digest: shared memory file
[Jeff Trawick]

*) htpasswd: Use correct file mode for checking if file is writable.
PR 45923. [Stefan Fritsch]

*) mod_rewrite: Fix crash with dbd RewriteMaps. PR 53663. [Mikhail T.
<mi apache aldan algebra com>]

*) mod_ssl: Add new directive SSLCompression to disable TLS-level
compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]

*) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
client_ip to match conn_rec. [Stefan Fritsch]

*) mod_lua: Change prototype of vm_construct, to work around gcc bug which
causes a segfault. PR 52779. [Dick Snippe <Dick Snippe tech omroep nl>]

*) mpm_event: Don't count connections in lingering close state when
calculating how many additional connections may be accepted.
[Stefan Fritsch]

*) mod_ssl: If exiting during initialization because of a fatal error,
log a message to the main error log pointing to the appropriate
virtual host error log. [Stefan Fritsch]

*) mod_proxy_ajp: Reduce memory usage in case of many keep-alive requests on
one connection. PR 52275. [Naohiro Ooiwa <naohiro ooiwa miraclelinux com>]

*) mod_proxy_balancer: Restore balancing after a failed worker has
recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick]

*) mod_setenvif: Compile some global regex only once during startup.
This should save some memory, especially with .htaccess.
[Stefan Fritsch]

*) core: Add the port number to the vhost's name in the scoreboard.
[Stefan Fritsch]

*) mod_proxy: Fix ProxyPassReverse for balancer configurations.
PR 45434. [Joe Orton]

*) mod_lua: Add the parsebody function for parsing POST data. PR 53064.
[Daniel Gruno]

*) apxs: Use LDFLAGS from config_vars.mk in addition to CFLAGS and CPPFLAGS.
[Stefan Fritsch]

*) mod_proxy: Fix memory leak or possible corruption in ProxyBlock
implementation. [Ruediger Pluem, Joe Orton]

*) mod_proxy: Check hostname from request URI against ProxyBlock list,
not forward proxy, if ProxyRemote* is configured. [Joe Orton]

*) mod_proxy_connect: Avoid DNS lookup on hostname from request URI
if ProxyRemote* is configured. PR 43697. [Joe Orton]

*) mpm_event, mpm_worker: Remain active amidst prevalent child process
resource shortages. [Jeff Trawick]

*) Add "strict" and "warnings" pragmas to Perl scripts. [Rich Bowen]

*) The following now respect DefaultRuntimeDir/DEFAULT_REL_RUNTIMEDIR:
- core: the scoreboard (ScoreBoardFile), pid file (PidFile), and
mutexes (Mutex)
[Jim Jagielski]

*) ab: Fix bind() errors. [Joe Orton]

*) mpm_event: Don't do a blocking write when starting a lingering close
from the listener thread. PR 52229. [Stefan Fritsch]

*) mod_so: If a filename without slashes is specified for LoadFile or
LoadModule and the file cannot be found in the server root directory,
try to use the standard dlopen() search path. [Stefan Fritsch]

*) mpm_event, mpm_worker: Fix cases where the spawn rate wasn't reduced
after child process resource shortages. [Jeff Trawick]

*) mpm_prefork: Reduce spawn rate after a child process exits due to
unexpected poll or accept failure. [Jeff Trawick]

*) core: Log value of Status header line in script responses rather
than the fixed header name. [Chris Darroch]

*) mod_ssl: Fix handling of empty response from OCSP server.
[Jim Meyering <meyering redhat.com>, Joe Orton]

*) mpm_event: Fix handling of MaxConnectionsPerChild. [Stefan Fritsch]

*) mod_authz_core: If an expression in "Require expr" returns denied and
references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
[Stefan Fritsch]

*) core: Always log if LimitRequestFieldSize triggers. [Stefan Fritsch]

*) mod_deflate: Skip compression if compression is enabled at SSL level.
[Stefan Fritsch]

*) core: Add missing HTTP status codes registered with IANA.
[Julian Reschke <julian.reschke gmx.de>, Rainer Jung]

*) mod_ldap: Treat the "server unavailable" condition as a transient
error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]

*) core: Fix spurious "not allowed here" error returned when the Options
directive is used in .htaccess and "AllowOverride Options" (with no
specific options restricted) is configured. PR 53444. [Eric Covener]

*) mod_authz_core: Fix parsing of Require arguments in <AuthzProviderAlias>.
PR 53048. [Stefan Fritsch]

*) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
PR 53104. [Greg Ames]

*) mod_ext_filter: Fix error_log spam when input filters are configured.
[Joe Orton]

*) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]

*) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
[Paul Wouters <pwouters redhat.com>, Joe Orton]

*) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
the chosen listener is configured for https. [Joe Orton]

*) mod_proxy: Use the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]

*) mod_info: Display all registered providers. [Stefan Fritsch]

*) mod_ssl: Send the error message for speaking http to an https port using
HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
using SNI. PR 50823. [Stefan Fritsch]

*) core: Fix segfault in logging if r->useragent_addr or c->client_addr is
unset. PR 53265. [Stefan Fritsch]

*) log_server_status: Bring Perl style forward to the present, use
standard modules, update for new format of server-status output.
PR 45424. [Richard Bowen, Dave Brondsema, and others]

*) mod_sed, mod_log_debug, mod_rewrite: Symbol namespace cleanups.
[Joe Orton, André Malo]

*) core: Prevent "httpd -k restart" from killing server in presence of
config error. [Joe Orton]

*) mod_proxy_fcgi: If there is an error reading the headers from the
backend, send an error to the client. PR 52879. [Stefan Fritsch]

Changes with Apache 2.4.2

*) SECURITY: CVE-2012-0883 (cve.mitre.org)
envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
current working directory to be searched for DSOs. [Stefan Fritsch]

*) mod_slotmem_shm: Honor DefaultRuntimeDir [Jim Jagielski]

*) mod_ssl: Fix crash with threaded MPMs due to race condition when
initializing EC temporary keys. [Stefan Fritsch]

*) mod_rewrite: Fix RewriteCond integer checks to be parsed correctly.
PR 53023. [Axel Reinhold <apache freakout.de>, André Malo]

*) mod_proxy: Add the forcerecovery balancer parameter that determines if
recovery for balancer workers is enforced. [Ruediger Pluem]

*) Fix MPM DSO load failure on AIX. [Jeff Trawick]

*) mod_proxy: Correctly set up reverse proxy worker. PR 52935.
[Petter Berntsen <petterb gmail.com>]

*) mod_sed: Don't define PATH_MAX to a potentially undefined value, causing
compile problems on GNU hurd. [Stefan Fritsch]

*) core: Add ap_runtime_dir_relative() and DefaultRuntimeDir.
[Jeff Trawick]

*) core: Fix breakage of Listen directives with MPMs that use a
per-directory config. PR 52904. [Stefan Fritsch]

*) core: Disallow directives in AllowOverrideList which are only allowed
in VirtualHost or server context. These are usually not prepared to be
called in .htaccess files. [Stefan Fritsch]

*) core: In AllowOverrideList, do not allow 'None' together with other
directives. PR 52823. [Stefan Fritsch]

*) mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm.
[Jim Jagielski]

*) core: Fix merging of AllowOverrideList and ContentDigest.
[Stefan Fritsch]

*) mod_request: Fix validation of the KeptBodySize argument so it
doesn't always throw a configuration error. PR 52981 [Eric Covener]

*) core: Add filesystem paths to access denied / access failed messages
AH00035 and AH00036. [Eric Covener]

*) mod_dumpio: Properly handle errors from subsequent input filters.
PR 52914. [Stefan Fritsch]

*) Unix MPMs: Fix small memory leak in parent process if connect()
failed when waking up children. [Joe Orton]

*) "DirectoryIndex disabled" now undoes DirectoryIndex settings in
the current configuration section, not just previous config sections.
PR 52845. [Eric Covener]

*) mod_xml2enc: Fix broken handling of EOS buckets which could lead to
response headers not being sent. PR 52766. [Stefan Fritsch]

*) mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand]

*) core: Check during config test that directories for the access
logs actually exist. PR 29941. [Stefan Fritsch]

*) mod_xml2enc, mod_proxy_html: Enable per-module loglevels.
[Stefan Fritsch]

*) mod_filter: Fix segfault with AddOutputFilterByType. PR 52755.
[Stefan Fritsch]

*) mod_session: Sessions are encoded as application/x-www-form-urlencoded
strings, however we do not handle the encoding of spaces properly.
Fixed. [Graham Leggett]

*) Configuration: Example in comment should use a path consistent
with the default configuration. PR 52715.
[Rich Bowen, Jens Schleusener, Rainer Jung]

*) Configuration: Switch documentation links from trunk to 2.4.
[Rainer Jung]

*) configure: Fix out of tree build using apr and apr-util in srclib.
[Rainer Jung]

Changes with Apache 2.4.1

*) SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]

*) mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk]

*) core: Check during configtest that the directories for error logs exist.
PR 29941 [Stefan Fritsch]

*) Core configuration: add AllowOverride option to treat syntax
errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski]

*) core: Fix memory consumption in core output filter with streaming
bucket types like CGI or PIPE. [Joe Orton, Stefan Fritsch]

*) configure: Disable modules at configure time if a prerequisite module
is not enabled. PR 52487. [Stefan Fritsch]

*) Rewrite and proxy now decline what they don't support rather
than fail the request. [Joe Orton]

*) Fix building against external apr plus apr-util if apr is not installed
in a system default path. [Rainer Jung]

*) Doxygen fixes and improvements. [Joe Orton, Igor Galić]

*) core: Fix building against PCRE 8.30 by switching from the obsolete
pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]

Changes with Apache 2.4.0

*) SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process
to cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]

*) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]

*) SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17 and 2.3.3.
PR 52256. [Rainer Canavan <rainer-apache 7val com>]

*) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
[Kaspar Brand]

*) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, to improve binary compatibility with future OpenSSL releases.
[Kaspar Brand]

*) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass,
but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime
behave identically in both cases. PR52342. [Graham Leggett]

*) Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with
corresponding man pages. [Graham Leggett]

*) Distinguish properly between the bindir and sbindir directories when
installing binaries. Previously all binaries were silently installed to
sbindir, whether they were system administration commands or not.
[Graham Leggett]

Changes with Apache 2.3.16

*) SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
[Joe Orton]

*) core: Limit line length in .htaccess to 8K like in 2.2.x, to avoid
additional DoS potential. [Stefan Fritsch]

*) core, all modules: Add unique tag to most error log messages. [Stefan
Fritsch]

*) mod_socache_memcache: Change provider name from "mc" to "memcache" to
match module name. [Stefan Fritsch]

*) mod_slotmem_shm: Change provider name from "shared" to "shm" to match
module name. [Stefan Fritsch]

*) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This
requires an apr-util fix which is available in apr-util >= 1.4.0.
PR 42682. [Stefan Fritsch]

*) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible
for RewriteRules to be placed in .htaccess files that match the directory
with no trailing slash. PR 48304.
[Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>]

*) mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that
the administrator can hide the keys from the configuration. [Graham
Leggett]

*) Introduce a per request version of the remote IP address, which can be
optionally modified by a module when the effective IP of the client
is not the same as the real IP of the client (such as a load balancer).
Introduce a per connection "peer_ip" and a per request "client_ip" to
distinguish between the raw IP address of the connection and the effective
IP address of the request. [Graham Leggett]

*) ap_pass_brigade_fchk() function added. [Jim Jagielski]

*) core: Pass ap_errorlog_info struct to error log hook. [Stefan Fritsch]

*) mod_cache_disk: Make sure we check return codes on all writes and
attempts to close, and clean up after ourselves in these cases.
PR43589. [Graham Leggett]

*) mod_cache_disk: Remove the unnecessary intermediate brigade while
writing to disk. Fixes a problem where mod_disk_cache was leaving
buckets in the intermediate brigade and not passing them to out on
exit. [Florian S. <f_los_ch yahoo.com>, Graham Leggett]

*) mod_ssl: use a shorter setting for SSLCipherSuite in the default
configuration file, and add some more information about
configuring a speed-optimized alternative.
[Kaspar Brand]

*) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand]

*) mod_lua: Stop losing track of all but the most specific LuaHook* directives
when multiple per-directory config sections are used. Adds LuaInherit
directive to control how parent sections are merged. [Eric Covener]

*) Server directive display (-L): Include directives of DSOs.
[Jeff Trawick]

*) mod_cache: Make sure we merge headers correctly when we handle a
non cacheable conditional response. PR52120. [Graham Leggett]

*) Pre GA removal of components that will not be included:
- mod_noloris was superseded by mod_reqtimeout
- mod_serf
- mpm_simple
[Rainer Jung]

*) core: Set MaxMemFree 2048 by default. [Stefan Fritsch]

*) mpm_event: Fix assertion failure during very high load. [Stefan Fritsch]

*) configure: Additional modules loaded by default: mod_headers.
Modules moved from module set "few" to "most" and no longer loaded
by default: mod_actions, mod_allowmethods, mod_auth_form, mod_buffer,
mod_cgi(d), mod_include, mod_negotiation, mod_ratelimit, mod_request,
mod_userdir. [Rainer Jung]

*) mod_lua: Use the right lua scope when used as a hook. [Rainer Jung]

*) configure: Only load the really important modules (i.e. those enabled by
the 'few' selection) by default. Don't handle modules enabled with
--enable-foo specially. [Stefan Fritsch]

*) end-generation hook: Fix false notification of end-of-generation for
temporary intervals with no active MPM children. [Jeff Trawick]

*) mod_ssl: Add support for configuring persistent TLS session ticket
encryption/decryption keys (useful for clustered environments).
[Paul Querna, Kaspar Brand]

*) mod_usertrack: Use random value instead of remote IP address.
[Stefan Fritsch]

Changes with Apache 2.3.15

*) SECURITY: CVE-2011-3348 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
recognized. [Jean-Frederic Clere]

*) SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Fix handling of byte-range requests to use less memory, to avoid
denial of service. If the sum of all ranges in a request is larger than
the original file, ignore the ranges and send the complete file.
PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
<lowprio20 gmail.com>]

*) SECURITY: CVE-2011-3607 (cve.mitre.org)
core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]

*) SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [Joe Orton]

*) configure: Load all modules in the generated default configuration
when using --enable-load-all-modules. [Rainer Jung]

*) mod_reqtimeout: Change the default to set some reasonable timeout
values. [Stefan Fritsch]

*) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove
the inode. PR 49623. [Stefan Fritsch]

*) mod_lua: Expose SSL variables via r:ssl_var_lookup(). [Eric Covener]

*) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName}
can now additionally be run as "early" or "late" relative to other modules.
[Eric Covener]

*) configure: By default, only load those modules that are either required
or explicitly selected by a configure --enable-foo argument. The
LoadModule statements for modules enabled by --enable-mods-shared=most
and friends will be commented out. [Stefan Fritsch]

*) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and
LuaHookQuickHandler) from being configured in <Directory>, <Files>,
and htaccess where the configuration would have been ignored.
[Eric Covener]

*) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors
in LuaMapHandler scripts [Eric Covener]

*) mod_log_debug: Rename optional argument from if= to expr=, to be more
in line with other config directives. [Stefan Fritsch]

*) mod_headers: Require an expression to be specified with expr=, to be more
in line with other config directives. [Stefan Fritsch]

*) mod_substitute: To prevent overboarding memory usage, limit line length
to 1MB. [Stefan Fritsch]

*) mod_lua: Make the query string (r.args) writable. [Eric Covener]

*) mod_include: Add support for application/x-www-form-urlencoded encoding
and decoding. [Graham Leggett]

*) rotatelogs: Add -c option to force logfile creation in every rotation
interval, even if empty. [Jan Kaluža <jkaluza redhat.com>]

*) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.
[Stefan Fritsch]

*) mod_session_crypto: Refactor to support the new apr_crypto API.
[Graham Leggett]

*) http: Add missing Location header if local URL-path is used as
ErrorDocument for 30x. [Stefan Fritsch]

*) mod_buffer: Make sure we step down for subrequests, but not for internal
redirects triggered by mod_rewrite. [Graham Leggett]

*) mod_lua: add r:construct_url as a wrapper for ap_construct_url.
[Eric Covener]

*) mod_remote_ip: Fix configuration of internal proxies. PR 49272.
[Jim Riggs <jim riggs me>]

*) mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific
|
||
|
server IP endpoint and remote client IP upon connection. [William Rowe]
|
||
|
|
||
|
*) mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with
|
||
|
PeerExtList(). [Stefan Fritsch]
|
||
|
|
||
|
*) mpm_prefork, mpm_worker, mpm_event: If a child is created just before
   graceful restart and then exits because of a missing lock file, don't
   shut down the whole server. PR 39311. [Shawn Michael
   <smichael rightnow com>]

*) mpm_event: Check the return value from ap_run_create_connection.
   PR 41194. [Davi Arnaut]

*) mod_mime_magic: Add signatures for PNG and SWF to the example config.
   PR 48352. [Jeremy Wagner-Kaiser <jwagner-kaiser adknowledge com>]

*) core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items
   from the parsed (or default) config. This is useful for init scripts that
   need to set up temporary directories and permissions. [Stefan Fritsch]

*) core, mod_actions, mod_asis: Downgrade error log messages which accompany
   a 404 request status from loglevel error to info. PR 35768. [Stefan
   Fritsch]

*) core: Fix hook sorting with Perl modules. PR 45076. [Torsten Foertsch
   <torsten foertsch gmx net>]

*) core: Enforce LimitRequestFieldSize after multiple headers with the same
   name have been merged. [Stefan Fritsch]

*) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory
   usage. PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>,
   Stefan Fritsch]

*) mod_ssl: At startup, when checking a server certificate whether it
   matches the configured ServerName, also take dNSName entries in the
   subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]

*) mod_substitute: Reduce memory usage and copying of data. PR 50559.
   [Stefan Fritsch]

*) mod_ssl/proxy: enable the SNI extension for backend TLS connections
   [Kaspar Brand]

*) Add wrappers for malloc, calloc, realloc that check for out of memory
   situations and use them in many places. PR 51568, PR 51569, PR 51571.
   [Stefan Fritsch]

*) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is
   false but RLIMIT_* are defined. PR51371. [Eric Covener]

*) core: Correctly obey ServerName / ServerAlias if the Host header from the
   request matches the VirtualHost address.
   PR 51709. [Micha Lenk <micha lenk.info>]

*) mod_unique_id: Use random number generator to initialize counter.
   PR 45110. [Stefan Fritsch]

*) core: Add convenience API for apr_random. [Stefan Fritsch]

*) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control
   the number of overlapping and reversing ranges (respectively) permitted
   before returning the entire resource, with a default limit of 20.
   [Jim Jagielski]

*) mod_ldap: Optional function uldap_ssl_supported(r) always returned false
   if called from a virtual host with mod_ldap directives in it. Did not
   affect mod_authnz_ldap's usage of mod_ldap. [Eric Covener]

*) mod_filter: Instead of dropping the Accept-Ranges header when a filter
   registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
   set the header value to "none". [Eric Covener, Ruediger Pluem]

*) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
   in the case Ranges are being ignored with MaxRanges none.
   [Eric Covener]

*) mod_ssl: revamp CRL-based revocation checking when validating
   certificates of clients or proxied servers. Completely delegate
   CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck
   directive for controlling the revocation checking mode. [Kaspar Brand]

*) core: Add MaxRanges directive to control the number of ranges permitted
   before returning the entire resource, with a default limit of 200.
   [Eric Covener]

*) mod_cache: Ensure that CacheDisable can correctly appear within
   a LocationMatch. [Graham Leggett]

*) mod_cache: Fix the moving of the CACHE filter, which erroneously
   stood down if the original filter was not added by configuration.
   [Graham Leggett]

*) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]

*) mod_authz_groupfile: Increase length limit of lines in the group file to
   16MB. PR 43084. [Stefan Fritsch]

*) core: Increase length limit of lines in the configuration file to 16MB.
   PR 45888. PR 50824. [Stefan Fritsch]

*) core: Add API for resizable buffers. [Stefan Fritsch]

*) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have
   LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such
   as Tivoli Directory Server 6.3 and later. [Eric Covener]

*) mod_ldap: Change default number of retries from 10 to 3, and add
   LDAPRetries and LDAPRetryDelay directives. [Eric Covener]

*) mod_authnz_ldap: Don't retry during authentication, because this just
   multiplies the ample retries already being done by mod_ldap. [Eric Covener]

*) configure: Allow to explicitly disable modules even with module selection
   'reallyall'. [Stefan Fritsch]

*) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
   RewriteEngine is disabled in server context, avoiding a crash while
   referencing the invalid int: map at runtime. PR 50994.
   [Ben Noordhuis <info noordhuis nl>]

*) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]

*) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]

*) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
   [Kaspar Brand]

*) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
   cookie is set when modules such as mod_rewrite trigger a redirect. Also
   use r->err_headers_out for the cookie, for the same reason. PR29755.
   [Sami J. Mäkinen <sjm almamedia fi>, Eric Covener]

*) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and
   'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch]

*) configure: Enable ldap modules in 'all' and 'most' selections if ldap
   is compiled into apr-util. [Stefan Fritsch]

*) core: Add ap_check_cmd_context()-check if a command is executed in
   .htaccess file. [Stefan Fritsch]

*) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
   [Torsten Foertsch <torsten foertsch gmx net>]

*) mod_authn_socache: Fix to work in .htaccess if not configured anywhere
   in httpd.conf, and introduce an AuthnCacheEnable directive.
   PR 51991 [Nick Kew]

*) mod_xml2enc: new (formerly third-party) module supporting
   internationalisation for filters via smart charset sniffing
   and conversion. [Nick Kew]

*) mod_proxy_html: new (formerly third-party) module to fix up
   HTML links in a reverse proxy situation, where a backend
   generates URLs that are not resolvable by Clients. [Nick Kew]

Changes with Apache 2.3.14

*) mod_proxy_ajp: Improve trace logging. [Rainer Jung]

*) mod_proxy_ajp: Respect "reuse" flag in END_RESPONSE packets.
   [Rainer Jung]

*) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse,
   e.g. to reverse proxy "Location: https://other-internal-server/login"
   [Nick Kew]

*) prefork, worker, event: Make sure crashes are logged to the error log if
   httpd has already detached from the console. [Stefan Fritsch]

*) prefork, worker, event: Reduce period during startup/restart where a
   successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>]

*) mod_allowmethods: Correct Merging of "reset" and do not allow an
   empty parameter list for the AllowMethods directive. [Rainer Jung]

*) configure: Update selection of modules for 'all' and 'most'. 'all' will
   now enable all modules except for example and test modules. Make the
   selection for 'most' more useful (including ssl and proxy). Both 'all'
   and 'most' will now disable modules if dependencies are missing instead
   of aborting. If a specific module is requested with --enable-XXX=yes,
   missing dependencies will still cause configure to exit with an error.
   [Stefan Fritsch]

*) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done
   in 2.3.13. [Stefan Fritsch]

*) core: For '*' or '_default_' vhosts, use a wildcard address of any
   address family, rather than IPv4 only. [Joe Orton]

*) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable
   include [ ] for literal IPv6 addresses, as mandated by RFC 3875.
   PR 26005. [Stefan Fritsch]

*) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203.
   [Nagae Hidetake <nagae eagan jp>]

*) core: Add more logging to ap_scan_script_header_err* functions. Add
   ap_scan_script_header_err*_ex functions that take a module index for
   logging.
   mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the
   new functions in order to make logging configurable per-module.
   [Stefan Fritsch]

*) mod_dir: Add DirectoryIndexRedirect to send an external redirect to
   the proper index. [Eric Covener]

*) mod_deflate: Don't try to compress requests with a zero sized body.
   PR 51350. [Stefan Fritsch]

*) core: Fix startup on IPv6-only systems. PR 50592. [Joe Orton,
   <root linkage white-void net>]

*) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX,
   REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the
   whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>,
   Stefan Fritsch]

*) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch]

*) mod_log_debug: New module that allows to log custom messages at various
   phases in the request processing. [Stefan Fritsch]

*) mod_ssl: Add some debug logging when loading server certificates.
   PR 37912. [Nick Burch <nick burch alfresco com>]

*) configure: Support reallyall option also for --enable-mods-static.
   [Rainer Jung]

*) mod_socache_dc: add --with-distcache to configure for choosing
   the distcache installation directory. [Rainer Jung]

*) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD
   instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung]

*) mod_lua, mod_deflate: respect platform specific runpath linker
   flag. [Rainer Jung]

*) configure: Only link the httpd binary against PCRE. No other support
   binary needs PCRE. [Rainer Jung]

*) configure: tolerate dependency checking failures for modules if
   they have been enabled implicitly. [Rainer Jung]

*) configure: Allow to specify module specific custom linker flags via
   the MOD_XXX_LDADD variables. [Rainer Jung]

Changes with Apache 2.3.13

*) ab: Support specifying the local address to use. PR 48930.
   [Peter Schuller <scode spotify com>]

*) core: Add support to ErrorLogFormat for logging the system unique
   thread id under Linux. [Stefan Fritsch]

*) event: New AsyncRequestWorkerFactor directive to influence how many
   connections will be accepted per process. [Stefan Fritsch]

*) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which
   describes more accurately what it does. [Stefan Fritsch]

*) rotatelogs: Add -p argument to specify custom program to invoke
   after a log rotation. PR 51285. [Sven Ulland <sveniu ifi.uio.no>,
   Joe Orton]

*) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand]

*) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.
   PR 48215. [Kaspar Brand]

*) mod_status: Display information about asynchronous connections in the
   server-status. PR 44377. [Stefan Fritsch]

*) mpm_event: If the number of connections of a process is very high, or if
   all workers are busy, don't accept new connections in that process.
   [Stefan Fritsch]

*) mpm_event: Process lingering close asynchronously instead of tying up
   worker threads. [Jeff Trawick, Stefan Fritsch]

*) mpm_event: If MaxMemFree is set, limit the number of pools that is kept
   around. [Stefan Fritsch]

*) mpm_event: Fix graceful restart aborting connections. PR 43359.
   [Takashi Sato <takashi lans-tv com>]

*) mod_ssl: Disable AECDH ciphers in example config. PR 51363.
   [Rob Stradling <rob comodo com>]

*) core: Introduce new function ap_get_conn_socket() to access the socket of
   a connection. [Stefan Fritsch]

*) mod_data: Introduce a filter to support RFC2397 data URLs. [Graham
   Leggett]

*) mod_userdir/mod_alias/mod_vhost_alias: Correctly set DOCUMENT_ROOT,
   CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX. PR 26052. PR 46198.
   [Stefan Fritsch]

*) core: Allow to override document_root on a per-request basis. Introduce
   new context_document_root and context_prefix which provide information
   about non-global URI-to-directory mappings (from e.g. mod_userdir or
   mod_alias) to scripts. PR 49705. [Stefan Fritsch]

*) core: Add <ElseIf> and <Else> to complement <If> sections.
   [Stefan Fritsch]

*) mod_ext_filter: Remove DebugLevel option in favor of per-module loglevel.
   [Stefan Fritsch]

*) mod_include: Make the "#if expr" element use the new "ap_expr" expression
   parser. The old parser can still be used by setting the new directive
   SSILegacyExprParser. [Stefan Fritsch]

*) core: Add some features to ap_expr for use by mod_include: a restricted
   mode that does not allow to bypass request access restrictions; new
   variables DOCUMENT_URI (alias for REQUEST_URI), LAST_MODIFIED; -A as an
   alias for -U; an additional data entry in ap_expr_eval_ctx_t for use by
   the consumer; an extensible ap_expr_exec_ctx() API that allows to use that
   data entry. [Stefan Fritsch]

*) mod_include: Merge directory configs instead of one SSI* config directive
   causing all other per-directory SSI* config directives to be reset.
   [Stefan Fritsch]

*) mod_charset_lite: Remove DebugLevel option in favour of per-module
   loglevel. [Stefan Fritsch]

*) core: Add ap_regexec_len() function that works with non-null-terminated
   strings. PR 51231. [Yehezkel Horowitz <horowity checkpoint com>]

*) mod_authnz_ldap: If the LDAP server returns constraint violation,
   don't treat this as an error but as "auth denied". [Stefan Fritsch]

*) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO
   for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>,
   Jim Jagielski]

*) mod_cache: When content is served stale, and there is no means to
   revalidate the content using ETag or Last-Modified, and we have
   mandated no stale-on-error behaviour, stand down and don't cache.
   Saves a cache write that will never be read.
   [Graham Leggett]

*) mod_reqtimeout: Fix a timed out connection going into the keep-alive
   state after a timeout when discarding a request body. PR 51103.
   [Stefan Fritsch]

*) core: Add various file existence test operators to ap_expr.
   [Stefan Fritsch]

*) mod_proxy_express: New mass reverse-proxy switch extension for
   mod_proxy. [Jim Jagielski]

*) configure: Fix script error when configuring module set "reallyall".
   [Rainer Jung]

Changes with Apache 2.3.12

*) configure, core: Provide easier support for APR's hook probe
   capability. [Jim Jagielski, Jeff Trawick]

*) Silence autoconf 2.68 warnings. [Rainer Jung]

*) mod_authnz_ldap: Resolve crash when LDAP is used for authorization only
   [Scott Hill <shill genscape.com>]

*) support: Make sure check_forensic works with mod_unique_id loaded
   [Joe Schaefer]

*) Add child_status hook for tracking creation/termination of MPM child
   processes. Add end_generation hook for notification when the last
   MPM child of a generation exits. [Jeff Trawick]

*) mod_ldap: Make LDAPSharedCacheSize 0 create a non-shared-memory cache per
   process as opposed to disabling caching completely. This allows to use
   the non-shared-memory cache as a workaround for the shared memory cache
   not being available during graceful restarts. PR 48958. [Stefan Fritsch]

*) Add new ap_reserve_module_slots/ap_reserve_module_slots_directive API,
   necessary if a module (like mod_perl) registers additional modules late
   in the startup phase. [Stefan Fritsch]

*) core: Prevent segfault if DYNAMIC_MODULE_LIMIT is reached. PR 51072.
   [Torsten Förtsch <torsten foertsch gmx net>]

*) WinNT MPM: Improve robustness under heavy load. [Jeff Trawick]

*) MinGW build improvements. PR 49535. [John Vandenberg
   <jayvdb gmail.com>, Jeff Trawick]

*) core: Support module names with colons in loglevel configuration.
   [Torsten Förtsch <torsten foertsch gmx net>]

*) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
   [Stefan Fritsch]

*) core: Abort if the MPM is changed across restart. [Jeff Trawick]

*) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
   [Peter Pramberger <peter pramberger.at>, Jim Jagielski]

*) mod_proxy_fcgi: Add support for 'ProxyErrorOverride on'. PR 50913.
   [Mark Montague <mark catseye.org>, Jim Jagielski]

*) core: Change the APIs of ap_cfg_getline() and ap_cfg_getc() to return an
   error code. Abort with a nice error message if a config line is too long.
   Partial fix for PR 50824. [Stefan Fritsch]

*) mod_info: Dump config to stdout during startup if -DDUMP_CONFIG is
   specified. PR 31956. [Stefan Fritsch]

*) Restore visibility of DEFAULT_PIDLOG to core and modules. MPM
   helper function ap_remove_pid() added. [Jeff Trawick]

*) Enable DEFAULT_REL_RUNTIMEDIR on Windows and NetWare. [various]

*) Correct C++ incompatibility with http_log.h. [Stefan Fritsch, Jeff
   Trawick]

*) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch
   <torsten.foertsch gmx.net>]

*) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
   in request URL path info but not decode them. Change behavior of option
   "On" to decode the encoded slashes as 2.0 and 2.2 do. PR 35256,
   PR 46830. [Dan Poirier]

*) mod_ssl: Check SNI hostname against Host header case-insensitively.
   PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>]

*) mod_ldap: Add LDAPConnectionPoolTTL to give control over lifetime
   of bound backend LDAP connections. PR47634 [Eric Covener]

*) mod_cache: Make CacheEnable and CacheDisable configurable per
   directory in addition to per server, making them work from within
   a LocationMatch. [Graham Leggett]

*) worker, event, prefork: Correct several issues when built as
   DSOs; most notably, the scoreboard was reinitialized during graceful
   restart, such that processes of the previous generation were not
   observable. [Jeff Trawick]

Changes with Apache 2.3.11

*) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
   Win32's cscript interpreter can only use a single quote as comment char.
   [Guenter Knauf]

*) mod_proxy: balancer-manager now uses POST instead of GET.
   [Jim Jagielski]

*) core: new util function: ap_parse_form_data(). Previously,
   this capability was tucked away in mod_request. [Jim Jagielski]

*) core: new hook: ap_run_pre_read_request. [Jim Jagielski]

*) modules: Fix many modules that were not correctly initializing if they
   were not active during server startup but got enabled later during a
   graceful restart. [Stefan Fritsch]

*) core: Create new ap_state_query function that allows modules to determine
   if the current configuration run is the initial one at server startup,
   and if the server is started for testing/config dumping only.
   [Stefan Fritsch]

*) mod_proxy: Runtime configuration of many parameters for existing
   balancers via the balancer-manager. [Jim Jagielski]

*) mod_proxy: Runtime addition of new workers (BalancerMember) for existing
   balancers via the balancer-manager. [Jim Jagielski]

*) mod_cache: When a bad Expires date is present, we need to behave as if
   the Expires is in the past, not as if the Expires is missing. PR 16521.
   [Co-Advisor <coad measurement-factory.com>]

*) mod_cache: We must ignore quoted-string values that appear in a
   Cache-Control header. PR 50199. [Graham Leggett]

*) mod_dav: Revert change to send 501 error if unknown Content-* header is
   received for a PUT request. PR 42978. [Stefan Fritsch]

*) mod_cache: Respect s-maxage as described by RFC2616 14.9.3, which must
   take precedence if present. PR 35247. [Graham Leggett]

*) mod_ssl: Fix a possible startup failure if multiple SSL vhosts
   are configured with the same ServerName and private key file.
   [Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton]

*) mod_socache_dc: Make module compile by fixing some typos.
   PR 50735 [Mark Montague <mark catseye.org>]

*) prefork: Update MPM state in children during a graceful stop or
   restart. PR 41743. [Andrew Punch <andrew.punch 247realmedia.com>]

*) mod_mime: Ignore leading dots when looking for mime extensions.
   PR 50434 [Stefan Fritsch]

*) core: Add support to set variables with the 'Define' directive. The
   variables can then be used in the config using the ${VAR} syntax
   known from envvar interpolation. [Stefan Fritsch]

*) mod_proxy_http: make adding of X-Forwarded-* headers configurable.
   ProxyAddHeaders defaults to On. [Vincent Deffontaines]

*) mod_slotmem_shm: Increase memory alignment for slotmem data.
   [Rainer Jung]

*) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout,
   SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew.
   [Kaspar Brand <httpd-dev.2011 velox.ch>]

*) mod_ssl: Revamp output buffering to reduce network overhead for
   output fragmented into many buckets, such as chunked HTTP responses.
   [Joe Orton]

*) core: Apply <If> sections to all requests, not only to file base requests.
   Allow to use <If> inside <Directory>, <Location>, and <Files> sections.
   The merging of <If> sections now happens after the merging of <Location>
   sections, even if an <If> section is embedded inside a <Directory> or
   <Files> section. [Stefan Fritsch]

*) mod_proxy: Refactor usage of shared data by dropping the scoreboard
   and using slotmem. Create foundation for dynamic growth/changes of
   members within a balancer. Remove BalancerNonce in favor of a
   per-balancer 'nonce' parameter. [Jim Jagielski]

*) mod_status: Don't show slots which are disabled by MaxClients as open.
   PR 47022 [Jordi Prats <jordi prats gmail com>, Stefan Fritsch]

*) mpm_prefork: Fix ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and
   AP_MPMQ_MAX_THREADS.

*) mod_authz_core: Fix bug in merging logic if user-based and non-user-based
   authorization directives were mixed. [Stefan Fritsch]

*) mod_authn_socache: change directive name from AuthnCacheProvider
   to AuthnCacheProvideFor. The term "provider" is overloaded in
   this module, and we should avoid confusion between the provider
   of a backend (AuthnCacheSOCache) and the authn provider(s) for
   which this module provides caching (AuthnCacheProvideFor).
   [Nick Kew]

*) mod_proxy_http: Allocate the fake backend request from a child pool
   of the backend connection, instead of misusing the pool of the frontend
   request. Fixes a thread safety issue where buckets set aside in the
   backend connection leak into other threads, and then disappear when
   the frontend request is cleaned up, in turn causing corrupted buckets
   to make other threads spin. [Graham Leggett]

*) mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
   to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
   escape other special characters with backslashes. The old format can
   still be used with the LegacyDNStringFormat argument to SSLOptions.

*) core, mod_rewrite: Make the REQUEST_SCHEME variable available to
   scripts and mod_rewrite. [Stefan Fritsch]

*) mod_rewrite: Allow to use arbitrary boolean expressions (ap_expr) in
   RewriteCond. [Stefan Fritsch]

*) mod_rewrite: Allow to unset environment variables using E=!VAR.
   PR 49512. [Mark Drayton <mark markdrayton info>, Stefan Fritsch]

*) mod_headers: Restore the 2.3.8 and earlier default for the first
   argument of the Header directive ("onsuccess"). [Eric Covener]

*) core: Disallow the mixing of relative and absolute Options. PR 33708.
   [Sönke Tesch <st kino-fahrplan.de>]

*) core: When exporting request headers to HTTP_* environment variables,
   drop variables whose names contain invalid characters. Describe in the
   docs how to restore the old behaviour. [Malte S. Stretz <mss apache org>]

*) core: When selecting an IP-based virtual host, favor an exact match for
   the port over a wildcard (or omitted) port instead of favoring the one
   that came first in the configuration file. [Eric Covener]

*) core: Overlapping virtual host address/port combinations now implicitly
   enable name-based virtual hosting for that address. The NameVirtualHost
   directive has no effect, and _default_ is interpreted the same as "*".
   [Eric Covener]

*) core: In the absence of any Options directives, the default is now
   "FollowSymlinks" instead of "All". [Igor Galić]

*) rotatelogs: Add -e option to write logs through to stdout for optional
   further processing. [Graham Leggett]

*) mod_ssl: Correctly read full lines in input filter when the line is
   incomplete during first read. PR 50481. [Ruediger Pluem]

*) mod_authz_core: Add AuthzSendForbiddenOnFailure directive to allow
   sending '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if authorization
   fails for an authenticated user. PR 40721. [Stefan Fritsch]

Changes with Apache 2.3.10

*) mod_rewrite: Don't implicitly URL-escape the original query string
   when no substitution has changed it. PR 50447. [Eric Covener]

*) core: Honor 'AcceptPathInfo OFF' during internal redirects,
   such as per-directory mod_rewrite substitutions. PR 50349.
   [Eric Covener]

*) mod_rewrite: Add 'RewriteOptions InheritBefore' to put the base
   rules/conditions before the overridden rules/conditions. PR 39313.
   [Jérôme Grandjanny <jerome.grandjanny cea.fr>]

*) mod_autoindex: add IndexIgnoreReset to reset the list of IndexIgnored
   filenames in higher precedence configuration sections. PR 24243.
   [Eric Covener]

*) mod_cgid: RLimit* directive support for mod_cgid. PR 42135
   [Eric Covener]

*) core: Fail startup when the argument to ServerName looks like a glob
   or a regular expression instead of a hostname (*?[]). PR 39863
   [Rahul Nair <rahul.g.nair gmail.com>]

*) mod_userdir: Add merging of enable, disable, and filename arguments
   to UserDir directive, leaving enable/disable of userlists unmerged.
   PR 44076 [Eric Covener]

*) httpd: When no -k option is provided on the httpd command line, the server
   was starting without checking for an existing pidfile. PR 50350
   [Eric Covener]

*) mod_proxy: Put the worker in error state if the SSL handshake with the
   backend fails. PR 50332.
   [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]

*) mod_cache_disk: Fix Windows build which was broken after renaming
   the module. [Gregg L. Smith]

Changes with Apache 2.3.9

  *) SECURITY: CVE-2010-1623 (cve.mitre.org)
     Fix a denial of service attack against mod_reqtimeout.
     [Stefan Fritsch]

  *) mod_headers: Change default first argument of Header directive
     from "onsuccess" to "always". [Eric Covener]

  *) mod_include: Add the onerror attribute to the include element,
     allowing an URL to be specified to include on error. [Graham
     Leggett]

  *) mod_cache_disk: mod_disk_cache renamed to mod_cache_disk, to be
     consistent with the naming of other modules. [Graham Leggett]

  *) mod_setenvif: Add SetEnvIfExpr directive to set env var depending on
     expression. [Stefan Fritsch]

  *) mod_proxy: Fix ProxyPassInterpolateEnv directive. PR 50292.
     [Stefan Fritsch]

  *) suEXEC: Add Suexec directive to disable suEXEC without renaming the
     binary (Suexec Off), or force startup failure if suEXEC is required
     but not supported (Suexec On). Change SuexecUserGroup to fail
     startup instead of just printing a warning if suEXEC is disabled.
     [Jeff Trawick]

  *) core: Add Error directive for aborting startup or htaccess processing
     with a specified error message. [Jeff Trawick]

  *) mod_rewrite: Fix the RewriteEngine directive to work within a
     location. Previously, once RewriteEngine was switched on globally,
     it was impossible to switch off. [Graham Leggett]

  *) core, mod_include, mod_ssl: Move the expression parser derived from
     mod_include back into mod_include. Replace ap_expr with a parser
     derived from mod_ssl's parser. Make mod_ssl use the new parser. Rework
     ap_expr's public interface and provide hooks for modules to add variables
     and functions. [Stefan Fritsch]

  *) core: Do the hook sorting earlier so that the hooks are properly sorted
     for the pre_config hook and during parsing the config. [Stefan Fritsch]

  *) core: In the absence of any AllowOverride directives, the default is now
     "None" instead of "All". PR49823 [Eric Covener]

  *) mod_proxy: Don't allow ProxyPass or ProxyPassReverse in
     <Directory> or <Files>. PR47765 [Eric Covener]

  *) prefork/worker/event MPMs: default value (when no directive is present)
     of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000
     to match default configuration and manual. PR47782 [Eric Covener]

  *) proxy_connect: Don't give up in the middle of a CONNECT tunnel
     when the child process is starting to exit. PR50220. [Eric Covener]

  *) mod_autoindex: Fix inheritance of mod_autoindex directives into
     contexts that don't have any mod_autoindex directives. PR47766.
     [Eric Covener]

  *) mod_rewrite: Add END flag for RewriteRule to prevent further rounds
     of rewrite processing when a per-directory substitution occurs.
     [Eric Covener]

  *) mod_ssl: Make sure to always log an error if loading of CA certificates
     fails. PR 40312. [Paul Tiemann <issues apache org ourdetour com>]

  *) mod_dav: Send 501 error if unknown Content-* header is received for a PUT
     request (RFC 2616 9.6). PR 42978. [Stefan Fritsch]

  *) mod_dav: Send 400 error if malformed Content-Range header is received for
     a PUT request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]

  *) mod_proxy: Release the backend connection as soon as EOS is detected,
     so the backend isn't forced to wait for the client to eventually
     acknowledge the data. [Graham Leggett]

  *) mod_proxy: Optimise ProxyPass within a Location so that it is stored
     per-directory, and chosen during the location walk. Make ProxyPass
     work correctly from within a LocationMatch. [Graham Leggett]

  *) core: Fix segfault if per-module LogLevel is on virtual host
     scope. PR 50117. [Stefan Fritsch]

  *) mod_proxy: Move the ProxyErrorOverride directive to have per
     directory scope. [Graham Leggett]

  *) mod_allowmethods: New module to deny certain HTTP methods without
     interfering with authentication/authorization. [Paul Querna,
     Igor Galić, Stefan Fritsch]

  *) mod_ssl: Log certificate information and improve error message if client
     cert verification fails. PR 50093, PR 50094. [Lassi Tuura <lat cern ch>,
     Stefan Fritsch]

  *) htcacheclean: Teach htcacheclean to limit cache size by number of
     inodes in addition to size of files. Prevents a cache disk from
     running out of space when many small files are cached.
     [Graham Leggett]

  *) core: Rename MaxRequestsPerChild to MaxConnectionsPerChild, which
     describes more accurately what the directive does. The old name
     still works but logs a warning. [Stefan Fritsch]

  *) mod_cache: Optionally serve stale data when a revalidation returns a
     5xx response, controlled by the CacheStaleOnError directive.
     [Graham Leggett]

  *) htcacheclean: Allow the listing of valid URLs within the cache, with
     the option to list entry metadata such as sizes and times. [Graham
     Leggett]

  *) mod_cache: correctly parse quoted strings in cache headers.
     PR 50199 [Nick Kew]

  *) mod_cache: Allow control over the base URL of reverse proxied requests
     using the CacheKeyBaseURL directive, so that the cache key can be
     calculated from the endpoint URL instead of the server URL. [Graham
     Leggett]

  *) mod_cache: CacheLastModifiedFactor, CacheStoreNoStore, CacheStorePrivate,
     CacheStoreExpired, CacheIgnoreNoLastMod, CacheDefaultExpire,
     CacheMinExpire and CacheMaxExpire can be set per directory/location.
     [Graham Leggett]

  *) mod_disk_cache: CacheMaxFileSize, CacheMinFileSize, CacheReadSize and
     CacheReadTime can be set per directory/location. [Graham Leggett]

  *) core: Speed up config parsing if using a very large number of config
     files. PR 50002 [andrew cloudaccess net]

  *) mod_cache: Support the caching of HEAD requests. [Graham Leggett]

  *) htcacheclean: Allow the option to round up file sizes to a given
     block size, improving the accuracy of disk usage. [Graham Leggett]

  *) mod_ssl: Add authz providers for use with mod_authz_core and its
     RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL),
     'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and
     'ssl-require' (expressions with same syntax as SSLRequire).
     [Stefan Fritsch]

  *) mod_ssl: Make the ssl expression parser thread-safe. It now requires
     bison instead of yacc. [Stefan Fritsch]

  *) mod_disk_cache: Change on-disk header file format to support the
     link of the device/inode of the data file to the matching header
     file, and to support the option of not writing a data file when
     the data file is empty. [Graham Leggett]

  *) core/mod_unique_id: Add generate_log_id hook to allow to use
     the ID generated by mod_unique_id as error log ID for requests.
     [Stefan Fritsch]

  *) mod_cache: Make sure that we never allow a 304 Not Modified response
     that we asked for to leak to the client should the 304 response be
     uncacheable. PR45341 [Graham Leggett]

  *) mod_cache: Add the cache_status hook to register the final cache
     decision hit/miss/revalidate. Add optional support for an X-Cache
     and/or an X-Cache-Detail header to add the cache status to the
     response. PR48241 [Graham Leggett]

  *) mod_authz_host: Add 'local' provider that matches connections originating
     on the local host. PR 19938. [Stefan Fritsch]

  *) Event MPM: Fix crash accessing pollset on worker thread when child
     process is exiting. [Jeff Trawick]

  *) core: For process invocation (cgi, fcgid, piped loggers and so forth)
     pass the system library path (LD_LIBRARY_PATH or platform-specific
     variables) along with the system PATH, by default. Both should be
     overridden together as desired using PassEnv etc; see mod_env.
     [William Rowe]

  *) mod_cache: Introduce CacheStoreExpired, to allow administrators to
     capture a stale backend response, perform If-Modified-Since requests
     against the backend, and serve from the cache all 304 responses.
     This restores pre-2.2.4 cache behavior. [William Rowe]

  *) mod_rewrite: Introduce <=, >= string comparison operators, and integer
     comparators -lt, -le, -eq, -ge, and -gt. To help bash users and drop
     the ambiguity of the symlink test "-ltest", introduce -h or -L as
     symlink test operators. [William Rowe]

  *) mod_cache: Give the cache provider the opportunity to choose to cache
     or not cache based on the buckets present in the brigade, such as the
     presence of a FILE bucket.
     [Graham Leggett]

  *) mod_authz_core: Allow authz providers to check args while reading the
     config and allow to cache parsed args. Move 'all' and 'env' authz
     providers from mod_authz_host to mod_authz_core. Add 'method' authz
     provider depending on the HTTP method. [Stefan Fritsch]

  *) mod_include: Move the request_rec within mod_include to be
     exposed within include_ctx_t. [Graham Leggett]

  *) mod_include: Reinstate support for UTF-8 character sets by allowing a
     variable being echoed or set to be decoded and then encoded as separate
     steps. PR47686 [Graham Leggett]

  *) mod_cache: Add a discrete commit_entity() provider function within the
     mod_cache provider interface which is called to indicate to the
     provider that caching is complete, giving the provider the opportunity
     to commit temporary files permanently to the cache in an atomic
     fashion. Replace the inconsistent use of error cleanups with a formal
     set of pool cleanups attached to a subpool, which is destroyed on error.
     [Graham Leggett]

  *) mod_cache: Change the signature of the store_body() provider function
     within the mod_cache provider interface to support an "in" brigade
     and an "out" brigade instead of just a single input brigade. This
     gives a cache provider the option to consume only part of the brigade
     passed to it, rather than the whole brigade as was required before.
     This fixes an out of memory and a request timeout condition that would
     occur when the original document was a large file. Introduce
     CacheReadSize and CacheReadTime directives to mod_disk_cache to control
     the amount of data to attempt to cache at a time. [Graham Leggett]

  *) core: Add ErrorLogFormat to allow configuring error log format, including
     additional information that is logged once per connection or request. Add
     error log IDs for connections and request to allow correlating error log
     lines and the corresponding access log entry. [Stefan Fritsch]

  *) core: Disable sendfile by default. [Stefan Fritsch]

  *) mod_cache: Check the request to determine whether we are allowed
     to return cached content at all, and respect a "Cache-Control:
     no-cache" header from a client. Previously, "no-cache" would
     behave like "max-age=0". [Graham Leggett]

  *) mod_cache: Use a proper filter context to hold filter data instead
     of misusing the per-request configuration. Fixes a segfault on trunk
     when the normal handler is used. [Graham Leggett]

  *) mod_cgid: Log a warning if the ScriptSock path is truncated because
     it is too long. PR 49388. [Stefan Fritsch]

  *) vhosts: Do not allow _default_ in NameVirtualHost, or mixing *
     and non-* ports on NameVirtualHost, or multiple NameVirtualHost
     directives for the same address:port, or NameVirtualHost
     directives with no matching VirtualHosts, or multiple ip-based
     VirtualHost sections for the same address:port. These were
     previously accepted with a warning, but the behavior was
     undefined. [Dan Poirier]

  *) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with
     Allow/Deny. PR 49838. [Andrew Skalski <voltara gmail.com>]

  *) core: DirectoryMatch can now match on the end of line character ($),
     and sub-directories of matched directories are no longer implicitly
     matched. PR49809 [Eric Covener]

  *) Regexps: introduce new higher-level regexp utility including parsing
     and executing perl-style regexp ops (e.g. s/foo/bar/i) and regexp memory
     [Nick Kew]

  *) Proxy: support setting source address. PR 29404
     [Multiple contributors iterating through bugzilla,
     Aron Ujvari <xanco nikhok.hu>, Aleksey Midenkov <asm uezku.kemsu.ru>,
     <dan listening-station.net>; trunk version Nick Kew]

  *) HTTP protocol: return 400 not 503 if we have to abort due to malformed
     chunked encoding. [Nick Kew]

Changes with Apache 2.3.8

  *) suexec: Support large log files. PR 45856. [Stefan Fritsch]

  *) core: Abort with sensible error message if no or more than one MPM is
     loaded. [Stefan Fritsch]

  *) mod_proxy: Rename erroronstatus to failonstatus.
     [Daniel Ruggeri <DRuggeri primary.net>]

  *) mod_dav_fs: Fix broken "creationdate" property.
     Regression in version 2.3.7. [Rainer Jung]

Changes with Apache 2.3.7

  *) SECURITY: CVE-2010-1452 (cve.mitre.org)
     mod_dav, mod_cache, mod_session: Fix handling of requests without a path
     segment. PR 49246 [Mark Drayton, Jeff Trawick]

  *) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076.
     [Stefan Fritsch]

  *) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639.
     [Stefan Fritsch]

  *) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers
     via leveraging 100-Continue as the initial "request".
     [Jim Jagielski]

  *) core/mod_authz_core: Introduce new access_checker_ex hook that enables
     mod_authz_core to bypass authentication if access should be allowed by
     IP address/env var/... [Stefan Fritsch]

  *) core: Introduce note_auth_failure hook to allow modules to add support
     for additional auth types. This makes ap_note_auth_failure() work with
     mod_auth_digest again. PR 48807. [Stefan Fritsch]

  *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]

  *) mod_authn_socache: new module [Nick Kew]

  *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]

  *) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]

  *) mod_rewrite: Allow to set environment variables without explicitly
     giving a value. [Rainer Jung]

  *) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung]

  *) mod_include: recognise "text/html; parameters" as text/html
     PR 49616 [Andrey Chernov <ache nagual.pp.ru>]

  *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
     PR 43906 [Nick Kew]

  *) Core: Extra robustness: don't try authz and segfault if authn
     fails to set r->user. Log bug and return 500 instead.
     PR 42995 [Nick Kew]

  *) HTTP protocol filter: fix handling of longer chunk extensions
     PR 49474 [<tee.bee gmx.de>]

  *) Update SSL cipher suite and add example for SSLHonorCipherOrder.
     [Lars Eilebrecht, Rainer Jung]

  *) move AddOutputFilterByType from core to mod_filter. This should
     fix nasty side-effects that happen when content_type is set
     more than once in processing a request, and make it fully
     compatible with dynamic and proxied contents. [Nick Kew]

  *) mod_log_config: Implement logging for sub second timestamps and
     request end time. [Rainer Jung]

Changes with Apache 2.3.6

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]

  *) core: Filter init functions are now run strictly once per request
     before handler invocation. The init functions are no longer run
     for connection filters. PR 49328. [Joe Orton]

  *) core: Adjust the output filter chain correctly in an internal
     redirect from a subrequest, preserving filters from the main
     request as necessary. PR 17629. [Joe Orton]

  *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
     Response if they so choose to do so. Previously an attempt to cache a 206
     was arbitrarily allowed if the response contained an Expires or
     Cache-Control header, and arbitrarily denied if both headers were missing.
     [Graham Leggett]

  *) core: Add microsecond timestamp fractions, process id and thread id
     to the error log. [Rainer Jung]

  *) configure: The "most" module set gets built by default. [Rainer Jung]

  *) configure: Building dynamic modules (DSO) by default. [Rainer Jung]

  *) configure: Fix broken VPATH build when using included APR.
     [Rainer Jung]

  *) mod_session_crypto: Fix configure problem when building
     with APR 2 and for VPATH builds with included APR.
     [Rainer Jung]

  *) mod_session_crypto: API compatibility with APR 2 crypto and
     APR Util 1.x crypto. [Rainer Jung]

  *) ab: Fix memory leak with -v2 and SSL. PR 49383.
     [Pavel Kankovsky <peak argo troja mff cuni cz>]

  *) core: Add per-module and per-directory loglevel configuration.
     Add some more trace logging.
     mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels.
     mod_ssl: Replace LogLevelDebugDump with trace log levels.
     mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info
     and debug.
     mod_dumpio: Replace DumpIOLogLevel with trace log levels.
     [Stefan Fritsch]

  *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
     title page only) when any mod_ldap directives were used in VirtualHost
     context. [Eric Covener]

  *) mod_disk_cache: Decline the opportunity to cache if the response is
     a 206 Partial Content. This stops a reverse proxied partial response
     from becoming cached, and then being served in subsequent responses.
     [Graham Leggett]

  *) mod_deflate: avoid the risk of forwarding data before headers are set.
     PR 49369 [Matthew Steele <mdsteele google.com>]

  *) mod_authnz_ldap: Ensure nested groups are checked when the
     top-level group doesn't have any direct non-group members
     of attributes in AuthLDAPGroupAttribute. [Eric Covener]

  *) mod_authnz_ldap: Search or Comparison during authorization phase
     can use the credentials from the authentication phase
     (AuthLDAPSearchAsUser, AuthLDAPCompareAsUser).
     PR 48340 [Domenico Rotiroti, Eric Covener]

  *) mod_authnz_ldap: Allow the initial DN search during authentication
     to use the HTTP username/pass instead of an anonymous or hard-coded
     LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).
     [Eric Covener]

  *) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
     when this module is used for authorization. See AuthLDAPAuthorizePrefix.
     PR 45584 [Eric Covener]

  *) apxs -q: Stop filtering out ':' characters from the reported values.
     PR 45343. [Bill Cole]

  *) prefork MPM: Work around possible crashes on child exit in APR reslist
     cleanup code. PR 43857. [Tom Donovan]

  *) ab: fix number of requests sent by ab when keepalive is enabled. PR 48497.
     [Bryn Dole <dole blekko.com>]

  *) Log an error for failures to read a chunk-size, and return 408 instead of
     413 when this is due to a read timeout. This change also fixes some cases
     of two error documents being sent in the response for the same scenario.
     [Eric Covener] PR49167

  *) mod_proxy_balancer: Add new directive BalancerNonce to allow admin
     to control/set the nonce used in the balancer-manager application.
     [Jim Jagielski]

  *) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673.
     [Stefan Fritsch]

  *) Proxy balancer: support setting error status according to HTTP response
     code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]

  *) htcacheclean: Introduce the ability to clean specific URLs from the
     cache, if provided as an optional parameter on the command line.
     [Graham Leggett]

  *) core: Introduce the IncludeStrict directive, which explicitly fails
     server startup if no files or directories match a wildcard path.
     [Graham Leggett]

  *) htcacheclean: Report additional statistics about entries deleted.
     PR 48944. [Mark Drayton mark markdrayton.info]

  *) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
     builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
     build of openssl is required for 'SSLFIPS on'. PR 46270.
     [Dr Stephen Henson <steve openssl.org>, William Rowe]

  *) mod_proxy_http: Log the port of the remote server in various messages.
     PR 48812. [Igor Galić <i galic brainsware org>]

  *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
     connections and other protocol handlers (like mod_ftp). [Stefan Fritsch]

  *) mod_proxy_ajp: Really regard the operation a success, when the client
     aborted the connection. In addition adjust the log message if the client
     aborted the connection. [Ruediger Pluem]

  *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
     allows insecure renegotiation with clients which do not yet
     support the secure renegotiation protocol. [Joe Orton]

  *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
     is configured for client cert auth. PR 46952. [Joe Orton]

  *) core: Only log a 408 if it is not a keepalive timeout. PR 39785
     [Ruediger Pluem, Mark Montague <markmont umich.edu>]

  *) support/rotatelogs: Add -L option to create a link to the current
     log file. PR 48761 [<lyndon orthanc.ca>, Dan Poirier]

  *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
     setting only, matching most of the documentation and examples.
     PR 46541 [Paul Reder, Eric Covener]

  *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
     types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]

  *) mod_negotiation: Preserve query string over multiviews negotiation.
     This buglet was fixed for type maps in 2.2.6, but the same issue
     affected multiviews and was overlooked.
     PR 33112 [Joergen Thomsen <apache jth.net>]

  *) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert
     when some are not password-protected. [Eric Covener]

  *) Fix startup segfault when the Mutex directive is used but no loaded
     modules use httpd mutexes. PR 48787. [Jeff Trawick]

  *) Proxy: get the headers right in a HEAD request with
     ProxyErrorOverride, by checking for an overridden error
     before not after going into a catch-all code path.
     PR 41646. [Nick Kew, Stuart Children]

  *) support/rotatelogs: Support the simplest log rotation case, log
     truncation. Useful when the log is being processed in real time
     using a command like tail. [Graham Leggett]

  *) support/htcacheclean: Teach it how to write a pid file (modelled on
     httpd's writing of a pid file) so that it becomes possible to run
     more than one instance of htcacheclean on the same machine.
     [Graham Leggett]

  *) Log command line on startup, so there's a record of command line
     arguments like -f. PR 48752. [Dan Poirier]

  *) Introduce mod_reflector, a handler capable of reflecting POSTed
     request bodies back within the response through the output filter
     stack. Can be used to turn an output filter into a web service.
     [Graham Leggett]

  *) mod_proxy_http: Make sure that when an ErrorDocument is served
     from a reverse proxied URL, that the subrequest respects the status
     of the original request. This brings the behaviour of proxy_handler
     in line with default_handler. PR 47106. [Graham Leggett]

  *) Support wildcards in both the directory and file components of
     the path specified by the Include directive. [Graham Leggett]

  *) mod_proxy, mod_proxy_http: Support remote https proxies
     by using HTTP CONNECT. PR 19188.
     [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]

  *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
     [Philip M. Gollucci]

  *) worker: Don't report server has reached MaxClients until it has.
     Add message when server gets within MinSpareThreads of MaxClients.
     PR 46996. [Dan Poirier]

  *) mod_session: Session expiry was being initialised, but not updated
     on each session save, resulting in timed out sessions when there
     should not have been. Fixed. [Graham Leggett]

  *) mod_log_config: Add the R option to log the handler used within the
     request. [Christian Folini <christian.folini netnea com>]

  *) mod_include: Allow fine control over the removal of Last-Modified and
     ETag headers within the INCLUDES filter, making it possible to cache
     responses if desired. Fix the default value of the SSIAccessEnable
     directive. [Graham Leggett]

  *) Add new UnDefine directive to undefine a variable. PR 35350.
     [Stefan Fritsch]

  *) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax
     for regex backreferences as mod_rewrite and mod_include: Remove the use
     of '&' as an alias for '$0' and allow to escape any character with a
     backslash. PR 48351. [Stefan Fritsch]

  *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
     password to UTF-8. PR 45318.
     [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]

  *) ab: Fix calculation of requests per second in HTML output. PR 48594.
     [Stefan Fritsch]

  *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
     password now result in an informational level log entry instead of
     warning level. [Eric Covener]

Changes with Apache 2.3.5

  *) SECURITY: CVE-2010-0434 (cve.mitre.org)
     Ensure each subrequest has a shallow copy of headers_in so that the
     parent request headers are not corrupted. Eliminates a problematic
     optimization in the case of no request body. PR 48359
     [Jake Scott, William Rowe, Ruediger Pluem]

  *) Turn static function get_server_name_for_url() into public
     ap_get_server_name_for_url() and use it where appropriate. This
     fixes mod_rewrite generating invalid URLs for redirects to IPv6
     literal addresses. [Stefan Fritsch]

  *) mod_ldap: Introduce new config option LDAPTimeout to set the timeout
     for LDAP operations like bind and search. [Stefan Fritsch]

  *) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to
     mod_proxy_ftp. [Takashi Sato]

  *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to
     mod_proxy_connect. [Takashi Sato]

  *) mod_cache: Do an exact match of the keys defined by
     CacheIgnoreURLSessionIdentifiers against the querystring instead of
     a partial match. PR 48401.
     [Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]

  *) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung]

  *) Core HTTP: disable keepalive when the Client has sent
     Expect: 100-continue
     but we respond directly with a non-100 response.
     Keepalive here led to data from clients continuing being treated as
     a new request.
     PR 47087 [Nick Kew]

  *) Core: reject NULLs in request line or request headers.
     PR 43039 [Nick Kew]

  *) Core: (re)-introduce -T commandline option to suppress documentroot
     check at startup.
     PR 41887 [Jan van den Berg <janvdberg gmail.com>]

  *) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions,
     ScanHTMLTitles, ReadmeName, HeaderName
     PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew]

  *) Proxy: Fix ProxyPassReverse with relative URL
     Derived (slightly erroneously) from PR 38864 [Nick Kew]

  *) mod_headers: align Header Edit with Header Set when used on Content-Type
     PR 48422 [Cyril Bonté <cyril.bonte free.fr>, Nick Kew]

  *) mod_headers: Enable multi-match-and-replace edit option
     PR 46594 [Nick Kew]

  *) mod_filter: enable it to act on non-200 responses.
     PR 48377 [Nick Kew]

Changes with Apache 2.3.4

  *) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
     and WatchdogMutexPath with a single Mutex directive. Add APIs to
     simplify setup and user customization of APR proc and global mutexes.
     (See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
     respected; set DEFAULT_REL_RUNTIMEDIR instead. [Jeff Trawick]

  *) http_core: KeepAlive no longer accepts other than On|Off.
     [Takashi Sato]

  *) mod_dav: Remove errno from dav_error interface. Calls to dav_new_error()
     and dav_new_error_tag() must be adjusted to add an apr_status_t parameter.
     [Jeff Trawick]

  *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
     try other providers in the case of an LDAP bind failure.
     PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]

  *) Build: fix --with-module to work as documented
     PR 43881 [Gez Saunders <gez.saunders virgin.net>]

Changes with Apache 2.3.3

*) SECURITY: CVE-2009-3095 (cve.mitre.org)
   mod_proxy_ftp: sanity check authn credentials.
   [Stefan Fritsch <sf fritsch.de>, Joe Orton]

*) SECURITY: CVE-2009-3094 (cve.mitre.org)
   mod_proxy_ftp: NULL pointer dereference on error paths.
   [Stefan Fritsch <sf fritsch.de>, Joe Orton]

*) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
   OpenSSL 1.0.0b3. [Vipul Gupta <vipul.gupta sun.com>, Sander Temme]

*) mod_dav: Include uri when logging a PUT error due to connection abort.
   PR 38149. [Stefan Fritsch]

*) mod_dav: Return 409 instead of 500 for a LOCK request if the parent
   resource does not exist or is not a collection. PR 43465. [Stefan Fritsch]

*) mod_dav_fs: Return 409 instead of 500 for Litmus test case copy_nodestcoll
   (a COPY request where the parent of the destination resource does not
   exist). PR 39299. [Stefan Fritsch]

*) mod_dav_fs: Don't delete the whole file if a PUT with content-range failed.
   PR 42896. [Stefan Fritsch]

*) mod_dav_fs: Make PUT create files atomically and no longer destroy the
   old file if the transfer aborted. PR 39815. [Paul Querna, Stefan Fritsch]

*) mod_dav_fs: Remove inode keyed locking as this conflicts with atomically
   creating files. On systems with inode numbers, this is a format change of
   the DavLockDB. The old DavLockDB must be deleted on upgrade.
   [Stefan Fritsch]

*) mod_log_config: Make ${cookie}C correctly match whole cookie names
   instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
   Stefan Fritsch]

*) vhost: A purely-numeric Host: header should not be treated as a port.
   PR 44979 [Nick Kew]

*) mod_ldap: Avoid 500 errors with "Unable to set LDAP_OPT_REFHOPLIMIT option to 5"
   when built against openldap by using SDK LDAP_OPT_REFHOPLIMIT defaults unless
   LDAPReferralHopLimit is explicitly configured.
   [Eric Covener]

*) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
   [Eric Covener]

*) mod_ssl: Add support for OCSP Stapling. PR 43822.
   [Dr Stephen Henson <shenson oss-institute.org>]

*) mod_socache_shmcb: Allow parens in file name if cache size is given.
   Fixes SSLSessionCache directive mis-parsing parens in pathname.
   PR 47945. [Stefan Fritsch]

*) htpasswd: Improve out of disk space handling. PR 30877. [Stefan Fritsch]

*) htpasswd: Use MD5 hash by default on all platforms. [Stefan Fritsch]

*) mod_sed: Reduce memory consumption when processing very long lines.
   PR 48024 [Basant Kumar Kukreja <basant.kukreja sun.com>]

*) ab: Fix segfault in case the argument for -n is a very large number.
   PR 47178. [Philipp Hagemeister <oss phihag.de>]

*) Allow ProxyPreserveHost to work in <Proxy> sections. PR 34901.
   [Stefan Fritsch]

*) configure: Fix THREADED_MPMS so that mod_cgid is enabled again
   for worker MPM. [Takashi Sato]

*) mod_dav: Provide a mechanism to obtain the request_rec and pathname
   from the dav_resource. [Jari Urpalainen <jari.urpalainen nokia.com>,
   Brian France <brian brianfrance.com>]

*) Build: Use install instead of cp if available on installing
   modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com]

*) mod_cache: correctly consider s-maxage in cacheability
   decisions. [Dan Poirier]

*) mod_logio/core: Report more accurate byte counts in mod_status if
   mod_logio is loaded. PR 25656. [Stefan Fritsch]

*) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
   some cache entries and log a warning. Also increase the default
   LDAPSharedCacheSize to 500000. This is a more realistic size suitable
   for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
   PR 46749. [Stefan Fritsch]

*) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
   the request is a CONNECT request. [Bill Zajac <billz consultla.com>]

*) mod_cache: Teach CacheEnable and CacheDisable to work from within a
   Location section, in line with how ProxyPass works. [Graham Leggett]

*) mod_reqtimeout: New module to set timeouts and minimum data rates for
   receiving requests from the client. [Stefan Fritsch]

*) core: Fix potential memory leaks by making sure to not destroy
   bucket brigades that have been created by earlier filters.
   [Stefan Fritsch]

*) core, mod_deflate, mod_sed: Reduce memory usage by reusing bucket
   brigades in several places. [Stefan Fritsch]

*) mod_cache: Fix uri_meets_conditions() so that CacheEnable will
   match by scheme, or by a wildcarded hostname. PR 40169
   [Peter Grandi <pg_asf asf.for.sabi.co.uk>, Graham Leggett]

*) suexec: Allow to log an error if exec fails by setting FD_CLOEXEC
   on the log file instead of closing it. PR 10744. [Nicolas Rachinsky]

*) mod_mime: Make RemoveType override the info from TypesConfig.
   PR 38330. [Stefan Fritsch]

*) mod_cache: Introduce the option to run the cache from within the
   normal request handler, and to allow fine grained control over
   where in the filter chain content is cached. Adds CacheQuickHandler
   directive. [Graham Leggett]

*) core: Treat timeout reading request as 408 error, not 400.
   Log 408 errors in access log as was done in Apache 1.3.x.
   PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>,
   Stefan Fritsch <sf fritsch.de>, Dan Poirier]

*) mod_ssl: Reintroduce SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_SERVER_S_DN,
   SSL_SERVER_I_DN back to the environment variables to be set by mod_ssl.
   [Peter Sylvester <peter.sylvester edelweb.fr>]

*) mod_disk_cache: don't cache incomplete responses, per RFC 2616, 13.8.
   PR15866. [Dan Poirier]

*) ab: ab segfaults in verbose mode on https sites
   PR46393. [Ryan Niebur]

*) mod_dav: Allow other modules to become providers and add resource types
   to the DAV response. [Jari Urpalainen <jari.urpalainen nokia.com>,
   Brian France <brian brianfrance.com>]

*) mod_dav: Allow other modules to add things to the DAV or Allow headers
   of an OPTIONS request. [Jari Urpalainen <jari.urpalainen nokia.com>,
   Brian France <brian brianfrance.com>]

*) core: Lower memory usage of core output filter.
   [Stefan Fritsch <sf sfritsch.de>]

*) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
   LocationMatch sections. PR47754. [Dan Poirier]

*) mod_request: Make sure the KeptBodySize directive rejects values
   that aren't valid numbers. [Graham Leggett]

*) mod_session_crypto: Sanity check should the potentially encrypted
   session cookie be too short. [Graham Leggett]

*) mod_session.c: Prevent a segfault when session is added but not
   configured. [Graham Leggett]

*) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]

*) mod_auth_digest: Fail server start when nonce count checking
   is configured without shared memory, or md5-sess algorithm is
   configured. [Dan Poirier]

*) mod_proxy_connect: The connect method doesn't work if the client is
   connecting to the apache proxy through an ssl socket. Fixed.
   PR29744. [Brad Boyer, Mark Cave-Ayland, Julian Gilbey, Fabrice Durand,
   David Gence, Tim Dodge, Per Gunnar Hans, Emmanuel Elango,
   Kevin Croft, Rudolf Cardinal]

*) mod_ssl: The error message when SSLCertificateFile is missing should
   at least give the name or position of the problematic virtual host
   definition. [Stefan Fritsch <sf sfritsch.de>]

*) mod_auth_digest: Fix null pointer when qop=none. [Dan Poirier]

*) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]

*) mod_headers: generalise the envclause to support expression
   evaluation with ap_expr parser [Nick Kew]

*) mod_cache: Introduce the thundering herd lock, a mechanism to keep
   the flood of requests at bay that strike a backend webserver as
   a cached entity goes stale. [Graham Leggett]

*) mod_auth_digest: Fix usage of shared memory and re-enable it.
   PR 16057 [Dan Poirier]

*) Preserve Port information over internal redirects
   PR 35999 [Jonas Ringh <jonas.ringh cixit.se>]

*) Proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
   rather than BAD_GATEWAY or (especially) NOT_FOUND.
   PR 46971 [evanc nortel.com]

*) Various modules: Do better checking of pollset operations in order to
   avoid segmentation faults if they fail. PR 46467
   [Stefan Fritsch <sf sfritsch.de>]

*) mod_autoindex: Correctly create an empty cell if the description
   for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]

*) ab: Fix broken error messages after resolver or connect() failures.
   [Jeff Trawick]

*) SECURITY: CVE-2009-1890 (cve.mitre.org)
   Fix a potential Denial-of-Service attack against mod_proxy in a
   reverse proxy configuration, where a remote attacker can force a
   proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]

*) SECURITY: CVE-2009-1191 (cve.mitre.org)
   mod_proxy_ajp: Avoid delivering content from a previous request which
   failed to send a request body. PR 46949 [Ruediger Pluem]

*) htdbm: Fix possible buffer overflow if dbm database has very
   long values. PR 30586 [Dan Poirier]

*) core: Return APR_EOF if request body is shorter than the length announced
   by the client. PR 33098 [Stefan Fritsch <sf sfritsch.de>]

*) mod_suexec: correctly set suexec_enabled when httpd is run by a
   non-root user and may have insufficient permissions.
   PR 42175 [Jim Radford <radford blackbean.org>]

*) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
   type. PR 45107. [Michael Ströder <michael stroeder.com>,
   Peter Sylvester <peter.sylvester edelweb.fr>]

*) mod_proxy_http: fix case sensitivity checking transfer encoding
   PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]

*) mod_alias: ensure Redirect issues a valid URL.
   PR 44020 [Håkon Stordahl <hakon stordahl.org>]

*) mod_dir: add FallbackResource directive, to enable admin to specify
   an action to happen when a URL maps to no file, without resorting
   to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew]

*) mod_cgid: Do not leak the listening Unix socket file descriptor to the
   CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>]

*) mod_rewrite: Remove locking for writing to the rewritelog.
   PR 46942 [Dan Poirier <poirier pobox.com>]

*) mod_alias: check sanity in Redirect arguments.
   PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]

*) mod_proxy_http: fix Host: header for literal IPv6 addresses.
   PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]

*) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
   defined session identifiers encoded in the URL when caching.
   [Ruediger Pluem]

*) mod_rewrite: Fix the error string returned by RewriteRule.
   RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
   argument of RewriteRule was not started with "[" or not ended with "]".
   PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]

*) Windows: Fix usage message.
   [Rainer Jung]

*) apachectl: When passing through arguments to httpd in
   non-SysV mode, use the "$@" syntax to preserve arguments.
   [Eric Covener]

*) mod_dbd: add DBDInitSQL directive to enable SQL statements to
   be run when a connection is opened. PR 46827
   [Marko Kevac <mkevac gmail.com>]

*) mod_cgid: Improve handling of long AF_UNIX socket names (ScriptSock).
   PR 47037. [Jeff Trawick]

*) mod_proxy_ajp: Check more strictly that the backend follows the AJP
   protocol. [Mladen Turk]

*) mod_proxy_ajp: Forward remote port information by default.
   [Rainer Jung]

*) Allow MPMs to be loaded dynamically, as with most other modules. Use
   --enable-mpms-shared={list|"all"} to enable. This required changes to
   the MPM interfaces. Removed: mpm.h, mpm_default.h (as an installed
   header), APACHE_MPM_DIR, MPM_NAME, ap_threads_per_child,
   ap_max_daemons_limit, ap_my_generation, etc. ap_mpm_query() can't be
   called until after the register-hooks phase. [Jeff Trawick]

*) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
   to enable stricter checking of remote server certificates.
   [Ruediger Pluem]

*) ab: Fix a 100% CPU loop on platforms where a failed non-blocking connect
   returns EINPROGRESS and a subsequent poll() returns only POLLERR.
   Observed on HP-UX. [Eric Covener]

*) Remove broken support for BeOS, TPF, and even older platforms such
   as A/UX, Next, and Tandem. [Jeff Trawick]

*) mod_proxy_ftp: Add ProxyFtpListOnWildcard directive to allow files with
   globbing characters to be retrieved instead of converted into a
   directory listing. PR 46789 [Dan Poirier <poirier pobox.com>]

*) Provide ap_retained_data_create()/ap_retained_data_get() for preservation
   of module state across unload/load. [Jeff Trawick]

*) mod_substitute: Fix a memory leak. PR 44948
   [Dan Poirier <poirier pobox.com>]

Changes with Apache 2.3.2

*) mod_mime_magic: Fix detection of compressed content. [Rainer Jung]

*) mod_negotiation: Escape paths of filenames in 406 responses to avoid
   HTML injections and HTTP response splitting. PR 46837.
   [Geoff Keating <geoffk apple.com>]

*) mod_ssl: add support for type-safe STACK constructs in OpenSSL
   development HEAD. PR 45521. [Kaspar Brand, Sander Temme]

*) ab: Fix maintenance of the pollset to resolve EALREADY errors
   with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris).
   PR 44584. Use APR_POLLSET_NOCOPY for better performance with some
   pollset implementations. [Jeff Trawick]

*) mod_disk_cache: The module now turns off sendfile support if
   'EnableSendfile off' is defined globally. [Lars Eilebrecht]

*) mod_deflate: Adjust content metadata before bailing out on 304
   responses so that the metadata does not differ from 200 response.
   [Roy T. Fielding]

*) mod_deflate: Fix creation of invalid Etag headers. We now make sure
   that the Etag value is properly quoted when adding the gzip marker.
   PR 39727, 45023. [Lars Eilebrecht, Roy T. Fielding]

*) Added 20x22 icons for ODF, SVG, and XML documents. PR 37185.
   [Peter Harlow]

*) Disabled DefaultType directive and removed ap_default_type()
   from core. We now exclude Content-Type from responses for which
   a media type has not been configured via mime.types, AddType,
   ForceType, or some other mechanism. PR 13986. [Roy T. Fielding]

*) mod_rewrite: Add IPV6 variable to RewriteCond
   [Ryan Phillips <ryan-apache trolocsis.com>]

*) core: Enhance KeepAliveTimeout to support a value in milliseconds.
   PR 46275. [Takashi Sato]

*) rotatelogs: Allow size units B, K, M, G and combination of
   time and size based rotation. [Rainer Jung]

*) rotatelogs: Add flag for verbose (debug) output. [Rainer Jung]

*) mod_ssl: Fix merging of SSLRenegBufferSize directive. PR 46508
   [<tlhackque yahoo.com>]

*) core: Translate the status line to ASCII on EBCDIC platforms in
   ap_send_interim_response() and for locally generated "100 Continue"
   responses. [Eric Covener]

*) prefork: Fix child process hang during graceful restart/stop in
   configurations with multiple listening sockets. PR 42829. [Joe Orton,
   Jeff Trawick]

*) mod_session_crypto: Ensure that SessionCryptoDriver can only be
   set in the global scope. [Graham Leggett]

*) mod_ext_filter: We need to detect failure to startup the filter
   program (a mangled response is not acceptable). Fix to detect
   failure, and offer configuration option either to abort or
   to remove the filter and continue.
   PR 41120 [Nick Kew]

*) mod_session_crypto: Rewrite the session_crypto module against the
   apr_crypto API. [Graham Leggett]

*) mod_auth_form: Fix a pool lifetime issue, don't remove the subrequest
   until the main request is cleaned up. [Graham Leggett]

Changes with Apache 2.3.1

*) ap_slotmem: Add in new slot-based memory access API impl., including
   2 providers (mod_sharedmem and mod_plainmem) [Jim Jagielski,
   Jean-Frederic Clere, Brian Akins <brian.akins turner.com>]

*) mod_include: support generating non-ASCII characters as entities in SSI
   PR 25202 [Nick Kew]

*) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
   PR 25202 [Nick Kew]

*) mod_rewrite: fix "B" flag breakage by reverting r5589343
   PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]

*) CGI: return 504 (Gateway timeout) rather than 500 when a script
   times out before returning status line/headers.
   PR 42190 [Nick Kew]

*) mod_cgid: fix segfault problem on solaris.
   PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>]

*) mod_proxy_scgi: Added. [André Malo]

*) mod_cache: Introduce 'no-cache' per-request environment variable
   to prevent the saving of an otherwise cacheable response.
   [Eric Covener]

*) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
   way that per-directory rewrites append the previous notion of PATH_INFO
   to each substitution before evaluating subsequent rules.
   PR 38642 [Eric Covener]

*) mod_cgid: Do not add an empty argument when calling the CGI script.
   PR 46380 [Ruediger Pluem]

*) scoreboard: Remove unused sb_type from process_score.
   [Torsten Foertsch <torsten.foertsch gmx.net>, Chris Darroch]

*) mod_ssl: Add SSLRenegBufferSize directive to allow changing the
   size of the buffer used for the request-body where necessary
   during a per-dir renegotiation. PR 39243. [Joe Orton]

*) mod_proxy_fdpass: New module to pass a client connection over to a separate
   process that is reading from a unix daemon socket.

*) mod_ssl: Improve environment variable extraction to be more
   efficient and to correctly handle DNs with duplicate tags.
   PR 45975. [Joe Orton]

*) Remove the obsolete serial attribute from the RPM spec file. Compile
   against the external pcre. Add missing binaries fcgistarter, and
   mod_socache* and mod_session*. [Graham Leggett]

Changes with Apache 2.3.0

*) mod_ratelimit: New module to do bandwidth rate limiting. [Paul Querna]

*) Remove X-Pad header which was added as a work around to a bug in
   Netscape 2.x to 4.0b2. [Takashi Sato <takashi lans-tv.com>]

*) Add DTrace Statically Defined Tracing (SDT) probes.
   [Theo Schlossnagle <jesus omniti.com>, Paul Querna]

*) mod_proxy_balancer: Move all load balancing implementations
   as individual, self-contained mod_proxy submodules under
   modules/proxy/balancers [Jim Jagielski]

*) Rename APIs to include ap_ prefix:
      find_child_by_pid -> ap_find_child_by_pid
      suck_in_APR -> ap_suck_in_APR
      sys_privileges_handlers -> ap_sys_privileges_handlers
      unixd_accept -> ap_unixd_accept
      unixd_config -> ap_unixd_config
      unixd_killpg -> ap_unixd_killpg
      unixd_set_global_mutex_perms -> ap_unixd_set_global_mutex_perms
      unixd_set_proc_mutex_perms -> ap_unixd_set_proc_mutex_perms
      unixd_set_rlimit -> ap_unixd_set_rlimit
   [Paul Querna]

*) mod_lbmethod_heartbeat: New module to load balance mod_proxy workers
   based on heartbeats. [Paul Querna]

*) mod_heartmonitor: New module to collect heartbeats, and write out a file
   so that other modules can load balance traffic as needed. [Paul Querna]

*) mod_heartbeat: New module to generate multicast heartbeats to know if a
   server is online. [Paul Querna]

*) mod_buffer: Honour the flush bucket and flush the buffer in the
   input filter. Make sure that metadata buckets are written to
   the buffer, not to the final brigade. [Graham Leggett]

*) mod_buffer: Optimise the buffering of heap buckets when the heap
   buckets stay exactly APR_BUCKET_BUFF_SIZE long. [Graham Leggett,
   Ruediger Pluem]

*) mod_buffer: Optional support for buffering of the input and output
   filter stacks. Can collapse many small buckets into fewer larger
   buckets, and prevents excessively small chunks being sent over
   the wire. [Graham Leggett]

*) mod_privileges: new module to make httpd on Solaris privileges-aware
   and to enable different virtualhosts to run with different
   privileges and Unix user/group IDs [Nick Kew]

*) mod_mem_cache: this module has been removed. [William Rowe]

*) authn/z: Remove mod_authn_default and mod_authz_default.
   [Chris Darroch]

*) authz: Fix handling of authz configurations, make default authz
   logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject,
   and AuthzMergeRules directives with Match, <Match*>, and AuthzMerge
   directives. [Chris Darroch]

*) mod_authn_core: Prevent crash when provider alias created to
   provider which is not yet registered. [Chris Darroch]

*) mod_authn_core: Add AuthType of None to support disabling
   authentication. [Chris Darroch]

*) core: Allow <Limit> and <LimitExcept> directives to nest, and
   constrain their use to conform with that of other access control
   and authorization directives. [Chris Darroch]

*) unixd: turn existing code into a module, and turn the set user/group
   and chroot into a child_init function. [Nick Kew]

*) mod_dir: Support "DirectoryIndex disabled"
   Suggested By André Warnier <aw ice-sa.com> [Eric Covener]

*) mod_ssl: Send Content-Type application/ocsp-request for POST requests to
   OCSP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>]

*) mod_authnz_ldap: don't return NULL-valued environment variables to
   other modules. PR 39045 [Francois Pesce <francois.pesce gmail.com>]

*) Don't adjust case in pathname components that are not of interest
   to mod_mime. Fixes mod_negotiation's use of such components.
   PR 43250 [Basant Kumar Kukreja <basant.kukreja sun.com>]

*) Be tolerant in what you accept - accept slightly broken
   status lines from a backend provided they include a valid status code.
   PR 44995 [Rainer Jung <rainer.jung kippdata.de>]

*) New module mod_sed: filter Request/Response bodies through sed
   [Basant Kumar Kukreja <basant.kukreja sun.com>]

*) mod_auth_form: Make sure that basic authentication is correctly
   faked directly after login. [Graham Leggett]

*) mod_session_cookie, mod_session_dbd: Make sure cookies are set both
   within the output headers and error output headers, so that the
   session is maintained across redirects. [Graham Leggett]

*) mod_auth_form: Make sure the logged in user is populated correctly
   after a form login. Fixes a missing REMOTE_USER variable directly
   following a login. [Graham Leggett]

*) mod_session_cookie: Make sure that cookie attributes are correctly
   included in the blank cookie when cookies are removed. This fixes an
   inability to log out when using mod_auth_form. [Graham Leggett]

*) mod_session: Prevent a segfault when a CGI script sets a cookie with a
   null value. [David Shane Holden <dpejesh apache.org>]

*) core, authn/z: Determine registered authn/z providers directly in
   ap_setup_auth_internal(), which allows optional functions that just
   wrapped ap_list_provider_names() to be removed from authn/z modules.
   [Chris Darroch]

*) authn/z: Convert common provider version strings to macros.
   [Chris Darroch]

*) core: When testing for slash-terminated configuration paths in
   ap_location_walk(), don't look past the start of an empty string
   such as that created by a <Location ""> directive.
   [Chris Darroch]

*) core, mod_proxy: If a kept_body is present, it becomes safe for
   subrequests to support message bodies. Make sure that safety
   checks within the core and within the proxy are not triggered
   when kept_body is present. This makes it possible to embed
   proxied POST requests within mod_include. [Graham Leggett]

*) mod_auth_form: Make sure the input filter stack is properly set
   up before reading the login form. Make sure the kept body filter
   is correctly inserted to ensure the body can be read a second
   time safely should the authn be successful. [Graham Leggett,
   Ruediger Pluem]

*) mod_request: Insert the KEPT_BODY filter via the insert_filter
   hook instead of during fixups. Add a safety check to ensure the
   filters cannot be inserted more than once. [Graham Leggett,
   Ruediger Pluem]

*) ap_cache_cacheable_headers_out() will (now) always
   merge any error headers _before_ clearing them and _before_
   merging in the actual entity headers and doing normal
   hop-by-hop cleansing. [Dirk-Willem van Gulik].

*) cache: retire ap_cache_cacheable_hdrs_out() which was used
   for both in- and out-put headers; and replace it by a single
   ap_cache_cacheable_headers() wrapped in an in- and out-put
   specific ap_cache_cacheable_headers_in()/out(). The latter
   will also merge error headers and ensure content-type, to keep
   cache modules consistent with ease. This API change bumps
   up the minor MM by one [Dirk-Willem van Gulik].

*) Move the KeptBodySize directive, kept_body filters and the
   ap_parse_request_body function out of the http module and into a
   new module called mod_request, reducing the size of the core.
   [Graham Leggett]

*) mod_dbd: Handle integer configuration directive parameters with a
   dedicated function.

*) Change the directives within the mod_session* modules to be valid
   both inside and outside the location/directory sections, as
   suggested by wrowe. [Graham Leggett]

*) mod_auth_form: Add a module capable of allowing end users to log
   in using an HTML form, storing the credentials within mod_session.
   [Graham Leggett]

*) Add a function to the http filters that is able to parse an HTML
   form request with the type of application/x-www-form-urlencoded.
   [Graham Leggett]

*) mod_session_crypto: Initialise SSL in the post config hook.
   [Ruediger Pluem, Graham Leggett]

*) mod_session_dbd: Add a session implementation capable of storing
   session information in a SQL database via the dbd interface. Useful
   for sites where session privacy is important. [Graham Leggett]

*) mod_session_crypto: Add a session encoding implementation capable
   of encrypting and decrypting sessions wherever they may be stored.
   Introduces a level of privacy when sessions are stored on the
   browser. [Graham Leggett]

*) mod_session_cookie: Add a session implementation capable of storing
   session information within cookies on the browser. Useful for high
   volume sites where server bound sessions are too resource intensive.
   [Graham Leggett]

*) mod_session: Add a generic session interface to unify the different
   attempts at saving persistent sessions across requests.
   [Graham Leggett]

*) core, authn/z: Avoid calling access control hooks for internal requests
   with configurations which match those of initial request. Revert to
   original behaviour (call access control hooks for internal requests
   with URIs different from initial request) if any access control hooks or
   providers are not registered as permitting this optimization.
   Introduce wrappers for access control hook and provider registration
   which can accept additional mode and flag data. [Chris Darroch]

*) Introduced ap_expr API for expression evaluation.
   This is adapted from mod_include, which is the first module
   to use the new API.
   [Nick Kew]

*) mod_authz_dbd: When redirecting after successful login/logout per
   AuthzDBDRedirectQuery, do not report authorization failure, and use
   first row returned by database query instead of last row.
   [Chris Darroch]

*) mod_ldap: Correctly return all requested attribute values
   when some attributes have a null value.
   PR 44560 [Anders Kaseorg <anders kaseorg.com>]

*) core: check symlink ownership if both FollowSymlinks and
   SymlinksIfOwnerMatch are set [Nick Kew]

*) core: fix origin checking in SymlinksIfOwnerMatch
   PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]

*) Activate mod_cache, mod_file_cache and mod_disk_cache as part of the
   'most' set for '--enable-modules' and '--enable-shared-mods'. Include
   mod_mem_cache in 'all' as well. [Dirk-Willem van Gulik]

*) Also install mod_so.h, mod_rewrite.h and mod_cache.h; as these
   contain public function declarations which are useful for
   third party module authors. PR 42431 [Dirk-Willem van Gulik].

*) mod_dir, mod_negotiation: pass the output filter information
   to newly created sub requests; as these are later on used
   as true requests with an internal redirect. This allows for
   mod_cache et al. to trap the results of the redirect.
   [Dirk-Willem van Gulik, Ruediger Pluem]

*) mod_ldap: Add support (taking advantage of the new APR capability)
   for ldap rebind callback while chasing referrals. This allows direct
   searches on LDAP servers (in particular MS Active Directory 2003+)
   using referrals without the use of the global catalog.
   PRs 26538, 40268, and 42557 [Paul J. Reder]

*) ApacheMonitor.exe: Introduce --kill argument for use by the
   installer. This will permit the installation tool to remove
   all running instances before attempting to remove the .exe.
   [William Rowe]

*) mod_ssl: Add support for OCSP validation of client certificates.
   PR 41123. [Marc Stern <marc.stern approach.be>, Joe Orton]

*) mod_serf: New module for Reverse Proxying. [Paul Querna]

*) core: Add the option to keep aside a request body up to a certain
   size that would otherwise be discarded, to be consumed by filters
   such as mod_include. When enabled for a directory, POST requests
   to shtml files can be passed through to embedded scripts as POST
   requests, rather than being downgraded to GET requests. [Graham Leggett]

*) mod_ssl: Fix TLS upgrade (RFC 2817) support. PR 41231. [Joe Orton]

*) scoreboard: Correctly declare ap_time_process_request.
|
||
|
PR 43789 [Tom Donovan <Tom.Donovan acm.org>]
|
||
|
|
||
|
*) core; scoreboard: ap_get_scoreboard_worker(sbh) now takes the sbh member
|
||
|
from the connection rec, ap_get_scoreboard_worker(proc, thread) will now
|
||
|
provide the unusual legacy lookup. [William Rowe]
|
||
|
|
||
|
*) mpm winnt: fix null pointer dereference
|
||
|
PR 42572 [Davi Arnaut]
|
||
|
|
*) mod_authnz_ldap, mod_authn_dbd: Tidy up the code to expose authn
   parameters to the environment. Improve portability to
   EBCDIC machines by using apr_toupper(). [Martin Kraemer]

*) mod_ldap, mod_authnz_ldap: Add support for nested groups (i.e. the ability
   to authorize an authenticated user via a "require ldap-group X" directive
   where the user is not in group X, but is in a subgroup contained in X).
   PR 42891 [Paul J. Reder]

*) mod_ssl: Add support for caching SSL Sessions in memcached. [Paul Querna]

*) apxs: Enhance -q flag to print all known variables and their values
   when invoked without variable name(s).
   [William Rowe, Sander Temme]

*) apxs: Eliminate run-time check for mod_so. PR 40653.
   [David M. Lee <dmlee crossroads.com>]

*) beos MPM: Create pmain pool and run modules' child_init hooks when
   entering ap_mpm_run(), then destroy pmain when exiting ap_mpm_run().
   [Chris Darroch]

*) netware MPM: Destroy pmain pool when exiting ap_mpm_run() so that
   cleanups registered in modules' child_init hooks are performed.
   [Chris Darroch]

*) Fix issue which could cause error messages to be written to access logs
   on Win32. PR 40476. [Tom Donovan <Tom.Donovan acm.org>]

*) The LockFile directive, which specifies the location of
   the accept() mutex lockfile, is deprecated. Instead, the
   AcceptMutex directive now takes an optional lockfile
   location parameter, ala SSLMutex. [Jim Jagielski]

*) mod_authn_dbd: Export any additional columns queried in the SQL select
   into the environment with the name AUTHENTICATE_<COLUMN>. This brings
   mod_authn_dbd behaviour in line with mod_authnz_ldap. [Graham Leggett]

*) mod_dbd: Key the storage of prepared statements on the hex string
   value of server_rec, rather than the server name, as the server name
   may change (e.g. when the server name is set) at any time, causing
   weird behaviour in modules dependent on mod_dbd. [Graham Leggett]

*) mod_proxy_fcgi: Added win32 build. [Mladen Turk]

*) sendfile_nonblocking() takes the _brigade_ as an argument, gets
   the first bucket from the brigade, finds it not to be a FILE
   bucket and barfs. The fix is to pass a bucket rather than a brigade.
   [Niklas Edmundsson <nikke acc.umu.se>]

*) mod_rewrite: support rewritemap by SQL query [Nick Kew]

*) ap_get_server_version() has been removed. Third-party modules must
   now use ap_get_server_banner() or ap_get_server_description().
   [Jeff Trawick]

*) All MPMs: Introduce a check_config phase between pre_config and
   open_logs, to allow modules to review interdependent configuration
   directive values and adjust them while messages can still be logged
   to the console. Handle relevant MPM directives during this phase
   and format messages for both the console and the error log, as
   appropriate. [Chris Darroch]

*) core: Do not allow internal redirects like the DirectoryIndex of mod_dir
   to circumvent the symbolic link checks imposed by FollowSymLinks and
   SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem, William Rowe]

*) New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ]
   configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
   The default is none as this is far greater debugging resolution than
   the typical administrator is prepared to untangle. [William Rowe]

*) mod_disk_cache: If possible, check if the size of an object to cache is
   within the configured boundaries before actually saving data.
   [Niklas Edmundsson <nikke acc.umu.se>]

*) Worker and event MPMs: Remove improper scoreboard updates which were
   performed in the event of a fork() failure. [Chris Darroch]

*) Add support for fcgi:// proxies to mod_rewrite.
   [Markus Schiegl <ms schiegl.com>]

*) Remove incorrect comments from scoreboard.h regarding conditional
   loading of worker_score structure with mod_status, and remove unused
   definitions relating to old life_status field.
   [Chris Darroch <chrisd pearsoncmg.com>]

*) Remove allocation of memory for unused array of lb_score pointers
   in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]

*) Add mod_proxy_fcgi, a FastCGI back end for mod_proxy.
   [Garrett Rooney, Jim Jagielski, Paul Querna]

*) Event MPM: Fill in the scoreboard's tid field. PR 38736.
   [Chris Darroch <chrisd pearsoncmg.com>]

*) mod_charset_lite: Remove Content-Length when output filter can
   invalidate it. Warn when input filter can invalidate it.
   [Jeff Trawick]

*) Authz: Add the new module mod_authn_core that will provide common
   authn directives such as 'AuthType', 'AuthName'. Move the directives
   'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias
   into mod_authn_core. [Brad Nicholes]

*) Authz: Move the directives 'Order', 'Allow', 'Deny' and 'Satisfy'
   into the new module mod_access_compat which can be loaded to provide
   support for these directives.
   [Brad Nicholes]

*) Authz: Move the 'Require' directive from the core module as well as
   add the directives '<SatisfyAll>', '<SatisfyOne>', '<RequireAlias>'
   and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
   logic into the authorization processing. [Brad Nicholes]

*) Authz: Add the new module mod_authz_core which acts as the
   authorization provider vector and contains common authz
   directives. [Brad Nicholes]

*) Authz: Renamed mod_authz_dbm authz providers from 'group' and
   'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes]

*) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle
   host-based access control provided by mod_authz_host and invoked
   through the 'Require' directive. [Brad Nicholes]

*) Authz: Convert all of the authz modules from hook based to
   provider based. [Brad Nicholes]

*) mod_cache: Add CacheMinExpire directive to set the minimum time in
   seconds to cache a document.
   [Brian Akins <brian.akins turner.com>, Ruediger Pluem]

*) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]

*) Fix typo in ProxyStatus syntax error message.
   [Christophe Jaillet <christophe.jaillet wanadoo.fr>]

*) Asynchronous write completion for the Event MPM. [Brian Pane]

*) Added an End-Of-Request bucket type. The logging of a request and
   the freeing of its pool are now done when the EOR bucket is destroyed.
   This has the effect of delaying the logging until right after the last
   of the response is sent; ap_core_output_filter() calls the access logger
   indirectly when it destroys the EOR bucket. [Brian Pane]

*) Rewrite of logresolve support utility: IPv6 addresses are now supported
   and the format of statistical output has changed. [Colm MacCarthaigh]

*) Rewrite of ap_coreoutput_filter to do nonblocking writes [Brian Pane]

*) Added new connection states for handler and write completion
   [Brian Pane]

*) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264.
   [Justin Erenkrantz]

*) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive,
   allowing string-valued client certificate attributes to be used for
   access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1")
   [Martin Kraemer, David Reid]

[Apache 2.3.0-dev includes those bug fixes and changes with the
 Apache 2.2.xx tree as documented, and except as noted, below.]

Changes with Apache 2.2.x and later:

*) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup

Changes with Apache 2.0.x and later:

*) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup