Subject: svn commit: r571441 - /httpd/httpd/trunk/CHANGES
Date: Fri, 31 Aug 2007 12:15:02 -0000
To: cvs@httpd.apache.org
From: jim@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20070831121503.1A6BD1A9832@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: jim Date: Fri Aug 31 05:15:02 2007 New Revision: 571441 URL: http://svn.apache.org/viewvc?rev=571441&view=rev Log: Finish cleanup of CHANGES files, to reduce the sync required when backporting, etc... Modified: httpd/httpd/trunk/CHANGES Modified: httpd/httpd/trunk/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=571441&r1=571440&r2=571441&view=diff ============================================================================== --- httpd/httpd/trunk/CHANGES [utf-8] (original) +++ httpd/httpd/trunk/CHANGES [utf-8] Fri Aug 31 05:15:02 2007 @@ -1,5 +1,6 @@ -*- coding: utf-8 -*- Changes with Apache 2.3.0 +[ When backported to 2.2.x, remove entry from this file ] *) mod_proxy_connect: avoid segfault on DNS lookup failure. PR 40756 [Trevin Beattie ] 
@@ -346,468 +347,6 @@ allowing string-valued client certificate attributes to be used for access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1") [Martin Kraemer, David Reid] - -Changes with Apache 2.2.5 - - *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk] - - *) mod_deflate: fix protocol handling in deflate input filter - PR 23287 [Nick Kew] - - *) mod_proxy: fix buffer overflow issue - PR 41144 [Davi Arnaut] - - *) mime.types: add Registered Javascript/ECMAScript MIME types (RFC4329) - PR 40299 [Dave Hodder ] - - *) mod_filter: fix integer comparisons in dispatch rules - PR 41835 [Nick Kew] - - *) mod_filter: fix merging of ! and = in FilterChain - PR 42186 [Issac Goldstand ] - - *) mod_cache: Let Cache-Control max-age set the expiration of the cached - representation if Expires is not set. [Justin Erenkrantz] - - *) mod_disk_cache: Allow Vary'd responses to be refreshed properly. - [Justin Erenkrantz] - - *) mod_cache: Allow caching of requests with query arguments when - Cache-Control max-age is explicitly specified. [Justin Erenkrantz] - - *) mod_proxy: Print the correct error message for erroneous configured - ProxyPass directives. PR 40439. [serai lans-tv.com] - - *) mod_so: Provide more helpful LoadModule feedback when an error occurs. - [William Rowe] - - *) mod_alias: Accept path components (URL part) in Redirects. PR 35314. - [Nick Kew] - - *) mod_headers: Allow % at the end of a Header value. PR 36609. - [Nick Kew, Ruediger Pluem] - - *) mod_cache: Use the same cache key throughout the whole request processing - to handle escaped URLs correctly. PR 41475. [Ruediger Pluem] - - *) mod_cache: Add CacheIgnoreQueryString directive. PR 41484. - [Fredrik Widlund ] - - *) mod_cache: While serving a cached entity ensure that filters that have - been applied to this cached entity before saving it to the cache are not - applied again. PR 40090. 
[Ruediger Pluem] - - *) mod_cache: Correctly cache objects whose URL query string has been - modified by mod_rewrite. PR 40805. [Ruediger Pluem] - - *) mod_proxy_http: Change handling of ProxyErrorOverride such that - 3xx responses are no longer over-ridden (handling of 4xx and 5xx - responses is unchanged). PR 39245. - [Jeff Trawick, Bart van der Schans ] - - *) htdbm: Enable crypt support on platforms with crypt() but not - , such as z/OS. [David Jones ] - - *) mod_ssl: initialize thread locks before initializing the hardware - acceleration library, so the latter can make use of the former. - PR 20951. [adunn at ncipher.com] - - *) ab.c: Correct behavior of HTTP request headers sent by ab - in presence of -H command-line overrides. PR 31268, 26554. - [Arvind Srinivasan ] - - *) ab.c: The apr_port_t type is unsigned, but ab was using a - signed format code in its reports. PR 42070. - [Takashi Sato ] - - *) core: Correct a regression since 2.0.x in the handling of AllowOverride - Options. PR 41829. [Torsten Förtsch ] - - *) mod_proxy_http: Handle request bodies larger than 2 GB by converting - the Content-Length header of the request correctly. PR 40883. - [Ruediger Pluem, toadie ] - - *) mod_proxy: Fix some proxy setting inheritance problems (eg: - ProxyTimeout). PR 11540. [Stuart Children ] - - *) Unix MPMs: Catch SIGFPE so that exception hooks and CoreDumpDirectory - can work after that terminating signal. - [Eric Covener ] - - *) Win32: Makefile.win will now build with MS VC 8 (Visual Studio 2005) - including embedding the .manifest information into each binary. - [William Rowe] - -Changes with Apache 2.2.4 - - *) mod_isapi: Correctly present SERVER_PORT_SECURE. - PR: 40573. [Matt Eaton ] - - *) Allow htcacheclean, httxt2dbm, and fcgistarter to link apr/apr-util - statically like the older support programs. - [Eric Covener ] - - *) core: Fix NONBLOCK status of listening sockets on restart/graceful - PR 37680. 
[Darius Davis ] - - *) mod_deflate: Rework inflate output and deflate output filter to fix several - issues: Incorrect handling of flush buckets, potential memory leaks, - excessive memory usage in inflate output filter for large compressed - content. PR 39854. [Ruediger Pluem, Nick Kew, Justin Erenkrantz] - - *) mod_mem_cache: Memory leak fix: Unconditionally free the buffer. - [Davi Arnaut ] - - *) Allow mod_dumpio to log at other than DEBUG levels via - the new DumpIOLogLevel directive. [Jim Jagielski] - - *) rotatelogs: Improve error message for open failures. PR 39487. - [Joe Orton] - - *) Better detection and clean up of ldap connection that has been - terminated by the ldap server. PR 40878. - [Rob Baily ] - - *) mod_mem_cache: Convert mod_mem_cache to use APR memory pool functions - by creating a root pool for object persistence across requests. This - also eliminates the need for custom serialization code. - [Davi Arnaut ] - - *) mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive. If - set, REMOTE_USER will be set to this attribute, rather than the - username supplied by the user. Useful for example when you want users - to log in using an email address, but need to supply a userid instead - to the backend. [Graham Leggett] - - *) mod_cgi and mod_cgid: Don't use apr_status_t error return - from input filters as HTTP return value from the handler. - PR 31579. [Nick Kew] - - *) mod_cache: Eliminate a bogus error in the log when a filter returns - AP_FILTER_ERROR. [Niklas Edmundsson ] - - *) core: Fix issue which could cause piped loggers to be orphaned and never - terminate after a graceful restart. PR 40651. [Joe Orton, Ruediger Pluem] - - *) core: Fix address-in-use startup failure caused by corruption of the list - of listen sockets in some configurations with multiple generic Listen - directives. [Jeff Trawick] - - *) mod_headers: Support regexp-based editing of HTTP headers. [Nick Kew] - - *) mod_proxy: Add explicit flushing feature. 
When Servlet container sends AJP - body message with size 0, this means that Servlet container has asked for - an explicit flush. Create flush bucket in that case. This feature has been - added to the recent Tomcat versions without breaking the AJP protocol. - [Mladen Turk] - - *) mod_proxy_balancer: Set the new environment variable BALANCER_ROUTE_CHANGED - if a worker with a route different from the one supplied by the client - had been chosen or if the client supplied no routing information for - a balancer with sticky sessions. [Ruediger Pluem] - - *) mod_proxy_balancer: Add information about the route, the sticky session - and the worker used during a request as environment variables. PR 39806. - [Brian ] - - *) mod_proxy: Don't try to use dead backend connection. PR 37770. - [Olivier BOEL ] - - *) mod_proxy_balancer: Extract stickysession routing information contained as - parameter in the URL correctly. PR 40400. - [Ruediger Pluem, Tomokazu Harada ] - - *) mod_proxy_ajp: Added cping/cpong support for the AJP protocol. - A new worker directive ping=timeout will cause CPING packet - to be send expecting CPONG packet within defined timeout. - In case the backend is too busy this will fail instead - sending the full header. [Mladen Turk] - - *) mod_cache: From RFC3986 (section 6.2.3.) if a URI contains an - authority component and an empty path, the empty path is to be equivalent - to "/". It explicitly cites the following four URIs as equivalents: - http://example.com - http://example.com/ - http://example.com:/ - http://example.com:80/ - [Davi Arnaut ] - - *) mod_cache: Don't cache requests with a expires date in the past; - otherwise mod_cache will always try to cache the URL. This bug - might lead to numerous rename() errors on win32 if the URL was - previously cached. [Davi Arnaut ] - - *) mod_disk_cache: Make sure that only positive integers are accepted - for the CacheMaxFileSize and CacheMinFileSize parameters in the - config file. PR39380. 
[Niklas Edmundsson ] - - *) core: Deal with the widespread use of apr_status_t return values - as HTTP status codes, as documented in PR#31759 (a bug shared by - the default handler, mod_cgi, mod_cgid, mod_proxy, and probably - others). PR31759. [Jeff Trawick, Ruediger Pluem, Joe Orton] - - *) mod_ext_filter: Handle filter names which include capital letters. - PR 40323. [Jeff Trawick] - - *) mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH - support. Also corrects the slashes for Windows. - PR 15993. [William Rowe] - - *) mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly, the - token parser worked while the resulting length was misinterpreted. - PR 29098. [Brock Bland ] - - *) mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade - attempts to stream the response at the client. Log these as well. - PR 30022, 40470. [William Rowe, Matt Eaton ] - - *) mod_isapi: Ensure we walk through all the methods the developer may have - employed to report their HTTP status result code. - PR 16637 30033 28089. [Matt Lewandowsky , William Rowe] - - *) mod_echo: Fix precedence problem in if statement. PR 40658. - [Larry Cipriani ] - - *) mod_mime_magic: Fix precedence problem in if statement. PR 40656. - [Larry Cipriani ] - - *) The full server version information is now included in the error log at - startup as well as server status reports, irrespective of the setting - of the ServerTokens directive. ap_get_server_version() is now - deprecated, and is replaced by ap_get_server_banner() and - ap_get_server_description(). [Jeff Trawick] - - *) mod_proxy_balancer: Workers can now be defined as part of - a balancer cluster "set" in which members of a lower-numbered set - are preferred over higher numbered ones. [Jim Jagielski] - - *) mod_proxy_balancer: Workers can now be defined as "hot standby" which - will only be used if all other workers are unusable (eg: in - error or disabled). 
Also, the balancer-manager displays the election - count and I/O counts of all workers. [Jim Jagielski] - - *) mod_proxy_ajp: Close connection to backend if reading of request body - fails. PR 40310. [Ian Abel ] - - *) mod_proxy_balancer: Retry worker chosen by route / redirect worker if - it is in error state before sending "Service Temporarily Unavailable". - PR 38962. [Christian Boitel ] - -Changes with Apache 2.2.3 - - *) SECURITY: CVE-2006-3747 (cve.mitre.org) - mod_rewrite: Fix an off-by-one security problem in the ldap scheme - handling. For some RewriteRules this could lead to a pointer being - written out of bounds. Reported by Mark Dowd of McAfee. - [Mark Cox] - - *) mod_authn_alias: Add a check to make sure that the base provider and the - alias names are different and also that the alias has not been registered - before. PR 40051. [Brad Nicholes] - - *) mod_authnz_ldap: Fix a problem with invalid auth error detection for LDAP - client SDKs that don't support the LDAP_SECURITY_ERROR macro. PR 39529. - [Ray Price , Josh Fenlason ] - - *) mod_cache: Do not overwrite the Content-Type in the cache, for - successfully revalidated cached objects. PR 39647. [Ruediger Pluem] - - *) mod_speling: Add directive to deal with case corrections only - and ignore other misspellings [Olivier Thereaux ] - - *) mod_dbd: Fix dependence on virtualhost configuration in - defining prepared statements (possible segfault at startup - in user modules such as mod_authn_dbd). [Nick Kew] - - *) Add optional 'scheme://' prefix to ServerName directive, - allowing correct determination of the canonical server URL - for use behind a proxy or offload device handling SSL; fixing - redirect generation in those cases. PR 33398. [Sander Temme] - - *) Added server_scheme field to server_rec for above. Minor MMN bump. - [Sander Temme] - - *) mod_cache: Make caching of reverse SSL proxies possible again. PR 39593. 
- [Ruediger Pluem, Joe Orton] - - *) Worker MPM: On graceless shutdown or restart, send signals to - each worker thread to wake them up if they're polling on a - Keep-Alive connection. PR 38737. [Chris Darroch] - - *) worker and event MPMs: fix excessive forking if fork() or child_init - take a long time. PR 39275. - [Greg Ames, Jeff Trawick, Chris Darroch ] - - *) configure: Add "--with-included-apr" flag to force use of the - bundled version of APR at build time. [Joe Orton] - - *) Respect GracefulShutdownTimeout in the worker and event MPMs. - [Chris Darroch, Garrett Rooney] - - *) mod_mem_cache: Set content type correctly when delivering data from - cache. PR 39266. [Ruediger Pluem] - - *) mod_autoindex: Fix filename escaping with FancyIndexing disabled. - PR 38910. [Robby Griffin ] - - *) mod_charset_lite: Bypass translation when the source and dest charsets - are the same. [Jeff Trawick] - -Changes with Apache 2.2.2 - - *) mod_deflate: Allow mod_deflate to handle internal redirects. - [Brian J. France ] - - *) mod_proxy_balancer: Initialize members of a balancer correctly. - PR 38227. [James A. Robinson ] - - *) mod_proxy: Do not release connections from connection pool twice. - PR 38793. [Ruediger Pluem, matthias ] - - *) core: Prevent reading uninitialized memory while reading a line of - protocol input. PR 39282. [Davi Arnaut ] - - *) mod_dbd: Update defaults, improve error reporting. - [Chris Darroch , Nick Kew] - - *) mod_dbd: Create own pool and mutex to avoid problem use of - process pool in request processing. - [Chris Darroch ] - - *) HTML-escape the Expect error message. Not classed as security as - an attacker has no way to influence the Expect header a victim will - send to a target site. Reported by Thiago Zaninotti - . [Mark Cox] - - *) htdbm: Fix crash processing -d option in 64-bit mode on HP-UX. 
- [Jeff Trawick] - - *) htdbm: Warn the user when adding a plaintext password on a platform - where it wouldn't work with the server (i.e., anywhere that has - crypt()). [Jeff Trawick] - - *) mod_proxy: don't reuse a connection that may be to the wrong backend - PR 39253 [Ruediger Pluem] - - *) Default handler: Don't return output filter apr_status_t values. - PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton] - -Changes with Apache 2.2.1 - - *) SECURITY: CVE-2005-3357 (cve.mitre.org) - mod_ssl: Fix a possible crash during access control checks if a - non-SSL request is processed for an SSL vhost (such as the - "HTTP request received on SSL port" error message when an 400 - ErrorDocument is configured, or if using "SSLEngine optional"). - PR 37791. [Rüdiger Plüm, Joe Orton] - - *) SECURITY: CVE-2005-3352 (cve.mitre.org) - mod_imagemap: Escape untrusted referer header before outputting - in HTML to avoid potential cross-site scripting. Change also - made to ap_escape_html so we escape quotes. Reported by JPCERT. - [Mark Cox] - - *) mod_proxy_ajp: Flushing of the output after each AJP chunk is now - configurable at runtime via the 'flushpackets' and 'flushwait' worker - params. Minor MMN bump. [Jim Jagielski] - - *) mod_proxy: Fix incorrect usage of local and shared worker init. - PR 38403. [Jim Jagielski] - - *) mod_isapi: Fix compiler errors on Unix platforms. - [William Rowe] - - *) mod_proxy_http: Send HTTP Keep-Alive Headers. PR 38524. - [Rüdiger Plüm, Joe Orton] - - *) mod_disk_cache: Return the correct error codes from bucket read - failures, instead of APR_EGENERAL. - [Brian Akins ] - - *) Add APR/APR-Util Compiled and Runtime Version numbers to the - output of 'httpd -V'. [William Rowe] - - *) http: If a connection is aborted while waiting for a chunked line, - flag the connection as errored out. [Justin Erenkrantz] - - *) core: Reject invalid Expect header immediately. PR 38123. 
- [Ruediger Pluem] - - *) mod_proxy: Fix KeepAlives not being allowed and set to - backend servers. PR 38602. [Ruediger Pluem, Jim Jagielski] - - *) mod_proxy: If we get an error reading the upstream response, - close the connection. [Justin Erenkrantz, Roy T. Fielding, - Jim Jagielski, Ruediger Pluem] - - *) mod_proxy_ajp: Support common headers of the AJP protocol in responses. - PR 38340. [Aleksey Pesternikov ] - - *) mod_proxy_balancer: Do not overwrite the status of initialized workers and - respect the configured status of uninitilized workers when creating a new - child process. [Ruediger Pluem] - - *) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of - the ajp message to prevent mod_proxy_ajp from reading beyond the buffer - boundaries and thus revealing possibly sensitive memory contents to the - client. [Ruediger Pluem] - - *) Ensure that the proper status line is written to the client, fixing - incorrect status lines caused by filters which modify r->status without - resetting r->status_line, such as the built-in byterange filter. - [Jeff Trawick] - - *) mod_speling: Stop crashing with certain non-file requests. [Jeff Trawick] - - *) mod_cache: Make caching of reverse proxies possible again. PR 38017. - [Ruediger Pluem] - - *) Modify apr[util] .h detection to avoid breakage on VPATH builds - using Solaris make (amoung others) and avoid breakage in ./buildconf - when srclib/apr[-util] are symlinks rather than directories proper. - [William Rowe] - - *) Chunk filter: Fix chunk filter to create correct chunks in the case that - a flush bucket is surrounded by data buckets. [Ruediger Pluem] - - *) Fix syntax error in httpd.h with strict compilers. PR 38740. - [Per Olausson ] - - *) Preserve the Content-Length header for a proxied HEAD response. - PR 18757. [Greg Ames] - - *) Fix recursive ErrorDocument handling. PR 36090. - [Chris Darroch ] - - *) Don't hang on error return from post_read_request. 
PR37790 [Nick Kew] - - *) Fix off-by-one error in proxy_balancer. PR37753 - [Kazuhiro Osawa ] - -Changes with Apache 2.2.0 - - *) mod_negotiation: Minor performance tweak by reusing already calculated - strlen. - [Ruediger Pluem, Christophe Jaillet ] - - *) Remove support for 'On' and 'Off' for AuthBasicProvider and - AuthDigestProvider. [Joshua Slive, Justin Erenkrantz] - - *) Add in new UseCanonicalPhysicalPort directive, which controls - whether or not Apache will ever use the actual physical port - when constructing the canonical port number. [Jim Jagielski] - - *) mod_dav: Fix a null pointer dereference in an error code path during the - handling of MKCOL. - [Ruediger Pluem, Ghassan Misherghi ] - - *) Fix DESTDIR=... installation when using bundled copy of APR. - [Torsten Foertsch ] - - *) mod_proxy_balancer: When finding best worker, use case insensitive - match for scheme and host, but case sensitive for the rest of - the path. [Jim Jagielski, Ruediger Pluem] - [Apache 2.1.0-dev includes those bug fixes and changes with the Apache 2.2.xx tree as documented, and except as noted, below.]
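Review bot: In the first hunk (@@ -1,5 +1,6 @@), the line added under "Changes with Apache 2.3.0" tells maintainers to remove a backported entry from this file but does not say where the entry is recorded afterwards, so a backport can follow the instruction and leave the fix listed in neither file. Suggest naming the destination in the note itself, for example "[ When backported to 2.2.x, move the entry to the 2.2.x CHANGES file ]". Since the note is addressed to committers rather than to readers of the changelog, it would also help to mark it as such.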
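Review bot: In the second hunk (@@ -346,468 +347,6 @@), the removed 2.2.5 to 2.2.0 sections include the three "SECURITY:" entries (CVE-2006-3747 in mod_rewrite, CVE-2005-3357 in mod_ssl, CVE-2005-3352 in mod_imagemap) along with memory-safety fixes such as the mod_proxy buffer overflow (PR 41144) and the mod_proxy_ajp read beyond buffer boundaries, and nothing left in the file says where that history now lives. The remaining context line "[Apache 2.1.0-dev includes those bug fixes and changes with the Apache 2.2.xx tree as documented, and except as noted, below.]" now follows the 2.3.0 entries directly and still says "below". Suggest rewording that note to point at the 2.2.x CHANGES file so that anyone checking trunk for whether a given CVE fix is present is sent to the right place.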