httpd-cvs mailing list archives

From wr...@apache.org
Subject svn commit: r17788 - /dev/httpd/ /release/httpd/
Date Thu, 12 Jan 2017 18:38:03 GMT
Author: wrowe
Date: Thu Jan 12 18:38:03 2017
New Revision: 17788

Log:
Push 2.2.32 to /dist/http for announcement Friday

Added:
    release/httpd/CHANGES_2.2.32
      - copied unchanged from r17787, dev/httpd/CHANGES_2.2.32
    release/httpd/httpd-2.2.32-win32-src.zip
      - copied unchanged from r17787, dev/httpd/httpd-2.2.32-win32-src.zip
    release/httpd/httpd-2.2.32-win32-src.zip.asc
      - copied unchanged from r17787, dev/httpd/httpd-2.2.32-win32-src.zip.asc
    release/httpd/httpd-2.2.32-win32-src.zip.md5
      - copied unchanged from r17787, dev/httpd/httpd-2.2.32-win32-src.zip.md5
    release/httpd/httpd-2.2.32-win32-src.zip.sha1
      - copied unchanged from r17787, dev/httpd/httpd-2.2.32-win32-src.zip.sha1
    release/httpd/httpd-2.2.32.tar.bz2
      - copied unchanged from r17787, dev/httpd/httpd-2.2.32.tar.bz2
    release/httpd/httpd-2.2.32.tar.bz2.asc
      - copied unchanged from r17787, dev/httpd/httpd-2.2.32.tar.bz2.asc
    release/httpd/httpd-2.2.32.tar.bz2.md5
      - copied unchanged from r17787, dev/httpd/httpd-2.2.32.tar.bz2.md5
    release/httpd/httpd-2.2.32.tar.bz2.sha1
      - copied unchanged from r17787, dev/httpd/httpd-2.2.32.tar.bz2.sha1
    release/httpd/httpd-2.2.32.tar.gz
      - copied unchanged from r17787, dev/httpd/httpd-2.2.32.tar.gz
    release/httpd/httpd-2.2.32.tar.gz.asc
      - copied unchanged from r17787, dev/httpd/httpd-2.2.32.tar.gz.asc
    release/httpd/httpd-2.2.32.tar.gz.md5
      - copied unchanged from r17787, dev/httpd/httpd-2.2.32.tar.gz.md5
    release/httpd/httpd-2.2.32.tar.gz.sha1
      - copied unchanged from r17787, dev/httpd/httpd-2.2.32.tar.gz.sha1
Removed:
    dev/httpd/CHANGES_2.2.32
    dev/httpd/CHANGES_2.4.25
    dev/httpd/httpd-2.2.32-win32-src.zip
    dev/httpd/httpd-2.2.32-win32-src.zip.asc
    dev/httpd/httpd-2.2.32-win32-src.zip.md5
    dev/httpd/httpd-2.2.32-win32-src.zip.sha1
    dev/httpd/httpd-2.2.32.tar.bz2
    dev/httpd/httpd-2.2.32.tar.bz2.asc
    dev/httpd/httpd-2.2.32.tar.bz2.md5
    dev/httpd/httpd-2.2.32.tar.bz2.sha1
    dev/httpd/httpd-2.2.32.tar.gz
    dev/httpd/httpd-2.2.32.tar.gz.asc
    dev/httpd/httpd-2.2.32.tar.gz.md5
    dev/httpd/httpd-2.2.32.tar.gz.sha1
Modified:
    release/httpd/CHANGES_2.2
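Review bot: dev/httpd/CHANGES_2.4.25 appears in the Removed list with no matching copy under release/httpd/, and the log message only mentions 2.2.32. Either say in the log why the 2.4.25 file is dropped from dev/ here, or move that removal into its own commit so the 2.2.32 push is self-contained. Separately, the only digests published beside each artifact are .md5 and .sha1; consider adding a stronger digest file alongside them, since the .asc signature is otherwise the only check with meaningful integrity value.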

Modified: release/httpd/CHANGES_2.2
==============================================================================
--- release/httpd/CHANGES_2.2 (original)
+++ release/httpd/CHANGES_2.2 Thu Jan 12 18:38:03 2017
@@ -1,4 +1,99 @@
                                                          -*- coding: utf-8 -*-
+Changes with Apache 2.2.32
+
+  *) SECURITY: CVE-2016-8743 (cve.mitre.org)
+     Enforce HTTP request grammar corresponding to RFC7230 for request lines
+     and request headers, to prevent response splitting and cache pollution by
+     malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
+
+  *) Validate HTTP response header grammar defined by RFC7230, resulting
+     in a 500 error in the event that invalid response header contents are
+     detected when serving the response, to avoid response splitting and cache
+     pollution by malicious clients, upstream servers or faulty modules.
+     [Stefan Fritsch, Eric Covener, Yann Ylavic]
+
+  *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
+     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
+
+  *) core: Avoid a possible truncation of the faulty header included in the
+     HTML response when LimitRequestFieldSize is reached.  [Yann Ylavic]
+
+  *) core: Enforce LimitRequestFieldSize after multiple headers with the same
+     name have been merged. [Stefan Fritsch]
+
+  *) core: Drop Content-Length header and message-body from HTTP 204 responses.
+     PR 51350 [Luca Toscano]
+
+  *) core: Permit unencoded ';' characters to appear in proxy requests and
+     Location: response headers. Corresponds to modern browser behavior.
+     [William Rowe]
+
+  *) core: ap_rgetline_core now pulls from r->proto_input_filters.
+
+  *) core: Correctly parse an IPv6 literal host specification in an absolute
+     URL in the request line. [Stefan Fritsch]
+
+  *) core: New directive RegisterHttpMethod for registering non-standard
+     HTTP methods. [Stefan Fritsch]
+
+  *) core: Limit to ten the number of tolerated empty lines between request.
+     [Yann Ylavic]
+
+  *) core: reject NULLs in request line or request headers.
+     PR 43039 [Nick Kew]
+
+  *) mod_proxy: Use the correct server name for SNI in case the backend
+     SSL connection itself is established via a proxy server.
+     PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
+
+  *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
+     directives.  [Mike Rumph <mike.rumph oracle.com>]
+
+  *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.
+     [Kaspar Brand]
+
+  *) mod_proxy: Correctly consider error response codes by the backend when
+     processing failonstatus. PR 59869 [Ruediger Pluem]
+
+  *) mod_proxy: Play/restore the TLS-SNI on new backend connections which
+     had to be issued because the remote closed the previous/reusable one
+     during idle (keep-alive) time.  [Yann Ylavic]
+
+  *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
+     [Jan Kaluza, Yann Ylavic]
+
+  *) mod_proxy: Fix a regression with 2.2.31 that caused inherited workers to
+     use a different scoreboard slot then the original one.  PR 58267.
+     [Ruediger Pluem]
+
+  *) mod_proxy: Fix a race condition that caused a failed worker to be retried
+     before the retry period is over. [Ruediger Pluem]
+
+  *) mod_proxy: don't recyle backend announced "Connection: close" connections
+     to avoid reusing it should the close be effective after some new request
+     is ready to be sent.  [Yann Ylavic]
+
+  *) mod_mem_cache: Fix concurrent removal of stale entries which could lead
+     to a crash.  PR 43724.  [Yann Ylavic]
+
+  *) mime.types: add common extension "m4a" for MPEG 4 Audio.
+     PR 57895 [Dylan Millikin <dylan.millikin gmail.com>]
+
+  *) mod_substitute: Allow to configure the patterns merge order with the new
+     SubstituteInheritBefore on|off directive.  PR 57641
+     [Marc.Stern <Marc.Stern approach.be>, Yann Ylavic, William Rowe]
+
+  *) mod_mem_cache: Don't cache incomplete responses when the client
+     connection is aborted before the body is fully read.  PR 45049.
+     [Nick Pace <nick simplylogic.net>, Edward Lu, Yann Ylavic]
+
+  *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
+     failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
+     PR59630 [Jan Ehrhardt <phpdev ehrhardt.nl>]
+
+  *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
+     PR 57167 [Edward Lu <Chaosed0 gmail.com>]
+
 Changes with Apache 2.2.31
 
   *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.
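Review bot: the "core: Mitigate [f]cgi CVE-2016-5387" entry and the response-header grammar entry above it are not marked "SECURITY:", while the CVE-2016-8743 entry is, so anyone searching CHANGES for "SECURITY:" to decide whether to upgrade will miss the httpoxy mitigation; suggest prefixing the CVE-2016-5387 entry the same way as the first one. Smaller points in the same hunk: the "ap_rgetline_core now pulls from r->proto_input_filters" entry has no contributor attribution, unlike every other entry; "don't recyle" should read "recycle"; "a different scoreboard slot then the original one" should read "than"; "empty lines between request" should read "requests"; and "PR59630" is missing the space used in the other PR references.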
@@ -128,7 +223,7 @@ Changes with Apache 2.2.29
   *) Corrected docs/manual pages for new MergeTrailers directive and other
      out of date documentation. [William Rowe]
 
-Changes with Apache 2.2.28
+Changes with Apache 2.2.28 (not released)
 
   *) SECURITY: CVE-2014-0118 (cve.mitre.org)
      mod_deflate: The DEFLATE input filter (inflates request bodies) now
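Review bot: with the heading changed to "Changes with Apache 2.2.28 (not released)", the CVE-2014-0118 entry directly under it is now attributed to a version nobody could install, which makes it harder to answer "which release fixes this CVE" from CHANGES alone. Suggest extending the heading or adding one line under it that names the first released version carrying these changes.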
@@ -2284,7 +2379,7 @@ Changes with Apache 2.2.2
   *) Default handler: Don't return output filter apr_status_t values.
      PR 31759.  [Jeff Trawick, Ruediger Pluem, Joe Orton]
 
-Changes with Apache 2.2.1
+Changes with Apache 2.2.1 (not released)
 
   *) SECURITY: CVE-2005-3357 (cve.mitre.org)
      mod_ssl: Fix a possible crash during access control checks if a
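Review bot: the 2.2.1 heading gets the same "(not released)" marker, and its CVE-2005-3357 entry has the same fixed-in-which-release ambiguity, so the pointer to the first shipped version is worth adding here too. Since this commit touches only 2.2.28 and 2.2.1, it would also help to confirm in the log message that these are the only skipped versions in CHANGES_2.2, so the marker is applied consistently.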


