httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From wr...@apache.org
Subject svn commit: r20352 [2/3] - /dev/httpd/
Date Thu, 06 Jul 2017 19:28:46 GMT
Modified: dev/httpd/CHANGES_2.2
==============================================================================
--- dev/httpd/CHANGES_2.2 (original)
+++ dev/httpd/CHANGES_2.2 Thu Jul  6 19:28:45 2017
@@ -1,3459 +1,3464 @@
-                                                         -*- coding: utf-8 -*-
-Changes with Apache 2.2.33
-
-  *) SECURITY: CVE-2017-7668 (cve.mitre.org)
-     The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
-     bug in token list parsing, which allows ap_find_token() to search past
-     the end of its input string. By maliciously crafting a sequence of
-     request headers, an attacker may be able to cause a segmentation fault,
-     or to force ap_find_token() to return an incorrect value.
-     [Jacob Champion]
-
-  *) SECURITY: CVE-2017-3169 (cve.mitre.org)
-     mod_ssl may dereference a NULL pointer when third-party modules call
-     ap_hook_process_connection() during an HTTP request to an HTTPS port.
-     [Yann Ylavic]
-
-  *) SECURITY: CVE-2017-3167 (cve.mitre.org)
-     Use of the ap_get_basic_auth_pw() by third-party modules outside of the
-     authentication phase may lead to authentication requirements being
-     bypassed.
-     [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
-
-  *) SECURITY: CVE-2017-7679 (cve.mitre.org)
-     mod_mime can read one byte past the end of a buffer when sending a
-     malicious Content-Type response header.  [Yann Ylavic]
-  
-  *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
-     [Joe Orton]
-
-Changes with Apache 2.2.32
-
-  *) SECURITY: CVE-2016-8743 (cve.mitre.org)
-     Enforce HTTP request grammar corresponding to RFC7230 for request lines
-     and request headers, to prevent response splitting and cache pollution by
-     malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
-
-  *) Validate HTTP response header grammar defined by RFC7230, resulting
-     in a 500 error in the event that invalid response header contents are
-     detected when serving the response, to avoid response splitting and cache
-     pollution by malicious clients, upstream servers or faulty modules.
-     [Stefan Fritsch, Eric Covener, Yann Ylavic]
-
-  *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
-     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
-
-  *) core: Avoid a possible truncation of the faulty header included in the
-     HTML response when LimitRequestFieldSize is reached.  [Yann Ylavic]
-
-  *) core: Enforce LimitRequestFieldSize after multiple headers with the same
-     name have been merged. [Stefan Fritsch]
-
-  *) core: Drop Content-Length header and message-body from HTTP 204 responses.
-     PR 51350 [Luca Toscano]
-
-  *) core: Permit unencoded ';' characters to appear in proxy requests and
-     Location: response headers. Corresponds to modern browser behavior.
-     [William Rowe]
-
-  *) core: ap_rgetline_core now pulls from r->proto_input_filters.
-
-  *) core: Correctly parse an IPv6 literal host specification in an absolute
-     URL in the request line. [Stefan Fritsch]
-
-  *) core: New directive RegisterHttpMethod for registering non-standard
-     HTTP methods. [Stefan Fritsch]
-
-  *) core: Limit to ten the number of tolerated empty lines between request.
-     [Yann Ylavic]
-
-  *) core: reject NULLs in request line or request headers.
-     PR 43039 [Nick Kew]
-
-  *) mod_proxy: Use the correct server name for SNI in case the backend
-     SSL connection itself is established via a proxy server.
-     PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
-
-  *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
-     directives.  [Mike Rumph <mike.rumph oracle.com>]
-
-  *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.
-     [Kaspar Brand]
-
-  *) mod_proxy: Correctly consider error response codes by the backend when
-     processing failonstatus. PR 59869 [Ruediger Pluem]
-
-  *) mod_proxy: Play/restore the TLS-SNI on new backend connections which
-     had to be issued because the remote closed the previous/reusable one
-     during idle (keep-alive) time.  [Yann Ylavic]
-
-  *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params.
-     [Jan Kaluza, Yann Ylavic]
-
-  *) mod_proxy: Fix a regression with 2.2.31 that caused inherited workers to
-     use a different scoreboard slot then the original one.  PR 58267.
-     [Ruediger Pluem]
-
-  *) mod_proxy: Fix a race condition that caused a failed worker to be retried
-     before the retry period is over. [Ruediger Pluem]
-
-  *) mod_proxy: don't recyle backend announced "Connection: close" connections
-     to avoid reusing it should the close be effective after some new request
-     is ready to be sent.  [Yann Ylavic]
-
-  *) mod_mem_cache: Fix concurrent removal of stale entries which could lead
-     to a crash.  PR 43724.  [Yann Ylavic]
-
-  *) mime.types: add common extension "m4a" for MPEG 4 Audio.
-     PR 57895 [Dylan Millikin <dylan.millikin gmail.com>]
-
-  *) mod_substitute: Allow to configure the patterns merge order with the new
-     SubstituteInheritBefore on|off directive.  PR 57641
-     [Marc.Stern <Marc.Stern approach.be>, Yann Ylavic, William Rowe]
-
-  *) mod_mem_cache: Don't cache incomplete responses when the client
-     connection is aborted before the body is fully read.  PR 45049.
-     [Nick Pace <nick simplylogic.net>, Edward Lu, Yann Ylavic]
-
-  *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
-     failures under Visual Studio 2015 and other mismatched MSVCRT flavors.
-     PR59630 [Jan Ehrhardt <phpdev ehrhardt.nl>]
-
-  *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
-     PR 57167 [Edward Lu <Chaosed0 gmail.com>]
-
-Changes with Apache 2.2.31
-
-  *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers.
-     [Yann Ylavic, Gregg Smith]
-
-Changes with Apache 2.2.30 (not released)
-
-  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
-     core: Fix chunk header parsing defect.
-     Remove apr_brigade_flatten(), buffering and duplicated code from
-     the HTTP_IN filter, parse chunks in a single pass with zero copy.
-     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
-     authorized characters.  [Graham Leggett, Yann Ylavic]
-
-  *) http: Fix LimitRequestBody checks when there is no more bytes to read.
-     [Michael Kaufmann <mail michael-kaufmann.ch>]
-
-  *) core: Allow spaces after chunk-size for compatibility with implementations
-     using a pre-filled buffer.  [Yann Ylavic, Jeff Trawick]
-
-  *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
-     no longer send warning-level unrecognized_name(112) alerts. PR 56241.
-     [Kaspar Brand]
-
-  *) http: Make ap_die() robust against any HTTP error code and not modify
-     response status (finally logged) when nothing is to be done. PR 56035.
-     [Yann Ylavic]
-
-  *) core, modules: Avoid error response/document handling by the core if some
-     handler or input filter already did it while reading the request (causing
-     a double response body).  [Yann Ylavic]
-
-  *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions
-     5+ instead of just for FreeBSD 5. PR 53824.  [Jeff Trawick,
-     Olli Hauer <ohauer gmx de>]
-
-  *) mod_proxy: use the original (non absolute) form of the request-line's URI
-     for requests embedded in CONNECT payloads used to connect SSL backends via
-     a ProxyRemote forward-proxy.  PR 55892.  [Hendrik Harms <hendrik.harms
-     gmail com>, William Rowe, Yann Ylavic]
-
-  *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
-     internationalization.  [William Rowe]
-
-  *) mod_log_config: Implement logging for sub second timestamps and
-     request end time.  [Rainer Jung]
-
-  *) mod_log_config: Ensure that time data is consistent if multiple
-     duration patterns are used in combination, e.g. %D and %{ms}T.
-     [Rainer Jung]
-
-  *) mod_log_config: Add "%{UNIT}T" format to output request duration in
-     seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us").
-     [Ben Reser, Rainer Jung]
-
-  *) In alignment with RFC 7525, the default recommended SSLCipherSuite
-     and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the
-     default recommended SSLProtocol and SSLProxyProtocol directives now
-     exclude SSLv3. Existing configurations must be adjusted by the
-     administrator. [William Rowe]
-
-  *) core: Avoid potential use of uninitialized (NULL) request data in
-     request line error path. [Yann Ylavic]
- 
-  *) mod_proxy_http: Use the "Connection: close" header for requests to
-     backends not recycling connections (disablereuse), including the default
-     reverse and forward proxies.  [Yann Ylavic]
-
-  *) mod_proxy: Add ap_connection_reusable() for checking if a connection
-     is reusable as of this point in processing.  [Jeff Trawick]
-
-  *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across
-     graceful restarts, even if new workers are added, old ones removed, or
-     the order changes.  [Jan Kaluza, Yann Ylavic]
-
-  *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context. 
-     PR 57100.  [Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>,
-     Yann Ylavic]
-
-  *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
-     allowing custom parameters to be configured via SSLCertificateFile,
-     and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
-     Unless custom parameters are configured, the standardized parameters
-     are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
- 
-  *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
-     keys, and unconditionally disable aNULL, eNULL and EXP ciphers
-     (not overridable via SSLCipherSuite). [Kaspar Brand]
-
-  *) mod_ssl: Add support for configuring persistent TLS session ticket
-     encryption/decryption keys (useful for clustered environments).
-     [Paul Querna, Kaspar Brand]
-
-  *) SSLProtocol and SSLCipherSuite recommendations in the example/default
-     conf/extra/httpd-ssl.conf file are now global in scope, affecting all
-     VirtualHosts (matching 2.4 default configuration). [William Rowe]
-
-  *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the
-     selected DB engine.  PR 46421.  [Jan Kaluza].
-
-  *) Turn static function get_server_name_for_url() into public
-     ap_get_server_name_for_url() and use it where appropriate. This
-     fixes mod_rewrite generating invalid URLs for redirects to IPv6
-     literal addresses. PR 52831 [Stefan Fritsch]
-
-  *) dav_validate_request: avoid validating locks and ETags when there are
-     no If headers providing them on a resource we aren't modifying.
-     [Ben Reser]
-
-  *) mod_ssl: New directive SSLSessionTickets (On|Off).
-     The directive controls the use of TLS session tickets (RFC 5077),
-     default value is "On" (unchanged behavior).
-     Session ticket creation uses a random key created during web
-     server startup and recreated during restarts. No other key
-     recreation mechanism is available currently. Therefore using session
-     tickets without restarting the web server with an appropriate frequency
-     (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
-
-  *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
-     compile against APR-1.2.x (minimum required version). [Yann Ylavic]
-
-  *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts
-     computed for subsequent requests.  PR 56729.  [Eric Covener]
-
-Changes with Apache 2.2.29
-
-  *) Corrected docs/manual pages for new MergeTrailers directive and other
-     out of date documentation. [William Rowe]
-
-Changes with Apache 2.2.28 (not released)
-
-  *) SECURITY: CVE-2014-0118 (cve.mitre.org)
-     mod_deflate: The DEFLATE input filter (inflates request bodies) now
-     limits the length and compression ratio of inflated request bodies to avoid
-     denial of service via highly compressed bodies.  See directives
-     DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
-     and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
-
-  *) SECURITY: CVE-2014-0231 (cve.mitre.org)
-     mod_cgid: Fix a denial of service against CGI scripts that do
-     not consume stdin that could lead to lingering HTTPD child processes
-     filling up the scoreboard and eventually hanging the server.  By
-     default, the client I/O timeout (Timeout directive) now applies to
-     communication with scripts.  The CGIDScriptTimeout directive can be
-     used to set a different timeout for communication with scripts.
-     [Rainer Jung, Eric Covener, Yann Ylavic]
-
-  *) SECURITY: CVE-2014-0226 (cve.mitre.org)
-     Fix a race condition in scoreboard handling, which could lead to
-     a heap buffer overflow.  [Joe Orton, Eric Covener, Jeff Trawick]
- 
-  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
-     core: HTTP trailers could be used to replace HTTP headers
-     late during request processing, potentially undoing or
-     otherwise confusing modules that examined or modified
-     request headers earlier.  Adds "MergeTrailers" directive to restore
-     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
-
-  *) core: Detect incomplete request and response bodies, log an error and
-     forward it to the underlying filters. PR 55475.  [Yann Ylavic]
-
-  *) mod_deflate: Handle Zlib header and validation bytes received in multiple
-     chunks. PR 46146. [Yann Ylavic]
-
-  *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
-     differs. PR 55782.  [Yann Ylavic]
- 
-  *) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
-     [Lukas Bezdicka <social v3.sk>]
-
-  *) mod_dav: Fix improper encoding in PROPFIND responses.  PR 56480.
-     [Ben Reser]
-
-  *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
-     resumed by TLS session resumption (RFC 5077). [Rainer Jung]
-
-  *) mod_proxy_ajp: Forward local IP address as a custom request attribute
-     like we already do for the remote port. [Rainer Jung]
-
-  *) mod_deflate: Don't fail when flushing inflated data to the user-agent
-     and that coincides with the end of stream ("Zlib error flushing inflate
-     buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
-
-  *) mod_cache, mod_disk_cache: With CacheLock enabled, responses with a Vary 
-     header might not get the benefit of the thundering herd protection due to 
-     an incorrect internal cache key.  PR 50317. 
-     [Ruediger Pluem, Jan Kaluza, Yann Ylavic]
-
-  *) mod_rewrite: Support session cookies with the CO= flag when later
-     parameters are used.  The doc for this implied the feature had been
-     backported for quite some time.  PR56014 [Eric Covener]
-
-  *) mod_cache: Don't remove stale cache entries that cannot be conditionally
-     revalidated. This prevents the thundering herd protection from serving
-     stale responses during a revalidation. PR 50317.
-     [Eric Covener, Jan Kaluza,  Ruediger Pluem]
-
-  *) core: Increase TCP_DEFER_ACCEPT socket option to from 1 to 30 seconds. 
-     PR 41270. [Dean Gaudet <dean arctic org>]
-
-Changes with Apache 2.2.27
-
-  *) SECURITY: CVE-2014-0098 (cve.mitre.org)
-     Clean up cookie logging with fewer redundant string parsing passes.
-     Log only cookies with a value assignment. Prevents segfaults when
-     logging truncated cookies.
-     [William Rowe, Ruediger Pluem, Jim Jagielski]
-
-  *) SECURITY: CVE-2013-6438 (cve.mitre.org)
-     mod_dav: Keep track of length of cdata properly when removing
-     leading spaces. Eliminates a potential denial of service from
-     specifically crafted DAV WRITE requests
-     [Amin Tora <Amin.Tora neustar.biz>]
-
-  *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
-     TE/CL conflicts. [Yann Ylavic <ylavic.dev gmail com>, Jim Jagielski]
-
-  *) mod_proxy_http: Core dumped under high load. PR 50335.
-     [Jan Kaluza <jkaluza redhat.com>]
-
-  *) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
-     [Christophe Jaillet]
-
-  *) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
-     is equivalent to <ProxyMatch wildcard-url>. [Christophe Jaillet]
-
-  *) mod_ldap: Fix a potential memory leak or corruption.  PR 54936.
-     [Zhenbo Xu <zhenbo1987 gmail com>]
-
-  *) mod_ssl: Do not perform SNI / Host header comparison in case of a
-     forward proxy request. [Ruediger Pluem]
-
-  *) mod_rewrite: Add mod_rewrite.h to the headers installed on Windows. 
-     PR46679 [Bob Ionescu]
-
-Changes with Apache 2.2.26
-
-  *) mod_dav: dav_resource->uri treated as unencoded. This was an
-     unnecessary ABI changed introduced in 2.2.25  PR 55397.  [Ben Reser]
-
-  *) mod_dav: Do not validate locks against parent collection of COPY
-     source URI.  PR 55304.  [Ben Reser]
-
-  *) mod_ssl: Check SNI hostname against Host header case-insensitively.
-     PR 49491.  [Mayank Agrawal <magrawal.08 gmail.com>]
-
-  *) mod_ssl: enable support for ECC keys and ECDH ciphers.  Tested against
-     OpenSSL 1.0.0b3.  [Vipul Gupta vipul.gupta sun.com, Sander Temme,
-     Stefan Fritsch]
-
-  *) mod_ssl: Change default for SSLCompression to off, as compression
-     causes security issues in most setups. (The so called "CRIME" attack).
-     [Stefan Fritsch]
-
-  *) mod_ssl: Fix compilation error when OpenSSL does not contain
-     support for SSLv2. Problem was introduced in 2.2.25. PR 55194.
-     [Rainer Jung, Kaspar Brand]
-
-  *) mod_dav: Fix double encoding of URIs in XML and Location header (caused
-     by unintential ABI change in 2.2.25).  PR 55397.  [Ben Reser] 
-
-Changes with Apache 2.2.25
-
-  *) SECURITY: CVE-2013-1896 (cve.mitre.org)
-     mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
-     the source href (sent as part of the request body as XML) pointing to a
-     URI that is not configured for DAV will trigger a segfault. [Ben Reser
-     <ben reser.org>]
-
-  *) SECURITY: CVE-2013-1862 (cve.mitre.org)
-     mod_rewrite: Ensure that client data written to the RewriteLog is
-     escaped to prevent terminal escape sequences from entering the
-     log file.  [Eric Covener, Jeff Trawick, Joe Orton]
-
-  *) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
-     strings.  The default limit for ap_pregsub() can be adjusted at compile
-      time by defining AP_PREGSUB_MAXLEN.  [Stefan Fritsch, Jeff Trawick]
-
-  *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
-     on Linux kernel versions 3.x and above.  PR 55121.  [Bradley Heilbrun
-     <apache heilbrun.org>]
-
-  *) mod_setenvif: Log error on substitution overflow.
-     [Stefan Fritsch]
-
-  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
-     [Kaspar Brand]
-
-  *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
-     forwarding to SSL backends. PR 53134.
-     [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
-
-  *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
-     in the error log to debug level.  [William Rowe]
-
-  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
-     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
-     [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
-
-  *) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
-     admin to configure an IO timeout as an error in the balancer.
-     [Daniel Ruggeri]
-
-  *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
-     password.  [Daniel Ruggeri]
-
-  *) htdigest: Fix buffer overflow when reading digest password file
-     with very long lines. PR 54893. [Rainer Jung]
-
-  *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
-     [Timothy Wood <tjw omnigroup.com>]
-
-  *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
-     we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]
-
-  *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
-     result in a 412 Precondition Failed for a COPY operation. PR54610
-     [Timothy Wood <tjw omnigroup.com>]
-
-  *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
-     property on a resource for which there is no dead property in the same
-     namespace httpd segfaults. PR 52559 [Diego Santa Cruz
-     <diego.santaCruz spinetix.com>]
-
-  *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
-     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
-
-  *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
-     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]
-
-Changes with Apache 2.2.24
-
-  *) SECURITY: CVE-2012-3499 (cve.mitre.org)
-     Various XSS flaws due to unescaped hostnames and URIs HTML output in
-     mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
-     [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
-
-  *) SECURITY: CVE-2012-4558 (cve.mitre.org)
-     XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
-     Niels Heinen <heinenn google com>]
-
-  *) mod_rewrite: Stop merging RewriteBase down to subdirectories
-     unless new option 'RewriteOptions MergeBase' is configured.
-     Merging RewriteBase was unconditionally turned on in 2.2.23.
-     PR 53963. [Eric Covener]
-
-  *) mod_ssl: Send the error message for speaking http to an https port using
-     HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
-     using SNI. PR 50823. [Stefan Fritsch]
-
-  *) mod_ssl: log revoked certificates at level INFO
-     instead of DEBUG. PR 52162. [Stefan Fritsch]
-
-  *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
-     [Rainer Jung]
-
-  *) mod_dir: Add support for the value 'disabled' in FallbackResource.
-     [Vincent Deffontaines]
-
-  *) mod_ldap: Fix regression in handling "server unavailable" errors on
-     Windows.  PR 54140.  [Eric Covener]
-
-  *) mod_ssl: fix a regression with the string rendering of the "UID" RDN
-     introduced in 2.2.15. PR 54510. [Kaspar Brand]
-     
-  *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
-     to more accurately report the negotiated protocol. PR 53916.
-     [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
-
-  *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
-     Response if they so choose to do so. Previously an attempt to cache a 206
-     was arbitrarily allowed if the response contained an Expires or
-     Cache-Control header, and arbitrarily denied if both headers were missing.
-     Currently the disk and memory cache providers do not cache 206 Partial
-     Responses. [Graham Leggett]
-
-  *) core: Remove unintentional APR 1.3 dependency introduced with
-     Apache 2.2.22. [Eric Covener]
-
-  *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
-     the chosen listener is configured for https. [Joe Orton]
-
-  *) mod_ssl: Add new directive SSLCompression to disable TLS-level
-     compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
-
-Changes with Apache 2.2.23
-
-  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
-     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
-     current working directory to be searched for DSOs. [Stefan Fritsch]
-
-  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
-     mod_negotiation: Escape filenames in variant list to prevent a
-     possible XSS for a site where untrusted users can upload files to
-     a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
-
-  *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). 
-     [Paul Wouters <pwouters redhat.com>, Joe Orton]
-
-  *) mod_ldap: Treat the "server unavailable" condition as a transient
-     error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]
-
-  *) core: Add filesystem paths to access denied / access failed messages.
-     [Eric Covener]
-
-  *) core: Fix error handling in ap_scan_script_header_err_brigade() if there
-     is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch]
-
-  *) core: Prevent "httpd -k restart" from killing server in presence of
-     config error. [Joe Orton]
-
-  *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
-     control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive,
-     adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'.
-     [Kaspar Brand, William Rowe]
-
-  *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
-     PR 53104. [Greg Ames]
-
-  *) Unix MPMs: Fix small memory leak in parent process if connect()
-     failed when waking up children.  [Joe Orton]
-
-  *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
-     [Peter Pramberger <peter pramberger.at>, Jim Jagielski]
-
-  *) Added SSLProxyMachineCertificateChainFile directive so the proxy client
-     can select the proper client certificate when using a chain and the
-     remote server only lists the root CA as allowed.
-
-  *) mpm_event, mpm_worker: Remain active amidst prevalent child process
-     resource shortages.  [Jeff Trawick]
-
-  *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]
-
-  *) mod_rewrite: Fix the RewriteEngine directive to work within a
-     location. Previously, once RewriteEngine was switched on globally,
-     it was impossible to switch off. [Graham Leggett]
-
-  *) mod_proxy_balancer: Restore balancing after a failed worker has
-     recovered when using lbmethod_bybusyness.  PR 48735.  [Jeff Trawick]
-
-  *) mod_dumpio: Properly handle errors from subsequent input filters.
-     PR 52914. [Stefan Fritsch]
-
-  *) mpm_worker: Fix cases where the spawn rate wasn't reduced after child
-     process resource shortages.  [Jeff Trawick]
-
-  *) mpm_prefork: Reduce spawn rate after a child process exits due to
-     unexpected poll or accept failure.  [Jeff Trawick]
-
-  *) core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid
-     from logging bogus data in case of errors. [Stefan Fritsch]
-
-  *) mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the
-     response is a 206 Partial Content. This stops a reverse proxied partial
-     response from becoming cached, and then being served in subsequent
-     responses. PR 49113. [Graham Leggett]
-
-  *) configure: Fix usage with external apr and apu in non-default paths
-     and recent gcc versions >= 4.6. [Jean-Frederic Clere]
-
-  *) core: Fix building against PCRE 8.30 by switching from the obsolete
-     pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]
-
-  *) mod_proxy: Add the forcerecovery balancer parameter that determines if
-     recovery for balancer workers is enforced. [Ruediger Pluem]
-
-Changes with Apache 2.2.22
-
-  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
-     Reject requests where the request-URI does not match the HTTP
-     specification, preventing unexpected expansion of target URLs in
-     some reverse proxy configurations.  [Joe Orton]
-
-  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
-     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
-     is enabled, could allow local users to gain privileges via a .htaccess
-     file. [Stefan Fritsch, Greg Ames]
-
-  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
-     Resolve additional cases of URL rewriting with ProxyPassMatch or
-     RewriteRule, where particular request-URIs could result in undesired
-     backend network exposure in some configurations.
-     [Joe Orton]
-
-  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
-     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
-     string is in use and a client sends a nameless, valueless cookie, causing
-     a denial of service. The issue existed since version 2.2.17. PR 52256.
-     [Rainer Canavan <rainer-apache 7val com>]
-
-  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
-     Fix scoreboard issue which could allow an unprivileged child process 
-     to cause the parent to crash at shutdown rather than terminate 
-     cleanly.  [Joe Orton]
-
-  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
-     Fix an issue in error responses that could expose "httpOnly" cookies
-     when no custom ErrorDocument is specified for status code 400.
-     [Eric Covener]
-
-  *) SECURITY: CVE-2012-4557 (cve.mitre.org)
-     mod_proxy_ajp: Try to prevent a single long request from marking a worker
-     in error. [Jean-Frederic Clere]
-
-  *) config: Update the default mod_ssl configuration: Disable SSLv2, only
-     allow >= 128bit ciphers, add commented example for speed optimized cipher
-     list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]
-
-  *) core: Fix segfault in ap_send_interim_response(). PR 52315.
-     [Stefan Fritsch]
-
-  *) mod_log_config: Prevent segfault. PR 50861. [Torsten F�rtsch
-     <torsten.foertsch gmx.net>]
-
-  *) mod_win32: Invert logic for env var UTF-8 fixing.
-     Now we exclude a list of vars which we know for sure they dont hold UTF-8
-     chars; all other vars will be fixed. This has the benefit that now also
-     all vars from 3rd-party modules will be fixed. PR 13029 / 34985.
-     [Guenter Knauf]
-
-  *) core: Fix hook sorting for Perl modules, a regression introduced in
-     2.2.21. PR: 45076. [Torsten Foertsch <torsten foertsch gmx net>]
-
-  *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
-     A range of '0-' will now return 206 instead of 200. PR 51878.
-     [Jim Jagielski]
-
-  *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
-     of "0").  [Rainer Jung]
-
-  *) mod_substitute: Fix buffer overrun.  [Ruediger Pluem, Rainer Jung]
-
-Changes with Apache 2.2.21
-
-  *) SECURITY: CVE-2011-3348 (cve.mitre.org)
-     mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
-     recognized.  [Jean-Frederic Clere]
-
-  *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20.
-     PR 51748. [<lowprio20 gmail.com>]
-
-  *) mod_filter: Instead of dropping the Accept-Ranges header when a filter
-     registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
-     set the header value to "none". [Eric Covener, Ruediger Pluem]
-
-  *) mod_proxy_ajp: Ignore flushing if headers have not been sent.
-     PR 51608 [Ruediger Pluem]
-
-  *) mod_dav_fs: Fix segfault if apr DBM driver cannot be loaded. PR 51751.
-     [Stefan Fritsch]
-
-  *) mod_alias: Adjust log severity of "incomplete redirection target"
-     message. PR 44020.
-
-  *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
-     RewriteEngine is disabled in server context, avoiding a crash while
-     referencing the invalid int: map at runtime. PR 50994.
-     [Ben Noordhuis <info noordhuis nl>]
-
-  *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
-     in the case Ranges are being ignored with MaxRanges none.
-     [Eric Covener]
-
-  *) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.
-     [Rainer Jung]
-
-Changes with Apache 2.2.20
-
-  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
-     core: Fix handling of byte-range requests to use less memory, to avoid
-     denial of service. If the sum of all ranges in a request is larger than
-     the original file, ignore the ranges and send the complete file.
-     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]
-
-  *) mod_authnz_ldap: If the LDAP server returns constraint violation,
-     don't treat this as an error but as "auth denied". [Stefan Fritsch]
-
-  *) mod_filter: Fix FilterProvider conditions of type "resp=" (response
-     headers) for CGI. [Joe Orton, Rainer Jung]
-
-  *) mod_reqtimeout: Fix a timed out connection going into the keep-alive
-     state after a timeout when discarding a request body. PR 51103.
-     [Stefan Fritsch]
-
-  *) core: Do the hook sorting earlier so that the hooks are properly sorted
-     for the pre_config hook and during parsing the config. [Stefan Fritsch]
-
-Changes with Apache 2.2.19
-
-  *) Revert ABI breakage in 2.2.18 caused by the function signature change
-     of ap_unescape_url_keep2f().  This release restores the signature from
-     2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
-     [Eric Covener]
-
-Changes with Apache 2.2.18
-
-  *) Log an error for failures to read a chunk-size, and return 408 instead
-     413 when this is due to a read timeout.  This change also fixes some cases
-     of two error documents being sent in the response for the same scenario.
-     [Eric Covener] PR49167
-
-  *) core: Only log a 408 if it is no keepalive timeout. PR 39785
-     [Ruediger Pluem,  Mark Montague <markmont umich.edu>]
-
-  *) core: Treat timeout reading request as 408 error, not 400.
-     Log 408 errors in access log as was done in Apache 1.3.x.
-     PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch,
-     Dan Poirier]
-
-  *) Core HTTP: disable keepalive when the Client has sent
-     Expect: 100-continue
-     but we respond directly with a non-100 response.  Keepalive here led
-     to data from clients continuing being treated as a new request.
-     PR 47087.  [Nick Kew]
-
-  *) htpasswd: Change the default algorithm for htpasswd to MD5 on all
-     platforms. Crypt with its 8 character limit is not useful anymore;
-     improve out of disk space handling (PR 30877); print a warning if
-     a password is truncated by crypt. [Stefan Fritsch]
-
-  *) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
-     Win32's cscript interpreter can only use a single quote as comment char.
-     [Guenter Knauf]
-
-  *) configure: Fix htpasswd/htdbm libcrypt link errors with some newer
-     linkers. [Stefan Fritsch]
-
-  *) MinGW build improvements.  PR 49535.  [John Vandenberg
-     <jayvdb gmail.com>, Jeff Trawick]
-
-  *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
-     [Stefan Fritsch]
-
-  *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
-     in request URL path info but not decode them. PR 35256,
-     PR 46830.  [Dan Poirier]
-
-  *) mod_rewrite: Allow to unset environment variables. PR 50746.
-     [Rainer Jung]
-
-  *) suEXEC: Add Suexec directive to disable suEXEC without renaming the
-     binary (Suexec Off), or force startup failure if suEXEC is required
-     but not supported (Suexec On).  [Jeff Trawick]
-
-  *) mod_proxy: Put the worker in error state if the SSL handshake with the
-     backend fails. PR 50332.
-     [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
-
-  *) prefork: Update MPM state in children during a graceful restart.
-     Allow the HTTP connection handling loop to terminate early
-     during a graceful restart.  PR 41743.
-     [Andrew Punch <andrew.punch 247realmedia.com>]
-
-  *) mod_ssl: Correctly read full lines in input filter when the line is
-     incomplete during first read. PR 50481. [Ruediger Pluem]
-
-  *) mod_autoindex: Merge IndexOptions from server to directory context when
-     the directory has no mod_autoindex directives. PR 47766. [Eric Covener]
-
-  *) mod_cache: Make sure that we never allow a 304 Not Modified response
-     that we asked for to leak to the client should the 304 response be
-     uncacheable. PR45341 [Graham Leggett]
-
-  *) mod_dav: Send 400 error if malformed Content-Range header is received for
-     a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]
-
-  *) mod_userdir: Add merging of enable, disable, and filename arguments
-     to UserDir directive, leaving enable/disable of userlists unmerged.
-     PR 44076 [Eric Covener]
-
-  *) core: Honor 'AcceptPathInfo OFF' during internal redirects,
-     such as per-directory mod_rewrite substitutions.  PR 50349.
-     [Eric Covener]
-
-  *) mod_cache: Check the request to determine whether we are allowed
-     to return cached content at all, and respect a "Cache-Control:
-     no-cache" header from a client. Previously, "no-cache" would
-     behave like "max-age=0". [Graham Leggett]
-
-  *) mod_mem_cache: Add a debug msg when a streaming response exceeds
-     MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary
-     'memory allocation failed' debug message. PR 49604. [Eric Covener]
-
-  *) proxy_connect: Don't give up in the middle of a CONNECT tunnel
-     when the child process is starting to exit.  PR50220. [Eric Covener]
-
-Changes with Apache 2.2.17
-
-  *) prefork MPM: Run cleanups for final request when process exits gracefully
-     to work around a flaw in apr-util.  PR 43857.  [Tom Donovan]
-
-  *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
-     connections and other protocol handlers (like mod_ftp). Enforce the
-     timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
-     close time from 30 to 2 seconds. [Stefan Fritsch]
-
-  *) Proxy balancer: support setting error status according to HTTP response
-     code from a backend.  PR 48939.  [Daniel Ruggeri <DRuggeri primary.net>]
-
-  *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
-     password to UTF-8. PR 45318.
-     [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
-
-  *) core: check symlink ownership if both FollowSymlinks and
-     SymlinksIfOwnerMatch are set [Nick Kew]
-
-  *) core: fix origin checking in SymlinksIfOwnerMatch
-     PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]
-
-  *) mod_headers: Enable multi-match-and-replace edit option
-     PR 46594 [Nick Kew]
-
-  *) mod_log_config: Make ${cookie}C correctly match whole cookie names
-     instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
-     Stefan Fritsch]
-
-  *) mod_dir, mod_negotiation: Pass the output filter information
-     to newly created sub requests; as these are later on used
-     as true requests with an internal redirect. This allows for
-     mod_cache et.al. to trap the results of the redirect.
-     PR 17629, 43939
-     [Dirk-Willem van Gulik, Jim Jagielski, Joe Orton, Ruediger Pluem]
-
-  *) rotatelogs: Fix possible buffer overflow if admin configures a
-     mongo log file path. [Jeff Trawick]
-
-  *) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]
-
-  *) vhost: A purely-numeric Host: header should not be treated as a port.
-     PR 44979 [Nick Kew]
-
-  *) core: (re)-introduce -T commandline option to suppress documentroot
-     check at startup.
-     PR 41887 [Jan van den Berg <janvdberg gmail.com>]
-
-Changes with Apache 2.2.16
-
-  *) SECURITY: CVE-2010-1452 (cve.mitre.org)
-     mod_dav, mod_cache: Fix Handling of requests without a path segment.
-     PR: 49246 [Mark Drayton, Jeff Trawick]
-
-  *) SECURITY: CVE-2010-2068 (cve.mitre.org)
-     mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
-     for platforms Windows, Netware and OS2.  PR: 49417. [Rainer Jung]
-
-  *) core: Filter init functions are now run strictly once per request
-     before handler invocation.  The init functions are no longer run
-     for connection filters.  PR 49328.  [Joe Orton]
-
-  *) mod_filter: enable it to act on non-200 responses.
-     PR 48377 [Nick Kew]
-
-  *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
-     title page only) when any mod_ldap directives were used in VirtualHost
-     context.  [Eric Covener]
-
-  *) mod_ssl: Fix segfault at startup if proxy client certs are shared
-     across multiple vhosts.  PR 39915.  [Joe Orton]
-
-  *) mod_proxy_http: Log the port of the remote server in various messages.
-     PR 48812. [Igor Galić <i galic brainsware org>]
-
-  *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
-     [Philip M. Gollucci]
-
-  *) mod_dir: add FallbackResource directive, to enable admin to specify
-     an action to happen when a URL maps to no file, without resorting
-     to ErrorDocument or mod_rewrite.  PR 47184 [Nick Kew]
-
-  *) mod_rewrite: Allow to set environment variables without explicitly
-     giving a value. [Rainer Jung]
-
-Changes with Apache 2.2.15
-
-  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
-     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
-     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
-     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
-     and offer unsafe legacy renegotiation with clients which do not yet
-     support the new secure renegotiation protocol, RFC 5746.
-     [Joe Orton, and with thanks to the OpenSSL Team]
-
-  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
-     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
-     for OpenSSL versions prior to 0.9.8l; reject any client-initiated
-     renegotiations. Forcibly disable keepalive for the connection if there
-     is any buffered data readable. Any configuration which requires
-     renegotiation for per-directory/location access control is still
-     vulnerable, unless using openssl 0.9.8l or later.
-     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
-
-  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
-     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
-     when request headers indicate a request body is incoming; not a case of
-     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]
-
-  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
-     mod_isapi: Do not unload an isapi .dll module until the request
-     processing is completed, avoiding orphaned callback pointers.
-     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
-
-  *) SECURITY: CVE-2010-0434 (cve.mitre.org)
-     Ensure each subrequest has a shallow copy of headers_in so that the
-     parent request headers are not corrupted.  Eliminates a problematic
-     optimization in the case of no request body.  PR 48359.
-     [Jake Scott, William Rowe, Ruediger Pluem]
-
-  *) mod_reqtimeout: New module to set timeouts and minimum data rates for
-     receiving requests from the client. [Stefan Fritsch]
-
-  *) mod_proxy_ajp: Really regard the operation a success, when the client
-     aborted the connection. In addition adjust the log message if the client
-     aborted the connection. [Ruediger Pluem]
-
-  *) mod_negotiation: Preserve query string over multiviews negotiation.
-     This buglet was fixed for type maps in 2.2.6, but the same issue
-     affected multiviews and was overlooked.
-     PR 33112.  [Joergen Thomsen <apache jth.net>]
-
-  *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
-     the flood of requests at bay that strike a backend webserver as
-     a cached entity goes stale. [Graham Leggett]
-
-  *) mod_proxy_http: Make sure that when an ErrorDocument is served
-     from a reverse proxied URL, that the subrequest respects the status
-     of the original request. This brings the behaviour of proxy_handler
-     in line with default_handler. PR 47106. [Graham Leggett]
-
-  *) mod_log_config: Add the R option to log the handler used within the
-     request. [Christian Folini <christian.folini netnea com>]
-
-  *) mod_include: Allow fine control over the removal of Last-Modified and
-     ETag headers within the INCLUDES filter, making it possible to cache
-     responses if desired. Fix the default value of the SSIAccessEnable
-     directive. [Graham Leggett]
-
-  *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
-     is configured for client cert auth. PR 46952.  [Joe Orton]
-
-  *) core: Fix potential memory leaks by making sure to not destroy
-     bucket brigades that have been created by earlier filters.
-     [Stefan Fritsch]
-
-  *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
-     try other providers in the case of an LDAP bind failure.
-     PR 46608.  [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
-
-  *) mod_proxy, mod_proxy_http: Support remote https proxies
-     by using HTTP CONNECT.
-     PR 19188.  [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
-
-  *) worker: Don't report server has reached MaxClients until it has.
-     Add message when server gets within MinSpareThreads of MaxClients.
-     PR 46996.  [Dan Poirier]
-
-  *) mod_ssl: When extracting certificate subject/issuer names to the
-     SSL_*_DN_* variables, handle RDNs with duplicate tags by
-     exporting multiple varialables with an "_n" integer suffix.
-     PR 45875.  [Joe Orton, Peter Sylvester <peter.sylvester edelweb.fr>]
-
-  *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
-     password now result in an informational level log entry instead of
-     warning level.  [Eric Covener]
-
-  *) core: Preserve Port information over internal redirects
-     PR 35999.  [Jonas Ringh <jonas.ringh cixit.se>]
-
-  *) mod_filter: fix FilterProvider matching where "dispatch" string
-     doesn't exist.
-     PR 48054.  [<tietew gmail.com>]
-
-  *) Build: fix --with-module to work as documented
-     PR 43881.  [Gez Saunders <gez.saunders virgin.net>]
-
-  *) mod_mime: Make RemoveType override the info from TypesConfig.
-     PR 38330.  [Stefan Fritsch]
-
-  *) mod_proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
-     rather than BAD_GATEWAY or (especially) NOT_FOUND.
-     PR 46971.  [Evan Champion <evanc nortel.com>]
-
-  *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
-     [Eric Covener]
-
-  *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
-     some cache entries and log a warning. Also increase the default
-     LDAPSharedCacheSize to 500000. This is a more realistic size suitable
-     for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
-     PR 46749.  [Stefan Fritsch]
-
-  *) mod_disk_cache, mod_mem_cache: don't cache incomplete responses,
-     per RFC 2616, 13.8.  PR15866.  [Dan Poirier]
-
-  *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
-     the request is a CONNECT request.  PR 47928.
-     [Bill Zajac <billz consultla.com>]
-
-  *) mod_cache: correctly consider s-maxage in cacheability
-     decisions.  [Dan Poirier]
-
-  *) core: Return APR_EOF if request body is shorter than the length announced
-     by the client. PR 33098.  [Stefan Fritsch]
-
-  *) mod_rewrite: Add scgi scheme detection.  [André Malo]
-
-  *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
-     LocationMatch sections.  PR 47754.  [Dan Poirier]
-
-  *) ab, mod_ssl: Restore compatibility with OpenSSL < 0.9.7g.
-     [Guenter Knauf]
-
-Changes with Apache 2.2.14
-
-  *) SECURITY: CVE-2009-2699 (cve.mitre.org)
-     Fixed in APR 1.3.9.  Faulty error handling in the Solaris pollset support
-     (Event Port backend) which could trigger hangs in the prefork and event
-     MPMs on that platform.  PR 47645.  [Jeff Trawick]
-
-  *) SECURITY: CVE-2009-3095 (cve.mitre.org)
-     mod_proxy_ftp: sanity check authn credentials.
-     [Stefan Fritsch <sf fritsch.de>, Joe Orton]
-
-  *) SECURITY: CVE-2009-3094 (cve.mitre.org)
-     mod_proxy_ftp: NULL pointer dereference on error paths.
-     [Stefan Fritsch <sf fritsch.de>, Joe Orton]
-
-  *) mod_proxy_scgi: Backport from trunk. [André Malo]
-
-  *) mod_ldap: Don't try to resolve file-based user ids to a DN when AuthLDAPURL
-     has been defined at a very high level.  PR 45946.  [Eric Covener]
-
-  *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]
-
-  *) mod_ldap: Bring the LDAPCacheEntries and LDAPOpCacheEntries
-     usage() in synch with the manual and the implementation (0 and -1
-     both disable the cache). [Eric Covener]
-
-  *) mod_ssl: The error message when SSLCertificateFile is missing should
-     at least give the name or position of the problematic virtual host
-     definition. [Stefan Fritsch sf sfritsch.de]
-
-  *) htdbm: Fix possible buffer overflow if dbm database has very
-     long values.  PR 30586 [Dan Poirier]
-
-  *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
-
-  *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
-     type.  PR 45107.  [Michael Ströder <michael stroeder.com>,
-     Peter Sylvester <peter.sylvester edelweb.fr>]
-
-  *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
-     defined session identifiers encoded in the URL when caching.
-     [Ruediger Pluem]
-
-  *) mod_mem_cache: fix seg fault under load due to pool concurrency problem
-     PR: 47672 [Dan Poirier <poirier pobox.com>]
-
-  *) mod_autoindex: Correctly create an empty cell if the description
-     for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
-
-Changes with Apache 2.2.13
-
-  *) SECURITY: CVE-2009-2412 (cve.mitre.org)
-     Distributed with APR 1.3.8 and APR-util 1.3.9 to fix potential overflow
-     in pools and rmm, where size alignment was taking place.
-     [Matt Lewis <mattlewis@google.com>, Sander Striker]
-
-  *) mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas.  Report
-     warnings compiling mod_ssl against OpenSSL to the httpd developers.
-     [Guenter Knauf]
-
-  *) mod_cgid: Do not add an empty argument when calling the CGI script.
-     PR 46380 [Ruediger Pluem]
-
-  *) Fix potential segfaults with use of the legacy ap_rputs() etc
-     interfaces, in cases where an output filter fails.  PR 36780.
-     [Joe Orton]
-
-Changes with Apache 2.2.12
-
-  *) SECURITY: CVE-2009-1891 (cve.mitre.org)
-     Fix a potential Denial-of-Service attack against mod_deflate or other
-     modules, by forcing the server to consume CPU time in compressing a
-     large file after a client disconnects.  PR 39605.
-     [Joe Orton, Ruediger Pluem]
-
-  *) SECURITY: CVE-2009-1195 (cve.mitre.org)
-     Prevent the "Includes" Option from being enabled in an .htaccess
-     file if the AllowOverride restrictions do not permit it.
-     [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
-      Ruediger Pluem, Jeff Trawick]
-
-  *) SECURITY: CVE-2009-1890 (cve.mitre.org)
-     Fix a potential Denial-of-Service attack against mod_proxy in a
-     reverse proxy configuration, where a remote attacker can force a
-     proxy process to consume CPU time indefinitely.  [Nick Kew, Joe Orton]
-
-  *) SECURITY: CVE-2009-1191 (cve.mitre.org)
-     mod_proxy_ajp: Avoid delivering content from a previous request which
-     failed to send a request body. PR 46949 [Ruediger Pluem]
-
-  *) SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
-     The bundled copy of the APR-util library has been updated, fixing three
-     different security issues which may affect particular configurations
-     and third-party modules.
-
-  *) mod_headers: Make 'Header set Content-Type' effective on responses
-     that already have a Content-Type.  [Issac Goldstand]
-
-  *) mod_include: fix potential segfault when handling back references
-     on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
-
-  *) mod_alias: check sanity in Redirect arguments.
-     PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
-
-  *) mod_proxy_http: fix Host: header for literal IPv6 addresses.
-     PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
-
-  *) mod_rewrite: Remove locking for writing to the rewritelog.
-     PR 46942
-
-  *) mod_alias: Ensure Redirect emits HTTP-compliant URLs.
-     PR 44020
-
-  *) mod_proxy_http: fix case sensitivity checking transfer encoding
-     PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
-
-  *) mod_rewrite: Fix the error string returned by RewriteRule.
-     RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
-     argument of RewriteRule was not started with "[" or not ended with "]".
-     PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
-
-  *) mod_proxy: Complete ProxyPassReverse to handle balancer URL's.  Given;
-       BalancerMember balancer://alias http://example.com/foo
-       ProxyPassReverse /bash balancer://alias/bar
-     backend url http://example.com/foo/bar/that is now translated /bash/that
-     [William Rowe]
-
-  *) New piped log syntax: Use "||process args" to launch the given process
-     without invoking the shell/command interpreter.  Use "|$command line"
-     (the default behavior of "|command line" in 2.2) to invoke using shell,
-     consuming an additional shell process for the lifetime of the logging
-     pipe program but granting additional process invocation flexibility.
-     [William Rowe]
-
-  *) mod_ssl: Add server name indication support (RFC 4366) and better
-     support for name based virtual hosts with SSL. PR 34607
-     [Peter Sylvester <peter.sylvester edelweb.fr>,
-      Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
-      Ruediger Pluem]
-
-  *) mod_negotiation: Escape pathes of filenames in 406 responses to avoid
-     HTML injections and HTTP response splitting.  PR 46837.
-     [Geoff Keating <geoffk apple.com>]
-
-  *) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
-     including multiple INCLUDES filters. PR 39369 [Joe Orton]
-
-  *) mod_rewrite: When evaluating a proxy rule in directory context, do
-     escape the filename by default. PR 46428 [Joe Orton]
-
-  *) mod_proxy_ajp: Check more strictly that the backend follows the AJP
-     protocol. [Mladen Turk]
-
-  *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
-     to enable stricter checking of remote server certificates.
-     [Ruediger Pluem]
-
-  *) mod_substitute: Fix a memory leak. PR 44948
-     [Dan Poirier <poirier pobox.com>]
-
-  *) mod_proxy_ajp: Forward remote port information by default.
-     [Rainer Jung]
-
-  *) mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
-     directive to correctly remove headers before storing them.
-     [Lars Eilebrecht]
-
-  *) mod_deflate: revert changes in 2.2.8 that caused an invalid
-     etag to be emitted for on-the-fly gzip content-encoding.
-     PR 39727 will require larger fixes and this fix was far more
-     harmful than the original code. PR 45023. [Roy T. Fielding]
-
-  *) mod_disk_cache: The module now turns off sendfile support if
-     'EnableSendfile off' is defined globally. PR 41218.
-     [Lars Eilebrecht, Issac Goldstand]
-
-  *) prefork: Fix child process hang during graceful restart/stop in
-     configurations with multiple listening sockets.  PR 42829.  [Joe Orton,
-     Jeff Trawick]
-
-  *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the
-     size of the buffer used for the request-body where necessary
-     during a per-dir renegotiation.  PR 39243.  [Joe Orton]
-
-  *) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
-     way that per-directory rewrites append the previous notion of PATH_INFO
-     to each substitution before evaluating subsequent rules.
-     PR38642 [Eric Covener]
-
-  *) mod_authnz_ldap: Reduce number of initialization debug messages and make
-     information more clear. PR 46342 [Dan Poirier]
-
-  *) mod_cache: Introduce 'no-cache' per-request environment variable
-     to prevent the saving of an otherwise cacheable response.
-     [Eric Covener]
-
-  *) core: Translate the status line to ASCII on EBCDIC platforms in
-     ap_send_interim_response() and for locally generated "100 Continue"
-     responses.  [Eric Covener]
-
-  *) CGI: return 504 (Gateway timeout) rather than 500 when a script
-     times out before returning status line/headers.
-     PR 42190 [Nick Kew]
-
-  *) prefork: Log an error instead of segfaulting when child startup fails
-     due to pollset creation failures.  PR 46467.  [Jeff Trawick]
-
-  *) mod_ext_filter: fix error handling when the filter prog fails to start,
-     and introduce an onfail configuration option to abort the request
-     or to remove the broken filter and continue.
-     PR 41120 [Nick Kew]
-
-  *) mod_include: support generating non-ASCII characters as entities in SSI
-     PR 25202 [Nick Kew]
-
-  *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII
-     chars [Nick Kew]
-
-  *) mod_rewrite: fix "B" flag breakage by reverting r589343
-     PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]
-
-  *) mod_cgid: fix segfault problem on solaris.
-     PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>, Jeff Trawick]
-
-  *) mod_ldap: Avoid a segfault when result->rc is checked in
-     uldap_connection_init when result is NULL. This could happen if LDAP
-     initialization failed.  PR 45994. [Dan Poirier <poirier pobox.com>]
-
-  *) Set Listen protocol to "https" if port is set to 443 and no proto is
-     specified (as documented but not implemented). PR 46066
-     [Dan Poirier <poirier pobox.com>]
-
-  *) mod_cache: Correctly save Content-Encoding of cachable entity. PR 46401
-     [Dan Poirier <poirier pobox.com>]
-
-  *) Output -M and -S dumps (modules and vhosts) to stdout instead of stderr.
-     PR 42571 and PR 44266 (dup).  [Dan Poirier <poirier pobox.com>]
-
-  *) mod_cache: When an explicit Expires or Cache-Control header is set, cache
-     normally non-cacheable response statuses. PR 46346.
-     [Alex Polvi <alex polvi.net>]
-
-Changes with Apache 2.2.11
-
-  *) core: When the ap_http_header_filter processes an error bucket, cleanup
-     the passed brigade before returning AP_FILTER_ERROR down the filter
-     chain. This unambiguously ensures the same error bucket isn't revisited
-     [Ruediger Pluem]
-
-  *) core: Error responses set by filters were being coerced into 500 errors,
-     sometimes appended to the original error response. Log entry of:
-     'Handler for (null) returned invalid result code -3'
-     [Eric Covener]
-
-  *) configure: Don't reject libtool 2.x
-     PR 44817 [Arfrever Frehtes Taifersar Arahesis <Arfrever.FTA gmail.com>]
-
-  *) mod_autoindex: add configuration option to insert string
-     in HTML HEAD (IndexHeadInsert). [Nick Kew]
-
-  *) Add new LogFormat parameter, %k, which logs the number of
-     keepalive requests on this connection for this request.
-     PR 45762 [Dan Poirier <poirier pobox.com>, Jim Jagielski]
-
-  *) Export and install the mod_rewrite.h header to ensure the optional
-     rewrite_mapfunc_t and ap_register_rewrite_mapfunc functions are
-     available to third party modules. [Graham Leggett]
-
-  *) mod_cache: Convert age of cached object to seconds before comparing it to
-     age supplied by the request when checking whether to send a Warning
-     header for a stale response. PR 39713. [Owen Taylor <otaylor redhat.com>]
-
-  *) Build: Correctly set SSL_LIBS during openssl detection if pkgconfig is
-     not available. PR 46018 [Ruediger Pluem]
-
-  *) mod_proxy_ajp: Do not fail if response data is sent before all request
-     data is read. PR 45911 [Ruediger Pluem]
-
-  *) mod_proxy_balancer: Add in forced recovery for balancer members if
-     all are in error state. [Mladen Turk]
-
-  *) mod_proxy: Prevent segmentation faults by correctly adjusting the
-     lifetime of the buckets read from the proxy backend. PR 45792
-     [Ruediger Pluem]
-
-  *) mod_expires: Do not sets negative max-age / Expires header in the past.
-     PR 39774 [Jim Jagielski]
-
-  *) mod_info: Was displaying the wrong value for the KeepAliveTimeout
-     value. [Jim Jagielski]
-
-  *) mod_proxy_ajp: Fix wrongly formatted requests where client
-     sets Content-Length header, but doesn't provide a body.
-     Servlet container always expects that next packet is
-     body whenever C-L is present in the headers. This can lead
-     to wrong interpretation of the packets. In this case
-     send the empty body packet, so container can deal with
-     that. [Mladen Turk]
-
-  *) core: Add ap_timeout_parameter_parse to public API. [Ruediger Pluem]
-
-  *) mod_proxy: Add the possibility to set the worker parameters
-     connectiontimeout and ping in milliseconds. [Ruediger Pluem]
-
-  *) Worker MPM: Crosscheck that idle workers are still available before using
-     them and thus preventing an overflow of the worker queue which causes
-     a SegFault. PR 45605 [Denis Ustimenko <denusk gmail.com>]
-
-  *) Windows: Always build the odbc dbd driver on windows, to be consistent
-     with the apr-util default. [Tom Donovan]
-
-Changes with Apache 2.2.10
-
-  *) SECURITY: CVE-2008-2939 (cve.mitre.org)
-     mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
-     the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
-
-  *) mod_authz_host: Add support for env=!envvar [Jim Jagielski]
-
-  *) Allow for smax to be 0 for balancer members so that all idle
-     connections are able to be dropped should they exceed ttl.
-     PR 43371 [Phil Endecott <spam_from_apache_bugzilla chezphil.org>,
-     Jim Jagielski]
-
-  *) mod_proxy_http: Don't trigger a retry by the client if a failure to
-     read the response line was the result of a timeout.
-     [Adam Woodworth <mirkperl gmail.com>]
-
-  *) Support chroot on Unix-family platforms
-     PR 43596 [Dimitar Pashev <mitko banksoft-bg.com>]
-
-  *) mod_ssl: implement dynamic mutex callbacks for the benefit of
-     OpenSSL.  [Sander Temme]
-
-  *) mod_proxy_balancer: Add 'bybusyness' load balance method.
-     [Joel Gluth <joelgluth yahoo.com.au>, Jim Jagielski]
-
-  *) mod_authn_alias: Detect during startup when AuthDigestProvider
-     is configured to use an incompatible provider via AuthnProviderAlias.
-     PR 45196 [Eric Covener]
-
-  *) mod_proxy: Add 'scolonpathdelim' parameter to allow for ';' to also be
-     used as a session path separator/delim  PR 45158. [Jim Jagielski]
-
-  *) mod_charset_lite: Avoid dropping error responses by handling meta buckets
-     correctly. PR 45687 [Dan Poirier <poirier pobox.com>]
-
-  *) mod_proxy_http: Introduce environment variable proxy-initial-not-pooled
-     to avoid reusing pooled connections if the client connection is an
-     initial connection. PR 37770. [Ruediger Pluem]
-
-  *) mod_rewrite: Allow Cookie option to set secure and HttpOnly flags.
-     PR 44799 [Christian Wenz <christian wenz.org>]
-
-  *) mod_ssl: Rewrite shmcb to avoid memory alignment issues.  PR 42101.
-     [Geoff Thorpe]
-
-  *) mod_proxy: Add connectiontimeout parameter for proxy workers in order to
-     be able to set the timeout for connecting to the backend separately.
-     PR 45445. [Ruediger Pluem, rahul <rahul sun.com>]
-
-  *) mod_dav_fs: Retrieve minimal system information about directory
-     entries when walking a DAV fs, resolving a performance degradation on
-     Windows.  PR 45464.  [Joe Orton, Jeff Trawick]
-
-  *) mod_cgid: Pass along empty command line arguments from an ISINDEX
-     query that has consecutive '+' characters in the QUERY_STRING,
-     matching the behavior of mod_cgi.
-     [Eric Covener]
-
-  *) mod_headers: Prevent Header edit from processing only the first header
-     of possibly multiple headers with the same name and deleting the
-     remaining ones. PR 45333.  [Ruediger Pluem]
-
-  *) mod_proxy_balancer: Move nonce field in the balancer manager page inside
-     the html form where it belongs. PR 45578. [Ruediger Pluem]
-
-  *) mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to
-     known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
-     [Ruediger Pluem]
-
-  *) mod_rewrite: Preserve the query string when [proxy,noescape]. PR 45247.
-     [Tom Donovan]
-
-Changes with Apache 2.2.9
-
-  *) SECURITY: CVE-2008-2364 (cve.mitre.org)
-     mod_proxy_http: Better handling of excessive interim responses
-     from origin server to prevent potential denial of service and high
-     memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
-     Joe Orton, Jim Jagielski]
-
-  *) SECURITY: CVE-2007-6420 (cve.mitre.org)
-     mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager
-     interface.  [Joe Orton]
-
-  *) core: Fix address-in-use startup failure on some platforms caused
-     by creating an IPv4 listener which overlaps with an existing IPv6
-     listener.  [Jeff Trawick]
-
-  *) mod_proxy: Make all proxy modules nocanon aware and do not add the
-     query string again in this case. PR 44803.
-     [Jim Jagielski, Ruediger Pluem]
-
-  *) mod_unique_id: Fix timestamp value in UNIQUE_ID.
-     PR 37064 [Kobayashi <kobayashi firstserver.co.jp>]
-
-  *) htpasswd: Fix salt generation weakness. PR 31440
-     [Andreas Krennmair <ak synflood.at>, Peter Watkins <peterw tux.org>,
-     Paul Querna]
-
-  *) core: Add the filename of the configuration file to the warning message
-     about the useless use of AllowOverride. PR 39992.
-     [Darryl Miles <darryl darrylmiles.org>]
-
-  *) scoreboard: Remove unused proxy load balancer elements from scoreboard
-     image (not scoreboard memory itself).  [Chris Darroch]
-
-  *) mod_proxy: Support environment variable interpolation in reverse
-     proxying directives. [Nick Kew]
-
-  *) suexec: When group is given as a numeric gid, validate it by looking up
-     the actual group name such that the name can be used in log entries.
-     PR 7862 [<y-koga apache.or.jp>, Leif W <warp-9.9 usa.net>]
-
-  *) Fix garbled TRACE response on EBCDIC platforms.
-     [David Jones <oscaremma gmail.com>]
-
-  *) ab: Include <limits.h> earlier if available since we may need
-     INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS.
-     PR 45024 [Ruediger Pluem]
-
-  *) ab: Improve client performance by clearing connection pool instead
-     of destroying it. PR 40054 [Brad Roberts <braddr puremagic.com>]
-
-  *) ab: Don't stop sending a request if EAGAIN is returned, which
-     will only happen if both the write and subsequent wait are
-     returning EAGAIN, and count posted bytes correctly when the initial
-     write of a request is not complete. PR 10038, 38861, 39679
-     [Patrick McManus <mcmanus datapower.com>,
-      Stefan Fleiter <stefan.fleiter web.de>,
-      Davanum Srinivas, Roy T. Fielding]
-
-  *) ab: Overhaul stats collection and reporting to avoid integer
-     truncation and time divisions within the test loop, retain
-     native time resolution until output, remove unused data,
-     consistently round milliseconds, and generally avoid losing
-     accuracy of calculation due to type casts. PR 44878, 44931.
-     [Roy T. Fielding]
-
-  *) ab: Add -r option to continue after socket receive errors.
-     [Filip Hanik <devlist hanik.com>]
-
-  *) core: Do not allow Options ALL if not all options are allowed to be
-     overwritten. PR 44262 [Michał Grzędzicki <lazy iq.pl>]
-
-  *) mod_cache: Handle If-Range correctly if the cached resource was stale.
-     PR 44579 [Ruediger Pluem]
-
-  *) mod_proxy: Do not try a direct connection if the connection via a
-     remote proxy failed before and the request has a request body.
-     [Ruediger Pluem]
-
-  *) mod_proxy_ajp: Do not retry request in the case that we either failed to
-     sent a part of the request body or if the request is not idempotent.
-     PR 44334 [Ruediger Pluem]
-
-  *) mod_rewrite: Initialize hash needed by ap_register_rewrite_mapfunc early
-     enough. PR 44641 [Daniel Lescohier <daniel.lescohier cnet.com>]
-
-  *) mod_dav: Return "method not allowed" if the destination URI of a WebDAV
-     copy / move operation is no DAV resource. PR 44734 [Ruediger Pluem]
-
-  *) http_filters: Don't return 100-continue on redirects. PR 43711
-     [Ruediger Pluem]
-
-  *) mod_ssl: Fix a memory leak with connections that have zlib compression
-     turned on. PR 44975 [Joe Orton, Amund Elstad <Amund.Elstad ist.com>,
-     Dr Stephen Henson <steve openssl.org>]
-
-  *) mod_proxy: Trigger a retry by the client in the case we fail to read the
-     response line from the backend by closing the connection to the client.
-     PR 37770 [Ruediger Pluem]
-
-  *) gen_test_char: add double-quote to the list of T_HTTP_TOKEN_STOP.
-     PR 9727 [Ville Skytt <ville.skytta iki.fi>]
-
-  *) core: reinstate location walk to fix config for subrequests
-     PR 41960 [Jose Kahan <jose w3.org>]
-
-  *) rotatelogs: Log the current file size and error code/description
-     when failing to write to the log file.  [Jeff Trawick]
-
-  *) rotatelogs: Added '-f' option to force rotatelogs to create the
-     logfile as soon as started, and not wait until it reads the
-     first entry. [Jim Jagielski]
-
-  *) rotatelogs: Don't leak memory when reopening the logfile.
-     PR 40183 [Ruediger Pluem, Takashi Sato <serai lans-tv.com>]
-
-  *) rotatelogs: Improve atomicity when using -l and cleaup code.
-     PR 44004 [Rainer Jung]
-
-  *) mod_authn_dbd: Disambiguate and tidy database authentication
-     error messages.  PR 43210.  [Chris Darroch, Phil Endecott
-     <spam_from_apache_bugzilla chezphil.org>]
-
-  *) mod_headers: Add 'merge' option to avoid duplicate values within
-     the same header. [Chris Darroch]
-
-  *) mod_cgid: Explicitly set permissions of the socket (ScriptSock) shared by
-     mod_cgid and request processing threads, for OS'es such as HPUX and AIX
-     that do not use umask for AF_UNIX socket permissions.
-     [Eric Covener, Jeff Trawick]
-
-  *) mod_cgid: Don't try to restart the daemon if it fails to initialize
-     the socket.  [Jeff Trawick]
-
-  *) mod_log_config: Add format options for %p so that the actual local
-     or remote port can be logged.  PR 43415.  [Adam Hasselbalch Hansen
-     <ahh@one.com>, Ruediger Pluem, Jeff Trawick]
-
-  *) Added 'disablereuse' option for ProxyPass which, essentially,
-     disables connection pooling for the backend servers.
-     [Jim Jagielski]
-
-  *) mod_speling: remove regression from 1.3/2.0 behavior and
-     drop dependency between mod_speling and AcceptPathInfo.
-     PR 43562 [Jose Kahan <jose w3.org>]
-
-  *) mod_substitute: The default is now flattening the buckets after
-     each substitution. The newly added 'q' flag allows for the
-     quicker, more efficient bucket-splitting if the user so
-     desires. [Jim Jagielski]
-
-  *) http_filters: Don't spin if get an error when reading the
-     next chunk. PR 44381 [Ruediger Pluem]
-
-  *) ab: Do not try to read non existing response bodies of HEAD requests.
-     PR 34275 [Takashi Sato <serai lans-tv.com>]
-
-  *) ab: Use a 64 bit unsigned int instead of a signed long to count the
-     bytes transferred to avoid integer overflows. PR 44346 [Ruediger Pluem]
-
-  *) ProxyPassReverse is now balancer aware. [Jim Jagielski]
-
-  *) mod_include: Correctly handle SSI directives split over multiple filter
-     passes.  PR 44447 [Harald Niesche <harald brokenerror.de>]
-
-  *) mod_cache: Revalidate cache entities which have Cache-Control: no-cache
-     set in their response headers. PR 44511 [Ruediger Pluem]
-
-  *) mod_rewrite: Check all files used by DBM maps for freshness, mod_rewrite
-     didn't pick up on updated sdbm maps due to this.
-     PR41190 [Niklas Edmundsson]
-
-  *) mod_proxy: Lower memory consumption for short lived connections.
-     PR 44026. [Ruediger Pluem]
-
-  *) mod_proxy: Keep connections to the backend persistent in the HTTPS case.
-     [Ruediger Pluem]
-
-  *) Don't add bogus duplicate Content-Language entries
-     PR 11035 [Davi Arnaut]
-
-  *) Worker / Event MPM: Fix race condition in pool recycling that leads to
-     segmentation faults under load.  PR 44402
-     [Basant Kumar Kukreja <basant.kukreja sun.com>]
-
-  *) mod_proxy_ftp: Fix base for directory listings.
-     PR 27834 [Nick Kew]
-
-  *) mod_logio: Provide optional function to allow modules to adjust the
-     bytes_in count [Eric Covener]
-
-  *) http_filters: Don't return 100-continue on client error
-     PR 43711 [Chetan Reddy <chetanreddy gmail.com>]
-
-  *) mod_charset_lite: Add TranslateAllMimeTypes sub-option to
-     CharsetOptions, allowing the administrator to skip the
-     mimetype checking that precedes translation.
-     PR 44458 [Eric Covener]
-
-  *) mod_proxy_http: Fix processing of chunked responses if
-     Connection: Transfer-Encoding is set in the response of the proxied
-     system. PR 44311 [Ruediger Pluem]
-
-  *) mod_proxy_http: Return HTTP status codes instead of apr_status_t
-     values for errors encountered while forwarding the request body
-     PR 44165 [Eric Covener]
-
-  *) mod_rewrite: Don't canonicalise URLs with [P,NE]
-     PR 43319 [<rahul sun.com>]
-
-Changes with Apache 2.2.8
-
-  *) core: Fix regression in 2.2.7 in chunk filtering with massively
-     chunked requests.  [Ruediger Pluem, Nick Kew]
-
-  *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
-     to /Device/Nul as the server is starting up, mirroring unix MPM's.
-     PR: 43534  [Tom Donovan <Tom.Donovan acm.org>, William Rowe]
-
-  *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
-     by recreating the bucket allocator each time the trans pool is cleared.
-     PR: 11427 #16 (follow-on)  [Tom Donovan <Tom.Donovan acm.org>]
-
-  *) mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals.
-     PR 38034 [Paritosh Shah <shah.paritosh gmail.com>]
-
-Changes with Apache 2.2.7 (not released)
-
-  *) SECURITY: CVE-2007-6421 (cve.mitre.org)
-     mod_proxy_balancer: Correctly escape the worker route and the worker
-     redirect string in the HTML output of the balancer manager.
-     Reported by SecurityReason. [Ruediger Pluem]
-
-  *) SECURITY: CVE-2007-6422 (cve.mitre.org)
-     Prevent crash in balancer manager if invalid balancer name is passed
-     as parameter. Reported by SecurityReason. [Ruediger Pluem]
-
-  *) SECURITY: CVE-2007-6388 (cve.mitre.org)
-     mod_status: Ensure refresh parameter is numeric to prevent
-     a possible XSS attack caused by redirecting to other URLs.
-     Reported by SecurityReason.  [Mark Cox, Joe Orton]
-
-  *) SECURITY: CVE-2007-5000 (cve.mitre.org)
-     mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.
-     [Joe Orton]
-
-  *) SECURITY: CVE-2008-0005 (cve.mitre.org)
-     Introduce the ProxyFtpDirCharset directive, allowing the administrator
-     to identify a default, or specific servers or paths which list their
-     contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]
-
-  *) mod_dav: Adjust etag generation to produce identical results on 32-bit
-     and 64-bit platforms and avoid a regression with conditional PUT's on
-     lock and etag. PR 44152.
-     [Michael Clark <michael metaparadigm.com>, Ruediger Pluem]
-
-  *) mod_ssl: Fix handling of the buffered request body during a per-location
-     renegotiation, when an internal redirect occurs.  PR 43738.
-     [Joe Orton]
-
-  *) mod_ldap: Try to establish a new backend LDAP connection when the
-     Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the
-     LDAP server has closed the connection due to a timeout.
-     PR 39095 [Eric Covener]
-
-  *) log.c: Ensure Win32 resurrects its lost robust logger processes.
-     [William Rowe]
-
-  *) mod_disk_cache: Delete temporary files if they cannot be renamed to their
-     final name. [Davi Arnaut <davi haxent.com.br>]
-
-  *) Add explicit charset to the output of various modules to work around
-     possible cross-site scripting flaws affecting web browsers that do not
-     derive the response character set as required by  RFC2616.  One of these
-     reported by SecurityReason [Joe Orton]
-
-  *) http_protocol: Escape request method in 405 error reporting.
-     This has no security impact since the browser cannot be tricked
-     into sending arbitrary method strings.  [Jeff Trawick]
-
-  *) mod_ssl: Fix SSL client certificate extensions parsing bug. PR 44073.
-     [yl <yl bee-ware.net>]
-
-  *) mod_proxy_ajp: Use 64K as maximum AJP packet size. This is the maximum
-     length we can squeeze inside the AJP message packet.
-     [Mladen Turk]
-
-  *) core: Lower memory consumption of ap_r* functions by reusing the brigade
-     instead of recreating it during each filter pass.
-     [Stefan Fritsch <sf sfritsch.de>]
-
-  *) core: Lower memory consumption in case that flush buckets are passed thru
-     the chunk filter as last bucket of a brigade. PR 23567.
-     [Stefan Fritsch <sf sfritsch.de>]
-
-  *) core: Fix broken chunk filtering that causes all non blocking reads to be
-     converted into blocking reads.  PR 19954, 41056.
-     [Jean-Frederic Clere, Jim Jagielski]
-
-  *) mod_rewrite: Add the novary flag to RewriteCond.
-     [Ruediger Pluem]
-
-  *) core: Change etag generation to produce identical results on
-     32-bit and 64-bit platforms.  PR 40064.  [Joe Orton]
-
-  *) http_protocol: Escape request method in 413 error reporting.
-     Determined to be not generally exploitable, but a flaw in any case.
-     PR 44014 [Victor Stinner <victor.stinner inl.fr>]
-
-  *) mod_filter: Don't segfault on (unsupported) chained FilterProvider usage.
-     PR 43956 [Nick Kew, Ruediger Pluem]
-
-  *) core: Handle unrecognised transfer-encodings.
-     PR 43882 [Nick Kew, Jeff Trawick]
-
-  *) mod_include: Add an "if" directive syntax to test whether an URL
-     is accessible, and if so, conditionally display content. This
-     allows a webmaster to hide a link to a private page when the user
-     has no access to that page. [Graham Leggett]
-
-  *) Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009
-     [Christophe Jaillet <christophe.jaillet wanadoo.fr>]
-
-  *) mod_proxy_http: Correctly forward unexpected interim (HTTP 1xx)
-     responses from the backend according to RFC2616.  But make it
-     configurable in case something breaks on it.
-     PR 16518 [Nick Kew]
-
-  *) mod_substitute: Added a new output filter, which performs
-     inline response content pattern matching (including regex)
-     and substitution.  [Jim Jagielski, Ruediger Pluem]
-
-  *) rotatelogs: Change command-line parsing to report more types
-     of errors.  Allow local timestamps to be used when rotating based
-     on file size.  [Jeff Trawick]
-
-  *) mod_proxy: Canonicalisation improvements. Add "nocanon" keyword to
-     ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also,
-     don't escape/unescape forward-proxied URLs.
-     PR 41798, 42592 [Nick Kew, Ruediger Pluem, Roy Fielding, Jim Jagielski]
-
-  *) mod_status: Add SeeRequestTail directive, which determines if
-     ExtendedStatus displays the 1st 63 characters of the request
-     or the last 63. Useful for those requests with large string
-     lengths and which only vary with the last several characters.
-     [Jim Jagielski]
-
-  *) mod_ssl: Prevent memory corruption of version string.
-     PR 43865, 43334 [William Rowe, Joe Orton]
-
-  *) core: Avoid some unexpected connection closes by telling the client
-     that the connection is not persistent if the MPM process handling
-     the request is already exiting when the response header is built.
-     [Jeff Trawick]
-
-  *) mod_autoindex: Generate valid XHTML output by adding the xhtml
-     namespace. PR 43649 [Jose Kahan <jose w3.org>]
-
-  *) mod_ldap: Give callers a reference to data copied into the request
-     pool instead of references directly into the cache
-     PR 43786 [Eric Covener]
-
-  *) mod_ldap: Stop passing a reference to pconf around for
-     (limited) use during request processing, avoiding possible
-     memory corruption and crashes.  [Eric Covener]
-
-  *) Event MPM: Add support for running under mod_ssl, by reverting to the
-     Worker MPM behaviors, when run under an input filter that buffers
-     its own data. [Paul Querna]
-
-  *) mod_charset_lite: Don't crash when the request has no associated
-     filename.  [Jeff Trawick]
-
-  *) Core: fix possible crash at startup in case of nonexistent DocumentRoot.
-     PR 39722 [Adrian Buckley <adrian.buckley ntlworld.com>]
-
-  *) HTTP protocol: Add "DefaultType none" option.
-     PR 13986 and PR 16139 [Nick Kew]
-
-  *) mod_rewrite: Add option to suppress URL unescaping
-     PR 34602 [Guenther Gsenger <guenther.gsenger gmail.com>]
-
-  *) mpm_winnt: Eliminate wait_for_many_objects.  Allows the clean
-     shutdown of the server when the MaxClients is higher then 257,
-     in a more responsive manner [Mladen Turk, William Rowe]
-
-  *) mod_proxy_http: Remove Warning headers with wrong date
-     PR 16138 [Nick Kew]
-
-  *) mod_proxy_http: Correctly parse all Connection headers in proxy.
-     PR 43509 [Nick Kew]
-
-  *) mod_proxy_http: add Via header correctly (if enabled) to
-     response, even where other Via headers exist.
-     PR 19439 [Nick Kew]
-
-  *) http_core: OPTIONS * no longer maps to local storage or URI
-     space. Note that unlike previous versions, OPTIONS * no
-     longer returns an Allow: header. PR 43519 [Jim Jagielski]
-
-  *) mod_proxy_http: strip hop-by-hop response headers
-     PR 43455 [Nick Kew]
-
-  *) mod_proxy: Don't by default violate RFC2616 by setting
-     Max-Forwards when the client didn't send it to us.
-     Leave that as a configuration option.
-     PR 16137 [Nick Kew]
-
-  *) scoreboard: improve error message on apr_shm_create failure
-     PR 40037 [Nick Kew]
-
-  *) proxy: Fix persistent backend connections.
-     PR 43472 [Ruediger Pluem]
-
-  *) mod_deflate: initialise inflate-out filter correctly when the
-     first brigade contains no data buckets.
-     PR 43512 [Nick Kew]
-
-  *) mod_proxy_ajp: Ignore any ajp13 flush packets received before
-     we send the response headers. See Tomcat PR 43478.
-     [Jim Jagielski]
-
-  *) mod_proxy_balancer: Do not reset lbstatus, lbfactor and lbset when
-     starting a new child.
-     PR 39907 [Vinicius Petrucci <vpetrucci gmail.com>, Ruediger Pluem]
-
-  *) mod_proxy_http: Propagate Proxy-Authorization header correctly.
-     PR 25947 [Nick Kew]
-
-  *) mod_proxy_ajp: Differentiate within AJP between GET and HEAD
-     requests. PR 43060 [Jim Jagielski]
-
-  *) Don't send spurious "100 Continue" response lines.
-     PR 38014 [Basant Kumar Kukreja <basant.kukreja sun.com>]
-
-  *) mod_proxy_ftp: Don't segfault on bad line in FTP listing
-     PR 40733 [Ulf Harnhammar <metaur telia.com>]
-
-  *) mod_proxy: escape error-notes correctly
-     PR 40952 [Thijs Kinkhorst <thijs debian.org>]
-
-  *) mod_proxy: check ProxyBlock for all blocked addresses
-     PR 36987 [Timo Viipuri <timo.viipuri f-secure.com>]
-
-  *) mod_proxy: Don't lose bytes when a response line arrives in small chunks.
-     PR 40894 [Andrew Rucker Jones <arjones simultan.dyndns.org>]
-
-Changes with Apache 2.2.6
-
-  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
-     mod_proxy: Prevent reading past the end of a buffer when parsing
-     date-related headers.  PR 41144.
-     [Davi Arnaut, Nick Kew]
-
-  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
-     mod_cache: Prevent a segmentation fault if attributes are listed in a
-     Cache-Control header without any value.
-     [Niklas Edmundsson <nikke acc.umu.se>]
-
-  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
-     prefork, worker, event MPMs: Ensure that the parent process cannot
-     be forced to kill processes outside its process group.
-     [Joe Orton, Jim Jagielski]
-
-  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
-     mod_status: Fix a possible XSS attack against a site with a public
-     server-status page and ExtendedStatus enabled, for browsers which
-     perform charset "detection".  Reported by Stefan Esser.  [Joe Orton]
-
-  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
-     mod_mem_cache: Copy headers into longer lived storage; header names and
-     values could previously point to cleaned up storage.  PR 41551.
-     [Davi Arnaut <davi haxent.com.br>]
-
-  *) mod_info: mod_info outputs invalid XHTML 1.0 transitional.
-     PR 42847 [Rici Lake <rici ricilake.net>]
-
-  *) mod_ssl: Fix spurious hostname mismatch warning for valid
-     wildcard certificates.  PR 37911.  [Nick Burch <nick torchbox.com>]
-
-  *) mod_mem_cache: Increase the minimum and default value for
-     MCacheMinObjectSize from 0 to 1, as a MCacheMinObjectSize of 0 does not
-     make sense and leads to a division by zero.  PR 40576.
-     [Xuekun Hu <xuekun.hu gmail.com>]
-
-  *) mod_cache: Remove expired content from cache that cannot be revalidated.
-     PR 30370. [Ruediger Pluem]
-
-  *) mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as synonymous.
-     PR 43183 [Brian Rectanus <Brian.Rectanus breach.com>, Vincent Bray]
-
-  *) mod_proxy: Ensure that at least scheme://hostname[:port] matches between
-     worker and URL when searching for the best fitting worker for a given
-     URL.  PR 40910 [Ruediger Pluem]
-
-  *) mod_proxy: Improve network performance by setting APR_TCP_NODELAY
-     (disable Nagle algorithm) on sockets if implemented.
-     PR 42871 [Christian BOITEL <christian_boitel yahoo.fr>, Jim Jagielski]
-
-  *) core: Do not replace a Date header set by a proxied backend server.
-     PR 40232 [Ruediger Pluem]
-
-  *) mod_proxy: Add a missing assignment in an error checking code path.
-     PR 40865 [Andrew Rucker Jones <arjones simultan.dyndns.org>]
-
-  *) mod_proxy_connect: avoid segfault on DNS lookup failure.
-     PR 40756 [Trevin Beattie <tbeattie boingo.com>]
-
-  *) mod_proxy: enable Ignore Errors option on ProxyPass Status.
-     PR 43167 [Francisco Gimeno <kikov kikov.org>
-
-  *) mod_proxy_http: Don't try to read body of a HEAD request before
-     responding.  PR 41644 [Stuart Children <stuart terminus.co.uk>]
-
-  *) mod_authnz_ldap: Don't return HTTP_UNAUTHORIZED during authorization when
-     LDAP authentication is configured but we haven't seen any
-     'Require ldap-*' directives, allowing authorization to be passed to lower
-     level modules (e.g. Require valid-user)
-     PR 43281 [Eric Covener]
-
-  *) mod_proxy: don't URLencode tilde in path component
-     PR 38448 [Stijn Hoop <stijn sandcat.nl>]
-
-  *) proxy/ajp_header.c: Fixed header token string comparisons
-     Matching of header tokens failed to include the trailing NIL byte
-     and could misinterpret a longer header token for a shorter.
-     Additionally, a "Content-Type" comparison was made case insensitive.
-     [Martin Kraemer]
-
-  *) proxy/ajp_header.c: Backport of an AJP protocol fix for EBCDIC
-     On EBCDIC machines, the status_line string was incorrectly converted
-     twice. [Jean-Frederic Clere, Martin Kraemer]
-
-  *) mod_dumpio: Fix for correct dumping of traffic on EBCDIC hosts
-     Data had been incorrectly converted twice, resulting in
-     garbled log output. [Martin Kraemer]
-
-  *) mod_autoindex: Add in Type and Charset options to IndexOptions
-     directive. This allows the admin to explicitly set the
-     content-type and charset of the generated page and is therefore
-     a viable workaround for buggy browsers affected by CVE-2007-4465
-     (cve.mitre.org). [Jim Jagielski]
-
-  *) log core: ensure we use a special pool for stderr logging, so that
-     the stderr channel remains valid from the time plog is destroyed,
-     until the time the open_logs hook is called again.  [William Rowe]
-
-  *) mod_negotiation: preserve Query String in resolving a type map
-     PR 33112 [Jørgen Thomsen <apache jth.net>, Nick Kew]
-
-  *) mod_ssl: Version reporting update; displays 'compiled against'
-     Apache and build-time SSL Library versions at loglevel [info],
-     while reporting the run-time SSL Library version in the server
-     info tags.  Helps to identify a mod_ssl built against one flavor
-     of OpenSSL but running against another (also adds SSL-C version
-     number reporting.)  [William Rowe]
-
-  *) mime.types: Many updates to sync with IANA registry and common
-     unregistered types that the owners refuse to register.  Admins
-     are encouraged to update their installed mime.types file.
-     PR: 35550, 37798, 39317, 31483 [Roy T. Fielding]
-
-  *) mod_expires: don't crash on bad configuration data
-     PR 43213 [Julien Perez <julien.perez epsylonia.net>]
-
-  *) mod_dbd: Introduce configuration groups to allow inheritance by virtual
-     hosts of database configurations from the main server.  Determine the
-     minimal set of distinct configurations and share connection pools
-     whenever possible.  Allow virtual hosts to override inherited SQL
-     statements.  PR 41302.  [Chris Darroch]
-
-  *) mod_dbd: Create memory sub-pools for each DB connection and close
-     DB connections in a pool cleanup function.  Ensure prepared statements
-     are destroyed before DB connection is closed.  When using reslists,
-     prevent segfaults when child processes exit, and stop memory leakage
-     of ap_dbd_t structures.  Avoid use of global s->process->pool, which
-     isn't destroyed by exiting child processes in most multi-process MPMs.
-     PR 39985.  [Chris Darroch, Nick Kew]
-
-  *) mod_dbd: Handle error conditions in dbd_construct() properly.
-     Simplify ap_dbd_open() and use correct arguments to apr_dbd_error()
-     when non-threaded.  Register correct cleanup data in non-threaded
-     ap_dbd_acquire() and ap_dbd_cacquire().  Clean up configuration data
-     and merge function.  Use ap_log_error() wherever possible.
-     [Chris Darroch, Nick Kew]
-
-  *) mod_dbd: Stash DBD connections in request_config of initial request
-     only, or else sub-requests and internal redirections may cause

[... 4916 lines stripped ...]


Mime
View raw message