Return-Path:
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 37E04200CBD for ; Thu, 6 Jul 2017 21:28:53 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix) id 366C31673C6; Thu, 6 Jul 2017 19:28:53 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id D64C11673C2 for ; Thu, 6 Jul 2017 21:28:50 +0200 (CEST)
Received: (qmail 51863 invoked by uid 500); 6 Jul 2017 19:28:50 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help:
list-unsubscribe:
List-Post:
List-Id:
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 51846 invoked by uid 99); 6 Jul 2017 19:28:49 -0000
Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 06 Jul 2017 19:28:49 +0000
Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 9A3F83A24E7 for ; Thu, 6 Jul 2017 19:28:48 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: svn commit: r20352 [2/3] - /dev/httpd/
Date: Thu, 06 Jul 2017 19:28:46 -0000
To: cvs@httpd.apache.org
From: wrowe@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20170706192848.9A3F83A24E7@svn01-us-west.apache.org>
archived-at: Thu, 06 Jul 2017 19:28:53 -0000

Modified: dev/httpd/CHANGES_2.2
==============================================================================
--- dev/httpd/CHANGES_2.2 (original)
+++ dev/httpd/CHANGES_2.2 Thu Jul 6 19:28:45 2017
@@ -1,3459 +1,3464 @@ - -*- coding: utf-8 -*- -Changes with Apache 2.2.33 - - *) SECURITY: CVE-2017-7668 (cve.mitre.org) - The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a - bug in token list parsing, which allows ap_find_token() to search past - the end of its input string. By maliciously crafting a sequence of - request headers, an attacker may be able to cause a segmentation fault, - or to force ap_find_token() to return an incorrect value. - [Jacob Champion] - - *) SECURITY: CVE-2017-3169 (cve.mitre.org) - mod_ssl may dereference a NULL pointer when third-party modules call - ap_hook_process_connection() during an HTTP request to an HTTPS port. - [Yann Ylavic] - - *) SECURITY: CVE-2017-3167 (cve.mitre.org) - Use of the ap_get_basic_auth_pw() by third-party modules outside of the - authentication phase may lead to authentication requirements being - bypassed. - [Emmanuel Dreyfus , Jacob Champion, Eric Covener] - - *) SECURITY: CVE-2017-7679 (cve.mitre.org) - mod_mime can read one byte past the end of a buffer when sending a - malicious Content-Type response header. [Yann Ylavic] - - *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope. - [Joe Orton] - -Changes with Apache 2.2.32 - - *) SECURITY: CVE-2016-8743 (cve.mitre.org) - Enforce HTTP request grammar corresponding to RFC7230 for request lines - and request headers, to prevent response splitting and cache pollution by - malicious clients or downstream proxies. [William Rowe, Stefan Fritsch] - - *) Validate HTTP response header grammar defined by RFC7230, resulting - in a 500 error in the event that invalid response header contents are - detected when serving the response, to avoid response splitting and cache - pollution by malicious clients, upstream servers or faulty modules. - [Stefan Fritsch, Eric Covener, Yann Ylavic] - - *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues. 
- [Dominic Scheirlinck , Yann Ylavic] - - *) core: Avoid a possible truncation of the faulty header included in the - HTML response when LimitRequestFieldSize is reached. [Yann Ylavic] - - *) core: Enforce LimitRequestFieldSize after multiple headers with the same - name have been merged. [Stefan Fritsch] - - *) core: Drop Content-Length header and message-body from HTTP 204 responses. - PR 51350 [Luca Toscano] - - *) core: Permit unencoded ';' characters to appear in proxy requests and - Location: response headers. Corresponds to modern browser behavior. - [William Rowe] - - *) core: ap_rgetline_core now pulls from r->proto_input_filters. - - *) core: Correctly parse an IPv6 literal host specification in an absolute - URL in the request line. [Stefan Fritsch] - - *) core: New directive RegisterHttpMethod for registering non-standard - HTTP methods. [Stefan Fritsch] - - *) core: Limit to ten the number of tolerated empty lines between request. - [Yann Ylavic] - - *) core: reject NULLs in request line or request headers. - PR 43039 [Nick Kew] - - *) mod_proxy: Use the correct server name for SNI in case the backend - SSL connection itself is established via a proxy server. - PR 57139 [Szabolcs Gyurko ] - - *) Fix potential rejection of valid MaxMemFree and ThreadStackSize - directives. [Mike Rumph ] - - *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3. - [Kaspar Brand] - - *) mod_proxy: Correctly consider error response codes by the backend when - processing failonstatus. PR 59869 [Ruediger Pluem] - - *) mod_proxy: Play/restore the TLS-SNI on new backend connections which - had to be issued because the remote closed the previous/reusable one - during idle (keep-alive) time. [Yann Ylavic] - - *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH params. - [Jan Kaluza, Yann Ylavic] - - *) mod_proxy: Fix a regression with 2.2.31 that caused inherited workers to - use a different scoreboard slot then the original one. PR 58267. 
- [Ruediger Pluem] - - *) mod_proxy: Fix a race condition that caused a failed worker to be retried - before the retry period is over. [Ruediger Pluem] - - *) mod_proxy: don't recyle backend announced "Connection: close" connections - to avoid reusing it should the close be effective after some new request - is ready to be sent. [Yann Ylavic] - - *) mod_mem_cache: Fix concurrent removal of stale entries which could lead - to a crash. PR 43724. [Yann Ylavic] - - *) mime.types: add common extension "m4a" for MPEG 4 Audio. - PR 57895 [Dylan Millikin ] - - *) mod_substitute: Allow to configure the patterns merge order with the new - SubstituteInheritBefore on|off directive. PR 57641 - [Marc.Stern , Yann Ylavic, William Rowe] - - *) mod_mem_cache: Don't cache incomplete responses when the client - connection is aborted before the body is fully read. PR 45049. - [Nick Pace , Edward Lu, Yann Ylavic] - - *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve - failures under Visual Studio 2015 and other mismatched MSVCRT flavors. - PR59630 [Jan Ehrhardt ] - - *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes. - PR 57167 [Edward Lu ] - -Changes with Apache 2.2.31 - - *) Correct win32 build issues for mod_proxy exports, OpenSSL 1.0.x headers. - [Yann Ylavic, Gregg Smith] - -Changes with Apache 2.2.30 (not released) - - *) SECURITY: CVE-2015-3183 (cve.mitre.org) - core: Fix chunk header parsing defect. - Remove apr_brigade_flatten(), buffering and duplicated code from - the HTTP_IN filter, parse chunks in a single pass with zero copy. - Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext - authorized characters. [Graham Leggett, Yann Ylavic] - - *) http: Fix LimitRequestBody checks when there is no more bytes to read. - [Michael Kaufmann ] - - *) core: Allow spaces after chunk-size for compatibility with implementations - using a pre-filled buffer. 
[Yann Ylavic, Jeff Trawick] - - *) mod_ssl: bring SNI behavior into better conformance with RFC 6066: - no longer send warning-level unrecognized_name(112) alerts. PR 56241. - [Kaspar Brand] - - *) http: Make ap_die() robust against any HTTP error code and not modify - response status (finally logged) when nothing is to be done. PR 56035. - [Yann Ylavic] - - *) core, modules: Avoid error response/document handling by the core if some - handler or input filter already did it while reading the request (causing - a double response body). [Yann Ylavic] - - *) FreeBSD: Disable IPv4-mapped listening sockets by default for versions - 5+ instead of just for FreeBSD 5. PR 53824. [Jeff Trawick, - Olli Hauer ] - - *) mod_proxy: use the original (non absolute) form of the request-line's URI - for requests embedded in CONNECT payloads used to connect SSL backends via - a ProxyRemote forward-proxy. PR 55892. [Hendrik Harms , William Rowe, Yann Ylavic] - - *) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for - internationalization. [William Rowe] - - *) mod_log_config: Implement logging for sub second timestamps and - request end time. [Rainer Jung] - - *) mod_log_config: Ensure that time data is consistent if multiple - duration patterns are used in combination, e.g. %D and %{ms}T. - [Rainer Jung] - - *) mod_log_config: Add "%{UNIT}T" format to output request duration in - seconds, milliseconds or microseconds depending on UNIT ("s", "ms", "us"). - [Ben Reser, Rainer Jung] - - *) In alignment with RFC 7525, the default recommended SSLCipherSuite - and SSLProxyCipherSuite now exclude RC4 as well as MD5. Also, the - default recommended SSLProtocol and SSLProxyProtocol directives now - exclude SSLv3. Existing configurations must be adjusted by the - administrator. [William Rowe] - - *) core: Avoid potential use of uninitialized (NULL) request data in - request line error path. 
[Yann Ylavic] - - *) mod_proxy_http: Use the "Connection: close" header for requests to - backends not recycling connections (disablereuse), including the default - reverse and forward proxies. [Yann Ylavic] - - *) mod_proxy: Add ap_connection_reusable() for checking if a connection - is reusable as of this point in processing. [Jeff Trawick] - - *) mod_proxy: Reuse proxy/balancer workers' parameters and scores across - graceful restarts, even if new workers are added, old ones removed, or - the order changes. [Jan Kaluza, Yann Ylavic] - - *) mod_ssl: 'SSLProtocol ALL' was being ignored in virtual host context. - PR 57100. [Michael Kaufmann , - Yann Ylavic] - - *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by - allowing custom parameters to be configured via SSLCertificateFile, - and by adding standardized DH parameters for 1024/2048/3072/4096 bits. - Unless custom parameters are configured, the standardized parameters - are applied based on the certificate's RSA/DSA key size. [Kaspar Brand] - - *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA - keys, and unconditionally disable aNULL, eNULL and EXP ciphers - (not overridable via SSLCipherSuite). [Kaspar Brand] - - *) mod_ssl: Add support for configuring persistent TLS session ticket - encryption/decryption keys (useful for clustered environments). - [Paul Querna, Kaspar Brand] - - *) SSLProtocol and SSLCipherSuite recommendations in the example/default - conf/extra/httpd-ssl.conf file are now global in scope, affecting all - VirtualHosts (matching 2.4 default configuration). [William Rowe] - - *) mod_authn_dbd: Fix lifetime of DB lookup entries independently of the - selected DB engine. PR 46421. [Jan Kaluza]. - - *) Turn static function get_server_name_for_url() into public - ap_get_server_name_for_url() and use it where appropriate. This - fixes mod_rewrite generating invalid URLs for redirects to IPv6 - literal addresses. 
PR 52831 [Stefan Fritsch] - - *) dav_validate_request: avoid validating locks and ETags when there are - no If headers providing them on a resource we aren't modifying. - [Ben Reser] - - *) mod_ssl: New directive SSLSessionTickets (On|Off). - The directive controls the use of TLS session tickets (RFC 5077), - default value is "On" (unchanged behavior). - Session ticket creation uses a random key created during web - server startup and recreated during restarts. No other key - recreation mechanism is available currently. Therefore using session - tickets without restarting the web server with an appropriate frequency - (e.g. daily) compromises perfect forward secrecy. [Rainer Jung] - - *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to - compile against APR-1.2.x (minimum required version). [Yann Ylavic] - - *) mod_reqtimeout: Don't let pipelining checks interfere with the timeouts - computed for subsequent requests. PR 56729. [Eric Covener] - -Changes with Apache 2.2.29 - - *) Corrected docs/manual pages for new MergeTrailers directive and other - out of date documentation. [William Rowe] - -Changes with Apache 2.2.28 (not released) - - *) SECURITY: CVE-2014-0118 (cve.mitre.org) - mod_deflate: The DEFLATE input filter (inflates request bodies) now - limits the length and compression ratio of inflated request bodies to avoid - denial of service via highly compressed bodies. See directives - DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, - and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener] - - *) SECURITY: CVE-2014-0231 (cve.mitre.org) - mod_cgid: Fix a denial of service against CGI scripts that do - not consume stdin that could lead to lingering HTTPD child processes - filling up the scoreboard and eventually hanging the server. By - default, the client I/O timeout (Timeout directive) now applies to - communication with scripts. 
The CGIDScriptTimeout directive can be - used to set a different timeout for communication with scripts. - [Rainer Jung, Eric Covener, Yann Ylavic] - - *) SECURITY: CVE-2014-0226 (cve.mitre.org) - Fix a race condition in scoreboard handling, which could lead to - a heap buffer overflow. [Joe Orton, Eric Covener, Jeff Trawick] - - *) SECURITY: CVE-2013-5704 (cve.mitre.org) - core: HTTP trailers could be used to replace HTTP headers - late during request processing, potentially undoing or - otherwise confusing modules that examined or modified - request headers earlier. Adds "MergeTrailers" directive to restore - legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] - - *) core: Detect incomplete request and response bodies, log an error and - forward it to the underlying filters. PR 55475. [Yann Ylavic] - - *) mod_deflate: Handle Zlib header and validation bytes received in multiple - chunks. PR 46146. [Yann Ylavic] - - *) mod_proxy: Don't reuse a SSL backend connection whose requested SNI - differs. PR 55782. [Yann Ylavic] - - *) mod_deflate: Fix inflation of files larger than 4GB. PR 56062. - [Lukas Bezdicka ] - - *) mod_dav: Fix improper encoding in PROPFIND responses. PR 56480. - [Ben Reser] - - *) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions - resumed by TLS session resumption (RFC 5077). [Rainer Jung] - - *) mod_proxy_ajp: Forward local IP address as a custom request attribute - like we already do for the remote port. [Rainer Jung] - - *) mod_deflate: Don't fail when flushing inflated data to the user-agent - and that coincides with the end of stream ("Zlib error flushing inflate - buffer"). PR 56196. [Christoph Fausak ] - - *) mod_cache, mod_disk_cache: With CacheLock enabled, responses with a Vary - header might not get the benefit of the thundering herd protection due to - an incorrect internal cache key. PR 50317. 
- [Ruediger Pluem, Jan Kaluza, Yann Ylavic] - - *) mod_rewrite: Support session cookies with the CO= flag when later - parameters are used. The doc for this implied the feature had been - backported for quite some time. PR56014 [Eric Covener] - - *) mod_cache: Don't remove stale cache entries that cannot be conditionally - revalidated. This prevents the thundering herd protection from serving - stale responses during a revalidation. PR 50317. - [Eric Covener, Jan Kaluza, Ruediger Pluem] - - *) core: Increase TCP_DEFER_ACCEPT socket option to from 1 to 30 seconds. - PR 41270. [Dean Gaudet ] - -Changes with Apache 2.2.27 - - *) SECURITY: CVE-2014-0098 (cve.mitre.org) - Clean up cookie logging with fewer redundant string parsing passes. - Log only cookies with a value assignment. Prevents segfaults when - logging truncated cookies. - [William Rowe, Ruediger Pluem, Jim Jagielski] - - *) SECURITY: CVE-2013-6438 (cve.mitre.org) - mod_dav: Keep track of length of cdata properly when removing - leading spaces. Eliminates a potential denial of service from - specifically crafted DAV WRITE requests - [Amin Tora ] - - *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding - TE/CL conflicts. [Yann Ylavic , Jim Jagielski] - - *) mod_proxy_http: Core dumped under high load. PR 50335. - [Jan Kaluza ] - - *) proxy_util: NULL terminate the right buffer in 'send_http_connect'. - [Christophe Jaillet] - - *) mod_proxy: Remove (never documented) syntax which - is equivalent to . [Christophe Jaillet] - - *) mod_ldap: Fix a potential memory leak or corruption. PR 54936. - [Zhenbo Xu ] - - *) mod_ssl: Do not perform SNI / Host header comparison in case of a - forward proxy request. [Ruediger Pluem] - - *) mod_rewrite: Add mod_rewrite.h to the headers installed on Windows. - PR46679 [Bob Ionescu] - -Changes with Apache 2.2.26 - - *) mod_dav: dav_resource->uri treated as unencoded. This was an - unnecessary ABI changed introduced in 2.2.25 PR 55397. 
[Ben Reser] - - *) mod_dav: Do not validate locks against parent collection of COPY - source URI. PR 55304. [Ben Reser] - - *) mod_ssl: Check SNI hostname against Host header case-insensitively. - PR 49491. [Mayank Agrawal ] - - *) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against - OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme, - Stefan Fritsch] - - *) mod_ssl: Change default for SSLCompression to off, as compression - causes security issues in most setups. (The so called "CRIME" attack). - [Stefan Fritsch] - - *) mod_ssl: Fix compilation error when OpenSSL does not contain - support for SSLv2. Problem was introduced in 2.2.25. PR 55194. - [Rainer Jung, Kaspar Brand] - - *) mod_dav: Fix double encoding of URIs in XML and Location header (caused - by unintential ABI change in 2.2.25). PR 55397. [Ben Reser] - -Changes with Apache 2.2.25 - - *) SECURITY: CVE-2013-1896 (cve.mitre.org) - mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with - the source href (sent as part of the request body as XML) pointing to a - URI that is not configured for DAV will trigger a segfault. [Ben Reser - ] - - *) SECURITY: CVE-2013-1862 (cve.mitre.org) - mod_rewrite: Ensure that client data written to the RewriteLog is - escaped to prevent terminal escape sequences from entering the - log file. [Eric Covener, Jeff Trawick, Joe Orton] - - *) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer - strings. The default limit for ap_pregsub() can be adjusted at compile - time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick] - - *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization - on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun - ] - - *) mod_setenvif: Log error on substitution overflow. 
- [Stefan Fritsch] - - *) mod_ssl/proxy: enable the SNI extension for backend TLS connections - [Kaspar Brand] - - *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when - forwarding to SSL backends. PR 53134. - [Michael Weiser , Ruediger Pluem] - - *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits - in the error log to debug level. [William Rowe] - - *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs - with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698. - [Keith Burdis , Joe Orton, Kaspar Brand] - - *) mod_proxy_balancer: Added balancer parameter failontimeout to allow server - admin to configure an IO timeout as an error in the balancer. - [Daniel Ruggeri] - - *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind - password. [Daniel Ruggeri] - - *) htdigest: Fix buffer overflow when reading digest password file - with very long lines. PR 54893. [Rainer Jung] - - *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611 - [Timothy Wood ] - - *) mod_dav: Make sure that when we prepare an If URL for Etag comparison, - we compare unencoded paths. PR 53910 [Timothy Wood ] - - *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't - result in a 412 Precondition Failed for a COPY operation. PR54610 - [Timothy Wood ] - - *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead - property on a resource for which there is no dead property in the same - namespace httpd segfaults. PR 52559 [Diego Santa Cruz - ] - - *) mod_dav: Do not fail PROPPATCH when prop namespace is not known. - PR 52559 [Diego Santa Cruz ] - - *) mod_dav: Do not segfault on PROPFIND with a zero length DBM. - PR 52559 [Diego Santa Cruz ] - -Changes with Apache 2.2.24 - - *) SECURITY: CVE-2012-3499 (cve.mitre.org) - Various XSS flaws due to unescaped hostnames and URIs HTML output in - mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. 
- [Jim Jagielski, Stefan Fritsch, Niels Heinen ] - - *) SECURITY: CVE-2012-4558 (cve.mitre.org) - XSS in mod_proxy_balancer manager interface. [Jim Jagielski, - Niels Heinen ] - - *) mod_rewrite: Stop merging RewriteBase down to subdirectories - unless new option 'RewriteOptions MergeBase' is configured. - Merging RewriteBase was unconditionally turned on in 2.2.23. - PR 53963. [Eric Covener] - - *) mod_ssl: Send the error message for speaking http to an https port using - HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when - using SNI. PR 50823. [Stefan Fritsch] - - *) mod_ssl: log revoked certificates at level INFO - instead of DEBUG. PR 52162. [Stefan Fritsch] - - *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416. - [Rainer Jung] - - *) mod_dir: Add support for the value 'disabled' in FallbackResource. - [Vincent Deffontaines] - - *) mod_ldap: Fix regression in handling "server unavailable" errors on - Windows. PR 54140. [Eric Covener] - - *) mod_ssl: fix a regression with the string rendering of the "UID" RDN - introduced in 2.2.15. PR 54510. [Kaspar Brand] - - *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output - to more accurately report the negotiated protocol. PR 53916. - [Nicolás Pernas Maradei , Kaspar Brand] - - *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial - Response if they so choose to do so. Previously an attempt to cache a 206 - was arbitrarily allowed if the response contained an Expires or - Cache-Control header, and arbitrarily denied if both headers were missing. - Currently the disk and memory cache providers do not cache 206 Partial - Responses. [Graham Leggett] - - *) core: Remove unintentional APR 1.3 dependency introduced with - Apache 2.2.22. [Eric Covener] - - *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if - the chosen listener is configured for https. 
[Joe Orton] - - *) mod_ssl: Add new directive SSLCompression to disable TLS-level - compression. PR 53219. [Björn Jacke , Stefan Fritsch] - -Changes with Apache 2.2.23 - - *) SECURITY: CVE-2012-0883 (cve.mitre.org) - envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the - current working directory to be searched for DSOs. [Stefan Fritsch] - - *) SECURITY: CVE-2012-2687 (cve.mitre.org) - mod_negotiation: Escape filenames in variant list to prevent a - possible XSS for a site where untrusted users can upload files to - a location with MultiViews enabled. [Niels Heinen ] - - *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). - [Paul Wouters , Joe Orton] - - *) mod_ldap: Treat the "server unavailable" condition as a transient - error with all LDAP SDKs. [Filip Valder ] - - *) core: Add filesystem paths to access denied / access failed messages. - [Eric Covener] - - *) core: Fix error handling in ap_scan_script_header_err_brigade() if there - is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch] - - *) core: Prevent "httpd -k restart" from killing server in presence of - config error. [Joe Orton] - - *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit - control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive, - adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'. - [Kaspar Brand, William Rowe] - - *) mod_log_config: Fix %{abc}C truncating cookie values at first "=". - PR 53104. [Greg Ames] - - *) Unix MPMs: Fix small memory leak in parent process if connect() - failed when waking up children. [Joe Orton] - - *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945. - [Peter Pramberger , Jim Jagielski] - - *) Added SSLProxyMachineCertificateChainFile directive so the proxy client - can select the proper client certificate when using a chain and the - remote server only lists the root CA as allowed. 
- - *) mpm_event, mpm_worker: Remain active amidst prevalent child process - resource shortages. [Jeff Trawick] - - *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton] - - *) mod_rewrite: Fix the RewriteEngine directive to work within a - location. Previously, once RewriteEngine was switched on globally, - it was impossible to switch off. [Graham Leggett] - - *) mod_proxy_balancer: Restore balancing after a failed worker has - recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick] - - *) mod_dumpio: Properly handle errors from subsequent input filters. - PR 52914. [Stefan Fritsch] - - *) mpm_worker: Fix cases where the spawn rate wasn't reduced after child - process resource shortages. [Jeff Trawick] - - *) mpm_prefork: Reduce spawn rate after a child process exits due to - unexpected poll or accept failure. [Jeff Trawick] - - *) core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid - from logging bogus data in case of errors. [Stefan Fritsch] - - *) mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the - response is a 206 Partial Content. This stops a reverse proxied partial - response from becoming cached, and then being served in subsequent - responses. PR 49113. [Graham Leggett] - - *) configure: Fix usage with external apr and apu in non-default paths - and recent gcc versions >= 4.6. [Jean-Frederic Clere] - - *) core: Fix building against PCRE 8.30 by switching from the obsolete - pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung] - - *) mod_proxy: Add the forcerecovery balancer parameter that determines if - recovery for balancer workers is enforced. [Ruediger Pluem] - -Changes with Apache 2.2.22 - - *) SECURITY: CVE-2011-3368 (cve.mitre.org) - Reject requests where the request-URI does not match the HTTP - specification, preventing unexpected expansion of target URLs in - some reverse proxy configurations. 
[Joe Orton] - - *) SECURITY: CVE-2011-3607 (cve.mitre.org) - Fix integer overflow in ap_pregsub() which, when the mod_setenvif module - is enabled, could allow local users to gain privileges via a .htaccess - file. [Stefan Fritsch, Greg Ames] - - *) SECURITY: CVE-2011-4317 (cve.mitre.org) - Resolve additional cases of URL rewriting with ProxyPassMatch or - RewriteRule, where particular request-URIs could result in undesired - backend network exposure in some configurations. - [Joe Orton] - - *) SECURITY: CVE-2012-0021 (cve.mitre.org) - mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format - string is in use and a client sends a nameless, valueless cookie, causing - a denial of service. The issue existed since version 2.2.17. PR 52256. - [Rainer Canavan ] - - *) SECURITY: CVE-2012-0031 (cve.mitre.org) - Fix scoreboard issue which could allow an unprivileged child process - to cause the parent to crash at shutdown rather than terminate - cleanly. [Joe Orton] - - *) SECURITY: CVE-2012-0053 (cve.mitre.org) - Fix an issue in error responses that could expose "httpOnly" cookies - when no custom ErrorDocument is specified for status code 400. - [Eric Covener] - - *) SECURITY: CVE-2012-4557 (cve.mitre.org) - mod_proxy_ajp: Try to prevent a single long request from marking a worker - in error. [Jean-Frederic Clere] - - *) config: Update the default mod_ssl configuration: Disable SSLv2, only - allow >= 128bit ciphers, add commented example for speed optimized cipher - list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand] - - *) core: Fix segfault in ap_send_interim_response(). PR 52315. - [Stefan Fritsch] - - *) mod_log_config: Prevent segfault. PR 50861. [Torsten F�rtsch - ] - - *) mod_win32: Invert logic for env var UTF-8 fixing. - Now we exclude a list of vars which we know for sure they dont hold UTF-8 - chars; all other vars will be fixed. This has the benefit that now also - all vars from 3rd-party modules will be fixed. PR 13029 / 34985. 
- [Guenter Knauf] - - *) core: Fix hook sorting for Perl modules, a regression introduced in - 2.2.21. PR: 45076. [Torsten Foertsch ] - - *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20: - A range of '0-' will now return 206 instead of 200. PR 51878. - [Jim Jagielski] - - *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead - of "0"). [Rainer Jung] - - *) mod_substitute: Fix buffer overrun. [Ruediger Pluem, Rainer Jung] - -Changes with Apache 2.2.21 - - *) SECURITY: CVE-2011-3348 (cve.mitre.org) - mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not - recognized. [Jean-Frederic Clere] - - *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20. - PR 51748. [] - - *) mod_filter: Instead of dropping the Accept-Ranges header when a filter - registered with AP_FILTER_PROTO_NO_BYTERANGE is present, - set the header value to "none". [Eric Covener, Ruediger Pluem] - - *) mod_proxy_ajp: Ignore flushing if headers have not been sent. - PR 51608 [Ruediger Pluem] - - *) mod_dav_fs: Fix segfault if apr DBM driver cannot be loaded. PR 51751. - [Stefan Fritsch] - - *) mod_alias: Adjust log severity of "incomplete redirection target" - message. PR 44020. - - *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the - RewriteEngine is disabled in server context, avoiding a crash while - referencing the invalid int: map at runtime. PR 50994. - [Ben Noordhuis ] - - *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none' - in the case Ranges are being ignored with MaxRanges none. - [Eric Covener] - - *) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets. - [Rainer Jung] - -Changes with Apache 2.2.20 - - *) SECURITY: CVE-2011-3192 (cve.mitre.org) - core: Fix handling of byte-range requests to use less memory, to avoid - denial of service. 
If the sum of all ranges in a request is larger than - the original file, ignore the ranges and send the complete file. - PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener] - - *) mod_authnz_ldap: If the LDAP server returns constraint violation, - don't treat this as an error but as "auth denied". [Stefan Fritsch] - - *) mod_filter: Fix FilterProvider conditions of type "resp=" (response - headers) for CGI. [Joe Orton, Rainer Jung] - - *) mod_reqtimeout: Fix a timed out connection going into the keep-alive - state after a timeout when discarding a request body. PR 51103. - [Stefan Fritsch] - - *) core: Do the hook sorting earlier so that the hooks are properly sorted - for the pre_config hook and during parsing the config. [Stefan Fritsch] - -Changes with Apache 2.2.19 - - *) Revert ABI breakage in 2.2.18 caused by the function signature change - of ap_unescape_url_keep2f(). This release restores the signature from - 2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex(). - [Eric Covener] - -Changes with Apache 2.2.18 - - *) Log an error for failures to read a chunk-size, and return 408 instead - 413 when this is due to a read timeout. This change also fixes some cases - of two error documents being sent in the response for the same scenario. - [Eric Covener] PR49167 - - *) core: Only log a 408 if it is no keepalive timeout. PR 39785 - [Ruediger Pluem, Mark Montague ] - - *) core: Treat timeout reading request as 408 error, not 400. - Log 408 errors in access log as was done in Apache 1.3.x. - PR 39785 [Nobutaka Mantani , Stefan Fritsch, - Dan Poirier] - - *) Core HTTP: disable keepalive when the Client has sent - Expect: 100-continue - but we respond directly with a non-100 response. Keepalive here led - to data from clients continuing being treated as a new request. - PR 47087. [Nick Kew] - - *) htpasswd: Change the default algorithm for htpasswd to MD5 on all - platforms. 
Crypt with its 8 character limit is not useful anymore; - improve out of disk space handling (PR 30877); print a warning if - a password is truncated by crypt. [Stefan Fritsch] - - *) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI. - Win32's cscript interpreter can only use a single quote as comment char. - [Guenter Knauf] - - *) configure: Fix htpasswd/htdbm libcrypt link errors with some newer - linkers. [Stefan Fritsch] - - *) MinGW build improvements. PR 49535. [John Vandenberg - , Jeff Trawick] - - *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support. - [Stefan Fritsch] - - *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes - in request URL path info but not decode them. PR 35256, - PR 46830. [Dan Poirier] - - *) mod_rewrite: Allow to unset environment variables. PR 50746. - [Rainer Jung] - - *) suEXEC: Add Suexec directive to disable suEXEC without renaming the - binary (Suexec Off), or force startup failure if suEXEC is required - but not supported (Suexec On). [Jeff Trawick] - - *) mod_proxy: Put the worker in error state if the SSL handshake with the - backend fails. PR 50332. - [Daniel Ruggeri , Ruediger Pluem] - - *) prefork: Update MPM state in children during a graceful restart. - Allow the HTTP connection handling loop to terminate early - during a graceful restart. PR 41743. - [Andrew Punch ] - - *) mod_ssl: Correctly read full lines in input filter when the line is - incomplete during first read. PR 50481. [Ruediger Pluem] - - *) mod_autoindex: Merge IndexOptions from server to directory context when - the directory has no mod_autoindex directives. PR 47766. [Eric Covener] - - *) mod_cache: Make sure that we never allow a 304 Not Modified response - that we asked for to leak to the client should the 304 response be - uncacheable. PR45341 [Graham Leggett] - - *) mod_dav: Send 400 error if malformed Content-Range header is received for - a put request (RFC 2616 14.16). PR 49825. 
[Stefan Fritsch] - - *) mod_userdir: Add merging of enable, disable, and filename arguments - to UserDir directive, leaving enable/disable of userlists unmerged. - PR 44076 [Eric Covener] - - *) core: Honor 'AcceptPathInfo OFF' during internal redirects, - such as per-directory mod_rewrite substitutions. PR 50349. - [Eric Covener] - - *) mod_cache: Check the request to determine whether we are allowed - to return cached content at all, and respect a "Cache-Control: - no-cache" header from a client. Previously, "no-cache" would - behave like "max-age=0". [Graham Leggett] - - *) mod_mem_cache: Add a debug msg when a streaming response exceeds - MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary - 'memory allocation failed' debug message. PR 49604. [Eric Covener] - - *) proxy_connect: Don't give up in the middle of a CONNECT tunnel - when the child process is starting to exit. PR50220. [Eric Covener] - -Changes with Apache 2.2.17 - - *) prefork MPM: Run cleanups for final request when process exits gracefully - to work around a flaw in apr-util. PR 43857. [Tom Donovan] - - *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend - connections and other protocol handlers (like mod_ftp). Enforce the - timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering - close time from 30 to 2 seconds. [Stefan Fritsch] - - *) Proxy balancer: support setting error status according to HTTP response - code from a backend. PR 48939. [Daniel Ruggeri ] - - *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the - password to UTF-8. PR 45318. 
- [Johannes Müller , Stefan Fritsch] - - *) core: check symlink ownership if both FollowSymlinks and - SymlinksIfOwnerMatch are set [Nick Kew] - - *) core: fix origin checking in SymlinksIfOwnerMatch - PR 36783 [Robert L Mathews ] - - *) mod_headers: Enable multi-match-and-replace edit option - PR 46594 [Nick Kew] - - *) mod_log_config: Make ${cookie}C correctly match whole cookie names - instead of substrings. PR 28037. [Dan Franklin , - Stefan Fritsch] - - *) mod_dir, mod_negotiation: Pass the output filter information - to newly created sub requests; as these are later on used - as true requests with an internal redirect. This allows for - mod_cache et.al. to trap the results of the redirect. - PR 17629, 43939 - [Dirk-Willem van Gulik, Jim Jagielski, Joe Orton, Ruediger Pluem] - - *) rotatelogs: Fix possible buffer overflow if admin configures a - mongo log file path. [Jeff Trawick] - - *) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton] - - *) vhost: A purely-numeric Host: header should not be treated as a port. - PR 44979 [Nick Kew] - - *) core: (re)-introduce -T commandline option to suppress documentroot - check at startup. - PR 41887 [Jan van den Berg ] - -Changes with Apache 2.2.16 - - *) SECURITY: CVE-2010-1452 (cve.mitre.org) - mod_dav, mod_cache: Fix Handling of requests without a path segment. - PR: 49246 [Mark Drayton, Jeff Trawick] - - *) SECURITY: CVE-2010-2068 (cve.mitre.org) - mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection - for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung] - - *) core: Filter init functions are now run strictly once per request - before handler invocation. The init functions are no longer run - for connection filters. PR 49328. [Joe Orton] - - *) mod_filter: enable it to act on non-200 responses. - PR 48377 [Nick Kew] - - *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns - title page only) when any mod_ldap directives were used in VirtualHost - context. 
[Eric Covener] - - *) mod_ssl: Fix segfault at startup if proxy client certs are shared - across multiple vhosts. PR 39915. [Joe Orton] - - *) mod_proxy_http: Log the port of the remote server in various messages. - PR 48812. [Igor Galić ] - - *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf - [Philip M. Gollucci] - - *) mod_dir: add FallbackResource directive, to enable admin to specify - an action to happen when a URL maps to no file, without resorting - to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew] - - *) mod_rewrite: Allow to set environment variables without explicitly - giving a value. [Rainer Jung] - -Changes with Apache 2.2.15 - - *) SECURITY: CVE-2009-3555 (cve.mitre.org) - mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection - attack when compiled against OpenSSL version 0.9.8m or later. Introduces - the 'SSLInsecureRenegotiation' directive to reopen this vulnerability - and offer unsafe legacy renegotiation with clients which do not yet - support the new secure renegotiation protocol, RFC 5746. - [Joe Orton, and with thanks to the OpenSSL Team] - - *) SECURITY: CVE-2009-3555 (cve.mitre.org) - mod_ssl: A partial fix for the TLS renegotiation prefix injection attack - for OpenSSL versions prior to 0.9.8l; reject any client-initiated - renegotiations. Forcibly disable keepalive for the connection if there - is any buffered data readable. Any configuration which requires - renegotiation for per-directory/location access control is still - vulnerable, unless using openssl 0.9.8l or later. - [Joe Orton, Ruediger Pluem, Hartmut Keil ] - - *) SECURITY: CVE-2010-0408 (cve.mitre.org) - mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent - when request headers indicate a request body is incoming; not a case of - HTTP_INTERNAL_SERVER_ERROR. 
[Niku Toivola ] - - *) SECURITY: CVE-2010-0425 (cve.mitre.org) - mod_isapi: Do not unload an isapi .dll module until the request - processing is completed, avoiding orphaned callback pointers. - [Brett Gervasoni , Jeff Trawick] - - *) SECURITY: CVE-2010-0434 (cve.mitre.org) - Ensure each subrequest has a shallow copy of headers_in so that the - parent request headers are not corrupted. Eliminates a problematic - optimization in the case of no request body. PR 48359. - [Jake Scott, William Rowe, Ruediger Pluem] - - *) mod_reqtimeout: New module to set timeouts and minimum data rates for - receiving requests from the client. [Stefan Fritsch] - - *) mod_proxy_ajp: Really regard the operation a success, when the client - aborted the connection. In addition adjust the log message if the client - aborted the connection. [Ruediger Pluem] - - *) mod_negotiation: Preserve query string over multiviews negotiation. - This buglet was fixed for type maps in 2.2.6, but the same issue - affected multiviews and was overlooked. - PR 33112. [Joergen Thomsen ] - - *) mod_cache: Introduce the thundering herd lock, a mechanism to keep - the flood of requests at bay that strike a backend webserver as - a cached entity goes stale. [Graham Leggett] - - *) mod_proxy_http: Make sure that when an ErrorDocument is served - from a reverse proxied URL, that the subrequest respects the status - of the original request. This brings the behaviour of proxy_handler - in line with default_handler. PR 47106. [Graham Leggett] - - *) mod_log_config: Add the R option to log the handler used within the - request. [Christian Folini ] - - *) mod_include: Allow fine control over the removal of Last-Modified and - ETag headers within the INCLUDES filter, making it possible to cache - responses if desired. Fix the default value of the SSIAccessEnable - directive. [Graham Leggett] - - *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs - is configured for client cert auth. PR 46952. 
[Joe Orton] - - *) core: Fix potential memory leaks by making sure to not destroy - bucket brigades that have been created by earlier filters. - [Stefan Fritsch] - - *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to - try other providers in the case of an LDAP bind failure. - PR 46608. [Justin Erenkrantz, Joe Schaefer, Tony Stevenson] - - *) mod_proxy, mod_proxy_http: Support remote https proxies - by using HTTP CONNECT. - PR 19188. [Philippe Dutrueux , Rainer Jung] - - *) worker: Don't report server has reached MaxClients until it has. - Add message when server gets within MinSpareThreads of MaxClients. - PR 46996. [Dan Poirier] - - *) mod_ssl: When extracting certificate subject/issuer names to the - SSL_*_DN_* variables, handle RDNs with duplicate tags by - exporting multiple varialables with an "_n" integer suffix. - PR 45875. [Joe Orton, Peter Sylvester ] - - *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user - password now result in an informational level log entry instead of - warning level. [Eric Covener] - - *) core: Preserve Port information over internal redirects - PR 35999. [Jonas Ringh ] - - *) mod_filter: fix FilterProvider matching where "dispatch" string - doesn't exist. - PR 48054. [] - - *) Build: fix --with-module to work as documented - PR 43881. [Gez Saunders ] - - *) mod_mime: Make RemoveType override the info from TypesConfig. - PR 38330. [Stefan Fritsch] - - *) mod_proxy: unable to connect to a backend is SERVICE_UNAVAILABLE, - rather than BAD_GATEWAY or (especially) NOT_FOUND. - PR 46971. [Evan Champion ] - - *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'. - [Eric Covener] - - *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge - some cache entries and log a warning. Also increase the default - LDAPSharedCacheSize to 500000. This is a more realistic size suitable - for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries. - PR 46749. 
[Stefan Fritsch] - - *) mod_disk_cache, mod_mem_cache: don't cache incomplete responses, - per RFC 2616, 13.8. PR15866. [Dan Poirier] - - *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if - the request is a CONNECT request. PR 47928. - [Bill Zajac ] - - *) mod_cache: correctly consider s-maxage in cacheability - decisions. [Dan Poirier] - - *) core: Return APR_EOF if request body is shorter than the length announced - by the client. PR 33098. [Stefan Fritsch] - - *) mod_rewrite: Add scgi scheme detection. [André Malo] - - *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and - LocationMatch sections. PR 47754. [Dan Poirier] - - *) ab, mod_ssl: Restore compatibility with OpenSSL < 0.9.7g. - [Guenter Knauf] - -Changes with Apache 2.2.14 - - *) SECURITY: CVE-2009-2699 (cve.mitre.org) - Fixed in APR 1.3.9. Faulty error handling in the Solaris pollset support - (Event Port backend) which could trigger hangs in the prefork and event - MPMs on that platform. PR 47645. [Jeff Trawick] - - *) SECURITY: CVE-2009-3095 (cve.mitre.org) - mod_proxy_ftp: sanity check authn credentials. - [Stefan Fritsch , Joe Orton] - - *) SECURITY: CVE-2009-3094 (cve.mitre.org) - mod_proxy_ftp: NULL pointer dereference on error paths. - [Stefan Fritsch , Joe Orton] - - *) mod_proxy_scgi: Backport from trunk. [André Malo] - - *) mod_ldap: Don't try to resolve file-based user ids to a DN when AuthLDAPURL - has been defined at a very high level. PR 45946. [Eric Covener] - - *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett] - - *) mod_ldap: Bring the LDAPCacheEntries and LDAPOpCacheEntries - usage() in synch with the manual and the implementation (0 and -1 - both disable the cache). [Eric Covener] - - *) mod_ssl: The error message when SSLCertificateFile is missing should - at least give the name or position of the problematic virtual host - definition. 
[Stefan Fritsch sf sfritsch.de] - - *) htdbm: Fix possible buffer overflow if dbm database has very - long values. PR 30586 [Dan Poirier] - - *) Add support for HTTP PUT to ab. [Jeff Barnes ] - - *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute - type. PR 45107. [Michael Ströder , - Peter Sylvester ] - - *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore - defined session identifiers encoded in the URL when caching. - [Ruediger Pluem] - - *) mod_mem_cache: fix seg fault under load due to pool concurrency problem - PR: 47672 [Dan Poirier ] - - *) mod_autoindex: Correctly create an empty cell if the description - for a file is missing. PR 47682 [Peter Poeml ] - -Changes with Apache 2.2.13 - - *) SECURITY: CVE-2009-2412 (cve.mitre.org) - Distributed with APR 1.3.8 and APR-util 1.3.9 to fix potential overflow - in pools and rmm, where size alignment was taking place. - [Matt Lewis , Sander Striker] - - *) mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas. Report - warnings compiling mod_ssl against OpenSSL to the httpd developers. - [Guenter Knauf] - - *) mod_cgid: Do not add an empty argument when calling the CGI script. - PR 46380 [Ruediger Pluem] - - *) Fix potential segfaults with use of the legacy ap_rputs() etc - interfaces, in cases where an output filter fails. PR 36780. - [Joe Orton] - -Changes with Apache 2.2.12 - - *) SECURITY: CVE-2009-1891 (cve.mitre.org) - Fix a potential Denial-of-Service attack against mod_deflate or other - modules, by forcing the server to consume CPU time in compressing a - large file after a client disconnects. PR 39605. - [Joe Orton, Ruediger Pluem] - - *) SECURITY: CVE-2009-1195 (cve.mitre.org) - Prevent the "Includes" Option from being enabled in an .htaccess - file if the AllowOverride restrictions do not permit it. 
- [Jonathan Peatfield , Joe Orton, - Ruediger Pluem, Jeff Trawick] - - *) SECURITY: CVE-2009-1890 (cve.mitre.org) - Fix a potential Denial-of-Service attack against mod_proxy in a - reverse proxy configuration, where a remote attacker can force a - proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton] - - *) SECURITY: CVE-2009-1191 (cve.mitre.org) - mod_proxy_ajp: Avoid delivering content from a previous request which - failed to send a request body. PR 46949 [Ruediger Pluem] - - *) SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org) - The bundled copy of the APR-util library has been updated, fixing three - different security issues which may affect particular configurations - and third-party modules. - - *) mod_headers: Make 'Header set Content-Type' effective on responses - that already have a Content-Type. [Issac Goldstand] - - *) mod_include: fix potential segfault when handling back references - on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew] - - *) mod_alias: check sanity in Redirect arguments. - PR 44729 [Sönke Tesch , Jim Jagielski] - - *) mod_proxy_http: fix Host: header for literal IPv6 addresses. - PR 47177 [Carlos Garcia Braschi ] - - *) mod_rewrite: Remove locking for writing to the rewritelog. - PR 46942 - - *) mod_alias: Ensure Redirect emits HTTP-compliant URLs. - PR 44020 - - *) mod_proxy_http: fix case sensitivity checking transfer encoding - PR 47383 [Ryuzo Yamamoto ] - - *) mod_rewrite: Fix the error string returned by RewriteRule. - RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd - argument of RewriteRule was not started with "[" or not ended with "]". - PR 45082 [Vitaly Polonetsky ] - - *) mod_proxy: Complete ProxyPassReverse to handle balancer URL's. 
Given; - BalancerMember balancer://alias http://example.com/foo - ProxyPassReverse /bash balancer://alias/bar - backend url http://example.com/foo/bar/that is now translated /bash/that - [William Rowe] - - *) New piped log syntax: Use "||process args" to launch the given process - without invoking the shell/command interpreter. Use "|$command line" - (the default behavior of "|command line" in 2.2) to invoke using shell, - consuming an additional shell process for the lifetime of the logging - pipe program but granting additional process invocation flexibility. - [William Rowe] - - *) mod_ssl: Add server name indication support (RFC 4366) and better - support for name based virtual hosts with SSL. PR 34607 - [Peter Sylvester , - Kaspar Brand , Guenter Knauf, Joe Orton, - Ruediger Pluem] - - *) mod_negotiation: Escape pathes of filenames in 406 responses to avoid - HTML injections and HTTP response splitting. PR 46837. - [Geoff Keating ] - - *) mod_include: Prevent a case of SSI timefmt-smashing with filter chains - including multiple INCLUDES filters. PR 39369 [Joe Orton] - - *) mod_rewrite: When evaluating a proxy rule in directory context, do - escape the filename by default. PR 46428 [Joe Orton] - - *) mod_proxy_ajp: Check more strictly that the backend follows the AJP - protocol. [Mladen Turk] - - *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives - to enable stricter checking of remote server certificates. - [Ruediger Pluem] - - *) mod_substitute: Fix a memory leak. PR 44948 - [Dan Poirier ] - - *) mod_proxy_ajp: Forward remote port information by default. - [Rainer Jung] - - *) mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders - directive to correctly remove headers before storing them. - [Lars Eilebrecht] - - *) mod_deflate: revert changes in 2.2.8 that caused an invalid - etag to be emitted for on-the-fly gzip content-encoding. 
- PR 39727 will require larger fixes and this fix was far more - harmful than the original code. PR 45023. [Roy T. Fielding] - - *) mod_disk_cache: The module now turns off sendfile support if - 'EnableSendfile off' is defined globally. PR 41218. - [Lars Eilebrecht, Issac Goldstand] - - *) prefork: Fix child process hang during graceful restart/stop in - configurations with multiple listening sockets. PR 42829. [Joe Orton, - Jeff Trawick] - - *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the - size of the buffer used for the request-body where necessary - during a per-dir renegotiation. PR 39243. [Joe Orton] - - *) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome - way that per-directory rewrites append the previous notion of PATH_INFO - to each substitution before evaluating subsequent rules. - PR38642 [Eric Covener] - - *) mod_authnz_ldap: Reduce number of initialization debug messages and make - information more clear. PR 46342 [Dan Poirier] - - *) mod_cache: Introduce 'no-cache' per-request environment variable - to prevent the saving of an otherwise cacheable response. - [Eric Covener] - - *) core: Translate the status line to ASCII on EBCDIC platforms in - ap_send_interim_response() and for locally generated "100 Continue" - responses. [Eric Covener] - - *) CGI: return 504 (Gateway timeout) rather than 500 when a script - times out before returning status line/headers. - PR 42190 [Nick Kew] - - *) prefork: Log an error instead of segfaulting when child startup fails - due to pollset creation failures. PR 46467. [Jeff Trawick] - - *) mod_ext_filter: fix error handling when the filter prog fails to start, - and introduce an onfail configuration option to abort the request - or to remove the broken filter and continue. 
- PR 41120 [Nick Kew] - - *) mod_include: support generating non-ASCII characters as entities in SSI - PR 25202 [Nick Kew] - - *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII - chars [Nick Kew] - - *) mod_rewrite: fix "B" flag breakage by reverting r589343 - PR 45529 [Bob Ionescu ] - - *) mod_cgid: fix segfault problem on solaris. - PR 39332 [Masaoki Kobayashi , Jeff Trawick] - - *) mod_ldap: Avoid a segfault when result->rc is checked in - uldap_connection_init when result is NULL. This could happen if LDAP - initialization failed. PR 45994. [Dan Poirier ] - - *) Set Listen protocol to "https" if port is set to 443 and no proto is - specified (as documented but not implemented). PR 46066 - [Dan Poirier ] - - *) mod_cache: Correctly save Content-Encoding of cachable entity. PR 46401 - [Dan Poirier ] - - *) Output -M and -S dumps (modules and vhosts) to stdout instead of stderr. - PR 42571 and PR 44266 (dup). [Dan Poirier ] - - *) mod_cache: When an explicit Expires or Cache-Control header is set, cache - normally non-cacheable response statuses. PR 46346. - [Alex Polvi ] - -Changes with Apache 2.2.11 - - *) core: When the ap_http_header_filter processes an error bucket, cleanup - the passed brigade before returning AP_FILTER_ERROR down the filter - chain. This unambiguously ensures the same error bucket isn't revisited - [Ruediger Pluem] - - *) core: Error responses set by filters were being coerced into 500 errors, - sometimes appended to the original error response. Log entry of: - 'Handler for (null) returned invalid result code -3' - [Eric Covener] - - *) configure: Don't reject libtool 2.x - PR 44817 [Arfrever Frehtes Taifersar Arahesis ] - - *) mod_autoindex: add configuration option to insert string - in HTML HEAD (IndexHeadInsert). [Nick Kew] - - *) Add new LogFormat parameter, %k, which logs the number of - keepalive requests on this connection for this request. 
- PR 45762 [Dan Poirier , Jim Jagielski] - - *) Export and install the mod_rewrite.h header to ensure the optional - rewrite_mapfunc_t and ap_register_rewrite_mapfunc functions are - available to third party modules. [Graham Leggett] - - *) mod_cache: Convert age of cached object to seconds before comparing it to - age supplied by the request when checking whether to send a Warning - header for a stale response. PR 39713. [Owen Taylor ] - - *) Build: Correctly set SSL_LIBS during openssl detection if pkgconfig is - not available. PR 46018 [Ruediger Pluem] - - *) mod_proxy_ajp: Do not fail if response data is sent before all request - data is read. PR 45911 [Ruediger Pluem] - - *) mod_proxy_balancer: Add in forced recovery for balancer members if - all are in error state. [Mladen Turk] - - *) mod_proxy: Prevent segmentation faults by correctly adjusting the - lifetime of the buckets read from the proxy backend. PR 45792 - [Ruediger Pluem] - - *) mod_expires: Do not sets negative max-age / Expires header in the past. - PR 39774 [Jim Jagielski] - - *) mod_info: Was displaying the wrong value for the KeepAliveTimeout - value. [Jim Jagielski] - - *) mod_proxy_ajp: Fix wrongly formatted requests where client - sets Content-Length header, but doesn't provide a body. - Servlet container always expects that next packet is - body whenever C-L is present in the headers. This can lead - to wrong interpretation of the packets. In this case - send the empty body packet, so container can deal with - that. [Mladen Turk] - - *) core: Add ap_timeout_parameter_parse to public API. [Ruediger Pluem] - - *) mod_proxy: Add the possibility to set the worker parameters - connectiontimeout and ping in milliseconds. [Ruediger Pluem] - - *) Worker MPM: Crosscheck that idle workers are still available before using - them and thus preventing an overflow of the worker queue which causes - a SegFault. 
PR 45605 [Denis Ustimenko ] - - *) Windows: Always build the odbc dbd driver on windows, to be consistent - with the apr-util default. [Tom Donovan] - -Changes with Apache 2.2.10 - - *) SECURITY: CVE-2008-2939 (cve.mitre.org) - mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of - the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] - - *) mod_authz_host: Add support for env=!envvar [Jim Jagielski] - - *) Allow for smax to be 0 for balancer members so that all idle - connections are able to be dropped should they exceed ttl. - PR 43371 [Phil Endecott , - Jim Jagielski] - - *) mod_proxy_http: Don't trigger a retry by the client if a failure to - read the response line was the result of a timeout. - [Adam Woodworth ] - - *) Support chroot on Unix-family platforms - PR 43596 [Dimitar Pashev ] - - *) mod_ssl: implement dynamic mutex callbacks for the benefit of - OpenSSL. [Sander Temme] - - *) mod_proxy_balancer: Add 'bybusyness' load balance method. - [Joel Gluth , Jim Jagielski] - - *) mod_authn_alias: Detect during startup when AuthDigestProvider - is configured to use an incompatible provider via AuthnProviderAlias. - PR 45196 [Eric Covener] - - *) mod_proxy: Add 'scolonpathdelim' parameter to allow for ';' to also be - used as a session path separator/delim PR 45158. [Jim Jagielski] - - *) mod_charset_lite: Avoid dropping error responses by handling meta buckets - correctly. PR 45687 [Dan Poirier ] - - *) mod_proxy_http: Introduce environment variable proxy-initial-not-pooled - to avoid reusing pooled connections if the client connection is an - initial connection. PR 37770. [Ruediger Pluem] - - *) mod_rewrite: Allow Cookie option to set secure and HttpOnly flags. - PR 44799 [Christian Wenz ] - - *) mod_ssl: Rewrite shmcb to avoid memory alignment issues. PR 42101. - [Geoff Thorpe] - - *) mod_proxy: Add connectiontimeout parameter for proxy workers in order to - be able to set the timeout for connecting to the backend separately. 
- PR 45445. [Ruediger Pluem, rahul ] - - *) mod_dav_fs: Retrieve minimal system information about directory - entries when walking a DAV fs, resolving a performance degradation on - Windows. PR 45464. [Joe Orton, Jeff Trawick] - - *) mod_cgid: Pass along empty command line arguments from an ISINDEX - query that has consecutive '+' characters in the QUERY_STRING, - matching the behavior of mod_cgi. - [Eric Covener] - - *) mod_headers: Prevent Header edit from processing only the first header - of possibly multiple headers with the same name and deleting the - remaining ones. PR 45333. [Ruediger Pluem] - - *) mod_proxy_balancer: Move nonce field in the balancer manager page inside - the html form where it belongs. PR 45578. [Ruediger Pluem] - - *) mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to - known HTTP/1.0 servers. Return 'Expectation failed' (417) instead. - [Ruediger Pluem] - - *) mod_rewrite: Preserve the query string when [proxy,noescape]. PR 45247. - [Tom Donovan] - -Changes with Apache 2.2.9 - - *) SECURITY: CVE-2008-2364 (cve.mitre.org) - mod_proxy_http: Better handling of excessive interim responses - from origin server to prevent potential denial of service and high - memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem, - Joe Orton, Jim Jagielski] - - *) SECURITY: CVE-2007-6420 (cve.mitre.org) - mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager - interface. [Joe Orton] - - *) core: Fix address-in-use startup failure on some platforms caused - by creating an IPv4 listener which overlaps with an existing IPv6 - listener. [Jeff Trawick] - - *) mod_proxy: Make all proxy modules nocanon aware and do not add the - query string again in this case. PR 44803. - [Jim Jagielski, Ruediger Pluem] - - *) mod_unique_id: Fix timestamp value in UNIQUE_ID. - PR 37064 [Kobayashi ] - - *) htpasswd: Fix salt generation weakness. 
PR 31440 - [Andreas Krennmair , Peter Watkins , - Paul Querna] - - *) core: Add the filename of the configuration file to the warning message - about the useless use of AllowOverride. PR 39992. - [Darryl Miles ] - - *) scoreboard: Remove unused proxy load balancer elements from scoreboard - image (not scoreboard memory itself). [Chris Darroch] - - *) mod_proxy: Support environment variable interpolation in reverse - proxying directives. [Nick Kew] - - *) suexec: When group is given as a numeric gid, validate it by looking up - the actual group name such that the name can be used in log entries. - PR 7862 [, Leif W ] - - *) Fix garbled TRACE response on EBCDIC platforms. - [David Jones ] - - *) ab: Include earlier if available since we may need - INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS. - PR 45024 [Ruediger Pluem] - - *) ab: Improve client performance by clearing connection pool instead - of destroying it. PR 40054 [Brad Roberts ] - - *) ab: Don't stop sending a request if EAGAIN is returned, which - will only happen if both the write and subsequent wait are - returning EAGAIN, and count posted bytes correctly when the initial - write of a request is not complete. PR 10038, 38861, 39679 - [Patrick McManus , - Stefan Fleiter , - Davanum Srinivas, Roy T. Fielding] - - *) ab: Overhaul stats collection and reporting to avoid integer - truncation and time divisions within the test loop, retain - native time resolution until output, remove unused data, - consistently round milliseconds, and generally avoid losing - accuracy of calculation due to type casts. PR 44878, 44931. - [Roy T. Fielding] - - *) ab: Add -r option to continue after socket receive errors. - [Filip Hanik ] - - *) core: Do not allow Options ALL if not all options are allowed to be - overwritten. PR 44262 [Michał Grzędzicki ] - - *) mod_cache: Handle If-Range correctly if the cached resource was stale. 
- PR 44579 [Ruediger Pluem] - - *) mod_proxy: Do not try a direct connection if the connection via a - remote proxy failed before and the request has a request body. - [Ruediger Pluem] - - *) mod_proxy_ajp: Do not retry request in the case that we either failed to - sent a part of the request body or if the request is not idempotent. - PR 44334 [Ruediger Pluem] - - *) mod_rewrite: Initialize hash needed by ap_register_rewrite_mapfunc early - enough. PR 44641 [Daniel Lescohier ] - - *) mod_dav: Return "method not allowed" if the destination URI of a WebDAV - copy / move operation is no DAV resource. PR 44734 [Ruediger Pluem] - - *) http_filters: Don't return 100-continue on redirects. PR 43711 - [Ruediger Pluem] - - *) mod_ssl: Fix a memory leak with connections that have zlib compression - turned on. PR 44975 [Joe Orton, Amund Elstad , - Dr Stephen Henson ] - - *) mod_proxy: Trigger a retry by the client in the case we fail to read the - response line from the backend by closing the connection to the client. - PR 37770 [Ruediger Pluem] - - *) gen_test_char: add double-quote to the list of T_HTTP_TOKEN_STOP. - PR 9727 [Ville Skytt ] - - *) core: reinstate location walk to fix config for subrequests - PR 41960 [Jose Kahan ] - - *) rotatelogs: Log the current file size and error code/description - when failing to write to the log file. [Jeff Trawick] - - *) rotatelogs: Added '-f' option to force rotatelogs to create the - logfile as soon as started, and not wait until it reads the - first entry. [Jim Jagielski] - - *) rotatelogs: Don't leak memory when reopening the logfile. - PR 40183 [Ruediger Pluem, Takashi Sato ] - - *) rotatelogs: Improve atomicity when using -l and cleaup code. - PR 44004 [Rainer Jung] - - *) mod_authn_dbd: Disambiguate and tidy database authentication - error messages. PR 43210. [Chris Darroch, Phil Endecott - ] - - *) mod_headers: Add 'merge' option to avoid duplicate values within - the same header. 
[Chris Darroch] - - *) mod_cgid: Explicitly set permissions of the socket (ScriptSock) shared by - mod_cgid and request processing threads, for OS'es such as HPUX and AIX - that do not use umask for AF_UNIX socket permissions. - [Eric Covener, Jeff Trawick] - - *) mod_cgid: Don't try to restart the daemon if it fails to initialize - the socket. [Jeff Trawick] - - *) mod_log_config: Add format options for %p so that the actual local - or remote port can be logged. PR 43415. [Adam Hasselbalch Hansen - , Ruediger Pluem, Jeff Trawick] - - *) Added 'disablereuse' option for ProxyPass which, essentially, - disables connection pooling for the backend servers. - [Jim Jagielski] - - *) mod_speling: remove regression from 1.3/2.0 behavior and - drop dependency between mod_speling and AcceptPathInfo. - PR 43562 [Jose Kahan ] - - *) mod_substitute: The default is now flattening the buckets after - each substitution. The newly added 'q' flag allows for the - quicker, more efficient bucket-splitting if the user so - desires. [Jim Jagielski] - - *) http_filters: Don't spin if get an error when reading the - next chunk. PR 44381 [Ruediger Pluem] - - *) ab: Do not try to read non existing response bodies of HEAD requests. - PR 34275 [Takashi Sato ] - - *) ab: Use a 64 bit unsigned int instead of a signed long to count the - bytes transferred to avoid integer overflows. PR 44346 [Ruediger Pluem] - - *) ProxyPassReverse is now balancer aware. [Jim Jagielski] - - *) mod_include: Correctly handle SSI directives split over multiple filter - passes. PR 44447 [Harald Niesche ] - - *) mod_cache: Revalidate cache entities which have Cache-Control: no-cache - set in their response headers. PR 44511 [Ruediger Pluem] - - *) mod_rewrite: Check all files used by DBM maps for freshness, mod_rewrite - didn't pick up on updated sdbm maps due to this. - PR41190 [Niklas Edmundsson] - - *) mod_proxy: Lower memory consumption for short lived connections. - PR 44026. 
[Ruediger Pluem] - - *) mod_proxy: Keep connections to the backend persistent in the HTTPS case. - [Ruediger Pluem] - - *) Don't add bogus duplicate Content-Language entries - PR 11035 [Davi Arnaut] - - *) Worker / Event MPM: Fix race condition in pool recycling that leads to - segmentation faults under load. PR 44402 - [Basant Kumar Kukreja ] - - *) mod_proxy_ftp: Fix base for directory listings. - PR 27834 [Nick Kew] - - *) mod_logio: Provide optional function to allow modules to adjust the - bytes_in count [Eric Covener] - - *) http_filters: Don't return 100-continue on client error - PR 43711 [Chetan Reddy ] - - *) mod_charset_lite: Add TranslateAllMimeTypes sub-option to - CharsetOptions, allowing the administrator to skip the - mimetype checking that precedes translation. - PR 44458 [Eric Covener] - - *) mod_proxy_http: Fix processing of chunked responses if - Connection: Transfer-Encoding is set in the response of the proxied - system. PR 44311 [Ruediger Pluem] - - *) mod_proxy_http: Return HTTP status codes instead of apr_status_t - values for errors encountered while forwarding the request body - PR 44165 [Eric Covener] - - *) mod_rewrite: Don't canonicalise URLs with [P,NE] - PR 43319 [] - -Changes with Apache 2.2.8 - - *) core: Fix regression in 2.2.7 in chunk filtering with massively - chunked requests. [Ruediger Pluem, Nick Kew] - - *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout - to /Device/Nul as the server is starting up, mirroring unix MPM's. - PR: 43534 [Tom Donovan , William Rowe] - - *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform - by recreating the bucket allocator each time the trans pool is cleared. - PR: 11427 #16 (follow-on) [Tom Donovan ] - - *) mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals. 
- PR 38034 [Paritosh Shah ] - -Changes with Apache 2.2.7 (not released) - - *) SECURITY: CVE-2007-6421 (cve.mitre.org) - mod_proxy_balancer: Correctly escape the worker route and the worker - redirect string in the HTML output of the balancer manager. - Reported by SecurityReason. [Ruediger Pluem] - - *) SECURITY: CVE-2007-6422 (cve.mitre.org) - Prevent crash in balancer manager if invalid balancer name is passed - as parameter. Reported by SecurityReason. [Ruediger Pluem] - - *) SECURITY: CVE-2007-6388 (cve.mitre.org) - mod_status: Ensure refresh parameter is numeric to prevent - a possible XSS attack caused by redirecting to other URLs. - Reported by SecurityReason. [Mark Cox, Joe Orton] - - *) SECURITY: CVE-2007-5000 (cve.mitre.org) - mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. - [Joe Orton] - - *) SECURITY: CVE-2008-0005 (cve.mitre.org) - Introduce the ProxyFtpDirCharset directive, allowing the administrator - to identify a default, or specific servers or paths which list their - contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem] - - *) mod_dav: Adjust etag generation to produce identical results on 32-bit - and 64-bit platforms and avoid a regression with conditional PUT's on - lock and etag. PR 44152. - [Michael Clark , Ruediger Pluem] - - *) mod_ssl: Fix handling of the buffered request body during a per-location - renegotiation, when an internal redirect occurs. PR 43738. - [Joe Orton] - - *) mod_ldap: Try to establish a new backend LDAP connection when the - Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the - LDAP server has closed the connection due to a timeout. - PR 39095 [Eric Covener] - - *) log.c: Ensure Win32 resurrects its lost robust logger processes. - [William Rowe] - - *) mod_disk_cache: Delete temporary files if they cannot be renamed to their - final name. 
[Davi Arnaut ] - - *) Add explicit charset to the output of various modules to work around - possible cross-site scripting flaws affecting web browsers that do not - derive the response character set as required by RFC2616. One of these - reported by SecurityReason [Joe Orton] - - *) http_protocol: Escape request method in 405 error reporting. - This has no security impact since the browser cannot be tricked - into sending arbitrary method strings. [Jeff Trawick] - - *) mod_ssl: Fix SSL client certificate extensions parsing bug. PR 44073. - [yl ] - - *) mod_proxy_ajp: Use 64K as maximum AJP packet size. This is the maximum - length we can squeeze inside the AJP message packet. - [Mladen Turk] - - *) core: Lower memory consumption of ap_r* functions by reusing the brigade - instead of recreating it during each filter pass. - [Stefan Fritsch ] - - *) core: Lower memory consumption in case that flush buckets are passed thru - the chunk filter as last bucket of a brigade. PR 23567. - [Stefan Fritsch ] - - *) core: Fix broken chunk filtering that causes all non blocking reads to be - converted into blocking reads. PR 19954, 41056. - [Jean-Frederic Clere, Jim Jagielski] - - *) mod_rewrite: Add the novary flag to RewriteCond. - [Ruediger Pluem] - - *) core: Change etag generation to produce identical results on - 32-bit and 64-bit platforms. PR 40064. [Joe Orton] - - *) http_protocol: Escape request method in 413 error reporting. - Determined to be not generally exploitable, but a flaw in any case. - PR 44014 [Victor Stinner ] - - *) mod_filter: Don't segfault on (unsupported) chained FilterProvider usage. - PR 43956 [Nick Kew, Ruediger Pluem] - - *) core: Handle unrecognised transfer-encodings. - PR 43882 [Nick Kew, Jeff Trawick] - - *) mod_include: Add an "if" directive syntax to test whether an URL - is accessible, and if so, conditionally display content. This - allows a webmaster to hide a link to a private page when the user - has no access to that page. 
[Graham Leggett] - - *) Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009 - [Christophe Jaillet ] - - *) mod_proxy_http: Correctly forward unexpected interim (HTTP 1xx) - responses from the backend according to RFC2616. But make it - configurable in case something breaks on it. - PR 16518 [Nick Kew] - - *) mod_substitute: Added a new output filter, which performs - inline response content pattern matching (including regex) - and substitution. [Jim Jagielski, Ruediger Pluem] - - *) rotatelogs: Change command-line parsing to report more types - of errors. Allow local timestamps to be used when rotating based - on file size. [Jeff Trawick] - - *) mod_proxy: Canonicalisation improvements. Add "nocanon" keyword to - ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also, - don't escape/unescape forward-proxied URLs. - PR 41798, 42592 [Nick Kew, Ruediger Pluem, Roy Fielding, Jim Jagielski] - - *) mod_status: Add SeeRequestTail directive, which determines if - ExtendedStatus displays the 1st 63 characters of the request - or the last 63. Useful for those requests with large string - lengths and which only vary with the last several characters. - [Jim Jagielski] - - *) mod_ssl: Prevent memory corruption of version string. - PR 43865, 43334 [William Rowe, Joe Orton] - - *) core: Avoid some unexpected connection closes by telling the client - that the connection is not persistent if the MPM process handling - the request is already exiting when the response header is built. - [Jeff Trawick] - - *) mod_autoindex: Generate valid XHTML output by adding the xhtml - namespace. PR 43649 [Jose Kahan ] - - *) mod_ldap: Give callers a reference to data copied into the request - pool instead of references directly into the cache - PR 43786 [Eric Covener] - - *) mod_ldap: Stop passing a reference to pconf around for - (limited) use during request processing, avoiding possible - memory corruption and crashes. 
[Eric Covener] - - *) Event MPM: Add support for running under mod_ssl, by reverting to the - Worker MPM behaviors, when run under an input filter that buffers - its own data. [Paul Querna] - - *) mod_charset_lite: Don't crash when the request has no associated - filename. [Jeff Trawick] - - *) Core: fix possible crash at startup in case of nonexistent DocumentRoot. - PR 39722 [Adrian Buckley ] - - *) HTTP protocol: Add "DefaultType none" option. - PR 13986 and PR 16139 [Nick Kew] - - *) mod_rewrite: Add option to suppress URL unescaping - PR 34602 [Guenther Gsenger ] - - *) mpm_winnt: Eliminate wait_for_many_objects. Allows the clean - shutdown of the server when the MaxClients is higher then 257, - in a more responsive manner [Mladen Turk, William Rowe] - - *) mod_proxy_http: Remove Warning headers with wrong date - PR 16138 [Nick Kew] - - *) mod_proxy_http: Correctly parse all Connection headers in proxy. - PR 43509 [Nick Kew] - - *) mod_proxy_http: add Via header correctly (if enabled) to - response, even where other Via headers exist. - PR 19439 [Nick Kew] - - *) http_core: OPTIONS * no longer maps to local storage or URI - space. Note that unlike previous versions, OPTIONS * no - longer returns an Allow: header. PR 43519 [Jim Jagielski] - - *) mod_proxy_http: strip hop-by-hop response headers - PR 43455 [Nick Kew] - - *) mod_proxy: Don't by default violate RFC2616 by setting - Max-Forwards when the client didn't send it to us. - Leave that as a configuration option. - PR 16137 [Nick Kew] - - *) scoreboard: improve error message on apr_shm_create failure - PR 40037 [Nick Kew] - - *) proxy: Fix persistent backend connections. - PR 43472 [Ruediger Pluem] - - *) mod_deflate: initialise inflate-out filter correctly when the - first brigade contains no data buckets. - PR 43512 [Nick Kew] - - *) mod_proxy_ajp: Ignore any ajp13 flush packets received before - we send the response headers. See Tomcat PR 43478. 
- [Jim Jagielski] - - *) mod_proxy_balancer: Do not reset lbstatus, lbfactor and lbset when - starting a new child. - PR 39907 [Vinicius Petrucci , Ruediger Pluem] - - *) mod_proxy_http: Propagate Proxy-Authorization header correctly. - PR 25947 [Nick Kew] - - *) mod_proxy_ajp: Differentiate within AJP between GET and HEAD - requests. PR 43060 [Jim Jagielski] - - *) Don't send spurious "100 Continue" response lines. - PR 38014 [Basant Kumar Kukreja ] - - *) mod_proxy_ftp: Don't segfault on bad line in FTP listing - PR 40733 [Ulf Harnhammar ] - - *) mod_proxy: escape error-notes correctly - PR 40952 [Thijs Kinkhorst ] - - *) mod_proxy: check ProxyBlock for all blocked addresses - PR 36987 [Timo Viipuri ] - - *) mod_proxy: Don't lose bytes when a response line arrives in small chunks. - PR 40894 [Andrew Rucker Jones ] - -Changes with Apache 2.2.6 - - *) SECURITY: CVE-2007-3847 (cve.mitre.org) - mod_proxy: Prevent reading past the end of a buffer when parsing - date-related headers. PR 41144. - [Davi Arnaut, Nick Kew] - - *) SECURITY: CVE-2007-1863 (cve.mitre.org) - mod_cache: Prevent a segmentation fault if attributes are listed in a - Cache-Control header without any value. - [Niklas Edmundsson ] - - *) SECURITY: CVE-2007-3304 (cve.mitre.org) - prefork, worker, event MPMs: Ensure that the parent process cannot - be forced to kill processes outside its process group. - [Joe Orton, Jim Jagielski] - - *) SECURITY: CVE-2006-5752 (cve.mitre.org) - mod_status: Fix a possible XSS attack against a site with a public - server-status page and ExtendedStatus enabled, for browsers which - perform charset "detection". Reported by Stefan Esser. [Joe Orton] - - *) SECURITY: CVE-2007-1862 (cve.mitre.org) - mod_mem_cache: Copy headers into longer lived storage; header names and - values could previously point to cleaned up storage. PR 41551. - [Davi Arnaut ] - - *) mod_info: mod_info outputs invalid XHTML 1.0 transitional. 
- PR 42847 [Rici Lake ] - - *) mod_ssl: Fix spurious hostname mismatch warning for valid - wildcard certificates. PR 37911. [Nick Burch ] - - *) mod_mem_cache: Increase the minimum and default value for - MCacheMinObjectSize from 0 to 1, as a MCacheMinObjectSize of 0 does not - make sense and leads to a division by zero. PR 40576. - [Xuekun Hu ] - - *) mod_cache: Remove expired content from cache that cannot be revalidated. - PR 30370. [Ruediger Pluem] - - *) mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as synonymous. - PR 43183 [Brian Rectanus , Vincent Bray] - - *) mod_proxy: Ensure that at least scheme://hostname[:port] matches between - worker and URL when searching for the best fitting worker for a given - URL. PR 40910 [Ruediger Pluem] - - *) mod_proxy: Improve network performance by setting APR_TCP_NODELAY - (disable Nagle algorithm) on sockets if implemented. - PR 42871 [Christian BOITEL , Jim Jagielski] - - *) core: Do not replace a Date header set by a proxied backend server. - PR 40232 [Ruediger Pluem] - - *) mod_proxy: Add a missing assignment in an error checking code path. - PR 40865 [Andrew Rucker Jones ] - - *) mod_proxy_connect: avoid segfault on DNS lookup failure. - PR 40756 [Trevin Beattie ] - - *) mod_proxy: enable Ignore Errors option on ProxyPass Status. - PR 43167 [Francisco Gimeno - - *) mod_proxy_http: Don't try to read body of a HEAD request before - responding. PR 41644 [Stuart Children ] - - *) mod_authnz_ldap: Don't return HTTP_UNAUTHORIZED during authorization when - LDAP authentication is configured but we haven't seen any - 'Require ldap-*' directives, allowing authorization to be passed to lower - level modules (e.g. 
Require valid-user) - PR 43281 [Eric Covener] - - *) mod_proxy: don't URLencode tilde in path component - PR 38448 [Stijn Hoop ] - - *) proxy/ajp_header.c: Fixed header token string comparisons - Matching of header tokens failed to include the trailing NIL byte - and could misinterpret a longer header token for a shorter. - Additionally, a "Content-Type" comparison was made case insensitive. - [Martin Kraemer] - - *) proxy/ajp_header.c: Backport of an AJP protocol fix for EBCDIC - On EBCDIC machines, the status_line string was incorrectly converted - twice. [Jean-Frederic Clere, Martin Kraemer] - - *) mod_dumpio: Fix for correct dumping of traffic on EBCDIC hosts - Data had been incorrectly converted twice, resulting in - garbled log output. [Martin Kraemer] - - *) mod_autoindex: Add in Type and Charset options to IndexOptions - directive. This allows the admin to explicitly set the - content-type and charset of the generated page and is therefore - a viable workaround for buggy browsers affected by CVE-2007-4465 - (cve.mitre.org). [Jim Jagielski] - - *) log core: ensure we use a special pool for stderr logging, so that - the stderr channel remains valid from the time plog is destroyed, - until the time the open_logs hook is called again. [William Rowe] - - *) mod_negotiation: preserve Query String in resolving a type map - PR 33112 [Jørgen Thomsen , Nick Kew] - - *) mod_ssl: Version reporting update; displays 'compiled against' - Apache and build-time SSL Library versions at loglevel [info], - while reporting the run-time SSL Library version in the server - info tags. Helps to identify a mod_ssl built against one flavor - of OpenSSL but running against another (also adds SSL-C version - number reporting.) [William Rowe] - - *) mime.types: Many updates to sync with IANA registry and common - unregistered types that the owners refuse to register. Admins - are encouraged to update their installed mime.types file. - PR: 35550, 37798, 39317, 31483 [Roy T. 
Fielding] - - *) mod_expires: don't crash on bad configuration data - PR 43213 [Julien Perez ] - - *) mod_dbd: Introduce configuration groups to allow inheritance by virtual - hosts of database configurations from the main server. Determine the - minimal set of distinct configurations and share connection pools - whenever possible. Allow virtual hosts to override inherited SQL - statements. PR 41302. [Chris Darroch] - - *) mod_dbd: Create memory sub-pools for each DB connection and close - DB connections in a pool cleanup function. Ensure prepared statements - are destroyed before DB connection is closed. When using reslists, - prevent segfaults when child processes exit, and stop memory leakage - of ap_dbd_t structures. Avoid use of global s->process->pool, which - isn't destroyed by exiting child processes in most multi-process MPMs. - PR 39985. [Chris Darroch, Nick Kew] - - *) mod_dbd: Handle error conditions in dbd_construct() properly. - Simplify ap_dbd_open() and use correct arguments to apr_dbd_error() - when non-threaded. Register correct cleanup data in non-threaded - ap_dbd_acquire() and ap_dbd_cacquire(). Clean up configuration data - and merge function. Use ap_log_error() wherever possible. - [Chris Darroch, Nick Kew] - - *) mod_dbd: Stash DBD connections in request_config of initial request - only, or else sub-requests and internal redirections may cause [... 4916 lines stripped ...]
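Review bot: the part of this hunk that survives here is removal-only (every visible line is a `-` line and the added side is stripped), so the review cannot confirm that the removed CHANGES entries, in particular the SECURITY entries for CVE-2007-6421, CVE-2007-6422, CVE-2007-6388, CVE-2007-5000 and CVE-2008-0005 under 2.2.7 and CVE-2007-3847, CVE-2007-1863, CVE-2007-3304, CVE-2006-5752 and CVE-2007-1862 under 2.2.6, reappear unchanged in the new file. A hunk that removes and re-adds the whole changelog is usually a line-ending or encoding rewrite that hides the few genuinely new entries; please verify the intended additions with a whitespace-insensitive diff against the previous revision (for example `svn diff -x -w`) and confirm the historical security entries are byte-identical, since downstream packagers and vulnerability scanners parse this file.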