-*- coding: utf-8 -*-
Changes with Apache 2.2.25

  *) SECURITY: CVE-2013-1862 (cve.mitre.org)
     mod_rewrite: Ensure that client data written to the RewriteLog is
     escaped to prevent terminal escape sequences from entering the
     log file. [Eric Covener, Jeff Trawick, Joe Orton]

  *) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
     strings. The default limit for ap_pregsub() can be adjusted at compile
     time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick]

  *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
     on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun
     <apache heilbrun.org>]

  *) mod_setenvif: Log error on substitution overflow.
     [Stefan Fritsch]

  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
     [Kaspar Brand]

  *) mod_proxy: Use the same hostname for SNI as for the HTTP request when
     forwarding to SSL backends. PR 53134.
     [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]

  *) mod_ssl: Lower the "FIPS mode weak keys disabled" and "FIPS not
     selected" messages in the error log to debug level. [William Rowe]

  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
     [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]

  *) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
     admin to configure an IO timeout as an error in the balancer.
     [Daniel Ruggeri]

  *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
     password. [Daniel Ruggeri]

  *) htdigest: Fix buffer overflow when reading digest password file
     with very long lines. PR 54893. [Rainer Jung]

  *) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
     the source href (sent as part of the request body as XML) pointing to a
     URI that is not configured for DAV will trigger a segfault. [Ben Reser
     <ben reser.org>]

  *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
     [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
     we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
     result in a 412 Precondition Failed for a COPY operation. PR 54610
     [Timothy Wood <tjw omnigroup.com>]

  *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
     property on a resource for which there is no dead property in the same
     namespace httpd segfaults. PR 52559 [Diego Santa Cruz
     <diego.santaCruz spinetix.com>]

  *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

  *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

Changes with Apache 2.2.24

  *) SECURITY: CVE-2012-3499 (cve.mitre.org)
     Various XSS flaws due to unescaped hostnames and URIs in HTML output in
     mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
     [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]

  *) SECURITY: CVE-2012-4558 (cve.mitre.org)
     XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
     Niels Heinen <heinenn google com>]

  *) mod_rewrite: Stop merging RewriteBase down to subdirectories
     unless new option 'RewriteOptions MergeBase' is configured.
     Merging RewriteBase was unconditionally turned on in 2.2.23.
     PR 53963. [Eric Covener]

  *) mod_ssl: Send the error message for speaking http to an https port using
     HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
     using SNI. PR 50823. [Stefan Fritsch]

  *) mod_ssl: log revoked certificates at level INFO
     instead of DEBUG. PR 52162. [Stefan Fritsch]

  *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
     [Rainer Jung]

  *) mod_dir: Add support for the value 'disabled' in FallbackResource.
     [Vincent Deffontaines]

  *) mod_ldap: Fix regression in handling "server unavailable" errors on
     Windows. PR 54140. [Eric Covener]

  *) mod_ssl: fix a regression with the string rendering of the "UID" RDN
     introduced in 2.2.15. PR 54510. [Kaspar Brand]

  *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
     to more accurately report the negotiated protocol. PR 53916.
     [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]

  *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
     Response if they so choose to do so. Previously an attempt to cache a 206
     was arbitrarily allowed if the response contained an Expires or
     Cache-Control header, and arbitrarily denied if both headers were missing.
     Currently the disk and memory cache providers do not cache 206 Partial
     Responses. [Graham Leggett]

  *) core: Remove unintentional APR 1.3 dependency introduced with
     Apache 2.2.22. [Eric Covener]

  *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
     the chosen listener is configured for https. [Joe Orton]

  *) mod_ssl: Add new directive SSLCompression to disable TLS-level
     compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]

Changes with Apache 2.2.23

  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
     current working directory being searched for DSOs. [Stefan Fritsch]

  *) SECURITY: CVE-2012-2687 (cve.mitre.org)
     mod_negotiation: Escape filenames in variant list to prevent a
     possible XSS for a site where untrusted users can upload files to
     a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]

  *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
     [Paul Wouters <pwouters redhat.com>, Joe Orton]

  *) mod_ldap: Treat the "server unavailable" condition as a transient
     error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>]

  *) core: Add filesystem paths to access denied / access failed messages.
     [Eric Covener]

  *) core: Fix error handling in ap_scan_script_header_err_brigade() if there
     is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch]

  *) core: Prevent "httpd -k restart" from killing server in presence of
     config error. [Joe Orton]

  *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
     control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive,
     adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'.
     [Kaspar Brand, William Rowe]

  *) mod_log_config: Fix %{abc}C truncating cookie values at first "=".
     PR 53104. [Greg Ames]

  *) Unix MPMs: Fix small memory leak in parent process if connect()
     failed when waking up children. [Joe Orton]

  *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
     [Peter Pramberger <peter pramberger.at>, Jim Jagielski]

  *) Added SSLProxyMachineCertificateChainFile directive so the proxy client
     can select the proper client certificate when using a chain and the
     remote server only lists the root CA as allowed.

  *) mpm_event, mpm_worker: Remain active amidst prevalent child process
     resource shortages. [Jeff Trawick]

  *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton]

  *) mod_rewrite: Fix the RewriteEngine directive to work within a
     location. Previously, once RewriteEngine was switched on globally,
     it was impossible to switch off. [Graham Leggett]

  *) mod_proxy_balancer: Restore balancing after a failed worker has
     recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick]

  *) mod_dumpio: Properly handle errors from subsequent input filters.
     PR 52914. [Stefan Fritsch]

  *) mpm_worker: Fix cases where the spawn rate wasn't reduced after child
     process resource shortages. [Jeff Trawick]

  *) mpm_prefork: Reduce spawn rate after a child process exits due to
     unexpected poll or accept failure. [Jeff Trawick]

  *) core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid
     from logging bogus data in case of errors. [Stefan Fritsch]

  *) mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the
     response is a 206 Partial Content. This stops a reverse proxied partial
     response from becoming cached, and then being served in subsequent
     responses. PR 49113. [Graham Leggett]

  *) configure: Fix usage with external apr and apu in non-default paths
     and recent gcc versions >= 4.6. [Jean-Frederic Clere]

  *) core: Fix building against PCRE 8.30 by switching from the obsolete
     pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]

  *) mod_proxy: Add the forcerecovery balancer parameter that determines if
     recovery for balancer workers is enforced. [Ruediger Pluem]

Changes with Apache 2.2.22

  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
     Reject requests where the request-URI does not match the HTTP
     specification, preventing unexpected expansion of target URLs in
     some reverse proxy configurations. [Joe Orton]

  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
     is enabled, could allow local users to gain privileges via a .htaccess
     file. [Stefan Fritsch, Greg Ames]

  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
     Resolve additional cases of URL rewriting with ProxyPassMatch or
     RewriteRule, where particular request-URIs could result in undesired
     backend network exposure in some configurations.
     [Joe Orton]

  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
     string is in use and a client sends a nameless, valueless cookie, causing
     a denial of service. The issue existed since version 2.2.17. PR 52256.
     [Rainer Canavan <rainer-apache 7val com>]

  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
     Fix scoreboard issue which could allow an unprivileged child process
     to cause the parent to crash at shutdown rather than terminate
     cleanly. [Joe Orton]

  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.
     [Eric Covener]

  *) SECURITY: CVE-2012-4557 (cve.mitre.org)
     mod_proxy_ajp: Try to prevent a single long request from marking a worker
     in error. [Jean-Frederic Clere]

  *) config: Update the default mod_ssl configuration: Disable SSLv2, only
     allow >= 128bit ciphers, add commented example for speed optimized cipher
     list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand]

  *) core: Fix segfault in ap_send_interim_response(). PR 52315.
     [Stefan Fritsch]

  *) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch
     <torsten.foertsch gmx.net>]

  *) mod_win32: Invert logic for env var UTF-8 fixing.
     Now we exclude a list of vars which we know for sure don't hold UTF-8
     chars; all other vars will be fixed. This has the benefit that now also
     all vars from 3rd-party modules will be fixed. PR 13029 / 34985.
     [Guenter Knauf]

  *) core: Fix hook sorting for Perl modules, a regression introduced in
     2.2.21. PR: 45076. [Torsten Foertsch <torsten foertsch gmx net>]

  *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
     A range of '0-' will now return 206 instead of 200. PR 51878.
     [Jim Jagielski]

  *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
     of "0"). [Rainer Jung]

  *) mod_substitute: Fix buffer overrun. [Ruediger Pluem, Rainer Jung]

Changes with Apache 2.2.21

  *) SECURITY: CVE-2011-3348 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
     recognized. [Jean-Frederic Clere]

  *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20.
     PR 51748. [<lowprio20 gmail.com>]

  *) mod_filter: Instead of dropping the Accept-Ranges header when a filter
     registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
     set the header value to "none". [Eric Covener, Ruediger Pluem]

  *) mod_proxy_ajp: Ignore flushing if headers have not been sent.
     PR 51608 [Ruediger Pluem]

  *) mod_dav_fs: Fix segfault if apr DBM driver cannot be loaded. PR 51751.
     [Stefan Fritsch]

  *) mod_alias: Adjust log severity of "incomplete redirection target"
     message. PR 44020.

  *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
     RewriteEngine is disabled in server context, avoiding a crash while
     referencing the invalid int: map at runtime. PR 50994.
     [Ben Noordhuis <info noordhuis nl>]

  *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
     in the case Ranges are being ignored with MaxRanges none.
     [Eric Covener]

  *) mod_proxy_ajp: Respect "reuse" flag in END_RESPONSE packets.
     [Rainer Jung]

Changes with Apache 2.2.20

  *) SECURITY: CVE-2011-3192 (cve.mitre.org)
     core: Fix handling of byte-range requests to use less memory, to avoid
     denial of service. If the sum of all ranges in a request is larger than
     the original file, ignore the ranges and send the complete file.
     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]

  *) mod_authnz_ldap: If the LDAP server returns constraint violation,
     don't treat this as an error but as "auth denied". [Stefan Fritsch]

  *) mod_filter: Fix FilterProvider conditions of type "resp=" (response
     headers) for CGI. [Joe Orton, Rainer Jung]

  *) mod_reqtimeout: Fix a timed out connection going into the keep-alive
     state after a timeout when discarding a request body. PR 51103.
     [Stefan Fritsch]

  *) core: Do the hook sorting earlier so that the hooks are properly sorted
     for the pre_config hook and during parsing the config. [Stefan Fritsch]

Changes with Apache 2.2.19

  *) Revert ABI breakage in 2.2.18 caused by the function signature change
     of ap_unescape_url_keep2f(). This release restores the signature from
     2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
     [Eric Covener]

Changes with Apache 2.2.18

  *) Log an error for failures to read a chunk-size, and return 408 instead of
     413 when this is due to a read timeout. This change also fixes some cases
     of two error documents being sent in the response for the same scenario.
     PR 49167. [Eric Covener]

  *) core: Only log a 408 if it is not a keepalive timeout. PR 39785
     [Ruediger Pluem, Mark Montague <markmont umich.edu>]

  *) core: Treat timeout reading request as 408 error, not 400.
     Log 408 errors in access log as was done in Apache 1.3.x.
     PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch,
     Dan Poirier]

  *) Core HTTP: disable keepalive when the Client has sent
     Expect: 100-continue
     but we respond directly with a non-100 response. Keepalive here led
     to data from clients continuing being treated as a new request.
     PR 47087. [Nick Kew]

  *) htpasswd: Change the default algorithm for htpasswd to MD5 on all
     platforms. Crypt with its 8 character limit is not useful anymore;
     improve out of disk space handling (PR 30877); print a warning if
     a password is truncated by crypt. [Stefan Fritsch]

  *) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
     Win32's cscript interpreter can only use a single quote as comment char.
     [Guenter Knauf]

  *) configure: Fix htpasswd/htdbm libcrypt link errors with some newer
     linkers. [Stefan Fritsch]

  *) MinGW build improvements. PR 49535. [John Vandenberg
     <jayvdb gmail.com>, Jeff Trawick]

  *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
     [Stefan Fritsch]

  *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
     in request URL path info but not decode them. PR 35256,
     PR 46830. [Dan Poirier]

  *) mod_rewrite: Allow to unset environment variables. PR 50746.
     [Rainer Jung]

  *) suEXEC: Add Suexec directive to disable suEXEC without renaming the
     binary (Suexec Off), or force startup failure if suEXEC is required
     but not supported (Suexec On). [Jeff Trawick]

  *) mod_proxy: Put the worker in error state if the SSL handshake with the
     backend fails. PR 50332.
     [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]

  *) prefork: Update MPM state in children during a graceful restart.
     Allow the HTTP connection handling loop to terminate early
     during a graceful restart. PR 41743.
     [Andrew Punch <andrew.punch 247realmedia.com>]

  *) mod_ssl: Correctly read full lines in input filter when the line is
     incomplete during first read. PR 50481. [Ruediger Pluem]

  *) mod_autoindex: Merge IndexOptions from server to directory context when
     the directory has no mod_autoindex directives. PR 47766. [Eric Covener]

  *) mod_cache: Make sure that we never allow a 304 Not Modified response
     that we asked for to leak to the client should the 304 response be
     uncacheable. PR 45341 [Graham Leggett]

  *) mod_dav: Send 400 error if malformed Content-Range header is received for
     a put request (RFC 2616 14.16). PR 49825. [Stefan Fritsch]

  *) mod_userdir: Add merging of enable, disable, and filename arguments
     to UserDir directive, leaving enable/disable of userlists unmerged.
     PR 44076 [Eric Covener]

  *) core: Honor 'AcceptPathInfo OFF' during internal redirects,
     such as per-directory mod_rewrite substitutions. PR 50349.
     [Eric Covener]

  *) mod_cache: Check the request to determine whether we are allowed
     to return cached content at all, and respect a "Cache-Control:
     no-cache" header from a client. Previously, "no-cache" would
     behave like "max-age=0". [Graham Leggett]

  *) mod_mem_cache: Add a debug msg when a streaming response exceeds
     MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary
     'memory allocation failed' debug message. PR 49604. [Eric Covener]

  *) proxy_connect: Don't give up in the middle of a CONNECT tunnel
     when the child process is starting to exit. PR 50220. [Eric Covener]

Changes with Apache 2.2.17

  *) prefork MPM: Run cleanups for final request when process exits gracefully
     to work around a flaw in apr-util. PR 43857. [Tom Donovan]

  *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
     connections and other protocol handlers (like mod_ftp). Enforce the
     timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
     close time from 30 to 2 seconds. [Stefan Fritsch]

  *) Proxy balancer: support setting error status according to HTTP response
     code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]

  *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
     password to UTF-8. PR 45318.
     [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]

  *) core: check symlink ownership if both FollowSymlinks and
     SymlinksIfOwnerMatch are set [Nick Kew]

  *) core: fix origin checking in SymlinksIfOwnerMatch
     PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>]

  *) mod_headers: Enable multi-match-and-replace edit option
     PR 46594 [Nick Kew]

  *) mod_log_config: Make ${cookie}C correctly match whole cookie names
     instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
     Stefan Fritsch]

  *) mod_dir, mod_negotiation: Pass the output filter information
     to newly created sub requests; as these are later on used
     as true requests with an internal redirect. This allows for
     mod_cache et al. to trap the results of the redirect.
     PR 17629, 43939
     [Dirk-Willem van Gulik, Jim Jagielski, Joe Orton, Ruediger Pluem]

  *) rotatelogs: Fix possible buffer overflow if admin configures a
     very long log file path. [Jeff Trawick]

  *) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton]

  *) vhost: A purely-numeric Host: header should not be treated as a port.
     PR 44979 [Nick Kew]

  *) core: (re)-introduce -T commandline option to suppress documentroot
     check at startup.
     PR 41887 [Jan van den Berg <janvdberg gmail.com>]

Changes with Apache 2.2.16

  *) SECURITY: CVE-2010-1452 (cve.mitre.org)
     mod_dav, mod_cache: Fix Handling of requests without a path segment.
     PR: 49246 [Mark Drayton, Jeff Trawick]

  *) SECURITY: CVE-2010-2068 (cve.mitre.org)
     mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
     for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung]

  *) core: Filter init functions are now run strictly once per request
     before handler invocation. The init functions are no longer run
     for connection filters. PR 49328. [Joe Orton]

  *) mod_filter: enable it to act on non-200 responses.
     PR 48377 [Nick Kew]

  *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
     title page only) when any mod_ldap directives were used in VirtualHost
     context. [Eric Covener]

  *) mod_ssl: Fix segfault at startup if proxy client certs are shared
     across multiple vhosts. PR 39915. [Joe Orton]

  *) mod_proxy_http: Log the port of the remote server in various messages.
     PR 48812. [Igor Galić <i galic brainsware org>]

  *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
     [Philip M. Gollucci]

  *) mod_dir: add FallbackResource directive, to enable admin to specify
     an action to happen when a URL maps to no file, without resorting
     to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew]

  *) mod_rewrite: Allow to set environment variables without explicitly
     giving a value. [Rainer Jung]

Changes with Apache 2.2.15

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     for OpenSSL versions prior to 0.9.8l; reject any client-initiated
     renegotiations. Forcibly disable keepalive for the connection if there
     is any buffered data readable. Any configuration which requires
     renegotiation for per-directory/location access control is still
     vulnerable, unless using openssl 0.9.8l or later.
     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]

  *) SECURITY: CVE-2010-0434 (cve.mitre.org)
     Ensure each subrequest has a shallow copy of headers_in so that the
     parent request headers are not corrupted. Eliminates a problematic
     optimization in the case of no request body. PR 48359.
     [Jake Scott, William Rowe, Ruediger Pluem]

  *) mod_reqtimeout: New module to set timeouts and minimum data rates for
     receiving requests from the client. [Stefan Fritsch]

  *) mod_proxy_ajp: Really regard the operation a success, when the client
     aborted the connection. In addition adjust the log message if the client
     aborted the connection. [Ruediger Pluem]

  *) mod_negotiation: Preserve query string over multiviews negotiation.
     This buglet was fixed for type maps in 2.2.6, but the same issue
     affected multiviews and was overlooked.
     PR 33112. [Joergen Thomsen <apache jth.net>]

  *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
     the flood of requests at bay that strike a backend webserver as
     a cached entity goes stale. [Graham Leggett]

  *) mod_proxy_http: Make sure that when an ErrorDocument is served
     from a reverse proxied URL, that the subrequest respects the status
     of the original request. This brings the behaviour of proxy_handler
     in line with default_handler. PR 47106. [Graham Leggett]

  *) mod_log_config: Add the R option to log the handler used within the
     request. [Christian Folini <christian.folini netnea com>]

  *) mod_include: Allow fine control over the removal of Last-Modified and
     ETag headers within the INCLUDES filter, making it possible to cache
     responses if desired. Fix the default value of the SSIAccessEnable
     directive. [Graham Leggett]

  *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
     is configured for client cert auth. PR 46952. [Joe Orton]

  *) core: Fix potential memory leaks by making sure to not destroy
     bucket brigades that have been created by earlier filters.
     [Stefan Fritsch]

  *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
     try other providers in the case of an LDAP bind failure.
     PR 46608. [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]

  *) mod_proxy, mod_proxy_http: Support remote https proxies
     by using HTTP CONNECT.
     PR 19188. [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]

  *) worker: Don't report server has reached MaxClients until it has.
     Add message when server gets within MinSpareThreads of MaxClients.
     PR 46996. [Dan Poirier]

  *) mod_ssl: When extracting certificate subject/issuer names to the
     SSL_*_DN_* variables, handle RDNs with duplicate tags by
     exporting multiple variables with an "_n" integer suffix.
     PR 45875. [Joe Orton, Peter Sylvester <peter.sylvester edelweb.fr>]

  *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
     password now result in an informational level log entry instead of
     warning level. [Eric Covener]

  *) core: Preserve Port information over internal redirects
     PR 35999. [Jonas Ringh <jonas.ringh cixit.se>]

  *) mod_filter: fix FilterProvider matching where "dispatch" string
     doesn't exist.
     PR 48054. [<tietew gmail.com>]

  *) Build: fix --with-module to work as documented
     PR 43881. [Gez Saunders <gez.saunders virgin.net>]

  *) mod_mime: Make RemoveType override the info from TypesConfig.
     PR 38330. [Stefan Fritsch]

  *) mod_proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
     rather than BAD_GATEWAY or (especially) NOT_FOUND.
     PR 46971. [Evan Champion <evanc nortel.com>]

  *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
     [Eric Covener]

  *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
     some cache entries and log a warning. Also increase the default
     LDAPSharedCacheSize to 500000. This is a more realistic size suitable
     for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
     PR 46749. [Stefan Fritsch]

  *) mod_disk_cache, mod_mem_cache: don't cache incomplete responses,
     per RFC 2616, 13.8. PR 15866. [Dan Poirier]

  *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
     the request is a CONNECT request. PR 47928.
     [Bill Zajac <billz consultla.com>]

  *) mod_cache: correctly consider s-maxage in cacheability
     decisions. [Dan Poirier]

  *) core: Return APR_EOF if request body is shorter than the length announced
     by the client. PR 33098. [Stefan Fritsch]

  *) mod_rewrite: Add scgi scheme detection. [André Malo]

  *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
     LocationMatch sections. PR 47754. [Dan Poirier]

  *) ab, mod_ssl: Restore compatibility with OpenSSL < 0.9.7g.
     [Guenter Knauf]

Changes with Apache 2.2.14

  *) SECURITY: CVE-2009-2699 (cve.mitre.org)
     Fixed in APR 1.3.9. Faulty error handling in the Solaris pollset support
     (Event Port backend) which could trigger hangs in the prefork and event
     MPMs on that platform. PR 47645. [Jeff Trawick]

  *) SECURITY: CVE-2009-3095 (cve.mitre.org)
     mod_proxy_ftp: sanity check authn credentials.
     [Stefan Fritsch <sf fritsch.de>, Joe Orton]

  *) SECURITY: CVE-2009-3094 (cve.mitre.org)
     mod_proxy_ftp: NULL pointer dereference on error paths.
     [Stefan Fritsch <sf fritsch.de>, Joe Orton]

  *) mod_proxy_scgi: Backport from trunk. [André Malo]

  *) mod_ldap: Don't try to resolve file-based user ids to a DN when AuthLDAPURL
     has been defined at a very high level. PR 45946. [Eric Covener]

  *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]

  *) mod_ldap: Bring the LDAPCacheEntries and LDAPOpCacheEntries
     usage() in synch with the manual and the implementation (0 and -1
     both disable the cache). [Eric Covener]

  *) mod_ssl: The error message when SSLCertificateFile is missing should
     at least give the name or position of the problematic virtual host
     definition. [Stefan Fritsch <sf sfritsch.de>]

  *) htdbm: Fix possible buffer overflow if dbm database has very
     long values. PR 30586 [Dan Poirier]

  *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]

  *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
     type. PR 45107. [Michael Ströder <michael stroeder.com>,
     Peter Sylvester <peter.sylvester edelweb.fr>]

  *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
     defined session identifiers encoded in the URL when caching.
     [Ruediger Pluem]

  *) mod_mem_cache: fix seg fault under load due to pool concurrency problem
     PR: 47672 [Dan Poirier <poirier pobox.com>]

  *) mod_autoindex: Correctly create an empty cell if the description
     for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]

Changes with Apache 2.2.13

  *) SECURITY: CVE-2009-2412 (cve.mitre.org)
     Distributed with APR 1.3.8 and APR-util 1.3.9 to fix potential overflow
     in pools and rmm, where size alignment was taking place.
     [Matt Lewis <mattlewis@google.com>, Sander Striker]

  *) mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas. Report
     warnings compiling mod_ssl against OpenSSL to the httpd developers.
     [Guenter Knauf]

  *) mod_cgid: Do not add an empty argument when calling the CGI script.
     PR 46380 [Ruediger Pluem]

  *) Fix potential segfaults with use of the legacy ap_rputs() etc
     interfaces, in cases where an output filter fails. PR 36780.
     [Joe Orton]

Changes with Apache 2.2.12

  *) SECURITY: CVE-2009-1891 (cve.mitre.org)
     Fix a potential Denial-of-Service attack against mod_deflate or other
     modules, by forcing the server to consume CPU time in compressing a
     large file after a client disconnects. PR 39605.
     [Joe Orton, Ruediger Pluem]

  *) SECURITY: CVE-2009-1195 (cve.mitre.org)
     Prevent the "Includes" Option from being enabled in an .htaccess
     file if the AllowOverride restrictions do not permit it.
     [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
     Ruediger Pluem, Jeff Trawick]

  *) SECURITY: CVE-2009-1890 (cve.mitre.org)
     Fix a potential Denial-of-Service attack against mod_proxy in a
     reverse proxy configuration, where a remote attacker can force a
     proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]

  *) SECURITY: CVE-2009-1191 (cve.mitre.org)
     mod_proxy_ajp: Avoid delivering content from a previous request which
     failed to send a request body. PR 46949 [Ruediger Pluem]

  *) SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
     The bundled copy of the APR-util library has been updated, fixing three
     different security issues which may affect particular configurations
     and third-party modules.

  *) mod_headers: Make 'Header set Content-Type' effective on responses
     that already have a Content-Type. [Issac Goldstand]

  *) mod_include: fix potential segfault when handling back references
     on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]

  *) mod_alias: check sanity in Redirect arguments.
     PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]

  *) mod_proxy_http: fix Host: header for literal IPv6 addresses.
     PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]

  *) mod_rewrite: Remove locking for writing to the rewritelog.
     PR 46942

  *) mod_alias: Ensure Redirect emits HTTP-compliant URLs.
     PR 44020

  *) mod_proxy_http: fix case sensitivity checking transfer encoding
     PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]

  *) mod_rewrite: Fix the error string returned by RewriteRule.
     RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
     argument of RewriteRule did not start with "[" or did not end with "]".
     PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]

  *) mod_proxy: Complete ProxyPassReverse to handle balancer URLs. Given
       BalancerMember balancer://alias http://example.com/foo
       ProxyPassReverse /bash balancer://alias/bar
     the backend URL http://example.com/foo/bar/that is now translated to
     /bash/that. [William Rowe]

  *) New piped log syntax: Use "||process args" to launch the given process
     without invoking the shell/command interpreter. Use "|$command line"
     (the default behavior of "|command line" in 2.2) to invoke using shell,
     consuming an additional shell process for the lifetime of the logging
     pipe program but granting additional process invocation flexibility.
     [William Rowe]

  *) mod_ssl: Add server name indication support (RFC 4366) and better
     support for name based virtual hosts with SSL. PR 34607
     [Peter Sylvester <peter.sylvester edelweb.fr>,
     Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
     Ruediger Pluem]

  *) mod_negotiation: Escape paths of filenames in 406 responses to avoid
     HTML injections and HTTP response splitting. PR 46837.
     [Geoff Keating <geoffk apple.com>]

  *) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
     including multiple INCLUDES filters. PR 39369 [Joe Orton]

  *) mod_rewrite: When evaluating a proxy rule in directory context, do
     escape the filename by default. PR 46428 [Joe Orton]

  *) mod_proxy_ajp: Check more strictly that the backend follows the AJP
     protocol. [Mladen Turk]

  *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
     to enable stricter checking of remote server certificates.
     [Ruediger Pluem]

  *) mod_substitute: Fix a memory leak. PR 44948
     [Dan Poirier <poirier pobox.com>]

  *) mod_proxy_ajp: Forward remote port information by default.
     [Rainer Jung]

  *) mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
     directive to correctly remove headers before storing them.
     [Lars Eilebrecht]

  *) mod_deflate: revert changes in 2.2.8 that caused an invalid
     etag to be emitted for on-the-fly gzip content-encoding.
     PR 39727 will require larger fixes and this fix was far more
     harmful than the original code. PR 45023. [Roy T. Fielding]

  *) mod_disk_cache: The module now turns off sendfile support if
     'EnableSendfile off' is defined globally. PR 41218.
827 [Lars Eilebrecht, Issac Goldstand] 828 829 *) prefork: Fix child process hang during graceful restart/stop in 830 configurations with multiple listening sockets. PR 42829. [Joe Orton, 831 Jeff Trawick] 832 833 *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the 834 size of the buffer used for the request-body where necessary 835 during a per-dir renegotiation. PR 39243. [Joe Orton] 836 837 *) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome 838 way that per-directory rewrites append the previous notion of PATH_INFO 839 to each substitution before evaluating subsequent rules. 840 PR38642 [Eric Covener] 841 842 *) mod_authnz_ldap: Reduce number of initialization debug messages and make 843 information more clear. PR 46342 [Dan Poirier] 844 845 *) mod_cache: Introduce 'no-cache' per-request environment variable 846 to prevent the saving of an otherwise cacheable response. 847 [Eric Covener] 848 849 *) core: Translate the status line to ASCII on EBCDIC platforms in 850 ap_send_interim_response() and for locally generated "100 Continue" 851 responses. [Eric Covener] 852 853 *) CGI: return 504 (Gateway timeout) rather than 500 when a script 854 times out before returning status line/headers. 855 PR 42190 [Nick Kew] 856 857 *) prefork: Log an error instead of segfaulting when child startup fails 858 due to pollset creation failures. PR 46467. [Jeff Trawick] 859 860 *) mod_ext_filter: fix error handling when the filter prog fails to start, 861 and introduce an onfail configuration option to abort the request 862 or to remove the broken filter and continue. 
863 PR 41120 [Nick Kew] 864 865 *) mod_include: support generating non-ASCII characters as entities in SSI 866 PR 25202 [Nick Kew] 867 868 *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII 869 chars [Nick Kew] 870 871 *) mod_rewrite: fix "B" flag breakage by reverting r589343 872 PR 45529 [Bob Ionescu <bobsiegen googlemail.com>] 873 874 *) mod_cgid: fix segfault problem on solaris. 875 PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>, Jeff Trawick] 876 877 *) mod_ldap: Avoid a segfault when result->rc is checked in 878 uldap_connection_init when result is NULL. This could happen if LDAP 879 initialization failed. PR 45994. [Dan Poirier <poirier pobox.com>] 880 881 *) Set Listen protocol to "https" if port is set to 443 and no proto is 882 specified (as documented but not implemented). PR 46066 883 [Dan Poirier <poirier pobox.com>] 884 885 *) mod_cache: Correctly save Content-Encoding of cachable entity. PR 46401 886 [Dan Poirier <poirier pobox.com>] 887 888 *) Output -M and -S dumps (modules and vhosts) to stdout instead of stderr. 889 PR 42571 and PR 44266 (dup). [Dan Poirier <poirier pobox.com>] 890 891 *) mod_cache: When an explicit Expires or Cache-Control header is set, cache 892 normally non-cacheable response statuses. PR 46346. 893 [Alex Polvi <alex polvi.net>] 894 895Changes with Apache 2.2.11 896 897 *) core: When the ap_http_header_filter processes an error bucket, cleanup 898 the passed brigade before returning AP_FILTER_ERROR down the filter 899 chain. This unambiguously ensures the same error bucket isn't revisited 900 [Ruediger Pluem] 901 902 *) core: Error responses set by filters were being coerced into 500 errors, 903 sometimes appended to the original error response. 
Log entry of: 904 'Handler for (null) returned invalid result code -3' 905 [Eric Covener] 906 907 *) configure: Don't reject libtool 2.x 908 PR 44817 [Arfrever Frehtes Taifersar Arahesis <Arfrever.FTA gmail.com>] 909 910 *) mod_autoindex: add configuration option to insert string 911 in HTML HEAD (IndexHeadInsert). [Nick Kew] 912 913 *) Add new LogFormat parameter, %k, which logs the number of 914 keepalive requests on this connection for this request. 915 PR 45762 [Dan Poirier <poirier pobox.com>, Jim Jagielski] 916 917 *) Export and install the mod_rewrite.h header to ensure the optional 918 rewrite_mapfunc_t and ap_register_rewrite_mapfunc functions are 919 available to third party modules. [Graham Leggett] 920 921 *) mod_cache: Convert age of cached object to seconds before comparing it to 922 age supplied by the request when checking whether to send a Warning 923 header for a stale response. PR 39713. [Owen Taylor <otaylor redhat.com>] 924 925 *) Build: Correctly set SSL_LIBS during openssl detection if pkgconfig is 926 not available. PR 46018 [Ruediger Pluem] 927 928 *) mod_proxy_ajp: Do not fail if response data is sent before all request 929 data is read. PR 45911 [Ruediger Pluem] 930 931 *) mod_proxy_balancer: Add in forced recovery for balancer members if 932 all are in error state. [Mladen Turk] 933 934 *) mod_proxy: Prevent segmentation faults by correctly adjusting the 935 lifetime of the buckets read from the proxy backend. PR 45792 936 [Ruediger Pluem] 937 938 *) mod_expires: Do not sets negative max-age / Expires header in the past. 939 PR 39774 [Jim Jagielski] 940 941 *) mod_info: Was displaying the wrong value for the KeepAliveTimeout 942 value. [Jim Jagielski] 943 944 *) mod_proxy_ajp: Fix wrongly formatted requests where client 945 sets Content-Length header, but doesn't provide a body. 946 Servlet container always expects that next packet is 947 body whenever C-L is present in the headers. 
This can lead 948 to wrong interpretation of the packets. In this case 949 send the empty body packet, so container can deal with 950 that. [Mladen Turk] 951 952 *) core: Add ap_timeout_parameter_parse to public API. [Ruediger Pluem] 953 954 *) mod_proxy: Add the possibility to set the worker parameters 955 connectiontimeout and ping in milliseconds. [Ruediger Pluem] 956 957 *) Worker MPM: Crosscheck that idle workers are still available before using 958 them and thus preventing an overflow of the worker queue which causes 959 a SegFault. PR 45605 [Denis Ustimenko <denusk gmail.com>] 960 961 *) Windows: Always build the odbc dbd driver on windows, to be consistent 962 with the apr-util default. [Tom Donovan] 963 964Changes with Apache 2.2.10 965 966 *) SECURITY: CVE-2008-2939 (cve.mitre.org) 967 mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of 968 the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] 969 970 *) Allow for smax to be 0 for balancer members so that all idle 971 connections are able to be dropped should they exceed ttl. 972 PR 43371 [Phil Endecott <spam_from_apache_bugzilla chezphil.org>, 973 Jim Jagielski] 974 975 *) mod_proxy_http: Don't trigger a retry by the client if a failure to 976 read the response line was the result of a timeout. 977 [Adam Woodworth <mirkperl gmail.com>] 978 979 *) Support chroot on Unix-family platforms 980 PR 43596 [Dimitar Pashev <mitko banksoft-bg.com>] 981 982 *) mod_ssl: implement dynamic mutex callbacks for the benefit of 983 OpenSSL. [Sander Temme] 984 985 *) mod_proxy_balancer: Add 'bybusyness' load balance method. 986 [Joel Gluth <joelgluth yahoo.com.au>, Jim Jagielski] 987 988 *) mod_authn_alias: Detect during startup when AuthDigestProvider 989 is configured to use an incompatible provider via AuthnProviderAlias. 990 PR 45196 [Eric Covener] 991 992 *) mod_proxy: Add 'scolonpathdelim' parameter to allow for ';' to also be 993 used as a session path separator/delim PR 45158. 
[Jim Jagielski] 994 995 *) mod_charset_lite: Avoid dropping error responses by handling meta buckets 996 correctly. PR 45687 [Dan Poirier <poirier pobox.com>] 997 998 *) mod_proxy_http: Introduce environment variable proxy-initial-not-pooled 999 to avoid reusing pooled connections if the client connection is an 1000 initial connection. PR 37770. [Ruediger Pluem] 1001 1002 *) mod_rewrite: Allow Cookie option to set secure and HttpOnly flags. 1003 PR 44799 [Christian Wenz <christian wenz.org>] 1004 1005 *) mod_ssl: Rewrite shmcb to avoid memory alignment issues. PR 42101. 1006 [Geoff Thorpe] 1007 1008 *) mod_proxy: Add connectiontimeout parameter for proxy workers in order to 1009 be able to set the timeout for connecting to the backend separately. 1010 PR 45445. [Ruediger Pluem, rahul <rahul sun.com>] 1011 1012 *) mod_dav_fs: Retrieve minimal system information about directory 1013 entries when walking a DAV fs, resolving a performance degradation on 1014 Windows. PR 45464. [Joe Orton, Jeff Trawick] 1015 1016 *) mod_cgid: Pass along empty command line arguments from an ISINDEX 1017 query that has consecutive '+' characters in the QUERY_STRING, 1018 matching the behavior of mod_cgi. 1019 [Eric Covener] 1020 1021 *) mod_headers: Prevent Header edit from processing only the first header 1022 of possibly multiple headers with the same name and deleting the 1023 remaining ones. PR 45333. [Ruediger Pluem] 1024 1025 *) mod_proxy_balancer: Move nonce field in the balancer manager page inside 1026 the html form where it belongs. PR 45578. [Ruediger Pluem] 1027 1028 *) mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to 1029 known HTTP/1.0 servers. Return 'Expectation failed' (417) instead. 1030 [Ruediger Pluem] 1031 1032 *) mod_rewrite: Preserve the query string when [proxy,noescape]. PR 45247. 
1033 [Tom Donovan] 1034 1035Changes with Apache 2.2.9 1036 1037 *) SECURITY: CVE-2008-2364 (cve.mitre.org) 1038 mod_proxy_http: Better handling of excessive interim responses 1039 from origin server to prevent potential denial of service and high 1040 memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem, 1041 Joe Orton, Jim Jagielski] 1042 1043 *) SECURITY: CVE-2007-6420 (cve.mitre.org) 1044 mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager 1045 interface. [Joe Orton] 1046 1047 *) core: Fix address-in-use startup failure on some platforms caused 1048 by creating an IPv4 listener which overlaps with an existing IPv6 1049 listener. [Jeff Trawick] 1050 1051 *) mod_proxy: Make all proxy modules nocanon aware and do not add the 1052 query string again in this case. PR 44803. 1053 [Jim Jagielski, Ruediger Pluem] 1054 1055 *) mod_unique_id: Fix timestamp value in UNIQUE_ID. 1056 PR 37064 [Kobayashi <kobayashi firstserver.co.jp>] 1057 1058 *) htpasswd: Fix salt generation weakness. PR 31440 1059 [Andreas Krennmair <ak synflood.at>, Peter Watkins <peterw tux.org>, 1060 Paul Querna] 1061 1062 *) core: Add the filename of the configuration file to the warning message 1063 about the useless use of AllowOverride. PR 39992. 1064 [Darryl Miles <darryl darrylmiles.org>] 1065 1066 *) scoreboard: Remove unused proxy load balancer elements from scoreboard 1067 image (not scoreboard memory itself). [Chris Darroch] 1068 1069 *) mod_proxy: Support environment variable interpolation in reverse 1070 proxying directives. [Nick Kew] 1071 1072 *) suexec: When group is given as a numeric gid, validate it by looking up 1073 the actual group name such that the name can be used in log entries. 1074 PR 7862 [<y-koga apache.or.jp>, Leif W <warp-9.9 usa.net>] 1075 1076 *) Fix garbled TRACE response on EBCDIC platforms. 
1077 [David Jones <oscaremma gmail.com>] 1078 1079 *) ab: Include <limits.h> earlier if available since we may need 1080 INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS. 1081 PR 45024 [Ruediger Pluem] 1082 1083 *) ab: Improve client performance by clearing connection pool instead 1084 of destroying it. PR 40054 [Brad Roberts <braddr puremagic.com>] 1085 1086 *) ab: Don't stop sending a request if EAGAIN is returned, which 1087 will only happen if both the write and subsequent wait are 1088 returning EAGAIN, and count posted bytes correctly when the initial 1089 write of a request is not complete. PR 10038, 38861, 39679 1090 [Patrick McManus <mcmanus datapower.com>, 1091 Stefan Fleiter <stefan.fleiter web.de>, 1092 Davanum Srinivas, Roy T. Fielding] 1093 1094 *) ab: Overhaul stats collection and reporting to avoid integer 1095 truncation and time divisions within the test loop, retain 1096 native time resolution until output, remove unused data, 1097 consistently round milliseconds, and generally avoid losing 1098 accuracy of calculation due to type casts. PR 44878, 44931. 1099 [Roy T. Fielding] 1100 1101 *) ab: Add -r option to continue after socket receive errors. 1102 [Filip Hanik <devlist hanik.com>] 1103 1104 *) core: Do not allow Options ALL if not all options are allowed to be 1105 overwritten. PR 44262 [Michał Grzędzicki <lazy iq.pl>] 1106 1107 *) mod_cache: Handle If-Range correctly if the cached resource was stale. 1108 PR 44579 [Ruediger Pluem] 1109 1110 *) mod_proxy: Do not try a direct connection if the connection via a 1111 remote proxy failed before and the request has a request body. 1112 [Ruediger Pluem] 1113 1114 *) mod_proxy_ajp: Do not retry request in the case that we either failed to 1115 sent a part of the request body or if the request is not idempotent. 1116 PR 44334 [Ruediger Pluem] 1117 1118 *) mod_rewrite: Initialize hash needed by ap_register_rewrite_mapfunc early 1119 enough. 
PR 44641 [Daniel Lescohier <daniel.lescohier cnet.com>] 1120 1121 *) mod_dav: Return "method not allowed" if the destination URI of a WebDAV 1122 copy / move operation is no DAV resource. PR 44734 [Ruediger Pluem] 1123 1124 *) http_filters: Don't return 100-continue on redirects. PR 43711 1125 [Ruediger Pluem] 1126 1127 *) mod_ssl: Fix a memory leak with connections that have zlib compression 1128 turned on. PR 44975 [Joe Orton, Amund Elstad <Amund.Elstad ist.com>, 1129 Dr Stephen Henson <steve openssl.org>] 1130 1131 *) mod_proxy: Trigger a retry by the client in the case we fail to read the 1132 response line from the backend by closing the connection to the client. 1133 PR 37770 [Ruediger Pluem] 1134 1135 *) gen_test_char: add double-quote to the list of T_HTTP_TOKEN_STOP. 1136 PR 9727 [Ville Skytt <ville.skytta iki.fi>] 1137 1138 *) core: reinstate location walk to fix config for subrequests 1139 PR 41960 [Jose Kahan <jose w3.org>] 1140 1141 *) rotatelogs: Log the current file size and error code/description 1142 when failing to write to the log file. [Jeff Trawick] 1143 1144 *) rotatelogs: Added '-f' option to force rotatelogs to create the 1145 logfile as soon as started, and not wait until it reads the 1146 first entry. [Jim Jagielski] 1147 1148 *) rotatelogs: Don't leak memory when reopening the logfile. 1149 PR 40183 [Ruediger Pluem, Takashi Sato <serai lans-tv.com>] 1150 1151 *) rotatelogs: Improve atomicity when using -l and cleaup code. 1152 PR 44004 [Rainer Jung] 1153 1154 *) mod_authn_dbd: Disambiguate and tidy database authentication 1155 error messages. PR 43210. [Chris Darroch, Phil Endecott 1156 <spam_from_apache_bugzilla chezphil.org>] 1157 1158 *) mod_headers: Add 'merge' option to avoid duplicate values within 1159 the same header. 
[Chris Darroch] 1160 1161 *) mod_cgid: Explicitly set permissions of the socket (ScriptSock) shared by 1162 mod_cgid and request processing threads, for OS'es such as HPUX and AIX 1163 that do not use umask for AF_UNIX socket permissions. 1164 [Eric Covener, Jeff Trawick] 1165 1166 *) mod_cgid: Don't try to restart the daemon if it fails to initialize 1167 the socket. [Jeff Trawick] 1168 1169 *) mod_log_config: Add format options for %p so that the actual local 1170 or remote port can be logged. PR 43415. [Adam Hasselbalch Hansen 1171 <ahh@one.com>, Ruediger Pluem, Jeff Trawick] 1172 1173 *) Added 'disablereuse' option for ProxyPass which, essentially, 1174 disables connection pooling for the backend servers. 1175 [Jim Jagielski] 1176 1177 *) mod_speling: remove regression from 1.3/2.0 behavior and 1178 drop dependency between mod_speling and AcceptPathInfo. 1179 PR 43562 [Jose Kahan <jose w3.org>] 1180 1181 *) mod_substitute: The default is now flattening the buckets after 1182 each substitution. The newly added 'q' flag allows for the 1183 quicker, more efficient bucket-splitting if the user so 1184 desires. [Jim Jagielski] 1185 1186 *) http_filters: Don't spin if get an error when reading the 1187 next chunk. PR 44381 [Ruediger Pluem] 1188 1189 *) ab: Do not try to read non existing response bodies of HEAD requests. 1190 PR 34275 [Takashi Sato <serai lans-tv.com>] 1191 1192 *) ab: Use a 64 bit unsigned int instead of a signed long to count the 1193 bytes transferred to avoid integer overflows. PR 44346 [Ruediger Pluem] 1194 1195 *) ProxyPassReverse is now balancer aware. [Jim Jagielski] 1196 1197 *) mod_include: Correctly handle SSI directives split over multiple filter 1198 passes. PR 44447 [Harald Niesche <harald brokenerror.de>] 1199 1200 *) mod_cache: Revalidate cache entities which have Cache-Control: no-cache 1201 set in their response headers. 
PR 44511 [Ruediger Pluem] 1202 1203 *) mod_rewrite: Check all files used by DBM maps for freshness, mod_rewrite 1204 didn't pick up on updated sdbm maps due to this. 1205 PR41190 [Niklas Edmundsson] 1206 1207 *) mod_proxy: Lower memory consumption for short lived connections. 1208 PR 44026. [Ruediger Pluem] 1209 1210 *) mod_proxy: Keep connections to the backend persistent in the HTTPS case. 1211 [Ruediger Pluem] 1212 1213 *) Don't add bogus duplicate Content-Language entries 1214 PR 11035 [Davi Arnaut] 1215 1216 *) Worker / Event MPM: Fix race condition in pool recycling that leads to 1217 segmentation faults under load. PR 44402 1218 [Basant Kumar Kukreja <basant.kukreja sun.com>] 1219 1220 *) mod_proxy_ftp: Fix base for directory listings. 1221 PR 27834 [Nick Kew] 1222 1223 *) mod_logio: Provide optional function to allow modules to adjust the 1224 bytes_in count [Eric Covener] 1225 1226 *) http_filters: Don't return 100-continue on client error 1227 PR 43711 [Chetan Reddy <chetanreddy gmail.com>] 1228 1229 *) mod_charset_lite: Add TranslateAllMimeTypes sub-option to 1230 CharsetOptions, allowing the administrator to skip the 1231 mimetype checking that precedes translation. 1232 PR 44458 [Eric Covener] 1233 1234 *) mod_proxy_http: Fix processing of chunked responses if 1235 Connection: Transfer-Encoding is set in the response of the proxied 1236 system. PR 44311 [Ruediger Pluem] 1237 1238 *) mod_proxy_http: Return HTTP status codes instead of apr_status_t 1239 values for errors encountered while forwarding the request body 1240 PR 44165 [Eric Covener] 1241 1242 *) mod_rewrite: Don't canonicalise URLs with [P,NE] 1243 PR 43319 [<rahul sun.com>] 1244 1245Changes with Apache 2.2.8 1246 1247 *) core: Fix regression in 2.2.7 in chunk filtering with massively 1248 chunked requests. [Ruediger Pluem, Nick Kew] 1249 1250 *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout 1251 to /Device/Nul as the server is starting up, mirroring unix MPM's. 
1252 PR: 43534 [Tom Donovan <Tom.Donovan acm.org>, William Rowe] 1253 1254 *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform 1255 by recreating the bucket allocator each time the trans pool is cleared. 1256 PR: 11427 #16 (follow-on) [Tom Donovan <Tom.Donovan acm.org>] 1257 1258 *) mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals. 1259 PR 38034 [Paritosh Shah <shah.paritosh gmail.com>] 1260 1261Changes with Apache 2.2.7 (not released) 1262 1263 *) SECURITY: CVE-2007-6421 (cve.mitre.org) 1264 mod_proxy_balancer: Correctly escape the worker route and the worker 1265 redirect string in the HTML output of the balancer manager. 1266 Reported by SecurityReason. [Ruediger Pluem] 1267 1268 *) SECURITY: CVE-2007-6422 (cve.mitre.org) 1269 Prevent crash in balancer manager if invalid balancer name is passed 1270 as parameter. Reported by SecurityReason. [Ruediger Pluem] 1271 1272 *) SECURITY: CVE-2007-6388 (cve.mitre.org) 1273 mod_status: Ensure refresh parameter is numeric to prevent 1274 a possible XSS attack caused by redirecting to other URLs. 1275 Reported by SecurityReason. [Mark Cox, Joe Orton] 1276 1277 *) SECURITY: CVE-2007-5000 (cve.mitre.org) 1278 mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. 1279 [Joe Orton] 1280 1281 *) SECURITY: CVE-2008-0005 (cve.mitre.org) 1282 Introduce the ProxyFtpDirCharset directive, allowing the administrator 1283 to identify a default, or specific servers or paths which list their 1284 contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem] 1285 1286 *) mod_dav: Adjust etag generation to produce identical results on 32-bit 1287 and 64-bit platforms and avoid a regression with conditional PUT's on 1288 lock and etag. PR 44152. 1289 [Michael Clark <michael metaparadigm.com>, Ruediger Pluem] 1290 1291 *) mod_ssl: Fix handling of the buffered request body during a per-location 1292 renegotiation, when an internal redirect occurs. PR 43738. 
1293 [Joe Orton] 1294 1295 *) mod_ldap: Try to establish a new backend LDAP connection when the 1296 Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the 1297 LDAP server has closed the connection due to a timeout. 1298 PR 39095 [Eric Covener] 1299 1300 *) log.c: Ensure Win32 resurrects its lost robust logger processes. 1301 [William Rowe] 1302 1303 *) mod_disk_cache: Delete temporary files if they cannot be renamed to their 1304 final name. [Davi Arnaut <davi haxent.com.br>] 1305 1306 *) Add explicit charset to the output of various modules to work around 1307 possible cross-site scripting flaws affecting web browsers that do not 1308 derive the response character set as required by RFC2616. One of these 1309 reported by SecurityReason [Joe Orton] 1310 1311 *) http_protocol: Escape request method in 405 error reporting. 1312 This has no security impact since the browser cannot be tricked 1313 into sending arbitrary method strings. [Jeff Trawick] 1314 1315 *) mod_ssl: Fix SSL client certificate extensions parsing bug. PR 44073. 1316 [yl <yl bee-ware.net>] 1317 1318 *) mod_proxy_ajp: Use 64K as maximum AJP packet size. This is the maximum 1319 length we can squeeze inside the AJP message packet. 1320 [Mladen Turk] 1321 1322 *) core: Lower memory consumption of ap_r* functions by reusing the brigade 1323 instead of recreating it during each filter pass. 1324 [Stefan Fritsch <sf sfritsch.de>] 1325 1326 *) core: Lower memory consumption in case that flush buckets are passed thru 1327 the chunk filter as last bucket of a brigade. PR 23567. 1328 [Stefan Fritsch <sf sfritsch.de>] 1329 1330 *) core: Fix broken chunk filtering that causes all non blocking reads to be 1331 converted into blocking reads. PR 19954, 41056. 1332 [Jean-Frederic Clere, Jim Jagielski] 1333 1334 *) mod_rewrite: Add the novary flag to RewriteCond. 1335 [Ruediger Pluem] 1336 1337 *) core: Change etag generation to produce identical results on 1338 32-bit and 64-bit platforms. 
PR 40064. [Joe Orton] 1339 1340 *) http_protocol: Escape request method in 413 error reporting. 1341 Determined to be not generally exploitable, but a flaw in any case. 1342 PR 44014 [Victor Stinner <victor.stinner inl.fr>] 1343 1344 *) mod_filter: Don't segfault on (unsupported) chained FilterProvider usage. 1345 PR 43956 [Nick Kew, Ruediger Pluem] 1346 1347 *) core: Handle unrecognised transfer-encodings. 1348 PR 43882 [Nick Kew, Jeff Trawick] 1349 1350 *) mod_include: Add an "if" directive syntax to test whether an URL 1351 is accessible, and if so, conditionally display content. This 1352 allows a webmaster to hide a link to a private page when the user 1353 has no access to that page. [Graham Leggett] 1354 1355 *) Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009 1356 [Christophe Jaillet <christophe.jaillet wanadoo.fr>] 1357 1358 *) mod_proxy_http: Correctly forward unexpected interim (HTTP 1xx) 1359 responses from the backend according to RFC2616. But make it 1360 configurable in case something breaks on it. 1361 PR 16518 [Nick Kew] 1362 1363 *) mod_substitute: Added a new output filter, which performs 1364 inline response content pattern matching (including regex) 1365 and substitution. [Jim Jagielski, Ruediger Pluem] 1366 1367 *) rotatelogs: Change command-line parsing to report more types 1368 of errors. Allow local timestamps to be used when rotating based 1369 on file size. [Jeff Trawick] 1370 1371 *) mod_proxy: Canonicalisation improvements. Add "nocanon" keyword to 1372 ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also, 1373 don't escape/unescape forward-proxied URLs. 1374 PR 41798, 42592 [Nick Kew, Ruediger Pluem, Roy Fielding, Jim Jagielski] 1375 1376 *) mod_status: Add SeeRequestTail directive, which determines if 1377 ExtendedStatus displays the 1st 63 characters of the request 1378 or the last 63. 
Useful for those requests with large string 1379 lengths and which only vary with the last several characters. 1380 [Jim Jagielski] 1381 1382 *) mod_ssl: Prevent memory corruption of version string. 1383 PR 43865, 43334 [William Rowe, Joe Orton] 1384 1385 *) core: Avoid some unexpected connection closes by telling the client 1386 that the connection is not persistent if the MPM process handling 1387 the request is already exiting when the response header is built. 1388 [Jeff Trawick] 1389 1390 *) mod_autoindex: Generate valid XHTML output by adding the xhtml 1391 namespace. PR 43649 [Jose Kahan <jose w3.org>] 1392 1393 *) mod_ldap: Give callers a reference to data copied into the request 1394 pool instead of references directly into the cache 1395 PR 43786 [Eric Covener] 1396 1397 *) mod_ldap: Stop passing a reference to pconf around for 1398 (limited) use during request processing, avoiding possible 1399 memory corruption and crashes. [Eric Covener] 1400 1401 *) Event MPM: Add support for running under mod_ssl, by reverting to the 1402 Worker MPM behaviors, when run under an input filter that buffers 1403 its own data. [Paul Querna] 1404 1405 *) mod_charset_lite: Don't crash when the request has no associated 1406 filename. [Jeff Trawick] 1407 1408 *) Core: fix possible crash at startup in case of nonexistent DocumentRoot. 1409 PR 39722 [Adrian Buckley <adrian.buckley ntlworld.com>] 1410 1411 *) HTTP protocol: Add "DefaultType none" option. 1412 PR 13986 and PR 16139 [Nick Kew] 1413 1414 *) mod_rewrite: Add option to suppress URL unescaping 1415 PR 34602 [Guenther Gsenger <guenther.gsenger gmail.com>] 1416 1417 *) mpm_winnt: Eliminate wait_for_many_objects. 
Allows the clean 1418 shutdown of the server when the MaxClients is higher then 257, 1419 in a more responsive manner [Mladen Turk, William Rowe] 1420 1421 *) mod_proxy_http: Remove Warning headers with wrong date 1422 PR 16138 [Nick Kew] 1423 1424 *) mod_proxy_http: Correctly parse all Connection headers in proxy. 1425 PR 43509 [Nick Kew] 1426 1427 *) mod_proxy_http: add Via header correctly (if enabled) to 1428 response, even where other Via headers exist. 1429 PR 19439 [Nick Kew] 1430 1431 *) http_core: OPTIONS * no longer maps to local storage or URI 1432 space. Note that unlike previous versions, OPTIONS * no 1433 longer returns an Allow: header. PR 43519 [Jim Jagielski] 1434 1435 *) mod_proxy_http: strip hop-by-hop response headers 1436 PR 43455 [Nick Kew] 1437 1438 *) mod_proxy: Don't by default violate RFC2616 by setting 1439 Max-Forwards when the client didn't send it to us. 1440 Leave that as a configuration option. 1441 PR 16137 [Nick Kew] 1442 1443 *) scoreboard: improve error message on apr_shm_create failure 1444 PR 40037 [Nick Kew] 1445 1446 *) proxy: Fix persistent backend connections. 1447 PR 43472 [Ruediger Pluem] 1448 1449 *) mod_deflate: initialise inflate-out filter correctly when the 1450 first brigade contains no data buckets. 1451 PR 43512 [Nick Kew] 1452 1453 *) mod_proxy_ajp: Ignore any ajp13 flush packets received before 1454 we send the response headers. See Tomcat PR 43478. 1455 [Jim Jagielski] 1456 1457 *) mod_proxy_balancer: Do not reset lbstatus, lbfactor and lbset when 1458 starting a new child. 1459 PR 39907 [Vinicius Petrucci <vpetrucci gmail.com>, Ruediger Pluem] 1460 1461 *) mod_proxy_http: Propagate Proxy-Authorization header correctly. 1462 PR 25947 [Nick Kew] 1463 1464 *) mod_proxy_ajp: Differentiate within AJP between GET and HEAD 1465 requests. PR 43060 [Jim Jagielski] 1466 1467 *) Don't send spurious "100 Continue" response lines. 
     PR 38014 [Basant Kumar Kukreja <basant.kukreja sun.com>]

  *) mod_proxy_ftp: Don't segfault on bad line in FTP listing.
     PR 40733 [Ulf Harnhammar <metaur telia.com>]

  *) mod_proxy: escape error-notes correctly.
     PR 40952 [Thijs Kinkhorst <thijs debian.org>]

  *) mod_proxy: check ProxyBlock for all blocked addresses.
     PR 36987 [Timo Viipuri <timo.viipuri f-secure.com>]

  *) mod_proxy: Don't lose bytes when a response line arrives in small chunks.
     PR 40894 [Andrew Rucker Jones <arjones simultan.dyndns.org>]

Changes with Apache 2.2.6

  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
     mod_proxy: Prevent reading past the end of a buffer when parsing
     date-related headers. PR 41144.
     [Davi Arnaut, Nick Kew]

  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
     mod_cache: Prevent a segmentation fault if attributes are listed in a
     Cache-Control header without any value.
     [Niklas Edmundsson <nikke acc.umu.se>]

  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
     prefork, worker, event MPMs: Ensure that the parent process cannot
     be forced to kill processes outside its process group.
     [Joe Orton, Jim Jagielski]

  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
     mod_status: Fix a possible XSS attack against a site with a public
     server-status page and ExtendedStatus enabled, for browsers which
     perform charset "detection". Reported by Stefan Esser. [Joe Orton]

  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
     mod_mem_cache: Copy headers into longer lived storage; header names and
     values could previously point to cleaned up storage. PR 41551.
     [Davi Arnaut <davi haxent.com.br>]

  *) mod_info: mod_info outputs invalid XHTML 1.0 transitional.
     PR 42847 [Rici Lake <rici ricilake.net>]

  *) mod_ssl: Fix spurious hostname mismatch warning for valid
     wildcard certificates. PR 37911.
     [Nick Burch <nick torchbox.com>]

  *) mod_mem_cache: Increase the minimum and default value for
     MCacheMinObjectSize from 0 to 1, as a MCacheMinObjectSize of 0 does not
     make sense and leads to a division by zero. PR 40576.
     [Xuekun Hu <xuekun.hu gmail.com>]

  *) mod_cache: Remove expired content from cache that cannot be revalidated.
     PR 30370. [Ruediger Pluem]

  *) mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as synonymous.
     PR 43183 [Brian Rectanus <Brian.Rectanus breach.com>, Vincent Bray]

  *) mod_proxy: Ensure that at least scheme://hostname[:port] matches between
     worker and URL when searching for the best fitting worker for a given
     URL. PR 40910 [Ruediger Pluem]

  *) mod_proxy: Improve network performance by setting APR_TCP_NODELAY
     (disable Nagle algorithm) on sockets if implemented.
     PR 42871 [Christian BOITEL <christian_boitel yahoo.fr>, Jim Jagielski]

  *) core: Do not replace a Date header set by a proxied backend server.
     PR 40232 [Ruediger Pluem]

  *) mod_proxy: Add a missing assignment in an error checking code path.
     PR 40865 [Andrew Rucker Jones <arjones simultan.dyndns.org>]

  *) mod_proxy_connect: avoid segfault on DNS lookup failure.
     PR 40756 [Trevin Beattie <tbeattie boingo.com>]

  *) mod_proxy: enable Ignore Errors option on ProxyPass Status.
     PR 43167 [Francisco Gimeno <kikov kikov.org>]

  *) mod_proxy_http: Don't try to read body of a HEAD request before
     responding. PR 41644 [Stuart Children <stuart terminus.co.uk>]

  *) mod_authnz_ldap: Don't return HTTP_UNAUTHORIZED during authorization when
     LDAP authentication is configured but we haven't seen any
     'Require ldap-*' directives, allowing authorization to be passed to lower
     level modules (e.g.
     Require valid-user).
     PR 43281 [Eric Covener]

  *) mod_proxy: don't URLencode tilde in path component.
     PR 38448 [Stijn Hoop <stijn sandcat.nl>]

  *) proxy/ajp_header.c: Fixed header token string comparisons.
     Matching of header tokens failed to include the trailing NUL byte
     and could misinterpret a longer header token as a shorter one.
     Additionally, the "Content-Type" comparison was made case insensitive.
     [Martin Kraemer]

  *) proxy/ajp_header.c: Backport of an AJP protocol fix for EBCDIC.
     On EBCDIC machines, the status_line string was incorrectly converted
     twice. [Jean-Frederic Clere, Martin Kraemer]

  *) mod_dumpio: Fix for correct dumping of traffic on EBCDIC hosts.
     Data had been incorrectly converted twice, resulting in
     garbled log output. [Martin Kraemer]

  *) mod_autoindex: Add in Type and Charset options to IndexOptions
     directive. This allows the admin to explicitly set the
     content-type and charset of the generated page and is therefore
     a viable workaround for buggy browsers affected by CVE-2007-4465
     (cve.mitre.org). [Jim Jagielski]

  *) log core: ensure we use a special pool for stderr logging, so that
     the stderr channel remains valid from the time plog is destroyed
     until the time the open_logs hook is called again. [William Rowe]

  *) mod_negotiation: preserve Query String in resolving a type map.
     PR 33112 [Jørgen Thomsen <apache jth.net>, Nick Kew]

  *) mod_ssl: Version reporting update; displays 'compiled against'
     Apache and build-time SSL Library versions at loglevel [info],
     while reporting the run-time SSL Library version in the server
     info tags. Helps to identify a mod_ssl built against one flavor
     of OpenSSL but running against another (also adds SSL-C version
     number reporting.)
     [William Rowe]

  *) mime.types: Many updates to sync with IANA registry and common
     unregistered types that the owners refuse to register. Admins
     are encouraged to update their installed mime.types file.
     PR: 35550, 37798, 39317, 31483 [Roy T. Fielding]

  *) mod_expires: don't crash on bad configuration data.
     PR 43213 [Julien Perez <julien.perez epsylonia.net>]

  *) mod_dbd: Introduce configuration groups to allow inheritance by virtual
     hosts of database configurations from the main server. Determine the
     minimal set of distinct configurations and share connection pools
     whenever possible. Allow virtual hosts to override inherited SQL
     statements. PR 41302. [Chris Darroch]

  *) mod_dbd: Create memory sub-pools for each DB connection and close
     DB connections in a pool cleanup function. Ensure prepared statements
     are destroyed before DB connection is closed. When using reslists,
     prevent segfaults when child processes exit, and stop memory leakage
     of ap_dbd_t structures. Avoid use of global s->process->pool, which
     isn't destroyed by exiting child processes in most multi-process MPMs.
     PR 39985. [Chris Darroch, Nick Kew]

  *) mod_dbd: Handle error conditions in dbd_construct() properly.
     Simplify ap_dbd_open() and use correct arguments to apr_dbd_error()
     when non-threaded. Register correct cleanup data in non-threaded
     ap_dbd_acquire() and ap_dbd_cacquire(). Clean up configuration data
     and merge function. Use ap_log_error() wherever possible.
     [Chris Darroch, Nick Kew]

  *) mod_dbd: Stash DBD connections in request_config of initial request
     only, or else sub-requests and internal redirections may cause
     entire DBD pool to be stashed in a single HTTP request. [Chris Darroch]

  *) main core: Emit errors during the initial apr_app_initialize()
     or apr_pool_create() (when apr-based error reporting is not ready).
     [William Rowe, Jeff Trawick]

  *) log core: fix the new piped logger case where we couldn't connect
     the replacement stderr logger's stderr to the NULL stdout stream.
     Continue in this case, since the previous alternative of no error
     logging at all (/dev/null) is far worse. [William Rowe]

  *) mpm_winnt: Prevent the parent-child pipe from leaking into other
     spawned processes, and ensure we have a /Device/null handle for
     stdout when running as-a-service. [William Rowe]

  *) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
     improper merging of the cache lock in vhost config.
     PR 43164 [Eric Covener]

  *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]

  *) mod_deflate: fix protocol handling in deflate input filter.
     PR 23287 [Nick Kew]

  *) mime.types: add Registered Javascript/ECMAScript MIME types (RFC4329).
     PR 40299 [Dave Hodder <dmh dmh.org.uk>]

  *) mod_filter: fix integer comparisons in dispatch rules.
     PR 41835 [Nick Kew]

  *) mod_filter: fix merging of ! and = in FilterChain.
     PR 42186 [Issac Goldstand <margol beamartyr.net>]

  *) mod_deflate: don't try to process metadata buckets as data. What should
     have been a 413 error was logged as a 500 and a blank screen appeared
     at the browser.
     [Greg Ames, Ruediger Pluem]

  *) mod_cgi, mod_cgid: Fix use of CGI scripts as ErrorDocuments.
     PR 39710. [Paul Querna, Ruediger Pluem]

  *) mod_proxy: Allow use of different values for sessionid
     in url encoded id and cookies. PR 41897. [Jean-Frederic Clere]

  *) mod_proxy: Fix the 503 returned when session route does
     not match any of the balancer members. [Mladen Turk]

  *) mod_proxy: Added ProxyPassMatch directive, which is similar
     to ProxyPass but takes a regex local path prefix.
     [Jim Jagielski]

  *) mod_cache: Do not set Date or Expires when they are missing from
     the original response or are invalid. [Justin Erenkrantz]

  *) mod_cache: Correctly handle HEAD requests on expired cache content.
     PR 41230. [Niklas Edmundsson <nikke acc.umu.se>]

  *) mod_cache: Let Cache-Control max-age set the expiration of the cached
     representation if Expires is not set. [Justin Erenkrantz]

  *) mod_cache: Allow caching of requests with query arguments when
     Cache-Control max-age is explicitly specified. [Justin Erenkrantz]

  *) mod_disk_cache: Allow Vary'd responses to be refreshed properly.
     [Justin Erenkrantz]

  *) mod_proxy: Print the correct error message for erroneously configured
     ProxyPass directives. PR 40439. [Takashi Sato <serai lans-tv.com>]

  *) mod_so: Provide more helpful LoadModule feedback when an error occurs.
     [William Rowe]

  *) mod_alias: Accept path components (URL part) in Redirects. PR 35314.
     [Nick Kew]

  *) mod_headers: Allow % at the end of a Header value. PR 36609.
     [Nick Kew, Ruediger Pluem]

  *) mod_cache: Use the same cache key throughout the whole request processing
     to handle escaped URLs correctly. PR 41475. [Ruediger Pluem]

  *) mod_cache: Add CacheIgnoreQueryString directive. PR 41484.
     [Fredrik Widlund <fredrik.widlund qbrick.com>]

  *) mod_cache: While serving a cached entity ensure that filters that have
     been applied to this cached entity before saving it to the cache are not
     applied again. PR 40090. [Ruediger Pluem]

  *) mod_cache: Correctly cache objects whose URL query string has been
     modified by mod_rewrite. PR 40805. [Ruediger Pluem]

  *) HTTP proxy ProxyErrorOverride: Leave 1xx and 3xx responses alone. Only
     processing of error responses (4xx, 5xx) will be altered. PR 39245.
     [Jeff Trawick, Bart van der Schans <schans hippo.nl>]

  *) htdbm: Enable crypt support on platforms with crypt() but not
     <crypt.h>, such as z/OS. [David Jones <oscaremma gmail.com>]

  *) mod_ssl: initialize thread locks before initializing the hardware
     acceleration library, so the latter can make use of the former.
     PR 20951. [<adunn at ncipher.com>]

  *) ab.c: Correct behavior of HTTP request headers sent by ab
     in presence of -H command-line overrides. PR 31268, 26554.
     [Arvind Srinivasan <arvind.srinivasan sun.com>]

  *) ab.c: The apr_port_t type is unsigned, but ab was using a
     signed format code in its reports. PR 42070.
     [Takashi Sato <serai lans-tv.com>]

  *) mod_ldap: Remove the hardcoded size limit parameter for
     ldap_search_ext_s and replace it with an APR_ defined value that
     is set according to the LDAP SDK being used, resolving a problem
     with SDKs that define LDAP_NO_LIMIT to something other than -1.
     [David Jones <oscaremma gmail com>]

  *) core: Correct a regression since 2.0.x in the handling of AllowOverride
     Options. PR 41829. [Torsten Förtsch <torsten.foertsch gmx.net>]

  *) mod_proxy_http: Handle request bodies larger than 2 GB by converting
     the Content-Length header of the request correctly. PR 40883.
     [Ruediger Pluem, toadie <toadie643 gmail.com>]

  *) mod_proxy: Fix some proxy setting inheritance problems (eg:
     ProxyTimeout). PR 11540. [Stuart Children <stuart terminus.co.uk>]

  *) Unix MPMs: Catch SIGFPE so that exception hooks and CoreDumpDirectory
     can work after that terminating signal.
     [Eric Covener]

  *) Win32: Makefile.win will now build with MS VC 8 (Visual Studio 2005)
     including embedding the .manifest information into each binary.
     [William Rowe]

There was no Apache 2.2.5

Changes with Apache 2.2.4

  *) mod_isapi: Correctly present SERVER_PORT_SECURE.
     PR: 40573. [Matt Eaton <asf divinehawk.com>]

  *) Allow htcacheclean, httxt2dbm, and fcgistarter to link apr/apr-util
     statically like the older support programs.
     [Eric Covener <covener gmail.com>]

  *) core: Fix NONBLOCK status of listening sockets on restart/graceful.
     PR 37680. [Darius Davis <darius-abz free-range.com.au>]

  *) mod_deflate: Rework inflate output and deflate output filter to fix
     several issues: Incorrect handling of flush buckets, potential memory
     leaks, excessive memory usage in inflate output filter for large
     compressed content. PR 39854.
     [Ruediger Pluem, Nick Kew, Justin Erenkrantz]

  *) mod_mem_cache: Memory leak fix: Unconditionally free the buffer.
     [Davi Arnaut <davi haxent.com.br>]

  *) Allow mod_dumpio to log at other than DEBUG levels via
     the new DumpIOLogLevel directive. [Jim Jagielski]

  *) rotatelogs: Improve error message for open failures. PR 39487.
     [Joe Orton]

  *) mod_dbd: share per-request database handles across subrequests
     and internal redirects. [Chris Darroch]

  *) mod_dbd: key connection pools to virtual hosts correctly even when
     ServerName is unset/unavailable. [Graham Leggett]

  *) Better detection and clean up of ldap connection that has been
     terminated by the ldap server. PR 40878.
     [Rob Baily <rbaily servicebench com>]

  *) mod_mem_cache: Convert mod_mem_cache to use APR memory pool functions
     by creating a root pool for object persistence across requests. This
     also eliminates the need for custom serialization code.
     [Davi Arnaut <davi haxent.com.br>]

  *) mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive.
     If set, REMOTE_USER will be set to this attribute, rather than the
     username supplied by the user. Useful for example when you want users
     to log in using an email address, but need to supply a userid instead
     to the backend. [Graham Leggett]

  *) mod_cgi and mod_cgid: Don't use apr_status_t error return
     from input filters as HTTP return value from the handler.
     PR 31759. [Nick Kew]

  *) mod_cache: Eliminate a bogus error in the log when a filter returns
     AP_FILTER_ERROR. [Niklas Edmundsson <nikke acc.umu.se>]

  *) core: Fix issue which could cause piped loggers to be orphaned and never
     terminate after a graceful restart. PR 40651.
     [Joe Orton, Ruediger Pluem]

  *) core: Fix address-in-use startup failure caused by corruption of the list
     of listen sockets in some configurations with multiple generic Listen
     directives. [Jeff Trawick]

  *) mod_headers: Support regexp-based editing of HTTP headers. [Nick Kew]

  *) mod_proxy: Add explicit flushing feature. When Servlet container sends
     AJP body message with size 0, this means that Servlet container has asked
     for an explicit flush. Create flush bucket in that case. This feature has
     been added to the recent Tomcat versions without breaking the AJP
     protocol. [Mladen Turk]

  *) mod_proxy_balancer: Set the new environment variable
     BALANCER_ROUTE_CHANGED if a worker with a route different from the one
     supplied by the client had been chosen or if the client supplied no
     routing information for a balancer with sticky sessions.
     [Ruediger Pluem]

  *) mod_proxy_balancer: Add information about the route, the sticky session
     and the worker used during a request as environment variables. PR 39806.
     [Brian <brectanu gmail.com>]

  *) mod_proxy: Don't try to use dead backend connection. PR 37770.
     [Olivier BOEL <ob dorrboel.com>]

  *) mod_proxy_balancer: Extract stickysession routing information contained
     as parameter in the URL correctly. PR 40400.
     [Ruediger Pluem, Tomokazu Harada <harada sysrdc.ns-sol.co.jp>]

  *) mod_proxy_ajp: Added cping/cpong support for the AJP protocol.
     A new worker directive ping=timeout will cause a CPING packet
     to be sent, expecting a CPONG packet within the defined timeout.
     In case the backend is too busy this will fail instead of
     sending the full header. [Mladen Turk]

  *) mod_disk_cache: Make sure that only positive integers are accepted
     for the CacheMaxFileSize and CacheMinFileSize parameters in the
     config file. PR 39380. [Niklas Edmundsson <nikke acc.umu.se>]

  *) mod_cache: From RFC3986 (section 6.2.3.) if a URI contains an
     authority component and an empty path, the empty path is to be equivalent
     to "/". It explicitly cites the following four URIs as equivalents:
       http://example.com
       http://example.com/
       http://example.com:/
       http://example.com:80/
     [Davi Arnaut <davi haxent.com.br>]

  *) mod_cache: Don't cache requests with an expires date in the past;
     otherwise mod_cache will always try to cache the URL. This bug
     might lead to numerous rename() errors on win32 if the URL was
     previously cached. [Davi Arnaut <davi haxent.com.br>]

  *) core: Deal with the widespread use of apr_status_t return values
     as HTTP status codes, as documented in PR#31759 (a bug shared by
     the default handler, mod_cgi, mod_cgid, mod_proxy, and probably
     others). PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]

  *) mod_ext_filter: Handle filter names which include capital letters.
     PR 40323. [Jeff Trawick]

  *) mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH
     support. Also corrects the slashes for Windows.
     PR 15993.
     [William Rowe]

  *) mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly; the
     token parser worked while the resulting length was misinterpreted.
     PR 29098. [Brock Bland <bbland serena.com>]

  *) mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade
     attempts to stream the response at the client. Log these as well.
     PR 30022, 40470. [William Rowe, Matt Eaton <asf divinehawk.com>]

  *) mod_isapi: Ensure we walk through all the methods the developer may have
     employed to report their HTTP status result code. PR 16637, 30033, 28089.
     [Matt Lewandowsky <matt iamcode.net>, William Rowe]

  *) mod_echo: Fix precedence problem in if statement. PR 40658.
     [Larry Cipriani <lvc lucent.com>]

  *) mod_mime_magic: Fix precedence problem in if statement. PR 40656.
     [Larry Cipriani <lvc lucent.com>]

  *) The full server version information is now included in the error log at
     startup as well as server status reports, irrespective of the setting
     of the ServerTokens directive. ap_get_server_version() is now
     deprecated, and is replaced by ap_get_server_banner() and
     ap_get_server_description(). [Jeff Trawick]

  *) mod_proxy_balancer: Workers can now be defined as part of
     a balancer cluster "set" in which members of a lower-numbered set
     are preferred over higher-numbered ones. [Jim Jagielski]

  *) mod_proxy_balancer: Workers can now be defined as "hot standby" which
     will only be used if all other workers are unusable (eg: in
     error or disabled). Also, the balancer-manager displays the election
     count and I/O counts of all workers. [Jim Jagielski]

  *) mod_proxy_ajp: Close connection to backend if reading of request body
     fails. PR 40310.
     [Ian Abel <ianabel mxtelecom.com>]

  *) mod_proxy_balancer: Retry worker chosen by route / redirect worker if
     it is in error state before sending "Service Temporarily Unavailable".
     PR 38962. [Christian Boitel <cboitel lfdj.com>]

Changes with Apache 2.2.3

  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
     handling. For some RewriteRules this could lead to a pointer being
     written out of bounds. Reported by Mark Dowd of McAfee.
     [Mark Cox]

  *) Win32: Minor fixes to build more cleanly under Visual Studio 2005
     with command line builds. [William Rowe]

  *) mod_authn_alias: Add a check to make sure that the base provider and the
     alias names are different and also that the alias has not been registered
     before. PR 40051. [Brad Nicholes]

  *) mod_authnz_ldap: Fix a problem with invalid auth error detection for LDAP
     client SDKs that don't support the LDAP_SECURITY_ERROR macro. PR 39529.
     [Ray Price <dohrayme yahoo.com>, Josh Fenlason <jfenlason ptc.com>]

  *) mod_cache: Do not overwrite the Content-Type in the cache, for
     successfully revalidated cached objects. PR 39647. [Ruediger Pluem]

  *) mod_speling: Add directive to deal with case corrections only
     and ignore other misspellings. [Olivier Thereaux <ot w3.org>]

  *) mod_dbd: Fix dependence on virtualhost configuration in
     defining prepared statements (possible segfault at startup
     in user modules such as mod_authn_dbd). [Nick Kew]

  *) Add optional 'scheme://' prefix to ServerName directive,
     allowing correct determination of the canonical server URL
     for use behind a proxy or offload device handling SSL; fixing
     redirect generation in those cases. PR 33398. [Sander Temme]

  *) Added server_scheme field to server_rec for above. Minor MMN bump.
     [Sander Temme]

  *) mod_cache: Make caching of reverse SSL proxies possible again. PR 39593.
     [Ruediger Pluem, Joe Orton]

  *) Worker MPM: On graceless shutdown or restart, send signals to
     each worker thread to wake them up if they're polling on a
     Keep-Alive connection. PR 38737. [Chris Darroch]

  *) worker and event MPMs: fix excessive forking if fork() or child_init
     take a long time. PR 39275.
     [Greg Ames, Jeff Trawick, Chris Darroch <chrisd pearsoncmg.com>]

  *) configure: Add "--with-included-apr" flag to force use of the
     bundled version of APR at build time. [Joe Orton]

  *) Respect GracefulShutdownTimeout in the worker and event MPMs.
     [Chris Darroch, Garrett Rooney]

  *) mod_mem_cache: Set content type correctly when delivering data from
     cache. PR 39266. [Ruediger Pluem]

  *) mod_autoindex: Fix filename escaping with FancyIndexing disabled.
     PR 38910. [Robby Griffin <rmg terc.edu>]

  *) mod_charset_lite: Bypass translation when the source and dest charsets
     are the same. [Jeff Trawick]

Changes with Apache 2.2.2

  *) mod_deflate: work correctly in an internal redirect.
     [Brian J. France <list firehawksystems com>]

  *) mod_proxy_balancer: Initialize members of a balancer correctly.
     PR 38227. [James A. Robinson <jim.robinson stanford.edu>]

  *) mod_proxy: Do not release connections from connection pool twice.
     PR 38793. [Ruediger Pluem, matthias <mk-asf gigacodes.de>]

  *) core: Prevent reading uninitialized memory while reading a line of
     protocol input. PR 39282. [Davi Arnaut <davi haxent com br>]

  *) mod_dbd: Update defaults, improve error reporting.
     [Chris Darroch <chrisd pearsoncmg com>, Nick Kew]

  *) mod_dbd: Create own pool and mutex to avoid problematic use of the
     process pool in request processing.
     [Chris Darroch <chrisd pearsoncmg com>]

  *) HTML-escape the Expect error message. Not classed as security as
     an attacker has no way to influence the Expect header a victim will
     send to a target site. Reported by Thiago Zaninotti
     <thiango nstalker.com>. [Mark Cox]

  *) htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
     [Jeff Trawick]

  *) htdbm: Warn the user when adding a plaintext password on a platform
     where it wouldn't work with the server (i.e., anywhere that has
     crypt()). [Jeff Trawick]

  *) mod_proxy: don't reuse a connection that may be to the wrong backend.
     PR 39253 [Ruediger Pluem]

  *) Default handler: Don't return output filter apr_status_t values.
     PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]

Changes with Apache 2.2.1

  *) SECURITY: CVE-2005-3357 (cve.mitre.org)
     mod_ssl: Fix a possible crash during access control checks if a
     non-SSL request is processed for an SSL vhost (such as the
     "HTTP request received on SSL port" error message when a 400
     ErrorDocument is configured, or if using "SSLEngine optional").
     PR 37791. [Rüdiger Plüm, Joe Orton]

  *) SECURITY: CVE-2005-3352 (cve.mitre.org)
     mod_imagemap: Escape untrusted referer header before outputting
     in HTML to avoid potential cross-site scripting. Change also
     made to ap_escape_html so we escape quotes. Reported by JPCERT.
     [Mark Cox]

  *) mod_proxy_ajp: Flushing of the output after each AJP chunk is now
     configurable at runtime via the 'flushpackets' and 'flushwait' worker
     params. Minor MMN bump. [Jim Jagielski]

  *) mod_proxy: Fix incorrect usage of local and shared worker init.
     PR 38403. [Jim Jagielski]

  *) mod_isapi: Fix compiler errors on Unix platforms.
     [William Rowe]

  *) mod_proxy_http: Do send keep-alive header if the client sent
     connection: keep-alive and do not close backend connection if the client
     sent connection: close. PR 38524. [Ruediger Pluem, Joe Orton]

  *) mod_disk_cache: Return the correct error codes from bucket read
     failures, instead of APR_EGENERAL.
     [Brian Akins <brian.akins turner.com>]

  *) Add APR/APR-Util Compiled and Runtime Version numbers to the
     output of 'httpd -V'. [William Rowe]

  *) http: If a connection is aborted while waiting for a chunked line,
     flag the connection as errored out. [Justin Erenkrantz]

  *) core: Reject invalid Expect header immediately. PR 38123.
     [Ruediger Pluem]

  *) Fix mis-shifted 32 bit scope, masked to 64 bits as a method.
     [Will Rowe, Joe Orton]

  *) mod_proxy: Fix KeepAlives not being allowed and set to
     backend servers. PR 38602. [Ruediger Pluem, Jim Jagielski]

  *) Fix instdso.sh "sed syntax error" installation issue on some
     platforms. PR 38108. [Masaoki Kobayashi <masaoki techfirm.co.jp>]

  *) mod_ssl: Fix possible crashes in shmcb with gcc 4 on platforms
     requiring word-aligned pointers. PR 38838. [Joe Orton]

  *) mod_proxy: If we get an error reading the upstream response,
     close the connection. [Justin Erenkrantz, Roy T. Fielding,
     Jim Jagielski, Ruediger Pluem]

  *) mod_proxy_ajp: Support common headers of the AJP protocol in responses.
     PR 38340. [Aleksey Pesternikov <apesternikov yahoo.com>]

  *) mod_proxy_balancer: Do not overwrite the status of initialized workers
     and respect the configured status of uninitialized workers when creating
     a new child process.
     [Ruediger Pluem]

  *) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of
     the ajp message to prevent mod_proxy_ajp from reading beyond the buffer
     boundaries and thus revealing possibly sensitive memory contents to the
     client. [Ruediger Pluem]

  *) Ensure that the proper status line is written to the client, fixing
     incorrect status lines caused by filters which modify r->status without
     resetting r->status_line, such as the built-in byterange filter.
     [Jeff Trawick]

  *) mod_speling: Stop crashing with certain non-file requests.
     [Jeff Trawick]

  *) mod_cache: Make caching of reverse proxies possible again. PR 38017.
     [Ruediger Pluem]

  *) Modify apr[util] .h detection to avoid breakage on VPATH builds
     using Solaris make (among others) and avoid breakage in ./buildconf
     when srclib/apr[-util] are symlinks rather than directories proper.
     [William Rowe]

  *) Avoid Server-driven negotiation when a script has emitted an
     explicit Status: header. PR 38070. [Nick Kew]

  *) Fix to avoid feeding C99 to C++ compilers. [Joe Orton]

  *) Chunk filter: Fix chunk filter to create correct chunks in the case that
     a flush bucket is surrounded by data buckets. [Ruediger Pluem]

  *) Fix syntax error in httpd.h with strict compilers. PR 37840.
     [Per Olausson <pao darkheim.freeserve.co.uk>]

  *) Fix recursive ErrorDocument handling. PR 36090.
     [Chris Darroch <chrisd pearsoncmg.com>]

  *) Don't hang on error return from post_read_request. PR 37790.
     [Nick Kew]

  *) Fix off-by-one error in proxy_balancer. PR 37753.
     [Kazuhiro Osawa <ko yappo ne jp>]

Changes with Apache 2.2.0

  *) mod_negotiation: Minor performance tweak by reusing already calculated
     strlen.
     [Ruediger Pluem, Christophe Jaillet <christophe.jaillet wanadoo.fr>]

  *) Remove support for 'On' and 'Off' for AuthBasicProvider and
     AuthDigestProvider. [Joshua Slive, Justin Erenkrantz]

  *) Add in new UseCanonicalPhysicalPort directive, which controls
     whether or not Apache will ever use the actual physical port
     when constructing the canonical port number. [Jim Jagielski]

  *) mod_dav: Fix a null pointer dereference in an error code path during the
     handling of MKCOL.
     [Ruediger Pluem, Ghassan Misherghi <ghassanm ucdavis.edu>]

  *) mod_proxy_balancer: When finding best worker, use case insensitive
     match for scheme and host, but case sensitive for the rest of
     the path. [Jim Jagielski, Ruediger Pluem]

  *) Require use of APR >= 1.2.0 and APR-util >= 1.2.0 when configured
     to use external copies of the libraries. [Joe Orton]

  *) Fix DESTDIR=... installation when using bundled copy of APR.
     [Torsten Foertsch <torsten.foertsch gmx.net>]

  *) mod_dav: Fix handling of unknown state tokens in If: headers.
     PR: 37288. [Joe Orton]

  *) Strip out Experimental MPMs that have gone nowhere since 2.0
     (perchild, threadpool, leader). [Nick Kew]

Changes with Apache 2.1.9

  *) Add mod_authn_dbd (SQL-based authentication). [Nick Kew]

  *) mod_proxy_ajp: Do not spool the entire response from AJP backend before
     sending it up the filter chain. PR 37100. [Ruediger Pluem]

  *) mod_cache: Create new filters CACHE_OUT_SUBREQ / CACHE_SAVE_SUBREQ which
     only differ by the type from CACHE_OUT / CACHE_SAVE to ensure that
     subrequests to non-local resources work again. [Ruediger Pluem]

  *) mod_proxy: Do not lowercase the entire worker name of a BalancerMember
     since this breaks case sensitive URIs. PR 36906. [Ruediger Pluem]

  *) core: AddOutputFilterByType is ignored for proxied requests. PR 31226.
2178 [Joe Orton, Ruediger Pluem] 2179 2180 *) mod_proxy_http: Prevent data corruption of POST request bodies when 2181 client accesses proxied resources with SSL. PR 37145. 2182 [Ruediger Pluem, William Rowe] 2183 2184 *) mod_ssl: Fix issue which could cause spurious warnings about use 2185 of name-based vhosts. PR 37051. [Joe Orton] 2186 2187 *) ab: Fix to ensure that only the expected number of requests are run. 2188 PR 36966. [Joe Orton] 2189 2190 *) mod_proxy_balancer: BalancerManager and proxies correctly handle 2191 member workers with paths. PR 36816. [Ruediger Pluem, Jim Jagielski] 2192 2193 *) mod_log_config: %{hextid}P will log the thread id in hex with APR 2194 versions 1.2.0 or higher. [Jeff Trawick] 2195 2196 *) httpd.exe/apachectl -V: display the DYNAMIC_MODULE_LIMIT setting, as 2197 in 1.3. [Jeff Trawick] 2198 2199 *) Support dbd connection tied to conn_rec in mod_dbd. [Nick Kew] 2200 2201 *) Fix use of pools in mod_dbd. [Brian J France, Nick Kew] 2202 2203 *) Promote modules from "experimental": mod_dbd, mod_filter, 2204 mod_charset_lite. [Nick Kew] 2205 2206 *) mod_proxy_ajp: mod_proxy_ajp sends empty SSL attributes for non SSL 2207 connections. PR 36883. 2208 [William Barker <william.barker wilshire.com>, Ruediger Pluem] 2209 2210 *) Eliminated the NET_TIME filter, restructuring the timeout logic. 2211 This provides a working mod_echo on all platforms, and ensures any 2212 custom protocol module is at least given an initial timeout value 2213 based on the <VirtualHost > context's Timeout directive. 2214 [William Rowe] 2215 2216 *) mod_proxy: Run the request_status hook also if there are no free workers 2217 or all workers are in error state. 2218 [Ruediger Pluem, Brian Akins <brian.akins turner.com>] 2219 2220 *) mod_proxy_connect: Fix high CPU loop on systems like UnixWare which 2221 trigger POLL_ERR or POLL_HUP on a terminated connection. PR 36951. 
2222 [Jeff Trawick, Ruediger Pluem] 2223 2224 *) mod_proxy_balancer: Fix handling of sticky sessions with Tomcat. 2225 PR 36507. [Ruediger Pluem] 2226 2227 *) SECURITY: CVE-2005-2970 (cve.mitre.org) 2228 worker MPM: Fix a memory leak which can occur after an aborted 2229 connection in some limited circumstances. [Greg Ames] 2230 2231 *) Doxygen fixups. [Neale Ranns <neale ranns.org>, Ian Holsman] 2232 2233 *) mod_cache/mod_dir: Correct a subrequest lookup bug which was preventing 2234 mod_dir from serving indexes correctly with mod_cache enabled. 2235 [Colm MacCarthaigh] 2236 2237Changes with Apache 2.1.8 2238 2239 *) Fix lingering close implementation to match 1.3.x behaviour. 2240 PR 35292. [Joe Orton] 2241 2242 *) mod_ssl: Support limited buffering of request bodies to allow 2243 per-location renegotiation to proceed. PR 12355. [Joe Orton] 2244 2245 *) Fix regression since 2.0.x in AllowOverride Options handling. 2246 PR 35330. [kabe <kabe sra-tohoku.co.jp>] 2247 2248 *) mod_ssl: Fix memory leak in ssl_util_algotypeof(). 2249 PR 25659. [David Blake <dblake hp com>, Martin Kraemer] 2250 2251 *) prefork, worker and event MPMs: Support a graceful-stop procedure: 2252 Server will wait until existing requests are finished or until 2253 "GracefulShutdownTimeout" number of seconds before exiting. 2254 [Colm MacCarthaigh, Ken Coar, Bill Stoddard] 2255 2256 *) prefork, worker and event MPMs: Prevent children from holding open 2257 listening ports upon graceful restart or stop. PR 28167. 2258 [Colm MacCarthaigh, Brian Pinkerton <bp thinkpink.com>] 2259 2260 *) SECURITY: CVE-2005-2700 (cve.mitre.org) 2261 mod_ssl: Fix a security issue where "SSLVerifyClient" was not 2262 enforced in per-location context if "SSLVerifyClient optional" 2263 was configured in the vhost configuration. [Joe Orton] 2264 2265 *) mod_ssl: Catch parse errors from misconfigured or malformed 2266 CRLs. PR 36438. 
[Joe Orton] 2267 2268 *) mod_proxy/mod_proxy_balancer: lbmethods now implemented as 2269 providers. Prevent problems when no Vhost containers were 2270 configured with proxy balancers. [Jim Jagielski] 2271 2272 *) New provider function to list all available provider names in a 2273 specific group and version (ap_list_provider_names). [Jim Jagielski] 2274 2275 *) mod_cache: Enhance CacheEnable/CacheDisable to control caching on a 2276 per-protocol, per-host and per-path basis. Intended for proxy 2277 configurations. [Colm MacCarthaigh] 2278 2279 *) mod_disk_cache: Canonicalise the storage key, for improved hit/miss 2280 ratio. [Colm MacCarthaigh] 2281 2282 *) mod_cgid: Append .PID to the script socket filename and remove the 2283 script socket on exit. [Colm MacCarthaigh, Jim Jagielski] 2284 2285 *) mod_cgid: run the get_suexec_identity hook within the request-handler 2286 instead of within cgid. PR 36410. [Colm MacCarthaigh] 2287 2288 *) Linux 2.0: remove support for threaded MPM's due to linuxthreads use 2289 of SIGUSR1 clashing with graceful restart signal. [Colm MacCarthaigh] 2290 2291Changes with Apache 2.1.7 2292 2293 *) SECURITY: CVE-2005-2491 (cve.mitre.org): 2294 Fix integer overflows in PCRE in quantifier parsing which could 2295 be triggered by a local user through use of a carefully-crafted 2296 regex in an .htaccess file. [Philip Hazel] 2297 2298 *) mod_proxy/mod_proxy_balancer: Provide a simple, functional 2299 interface to add additional balancer lb selection methods 2300 without requiring code changes to mod_proxy/mod_proxy_balancer; 2301 these can be implemented via sub-modules now. [Jim Jagielski] 2302 2303 *) mod_cache: Fix incorrectly served 304 responses when expired cache 2304 entity is valid, but cache is unwritable and headers cannot be 2305 updated. [Colm MacCarthaigh <colm stdlib.net>] 2306 2307 *) mod_cache: Remove entities from the cache when re-validation 2308 receives a 404 or other content-no-longer-present error. 
2309 [Rüdiger Plüm ruediger.pluem vodafone.com] 2310 2311 *) mod_disk_cache: Properly remove files from cache when needed. 2312 [Rüdiger Plüm ruediger.pluem vodafone.com] 2313 2314 *) mod_disk_cache: Support htcacheclean removing directories. 2315 [Andreas Steinmetz] 2316 2317 *) htcacheclean: Add -t option to remove empty directories. 2318 [Colm MacCarthaigh <colm stdlib.net>] 2319 2320 *) Remove the base href tag from mod_proxy_ftp, as it breaks relative 2321 links for clients not using an Authorization header. [Graham Leggett, 2322 Jon Snow <jsnow27 gatesec.net>] 2323 2324 *) mod_cache: Restore the HTTP status of cached responses. 2325 [Hansjoerg Pehofer <hansjoerg.pehofer uibk.ac.at>] 2326 2327 *) mod_cache: Store varied contents all in the same prefix for a varied URI. 2328 [Paul Querna] 2329 2330 *) mod_cache: Run the CACHE_SAVE and CACHE_OUT Filters after other content 2331 filters. [Paul Querna] 2332 2333 *) mod_negotiation: Correctly report 404 instead of 403 for missing files. 2334 [Paul Querna] 2335 2336 *) new hook (request_status) that gets ran in proxy_handler just before 2337 the final return. This gives modules an opportunity to do something 2338 based on the proxy status. (minor MMN bump) 2339 [Brian Akins <bakins turner.com>, Ian Holsman] 2340 2341 *) Add additional SSLSessionCache option, 'nonenotnull', which is 2342 similar to 'none' (disabling any external shared cache) but forces 2343 OpenSSL to provide a non-null session ID. [Jim Jagielski] 2344 2345 *) Add httxt2dbm to support/ for creating RewriteMap DBM Files. 2346 [Paul Querna] 2347 2348 *) Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note 2349 the negotiated compression. [Georg v. Zezschwitz <gvz 2scale.de>] 2350 2351 *) Fixed complaints about unpackaged files within the RPM build 2352 after changes to the config files. [Graham Leggett] 2353 2354 *) Fix shutdown for the Worker MPM when an Accept Filter is used. 
Instead of 2355 just closing the socket, a HTTP request is made, to make sure the child is 2356 always awakened. [Paul Querna] 2357 2358Changes with Apache 2.1.6 2359 2360 *) Fix htdbm password validation for records which included comments. 2361 [Eric Covener <covener gmail.com>] 2362 2363 *) mod_cgid: Fix buffer overflow processing ScriptSock directive. 2364 [Steve Kemp <steve steve.org.uk>] 2365 2366Changes with Apache 2.1.5 2367 2368 *) mod_ssl: Setting the Protocol to 'https' can replace the use of the 2369 'SSLEngine on' command. [Paul Querna] 2370 2371 *) core: Refactor the mapping of Accept Filters to Sockets. Add the 2372 AcceptFilter and Protocol directives to aid in mapping filter types. 2373 Extend the Listen directive to optionally take a protocol name. 2374 [Paul Querna] 2375 2376 *) mod_disk_cache: Support storing multiple variations of one URL. PR 35211. 2377 [Paul Querna] 2378 2379 *) mod_disk_cache: Atomically create the header data file. [Paul Querna] 2380 2381 *) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125. 2382 [Paul Querna] 2383 2384 *) mod_cache: Rename 'generate_name' to 'ap_cache_generate_name'. 2385 [Paul Querna] 2386 2387 *) mod_mime_magic: Handle CRLF-format magic files so that it works with 2388 the default installation on Windows. [Jeff Trawick] 2389 2390 *) core: Allow multiple modules to register interest in a single 2391 configuration command. [Paul Querna] 2392 2393 *) authn_provider_alias: Adds the configuration block tag 2394 <AuthnProviderAlias baseProvider Alias> 2395 Authentication directives contained within this block can be 2396 referenced as a new authProvider using the AuthBasicProvider or 2397 AuthDigestProvider directive. These directives will be merged in to 2398 the per_dir configuration just before the base provider is called. 2399 [Brad Nicholes] 2400 2401 *) ap_getword_conf: Fix backslashes at the end of configuration directives. 2402 PR 34834. 
[Timo Viipuri <viipuri dlc.fi>] 2403 2404 *) mod_dbd: New additions: mod_dbd.c, mod_dbd.h, mod_dbd.xml 2405 Provide module hooks for apr_dbd; optimise for httpd 2406 threaded and non-threaded arch [Nick Kew] 2407 2408 *) ab: SSL support rewritten, improved, and enabled if SSL is enabled 2409 during the build; -f and -Z arguments added to specify SSL protocol 2410 options. [Masaoki Kobayashi <masaoki techfirm.co.jp>] 2411 2412 *) mod_info: Show the Quick Handler [Paul Querna] 2413 2414 *) mod_ldap: Add the directive LDAPVerifyServerCert to specify 2415 whether to force verification of the server certificate when 2416 establishing an SSL connection to the LDAP server. 2417 [Brad Nicholes] 2418 2419 *) mod_proxy: Run mod_rewrite before mod_proxy in the translate_name 2420 hook. [Paul Querna] 2421 2422 *) Add AP_INIT_TAKE_ARGV for configuration commands. (minor MMN bump) 2423 [Paul Querna] 2424 2425 *) ap_get_local_host() rewritten for APR. [Jim Jagielski] 2426 2427 *) Add the ap_vhost_iterate_given_conn function to expose the information 2428 used in Name Based Virtual Hosting. (minor MMN bump) 2429 [Paul Querna] 2430 2431 *) Remove the never working ap_method_list_do and ap_method_list_vdo. 2432 [Paul Querna] 2433 2434 *) Added makefile and doc for building mod_ssl on the NetWare 2435 platform. [Guenter Knauf, Brad Nicholes] 2436 2437 *) mod_deflate: Merge the Vary header, isntead of Setting it. Fixes 2438 applications that send the Vary Header themselves, and also apply 2439 mod_deflate as an output filter. [Paul Querna] 2440 2441 *) Change the default (when not present in the config file) setting 2442 for UseCanonicalName to Off. 2443 [Joshua Slive] 2444 2445 *) mod_userdir: The module no longer does any remapping unless the 2446 UserDir directive is present in the config file. 2447 [Joshua Slive] 2448 2449 *) Massively simplify the distributed httpd.conf by removing 2450 many features and many directives that are at their default 2451 setting. 
Add a selection of example config excerpts for adding 2452 extra features in the conf/extra/ directory. Install the 2453 distributed config and the extra config examples in the 2454 conf/original/ directory during make install. 2455 [Joshua Slive, Justin Erenkrantz] 2456 2457 *) NetWare: Reposition mod_asis, mod_actions, mod_cgi, mod_imagemap, 2458 mod_userdir and mod_autoindex as shared modules rather than 2459 built-in modules within the NetWare build. 2460 [Brad Nicholes] 2461 2462 *) Rename mod_imap to mod_imagemap. 2463 [Paul Querna] 2464 2465 *) util_ldap: Eliminate the load ordering of mod_ldap and mod_authnz_ldap 2466 by changing the mod_ldap exported functions to optional functions. 2467 [Brad Nicholes] 2468 2469Changes with Apache 2.1.4 2470 2471 *) Don't let a subrequest inherit headers describing the original request's 2472 body. [Greg Ames] 2473 2474 *) Fix Windows CompContext buff size miscalculation 2475 [Allan Edwards] 2476 2477 *) Add ReceiveBufferSize directive to control the TCP receive buffer. 2478 [Eric Covener <covener gmail.com>] 2479 2480 *) mod_proxy: Add proxy-sendextracrlf option to send an extra CRLF at the 2481 end of the request body to work with really old HTTP servers. 2482 [Justin Erenkrantz] 2483 2484 *) util_ldap: Keep track of the number of attributes retrieved from 2485 LDAP so that all the values can be properly cached even if the 2486 value is NULL. PR 33901 [Brad Nicholes] 2487 2488 *) mod_cache: Fix error where incoming Cache-Control would be ignored. 2489 [Justin Erenkrantz] 2490 2491 *) mod_cache: Correctly handle originally conditional requests. 2492 [Sander Striker] 2493 2494 *) mod_disk_cache: Correctly update cached headers on revalidated responses. 2495 [Sander Striker, Justin Erenkrantz] 2496 2497 *) worker MPM/mod_status: Support per-worker tracking of pid and 2498 generation in the scoreboard so that mod_status can accurately 2499 represent workers in processes which are gracefully terminating. 
2500 (major MMN bump) 2501 [Jeff Trawick] 2502 2503 *) Correctly export all mod_dav public functions. 2504 [Branko Čibej <brane xbc.nu>] 2505 2506Changes with Apache 2.1.3 2507 2508 *) mod_ssl: Add ssl_ext_lookup optional function for accessing 2509 certificate extensions. [David Reid, Joe Orton] 2510 2511 *) Add support for use of an external PCRE library; pass the 2512 --with-pcre flag to configure. PR 27550. [Joe Orton, 2513 Andres Salomon <dilinger voxel.net>] 2514 2515 *) Renamed regex interfaces to be namespace-safe, and moved from 2516 pcreposix.h header to ap_regex.h: regex_t->ap_regex_t, 2517 regmatch_t->ap_regmatch_t; REG_*->AP_REG_*; functions 2518 reg*->ap_reg*. PR 27550. [Andres Salomon <dilinger voxel.net>, 2519 Joe Orton] 2520 2521 *) Only recompile buildmark.c when we have to relink httpd. 2522 [Justin Erenkrantz] 2523 2524 *) mod_cache: Fix up handling of revalidated responses. 2525 [Justin Erenkrantz] 2526 2527 *) mod_disk_cache: Properly load cached ETag from on-disk structures. 2528 [Justin Erenkrantz] 2529 2530 *) mod_authnz_ldap: Added an optional second parameter to AuthLDAPURL 2531 to allow it to override the connection type set in mod_ldap. This 2532 parameter can be set to NONE, SSL or TLS | STARTTLS. 2533 [Brad Nicholes] 2534 2535 *) Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740. 2536 [Max Bowsher <maxb ukf.net>] 2537 2538 *) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170. 2539 [Rici Lake <rici ricilake.net>] 2540 2541 *) mod_proxy: Fix ap_proxy_canonenc API. 2542 PR 32459. [Jim Jagielski] 2543 2544 *) mod_cache: Add CacheStorePrivate and CacheStoreNoStore directive. 2545 [Justin Erenkrantz] 2546 2547 *) Add --enable-pie flag to configure, to build httpd as a Position 2548 Independent Executable where supported (GCC/binutils). 2549 [Joe Orton] 2550 2551 *) proxy_balancer: Add in load-balancing via weighted traffic 2552 byte count. [Jim Jagielski] 2553 2554 *) mod_disk_cache: Cache r->err_headers_out headers. 
This allows CGI 2555 scripts to be properly cached. [Justin Erenkrantz, Sander Striker] 2556 2557 *) mod_ldap: Updated to use the new apr-util v1.1 apr_ldap_*_option() 2558 API for the setting of server and client SSL certificates. Replaced 2559 LDAPTrustedCA directive with LDAPTrustedGlobalCert and 2560 LDAPTrustedClientCert directives to correctly support global certs 2561 (CA certs / Netware client certs) and per connection client certs 2562 as supported by Netware, OpenLDAP and Netscape/Mozilla. 2563 [Graham Leggett] 2564 2565 *) mod_cache: Remove unimplemented CacheForceCompletion directive. 2566 [Justin Erenkrantz] 2567 2568 *) support/check_forensic: Fix temp file usage 2569 [Javier Fernandez-Sanguino Pen~a <jfs computer.org>] 2570 2571 *) mod_ssl: Add SSLCADNRequestFile and SSLCADNRequestPath directives 2572 which can be used to configure a specific list of CA names to send 2573 in a client certificate request. PR 32848. 2574 [Tim Taylor <tim.taylor dfas.mil>] 2575 2576 *) --with-module can now take more than one module to be statically 2577 linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,... 2578 If the <modtype>-subdirectory doesn't exist it will be created and 2579 populated with a standard Makefile.in. [Erik Abele] 2580 2581 *) Remove some compiler warnings within the LDAP modules [Graham Leggett] 2582 2583 *) Add a build script to create a solaris package. [Graham Leggett] 2584 2585 *) ap_http_scheme() replaced with ap_http_method() - this function 2586 returns the scheme (http v.s. https). 2587 [William Rowe] 2588 2589 *) mod_proxy: Fix a request corruption problem and a buffering problem 2590 which sometimes prevented proxy-sendchunks from working. 2591 [Jeff Trawick] 2592 2593 *) Fix the RPM spec file so that an RPM build now works. An RPM 2594 build now requires system installations of APR and APR-util. 
2595 [Graham Leggett] 2596 2597 *) Significantly simplify the load balancer scheduling algorithm 2598 for the proxy BalancerMember weighting. loadfactors (lbfactors) 2599 are now normalized with respect to each other. [Jim Jagielski] 2600 2601 *) mod_dumpio: Added to the available module suite; it is an 2602 I/O logging/dumping module. Placed in the (new) debug module 2603 subdirectory. mod_bucketeer moved to that directory as well. 2604 [Jim Jagielski] 2605 2606 *) core: Add support for APR_TCP_DEFER_ACCEPT to defer accepting 2607 of a connection until data is available. 2608 [Paul Querna] 2609 2610Changes with Apache 2.1.2 2611 2612 *) mod_proxy: Respect errors reported by pre_connection hooks. 2613 [Jeff Trawick] 2614 2615 *) core: Error out on sections that are missing an argument instead of 2616 silently consuming the section. PR 25460. 2617 [Geoffrey Young, Paul Querna] 2618 2619 *) mod_cache/mod_mem_cache/mod_disk_cache: Move out of experimental. 2620 2621 *) Upgraded PCRE to version 5.0. [Brian Pane] 2622 2623 *) mod_cgid: Catch configuration problem where two web server instances 2624 share same ServerRoot but admin forgot to use ScriptSock. 2625 [Jeff Trawick] 2626 2627 *) mod_cgi: Ensure that all stderr is logged for a script which returns 2628 a Location header to generate a non-local redirect. PR 20111. 2629 [Joe Orton] 2630 2631 *) Added the Event MPM to more efficiently handle clients during a 2632 Keep Alive request. 2633 [Paul Querna, Greg Ames] 2634 2635Changes with Apache 2.1.1 2636 2637 *) mod_proxy_http: Stream content better - always flush buffered data to 2638 the client before blocking waiting for new data. PR 19954. 2639 [Joe Orton] 2640 2641 *) mod_ssl: Add support for command-line option "-t -DDUMP_CERTS" which 2642 will dump the filenames of all configured SSL certificates to stdout. 
2643 [Joe Orton] 2644 2645 *) mod_disk_cache: Remove a bunch of non-implemented garbage collection 2646 and cache size directives that are now available through htcacheclean. 2647 [Justin Erenkrantz] 2648 2649 *) Add htcacheclean to support/ for assistance with mod_disk_cache. 2650 [Andreas Steinmetz] 2651 2652 *) mod_authnz_ldap: Added the directive "Requires ldap-filter" that 2653 allows the module to authorize a user based on a complex LDAP 2654 search filter. [Brad Nicholes] 2655 2656 *) mod_usertrack: Run the fixups hook before other modules. 2657 PR 29755. [Paul Querna] 2658 2659 *) Allow mod_authnz_ldap authorization functionality to be used 2660 without requiring the user to also be authenticated through 2661 mod_authnz_ldap. This allows other authentication modules to 2662 take advantage of LDAP authorization only [PR 28253] 2663 [Jari Ahonen jah progress.com, Brad Nicholes] 2664 2665 *) Log the client IP address when an error occurs disabling nagle on a 2666 connection, but log at a severity of debug since this error 2667 generally means that the connection was dropped before data was 2668 sent. Log the client IP address when reporting errors in the core 2669 output filter. [Jeff Trawick] 2670 2671 *) core: Add a warning message if the request line read fails. 2672 [Paul Querna] 2673 2674 *) mod_rewrite: Removed the MaxRedirects option in favor of the 2675 core LimitInternalRecursion directive. [André Malo] 2676 2677 *) mod_info: Added listing of the Request Hooks and added more build 2678 information like 'httpd -V' contains. Changed output to XHTML. 2679 [Paul Querna] 2680 2681 *) mod_info: Rewrote config tree walk using a recursive function. 2682 Added ?config option. Added printout of config filename and line numbers. 2683 [Rici Lake <rici ricilake.net>, Paul Querna] 2684 2685 *) mod_proxy: Fix type error that prevents proxy-sendchunks from working. 2686 [Justin Erenkrantz] 2687 2688 *) mod_proxy: Fix data corruption by properly setting aside buckets. 
2689 [Justin Erenkrantz] 2690 2691 *) mod_proxy: If a request has a blank body and has a 0 Content-Length 2692 headers, pass that to the proxy. [Justin Erenkrantz] 2693 2694 *) Recognize QSA flag in mod_rewrite again. 2695 [Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>] 2696 2697 *) Restructured mod_auth_ldap to fit the new authentication model. 2698 The module is now called authnz_ldap and has been moved out of 2699 the modules/experimental area and into modules/aaa with the other 2700 auth modules. Both the authn_ldap provider and the authz_ldap 2701 handler are contained within the authnz_ldap module. The 2702 authz_ldap handler introduces 3 new "requires" values for handling 2703 authorization. These handlers are ldap-user, ldap-group and 2704 ldap-dn. [Brad Nicholes] 2705 2706 *) Fix some compiler warnings in proxy 2707 [Geoffrey Young <geoff@modperlcookbook.org>] 2708 2709 *) mod_ssl: Add SSL_CLIENT_V_REMAIN variable, representing the 2710 number of days until the client cert expires. [Joe Orton] 2711 2712 *) Add test_config hook, run only if httpd is invoked using -t. 2713 [Joe Orton] 2714 2715 *) Improve error handling for corrupted pid files. [Jeff Trawick] 2716 2717 *) mod_proxy.c and proxy_util.c: Enable compiling on 2.0-HEAD 2718 (for backwards compatibility): 2719 Avoids mod_ssl.h (not included in 2.0-HEAD) and 2720 use apr_socket_create_ex for 0.9.x 2721 [Mladen Turk] 2722 2723 *) Added proxy_ajp.c module for proxy support to ajp:// backends. 2724 [Jean Frederic Clere] 2725 2726 *) Fixes the build of proxy on Windows. Since the proxy_module is declared 2727 as extern using AP_MODULE_DECLARE_DATA that expands to dllexport, there 2728 is a LNK2001 error when building proxy_http. [Mladen Turk] 2729 2730 *) Remove LDAP toolkit specific code from util_ldap and mod_auth_ldap. 2731 [Graham Leggett] 2732 2733 *) Remove deprecated/removed APR_STATUS_IS_SUCCESS(). 
[Justin Erenkrantz] 2734 2735 *) perchild MPM: Fix thread safety problem in the use of longjmp(). 2736 [Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>] 2737 2738 *) Add load balancer support to the scoreboard in preparation for 2739 load balancing support in mod_proxy. [Mladen Turk] 2740 2741 *) mod_nw_ssl: Added the directive NWSSLUpgradeable to mod_nw_ssl to 2742 allow a non-secure connection to be upgraded to secure connections 2743 [Brad Nicholes] 2744 2745 *) core: Add Options= syntax to AllowOverride to specify which options 2746 may be overridden in .htaccess files. PR 29310. 2747 [Tom Alsberg <alsbergt cs.huji.ac.il>, Paul Querna] 2748 2749 *) ab: Handle long URLs with an error instead of an buffer overflow. 2750 PR 28204. [Erik Weide <erik.weidel mplus-technologies.de>, Paul Querna] 2751 2752 *) mod_so, core: Add new command line options to print all loaded 2753 modules. '-t -D DUMP_MODULES' and '-M' will show all static 2754 and shared modules as loaded from the configuration file. 2755 [Paul Querna] 2756 2757 *) mod_autoindex: Add ShowForbidden to IndexOptions to list files 2758 that are not shown because the subrequest returned 401 or 403. 2759 PR 10575. [Paul Querna] 2760 2761 *) mod_headers: implement "Early" processing option in post_read_request 2762 to enable Header and RequestHeader directives to be used to set up 2763 testcases for pre-fixups request phases [Nick Kew] 2764 2765 *) mod_proxy: multiple bugfixes, principally support cookies in 2766 ProxyPassReverse, and don't canonicalise URL passed to backend. 2767 Documentation correspondingly updated. [Nick Kew <nick webthing.com>] 2768 2769 *) mod_deflate: support gzip flags in inflate_out_filter 2770 [Nick Kew <nick webthing.com>] 2771 2772 *) Drop the ErrorHeader directive which turned out to be a misnomer. 2773 Instead there's a new optional flag for the Header directive 2774 ('always'), which keeps the former ErrorHeader functionality. 
2775 [André Malo] 2776 2777 *) mod_deflate: Don't deflate responses with zero length 2778 e.g. proxied 304's [Allan Edwards] 2779 2780 *) <IfModule> now recognizes the module identifier in addition to the 2781 file name. PR 29003. [Edward Rudd <eddie omegaware.com>, André Malo] 2782 2783 *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the 2784 OpenSSL 0.9.7 flag which uses the server's cipher order rather 2785 than the client's. PR 28665. 2786 [Jim Schneider <jschneid netilla.com>] 2787 2788 *) mod_ssl: Drop support for the CompatEnvVars argument to 2789 SSLOptions, which was never actually implemented in 2.0. 2790 [Joe Orton] 2791 2792 *) Fix bug in mod_deflate that unconditionally sent deflate'd output 2793 even when Accept-Encoding is not present. [Justin Erenkrantz] 2794 2795 *) Pass environment variables through to piped loggers and start 2796 them via the shell, resolving regressions since 1.3. PR 28815 2797 [Ken Coar, Jeff Trawick] 2798 2799 *) External rewrite map responses are no longer limited to 2048 2800 bytes. [André Malo] 2801 2802 *) Proxy server was deleting cookies that Apache had already 2803 assigned if the origin server had set any cookies. PR 27023. 2804 [Jim Jagielski] 2805 2806 *) Removed old and unmaintained ap_add_named_module API and changed 2807 the following APIs to return an error instead of hard exiting: 2808 ap_add_module, ap_add_loaded_module, ap_setup_prelinked_modules, 2809 and ap_process_resource_config. [André Malo] 2810 2811 *) mod_headers: Allow %% in header values to represent a literal %. 2812 [André Malo] 2813 2814 *) mod_headers: Allow env clauses also for 'echo' and 'unset' actions. 2815 [André Malo] 2816 2817 *) mod_headers: Allow 'echo' also for ErrorHeaders. [André Malo] 2818 2819 *) mod_deflate: New option for DEFLATE output file (force-gzip), 2820 new output filter 'INFLATE' for uncompressing responses. 
2821 [Nick Kew <Nick at WebThing dot com>, Ian Holsman] 2822 2823 *) Added new module mod_version, which provides version dependent 2824 configuration containers. [André Malo] 2825 2826 *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o 2827 format is used. PR 27787. [André Malo] 2828 2829 *) Allow Digest providers to return AUTH_DENIED to propagate a 401 2830 status and terminate the provider chain prior to checking the password. 2831 [Geoffrey Young] 2832 2833 *) mod_cgid: Don't allow Scriptsock to be specified inside VirtualHost; 2834 Don't place script socket inside default server root instead of 2835 actual server root. PR 27886. [Jeff Trawick] 2836 2837 *) mod_proxy: Fix handling of non-200 success status codes when 2838 "ProxyErrorOverride On" is configured. PR 20183. 2839 [Marcus Janson <marcus.janson tre.se>, Joe Orton] 2840 2841 *) Threaded MPMs for Unix and Win32: Add support for ThreadStackSize 2842 directive (previously NetWare-only) to override default thread 2843 stack size for threads which handle client connections. Required 2844 for some third-party modules on platforms with small default 2845 thread stack size. [Jeff Trawick] 2846 2847 *) minor mod_auth_basic and mod_auth_digest sync. mod_auth_basic 2848 now populates r->user with the (possibly unauthenticated) user, 2849 and mod_auth_digest returns 500 when a provider returns 2850 AUTH_GENERAL_ERROR. 2851 [Geoffrey Young] 2852 2853 *) The whole codebase was relicensed and is now available under 2854 the Apache License, Version 2.0 (http://www.apache.org/licenses). 2855 [Apache Software Foundation] 2856 2857 *) Delete some make-generated files in the server directory during 2858 "make clean" processing. PR 26552. [Jeff Trawick] 2859 2860 *) Add core version query function (ap_get_server_revision) and 2861 accompanying ap_version_t structure (minor MMN bump). 2862 [André Malo] 2863 2864 *) mod_rewrite: EOLs sent by external rewritemaps are now consumed 2865 as whole. 
     That way, on systems with more than one EOL character
     rewritemap programs no longer need to switch stdout to binary
     mode. PR 25635. [André Malo]

  *) mod_rewrite: Introduce the ability to force a content handler via
     the [handler=...] flag. [André Malo]

  *) mod_rewrite: Introduce the RewriteCond -x check, which returns
     true if the pattern is a file with execution permissions.
     [André Malo]

  *) mod_rewrite: Allow proxying and RewriteRules in directory context
     for subrequests. PR 14648, 15114. [André Malo]

  *) mod_rewrite: Allow setting of any valid HTTP response code.
     PR 25917. [André Malo]

  *) mod_rewrite: Cookie creation now works independently of the locale.
     [André Malo]

  *) mod_ssl: Add support for distributed session cache using 'distcache'.
     [Geoff Thorpe <geoff geoffthorpe.net>]

  *) mod_dav: Disallow requests with an unescaped hash character in
     the Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]

  *) mod_proxy with ProxyErrorOverride On in a reverse-proxy configuration
     attaches a body to the 302 response and a wrong Content-Length header.
     PR: 22951 [Ermanno Scaglione scaglione ..at.. starnetone.de]

  *) Bring ErrorHeader concept forward from 1.3, so that response
     header fields can be set for return even on errors or external
     redirects. [Ken Coar]

  *) Fix <Limit> and <LimitExcept> parsing to require a closing '>'
     in the initial container. PR 25414.
     [Geoffrey Young <geoff apache.org>]

  *) Clean up httpd -V output: Instead of displaying the MPM source
     directory, display the MPM name and some MPM properties.
     [Geoffrey Young <geoff apache.org>]

  *) mod_ssl/mod_status: Re-enable support for output of SSL session
     cache information in server-status page. [Joe Orton]

  *) mod_ssl: Remove the shmht session cache; shmcb should be used
     instead. [Joe Orton]

  *) mod_logio: Account for some bytes handed to the network layer prior to
     dropped connections. [Jeff Trawick]

  *) mod_autoindex: new directive IndexStyleSheet
     [Tyler Riddle <triddle_1999 yahoo.com>, Paul Querna <chip force-elite.com>]

  *) Fix uninitialized gprof directory name in prefork MPM. PR 24450.
     [Chris Knight <Christopher.D.Knight nasa.gov>]

  *) Log an error when requests for URIs which fail to map to a valid
     filesystem name are rejected with 403. [Jeff Trawick]

  *) Switch to APR 1.0 API.

  *) Major overhaul of mod_include's filter parser. The new parser code
     is expected to be more robust and should catch all of the edge cases
     that were not handled by the previous one. This includes a binary
     incompatible change of mod_include's external API. [André Malo]

  *) mod_rewrite: Allow forced mimetypes [T=...] to get expanded.
     PR 14223. [André Malo]

  *) mod_rewrite: Fix LA-U and LA-F lookups in directory context. Previously
     the current rewrite state was just used as lookup path, which led to
     strange and often useless results. Related to PR 8493. [André Malo]

  *) Change Listen directive to bind to all addresses when a hostname is
     not specified. [Justin Erenkrantz]

  *) Correct failure with Listen directives on machines with IPv6 enabled.
     [Colm MacCárthaigh <colm stdlib.net>, Justin Erenkrantz]

  *) Fix a link failure in mod_ssl when the OpenSSL libraries contain
     the ENGINE functions but the engine header files are missing.
     [Cliff Woolley]

  *) mod_rewrite: RewriteRules in server context using the force
     type feature [T=...] no longer disable MultiViews. [André Malo]

  *) mod_rewrite: Allow piped rewrite logs to be relative to ServerRoot.
     [André Malo]

  *) mod_authz_groupfile: Strip trailing spaces of group names. This
     hopefully saves some hours of searching for typos. PR 12863.
     [André Malo]

  *) mod_actions: Propagate the handler name to the action script via
     the REDIRECT_HANDLER environment variable. [André Malo]

  *) mod_actions: Introduce the "virtual" modifier to the Action directive,
     which allows the use of handlers for virtual locations. PR 8431.
     [André Malo]

  *) mod_speling: Recognize AcceptPathInfo setting for the particular
     location. Default is to reject path information. PR 21059.
     [André Malo]

  *) mod_ext_filter: Add the ability to filter request bodies.
     [Philipp Reisner <philipp.reisner linbit.com>]

  *) Fix some broken log messages in WinNT MPM.
     [Juan Rivera <Juan.Rivera citrix.com>]

  *) prefork MPM: Use the right permissions for the directory created
     for gprof support. [Jim Carlson <jcarlson jnous.com>]

  *) Fix a compile failure with recent OpenSSL and picky compilers
     (e.g., OpenSSL 0.9.7a and xlc_r on AIX). [Jeff Trawick]

  *) OpenSSL headers should be included as "openssl/ssl.h", and not rely on
     the INCLUDE path to be defined properly.
     PR 11310. [Geoff Thorpe <geoff geoffthorpe.net>]

  *) Modify APACHE_CHECK_SSL_TOOLKIT to detect SSL-C. [Madhusudan Mathihalli]

  *) Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
     autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc.).
     [Geoff Thorpe <geoff geoffthorpe.net>]

  *) Change directive name from 'compressionlevel' to 'deflatecompressionlevel'.
     [Ian Holsman, André Malo]

  *) mod_negotiation: Quality values are now parsed independently of
     the current locale. Level values are now really parsed as integers.
     PR 17564. [André Malo]

  *) Extend mod_negotiation to evaluate the environment variables
     no-gzip and gzip-only-text/html the same way as mod_deflate does.
     [André Malo]

  *) mod_rewrite: Fix some problems reporting errors with mapping
     programs (RewriteMap prg:/something). [Jeff Trawick]

  *) Return 413 if chunk-ext-header is too long rather than reading from
     the truncated line. PR 15857. [Justin Erenkrantz]

  *) Allow restart of httpd to occur even with syntax errors in the config
     file. PR 16813. [Justin Erenkrantz]

  *) Use APR_LAYOUT instead of APACHE_LAYOUT in configure. PR 15679.
     [Justin Erenkrantz]

  *) Remove files on 'make distclean' that should be removed. PR 15592.
     [Justin Erenkrantz]

  *) Allow apachectl to perform status with links and elinks as well.
     [Justin Erenkrantz]

  *) mod_log_config: Change optional hook to return previous handler.
     [Ian Holsman]

  *) Forward port of mod_actions' ability to handle arbitrary methods
     with the Script directive. [André Malo]

  *) Let suexec send a message to stderr if it failed or its policy
     was violated. This message appears in the error log and allows
     for easier debugging. PR 5381, 7638, 8255, 10773. [André Malo]

  *) Modify buildconf to copy all required files into httpd's tree.
     [Thom May <thom planetarytramp.net>]

  *) Allow mod_dav to do weak entity comparison functions.
     [Justin Erenkrantz]

  *) Move RFC 1413 ident requests from core to new module mod_ident.
     [André Malo]

  *) Add mod_authz_owner - a forward port of "Require file-owner"
     and "Require file-group", which was already present in version
     1.3.21. [André Malo]

  *) Add mod_dav_lock - a generic subset of the DAV locking implementation.
     [Justin Erenkrantz]

  *) Replace some of the mutex locking in the worker MPM with
     atomic operations for higher concurrency. [Brian Pane]

  *) Allow 'make depend' to work with non-GCC compilers.
     [Justin Erenkrantz]

  *) If an httpd.conf has commented out AddModule directives,
     apxs -i -a will add an uncommented AddModule directive for
     the new module, which breaks the config.
     PR: 11212 [Joe Orton]

  *) Fix mod_proxy handling of filtered input bodies. [Justin Erenkrantz]

  *) Move the check of the Expect request header field after the hook
     for ap_post_read_request, since that is the only opportunity for
     modules to handle Expect extensions. [Justin Erenkrantz]

  *) Rewrite of aaa modules to an authn/authz model.
     [Dirk-Willem van Gulik, Justin Erenkrantz]

  [Apache 2.1.0-dev includes those bug fixes and changes with the
   Apache 2.0.xx tree as documented, and except as noted, below.]

Changes with Apache 2.0.x and later:

  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup