CHANGES revision 03aa31ad82759363ba1a55589e517b16308ef635
-*- coding: utf-8 -*-

Changes with Apache 2.3.7

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]

  *) core: Introduce the IncludeStrict directive, which explicitly fails
     server startup if no files or directories match a wildcard path.
     [Graham Leggett]

  *) htcacheclean: Report additional statistics about entries deleted.
     PR 48944. [Mark Drayton mark markdrayton.info]

  *) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
     builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
     build of openssl is required for 'SSLFIPS on'. PR 46270.
     [Dr Stephen Henson <steve openssl.org>, William Rowe]

  *) mod_proxy_http: Log the port of the remote server in various messages.
     PR 48812. [Igor Galić <i galic brainsware org>]

  *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
     connections and other protocol handlers (like mod_ftp). [Stefan Fritsch]

  *) mod_proxy_ajp: Really regard the operation a success, when the client
     aborted the connection. In addition adjust the log message if the client
     aborted the connection. [Ruediger Pluem]

  *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
     allows insecure renegotiation with clients which do not yet
     support the secure renegotiation protocol. [Joe Orton]

  *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
     is configured for client cert auth. PR 46952. [Joe Orton]

  *) core: Only log a 408 if it is no keepalive timeout. PR 39785
     [Ruediger Pluem, Mark Montague <markmont umich.edu>]

  *) support/rotatelogs: Add -L option to create a link to the current
     log file. PR 48761 [<lyndon orthanc.ca>, Dan Poirier]

  *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
     setting only, matching most of the documentation and examples.
     PR 46541 [Paul Reder, Eric Covener]

  *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
     types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]

  *) mod_negotiation: Preserve query string over multiviews negotiation.
     This buglet was fixed for type maps in 2.2.6, but the same issue
     affected multiviews and was overlooked.
     PR 33112 [Joergen Thomsen <apache jth.net>]

  *) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert
     when some are not password-protected. [Eric Covener]

  *) Fix startup segfault when the Mutex directive is used but no loaded
     modules use httpd mutexes. PR 48787. [Jeff Trawick]

  *) Proxy: get the headers right in a HEAD request with
     ProxyErrorOverride, by checking for an overridden error
     before not after going into a catch-all code path.
     PR 41646. [Nick Kew, Stuart Children]

  *) support/rotatelogs: Support the simplest log rotation case, log
     truncation. Useful when the log is being processed in real time
     using a command like tail. [Graham Leggett]

  *) support/htcacheclean: Teach it how to write a pid file (modelled on
     httpd's writing of a pid file) so that it becomes possible to run
     more than one instance of htcacheclean on the same machine.
     [Graham Leggett]

  *) Log command line on startup, so there's a record of command line
     arguments like -f. PR 48752. [Dan Poirier]

  *) Introduce mod_reflector, a handler capable of reflecting POSTed
     request bodies back within the response through the output filter
     stack. Can be used to turn an output filter into a web service.
     [Graham Leggett]

  *) mod_proxy_http: Make sure that when an ErrorDocument is served
     from a reverse proxied URL, that the subrequest respects the status
     of the original request. This brings the behaviour of proxy_handler
     in line with default_handler. PR 47106. [Graham Leggett]

  *) Support wildcards in both the directory and file components of
     the path specified by the Include directive. [Graham Leggett]

  *) mod_proxy, mod_proxy_http: Support remote https proxies
     by using HTTP CONNECT. PR 19188.
     [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
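
An added example, not part of the Apache distribution, of how an administrator could audit for the two conditions the 2.3.7 mod_ssl entries above describe: 'SSLInsecureRenegotiation' switched on in a configuration, and an OpenSSL build older than 0.9.8m. The sample configuration, host names and function names are constructed for illustration.

```python
import re

# Constructed sample configuration for the demonstration (not a shipped file).
SAMPLE_CONF = """\
SSLEngine on
# SSLInsecureRenegotiation on
<VirtualHost *:443>
    ServerName legacy.example.test
    sslinsecurerenegotiation \\
        On
</VirtualHost>
<VirtualHost *:8443>
    ServerName modern.example.test
    SSLInsecureRenegotiation off
</VirtualHost>
"""

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")

def openssl_key(version):
    """Sortable key for OpenSSL versions such as '0.9.8m' or '1.0.1e'."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, fix, letters = m.groups()
    # 'za' sorts after 'z', so compare letter-suffix length before its text.
    return (int(major), int(minor), int(fix), len(letters), letters)

def has_comprehensive_fix(openssl_version):
    """True for 0.9.8m or later, the threshold named in the 2.3.7 entry."""
    return openssl_key(openssl_version) >= openssl_key("0.9.8m")

def logical_lines(text):
    """Yield (first line number, text) with backslash continuations joined."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def find_insecure_renegotiation(text):
    """Return [(line, enclosing section)] where the directive is set to on."""
    findings, scope = [], ["server config"]
    for number, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if len(scope) > 1:
                scope.pop()
        elif line.startswith("<"):
            scope.append(line.strip("<>").strip())
        else:
            words = line.split()
            # Directive names and on/off arguments are case-insensitive.
            if (words[0].lower() == "sslinsecurerenegotiation"
                    and len(words) > 1
                    and words[1].strip("\"'").lower() == "on"):
                findings.append((number, scope[-1]))
    return findings

if __name__ == "__main__":
    for number, section in find_insecure_renegotiation(SAMPLE_CONF):
        print("line %d (%s): legacy renegotiation re-enabled" % (number, section))
```

Distribution packages often backport security fixes without changing the OpenSSL version string, so a False result from has_comprehensive_fix is a prompt to check the vendor advisory rather than proof of exposure.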

Changes with Apache 2.3.6

  *) worker: Don't report server has reached MaxClients until it has.
     Add message when server gets within MinSpareThreads of MaxClients.
     PR 46996. [Dan Poirier]

  *) mod_session: Session expiry was being initialised, but not updated
     on each session save, resulting in timed out sessions when there
     should not have been. Fixed. [Graham Leggett]

  *) mod_log_config: Add the R option to log the handler used within the
     request. [Christian Folini <christian.folini netnea com>]

  *) mod_include: Allow fine control over the removal of Last-Modified and
     ETag headers within the INCLUDES filter, making it possible to cache
     responses if desired. Fix the default value of the SSIAccessEnable
     directive. [Graham Leggett]

  *) Add new UnDefine directive to undefine a variable. PR 35350.
     [Stefan Fritsch]

  *) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax
     for regex backreferences as mod_rewrite and mod_include: Remove the use
     of '&' as an alias for '$0' and allow to escape any character with a
     backslash. PR 48351. [Stefan Fritsch]

  *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
     password to UTF-8. PR 45318.
     [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]

  *) ab: Fix calculation of requests per second in HTML output. PR 48594.
     [Stefan Fritsch]

  *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
     password now result in an informational level log entry instead of
     warning level. [Eric Covener]

Changes with Apache 2.3.5

  *) SECURITY: CVE-2010-0434 (cve.mitre.org)
     Ensure each subrequest has a shallow copy of headers_in so that the
     parent request headers are not corrupted. Eliminates a problematic
     optimization in the case of no request body. PR 48359
     [Jake Scott, William Rowe, Ruediger Pluem]

  *) Turn static function get_server_name_for_url() into public
     ap_get_server_name_for_url() and use it where appropriate. This
     fixes mod_rewrite generating invalid URLs for redirects to IPv6
     literal addresses. [Stefan Fritsch]

  *) mod_ldap: Introduce new config option LDAPTimeout to set the timeout
     for LDAP operations like bind and search. [Stefan Fritsch]

  *) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to
     mod_proxy_ftp. [Takashi Sato]

  *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to
     mod_proxy_connect. [Takashi Sato]

  *) mod_cache: Do an exact match of the keys defined by
     CacheIgnoreURLSessionIdentifiers against the querystring instead of
     a partial match. PR 48401.
     [Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]

  *) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung]

  *) Core HTTP: disable keepalive when the Client has sent
     Expect: 100-continue
     but we respond directly with a non-100 response.
     Keepalive here led to data from clients continuing being treated as
     a new request.
     PR 47087 [Nick Kew]

  *) Core: reject NULLs in request line or request headers.
     PR 43039 [Nick Kew]

  *) Core: (re)-introduce -T commandline option to suppress documentroot
     check at startup.
     PR 41887 [Jan van den Berg <janvdberg gmail.com>]

  *) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions,
     ScanHTMLTitles, ReadmeName, HeaderName
     PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew]

  *) Proxy: Fix ProxyPassReverse with relative URL
     Derived (slightly erroneously) from PR 38864 [Nick Kew]

  *) mod_headers: align Header Edit with Header Set when used on Content-Type
     PR 48422 [Cyril Bonté <cyril.bonte free.fr>, Nick Kew]

  *) mod_headers: Enable multi-match-and-replace edit option
     PR 47066 [Nick Kew]

  *) mod_filter: enable it to act on non-200 responses.
     PR 48377 [Nick Kew]

Changes with Apache 2.3.4

  *) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
     and WatchdogMutexPath with a single Mutex directive. Add APIs to
     simplify setup and user customization of APR proc and global mutexes.
     (See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
*) SECURITY: CVE-2009-3095 (cve.mitre.org)
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
*) SECURITY: CVE-2009-3094 (cve.mitre.org)
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
[Dr Stephen Henson <shenson oss-institute.org>]
PR 47178. [Philipp Hagemeister <oss phihag.de>]
Brian France <brian brianfrance.com>]
modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com]
*) mod_logio/core: Report more accurate byte counts in mod_status if
for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
the request is a CONNECT request. [Bill Zajac <billz consultla.com>]
[Peter Grandi <pg_asf asf.for.sabi.co.uk>, Graham Leggett]
Log 408 errors in access log as was done in Apache 1.3.x.
PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>,
Stefan Fritsch <sf fritsch.de>, Dan Poirier]
Brian France <brian brianfrance.com>]
Brian France <brian brianfrance.com>]
[Stefan Fritsch <sf sfritsch.de>]
*) mod_session.c: Prevent a segfault when session is added but not
definition. [Stefan Fritsch sf sfritsch.de]
*) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
PR 46971 [evanc nortel.com]
[Stefan Fritsch <sf sfritsch.de>]
for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
*) SECURITY: CVE-2009-1890 (cve.mitre.org)
*) SECURITY: CVE-2009-1191 (cve.mitre.org)
by the client. PR 33098 [ Stefan Fritsch <sf sfritsch.de>]
PR 42175 [Jim Radford <radford blackbean.org>]
type. PR 45107. [Michael Ströder <michael stroeder.com>,
PR 44020 [Håkon Stordahl <hakon stordahl.org>]
CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>]
PR 46942 [Dan Poirier <poirier pobox.com>]
PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
[Marko Kevac <mkevac gmail.com>]
as A/UX, Next, and Tandem. [Jeff Trawick]
directory listing. PR 46789 [Dan Poirier <poirier pobox.com>]
of module state across unload/load. [Jeff Trawick]
[Dan Poirier <poirier pobox.com>]
[Geoff Keating <geoffk apple.com>]
with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris).
a media type has not been configured via mime.types, AddType,
[Ryan Phillips <ryan-apache trolocsis.com>]
[<tlhackque yahoo.com>]
*) prefork: Fix child process hang during graceful restart/stop in
*) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]
times out before returning status line/headers.
PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>]
[Theo Schlossnagle <jesus omniti.com>, Paul Querna]
modules/proxy/balancers [Jim Jagielski]
privileges and Unix user/group IDs [Nick Kew]
logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject,
*) unixd: turn existing code into a module, and turn the set user/group
Suggested By André Warnier <aw ice-sa.com> [Eric Covener]
*) mod_ssl: Send Content-Type application/ocsp-request for POST requests to
OCSP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>]
*) Export and install the mod_rewrite.h header to ensure the optional
*) New module mod_sed: filter Request/Response bodies through sed
null value. [David Shane Holden <dpejesh apache.org>]
*) ab: Make ab.c compile on VC6. PR 45024 [Ruediger Pluem]
*) configure: Don't reject libtool 2.x
overwritten. PR 44262 [Michał Grzędzicki <lazy iq.pl>]
PR 44799 [Christian Wenz <christian wenz.org>]
both inside and outside the location/directory sections, as
form request with the type of application/x-www-form-urlencoded.
*) mod_authz_dbd: When redirecting after successful login/logout per
PR 44560 [Anders Kaseorg <anders kaseorg.com>]
mod_cache et.al. to trap the results of the redirect.
PR 34607. [Kaspar Brand <asfbugz velox.ch>]. A test configuration
can be created with test/make_sni.sh [Dirk-Willem van Gulik].
*) ApacheMonitor.exe: Introduce --kill argument for use by the
*) mod_ldap, mod_authnzldap: Add support for nested groups (i.e. the ability
[David Jones <oscaremma gmail.com>]
[David M. Lee <dmlee crossroads.com>]
[Niklas Edmundsson <nikke acc.umu.se>]
[Stijn Hoop <stijn sandcat.nl>]
[Niklas Edmundsson <nikke acc.umu.se>]
final name. [Davi Arnaut <davi haxent.com.br>]
[Markus Schiegl <ms schiegl.com>]
*) Remove incorrect comments from scoreboard.h regarding conditional
[Chris Darroch <chrisd pearsoncmg.com>]
in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]
[Chris Darroch <chrisd pearsoncmg.com>]
and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
*) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]
Apache 2.2.xx tree as documented, and except as noted, below.]
Changes with Apache 2.2.x and later:
Changes with Apache 2.0.x and later:
Changes with Apache 1.3.x and later: