CHANGES revision 0ed19acadd3d3dd593759173d87d2243e97914e2
-*- coding: utf-8 -*-

Changes with Apache 2.3.9

  *) SECURITY: CVE-2010-1623 (cve.mitre.org)
     Fix a denial of service attack against mod_reqtimeout.
     [Stefan Fritsch]

  *) mod_cache: Support the caching of HEAD requests. [Graham Leggett]

  *) htcacheclean: Allow the option to round up file sizes to a given
     block size, improving the accuracy of disk usage. [Graham Leggett]

  *) mod_ssl: Add authz providers for use with mod_authz_core and its
     RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL),
     'ssl-verify-client' (for use with 'SSLVerifyClient optional'), and
     'ssl-require' (expressions with same syntax as SSLRequire).
     [Stefan Fritsch]

  *) mod_ssl: Make the ssl expression parser thread-safe. It now requires
     bison instead of yacc. [Stefan Fritsch]

  *) mod_disk_cache: Change on-disk header file format to support the
     link of the device/inode of the data file to the matching header
     file, and to support the option of not writing a data file when
     the data file is empty. [Graham Leggett]

  *) core/mod_unique_id: Add generate_log_id hook to allow using
     the ID generated by mod_unique_id as error log ID for requests.

  *) mod_cache: Make sure that we never allow a 304 Not Modified response
     that we asked for to leak to the client should the 304 response be
     uncacheable. PR45341 [Graham Leggett]

  *) mod_cache: Add the cache_status hook to register the final cache
     decision hit/miss/revalidate. Add optional support for an X-Cache
     and/or an X-Cache-Detail header to add the cache status to the
     response. PR48241 [Graham Leggett]

  *) mod_authz_host: Add 'local' provider that matches connections originating
     on the local host. PR 19938. [Stefan Fritsch]

  *) Event MPM: Fix crash accessing pollset on worker thread when child
     process is exiting. [Jeff Trawick]

  *) core: For process invocation (cgi, fcgid, piped loggers and so forth)
     pass the system library path (LD_LIBRARY_PATH or platform-specific
     variables) along with the system PATH, by default. Both should be
     overridden together as desired using PassEnv etc; see mod_env.

  *) mod_cache: Introduce CacheStoreExpired, to allow administrators to
     capture a stale backend response, perform If-Modified-Since requests
     against the backend, and serve all 304 responses from the cache.
     This restores pre-2.2.4 cache behavior. [William Rowe]

  *) mod_rewrite: Introduce <=, >= string comparison operators, and integer
     comparators -lt, -le, -eq, -ge, and -gt. To help bash users and drop
     the ambiguity of the symlink test "-ltest", introduce -h or -L as
     symlink test operators. [William Rowe]
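     The new RewriteCond operators in use, as an added example that is
     not part of this CHANGES file or the project's documentation. The
     URL paths, the size limit and the maintenance window are assumed
     values. Each operator family is paired with a check a practitioner
     would actually deploy: an integer comparator for a body-size limit,
     the string comparators for a time window, and the new symlink test
     to refuse serving symlinked files out of an upload directory.

```apache
RewriteEngine On

# Integer comparison (-gt): refuse an upload whose declared body is
# larger than 10 MiB before any handler reads it. The path and the
# limit are assumptions. A status of 400 or above can be returned
# directly with the R flag; the substitution is then ignored.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Length} -gt 10485760
RewriteRule ^/upload/ - [R=413,L]

# String comparison (>=, <=): TIME_HOUR and TIME_MIN are zero-padded,
# so HHMM compares correctly as a string. Answer 503 for the API during
# an assumed nightly maintenance window of 23:00 to 23:29.
RewriteCond %{TIME_HOUR}%{TIME_MIN} >=2300
RewriteCond %{TIME_HOUR}%{TIME_MIN} <=2329
RewriteRule ^/api/ - [R=503,L]

# Symlink test (-L, or -h), replacing the ambiguous -l: never serve a
# file under /uploads that is itself a symbolic link, so a planted link
# cannot expose files outside the upload tree. In virtual host context
# REQUEST_FILENAME is not yet a filesystem path, so DOCUMENT_ROOT is
# prepended to the request URI instead.
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -L
RewriteRule ^/uploads/ - [F]
```

     Note that the -L test only makes sense where the server would
     otherwise follow the link, i.e. with FollowSymLinks or
     SymLinksIfOwnerMatch in effect for that tree; with symlinks
     disabled outright in Options, core already refuses the request.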
  *) mod_cache: Give the cache provider the opportunity to choose to cache
     or not cache based on the buckets present in the brigade, such as the
     presence of a FILE bucket.
     [Graham Leggett]

  *) mod_authz_core: Allow authz providers to check args while reading the
     config and allow caching of parsed args. Move 'all' and 'env' authz
     providers from mod_authz_host to mod_authz_core. Add 'method' authz
     provider depending on the HTTP method. [Stefan Fritsch]
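     The providers from this release combined in one RequireAll/RequireAny
     tree, as an added illustration that is not part of this CHANGES file
     or the project's documentation. The certificate paths, the location,
     the organisation name and the method list are assumptions; the
     argument to 'ssl-require' is written in SSLRequire syntax as the
     mod_ssl entry above describes. The 'ssl' provider stands in for
     SSLRequireSSL, 'ssl-verify-client' works against the optional
     client-certificate request, 'local' comes from mod_authz_host and
     'method' from mod_authz_core.

```apache
<VirtualHost *:443>
    SSLEngine on
    # Assumed paths.
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    # Ask for, but do not demand, a client certificate in the handshake;
    # the authz tree below decides which requests actually need one.
    SSLVerifyClient optional

    <Location /admin>
        <RequireAll>
            # Same effect as SSLRequireSSL: never serve this over plain HTTP.
            Require ssl

            # Read-only methods only; everything else is refused.
            Require method GET HEAD

            # Either the connection originates on this host, or the client
            # presented a certificate that verified against the CA above
            # and belongs to the expected organisation (assumed name).
            <RequireAny>
                Require local
                <RequireAll>
                    Require ssl-verify-client
                    Require ssl-require %{SSL_CLIENT_S_DN_O} eq "Example Corp"
                </RequireAll>
            </RequireAny>
        </RequireAll>
    </Location>
</VirtualHost>
```

     Because SSLVerifyClient is set once at virtual host scope rather
     than inside the Location, the certificate is collected during the
     initial handshake and no renegotiation is needed to reach /admin.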
  *) mod_include: Move the request_rec within mod_include to be
     exposed within include_ctx_t. [Graham Leggett]

  *) mod_include: Reinstate support for UTF-8 character sets by allowing a
     variable being echoed or set to be decoded and then encoded as separate
     steps. PR47686 [Graham Leggett]

  *) mod_cache: Add a discrete commit_entity() provider function within the
     mod_cache provider interface which is called to indicate to the
     provider that caching is complete, giving the provider the opportunity
     to commit temporary files permanently to the cache in an atomic
     fashion. Replace the inconsistent use of error cleanups with a formal
     set of pool cleanups attached to a subpool, which is destroyed on error.
     [Graham Leggett]

  *) mod_cache: Change the signature of the store_body() provider function
     within the mod_cache provider interface to support an "in" brigade
     and an "out" brigade instead of just a single input brigade. This
     gives a cache provider the option to consume only part of the brigade
     passed to it, rather than the whole brigade as was required before.
     This fixes an out of memory and a request timeout condition that would
     occur when the original document was a large file. Introduce
     CacheReadSize and CacheReadTime directives to mod_disk_cache to control
     the amount of data to attempt to cache at a time. [Graham Leggett]

  *) core: Add ErrorLogFormat to allow configuring error log format, including
     additional information that is logged once per connection or request. Add
     error log IDs for connections and requests to allow correlating error log
     lines and the corresponding access log entry. [Stefan Fritsch]
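     An error log format that carries the new IDs, beside an access log
     format that records the same request ID, as an added example that is
     not part of this CHANGES file. The format specifiers follow the
     ErrorLogFormat and mod_log_config documentation of the 2.4 series,
     which is where this feature shipped; the log paths are assumptions.
     The point is correlation: the [R:...] field on an error line matches
     the %L field of that request's access log entry, and [C:...] ties
     together every request served on one connection.

```apache
# Main line: timestamp with microseconds, module:level, request and
# connection log IDs, source file and line, APR error, message.
ErrorLogFormat "[%{u}t] [%-m:%-l] [R:%L] [C:%{C}L] %7F: %E: %M"

# Lines emitted once per request and once per connection, so client
# address and User-Agent are not repeated on every message. The
# escaped spaces drop the item together with its label when empty.
ErrorLogFormat request "[%{u}t] [R:%L] Request %k on C:%{c}L pid:%P tid:%T"
ErrorLogFormat request "[%{u}t] [R:%L] UA:'%+{User-Agent}i'"
ErrorLogFormat connection "[%{u}t] [C:%{c}L] remote\ %a local\ %A"

# The same request ID as the last field of the access log (%L), so the
# two files can be joined on it.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %L" combined_with_id
CustomLog /var/log/apache2/access_log combined_with_id
ErrorLog  /var/log/apache2/error_log
```

     Searching both files for one ID reconstructs what a single request
     did and which errors it raised. With the generate_log_id hook from
     the 2.3.9 core/mod_unique_id entry above, mod_unique_id can supply
     the same value it exports as UNIQUE_ID, so the ID is also available
     to CGI scripts and application logs.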
  *) core: Disable sendfile by default. [Stefan Fritsch]

  *) mod_cache: Check the request to determine whether we are allowed
     to return cached content at all, and respect a "Cache-Control:
     no-cache" header from a client. Previously, "no-cache" would
     behave like "max-age=0". [Graham Leggett]
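     A reverse-proxy cache that uses the mod_cache and mod_disk_cache
     directives introduced in this release (CacheStoreExpired,
     CacheReadSize, CacheReadTime), as an added example that is not part
     of this CHANGES file. The origin server, the cache path and the
     read limits are assumptions, and mod_proxy/mod_proxy_http are
     assumed to be loaded as well.

```apache
LoadModule cache_module      modules/mod_cache.so
LoadModule disk_cache_module modules/mod_disk_cache.so

# Assumed origin; the cache sits in front of it.
ProxyPass        /app/ http://backend.internal:8080/app/
ProxyPassReverse /app/ http://backend.internal:8080/app/

CacheEnable disk /app/
CacheRoot /var/cache/apache2/mod_disk_cache

# Keep stale entries on disk and revalidate them with If-Modified-Since.
# A 304 from the origin is answered from the stored body, so the origin
# never re-sends content that has not changed.
CacheStoreExpired On

# Bound how much of a large response the provider copies into the cache
# per pass (bytes and milliseconds; values are assumptions), so a very
# large file neither exhausts memory nor stalls the client while the
# cache catches up.
CacheReadSize 131072
CacheReadTime 1000
```

     A client request carrying "Cache-Control: no-cache" is now checked
     against the entry above before anything is served from it, instead
     of being handled as if it had said "max-age=0".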
  *) mod_cache: Use a proper filter context to hold filter data instead
     of misusing the per-request configuration. Fixes a segfault on trunk
     when the normal handler is used. [Graham Leggett]

  *) mod_cgid: Log a warning if the ScriptSock path is truncated because
     it is too long. PR 49388. [Stefan Fritsch]

  *) vhosts: Do not allow _default_ in NameVirtualHost, or mixing *
     and non-* ports on NameVirtualHost, or multiple NameVirtualHost
     directives for the same address:port, or NameVirtualHost
     directives with no matching VirtualHosts, or multiple ip-based
     VirtualHost sections for the same address:port. These were
     previously accepted with a warning, but the behavior was
     undefined. [Dan Poirier]

  *) mod_remoteip: Fix a segfault when using mod_remoteip in conjunction with
     Allow/Deny. PR 49838. [Andrew Skalski <voltara gmail.com>]

  *) core: DirectoryMatch can now match on the end of line character ($),
     and sub-directories of matched directories are no longer implicitly
     matched. PR49809 [Eric Covener]

  *) Regexps: introduce new higher-level regexp utility including parsing
     and executing perl-style regexp ops (e.g s/foo/bar/i) and regexp memory

Changes with Apache 2.3.8

  *) suexec: Support large log files. PR 45856. [Stefan Fritsch]

  *) core: Abort with sensible error message if no or more than one MPM is
     loaded. [Stefan Fritsch]

  *) mod_proxy: Rename erroronstatus to failonstatus.
     [Daniel Ruggeri <DRuggeri primary.net>]

  *) mod_dav_fs: Fix broken "creationdate" property.
     Regression in version 2.3.7. [Rainer Jung]

Changes with Apache 2.3.7

  *) SECURITY: CVE-2010-1452 (cve.mitre.org)
     mod_dav, mod_cache, mod_session: Fix handling of requests without a path
     segment. PR: 49246 [Mark Drayton, Jeff Trawick]

  *) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076.
     [Stefan Fritsch]

  *) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639.
     [Stefan Fritsch]

  *) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers
     via leveraging 100-Continue as the initial "request".
     [Jim Jagielski]

  *) core/mod_authz_core: Introduce new access_checker_ex hook that enables
     mod_authz_core to bypass authentication if access should be allowed by
     IP address/env var/... [Stefan Fritsch]

  *) core: Introduce note_auth_failure hook to allow modules to add support
     for additional auth types. This makes ap_note_auth_failure() work with
     mod_auth_digest again. PR 48807. [Stefan Fritsch]

  *) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]

  *) mod_authn_cache: new module [Nick Kew]

  *) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]

  *) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]

  *) mod_rewrite: Allow setting environment variables without explicitly
     giving a value. [Rainer Jung]

  *) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung]

  *) mod_include: recognise "text/html; parameters" as text/html
     PR 49616 [Andrey Chernov <ache nagual.pp.ru>]

  *) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
     PR 43906 [Nick Kew]

  *) Core: Extra robustness: don't try authz and segfault if authn
     fails to set r->user. Log bug and return 500 instead.
     PR 42995 [Nick Kew]

  *) HTTP protocol filter: fix handling of longer chunk extensions

  *) Update SSL cipher suite and add example for SSLHonorCipherOrder.
     [Lars Eilebrecht, Rainer Jung]

  *) move AddOutputFilterByType from core to mod_filter. This should
     fix nasty side-effects that happen when content_type is set
     more than once in processing a request, and make it fully
     compatible with dynamic and proxied contents. [Nick Kew]

  *) mod_log_config: Implement logging for sub second timestamps and
     request end time. [Rainer Jung]

Changes with Apache 2.3.6

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
     and offer unsafe legacy renegotiation with clients which do not yet
     support the new secure renegotiation protocol, RFC 5746.
     [Joe Orton, and with thanks to the OpenSSL Team]

  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
     by rejecting any client-initiated renegotiations. Forcibly disable
     keepalive for the connection if there is any buffered data readable. Any
     configuration which requires renegotiation for per-directory/location
     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]

  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
     when request headers indicate a request body is incoming; not a case of
     HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]

  *) SECURITY: CVE-2010-0425 (cve.mitre.org)
     mod_isapi: Do not unload an isapi .dll module until the request
     processing is completed, avoiding orphaned callback pointers.
     [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]

  *) core: Filter init functions are now run strictly once per request
     before handler invocation. The init functions are no longer run
     for connection filters. PR 49328. [Joe Orton]

  *) core: Adjust the output filter chain correctly in an internal
     redirect from a subrequest, preserving filters from the main
     request as necessary. PR 17629. [Joe Orton]

  *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
     Response if they so choose to do so. Previously an attempt to cache a 206
     was arbitrarily allowed if the response contained an Expires or
     Cache-Control header, and arbitrarily denied if both headers were missing.
     [Graham Leggett]

  *) core: Add microsecond timestamp fractions, process id and thread id
     to the error log. [Rainer Jung]

  *) configure: The "most" module set gets built by default. [Rainer Jung]

  *) configure: Building dynamic modules (DSO) by default. [Rainer Jung]

  *) configure: Fix broken VPATH build when using included APR.

  *) mod_session_crypto: Fix configure problem when building
     with APR 2 and for VPATH builds with included APR.

  *) mod_session_crypto: API compatibility with APR 2 crypto and
     APR Util 1.x crypto. [Rainer Jung]

  *) ab: Fix memory leak with -v2 and SSL. PR 49383.
     [Pavel Kankovsky <peak argo troja mff cuni cz>]

  *) core: Add per-module and per-directory loglevel configuration.
     Add some more trace logging.
     mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels.
     mod_ssl: Replace LogLevelDebugDump with trace log levels.
     mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info
     mod_dumpio: Replace DumpIOLogLevel with trace log levels.
     [Stefan Fritsch]

  *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
     title page only) when any mod_ldap directives were used in VirtualHost
     context. [Eric Covener]

  *) mod_disk_cache: Decline the opportunity to cache if the response is
     a 206 Partial Content. This stops a reverse proxied partial response
     from becoming cached, and then being served in subsequent responses.
     [Graham Leggett]

  *) mod_deflate: avoid the risk of forwarding data before headers are set.
     PR 49369 [Matthew Steele <mdsteele google.com>]

  *) mod_authnz_ldap: Ensure nested groups are checked when the
     top-level group doesn't have any direct non-group members
     of attributes in AuthLDAPGroupAttribute. [Eric Covener]

  *) mod_authnz_ldap: Search or Comparison during authorization phase
     can use the credentials from the authentication phase
     (AuthLDAPSearchAsUser, AuthLDAPCompareAsUser).
     PR 48340 [Domenico Rotiroti, Eric Covener]

  *) mod_authnz_ldap: Allow the initial DN search during authentication
     to use the HTTP username/pass instead of an anonymous or hard-coded
     LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).
     [Eric Covener]

  *) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
     when this module is used for authorization. See AuthLDAPAuthorizePrefix.
     PR 45584 [Eric Covener]

  *) apxs -q: Stop filtering out ':' characters from the reported values.
     PR 45343. [Bill Cole]

  *) prefork MPM: Run cleanups for final request when process exits gracefully.
     PR 43857. [Tom Donovan]

  *) ab: fix number of requests sent by ab when keepalive is enabled. PR 48497.
     [Bryn Dole <dole blekko.com>]

  *) Log an error for failures to read a chunk-size, and return 408 instead of
     413 when this is due to a read timeout. This change also fixes some cases
     of two error documents being sent in the response for the same scenario.
     [Eric Covener] PR49167

  *) mod_proxy_balancer: Add new directive BalancerNonce to allow admin
     to control/set the nonce used in the balancer-manager application.
     [Jim Jagielski]

  *) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673.
     [Stefan Fritsch]

  *) Proxy balancer: support setting error status according to HTTP response
     code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]

  *) htcacheclean: Introduce the ability to clean specific URLs from the
     cache, if provided as an optional parameter on the command line.
     [Graham Leggett]

  *) core: Introduce the IncludeStrict directive, which explicitly fails
     server startup if no files or directories match a wildcard path.
     [Graham Leggett]

  *) htcacheclean: Report additional statistics about entries deleted.
     PR 48944. [Mark Drayton mark markdrayton.info]

  *) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
     builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
     build of openssl is required for 'SSLFIPS on'. PR 46270.
     [Dr Stephen Henson <steve openssl.org>, William Rowe]

  *) mod_proxy_http: Log the port of the remote server in various messages.
     PR 48812. [Igor Galić <i galic brainsware org>]

  *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
     connections and other protocol handlers (like mod_ftp). [Stefan Fritsch]

  *) mod_proxy_ajp: Really regard the operation a success, when the client
     aborted the connection. In addition adjust the log message if the client
     aborted the connection. [Ruediger Pluem]

  *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
     allows insecure renegotiation with clients which do not yet
     support the secure renegotiation protocol. [Joe Orton]
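     A virtual host that keeps the renegotiation protection from the two
     CVE-2009-3555 entries intact, as an added example that is not part of
     this CHANGES file or the project's documentation. The server name,
     certificate paths and cipher list are assumptions. It leaves
     SSLInsecureRenegotiation at its safe default and records what the
     legacy setting would cost, uses SSLHonorCipherOrder as the 2.3.7
     entry above mentions, and places client-certificate verification at
     virtual host scope so that no per-directory renegotiation is ever
     triggered, which is the case the partial fix cannot cover on OpenSSL
     older than 0.9.8l.

```apache
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Assumed paths.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # The server, not the client, picks the cipher, so a client cannot
    # steer the handshake to the weakest suite both sides support.
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # Default value, stated explicitly. Clients without RFC 5746 support
    # simply cannot renegotiate. Setting this to "on" reopens
    # CVE-2009-3555 for every such client and should only be a
    # temporary measure for a known legacy population.
    SSLInsecureRenegotiation off

    # Verification at virtual host scope is done in the initial
    # handshake. Putting SSLVerifyClient or SSLCipherSuite inside a
    # <Location> or <Directory> would force a renegotiation mid-request,
    # which is exactly what the partial fix leaves exposed on older
    # OpenSSL.
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 2
</VirtualHost>
```

     Where only part of a site needs client certificates, the 2.3.9
     authz providers ('ssl-verify-client' with 'SSLVerifyClient optional'
     at virtual host scope) reach the same result without any
     renegotiation.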
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek is configured for client cert auth. PR 46952. [Joe Orton]
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek *) core: Only log a 408 if it is no keepalive timeout. PR 39785
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek [Ruediger Pluem, Mark Montague <markmont umich.edu>]
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek *) support/rotatelogs: Add -L option to create a link to the current
798d3a524ea57aaf40cb53858aaa45ec702f012dZbigniew Jędrzejewski-Szmek log file. PR 48761 [<lyndon orthanc.ca>, Dan Poirier]
caa94887002de8596c69f578dbdb684dfb368240Lennart Poettering *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
*) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
PR 33112 [Joergen Thomsen <apache jth.net>]
*) support/rotatelogs: Support the simplest log rotation case, log
*) support/htcacheclean: Teach it how to write a pid file (modelled on
[Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
*) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
request. [Christian Folini <christian.folini netnea com>]
[Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
*) SECURITY: CVE-2010-0434 (cve.mitre.org)
[Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]
PR 41887 [Jan van den Berg <janvdberg gmail.com>]
PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew]
(See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
*) SECURITY: CVE-2009-3095 (cve.mitre.org)
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
*) SECURITY: CVE-2009-3094 (cve.mitre.org)
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
[Dr Stephen Henson <shenson oss-institute.org>]
PR 47178. [Philipp Hagemeister <oss phihag.de>]
Brian France <brian brianfrance.com>]
modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com]
*) mod_logio/core: Report more accurate byte counts in mod_status if
for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
the request is a CONNECT request. [Bill Zajac <billz consultla.com>]
[Peter Grandi <pg_asf asf.for.sabi.co.uk>, Graham Leggett]
Log 408 errors in access log as was done in Apache 1.3.x.
PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>,
Stefan Fritsch <sf fritsch.de>, Dan Poirier]
Brian France <brian brianfrance.com>]
Brian France <brian brianfrance.com>]
[Stefan Fritsch <sf sfritsch.de>]
*) mod_session.c: Prevent a segfault when session is added but not
definition. [Stefan Fritsch <sf sfritsch.de>]
*) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
PR 46971 [evanc nortel.com]
[Stefan Fritsch <sf sfritsch.de>]
for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
*) SECURITY: CVE-2009-1890 (cve.mitre.org)
*) SECURITY: CVE-2009-1191 (cve.mitre.org)
by the client. PR 33098 [Stefan Fritsch <sf sfritsch.de>]
PR 42175 [Jim Radford <radford blackbean.org>]
type. PR 45107. [Michael Ströder <michael stroeder.com>,
PR 44020 [Håkon Stordahl <hakon stordahl.org>]
CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>]
PR 46942 [Dan Poirier <poirier pobox.com>]
PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
[Marko Kevac <mkevac gmail.com>]
as A/UX, Next, and Tandem. [Jeff Trawick]
directory listing. PR 46789 [Dan Poirier <poirier pobox.com>]
of module state across unload/load. [Jeff Trawick]
[Dan Poirier <poirier pobox.com>]
[Geoff Keating <geoffk apple.com>]
with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris).
a media type has not been configured via mime.types, AddType,
[Ryan Phillips <ryan-apache trolocsis.com>]
[<tlhackque yahoo.com>]
*) prefork: Fix child process hang during graceful restart/stop in
*) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]
times out before returning status line/headers.
PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>]
[Theo Schlossnagle <jesus omniti.com>, Paul Querna]
modules/proxy/balancers [Jim Jagielski]
privileges and Unix user/group IDs [Nick Kew]
logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject,
*) unixd: turn existing code into a module, and turn the set user/group
Suggested by André Warnier <aw ice-sa.com> [Eric Covener]
*) mod_ssl: Send Content-Type application/ocsp-request for POST requests to
OCSP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>]
*) New module mod_sed: filter Request/Response bodies through sed
null value. [David Shane Holden <dpejesh apache.org>]
both inside and outside the location/directory sections, as
form request with the type of application/x-www-form-urlencoded.
*) mod_authz_dbd: When redirecting after successful login/logout per
PR 44560 [Anders Kaseorg <anders kaseorg.com>]
mod_cache et al. to trap the results of the redirect.
*) ApacheMonitor.exe: Introduce --kill argument for use by the
*) mod_ldap, mod_authnz_ldap: Add support for nested groups (i.e. the ability
[David M. Lee <dmlee crossroads.com>]
[Niklas Edmundsson <nikke acc.umu.se>]
[Niklas Edmundsson <nikke acc.umu.se>]
[Markus Schiegl <ms schiegl.com>]
*) Remove incorrect comments from scoreboard.h regarding conditional
[Chris Darroch <chrisd pearsoncmg.com>]
in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]
[Chris Darroch <chrisd pearsoncmg.com>]
and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
*) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]
Apache 2.2.xx tree as documented, and except as noted, below.]
Changes with Apache 2.2.x and later:
Changes with Apache 2.0.x and later:
Changes with Apache 1.3.x and later: