CHANGES revision 298eb744831be682f749ffe1c01c88d82adf215e
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder -*- coding: utf-8 -*-
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian MaederChanges with Apache 2.3.6
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) SECURITY: CVE-2009-3555 (cve.mitre.org)
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder attack when compiled against OpenSSL version 0.9.8m or later. Introduces
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder and offer unsafe legacy renegotiation with clients which do not yet
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder support the new secure renegotiation protocol, RFC 5746.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder [Joe Orton, and with thanks to the OpenSSL Team]
f2f9df2e17e70674f0bf426ed1763c973ee4cde0Christian Maeder *) SECURITY: CVE-2009-3555 (cve.mitre.org)
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder by rejecting any client-initiated renegotiations. Forcibly disable
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder keepalive for the connection if there is any buffered data readable. Any
d27ad22f77ca7399742b54e9dce2cdceed12d5e0Christian Maeder configuration which requires renegotiation for per-directory/location
83394c6b6e6de128e71b67c9251ed7a84485d082Christian Maeder access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder *) SECURITY: CVE-2010-0408 (cve.mitre.org)
83394c6b6e6de128e71b67c9251ed7a84485d082Christian Maeder mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
83394c6b6e6de128e71b67c9251ed7a84485d082Christian Maeder when request headers indicate a request body is incoming; not a case of
83394c6b6e6de128e71b67c9251ed7a84485d082Christian Maeder HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]
ce8b15da31cd181b7e90593cbbca98f47eda29d6Till Mossakowski *) SECURITY: CVE-2010-0425 (cve.mitre.org)
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder mod_isapi: Do not unload an isapi .dll module until the request
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder processing is completed, avoiding orphaned callback pointers.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder *) core: Add per-module and per-directory loglevel configuration.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder Add some more trace logging.
2e2094a642e3775b0d76b890556407941d3a53b6Christian Maeder mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels.
2e2094a642e3775b0d76b890556407941d3a53b6Christian Maeder mod_ssl: Replace LogLevelDebugDump with trace log levels.
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info
c0c2380bced8159ff0297ece14eba948bd236471Christian Maeder mod_dumpio: Replace DumpIOLogLevel with trace log levels.
8410667510a76409aca9bb24ff0eda0420088274Christian Maeder [Stefan Fritsch]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
8410667510a76409aca9bb24ff0eda0420088274Christian Maeder title page only) when any mod_ldap directives were used in VirtualHost
404166b9366552e9ec5abb87a37c76ec8a815fb7Klaus Luettich context. [Eric Covener]
4d56f2fa72e4aec20eb827c11ed49c8cbb7014bdChristian Maeder *) mod_disk_cache: Decline the opportunity to cache if the response is
eee4b2ee739f163e09d6af6e45c025681e6c01a0Christian Maeder a 206 Partial Content. This stops a reverse proxied partial response
eee4b2ee739f163e09d6af6e45c025681e6c01a0Christian Maeder from becoming cached, and then being served in subsequent responses.
eee4b2ee739f163e09d6af6e45c025681e6c01a0Christian Maeder [Graham Leggett]
eee4b2ee739f163e09d6af6e45c025681e6c01a0Christian Maeder *) mod_deflate: avoid the risk of forwarding data before headers are set.
eee4b2ee739f163e09d6af6e45c025681e6c01a0Christian Maeder PR 49369 [Matthew Steele <mdsteele google.com>]
d4892fa7401ceef014ea59d2d900773eaf88fcbdChristian Maeder *) mod_authnz_ldap: Ensure nested groups are checked when the
eee4b2ee739f163e09d6af6e45c025681e6c01a0Christian Maeder top-level group doesn't have any direct non-group members
eee4b2ee739f163e09d6af6e45c025681e6c01a0Christian Maeder of attributes in AuthLDAPGroupAttribute. [Eric Covener]
eee4b2ee739f163e09d6af6e45c025681e6c01a0Christian Maeder *) mod_authnz_ldap: Search or Comparison during authorization phase
404166b9366552e9ec5abb87a37c76ec8a815fb7Klaus Luettich can use the credentials from the authentication phase
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder (AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser).
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder PR 48340 [Domenico Rotiroti, Eric Covener]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) mod_authnz_ldap: Allow the initial DN search during authentication
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder to use the HTTP username/pass instead of an anonymous or hard-coded
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).
e593b89bfd4952698dc37feced21cefe869d87a2Christian Maeder [Eric Covener]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder when this module is used for authorization. See AuthLDAPAuthorizePrefix.
2e2094a642e3775b0d76b890556407941d3a53b6Christian Maeder PR 45584 [Eric Covener]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) apxs -q: Stop filtering out ':' characters from the reported values.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder PR 45343. [Bill Cole]
c6fcd42c6d6d9dae8c7835c24fcb7ce8531a9050Christian Maeder *) prefork MPM: Run cleanups for final request when process exits gracefully.
31c49f2fa23d4ac089f35145d80a224deb6ea7e4Till Mossakowski PR 43857. [Tom Donovan]
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder *) ab: fix number of requests sent by ab when keepalive is enabled. PR 48497.
9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder [Bryn Dole <dole blekko.com>]
8cacad2a09782249243b80985f28e9387019fe40Christian Maeder *) Log an error for failures to read a chunk-size, and return 408 instead of
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder 413 when this is due to a read timeout. This change also fixes some cases
d3ae0072823e2ef0d41d4431fcc768e66489c20eChristian Maeder of two error documents being sent in the response for the same scenario.
9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder [Eric Covener] PR49167
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_proxy_balancer: Add new directive BalancerNonce to allow admin
9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder to control/set the nonce used in the balancer-manager application.
9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder [Jim Jagielski]
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder *) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673.
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder [Stefan Fritsch]
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder *) Proxy balancer: support setting error status according to HTTP response
9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]
f1541d4a151dbd08002dbd14e7eb1d5dde253689Christian Maeder *) htcacheclean: Introduce the ability to clean specific URLs from the
c9acb8681bcc512245b4f0d1a9f2b189c60e10d4Christian Maeder cache, if provided as an optional parameter on the command line.
f1541d4a151dbd08002dbd14e7eb1d5dde253689Christian Maeder [Graham Leggett]
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder *) core: Introduce the IncludeStrict directive, which explicitly fails
c0c2380bced8159ff0297ece14eba948bd236471Christian Maeder server startup if no files or directories match a wildcard path.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder [Graham Leggett]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) htcacheclean: Report additional statistics about entries deleted.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder PR 48944. [Mark Drayton mark markdrayton.info]
9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder *) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder build of openssl is required for 'SSLFIPS on'. PR 46270.
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder [Dr Stephen Henson <steve openssl.org>, William Rowe]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) mod_proxy_http: Log the port of the remote server in various messages.
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder PR 48812. [Igor Galić <i galic brainsware org>]
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
4017ebc0f692820736d796af3110c3b3018c108aChristian Maeder connections and other protocol handlers (like mod_ftp). [Stefan Fritsch]
4017ebc0f692820736d796af3110c3b3018c108aChristian Maeder *) mod_proxy_ajp: Really regard the operation a success, when the client
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder aborted the connection. In addition adjust the log message if the client
6ff7a91875597d6e4dfaa68c79187d01473e8341Christian Maeder aborted the connection. [Ruediger Pluem]
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder allows insecure renegotiation with clients which do not yet
4017ebc0f692820736d796af3110c3b3018c108aChristian Maeder support the secure renegotiation protocol. [Joe Orton]
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder is configured for client cert auth. PR 46952. [Joe Orton]
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder *) core: Only log a 408 if it is no keepalive timeout. PR 39785
88318aafc287e92931dceffbb943d58a9310001dChristian Maeder [Ruediger Pluem, Mark Montague <markmont umich.edu>]
a3c6d8e0670bf2aa71bc8e2a3b1f45d56dd65e4cChristian Maeder *) support/rotatelogs: Add -L option to create a link to the current
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder log file. PR 48761 [<lyndon orthanc.ca>, Dan Poirier]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder setting only, matching most of the documentation and examples.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder PR 46541 [Paul Reder, Eric Covener]
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder *) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder *) mod_negotiation: Preserve query string over multiviews negotiation.
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder This buglet was fixed for type maps in 2.2.6, but the same issue
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder affected multiviews and was overlooked.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder PR 33112 [Joergen Thomsen <apache jth.net>]
f2f9df2e17e70674f0bf426ed1763c973ee4cde0Christian Maeder *) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder when some are not password-protected. [Eric Covener]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) Fix startup segfault when the Mutex directive is used but no loaded
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder modules use httpd mutexes. PR 48787. [Jeff Trawick]
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder *) Proxy: get the headers right in a HEAD request with
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder ProxyErrorOverride, by checking for an overridden error
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder before not after going into a catch-all code path.
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder PR 41646. [Nick Kew, Stuart Children]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) support/rotatelogs: Support the simplest log rotation case, log
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder truncation. Useful when the log is being processed in real time
f1541d4a151dbd08002dbd14e7eb1d5dde253689Christian Maeder using a command like tail. [Graham Leggett]
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder *) support/htcacheclean: Teach it how to write a pid file (modelled on
f1541d4a151dbd08002dbd14e7eb1d5dde253689Christian Maeder httpd's writing of a pid file) so that it becomes possible to run
f4505a64a089693012a3f5c3b1f12a82cd7a2a5aKlaus Luettich more than one instance of htcacheclean on the same machine.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder [Graham Leggett]
f4505a64a089693012a3f5c3b1f12a82cd7a2a5aKlaus Luettich *) Log command line on startup, so there's a record of command line
f4505a64a089693012a3f5c3b1f12a82cd7a2a5aKlaus Luettich arguments like -f. PR 48752. [Dan Poirier]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) Introduce mod_reflector, a handler capable of reflecting POSTed
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder request bodies back within the response through the output filter
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder stack. Can be used to turn an output filter into a web service.
c9acb8681bcc512245b4f0d1a9f2b189c60e10d4Christian Maeder [Graham Leggett]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_proxy_http: Make sure that when an ErrorDocument is served
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder from a reverse proxied URL, that the subrequest respects the status
0c355dd0b739631ee472f9a656e266be27fa4e64Christian Maeder of the original request. This brings the behaviour of proxy_handler
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder in line with default_handler. PR 47106. [Graham Leggett]
0cfef6179a1bfec4f07f460686dd629a27b4b778Christian Maeder *) Support wildcards in both the directory and file components of
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder the path specified by the Include directive. [Graham Leggett]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) mod_proxy, mod_proxy_http: Support remote https proxies
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder by using HTTP CONNECT. PR 19188.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder [Philip M. Gollucci]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) worker: Don't report server has reached MaxClients until it has.
9df11f85fd7f8c4745d64464876e84ec4e263692Christian Maeder Add message when server gets within MinSpareThreads of MaxClients.
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers PR 46996. [Dan Poirier]
fb328c4f646dd3dd78a9391c5cb58450a3dd0aa9Klaus Luettich *) mod_session: Session expiry was being initialised, but not updated
5b818f10e11fc79def1fdd5c8a080d64a6438d87Christian Maeder on each session save, resulting in timed out sessions when there
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers should not have been. Fixed. [Graham Leggett]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) mod_log_config: Add the R option to log the handler used within the
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder request. [Christian Folini <christian.folini netnea com>]
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers *) mod_include: Allow fine control over the removal of Last-Modified and
9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder ETag headers within the INCLUDES filter, making it possible to cache
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder responses if desired. Fix the default value of the SSIAccessEnable
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder directive. [Graham Leggett]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) Add new UnDefine directive to undefine a variable. PR 35350.
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder [Stefan Fritsch]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder for regex backreferences as mod_rewrite and mod_include: Remove the use
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder of '&' as an alias for '$0' and allow to escape any character with a
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder backslash. PR 48351. [Stefan Fritsch]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder password to UTF-8. PR 45318.
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) ab: Fix calculation of requests per second in HTML output. PR 48594.
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder [Stefan Fritsch]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
e220b2051a2342a9291721e6c7f408860bed01b7Jorina Freya Gerken password now result in an informational level log entry instead of
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder warning level. [Eric Covener]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian MaederChanges with Apache 2.3.5
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) SECURITY: CVE-2010-0434 (cve.mitre.org)
11280087fb7891a39bae5305886e76c0cc30886cChristian Maeder Ensure each subrequest has a shallow copy of headers_in so that the
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder parent request headers are not corrupted. Eliminates a problematic
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder optimization in the case of no request body. PR 48359
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder [Jake Scott, William Rowe, Ruediger Pluem]
31db599cbcd9285c3734d16279bc7d88cbc20dc6Christian Maeder *) Turn static function get_server_name_for_url() into public
6fe9628743562678acf97d6730ebcfee5e9e50c2Christian Maeder ap_get_server_name_for_url() and use it where appropriate. This
6fe9628743562678acf97d6730ebcfee5e9e50c2Christian Maeder fixes mod_rewrite generating invalid URLs for redirects to IPv6
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder literal addresses. [Stefan Fritsch]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) mod_ldap: Introduce new config option LDAPTimeout to set the timeout
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder for LDAP operations like bind and search. [Stefan Fritsch]
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder *) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to
fb328c4f646dd3dd78a9391c5cb58450a3dd0aa9Klaus Luettich mod_proxy_ftp. [Takashi Sato]
e96a0bf4040fd789339958c01f145c5057d26db6René Wagner *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to
e96a0bf4040fd789339958c01f145c5057d26db6René Wagner mod_proxy_connect. [Takashi Sato]
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder *) mod_cache: Do an exact match of the keys defined by
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder CacheIgnoreURLSessionIdentifiers against the querystring instead of
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers a partial match. PR 48401.
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder [Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]
9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder *) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung]
9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder *) Core HTTP: disable keepalive when the Client has sent
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder Expect: 100-continue
fdb2d618144159395f7bf8ce3327b3c112a17dd3Till Mossakowski but we respond directly with a non-100 response.
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder Keepalive here led to data from clients continuing being treated as
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder a new request.
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder PR 47087 [Nick Kew]
c9acb8681bcc512245b4f0d1a9f2b189c60e10d4Christian Maeder *) Core: reject NULLs in request line or request headers.
38352346eb1a67ba0f4eab8ad6f718528cf0cde0Christian Maeder PR 43039 [Nick Kew]
dbdc36fbd5c60438009d36c830549738be7afd01Christian Maeder *) Core: (re)-introduce -T commandline option to suppress documentroot
e2d849b4152a234bc0afaa2ab3a7c17d28de7565Christian Maeder check at startup.
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder PR 41887 [Jan van den Berg <janvdberg gmail.com>]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions,
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder ScanHTMLTitles, ReadmeName, HeaderName
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) Proxy: Fix ProxyPassReverse with relative URL
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder Derived (slightly erroneously) from PR 38864 [Nick Kew]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) mod_headers: align Header Edit with Header Set when used on Content-Type
6bf24e5eb644064ad650eb3fd9774483fccbf601Christian Maeder PR 48422 [Cyril Bonté <cyril.bonte free.fr>, Nick Kew>]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) mod_headers: Enable multi-match-and-replace edit option
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder PR 47066 [Nick Kew]
1f8a7f8343f7df719768d2b1d7e3077ee291a1caChristian Maeder *) mod_filter: enable it to act on non-200 responses.
1f8a7f8343f7df719768d2b1d7e3077ee291a1caChristian Maeder PR 48377 [Nick Kew]
6bf24e5eb644064ad650eb3fd9774483fccbf601Christian MaederChanges with Apache 2.3.4
53818ced114da21321063fff307aa41c1ab31dd3Achim Mahnke *) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder and WatchdogMutexPath with a single Mutex directive. Add APIs to
53818ced114da21321063fff307aa41c1ab31dd3Achim Mahnke simplify setup and user customization of APR proc and global mutexes.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder (See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
53818ced114da21321063fff307aa41c1ab31dd3Achim Mahnke respected; set DEFAULT_REL_RUNTIMEDIR instead. [Jeff Trawick]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) http_core: KeepAlive no longer accepts other than On|Off.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder [Takashi Sato]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) mod_dav: Remove errno from dav_error interface. Calls to dav_new_error()
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder and dav_new_error_tag() must be adjusted to add an apr_status_t parameter.
4017ebc0f692820736d796af3110c3b3018c108aChristian Maeder [Jeff Trawick]
fdb2d618144159395f7bf8ce3327b3c112a17dd3Till Mossakowski *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
7c99e334446bb97120e30e967baeeddfdd1278deKlaus Luettich try other providers in the case of an LDAP bind failure.
4017ebc0f692820736d796af3110c3b3018c108aChristian Maeder PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
d8c71aacc9f1c8cd40a8ad8dcdad9be8854b849fChristian Maeder *) Build: fix --with-module to work as documented
0c355dd0b739631ee472f9a656e266be27fa4e64Christian Maeder PR 43881 [Gez Saunders <gez.saunders virgin.net>]
9e748851c150e1022fb952bab3315e869aaf0214Christian MaederChanges with Apache 2.3.3
33d042fe6a9eb27a4c48f840b80838f3e7d98e34Christian Maeder *) SECURITY: CVE-2009-3095 (cve.mitre.org)
83394c6b6e6de128e71b67c9251ed7a84485d082Christian Maeder mod_proxy_ftp: sanity check authn credentials.
fa21fba9ceb1ddf7b3efd54731a12ed8750191d8Christian Maeder [Stefan Fritsch <sf fritsch.de>, Joe Orton]
9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder *) SECURITY: CVE-2009-3094 (cve.mitre.org)
0c355dd0b739631ee472f9a656e266be27fa4e64Christian Maeder mod_proxy_ftp: NULL pointer dereference on error paths.
ed9207cf24e96b0d6f59985822054ae28cb69b2eChristian Maeder [Stefan Fritsch <sf fritsch.de>, Joe Orton]
fa21fba9ceb1ddf7b3efd54731a12ed8750191d8Christian Maeder *) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
b49276c9f50038e0bd499ad49f7bd6444566a834Christian Maeder OpenSSL 1.0.0b3. [Vipul Gupta <vipul.gupta sun.com>, Sander Temme]
b49276c9f50038e0bd499ad49f7bd6444566a834Christian Maeder *) mod_dav: Include uri when logging a PUT error due to connection abort.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder PR 38149. [Stefan Fritsch]
c4ef79587a902327f36277c45a8d91d1e67bd6d5Klaus Luettich *) mod_dav: Return 409 instead of 500 for a LOCK request if the parent
c4ef79587a902327f36277c45a8d91d1e67bd6d5Klaus Luettich resource does not exist or is not a collection. PR 43465. [Stefan Fritsch]
5c69cef4668bbd959d721668313a779126014d1eKlaus Luettich *) mod_dav_fs: Return 409 instead of 500 for Litmus test case copy_nodestcoll
b905126bab9454b89041f92b3c50bb9efc85e427Klaus Luettich (a COPY request where the parent of the destination resource does not
08e5741dd8b6bf9b7419e89298e384e18bc57f64Christian Maeder exist). PR 39299. [Stefan Fritsch]
53818ced114da21321063fff307aa41c1ab31dd3Achim Mahnke *) mod_dav_fs: Don't delete the whole file if a PUT with content-range failed.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder PR 42896. [Stefan Fritsch]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_dav_fs: Make PUT create files atomically and no longer destroy the
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder old file if the transfer aborted. PR 39815. [Paul Querna, Stefan Fritsch]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_dav_fs: Remove inode keyed locking as this conflicts with atomically
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder creating files. On systems with inode numbers, this is a format change of
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder the DavLockDB. The old DavLockDB must be deleted on upgrade.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder [Stefan Fritsch]
c4ef79587a902327f36277c45a8d91d1e67bd6d5Klaus Luettich *) mod_log_config: Make ${cookie}C correctly match whole cookie names
c4ef79587a902327f36277c45a8d91d1e67bd6d5Klaus Luettich instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
c4ef79587a902327f36277c45a8d91d1e67bd6d5Klaus Luettich Stefan Fritsch]
c4ef79587a902327f36277c45a8d91d1e67bd6d5Klaus Luettich *) vhost: A purely-numeric Host: header should not be treated as a port.
c4ef79587a902327f36277c45a8d91d1e67bd6d5Klaus Luettich PR 44979 [Nick Kew]
c4ef79587a902327f36277c45a8d91d1e67bd6d5Klaus Luettich *) mod_ldap: Avoid 500 errors with "Unable to set LDAP_OPT_REFHOPLIMIT option to 5"
c4ef79587a902327f36277c45a8d91d1e67bd6d5Klaus Luettich when built against openldap by using SDK LDAP_OPT_REFHOPLIMIT defaults unless
c4ef79587a902327f36277c45a8d91d1e67bd6d5Klaus Luettich LDAPReferralHopLimit is explicitly configured.
c4ef79587a902327f36277c45a8d91d1e67bd6d5Klaus Luettich [Eric Covener]
b905126bab9454b89041f92b3c50bb9efc85e427Klaus Luettich *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'.
b905126bab9454b89041f92b3c50bb9efc85e427Klaus Luettich [Eric Covener]
b905126bab9454b89041f92b3c50bb9efc85e427Klaus Luettich *) mod_ssl: Add support for OCSP Stapling. PR 43822.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder [Dr Stephen Henson <shenson oss-institute.org>]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_socache_shmcb: Allow parens in file name if cache size is given.
dbe752ee940baae7f9f231f29c62284bb0f90a25Christian Maeder Fixes SSLSessionCache directive mis-parsing parens in pathname.
1f8a7f8343f7df719768d2b1d7e3077ee291a1caChristian Maeder PR 47945. [Stefan Fritsch]
1f8a7f8343f7df719768d2b1d7e3077ee291a1caChristian Maeder *) htpasswd: Improve out of disk space handling. PR 30877. [Stefan Fritsch]
1f8a7f8343f7df719768d2b1d7e3077ee291a1caChristian Maeder *) htpasswd: Use MD5 hash by default on all platforms. [Stefan Fritsch]
1f8a7f8343f7df719768d2b1d7e3077ee291a1caChristian Maeder *) mod_sed: Reduce memory consumption when processing very long lines.
1f8a7f8343f7df719768d2b1d7e3077ee291a1caChristian Maeder PR 48024 [Basant Kumar Kukreja <basant.kukreja sun.com>]
3a7788e09dd23b364a46c9488cbd1522369113dbChristian Maeder *) ab: Fix segfault in case the argument for -n is a very large number.
1f8a7f8343f7df719768d2b1d7e3077ee291a1caChristian Maeder PR 47178. [Philipp Hagemeister <oss phihag.de>]
dbe752ee940baae7f9f231f29c62284bb0f90a25Christian Maeder *) Allow ProxyPreserveHost to work in <Proxy> sections. PR 34901.
ef67402074be14deb95e4ff564737d5593144130Klaus Luettich [Stefan Fritsch]
c9e197862d9d8ef2585270dd08f5194b3aed4a9dKlaus Luettich *) configure: Fix THREADED_MPMS so that mod_cgid is enabled again
e7e1ab2ac3f1fded8611bb92ae00e8f3b8c693fbKlaus Luettich for worker MPM. [Takashi Sato]
1323eba62fc519b068f5aaec4f9d2be05ffabea9Klaus Luettich *) mod_dav: Provide a mechanism to obtain the request_rec and pathname
a80c28bb8b7a23ccdf7e08d0fe216fc19cc97273Klaus Luettich from the dav_resource. [Jari Urpalainen <jari.urpalainen nokia.com>,
d784803f9c752667b4fcf7393d698002bedf3f89Klaus Luettich Brian France <brian brianfrance.com>]
1323eba62fc519b068f5aaec4f9d2be05ffabea9Klaus Luettich *) Build: Use install instead of cp if available on installing
1f8a7f8343f7df719768d2b1d7e3077ee291a1caChristian Maeder modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com]
462d9dc583444aab82732e14a75610684d2dc7e9Christian Maeder *) mod_cache: correctly consider s-maxage in cacheability
5d39c60274aaa76506292d2d9e885fccd27e1eabChristian Maeder decisions. [Dan Poirier]
462d9dc583444aab82732e14a75610684d2dc7e9Christian Maeder *) mod_logio/core: Report more accurate byte counts in mod_status if
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder mod_logio is loaded. PR 25656. [Stefan Fritsch]
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder some cache entries and log a warning. Also increase the default
1f8a7f8343f7df719768d2b1d7e3077ee291a1caChristian Maeder LDAPSharedCacheSize to 500000. This is a more realistic size suitable
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
404166b9366552e9ec5abb87a37c76ec8a815fb7Klaus Luettich PR 46749. [Stefan Fritsch]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder the request is a CONNECT request. [Bill Zajac <billz consultla.com>]
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder *) mod_cache: Teach CacheEnable and CacheDisable to work from within a
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder Location section, in line with how ProxyPass works. [Graham Leggett]
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder *) mod_reqtimeout: New module to set timeouts and minimum data rates for
2e2094a642e3775b0d76b890556407941d3a53b6Christian Maeder receiving requests from the client. [Stefan Fritsch]
43bb71dfe7ec405f563864d57c1cacdaa8ce9a80Christian Maeder *) core: Fix potential memory leaks by making sure to not destroy
2e2094a642e3775b0d76b890556407941d3a53b6Christian Maeder bucket brigades that have been created by earlier filters.
340706b6c0c6e3dbacdd7003e20e9cab7f9aa765Christian Maeder [Stefan Fritsch]
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder *) core, mod_deflate, mod_sed: Reduce memory usage by reusing bucket
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder brigades in several places. [Stefan Fritsch]
9c3edf2b283c09d33b2820696886d1ed32fcadc8Christian Maeder *) mod_cache: Fix uri_meets_conditions() so that CacheEnable will
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder match by scheme, or by a wildcarded hostname. PR 40169
c22d75ec3ea1306219d1c09a5b3e8ff04f753ad6Christian Maeder [Peter Grandi <pg_asf asf.for.sabi.co.uk>, Graham Leggett]
c22d75ec3ea1306219d1c09a5b3e8ff04f753ad6Christian Maeder *) suxec: Allow to log an error if exec fails by setting FD_CLOEXEC
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder on the log file instead of closing it. PR 10744. [Nicolas Rachinsky]
83394c6b6e6de128e71b67c9251ed7a84485d082Christian Maeder *) mod_mime: Make RemoveType override the info from TypesConfig.
5bb7eeaca10ea76595229375f907a5a388b7c882Christian Maeder PR 38330. [Stefan Fritsch]
5bb7eeaca10ea76595229375f907a5a388b7c882Christian Maeder *) mod_cache: Introduce the option to run the cache from within the
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder normal request handler, and to allow fine grained control over
5bb7eeaca10ea76595229375f907a5a388b7c882Christian Maeder where in the filter chain content is cached. [Graham Leggett]
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian Maeder *) core: Treat timeout reading request as 408 error, not 400.
8410667510a76409aca9bb24ff0eda0420088274Christian Maeder Log 408 errors in access log as was done in Apache 1.3.x.
ddc9315cc0b1f5dd3d8f99a77f1c75064db33b48Christian Maeder PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>,
ddc9315cc0b1f5dd3d8f99a77f1c75064db33b48Christian Maeder Stefan Fritsch <sf fritsch.de>, Dan Poirier]
5d522dff4d0fabf57dd476d4c3de15d354a89f62Christian Maeder *) mod_ssl: Reintroduce SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_SERVER_S_DN,
5d522dff4d0fabf57dd476d4c3de15d354a89f62Christian Maeder SSL_SERVER_I_DN back to the environment variables to be set by mod_ssl.
8410667510a76409aca9bb24ff0eda0420088274Christian Maeder [Peter Sylvester <peter.sylvester edelweb.fr>]
8410667510a76409aca9bb24ff0eda0420088274Christian Maeder *) mod_disk_cache: don't cache incomplete responses, per RFC 2616, 13.8.
ac43fa22d2d3f91a17674ac164cba3cf39a17795Klaus Luettich PR15866. [Dan Poirier]
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers *) ab: ab segfaults in verbose mode on https sites
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder PR46393. [Ryan Niebur]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) mod_dav: Allow other modules to become providers and add resource types
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder to the DAV response. [Jari Urpalainen <jari.urpalainen nokia.com>,
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder Brian France <brian brianfrance.com>]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) mod_dav: Allow other modules to add things to the DAV or Allow headers
6fe9628743562678acf97d6730ebcfee5e9e50c2Christian Maeder of an OPTIONS request. [Jari Urpalainen <jari.urpalainen nokia.com>,
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder Brian France <brian brianfrance.com>]
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder *) core: Lower memory usage of core output filter.
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder [Stefan Fritsch <sf sfritsch.de>]
fb328c4f646dd3dd78a9391c5cb58450a3dd0aa9Klaus Luettich *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder LocationMatch sections. PR47754. [Dan Poirier]
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder *) mod_request: Make sure the KeptBodySize directive rejects values
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder that aren't valid numbers. [Graham Leggett]
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder *) mod_session_crypto: Sanity check should the potentially encrypted
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder session cookie be too short. [Graham Leggett]
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers *) mod_session.c: Prevent a segfault when session is added but not
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder configured. [Graham Leggett]
e96a0bf4040fd789339958c01f145c5057d26db6René Wagner *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) mod_auth_digest: Fail server start when nonce count checking
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers is configured without shared memory, or md5-sess algorithm is
ba0ec5e897ef99d420c8c14c2374e0f32b7043dbKlaus Luettich configured. [Dan Poirier]
8555737bcc9bf1d0afb6624e4d8668f070bcaba1Christian Maeder *) mod_proxy_connect: The connect method doesn't work if the client is
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers connecting to the apache proxy through an ssl socket. Fixed.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder PR29744. [Brad Boyer, Mark Cave-Ayland, Julian Gilbey, Fabrice Durand,
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder David Gence, Tim Dodge, Per Gunnar Hans, Emmanuel Elango,
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder Kevin Croft, Rudolf Cardinal]
a80c28bb8b7a23ccdf7e08d0fe216fc19cc97273Klaus Luettich *) mod_ssl: The error message when SSLCertificateFile is missing should
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder at least give the name or position of the problematic virtual host
a80c28bb8b7a23ccdf7e08d0fe216fc19cc97273Klaus Luettich definition. [Stefan Fritsch sf sfritsch.de]
83394c6b6e6de128e71b67c9251ed7a84485d082Christian Maeder *) mod_auth_digest: Fix null pointer when qop=none. [Dan Poirier]
b9625461755578f3eed04676d42a63fd2caebd0cChristian Maeder *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_headers: generalise the envclause to support expression
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers evaluation with ap_expr parser [Nick Kew]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
d67a33b40578beef2e255a274f89bb9c34aaf056Christian Maeder the flood of requests at bay that strike a backend webserver as
8b4c68db8b465107cabef8b9cd5b6bc216e1b156Till Mossakowski a cached entity goes stale. [Graham Leggett]
23ab8855c58adfbd03a0730584b917b24c603901Christian Maeder *) mod_auth_digest: Fix usage of shared memory and re-enable it.
26f228bf3a3fea810223396e5794c217a79a8d5bChristian Maeder PR 16057 [Dan Poirier]
26f228bf3a3fea810223396e5794c217a79a8d5bChristian Maeder *) Preserve Port information over internal redirects
ba904a15082557e939db689fcfba0c68c9a4f740Christian Maeder PR 35999 [Jonas Ringh <jonas.ringh cixit.se>]
ba904a15082557e939db689fcfba0c68c9a4f740Christian Maeder *) Proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
6ae5607d2def114f998fd49bac4eef12a2620fafChristian Maeder rather than BAD_GATEWAY or (especially) NOT_FOUND.
6ae5607d2def114f998fd49bac4eef12a2620fafChristian Maeder PR 46971 [evanc nortel.com]
08e5741dd8b6bf9b7419e89298e384e18bc57f64Christian Maeder *) Various modules: Do better checking of pollset operations in order to
08e5741dd8b6bf9b7419e89298e384e18bc57f64Christian Maeder avoid segmentation faults if they fail. PR 46467
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder [Stefan Fritsch <sf sfritsch.de>]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_autoindex: Correctly create an empty cell if the description
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder *) ab: Fix broken error messages after resolver or connect() failures.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder [Jeff Trawick]
08e5741dd8b6bf9b7419e89298e384e18bc57f64Christian Maeder *) SECURITY: CVE-2009-1890 (cve.mitre.org)
83394c6b6e6de128e71b67c9251ed7a84485d082Christian Maeder Fix a potential Denial-of-Service attack against mod_proxy in a
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder reverse proxy configuration, where a remote attacker can force a
b9625461755578f3eed04676d42a63fd2caebd0cChristian Maeder proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
83394c6b6e6de128e71b67c9251ed7a84485d082Christian Maeder *) SECURITY: CVE-2009-1191 (cve.mitre.org)
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder mod_proxy_ajp: Avoid delivering content from a previous request which
83394c6b6e6de128e71b67c9251ed7a84485d082Christian Maeder failed to send a request body. PR 46949 [Ruediger Pluem]
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder *) htdbm: Fix possible buffer overflow if dbm database has very
340706b6c0c6e3dbacdd7003e20e9cab7f9aa765Christian Maeder long values. PR 30586 [Dan Poirier]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) core: Return APR_EOF if request body is shorter than the length announced
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder by the client. PR 33098 [ Stefan Fritsch <sf sfritsch.de>]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_suexec: correctly set suexec_enabled when httpd is run by a
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder non-root user and may have insufficient permissions.
470ca7a2797069ae4b27c34c1b71419f67be1f84Christian Maeder PR 42175 [Jim Radford <radford blackbean.org>]
470ca7a2797069ae4b27c34c1b71419f67be1f84Christian Maeder *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder type. PR 45107. [Michael Ströder <michael stroeder.com>,
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder Peter Sylvester <peter.sylvester edelweb.fr>]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_proxy_http: fix case sensitivity checking transfer encoding
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_alias: ensure Redirect issues a valid URL.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder PR 44020 [HÃ¥kon Stordahl <hakon stordahl.org>]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_dir: add FallbackResource directive, to enable admin to specify
481d4fe351800ab00fd323db8974559431227305Christian Maeder an action to happen when a URL maps to no file, without resorting
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_cgid: Do not leak the listening Unix socket file descriptor to the
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>]
481d4fe351800ab00fd323db8974559431227305Christian Maeder *) mod_rewrite: Remove locking for writing to the rewritelog.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder PR 46942 [Dan Poirier <poirier pobox.com>]
8b4c68db8b465107cabef8b9cd5b6bc216e1b156Till Mossakowski *) mod_alias: check sanity in Redirect arguments.
8b4c68db8b465107cabef8b9cd5b6bc216e1b156Till Mossakowski PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
c72c1e75a969ff4c336e77481c2a8e42603f13eeChristian Maeder *) mod_proxy_http: fix Host: header for literal IPv6 addresses.
23ab8855c58adfbd03a0730584b917b24c603901Christian Maeder PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
bcaf979d9babe6346aa343687aa7d596e2894cccPaolo Torrini *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
bcaf979d9babe6346aa343687aa7d596e2894cccPaolo Torrini defined session identifiers encoded in the URL when caching.
bcaf979d9babe6346aa343687aa7d596e2894cccPaolo Torrini [Ruediger Pluem]
bcaf979d9babe6346aa343687aa7d596e2894cccPaolo Torrini *) mod_rewrite: Fix the error string returned by RewriteRule.
bcaf979d9babe6346aa343687aa7d596e2894cccPaolo Torrini RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
23ab8855c58adfbd03a0730584b917b24c603901Christian Maeder argument of RewriteRule was not started with "[" or not ended with "]".
23ab8855c58adfbd03a0730584b917b24c603901Christian Maeder PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
23ab8855c58adfbd03a0730584b917b24c603901Christian Maeder *) Windows: Fix usage message.
8b4c68db8b465107cabef8b9cd5b6bc216e1b156Till Mossakowski [Rainer Jung]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) apachectl: When passing through arguments to httpd in
b49276c9f50038e0bd499ad49f7bd6444566a834Christian Maeder non-SysV mode, use the "$@" syntax to preserve arguments.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder [Eric Covener]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_dbd: add DBDInitSQL directive to enable SQL statements to
b49276c9f50038e0bd499ad49f7bd6444566a834Christian Maeder be run when a connection is opened. PR 46827
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder [Marko Kevac <mkevac gmail.com>]
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers *) mod_cgid: Improve handling of long AF_UNIX socket names (ScriptSock).
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers PR 47037. [Jeff Trawick]
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers *) mod_proxy_ajp: Check more strictly that the backend follows the AJP
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder protocol. [Mladen Turk]
c55a0f77be7e88d3620b419ec8961f4379a586e3Klaus Luettich *) mod_proxy_ajp: Forward remote port information by default.
c55a0f77be7e88d3620b419ec8961f4379a586e3Klaus Luettich [Rainer Jung]
6da66254a8cff186a1e550b4ace23fb7bcac0d90Christian Maeder *) Allow MPMs to be loaded dynamically, as with most other modules. Use
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder --enable-mpms-shared={list|"all"} to enable. This required changes to
d6c6ad132dcecc84fe71dbeeab6dba0e21483393Klaus Luettich the MPM interfaces. Removed: mpm.h, mpm_default.h (as an installed
d6c6ad132dcecc84fe71dbeeab6dba0e21483393Klaus Luettich header), APACHE_MPM_DIR, MPM_NAME, ap_threads_per_child,
d6c6ad132dcecc84fe71dbeeab6dba0e21483393Klaus Luettich ap_max_daemons_limit, ap_my_generation, etc. ap_mpm_query() can't be
d6c6ad132dcecc84fe71dbeeab6dba0e21483393Klaus Luettich called until after the register-hooks phase. [Jeff Trawick]
8b0f493ae42bad8b94918cc0957f1af57096cda4Felix Reckers *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
fb328c4f646dd3dd78a9391c5cb58450a3dd0aa9Klaus Luettich to enable stricter checking of remote server certificates.
fb328c4f646dd3dd78a9391c5cb58450a3dd0aa9Klaus Luettich [Ruediger Pluem]
fb328c4f646dd3dd78a9391c5cb58450a3dd0aa9Klaus Luettich *) ab: Fix a 100% CPU loop on platforms where a failed non-blocking connect
fb328c4f646dd3dd78a9391c5cb58450a3dd0aa9Klaus Luettich returns EINPROGRESS and a subsequent poll() returns only POLLERR.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder Observed on HP-UX. [Eric Covener]
9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder *) Remove broken support for BeOS, OS/2, TPF, and even older platforms such
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder as A/UX, Next, and Tandem. [Jeff Trawick]
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder *) mod_proxy_ftp: Add ProxyFtpListOnWildcard directive to allow files with
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder globbing characters to be retrieved instead of converted into a
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder directory listing. PR 46789 [Dan Poirier <poirier pobox.com>]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) Provide ap_retained_data_create()/ap_retained_data_get() for preservation
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder of module state across unload/load. [Jeff Trawick]
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder *) mod_substitute: Fix a memory leak. PR 44948
88318aafc287e92931dceffbb943d58a9310001dChristian Maeder [Dan Poirier <poirier pobox.com>]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian MaederChanges with Apache 2.3.2
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder *) mod_mime_magic: Fix detection of compressed content. [Rainer Jung]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_negotiation: Escape pathes of filenames in 406 responses to avoid
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder HTML injections and HTTP response splitting. PR 46837.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder [Geoff Keating <geoffk apple.com>]
c72c1e75a969ff4c336e77481c2a8e42603f13eeChristian Maeder *) mod_ssl: add support for type-safe STACK constructs in OpenSSL
c72c1e75a969ff4c336e77481c2a8e42603f13eeChristian Maeder development HEAD. PR 45521. [Kaspar Brand, Sander Temme]
6ff7a91875597d6e4dfaa68c79187d01473e8341Christian Maeder *) ab: Fix maintenance of the pollset to resolve EALREADY errors
6ff7a91875597d6e4dfaa68c79187d01473e8341Christian Maeder with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris).
6ff7a91875597d6e4dfaa68c79187d01473e8341Christian Maeder PR 44584. Use APR_POLLSET_NOCOPY for better performance with some
88318aafc287e92931dceffbb943d58a9310001dChristian Maeder pollset implementations. [Jeff Trawick]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) mod_disk_cache: The module now turns off sendfile support if
88318aafc287e92931dceffbb943d58a9310001dChristian Maeder 'EnableSendfile off' is defined globally. [Lars Eilebrecht]
88318aafc287e92931dceffbb943d58a9310001dChristian Maeder *) mod_deflate: Adjust content metadata before bailing out on 304
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder responses so that the metadata does not differ from 200 response.
fdb2d618144159395f7bf8ce3327b3c112a17dd3Till Mossakowski [Roy T. Fielding]
88318aafc287e92931dceffbb943d58a9310001dChristian Maeder *) mod_deflate: Fix creation of invalid Etag headers. We now make sure
bf76f4fcf07abaebea587df8135de8356c26a363Till Mossakowski that the Etag value is properly quoted when adding the gzip marker.
88318aafc287e92931dceffbb943d58a9310001dChristian Maeder PR 39727, 45023. [Lars Eilebrecht, Roy T. Fielding]
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder *) Added 20x22 icons for ODF, SVG, and XML documents. PR 37185.
6e049108aa87dc46bcff96fae50a4625df1d9648Klaus Luettich [Peter Harlow]
6e049108aa87dc46bcff96fae50a4625df1d9648Klaus Luettich *) Disabled DefaultType directive and removed ap_default_type()
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder from core. We now exclude Content-Type from responses for which
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder a media type has not been configured via mime.types, AddType,
f4505a64a089693012a3f5c3b1f12a82cd7a2a5aKlaus Luettich ForceType, or some other mechanism. PR 13986. [Roy T. Fielding]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) mod_rewrite: Add IPV6 variable to RewriteCond
f4505a64a089693012a3f5c3b1f12a82cd7a2a5aKlaus Luettich [Ryan Phillips <ryan-apache trolocsis.com>]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) core: Enhance KeepAliveTimeout to support a value in milliseconds.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder PR 46275. [Takashi Sato]
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder *) rotatelogs: Allow size units B, K, M, G and combination of
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder time and size based rotation. [Rainer Jung]
1a6464613c59e35072b90ca296ae402cbe956144Christian Maeder *) rotatelogs: Add flag for verbose (debug) output. [Rainer Jung]
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder *) mod_ssl: Fix merging of SSLRenegBufferSize directive. PR 46508
88318aafc287e92931dceffbb943d58a9310001dChristian Maeder *) core: Translate the the status line to ASCII on EBCDIC platforms in
438f9bd974c8e668203e636b0f2bc80c589af043Klaus Luettich ap_send_interim_response() and for locally generated "100 Continue"
88318aafc287e92931dceffbb943d58a9310001dChristian Maeder responses. [Eric Covener]
*) prefork: Fix child process hang during graceful restart/stop in
*) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]
times out before returning status line/headers.
PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>]
[Theo Schlossnagle <jesus omniti.com>, Paul Querna]
modules/proxy/balancers [Jim Jagielski]
privileges and Unix user/group IDs [Nick Kew]
logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject,
*) unixd: turn existing code into a module, and turn the set user/group
Suggested By André Warnier <aw ice-sa.com> [Eric Covener]
*) mod_ssl: Send Content-Type application/ocsp-request for POST requests to
OSCP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>]
*) Export and install the mod_rewrite.h header to ensure the optional
*) New module mod_sed: filter Request/Response bodies through sed
null value. [David Shane Holden <dpejesh apache.org>]
*) ab: Make ab.c compile on VC6. PR 45024 [Ruediger Pluem]
*) configure: Don't reject libtool 2.x
overwritten. PR 44262 [Michał Grzędzicki <lazy iq.pl>]
PR 44799 [Christian Wenz <christian wenz.org>]
both inside and outside the location/directory sections, as
form request with the type of application/x-www-form-urlencoded.
*) mod_authz_dbd: When redirecting after successful login/logout per
PR 44560 [Anders Kaseorg <anders kaseorg.com>]
mod_cache et.al. to trap the results of the redirect.
PR 34607. [Kaspar Brand <asfbugz velox.ch>]. A test configuration
can be created with test/make_sni.sh [Dirk-Willem van Gulik].
*) ApacheMonitor.exe: Introduce --kill argument for use by the
*) mod_ldap, mod_authnzldap: Add support for nested groups (i.e. the ability
[David Jones <oscaremma gmail.com>]
[David M. Lee <dmlee crossroads.com>]
[Niklas Edmundsson <nikke acc.umu.se>]
[Stijn Hoop <stijn sandcat.nl>]
[Niklas Edmundsson <nikke acc.umu.se>]
final name. [Davi Arnaut <davi haxent.com.br>]
[Markus Schiegl <ms schiegl.com>]
*) Remove incorrect comments from scoreboard.h regarding conditional
[Chris Darroch <chrisd pearsoncmg.com>]
in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]
[Chris Darroch <chrisd pearsoncmg.com>]
and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
*) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]
Apache 2.2.xx tree as documented, and except as noted, below.]
Changes with Apache 2.2.x and later:
Changes with Apache 2.0.x and later:
Changes with Apache 1.3.x and later: