CHANGES revision 9fb3d1792a78003c60a8f0fdbef30a372b39452e
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele -*- coding: utf-8 -*-
4ab980a06412fd86f52a6d054fb7e26de155c530erikabeleChanges with Apache 2.3.15
5f5d1b4cc970b7f06ff8ef6526128e9a27303d88nd *) SECURITY: CVE-2011-3348 (cve.mitre.org)
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
1aa933455fcd538b1ee573f4566e1a78a89fce77nd recognized. [Jean-Frederic Clere]
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding *) SECURITY: CVE-2011-3192 (cve.mitre.org)
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding core: Fix handling of byte-range requests to use less memory, to avoid
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding denial of service. If the sum of all ranges in a request is larger than
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding the original file, ignore the ranges and send the complete file.
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
1aa933455fcd538b1ee573f4566e1a78a89fce77nd <lowprio20 gmail.com>]
1aa933455fcd538b1ee573f4566e1a78a89fce77nd *) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory
1aa933455fcd538b1ee573f4566e1a78a89fce77nd usage. PR 51618. [Cristian Rodr�guez <crrodriguez opensuse org>,
1aa933455fcd538b1ee573f4566e1a78a89fce77nd Stefan Fritsch]
1aa933455fcd538b1ee573f4566e1a78a89fce77nd *) mod_ssl: At startup, when checking a server certificate whether it
1aa933455fcd538b1ee573f4566e1a78a89fce77nd matches the configured ServerName, also take dNSName entries in the
1aa933455fcd538b1ee573f4566e1a78a89fce77nd subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]
7db9f691a00ead175b03335457ca296a33ddf31bnd *) mod_substitute: Reduce memory usage and copying of data. PR 50559.
3577f1d38e53397f6b431c02011f875316b2f070nd [Stefan Fritsch]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Kaspar Brand]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) Add wrappers for malloc, calloc, realloc that check for out of memory
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele situations and use them in many places. PR 51568, PR 51569, PR 51571.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele [Stefan Fritsch]
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive *) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive false but RLIMIT_* are defined. PR51371. [Eric Covener]
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive *) core: Correctly obey ServerName / ServerAlias if the Host header from the
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive request matches the VirtualHost address.
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive PR 51709. [Micha Lenk <micha lenk.info>]
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive *) mod_unique_id: Use random number generator to initialize counter.
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive PR 45110. [Stefan Fritsch]
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive *) core: Add convenience API for apr_random. [Stefan Fritsch]
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive *) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive the number of overlapping and reversing ranges (respectively) permitted
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive before returning the entire resource, with a default limit of 20.
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive [Jim Jagielski]
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive *) mod_ldap: Optional function uldap_ssl_supported(r) always returned false
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive if called from a virtual host with mod_ldap directives in it. Did not
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive affect mod_authnz_ldap's usage of mod_ldap. [Eric Covener]
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive *) mod_filter: Instead of dropping the Accept-Ranges header when a filter
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive set the header value to "none". [Eric Covener, Ruediger Pluem]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
06d77ae37da42a6f8bbea25b7d7f8b6629245629slive in the case Ranges are being ignored with MaxRanges none.
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive [Eric Covener]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) mod_ssl: revamp CRL-based revocation checking when validating
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive certificates of clients or proxied servers. Completely delegate
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck
c6f41bc69d643835804e7e831776d3d46c6f5962slive directive for controlling the revocation checking mode. [Kaspar Brand]
c6f41bc69d643835804e7e831776d3d46c6f5962slive *) core: Add MaxRanges directive to control the number of ranges permitted
c6f41bc69d643835804e7e831776d3d46c6f5962slive before returning the entire resource, with a default limit of 200.
d7604f90897d9b08b227c127ff5392393178911crpluem [Eric Covener]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) mod_cache: Ensure that CacheDisable can correctly appear within
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive a LocationMatch. [Graham Leggett]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) mod_cache: Fix the moving of the CACHE filter, which erroneously
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive stood down if the original filter was not added by configuration.
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive [Graham Leggett]
d7604f90897d9b08b227c127ff5392393178911crpluem *) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]
d7604f90897d9b08b227c127ff5392393178911crpluem *) mod_authz_groupfile: Increase length limit of lines in the group file to
d7604f90897d9b08b227c127ff5392393178911crpluem 16MB. PR 43084. [Stefan Fritsch]
d7604f90897d9b08b227c127ff5392393178911crpluem *) core: Increase length limit of lines in the configuration file to 16MB.
d7604f90897d9b08b227c127ff5392393178911crpluem PR 45888. PR 50824. [Stefan Fritsch]
d7604f90897d9b08b227c127ff5392393178911crpluem *) core: Add API for resizable buffers. [Stefan Fritsch]
d7604f90897d9b08b227c127ff5392393178911crpluem *) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have
d7604f90897d9b08b227c127ff5392393178911crpluem LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such
d7604f90897d9b08b227c127ff5392393178911crpluem as Tivoli Directory Server 6.3 and later. [Eric Covener]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_ldap: Change default number of retries from 10 to 3, and add
c6f41bc69d643835804e7e831776d3d46c6f5962slive an LDAPRetries and LDAPRetryDelay directives. [Eric Covener]
06d77ae37da42a6f8bbea25b7d7f8b6629245629slive *) mod_authnz_ldap: Don't retry during authentication, because this just
c6f41bc69d643835804e7e831776d3d46c6f5962slive multiplies the ample retries already being done by mod_ldap. [Eric Covener]
c6f41bc69d643835804e7e831776d3d46c6f5962slive *) configure: Allow to explicitly disable modules even with module selection
c6f41bc69d643835804e7e831776d3d46c6f5962slive 'reallyall'. [Stefan Fritsch]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
c6f41bc69d643835804e7e831776d3d46c6f5962slive RewriteEngine is disabled in server context, avoiding a crash while
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive referencing the invalid int: map at runtime. PR 50994.
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive [Ben Noordhuis <info noordhuis nl>]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive [Kaspar Brand]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive cookie is set when modules such as mod_rewrite trigger a redirect. Also
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive use r->err_headers_out for the cookie, for the same reason. PR29755.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Sami J. Mäkinen <sjm almamedia fi>, Eric Covener]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and
d7604f90897d9b08b227c127ff5392393178911crpluem 'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) configure: Enable ldap modules in 'all' and 'most' selections if ldap
d7604f90897d9b08b227c127ff5392393178911crpluem is compiled into apr-util. [Stefan Fritsch]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) core: Add ap_check_cmd_context()-check if a command is executed in
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive .htaccess file. [Stefan Fritsch]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive [Torsten Foertsch <torsten foertsch gmx net>]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8sliveChanges with Apache 2.3.14
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) mod_proxy_ajp: Improve trace logging. [Rainer Jung]
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive *) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele [Rainer Jung]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse,
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun e.g. to reverse proxy "Location: https://other-internal-server/login"
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) prefork, worker, event: Make sure crashes are logged to the error log if
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun httpd has already detached from the console. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) prefork, worker, event: Reduce period during startup/restart where a
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_allowmethods: Correct Merging of "reset" and do not allow an
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun empty parameter list for the AllowMethods directive. [Rainer Jung]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) configure: Update selection of modules for 'all' and 'most'. 'all' will
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele now enable all modules except for example and test modules. Make the
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele selection for 'most' more useful (including ssl and proxy). Both 'all'
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele and 'most' will now disable modules if dependencies are missing instead
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele of aborting. If a specific module is requested with --enable-XXX=yes,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele missing dependencies will still cause configure to exit with an error.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun in 2.3.13. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) core: For '*' or '_default_' vhosts, use a wildcard address of any
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun address family, rather than IPv4 only. [Joe Orton]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele include [ ] for literal IPv6 addresses, as mandated by RFC 3875.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele PR 26005. [Stefan Fritsch]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Nagae Hidetake <nagae eagan jp>]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) core: Add more logging to ap_scan_script_header_err* functions. Add
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele ap_scan_script_header_err*_ex functions that take a module index for
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun new functions in order to make logging configurable per-module.
a1ef40892ffa2b44fc249423c5b6c42a74a84c68nd [Stefan Fritsch]
a1ef40892ffa2b44fc249423c5b6c42a74a84c68nd *) mod_dir: Add DirectoryIndexRedirect to send an external redirect to
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun the proper index. [Eric Covener]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_deflate: Don't try to compress requests with a zero sized body.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele PR 51350. [Stefan Fritsch]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) core: Fix startup on IP6-only systems. PR 50592. [Joe Orton,
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <root linkage white-void net>]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>,
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_log_debug: New module that allows to log custom messages at various
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun phases in the request processing. [Stefan Fritsch]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_ssl: Add some debug logging when loading server certificates.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun PR 37912. [Nick Burch <nick burch alfresco com>]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) configure: Support reallyall option also for --enable-mods-static.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Rainer Jung]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_socache_dc: add --with-distcache to configure for choosing
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun the distcache installation directory. [Rainer Jung]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_lua, mod_deflate: respect platform specific runpath linker
10a304fc5348d394375b98ae10ca9b137fd10cafkess flag. [Rainer Jung]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) configure: Only link the httpd binary against PCRE. No other support
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun binary needs PCRE. [Rainer Jung]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) configure: tolerate dependency checking failures for modules if
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun they have been enabled implicitely. [Rainer Jung]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) configure: Allow to specify module specific custom linker flags via
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele the MOD_XXX_LDADD variables. [Rainer Jung]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgunChanges with Apache 2.3.13
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) ab: Support specifying the local address to use. PR 48930.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele [Peter Schuller <scode spotify com>]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) core: Add support to ErrorLogFormat for logging the system unique
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun thread id under Linux. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) event: New AsyncRequestWorkerFactor directive to influence how many
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele connections will be accepted per process. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun describes more accurately what it does. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) rotatelogs: Add -p argument to specify custom program to invoke
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun after a log rotation. PR 51285. [Sven Ulland <sveniu ifi.uio.no>,
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele PR 48215. [Kaspar Brand]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_status: Display information about asynchronous connections in the
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun server-status. PR 44377. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mpm_event: If the number of connections of a process is very high, or if
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele all workers are busy, don't accept new connections in that process.
a3388213b2b4d46b356be205e38204e67b4304d8rbowen [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mpm_event: Process lingering close asynchronously instead of tying up
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele worker threads. [Jeff Trawick, Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mpm_event: If MaxMemFree is set, limit the number of pools that is kept
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive around. [Stefan Fritsch]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mpm_event: Fix graceful restart aborting connections. PR 43359.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Takashi Sato <takashi lans-tv com>]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_ssl: Disable AECDH ciphers in example config. PR 51363.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele [Rob Stradling <rob comodo com>]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) core: Introduce new function ap_get_conn_socket() to access the socket of
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun a connection. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_data: Introduce a filter to support RFC2397 data URLs. [Graham
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_userdir/mod_alias/mod_vhost_alias: Correctly set DOCUMENT_ROOT,
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX. PR 26052. PR 46198.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) core: Allow to override document_root on a per-request basis. Introduce
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun new context_document_root and context_prefix which provide information
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele about non-global URI-to-directory mappings (from e.g. mod_userdir or
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun mod_alias) to scripts. PR 49705. [Stefan Fritsch]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) core: Add <ElseIf> and <Else> to complement <If> sections.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Stefan Fritsch]
a3388213b2b4d46b356be205e38204e67b4304d8rbowen *) mod_ext_filter: Remove DebugLevel option in favor of per-module loglevel.
a3388213b2b4d46b356be205e38204e67b4304d8rbowen [Stefan Fritsch]
a3388213b2b4d46b356be205e38204e67b4304d8rbowen *) mod_include: Make the "#if expr" element use the new "ap_expr" expression
a3388213b2b4d46b356be205e38204e67b4304d8rbowen parser. The old parser can still be used by setting the new directive
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun SSILegacyExprParser. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) core: Add some features to ap_expr for use by mod_include: a restricted
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun mode that does not allow to bypass request access restrictions; new
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun variables DOCUMENT_URI (alias for REQUEST_URI), LAST_MODIFIED; -A as an
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun alias for -U; an additional data entry in ap_expr_eval_ctx_t for use by
a3388213b2b4d46b356be205e38204e67b4304d8rbowen the consumer; an extensible ap_expr_exec_ctx() API that allows to use that
a3388213b2b4d46b356be205e38204e67b4304d8rbowen data entry. [Stefan Fritsch]
df321386f1d9ed17a3e5e6468807996a12890d50gryzor *) mod_include: Merge directory configs instead of one SSI* config directive
df321386f1d9ed17a3e5e6468807996a12890d50gryzor causing all other per-directory SSI* config directives to be reset.
df321386f1d9ed17a3e5e6468807996a12890d50gryzor [Stefan Fritsch]
df321386f1d9ed17a3e5e6468807996a12890d50gryzor *) mod_charset_lite: Remove DebugLevel option in favour of per-module
df321386f1d9ed17a3e5e6468807996a12890d50gryzor loglevel. [Stefan Fritsch]
df321386f1d9ed17a3e5e6468807996a12890d50gryzor *) core: Add ap_regexec_len() function that works with non-null-terminated
df321386f1d9ed17a3e5e6468807996a12890d50gryzor strings. PR 51231. [Yehezkel Horowitz <horowity checkpoint com>]
df321386f1d9ed17a3e5e6468807996a12890d50gryzor *) mod_authnz_ldap: If the LDAP server returns constraint violation,
df321386f1d9ed17a3e5e6468807996a12890d50gryzor don't treat this as an error but as "auth denied". [Stefan Fritsch]
df321386f1d9ed17a3e5e6468807996a12890d50gryzor *) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO
df321386f1d9ed17a3e5e6468807996a12890d50gryzor for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>,
df321386f1d9ed17a3e5e6468807996a12890d50gryzor Jim Jagielski]
df321386f1d9ed17a3e5e6468807996a12890d50gryzor *) mod_cache: When content is served stale, and there is no means to
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele revalidate the content using ETag or Last-Modified, and we have
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun mandated no stale-on-error behaviour, stand down and don't cache.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele Saves a cache write that will never be read.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Graham Leggett]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_reqtimeout: Fix a timed out connection going into the keep-alive
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun state after a timeout when discarding a request body. PR 51103.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) core: Add various file existance test operators to ap_expr.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele [Stefan Fritsch]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_proxy_express: New mass reverse-proxy switch extension for
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele mod_proxy. [Jim Jagielski]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) configure: Fix script error when configuring module set "reallyall".
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele [Rainer Jung]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgunChanges with Apache 2.3.12
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) configure, core: Provide easier support for APR's hook probe
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele capability. [Jim Jagielski, Jeff Trawick]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) Silence autoconf 2.68 warnings. [Rainer Jung]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_authnz_ldap: Resolve crash when LDAP is used for authorization only
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Scott Hill <shill genscape.com>]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) support: Make sure check_forensic works with mod_unique_id loaded
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Joe Schaefer]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) Add child_status hook for tracking creation/termination of MPM child
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele processes. Add end_generation hook for notification when the last
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun MPM child of a generation exits. [Jeff Trawick]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_ldap: Make LDAPSharedCacheSize 0 create a non-shared-memory cache per
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele process as opposed to disabling caching completely. This allows to use
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele the non-shared-memory cache as a workaround for the shared memory cache
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun not being available during graceful restarts. PR 48958. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) Add new ap_reserve_module_slots/ap_reserve_module_slots_directive API,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele necessary if a module (like mod_perl) registers additional modules late
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun in the startup phase. [Stefan Fritsch]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) core: Prevent segfault if DYNAMIC_MODULE_LIMIT is reached. PR 51072.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele [Torsten Förtsch <torsten foertsch gmx net>]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) WinNT MPM: Improve robustness under heavy load. [Jeff Trawick]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) MinGW build improvements. PR 49535. [John Vandenberg
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <jayvdb gmail.com>, Jeff Trawick]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) core: Support module names with colons in loglevel configuration.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Torsten Förtsch <torsten foertsch gmx net>]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele [Stefan Fritsch]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) core: Abort if the MPM is changed across restart. [Jeff Trawick]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele [Peter Pramberger <peter pramberger.at>, Jim Jagielski]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_proxy_fcgi: Add support for 'ProxyErrorOverride on'. PR 50913.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Mark Montague <mark catseye.org>, Jim Jagielski]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) core: Change the APIs of ap_cfg_getline() and ap_cfg_getc() to return an
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun error code. Abort with a nice error message if a config line is too long.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele Partial fix for PR 50824. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_info: Dump config to stdout during startup if -DDUMP_CONFIG is
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele specified. PR 31956. [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) Restore visibility of DEFAULT_PIDLOG to core and modules. MPM
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun helper function ap_remove_pid() added. [Jeff Trawick]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) Enable DEFAULT_REL_RUNTIMEDIR on Windows and NetWare. [various]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) Correct C++ incompatibility with http_log.h. [Stefan Fritsch, Jeff
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun in request URL path info but not decode them. Change behavior of option
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele "On" to decode the encoded slashes as 2.0 and 2.2 do. PR 35256,
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun PR 46830. [Dan Poirier]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_ssl: Check SNI hostname against Host header case-insensitively.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>]
2c44e52ec852d7d8392068fd13a1d8d8a4e830c1kess *) mod_ldap: Add LDAPConnectionPoolTTL to give control over lifetime
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun of bound backend LDAP connections. PR47634 [Eric Covener]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_cache: Make CacheEnable and CacheDisable configurable per
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele directory in addition to per server, making them work from within
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele a LocationMatch. [Graham Leggett]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) worker, event, prefork: Correct several issues when built as
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun DSOs; most notably, the scoreboard was reinitialized during graceful
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele restart, such that processes of the previous generation were not
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun observable. [Jeff Trawick]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabeleChanges with Apache 2.3.11
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun Win32's cscript interpreter can only use a single quote as comment char.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele [Guenter Knauf]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_proxy: balancer-manager now uses POST instead of GET.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Jim Jagielski]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) core: new util function: ap_parse_form_data(). Previously,
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun this capability was tucked away in mod_request. [Jim Jagielski]
e8811b6d38f756b325446ded5d96857d13856511takashi *) core: new hook: ap_run_pre_read_request. [Jim Jagielski]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_cache: When a request other than GET or HEAD arrives, we must
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun invalidate existing cache entities as per RFC2616 13.10. PR 15868.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Graham Leggett]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) modules: Fix many modules that were not correctly initializing if they
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele were not active during server startup but got enabled later during a
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele graceful restart. [Stefan Fritsch]
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele *) core: Create new ap_state_query function that allows modules to determine
0ed10f46135a337e6779d6895d80b43a3471dc70pquerna if the current configuration run is the initial one at server startup,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele and if the server is started for testing/config dumping only.
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Stefan Fritsch]
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun *) mod_proxy: Runtime configuration of many parameters for existing
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele balancers via the balancer-manager. [Jim Jagielski]
[Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton]
PR 50735 [Mark Montague <mark catseye.org>]
[Kaspar Brand <httpd-dev.2011 velox.ch>]
and using slotmem. Create foundation for dynamic growth/changes of
[Sönke Tesch <st kino-fahrplan.de>]
*) core: Overlapping virtual host address/port combinations now implicitly
to UserDir directive, leaving enable/disable of userlists unmerged.
[Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
*) SECURITY: CVE-2010-1623 (cve.mitre.org)
*) prefork/worker/event MPMS: default value (when no directive is present)
of MaxConnectionsPerChild/MaxRequestsPerChild is changed to 0 from 10000
interfering with authentication/authorization. [Paul Querna,
CacheMinExpire and CacheMaxExpire can be set per directory/location.
CacheReadTime can be set per directory/location. [Graham Leggett]
RequireAny/RequireAll containers: 'ssl' (equivalent to SSLRequireSSL),
link of the device/inode of the data file to the matching header
*) core/mod_unique_id: Add generate_log_id hook to allow to use
decision hit/miss/revalidate. Add optional support for an X-Cache
and/or an X-Cache-Detail header to add the cache status to the
<dan listening-station.net; trunk version Nick Kew]
[Daniel Ruggeri <DRuggeri primary.net>]
*) SECURITY: CVE-2010-1452 (cve.mitre.org)
*) core/mod_authz_core: Introduce new access_checker_ex hook that enables
IP address/env var/... [Stefan Fritsch]
PR 49616 [Andrey Chernov <ache nagual.pp.ru>]
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
configuration which requires renegotiation for per-directory/location
*) SECURITY: CVE-2010-0408 (cve.mitre.org)
*) SECURITY: CVE-2010-0425 (cve.mitre.org)
[Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
APR Util 1.x crypto. [Rainer Jung]
mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels.
mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info
PR 49369 [Matthew Steele <mdsteele google.com>]
to use the HTTP username/pass instead of an anonymous or hard-coded
[Bryn Dole <dole blekko.com>]
to control/set the nonce used in the balancer-manager application.
code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]
PR 48944. [Mark Drayton mark markdrayton.info]
[Dr Stephen Henson <steve openssl.org>, William Rowe]
[Ruediger Pluem, Mark Montague <markmont umich.edu>]
*) support/rotatelogs: Add -L option to create a link to the current
log file. PR 48761 [<lyndon orthanc.ca>, Dan Poirier]
*) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
PR 33112 [Joergen Thomsen <apache jth.net>]
*) support/rotatelogs: Support the simplest log rotation case, log
*) support/htcacheclean: Teach it how to write a pid file (modelled on
[Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
*) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
request. [Christian Folini <christian.folini netnea com>]
[Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
*) SECURITY: CVE-2010-0434 (cve.mitre.org)
[Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]
PR 41887 [Jan van den Berg <janvdberg gmail.com>]
PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew]
(See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
*) SECURITY: CVE-2009-3095 (cve.mitre.org)
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
*) SECURITY: CVE-2009-3094 (cve.mitre.org)
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
[Dr Stephen Henson <shenson oss-institute.org>]
PR 47178. [Philipp Hagemeister <oss phihag.de>]
Brian France <brian brianfrance.com>]
modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com]
*) mod_logio/core: Report more accurate byte counts in mod_status if
for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
the request is a CONNECT request. [Bill Zajac <billz consultla.com>]
[Peter Grandi <pg_asf asf.for.sabi.co.uk>, Graham Leggett]
Log 408 errors in access log as was done in Apache 1.3.x.
PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>,
Stefan Fritsch <sf fritsch.de>, Dan Poirier]
Brian France <brian brianfrance.com>]
Brian France <brian brianfrance.com>]
[Stefan Fritsch <sf sfritsch.de>]
*) mod_session.c: Prevent a segfault when session is added but not
definition. [Stefan Fritsch sf sfritsch.de]
*) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
PR 46971 [evanc nortel.com]
[Stefan Fritsch <sf sfritsch.de>]
for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
*) SECURITY: CVE-2009-1890 (cve.mitre.org)
*) SECURITY: CVE-2009-1191 (cve.mitre.org)
by the client. PR 33098 [ Stefan Fritsch <sf sfritsch.de>]
PR 42175 [Jim Radford <radford blackbean.org>]
type. PR 45107. [Michael Ströder <michael stroeder.com>,
PR 44020 [HÃ¥kon Stordahl <hakon stordahl.org>]
CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>]
PR 46942 [Dan Poirier <poirier pobox.com>]
PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
[Marko Kevac <mkevac gmail.com>]
as A/UX, Next, and Tandem. [Jeff Trawick]
directory listing. PR 46789 [Dan Poirier <poirier pobox.com>]
of module state across unload/load. [Jeff Trawick]
[Dan Poirier <poirier pobox.com>]
[Geoff Keating <geoffk apple.com>]
with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris).
a media type has not been configured via mime.types, AddType,
[Ryan Phillips <ryan-apache trolocsis.com>]
[<tlhackque yahoo.com>]
*) prefork: Fix child process hang during graceful restart/stop in
*) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]
times out before returning status line/headers.
PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>]
[Theo Schlossnagle <jesus omniti.com>, Paul Querna]
modules/proxy/balancers [Jim Jagielski]
privileges and Unix user/group IDs [Nick Kew]
logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject,
*) unixd: turn existing code into a module, and turn the set user/group
Suggested By André Warnier <aw ice-sa.com> [Eric Covener]
*) mod_ssl: Send Content-Type application/ocsp-request for POST requests to
OSCP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>]
*) New module mod_sed: filter Request/Response bodies through sed
null value. [David Shane Holden <dpejesh apache.org>]
both inside and outside the location/directory sections, as
form request with the type of application/x-www-form-urlencoded.
*) mod_authz_dbd: When redirecting after successful login/logout per
PR 44560 [Anders Kaseorg <anders kaseorg.com>]
mod_cache et.al. to trap the results of the redirect.
*) ApacheMonitor.exe: Introduce --kill argument for use by the
*) mod_ldap, mod_authnz_ldap: Add support for nested groups (i.e. the ability
[David M. Lee <dmlee crossroads.com>]
[Niklas Edmundsson <nikke acc.umu.se>]
[Niklas Edmundsson <nikke acc.umu.se>]
[Markus Schiegl <ms schiegl.com>]
*) Remove incorrect comments from scoreboard.h regarding conditional
[Chris Darroch <chrisd pearsoncmg.com>]
in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]
[Chris Darroch <chrisd pearsoncmg.com>]
and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
*) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]
Apache 2.2.xx tree as documented, and except as noted, below.]
Changes with Apache 2.2.x and later:
Changes with Apache 2.0.x and later: