CHANGES revision b5e45168970cefb8b2d0bea709ea69790f3eab96
-*- coding: utf-8 -*-

Changes with Apache 2.3.7

*) mod_authn_cache: new module [Nick Kew]
*) core: Try to proceed with authorization even if authentication failed.
   This allows e.g. to authorize by user _or_ ip address. [Stefan Fritsch]
*) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]
*) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]

Changes with Apache 2.3.6

*) SECURITY: CVE-2009-3555 (cve.mitre.org)
   mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
   attack when compiled against OpenSSL version 0.9.8m or later. Introduces
   the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
   and offer unsafe legacy renegotiation with clients which do not yet
   support the new secure renegotiation protocol, RFC 5746.
   [Joe Orton, and with thanks to the OpenSSL Team]
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
   mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
   by rejecting any client-initiated renegotiations. Forcibly disable
   keepalive for the connection if there is any buffered data readable. Any
   configuration which requires renegotiation for per-directory/location
   access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
   [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
*) SECURITY: CVE-2010-0408 (cve.mitre.org)
   mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
   when request headers indicate a request body is incoming; not a case of
   HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]
*) SECURITY: CVE-2010-0425 (cve.mitre.org)
   mod_isapi: Do not unload an isapi .dll module until the request
   processing is completed, avoiding orphaned callback pointers.
   [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
*) core: Filter init functions are now run strictly once per request
   before handler invocation. The init functions are no longer run
   for connection filters. PR 49328. [Joe Orton]
*) core: Adjust the output filter chain correctly in an internal
   redirect from a subrequest, preserving filters from the main
   request as necessary. PR 17629. [Joe Orton]
*) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
   Response if they so choose to do so. Previously an attempt to cache a 206
   was arbitrarily allowed if the response contained an Expires or
   Cache-Control header, and arbitrarily denied if both headers were missing.
   [Graham Leggett]
*) core: Add microsecond timestamp fractions, process id and thread id
   to the error log. [Rainer Jung]
*) configure: The "most" module set gets built by default. [Rainer Jung]
*) configure: Building dynamic modules (DSO) by default. [Rainer Jung]
*) configure: Fix broken VPATH build when using included APR.
   [Rainer Jung]
*) mod_session_crypto: Fix configure problem when building
   with APR 2 and for VPATH builds with included APR.
   [Rainer Jung]
*) mod_session_crypto: API compatibility with APR 2 crypto and
   APR Util 1.x crypto. [Rainer Jung]
*) ab: Fix memory leak with -v2 and SSL. PR 49383.
   [Pavel Kankovsky <peak argo troja mff cuni cz>]
*) core: Add per-module and per-directory loglevel configuration.
   Add some more trace logging.
   mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels.
   mod_ssl: Replace LogLevelDebugDump with trace log levels.
   mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info
   mod_dumpio: Replace DumpIOLogLevel with trace log levels.
   [Stefan Fritsch]
*) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
   title page only) when any mod_ldap directives were used in VirtualHost
   context. [Eric Covener]
*) mod_disk_cache: Decline the opportunity to cache if the response is
   a 206 Partial Content. This stops a reverse proxied partial response
   from becoming cached, and then being served in subsequent responses.
   [Graham Leggett]
*) mod_deflate: avoid the risk of forwarding data before headers are set.
   PR 49369 [Matthew Steele <mdsteele google.com>]
*) mod_authnz_ldap: Ensure nested groups are checked when the
   top-level group doesn't have any direct non-group members
   of attributes in AuthLDAPGroupAttribute. [Eric Covener]
*) mod_authnz_ldap: Search or Comparison during authorization phase
   can use the credentials from the authentication phase
   (AuthLDAPSearchAsUser, AuthLDAPCompareAsUser).
   PR 48340 [Domenico Rotiroti, Eric Covener]
*) mod_authnz_ldap: Allow the initial DN search during authentication
   to use the HTTP username/pass instead of an anonymous or hard-coded
   LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).
   [Eric Covener]
*) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
   when this module is used for authorization. See AuthLDAPAuthorizePrefix.
   PR 45584 [Eric Covener]
*) apxs -q: Stop filtering out ':' characters from the reported values.
   PR 45343. [Bill Cole]
*) prefork MPM: Run cleanups for final request when process exits gracefully.
   PR 43857. [Tom Donovan]
*) ab: fix number of requests sent by ab when keepalive is enabled. PR 48497.
   [Bryn Dole <dole blekko.com>]
*) Log an error for failures to read a chunk-size, and return 408 instead of
   413 when this is due to a read timeout. This change also fixes some cases
   of two error documents being sent in the response for the same scenario.
   [Eric Covener] PR 49167
*) mod_proxy_balancer: Add new directive BalancerNonce to allow admin
   to control/set the nonce used in the balancer-manager application.
   [Jim Jagielski]
*) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673.
   [Stefan Fritsch]
*) Proxy balancer: support setting error status according to HTTP response
   code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]
*) htcacheclean: Introduce the ability to clean specific URLs from the
   cache, if provided as an optional parameter on the command line.
   [Graham Leggett]
*) core: Introduce the IncludeStrict directive, which explicitly fails
   server startup if no files or directories match a wildcard path.
   [Graham Leggett]
*) htcacheclean: Report additional statistics about entries deleted.
   PR 48944. [Mark Drayton mark markdrayton.info]
*) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
   builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
   build of openssl is required for 'SSLFIPS on'. PR 46270.
   [Dr Stephen Henson <steve openssl.org>, William Rowe]
*) mod_proxy_http: Log the port of the remote server in various messages.
   PR 48812. [Igor Galić <i galic brainsware org>]
*) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
   connections and other protocol handlers (like mod_ftp). [Stefan Fritsch]
*) mod_proxy_ajp: Really regard the operation a success, when the client
   aborted the connection. In addition adjust the log message if the client
   aborted the connection. [Ruediger Pluem]
*) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
   allows insecure renegotiation with clients which do not yet
   support the secure renegotiation protocol. [Joe Orton]
*) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
   is configured for client cert auth. PR 46952. [Joe Orton]
*) core: Only log a 408 if it is not a keepalive timeout. PR 39785
   [Ruediger Pluem, Mark Montague <markmont umich.edu>]
*) support/rotatelogs: Add -L option to create a link to the current
   log file. PR 48761 [<lyndon orthanc.ca>, Dan Poirier]
*) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
   setting only, matching most of the documentation and examples.
   PR 46541 [Paul Reder, Eric Covener]
*) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
   types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]
*) mod_negotiation: Preserve query string over multiviews negotiation.
   This buglet was fixed for type maps in 2.2.6, but the same issue
   affected multiviews and was overlooked.
   PR 33112 [Joergen Thomsen <apache jth.net>]
*) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert
   when some are not password-protected. [Eric Covener]
*) Fix startup segfault when the Mutex directive is used but no loaded
   modules use httpd mutexes. PR 48787. [Jeff Trawick]
*) Proxy: get the headers right in a HEAD request with
   ProxyErrorOverride, by checking for an overridden error
   before not after going into a catch-all code path.
   PR 41646. [Nick Kew, Stuart Children]
*) support/rotatelogs: Support the simplest log rotation case, log
   truncation. Useful when the log is being processed in real time
   using a command like tail. [Graham Leggett]
*) support/htcacheclean: Teach it how to write a pid file (modelled on
   httpd's writing of a pid file) so that it becomes possible to run
   more than one instance of htcacheclean on the same machine.
   [Graham Leggett]
*) Log command line on startup, so there's a record of command line
   arguments like -f. PR 48752. [Dan Poirier]
*) Introduce mod_reflector, a handler capable of reflecting POSTed
   request bodies back within the response through the output filter
   stack. Can be used to turn an output filter into a web service.
   [Graham Leggett]
*) mod_proxy_http: Make sure that when an ErrorDocument is served
   from a reverse proxied URL, that the subrequest respects the status
   of the original request. This brings the behaviour of proxy_handler
   in line with default_handler. PR 47106. [Graham Leggett]
*) Support wildcards in both the directory and file components of
   the path specified by the Include directive. [Graham Leggett]
*) mod_proxy, mod_proxy_http: Support remote https proxies
   by using HTTP CONNECT. PR 19188.
   [Philippe Dutrueux <lilas evidian.com>, Rainer Jung]
*) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
   [Philip M. Gollucci]
*) worker: Don't report server has reached MaxClients until it has.
   Add message when server gets within MinSpareThreads of MaxClients.
   PR 46996. [Dan Poirier]
*) mod_session: Session expiry was being initialised, but not updated
   on each session save, resulting in timed out sessions when there
   should not have been. Fixed. [Graham Leggett]
*) mod_log_config: Add the R option to log the handler used within the
   request. [Christian Folini <christian.folini netnea com>]
*) mod_include: Allow fine control over the removal of Last-Modified and
   ETag headers within the INCLUDES filter, making it possible to cache
   responses if desired. Fix the default value of the SSIAccessEnable
   directive. [Graham Leggett]
*) Add new UnDefine directive to undefine a variable. PR 35350.
   [Stefan Fritsch]
*) Make ap_pregsub(), used by AliasMatch and friends, use the same syntax
   for regex backreferences as mod_rewrite and mod_include: Remove the use
   of '&' as an alias for '$0' and allow to escape any character with a
   backslash. PR 48351. [Stefan Fritsch]
*) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the
   password to UTF-8. PR 45318.
   [Johannes Müller <joh_m gmx.de>, Stefan Fritsch]
*) ab: Fix calculation of requests per second in HTML output. PR 48594.
   [Stefan Fritsch]
*) mod_authnz_ldap: Failures to map a username to a DN, or to check a user
   password now result in an informational level log entry instead of
   warning level. [Eric Covener]

Changes with Apache 2.3.5

*) SECURITY: CVE-2010-0434 (cve.mitre.org)
   Ensure each subrequest has a shallow copy of headers_in so that the
   parent request headers are not corrupted. Eliminates a problematic
   optimization in the case of no request body. PR 48359
   [Jake Scott, William Rowe, Ruediger Pluem]
*) Turn static function get_server_name_for_url() into public
   ap_get_server_name_for_url() and use it where appropriate. This
   fixes mod_rewrite generating invalid URLs for redirects to IPv6
   literal addresses. [Stefan Fritsch]
*) mod_ldap: Introduce new config option LDAPTimeout to set the timeout
   for LDAP operations like bind and search. [Stefan Fritsch]
*) mod_proxy, mod_proxy_ftp: Move ProxyFtpDirCharset from mod_proxy to
   mod_proxy_ftp. [Takashi Sato]
*) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to
   mod_proxy_connect. [Takashi Sato]
*) mod_cache: Do an exact match of the keys defined by
   CacheIgnoreURLSessionIdentifiers against the querystring instead of
   a partial match. PR 48401.
   [Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]
*) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung]
*) Core HTTP: disable keepalive when the Client has sent
   Expect: 100-continue
   but we respond directly with a non-100 response.
   Keepalive here led to data from clients continuing being treated as
   a new request.
   PR 47087 [Nick Kew]
*) Core: reject NULLs in request line or request headers.
   PR 43039 [Nick Kew]
*) Core: (re)-introduce -T commandline option to suppress documentroot
   check at startup.
   PR 41887 [Jan van den Berg <janvdberg gmail.com>]
*) mod_autoindex: support XHTML as equivalent to HTML in IndexOptions,
   ScanHTMLTitles, ReadmeName, HeaderName
   PR 48416 [Dmitry Bakshaev <dab18 izhnet.ru>, Nick Kew]
*) Proxy: Fix ProxyPassReverse with relative URL
   Derived (slightly erroneously) from PR 38864 [Nick Kew]
*) mod_headers: align Header Edit with Header Set when used on Content-Type
   PR 48422 [Cyril Bonté <cyril.bonte free.fr>, Nick Kew]
*) mod_headers: Enable multi-match-and-replace edit option
   PR 47066 [Nick Kew]
*) mod_filter: enable it to act on non-200 responses.
   PR 48377 [Nick Kew]

Changes with Apache 2.3.4

*) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
   and WatchdogMutexPath with a single Mutex directive. Add APIs to
   simplify setup and user customization of APR proc and global mutexes.
   (See util_mutex.h.) Build-time setting DEFAULT_LOCKFILE is no longer
   respected; set DEFAULT_REL_RUNTIMEDIR instead. [Jeff Trawick]
*) http_core: KeepAlive no longer accepts other than On|Off.
   [Takashi Sato]
*) mod_dav: Remove errno from dav_error interface. Calls to dav_new_error()
   and dav_new_error_tag() must be adjusted to add an apr_status_t parameter.
   [Jeff Trawick]
*) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to
   try other providers in the case of an LDAP bind failure.
   PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson]
*) Build: fix --with-module to work as documented

Changes with Apache 2.3.3

*) SECURITY: CVE-2009-3095 (cve.mitre.org)
   mod_proxy_ftp: sanity check authn credentials.
   [Stefan Fritsch <sf fritsch.de>, Joe Orton]
*) SECURITY: CVE-2009-3094 (cve.mitre.org)
   mod_proxy_ftp: NULL pointer dereference on error paths.
   [Stefan Fritsch <sf fritsch.de>, Joe Orton]
*) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against
   OpenSSL 1.0.0b3. [Vipul Gupta <vipul.gupta sun.com>, Sander Temme]
*) mod_dav: Include uri when logging a PUT error due to connection abort.
   PR 38149. [Stefan Fritsch]
*) mod_dav: Return 409 instead of 500 for a LOCK request if the parent
   resource does not exist or is not a collection. PR 43465. [Stefan Fritsch]
*) mod_dav_fs: Return 409 instead of 500 for Litmus test case copy_nodestcoll
   (a COPY request where the parent of the destination resource does not
   exist). PR 39299. [Stefan Fritsch]
*) mod_dav_fs: Don't delete the whole file if a PUT with content-range failed.
   PR 42896. [Stefan Fritsch]
*) mod_dav_fs: Make PUT create files atomically and no longer destroy the
   old file if the transfer aborted. PR 39815. [Paul Querna, Stefan Fritsch]
*) mod_dav_fs: Remove inode keyed locking as this conflicts with atomically
   creating files. On systems with inode numbers, this is a format change of
   the DavLockDB. The old DavLockDB must be deleted on upgrade.
   [Stefan Fritsch]
*) mod_log_config: Make ${cookie}C correctly match whole cookie names
   instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>,
   Stefan Fritsch]
*) vhost: A purely-numeric Host: header should not be treated as a port.
   PR 44979 [Nick Kew]
*) mod_ldap: Avoid 500 errors with "Unable to set LDAP_OPT_REFHOPLIMIT option to 5"
   when built against openldap by using SDK LDAP_OPT_REFHOPLIMIT defaults unless
   LDAPReferralHopLimit is explicitly configured.
   [Eric Covener]
[Dr Stephen Henson <shenson oss-institute.org>]
PR 47178. [Philipp Hagemeister <oss phihag.de>]
Brian France <brian brianfrance.com>]
modules to avoid segmentation fault. PR 47951. [hirose31 gmail.com]
*) mod_logio/core: Report more accurate byte counts in mod_status if
for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries.
the request is a CONNECT request. [Bill Zajac <billz consultla.com>]
[Peter Grandi <pg_asf asf.for.sabi.co.uk>, Graham Leggett]
Log 408 errors in access log as was done in Apache 1.3.x.
PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>,
Stefan Fritsch <sf fritsch.de>, Dan Poirier]
Brian France <brian brianfrance.com>]
Brian France <brian brianfrance.com>]
[Stefan Fritsch <sf sfritsch.de>]
*) mod_session.c: Prevent a segfault when session is added but not
definition. [Stefan Fritsch sf sfritsch.de]
*) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
PR 46971 [evanc nortel.com]
[Stefan Fritsch <sf sfritsch.de>]
for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
*) SECURITY: CVE-2009-1890 (cve.mitre.org)
*) SECURITY: CVE-2009-1191 (cve.mitre.org)
by the client. PR 33098 [ Stefan Fritsch <sf sfritsch.de>]
PR 42175 [Jim Radford <radford blackbean.org>]
type. PR 45107. [Michael Ströder <michael stroeder.com>,
PR 44020 [Håkon Stordahl <hakon stordahl.org>]
CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>]
PR 46942 [Dan Poirier <poirier pobox.com>]
PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
[Marko Kevac <mkevac gmail.com>]
as A/UX, Next, and Tandem. [Jeff Trawick]
directory listing. PR 46789 [Dan Poirier <poirier pobox.com>]
of module state across unload/load. [Jeff Trawick]
[Dan Poirier <poirier pobox.com>]
[Geoff Keating <geoffk apple.com>]
with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris).
a media type has not been configured via mime.types, AddType,
[Ryan Phillips <ryan-apache trolocsis.com>]
[<tlhackque yahoo.com>]
*) prefork: Fix child process hang during graceful restart/stop in
*) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]
times out before returning status line/headers.
PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>]
[Theo Schlossnagle <jesus omniti.com>, Paul Querna]
modules/proxy/balancers [Jim Jagielski]
privileges and Unix user/group IDs [Nick Kew]
logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject,
*) unixd: turn existing code into a module, and turn the set user/group
Suggested By André Warnier <aw ice-sa.com> [Eric Covener]
*) mod_ssl: Send Content-Type application/ocsp-request for POST requests to
OCSP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>]
*) New module mod_sed: filter Request/Response bodies through sed
null value. [David Shane Holden <dpejesh apache.org>]
both inside and outside the location/directory sections, as
form request with the type of application/x-www-form-urlencoded.
*) mod_authz_dbd: When redirecting after successful login/logout per
PR 44560 [Anders Kaseorg <anders kaseorg.com>]
mod_cache et.al. to trap the results of the redirect.
*) ApacheMonitor.exe: Introduce --kill argument for use by the
*) mod_ldap, mod_authnz_ldap: Add support for nested groups (i.e. the ability
[David M. Lee <dmlee crossroads.com>]
[Niklas Edmundsson <nikke acc.umu.se>]
[Niklas Edmundsson <nikke acc.umu.se>]
[Markus Schiegl <ms schiegl.com>]
*) Remove incorrect comments from scoreboard.h regarding conditional
[Chris Darroch <chrisd pearsoncmg.com>]
in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]
[Chris Darroch <chrisd pearsoncmg.com>]
and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
*) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]
Apache 2.2.xx tree as documented, and except as noted, below.]
Changes with Apache 2.2.x and later:
Changes with Apache 2.0.x and later:
Changes with Apache 1.3.x and later: