CHANGES revision ba217dc41cebc0976010ee177f8fedac782d1f6f
-*- coding: utf-8 -*-

Changes with Apache 2.3.3
  *) CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
     [Stefan Fritsch <sf fritsch.de>, Joe Orton]

  *) CVE-2009-3094: mod_proxy_ftp NULL pointer dereference on error paths.
     [Stefan Fritsch <sf fritsch.de>, Joe Orton]

  *) mod_dav: Allow other modules to add things to the DAV or Allow headers
     of an OPTIONS request. [Brian France <brian brianfrance.com>]

  *) core: Lower memory usage of core output filter.
     [Stefan Fritsch <sf sfritsch.de>]

  *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and
     LocationMatch sections. PR 47754. [Dan Poirier]

  *) mod_request: Make sure the KeptBodySize directive rejects values
     that aren't valid numbers. [Graham Leggett]

  *) mod_session_crypto: Sanity check should the potentially encrypted
     session cookie be too short. [Graham Leggett]

  *) mod_session.c: Prevent a segfault when session is added but not
     configured. [Graham Leggett]

  *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]

  *) mod_auth_digest: Fail server start when nonce count checking
     is configured without shared memory, or md5-sess algorithm is
     configured. [Dan Poirier]

  *) mod_proxy_connect: The connect method doesn't work if the client is
     connecting to the apache proxy through an ssl socket. Fixed.
     PR 29744. [Brad Boyer, Mark Cave-Ayland, Julian Gilbey, Fabrice Durand,
     David Gence, Tim Dodge, Per Gunnar Hans, Emmanuel Elango,
     Kevin Croft, Rudolf Cardinal]

  *) mod_ssl: The error message when SSLCertificateFile is missing should
     at least give the name or position of the problematic virtual host
     definition. [Stefan Fritsch <sf sfritsch.de>]

  *) mod_auth_digest: Fix null pointer when qop=none. [Dan Poirier]

  *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]

  *) mod_headers: generalise the envclause to support expression
     evaluation with ap_expr parser [Nick Kew]

  *) mod_cache: Introduce the thundering herd lock, a mechanism to keep
     the flood of requests at bay that strike a backend webserver as
     a cached entity goes stale. [Graham Leggett]

  *) mod_auth_digest: Fix usage of shared memory and re-enable it.
     PR 16057 [Dan Poirier]

  *) Preserve Port information over internal redirects

  *) Proxy: unable to connect to a backend is SERVICE_UNAVAILABLE,
     rather than BAD_GATEWAY or (especially) NOT_FOUND.
     PR 46971 [evanc nortel.com]

  *) Various modules: Do better checking of pollset operations in order to
     avoid segmentation faults if they fail. PR 46467
     [Stefan Fritsch <sf sfritsch.de>]

  *) mod_autoindex: Correctly create an empty cell if the description
     for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]

  *) ab: Fix broken error messages after resolver or connect() failures.
     [Jeff Trawick]

  *) SECURITY: CVE-2009-1890 (cve.mitre.org)
     Fix a potential Denial-of-Service attack against mod_proxy in a
     reverse proxy configuration, where a remote attacker can force a
     proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]

  *) SECURITY: CVE-2009-1191 (cve.mitre.org)
     mod_proxy_ajp: Avoid delivering content from a previous request which
     failed to send a request body. PR 46949 [Ruediger Pluem]

  *) htdbm: Fix possible buffer overflow if dbm database has very
     long values. PR 30586 [Dan Poirier]

  *) core: Return APR_EOF if request body is shorter than the length announced
     by the client. PR 33098 [Stefan Fritsch <sf sfritsch.de>]

  *) mod_suexec: correctly set suexec_enabled when httpd is run by a
     non-root user and may have insufficient permissions.
     PR 42175 [Jim Radford <radford blackbean.org>]

  *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
     type. PR 45107. [Michael Ströder <michael stroeder.com>,

  *) mod_proxy_http: fix case sensitivity checking transfer encoding
     PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]

  *) mod_alias: ensure Redirect issues a valid URL.
     PR 44020 [Håkon Stordahl <hakon stordahl.org>]

  *) mod_dir: add DefaultHandler directive, to enable admin to specify
     an action to happen when a URL maps to no file, without resorting
     to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew]

  *) mod_cgid: Do not leak the listening Unix socket file descriptor to the
     CGI process. PR 47335 [Kornél Pál <kornelpal gmail.com>]

  *) mod_rewrite: Remove locking for writing to the rewritelog.
     PR 46942 [Dan Poirier <poirier pobox.com>]

  *) mod_alias: check sanity in Redirect arguments.
     PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]

  *) mod_proxy_http: fix Host: header for literal IPv6 addresses.
     PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]

  *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
     defined session identifiers encoded in the URL when caching.
     [Ruediger Pluem]
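The entry above names the directive but not how the cache key changes once session identifiers are ignored. The following is an added example, not mod_cache's own code: the function `cache_key`, the identifier list `IGNORED_IDS`, the hostnames and the exact matching rules for path and query parameters are all assumptions made for illustration.

```python
"""Derive a shared cache key from a URL that carries session identifiers.

Added example (assumption, not httpd's implementation) of the effect of
CacheIgnoreURLSessionIdentifiers: identifiers listed by the admin are removed
from the URL before it is used as the key, so /img.gif;jsessionid=A and
/img.gif;jsessionid=B map to one cache entry instead of one per session.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed list, as an admin might configure:
#   CacheIgnoreURLSessionIdentifiers jsessionid PHPSESSID
IGNORED_IDS = ("jsessionid", "PHPSESSID")


def cache_key(url: str, ignored=IGNORED_IDS) -> str:
    """Return the cache key for ``url`` with ignored session identifiers removed.

    Handles an identifier carried as a path parameter (/img.gif;jsessionid=ABC)
    and as a query parameter (/img.gif?PHPSESSID=123&size=2). Identifier names
    are compared case-insensitively (assumption); all other parameters are kept
    in their original order. The fragment is dropped because it is never sent
    to the server and so cannot select a different response.
    """
    parts = urlsplit(url)
    lowered = {name.lower() for name in ignored}

    # Path parameters: strip ";name=value" items whose name is ignored.
    segments = []
    for seg in parts.path.split("/"):
        head, *params = seg.split(";")
        kept = [p for p in params if p.split("=", 1)[0].lower() not in lowered]
        segments.append(";".join([head, *kept]))
    path = "/".join(segments)

    # Query parameters: drop ignored names, keep everything else as given.
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() not in lowered]
    query = urlencode(pairs)

    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))


if __name__ == "__main__":
    # Constructed sample URLs: two sessions, one cacheable image.
    for u in ("http://app.example/img.gif;jsessionid=AAA",
              "http://app.example/img.gif;jsessionid=BBB",
              "http://app.example/img.gif?PHPSESSID=1&size=2"):
        print(u, "->", cache_key(u))
```

Everything on the list stops distinguishing cache entries, so only resources that really are identical across sessions belong on it; a session-specific response stored under the shared key would be served to every user.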
  *) mod_rewrite: Fix the error string returned by RewriteRule.
     RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
     argument of RewriteRule was not started with "[" or not ended with "]".
     PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]

  *) Windows: Fix usage message.
     [Rainer Jung]

  *) apachectl: When passing through arguments to httpd in
     non-SysV mode, use the "$@" syntax to preserve arguments.
     [Eric Covener]

  *) mod_dbd: add DBDInitSQL directive to enable SQL statements to
     be run when a connection is opened. PR 46827
     [Marko Kevac <mkevac gmail.com>]

  *) mod_cgid: Improve handling of long AF_UNIX socket names (ScriptSock).
     PR 47037. [Jeff Trawick]

  *) mod_proxy_ajp: Check more strictly that the backend follows the AJP
     protocol. [Mladen Turk]

  *) mod_proxy_ajp: Forward remote port information by default.
     [Rainer Jung]

  *) Allow MPMs to be loaded dynamically, as with most other modules. This
     required changes to the MPM interfaces. Removed: mpm.h, mpm_default.h
     (as an installed header), APACHE_MPM_DIR, MPM_NAME, ap_threads_per_child,
     ap_max_daemons_limit, ap_my_generation, etc. ap_mpm_query() can't be
     called until after the register-hooks phase. [Jeff Trawick]

  *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
     to enable stricter checking of remote server certificates.
     [Ruediger Pluem]

  *) ab: Fix a 100% CPU loop on platforms where a failed non-blocking connect
     returns EINPROGRESS and a subsequent poll() returns only POLLERR.
     Observed on HP-UX. [Eric Covener]

  *) Remove broken support for BeOS, OS/2, TPF, and even older platforms such
     as A/UX, Next, and Tandem. [Jeff Trawick]

  *) mod_proxy_ftp: Add ProxyFtpListOnWildcard directive to allow files with
     globbing characters to be retrieved instead of converted into a
     directory listing. PR 46789 [Dan Poirier <poirier pobox.com>]

  *) Provide ap_retained_data_create()/ap_retained_data_get() for preservation
     of module state across unload/load. [Jeff Trawick]

  *) mod_substitute: Fix a memory leak. PR 44948
     [Dan Poirier <poirier pobox.com>]
Changes with Apache 2.3.2

  *) mod_mime_magic: Fix detection of compressed content. [Rainer Jung]

  *) mod_negotiation: Escape paths of filenames in 406 responses to avoid
     HTML injections and HTTP response splitting. PR 46837.
     [Geoff Keating <geoffk apple.com>]

  *) mod_ssl: add support for type-safe STACK constructs in OpenSSL
     development HEAD. PR 45521. [Kaspar Brand, Sander Temme]

  *) ab: Fix maintenance of the pollset to resolve EALREADY errors
     with kqueue (BSD/OS X) and excessive CPU with event ports (Solaris).
     PR 44584. Use APR_POLLSET_NOCOPY for better performance with some
     pollset implementations. [Jeff Trawick]

  *) mod_disk_cache: The module now turns off sendfile support if
     'EnableSendfile off' is defined globally. [Lars Eilebrecht]

  *) mod_deflate: Adjust content metadata before bailing out on 304
     responses so that the metadata does not differ from the 200 response.
     [Roy T. Fielding]

  *) mod_deflate: Fix creation of invalid Etag headers. We now make sure
     that the Etag value is properly quoted when adding the gzip marker.
     PR 39727, 45023. [Lars Eilebrecht, Roy T. Fielding]

  *) Added 20x22 icons for ODF, SVG, and XML documents. PR 37185.
     [Peter Harlow]

  *) Disabled DefaultType directive and removed ap_default_type()
     from core. We now exclude Content-Type from responses for which
     a media type has not been configured via mime.types, AddType,
     ForceType, or some other mechanism. PR 13986. [Roy T. Fielding]

  *) mod_rewrite: Add IPV6 variable to RewriteCond
     [Ryan Phillips <ryan-apache trolocsis.com>]

  *) core: Enhance KeepAliveTimeout to support a value in milliseconds.
     PR 46275. [Takashi Sato]

  *) rotatelogs: Allow size units B, K, M, G and combination of
     time and size based rotation. [Rainer Jung]

  *) rotatelogs: Add flag for verbose (debug) output. [Rainer Jung]
[<tlhackque yahoo.com>]
*) prefork: Fix child process hang during graceful restart/stop in
*) core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]
times out before returning status line/headers.
PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>]
[Theo Schlossnagle <jesus omniti.com>, Paul Querna]
modules/proxy/balancers [Jim Jagielski]
privileges and Unix user/group IDs [Nick Kew]
logic replicate 2.2.x authz logic, and replace <Satisfy*>, Reject,
*) unixd: turn existing code into a module, and turn the set user/group
Suggested By André Warnier <aw ice-sa.com> [Eric Covener]
*) mod_ssl: Send Content-Type application/ocsp-request for POST requests to
OSCP responders. PR 46014 [Dr Stephen Henson <steve openssl.org>]
*) Export and install the mod_rewrite.h header to ensure the optional
*) New module mod_sed: filter Request/Response bodies through sed
null value. [David Shane Holden <dpejesh apache.org>]
*) ab: Make ab.c compile on VC6. PR 45024 [Ruediger Pluem]
*) configure: Don't reject libtool 2.x
overwritten. PR 44262 [Michał Grzędzicki <lazy iq.pl>]
PR 44799 [Christian Wenz <christian wenz.org>]
both inside and outside the location/directory sections, as
form request with the type of application/x-www-form-urlencoded.
*) mod_authz_dbd: When redirecting after successful login/logout per
PR 44560 [Anders Kaseorg <anders kaseorg.com>]
mod_cache et.al. to trap the results of the redirect.
PR 34607. [Kaspar Brand <asfbugz velox.ch>]. A test configuration
can be created with test/make_sni.sh [Dirk-Willem van Gulik].
*) ApacheMonitor.exe: Introduce --kill argument for use by the
*) mod_ldap, mod_authnzldap: Add support for nested groups (i.e. the ability
[David Jones <oscaremma gmail.com>]
[David M. Lee <dmlee crossroads.com>]
[Niklas Edmundsson <nikke acc.umu.se>]
[Stijn Hoop <stijn sandcat.nl>]
[Niklas Edmundsson <nikke acc.umu.se>]
final name. [Davi Arnaut <davi haxent.com.br>]
[Markus Schiegl <ms schiegl.com>]
*) Remove incorrect comments from scoreboard.h regarding conditional
[Chris Darroch <chrisd pearsoncmg.com>]
in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]
[Chris Darroch <chrisd pearsoncmg.com>]
and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
*) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]
Apache 2.2.xx tree as documented, and except as noted, below.]
Changes with Apache 2.2.x and later:
Changes with Apache 2.0.x and later:
Changes with Apache 1.3.x and later: