1 -*- coding: utf-8 -*- 2Changes with Apache 2.2.26 3 4 *) mod_dav: dav_resource->uri treated as unencoded. This was an 5 unnecessary ABI changed introduced in 2.2.25 PR 55397. [Ben Reser] 6 7 *) mod_dav: Do not validate locks against parent collection of COPY 8 source URI. PR 55304. [Ben Reser] 9 10 *) mod_ssl: Check SNI hostname against Host header case-insensitively. 11 PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>] 12 13 *) mod_ssl: enable support for ECC keys and ECDH ciphers. Tested against 14 OpenSSL 1.0.0b3. [Vipul Gupta vipul.gupta sun.com, Sander Temme, 15 Stefan Fritsch] 16 17 *) mod_ssl: Change default for SSLCompression to off, as compression 18 causes security issues in most setups. (The so called "CRIME" attack). 19 [Stefan Fritsch] 20 21 *) mod_ssl: Fix compilation error when OpenSSL does not contain 22 support for SSLv2. Problem was introduced in 2.2.25. PR 55194. 23 [Rainer Jung, Kaspar Brand] 24 25 *) mod_dav: Fix double encoding of URIs in XML and Location header (caused 26 by unintential ABI change in 2.2.25). PR 55397. [Ben Reser] 27 28Changes with Apache 2.2.25 29 30 *) SECURITY: CVE-2013-1896 (cve.mitre.org) 31 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with 32 the source href (sent as part of the request body as XML) pointing to a 33 URI that is not configured for DAV will trigger a segfault. [Ben Reser 34 <ben reser.org>] 35 36 *) SECURITY: CVE-2013-1862 (cve.mitre.org) 37 mod_rewrite: Ensure that client data written to the RewriteLog is 38 escaped to prevent terminal escape sequences from entering the 39 log file. [Eric Covener, Jeff Trawick, Joe Orton] 40 41 *) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer 42 strings. The default limit for ap_pregsub() can be adjusted at compile 43 time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick] 44 45 *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization 46 on Linux kernel versions 3.x and above. PR 55121. 
[Bradley Heilbrun 47 <apache heilbrun.org>] 48 49 *) mod_setenvif: Log error on substitution overflow. 50 [Stefan Fritsch] 51 52 *) mod_ssl/proxy: enable the SNI extension for backend TLS connections 53 [Kaspar Brand] 54 55 *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when 56 forwarding to SSL backends. PR 53134. 57 [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem] 58 59 *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits 60 in the error log to debug level. [William Rowe] 61 62 *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs 63 with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698. 64 [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand] 65 66 *) mod_proxy_balancer: Added balancer parameter failontimeout to allow server 67 admin to configure an IO timeout as an error in the balancer. 68 [Daniel Ruggeri] 69 70 *) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind 71 password. [Daniel Ruggeri] 72 73 *) htdigest: Fix buffer overflow when reading digest password file 74 with very long lines. PR 54893. [Rainer Jung] 75 76 *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611 77 [Timothy Wood <tjw omnigroup.com>] 78 79 *) mod_dav: Make sure that when we prepare an If URL for Etag comparison, 80 we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>] 81 82 *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't 83 result in a 412 Precondition Failed for a COPY operation. PR54610 84 [Timothy Wood <tjw omnigroup.com>] 85 86 *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead 87 property on a resource for which there is no dead property in the same 88 namespace httpd segfaults. PR 52559 [Diego Santa Cruz 89 <diego.santaCruz spinetix.com>] 90 91 *) mod_dav: Do not fail PROPPATCH when prop namespace is not known. 
92 PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>] 93 94 *) mod_dav: Do not segfault on PROPFIND with a zero length DBM. 95 PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>] 96 97Changes with Apache 2.2.24 98 99 *) SECURITY: CVE-2012-3499 (cve.mitre.org) 100 Various XSS flaws due to unescaped hostnames and URIs HTML output in 101 mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. 102 [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>] 103 104 *) SECURITY: CVE-2012-4558 (cve.mitre.org) 105 XSS in mod_proxy_balancer manager interface. [Jim Jagielski, 106 Niels Heinen <heinenn google com>] 107 108 *) mod_rewrite: Stop merging RewriteBase down to subdirectories 109 unless new option 'RewriteOptions MergeBase' is configured. 110 Merging RewriteBase was unconditionally turned on in 2.2.23. 111 PR 53963. [Eric Covener] 112 113 *) mod_ssl: Send the error message for speaking http to an https port using 114 HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when 115 using SNI. PR 50823. [Stefan Fritsch] 116 117 *) mod_ssl: log revoked certificates at level INFO 118 instead of DEBUG. PR 52162. [Stefan Fritsch] 119 120 *) mod_proxy_ajp: Support unknown HTTP methods. PR 54416. 121 [Rainer Jung] 122 123 *) mod_dir: Add support for the value 'disabled' in FallbackResource. 124 [Vincent Deffontaines] 125 126 *) mod_ldap: Fix regression in handling "server unavailable" errors on 127 Windows. PR 54140. [Eric Covener] 128 129 *) mod_ssl: fix a regression with the string rendering of the "UID" RDN 130 introduced in 2.2.15. PR 54510. [Kaspar Brand] 131 132 *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output 133 to more accurately report the negotiated protocol. PR 53916. 134 [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand] 135 136 *) mod_cache: Explicitly allow cache implementations to cache a 206 Partial 137 Response if they so choose to do so. 
Previously an attempt to cache a 206 138 was arbitrarily allowed if the response contained an Expires or 139 Cache-Control header, and arbitrarily denied if both headers were missing. 140 Currently the disk and memory cache providers do not cache 206 Partial 141 Responses. [Graham Leggett] 142 143 *) core: Remove unintentional APR 1.3 dependency introduced with 144 Apache 2.2.22. [Eric Covener] 145 146 *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if 147 the chosen listener is configured for https. [Joe Orton] 148 149 *) mod_ssl: Add new directive SSLCompression to disable TLS-level 150 compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch] 151 152Changes with Apache 2.2.23 153 154 *) SECURITY: CVE-2012-0883 (cve.mitre.org) 155 envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the 156 current working directory to be searched for DSOs. [Stefan Fritsch] 157 158 *) SECURITY: CVE-2012-2687 (cve.mitre.org) 159 mod_negotiation: Escape filenames in variant list to prevent a 160 possible XSS for a site where untrusted users can upload files to 161 a location with MultiViews enabled. [Niels Heinen <heinenn google.com>] 162 163 *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled). 164 [Paul Wouters <pwouters redhat.com>, Joe Orton] 165 166 *) mod_ldap: Treat the "server unavailable" condition as a transient 167 error with all LDAP SDKs. [Filip Valder <filip.valder vsb.cz>] 168 169 *) core: Add filesystem paths to access denied / access failed messages. 170 [Eric Covener] 171 172 *) core: Fix error handling in ap_scan_script_header_err_brigade() if there 173 is no EOS bucket in the brigade. PR 48272. [Stefan Fritsch] 174 175 *) core: Prevent "httpd -k restart" from killing server in presence of 176 config error. 
[Joe Orton] 177 178 *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit 179 control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive, 180 adding TLSv1.1 and TLSv1.2 support by default given 'SSLProtocol All'. 181 [Kaspar Brand, William Rowe] 182 183 *) mod_log_config: Fix %{abc}C truncating cookie values at first "=". 184 PR 53104. [Greg Ames] 185 186 *) Unix MPMs: Fix small memory leak in parent process if connect() 187 failed when waking up children. [Joe Orton] 188 189 *) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945. 190 [Peter Pramberger <peter pramberger.at>, Jim Jagielski] 191 192 *) Added SSLProxyMachineCertificateChainFile directive so the proxy client 193 can select the proper client certificate when using a chain and the 194 remote server only lists the root CA as allowed. 195 196 *) mpm_event, mpm_worker: Remain active amidst prevalent child process 197 resource shortages. [Jeff Trawick] 198 199 *) mod_rewrite: Add "AllowAnyURI" option. PR 52774. [Joe Orton] 200 201 *) mod_rewrite: Fix the RewriteEngine directive to work within a 202 location. Previously, once RewriteEngine was switched on globally, 203 it was impossible to switch off. [Graham Leggett] 204 205 *) mod_proxy_balancer: Restore balancing after a failed worker has 206 recovered when using lbmethod_bybusyness. PR 48735. [Jeff Trawick] 207 208 *) mod_dumpio: Properly handle errors from subsequent input filters. 209 PR 52914. [Stefan Fritsch] 210 211 *) mpm_worker: Fix cases where the spawn rate wasn't reduced after child 212 process resource shortages. [Jeff Trawick] 213 214 *) mpm_prefork: Reduce spawn rate after a child process exits due to 215 unexpected poll or accept failure. [Jeff Trawick] 216 217 *) core: Adjust ap_scan_script_header_err*() to prevent mod_cgi and mod_cgid 218 from logging bogus data in case of errors. 
[Stefan Fritsch] 219 220 *) mod_disk_cache, mod_mem_cache: Decline the opportunity to cache if the 221 response is a 206 Partial Content. This stops a reverse proxied partial 222 response from becoming cached, and then being served in subsequent 223 responses. PR 49113. [Graham Leggett] 224 225 *) configure: Fix usage with external apr and apu in non-default paths 226 and recent gcc versions >= 4.6. [Jean-Frederic Clere] 227 228 *) core: Fix building against PCRE 8.30 by switching from the obsolete 229 pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung] 230 231 *) mod_proxy: Add the forcerecovery balancer parameter that determines if 232 recovery for balancer workers is enforced. [Ruediger Pluem] 233 234Changes with Apache 2.2.22 235 236 *) SECURITY: CVE-2011-3368 (cve.mitre.org) 237 Reject requests where the request-URI does not match the HTTP 238 specification, preventing unexpected expansion of target URLs in 239 some reverse proxy configurations. [Joe Orton] 240 241 *) SECURITY: CVE-2011-3607 (cve.mitre.org) 242 Fix integer overflow in ap_pregsub() which, when the mod_setenvif module 243 is enabled, could allow local users to gain privileges via a .htaccess 244 file. [Stefan Fritsch, Greg Ames] 245 246 *) SECURITY: CVE-2011-4317 (cve.mitre.org) 247 Resolve additional cases of URL rewriting with ProxyPassMatch or 248 RewriteRule, where particular request-URIs could result in undesired 249 backend network exposure in some configurations. 250 [Joe Orton] 251 252 *) SECURITY: CVE-2012-0021 (cve.mitre.org) 253 mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format 254 string is in use and a client sends a nameless, valueless cookie, causing 255 a denial of service. The issue existed since version 2.2.17. PR 52256. 
256 [Rainer Canavan <rainer-apache 7val com>] 257 258 *) SECURITY: CVE-2012-0031 (cve.mitre.org) 259 Fix scoreboard issue which could allow an unprivileged child process 260 to cause the parent to crash at shutdown rather than terminate 261 cleanly. [Joe Orton] 262 263 *) SECURITY: CVE-2012-0053 (cve.mitre.org) 264 Fix an issue in error responses that could expose "httpOnly" cookies 265 when no custom ErrorDocument is specified for status code 400. 266 [Eric Covener] 267 268 *) SECURITY: CVE-2012-4557 (cve.mitre.org) 269 mod_proxy_ajp: Try to prevent a single long request from marking a worker 270 in error. [Jean-Frederic Clere] 271 272 *) config: Update the default mod_ssl configuration: Disable SSLv2, only 273 allow >= 128bit ciphers, add commented example for speed optimized cipher 274 list, limit MSIE workaround to MSIE <= 5. [Kaspar Brand] 275 276 *) core: Fix segfault in ap_send_interim_response(). PR 52315. 277 [Stefan Fritsch] 278 279 *) mod_log_config: Prevent segfault. PR 50861. [Torsten F�rtsch 280 <torsten.foertsch gmx.net>] 281 282 *) mod_win32: Invert logic for env var UTF-8 fixing. 283 Now we exclude a list of vars which we know for sure they dont hold UTF-8 284 chars; all other vars will be fixed. This has the benefit that now also 285 all vars from 3rd-party modules will be fixed. PR 13029 / 34985. 286 [Guenter Knauf] 287 288 *) core: Fix hook sorting for Perl modules, a regression introduced in 289 2.2.21. PR: 45076. [Torsten Foertsch <torsten foertsch gmx net>] 290 291 *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20: 292 A range of '0-' will now return 206 instead of 200. PR 51878. 293 [Jim Jagielski] 294 295 *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead 296 of "0"). [Rainer Jung] 297 298 *) mod_substitute: Fix buffer overrun. 
[Ruediger Pluem, Rainer Jung] 299 300Changes with Apache 2.2.21 301 302 *) SECURITY: CVE-2011-3348 (cve.mitre.org) 303 mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not 304 recognized. [Jean-Frederic Clere] 305 306 *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20. 307 PR 51748. [<lowprio20 gmail.com>] 308 309 *) mod_filter: Instead of dropping the Accept-Ranges header when a filter 310 registered with AP_FILTER_PROTO_NO_BYTERANGE is present, 311 set the header value to "none". [Eric Covener, Ruediger Pluem] 312 313 *) mod_proxy_ajp: Ignore flushing if headers have not been sent. 314 PR 51608 [Ruediger Pluem] 315 316 *) mod_dav_fs: Fix segfault if apr DBM driver cannot be loaded. PR 51751. 317 [Stefan Fritsch] 318 319 *) mod_alias: Adjust log severity of "incomplete redirection target" 320 message. PR 44020. 321 322 *) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the 323 RewriteEngine is disabled in server context, avoiding a crash while 324 referencing the invalid int: map at runtime. PR 50994. 325 [Ben Noordhuis <info noordhuis nl>] 326 327 *) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none' 328 in the case Ranges are being ignored with MaxRanges none. 329 [Eric Covener] 330 331 *) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets. 332 [Rainer Jung] 333 334Changes with Apache 2.2.20 335 336 *) SECURITY: CVE-2011-3192 (cve.mitre.org) 337 core: Fix handling of byte-range requests to use less memory, to avoid 338 denial of service. If the sum of all ranges in a request is larger than 339 the original file, ignore the ranges and send the complete file. 340 PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener] 341 342 *) mod_authnz_ldap: If the LDAP server returns constraint violation, 343 don't treat this as an error but as "auth denied". 
[Stefan Fritsch] 344 345 *) mod_filter: Fix FilterProvider conditions of type "resp=" (response 346 headers) for CGI. [Joe Orton, Rainer Jung] 347 348 *) mod_reqtimeout: Fix a timed out connection going into the keep-alive 349 state after a timeout when discarding a request body. PR 51103. 350 [Stefan Fritsch] 351 352 *) core: Do the hook sorting earlier so that the hooks are properly sorted 353 for the pre_config hook and during parsing the config. [Stefan Fritsch] 354 355Changes with Apache 2.2.19 356 357 *) Revert ABI breakage in 2.2.18 caused by the function signature change 358 of ap_unescape_url_keep2f(). This release restores the signature from 359 2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex(). 360 [Eric Covener] 361 362Changes with Apache 2.2.18 363 364 *) Log an error for failures to read a chunk-size, and return 408 instead 365 413 when this is due to a read timeout. This change also fixes some cases 366 of two error documents being sent in the response for the same scenario. 367 [Eric Covener] PR49167 368 369 *) core: Only log a 408 if it is no keepalive timeout. PR 39785 370 [Ruediger Pluem, Mark Montague <markmont umich.edu>] 371 372 *) core: Treat timeout reading request as 408 error, not 400. 373 Log 408 errors in access log as was done in Apache 1.3.x. 374 PR 39785 [Nobutaka Mantani <nobutaka nobutaka.org>, Stefan Fritsch, 375 Dan Poirier] 376 377 *) Core HTTP: disable keepalive when the Client has sent 378 Expect: 100-continue 379 but we respond directly with a non-100 response. Keepalive here led 380 to data from clients continuing being treated as a new request. 381 PR 47087. [Nick Kew] 382 383 *) htpasswd: Change the default algorithm for htpasswd to MD5 on all 384 platforms. Crypt with its 8 character limit is not useful anymore; 385 improve out of disk space handling (PR 30877); print a warning if 386 a password is truncated by crypt. [Stefan Fritsch] 387 388 *) mod_win32: Added shebang check for '! 
so that .vbs scripts work as CGI. 389 Win32's cscript interpreter can only use a single quote as comment char. 390 [Guenter Knauf] 391 392 *) configure: Fix htpasswd/htdbm libcrypt link errors with some newer 393 linkers. [Stefan Fritsch] 394 395 *) MinGW build improvements. PR 49535. [John Vandenberg 396 <jayvdb gmail.com>, Jeff Trawick] 397 398 *) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support. 399 [Stefan Fritsch] 400 401 *) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes 402 in request URL path info but not decode them. PR 35256, 403 PR 46830. [Dan Poirier] 404 405 *) mod_rewrite: Allow to unset environment variables. PR 50746. 406 [Rainer Jung] 407 408 *) suEXEC: Add Suexec directive to disable suEXEC without renaming the 409 binary (Suexec Off), or force startup failure if suEXEC is required 410 but not supported (Suexec On). [Jeff Trawick] 411 412 *) mod_proxy: Put the worker in error state if the SSL handshake with the 413 backend fails. PR 50332. 414 [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem] 415 416 *) prefork: Update MPM state in children during a graceful restart. 417 Allow the HTTP connection handling loop to terminate early 418 during a graceful restart. PR 41743. 419 [Andrew Punch <andrew.punch 247realmedia.com>] 420 421 *) mod_ssl: Correctly read full lines in input filter when the line is 422 incomplete during first read. PR 50481. [Ruediger Pluem] 423 424 *) mod_autoindex: Merge IndexOptions from server to directory context when 425 the directory has no mod_autoindex directives. PR 47766. [Eric Covener] 426 427 *) mod_cache: Make sure that we never allow a 304 Not Modified response 428 that we asked for to leak to the client should the 304 response be 429 uncacheable. PR45341 [Graham Leggett] 430 431 *) mod_dav: Send 400 error if malformed Content-Range header is received for 432 a put request (RFC 2616 14.16). PR 49825. 
[Stefan Fritsch] 433 434 *) mod_userdir: Add merging of enable, disable, and filename arguments 435 to UserDir directive, leaving enable/disable of userlists unmerged. 436 PR 44076 [Eric Covener] 437 438 *) core: Honor 'AcceptPathInfo OFF' during internal redirects, 439 such as per-directory mod_rewrite substitutions. PR 50349. 440 [Eric Covener] 441 442 *) mod_cache: Check the request to determine whether we are allowed 443 to return cached content at all, and respect a "Cache-Control: 444 no-cache" header from a client. Previously, "no-cache" would 445 behave like "max-age=0". [Graham Leggett] 446 447 *) mod_mem_cache: Add a debug msg when a streaming response exceeds 448 MCacheMaxStreamingBuffer, since mod_cache will follow up with a scary 449 'memory allocation failed' debug message. PR 49604. [Eric Covener] 450 451 *) proxy_connect: Don't give up in the middle of a CONNECT tunnel 452 when the child process is starting to exit. PR50220. [Eric Covener] 453 454Changes with Apache 2.2.17 455 456 *) prefork MPM: Run cleanups for final request when process exits gracefully 457 to work around a flaw in apr-util. PR 43857. [Tom Donovan] 458 459 *) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend 460 connections and other protocol handlers (like mod_ftp). Enforce the 461 timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering 462 close time from 30 to 2 seconds. [Stefan Fritsch] 463 464 *) Proxy balancer: support setting error status according to HTTP response 465 code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>] 466 467 *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the 468 password to UTF-8. PR 45318. 
469 [Johannes Müller <joh_m gmx.de>, Stefan Fritsch] 470 471 *) core: check symlink ownership if both FollowSymlinks and 472 SymlinksIfOwnerMatch are set [Nick Kew] 473 474 *) core: fix origin checking in SymlinksIfOwnerMatch 475 PR 36783 [Robert L Mathews <rob-apache.org.bugs tigertech.net>] 476 477 *) mod_headers: Enable multi-match-and-replace edit option 478 PR 46594 [Nick Kew] 479 480 *) mod_log_config: Make ${cookie}C correctly match whole cookie names 481 instead of substrings. PR 28037. [Dan Franklin <dan dan-franklin.com>, 482 Stefan Fritsch] 483 484 *) mod_dir, mod_negotiation: Pass the output filter information 485 to newly created sub requests; as these are later on used 486 as true requests with an internal redirect. This allows for 487 mod_cache et.al. to trap the results of the redirect. 488 PR 17629, 43939 489 [Dirk-Willem van Gulik, Jim Jagielski, Joe Orton, Ruediger Pluem] 490 491 *) rotatelogs: Fix possible buffer overflow if admin configures a 492 mongo log file path. [Jeff Trawick] 493 494 *) mod_ssl: Do not do overlapping memcpy. PR 45444 [Joe Orton] 495 496 *) vhost: A purely-numeric Host: header should not be treated as a port. 497 PR 44979 [Nick Kew] 498 499 *) core: (re)-introduce -T commandline option to suppress documentroot 500 check at startup. 501 PR 41887 [Jan van den Berg <janvdberg gmail.com>] 502 503Changes with Apache 2.2.16 504 505 *) SECURITY: CVE-2010-1452 (cve.mitre.org) 506 mod_dav, mod_cache: Fix Handling of requests without a path segment. 507 PR: 49246 [Mark Drayton, Jeff Trawick] 508 509 *) SECURITY: CVE-2010-2068 (cve.mitre.org) 510 mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection 511 for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung] 512 513 *) core: Filter init functions are now run strictly once per request 514 before handler invocation. The init functions are no longer run 515 for connection filters. PR 49328. [Joe Orton] 516 517 *) mod_filter: enable it to act on non-200 responses. 
518 PR 48377 [Nick Kew] 519 520 *) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns 521 title page only) when any mod_ldap directives were used in VirtualHost 522 context. [Eric Covener] 523 524 *) mod_ssl: Fix segfault at startup if proxy client certs are shared 525 across multiple vhosts. PR 39915. [Joe Orton] 526 527 *) mod_proxy_http: Log the port of the remote server in various messages. 528 PR 48812. [Igor Galić <i galic brainsware org>] 529 530 *) apxs: Fix -A and -a options to ignore whitespace in httpd.conf 531 [Philip M. Gollucci] 532 533 *) mod_dir: add FallbackResource directive, to enable admin to specify 534 an action to happen when a URL maps to no file, without resorting 535 to ErrorDocument or mod_rewrite. PR 47184 [Nick Kew] 536 537 *) mod_rewrite: Allow to set environment variables without explicitly 538 giving a value. [Rainer Jung] 539 540 541Changes with Apache 2.2.15 542 543 *) SECURITY: CVE-2009-3555 (cve.mitre.org) 544 mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection 545 attack when compiled against OpenSSL version 0.9.8m or later. Introduces 546 the 'SSLInsecureRenegotiation' directive to reopen this vulnerability 547 and offer unsafe legacy renegotiation with clients which do not yet 548 support the new secure renegotiation protocol, RFC 5746. 549 [Joe Orton, and with thanks to the OpenSSL Team] 550 551 *) SECURITY: CVE-2009-3555 (cve.mitre.org) 552 mod_ssl: A partial fix for the TLS renegotiation prefix injection attack 553 for OpenSSL versions prior to 0.9.8l; reject any client-initiated 554 renegotiations. Forcibly disable keepalive for the connection if there 555 is any buffered data readable. Any configuration which requires 556 renegotiation for per-directory/location access control is still 557 vulnerable, unless using openssl 0.9.8l or later. 
558 [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>] 559 560 *) SECURITY: CVE-2010-0408 (cve.mitre.org) 561 mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent 562 when request headers indicate a request body is incoming; not a case of 563 HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>] 564 565 *) SECURITY: CVE-2010-0425 (cve.mitre.org) 566 mod_isapi: Do not unload an isapi .dll module until the request 567 processing is completed, avoiding orphaned callback pointers. 568 [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick] 569 570 *) SECURITY: CVE-2010-0434 (cve.mitre.org) 571 Ensure each subrequest has a shallow copy of headers_in so that the 572 parent request headers are not corrupted. Eliminates a problematic 573 optimization in the case of no request body. PR 48359. 574 [Jake Scott, William Rowe, Ruediger Pluem] 575 576 *) mod_reqtimeout: New module to set timeouts and minimum data rates for 577 receiving requests from the client. [Stefan Fritsch] 578 579 *) mod_proxy_ajp: Really regard the operation a success, when the client 580 aborted the connection. In addition adjust the log message if the client 581 aborted the connection. [Ruediger Pluem] 582 583 *) mod_negotiation: Preserve query string over multiviews negotiation. 584 This buglet was fixed for type maps in 2.2.6, but the same issue 585 affected multiviews and was overlooked. 586 PR 33112. [Joergen Thomsen <apache jth.net>] 587 588 *) mod_cache: Introduce the thundering herd lock, a mechanism to keep 589 the flood of requests at bay that strike a backend webserver as 590 a cached entity goes stale. [Graham Leggett] 591 592 *) mod_proxy_http: Make sure that when an ErrorDocument is served 593 from a reverse proxied URL, that the subrequest respects the status 594 of the original request. This brings the behaviour of proxy_handler 595 in line with default_handler. PR 47106. 
[Graham Leggett] 596 597 *) mod_log_config: Add the R option to log the handler used within the 598 request. [Christian Folini <christian.folini netnea com>] 599 600 *) mod_include: Allow fine control over the removal of Last-Modified and 601 ETag headers within the INCLUDES filter, making it possible to cache 602 responses if desired. Fix the default value of the SSIAccessEnable 603 directive. [Graham Leggett] 604 605 *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs 606 is configured for client cert auth. PR 46952. [Joe Orton] 607 608 *) core: Fix potential memory leaks by making sure to not destroy 609 bucket brigades that have been created by earlier filters. 610 [Stefan Fritsch] 611 612 *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to 613 try other providers in the case of an LDAP bind failure. 614 PR 46608. [Justin Erenkrantz, Joe Schaefer, Tony Stevenson] 615 616 *) mod_proxy, mod_proxy_http: Support remote https proxies 617 by using HTTP CONNECT. 618 PR 19188. [Philippe Dutrueux <lilas evidian.com>, Rainer Jung] 619 620 *) worker: Don't report server has reached MaxClients until it has. 621 Add message when server gets within MinSpareThreads of MaxClients. 622 PR 46996. [Dan Poirier] 623 624 *) mod_ssl: When extracting certificate subject/issuer names to the 625 SSL_*_DN_* variables, handle RDNs with duplicate tags by 626 exporting multiple varialables with an "_n" integer suffix. 627 PR 45875. [Joe Orton, Peter Sylvester <peter.sylvester edelweb.fr>] 628 629 *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user 630 password now result in an informational level log entry instead of 631 warning level. [Eric Covener] 632 633 *) core: Preserve Port information over internal redirects 634 PR 35999. [Jonas Ringh <jonas.ringh cixit.se>] 635 636 *) mod_filter: fix FilterProvider matching where "dispatch" string 637 doesn't exist. 638 PR 48054. 
[<tietew gmail.com>] 639 640 *) Build: fix --with-module to work as documented 641 PR 43881. [Gez Saunders <gez.saunders virgin.net>] 642 643 *) mod_mime: Make RemoveType override the info from TypesConfig. 644 PR 38330. [Stefan Fritsch] 645 646 *) mod_proxy: unable to connect to a backend is SERVICE_UNAVAILABLE, 647 rather than BAD_GATEWAY or (especially) NOT_FOUND. 648 PR 46971. [Evan Champion <evanc nortel.com>] 649 650 *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'. 651 [Eric Covener] 652 653 *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge 654 some cache entries and log a warning. Also increase the default 655 LDAPSharedCacheSize to 500000. This is a more realistic size suitable 656 for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries. 657 PR 46749. [Stefan Fritsch] 658 659 *) mod_disk_cache, mod_mem_cache: don't cache incomplete responses, 660 per RFC 2616, 13.8. PR15866. [Dan Poirier] 661 662 *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if 663 the request is a CONNECT request. PR 47928. 664 [Bill Zajac <billz consultla.com>] 665 666 *) mod_cache: correctly consider s-maxage in cacheability 667 decisions. [Dan Poirier] 668 669 *) core: Return APR_EOF if request body is shorter than the length announced 670 by the client. PR 33098. [Stefan Fritsch] 671 672 *) mod_rewrite: Add scgi scheme detection. [André Malo] 673 674 *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and 675 LocationMatch sections. PR 47754. [Dan Poirier] 676 677 *) ab, mod_ssl: Restore compatibility with OpenSSL < 0.9.7g. 678 [Guenter Knauf] 679 680Changes with Apache 2.2.14 681 682 *) SECURITY: CVE-2009-2699 (cve.mitre.org) 683 Fixed in APR 1.3.9. Faulty error handling in the Solaris pollset support 684 (Event Port backend) which could trigger hangs in the prefork and event 685 MPMs on that platform. PR 47645. 
[Jeff Trawick] 686 687 *) SECURITY: CVE-2009-3095 (cve.mitre.org) 688 mod_proxy_ftp: sanity check authn credentials. 689 [Stefan Fritsch <sf fritsch.de>, Joe Orton] 690 691 *) SECURITY: CVE-2009-3094 (cve.mitre.org) 692 mod_proxy_ftp: NULL pointer dereference on error paths. 693 [Stefan Fritsch <sf fritsch.de>, Joe Orton] 694 695 *) mod_proxy_scgi: Backport from trunk. [André Malo] 696 697 *) mod_ldap: Don't try to resolve file-based user ids to a DN when AuthLDAPURL 698 has been defined at a very high level. PR 45946. [Eric Covener] 699 700 *) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett] 701 702 *) mod_ldap: Bring the LDAPCacheEntries and LDAPOpCacheEntries 703 usage() in synch with the manual and the implementation (0 and -1 704 both disable the cache). [Eric Covener] 705 706 *) mod_ssl: The error message when SSLCertificateFile is missing should 707 at least give the name or position of the problematic virtual host 708 definition. [Stefan Fritsch sf sfritsch.de] 709 710 *) htdbm: Fix possible buffer overflow if dbm database has very 711 long values. PR 30586 [Dan Poirier] 712 713 *) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>] 714 715 *) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute 716 type. PR 45107. [Michael Ströder <michael stroeder.com>, 717 Peter Sylvester <peter.sylvester edelweb.fr>] 718 719 *) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore 720 defined session identifiers encoded in the URL when caching. 721 [Ruediger Pluem] 722 723 *) mod_mem_cache: fix seg fault under load due to pool concurrency problem 724 PR: 47672 [Dan Poirier <poirier pobox.com>] 725 726 *) mod_autoindex: Correctly create an empty cell if the description 727 for a file is missing. 
     PR 47682 [Peter Poeml <poeml suse.de>]

Changes with Apache 2.2.13

  *) SECURITY: CVE-2009-2412 (cve.mitre.org)
     Distributed with APR 1.3.8 and APR-util 1.3.9 to fix potential overflow
     in pools and rmm, where size alignment was taking place.
     [Matt Lewis <mattlewis@google.com>, Sander Striker]

  *) mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas. Report
     warnings compiling mod_ssl against OpenSSL to the httpd developers.
     [Guenter Knauf]

  *) mod_cgid: Do not add an empty argument when calling the CGI script.
     PR 46380 [Ruediger Pluem]

  *) Fix potential segfaults with use of the legacy ap_rputs() etc.
     interfaces, in cases where an output filter fails. PR 36780.
     [Joe Orton]

Changes with Apache 2.2.12

  *) SECURITY: CVE-2009-1891 (cve.mitre.org)
     Fix a potential Denial-of-Service attack against mod_deflate or other
     modules, by forcing the server to consume CPU time in compressing a
     large file after a client disconnects. PR 39605.
     [Joe Orton, Ruediger Pluem]

  *) SECURITY: CVE-2009-1195 (cve.mitre.org)
     Prevent the "Includes" Option from being enabled in a .htaccess
     file if the AllowOverride restrictions do not permit it.
     [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
     Ruediger Pluem, Jeff Trawick]

  *) SECURITY: CVE-2009-1890 (cve.mitre.org)
     Fix a potential Denial-of-Service attack against mod_proxy in a
     reverse proxy configuration, where a remote attacker can force a
     proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]

  *) SECURITY: CVE-2009-1191 (cve.mitre.org)
     mod_proxy_ajp: Avoid delivering content from a previous request which
     failed to send a request body.
     PR 46949 [Ruediger Pluem]

  *) SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
     The bundled copy of the APR-util library has been updated, fixing three
     different security issues which may affect particular configurations
     and third-party modules.

  *) mod_headers: Make 'Header set Content-Type' effective on responses
     that already have a Content-Type. [Issac Goldstand]

  *) mod_include: fix potential segfault when handling back references
     on an empty SSI variable. [Ruediger Pluem, Lars Eilebrecht, Nick Kew]

  *) mod_alias: check sanity in Redirect arguments.
     PR 44729 [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]

  *) mod_proxy_http: fix Host: header for literal IPv6 addresses.
     PR 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]

  *) mod_rewrite: Remove locking for writing to the rewritelog.
     PR 46942

  *) mod_alias: Ensure Redirect emits HTTP-compliant URLs.
     PR 44020

  *) mod_proxy_http: fix case sensitivity checking transfer encoding
     PR 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]

  *) mod_rewrite: Fix the error string returned by RewriteRule.
     RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
     argument of RewriteRule did not start with "[" or did not end with "]".
     PR 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]

  *) mod_proxy: Complete ProxyPassReverse to handle balancer URLs. Given:
       BalancerMember balancer://alias http://example.com/foo
       ProxyPassReverse /bash balancer://alias/bar
     the backend URL http://example.com/foo/bar/that is now translated to
     /bash/that. [William Rowe]

  *) New piped log syntax: Use "||process args" to launch the given process
     without invoking the shell/command interpreter.
     Use "|$command line"
     (the default behavior of "|command line" in 2.2) to invoke using the shell,
     consuming an additional shell process for the lifetime of the logging
     pipe program but granting additional process invocation flexibility.
     [William Rowe]

  *) mod_ssl: Add server name indication support (RFC 4366) and better
     support for name based virtual hosts with SSL. PR 34607
     [Peter Sylvester <peter.sylvester edelweb.fr>,
     Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
     Ruediger Pluem]

  *) mod_negotiation: Escape paths of filenames in 406 responses to avoid
     HTML injection and HTTP response splitting. PR 46837.
     [Geoff Keating <geoffk apple.com>]

  *) mod_include: Prevent a case of SSI timefmt-smashing with filter chains
     including multiple INCLUDES filters. PR 39369 [Joe Orton]

  *) mod_rewrite: When evaluating a proxy rule in directory context, do
     escape the filename by default. PR 46428 [Joe Orton]

  *) mod_proxy_ajp: Check more strictly that the backend follows the AJP
     protocol. [Mladen Turk]

  *) mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
     to enable stricter checking of remote server certificates.
     [Ruediger Pluem]

  *) mod_substitute: Fix a memory leak. PR 44948
     [Dan Poirier <poirier pobox.com>]

  *) mod_proxy_ajp: Forward remote port information by default.
     [Rainer Jung]

  *) mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
     directive to correctly remove headers before storing them.
     [Lars Eilebrecht]

  *) mod_deflate: revert changes in 2.2.8 that caused an invalid
     etag to be emitted for on-the-fly gzip content-encoding.
     PR 39727 will require larger fixes and this fix was far more
     harmful than the original code. PR 45023. [Roy T. Fielding]

  *) mod_disk_cache: The module now turns off sendfile support if
     'EnableSendfile off' is defined globally. PR 41218.
     [Lars Eilebrecht, Issac Goldstand]

  *) prefork: Fix child process hang during graceful restart/stop in
     configurations with multiple listening sockets. PR 42829. [Joe Orton,
     Jeff Trawick]

  *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the
     size of the buffer used for the request-body where necessary
     during a per-dir renegotiation. PR 39243. [Joe Orton]

  *) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
     way that per-directory rewrites append the previous notion of PATH_INFO
     to each substitution before evaluating subsequent rules.
     PR 38642 [Eric Covener]

  *) mod_authnz_ldap: Reduce number of initialization debug messages and make
     information more clear. PR 46342 [Dan Poirier]

  *) mod_cache: Introduce 'no-cache' per-request environment variable
     to prevent the saving of an otherwise cacheable response.
     [Eric Covener]

  *) core: Translate the status line to ASCII on EBCDIC platforms in
     ap_send_interim_response() and for locally generated "100 Continue"
     responses. [Eric Covener]

  *) CGI: return 504 (Gateway timeout) rather than 500 when a script
     times out before returning status line/headers.
     PR 42190 [Nick Kew]

  *) prefork: Log an error instead of segfaulting when child startup fails
     due to pollset creation failures. PR 46467. [Jeff Trawick]

  *) mod_ext_filter: fix error handling when the filter prog fails to start,
     and introduce an onfail configuration option to abort the request
     or to remove the broken filter and continue.
     PR 41120 [Nick Kew]

  *) mod_include: support generating non-ASCII characters as entities in SSI
     PR 25202 [Nick Kew]

  *) core/utils: Enhance ap_escape_html API to support escaping non-ASCII
     chars [Nick Kew]

  *) mod_rewrite: fix "B" flag breakage by reverting r589343
     PR 45529 [Bob Ionescu <bobsiegen googlemail.com>]

  *) mod_cgid: fix segfault problem on Solaris.
     PR 39332 [Masaoki Kobayashi <masaoki techfirm.co.jp>, Jeff Trawick]

  *) mod_ldap: Avoid a segfault when result->rc is checked in
     uldap_connection_init when result is NULL. This could happen if LDAP
     initialization failed. PR 45994. [Dan Poirier <poirier pobox.com>]

  *) Set Listen protocol to "https" if port is set to 443 and no proto is
     specified (as documented but not implemented). PR 46066
     [Dan Poirier <poirier pobox.com>]

  *) mod_cache: Correctly save Content-Encoding of cacheable entity. PR 46401
     [Dan Poirier <poirier pobox.com>]

  *) Output -M and -S dumps (modules and vhosts) to stdout instead of stderr.
     PR 42571 and PR 44266 (dup). [Dan Poirier <poirier pobox.com>]

  *) mod_cache: When an explicit Expires or Cache-Control header is set, cache
     normally non-cacheable response statuses. PR 46346.
     [Alex Polvi <alex polvi.net>]

Changes with Apache 2.2.11

  *) core: When the ap_http_header_filter processes an error bucket, clean up
     the passed brigade before returning AP_FILTER_ERROR down the filter
     chain. This unambiguously ensures the same error bucket isn't revisited.
     [Ruediger Pluem]

  *) core: Error responses set by filters were being coerced into 500 errors,
     sometimes appended to the original error response.
     Log entry of:
     'Handler for (null) returned invalid result code -3'
     [Eric Covener]

  *) configure: Don't reject libtool 2.x
     PR 44817 [Arfrever Frehtes Taifersar Arahesis <Arfrever.FTA gmail.com>]

  *) mod_autoindex: add configuration option to insert string
     in HTML HEAD (IndexHeadInsert). [Nick Kew]

  *) Add new LogFormat parameter, %k, which logs the number of
     keepalive requests on this connection for this request.
     PR 45762 [Dan Poirier <poirier pobox.com>, Jim Jagielski]

  *) Export and install the mod_rewrite.h header to ensure the optional
     rewrite_mapfunc_t and ap_register_rewrite_mapfunc functions are
     available to third party modules. [Graham Leggett]

  *) mod_cache: Convert age of cached object to seconds before comparing it to
     age supplied by the request when checking whether to send a Warning
     header for a stale response. PR 39713. [Owen Taylor <otaylor redhat.com>]

  *) Build: Correctly set SSL_LIBS during openssl detection if pkgconfig is
     not available. PR 46018 [Ruediger Pluem]

  *) mod_proxy_ajp: Do not fail if response data is sent before all request
     data is read. PR 45911 [Ruediger Pluem]

  *) mod_proxy_balancer: Add in forced recovery for balancer members if
     all are in error state. [Mladen Turk]

  *) mod_proxy: Prevent segmentation faults by correctly adjusting the
     lifetime of the buckets read from the proxy backend. PR 45792
     [Ruediger Pluem]

  *) mod_expires: Do not set a negative max-age or an Expires header in the
     past. PR 39774 [Jim Jagielski]

  *) mod_info: Was displaying the wrong value for the KeepAliveTimeout
     value. [Jim Jagielski]

  *) mod_proxy_ajp: Fix wrongly formatted requests where client
     sets Content-Length header, but doesn't provide a body.
     Servlet container always expects that next packet is
     body whenever C-L is present in the headers.
     This can lead
     to wrong interpretation of the packets. In this case
     send the empty body packet, so container can deal with
     that. [Mladen Turk]

  *) core: Add ap_timeout_parameter_parse to public API. [Ruediger Pluem]

  *) mod_proxy: Add the possibility to set the worker parameters
     connectiontimeout and ping in milliseconds. [Ruediger Pluem]

  *) Worker MPM: Crosscheck that idle workers are still available before using
     them, thus preventing an overflow of the worker queue which causes
     a segfault. PR 45605 [Denis Ustimenko <denusk gmail.com>]

  *) Windows: Always build the odbc dbd driver on windows, to be consistent
     with the apr-util default. [Tom Donovan]

Changes with Apache 2.2.10

  *) SECURITY: CVE-2008-2939 (cve.mitre.org)
     mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
     the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]

  *) Allow for smax to be 0 for balancer members so that all idle
     connections are able to be dropped should they exceed ttl.
     PR 43371 [Phil Endecott <spam_from_apache_bugzilla chezphil.org>,
     Jim Jagielski]

  *) mod_proxy_http: Don't trigger a retry by the client if a failure to
     read the response line was the result of a timeout.
     [Adam Woodworth <mirkperl gmail.com>]

  *) Support chroot on Unix-family platforms
     PR 43596 [Dimitar Pashev <mitko banksoft-bg.com>]

  *) mod_ssl: implement dynamic mutex callbacks for the benefit of
     OpenSSL. [Sander Temme]

  *) mod_proxy_balancer: Add 'bybusyness' load balance method.
     [Joel Gluth <joelgluth yahoo.com.au>, Jim Jagielski]

  *) mod_authn_alias: Detect during startup when AuthDigestProvider
     is configured to use an incompatible provider via AuthnProviderAlias.
     PR 45196 [Eric Covener]

  *) mod_proxy: Add 'scolonpathdelim' parameter to allow for ';' to also be
     used as a session path separator/delim. PR 45158. [Jim Jagielski]

  *) mod_charset_lite: Avoid dropping error responses by handling meta buckets
     correctly. PR 45687 [Dan Poirier <poirier pobox.com>]

  *) mod_proxy_http: Introduce environment variable proxy-initial-not-pooled
     to avoid reusing pooled connections if the client connection is an
     initial connection. PR 37770. [Ruediger Pluem]

  *) mod_rewrite: Allow Cookie option to set secure and HttpOnly flags.
     PR 44799 [Christian Wenz <christian wenz.org>]

  *) mod_ssl: Rewrite shmcb to avoid memory alignment issues. PR 42101.
     [Geoff Thorpe]

  *) mod_proxy: Add connectiontimeout parameter for proxy workers in order to
     be able to set the timeout for connecting to the backend separately.
     PR 45445. [Ruediger Pluem, rahul <rahul sun.com>]

  *) mod_dav_fs: Retrieve minimal system information about directory
     entries when walking a DAV fs, resolving a performance degradation on
     Windows. PR 45464. [Joe Orton, Jeff Trawick]

  *) mod_cgid: Pass along empty command line arguments from an ISINDEX
     query that has consecutive '+' characters in the QUERY_STRING,
     matching the behavior of mod_cgi.
     [Eric Covener]

  *) mod_headers: Prevent Header edit from processing only the first header
     of possibly multiple headers with the same name and deleting the
     remaining ones. PR 45333. [Ruediger Pluem]

  *) mod_proxy_balancer: Move nonce field in the balancer manager page inside
     the html form where it belongs. PR 45578. [Ruediger Pluem]

  *) mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to
     known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
     [Ruediger Pluem]

  *) mod_rewrite: Preserve the query string when [proxy,noescape].
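     Four of the entries above describe configuration rather than internal
     fixes: the no-shell "||" piped-log syntax (2.2.12), the
     SSLProxyCheckPeerCN/SSLProxyCheckPeerExpire directives (2.2.12), the
     CVE-2009-1195 fix that keeps .htaccess from enabling "Includes" when
     AllowOverride does not allow it (2.2.12), and the mod_rewrite Cookie
     flag's secure/HttpOnly fields (2.2.10). The virtual host below uses all
     four together. It is an added example, not part of the httpd CHANGES
     file or of the httpd documentation; the hostnames, certificate and CA
     paths, the rotatelogs path, the DocumentRoot and the cookie name are
     placeholders, and the directive semantics are those documented for
     httpd 2.2.

```apache
# Added example for httpd 2.2.12+ (not from the CHANGES file). All hostnames,
# paths and the cookie name are placeholders.
<VirtualHost *:443>
    ServerName            www.example.com
    DocumentRoot          /var/www/html
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # 2.2.12 piped-log syntax. "||" execs rotatelogs directly, so no shell
    # ever parses this command line and no extra shell process lingers for
    # the life of the log pipe. "|$..." (and plain "|..." in 2.2) would go
    # through the shell instead.
    CustomLog "||/usr/sbin/rotatelogs /var/log/httpd/access_log 86400" combined

    # Reverse proxy to a TLS backend. SSLProxyVerify require rejects any
    # backend certificate that does not chain to a CA in
    # SSLProxyCACertificateFile; the two 2.2.12 directives add the checks
    # that chain validation alone does not cover: the certificate's CN must
    # match the hostname in the ProxyPass URL and it must not be expired.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem
    SSLProxyCheckPeerCN       on
    SSLProxyCheckPeerExpire   on
    ProxyPass        /app/ https://app-backend.internal.example.com/
    ProxyPassReverse /app/ https://app-backend.internal.example.com/

    # CVE-2009-1195 context: Options is not listed in AllowOverride, so an
    # "Options +Includes" line in a .htaccess under the DocumentRoot is
    # refused (that refusal is what the 2.2.12 fix restores). SSI stays off.
    <Directory /var/www/html>
        Options -Includes
        AllowOverride AuthConfig Limit
    </Directory>

    # 2.2.10 mod_rewrite CO flag with the secure and httponly fields. The
    # "-" substitution leaves the URL alone; only the cookie is set. Field
    # order is name:value:domain:lifetime:path:secure:httponly, and a
    # lifetime of 0 makes it a session cookie.
    RewriteEngine on
    RewriteRule ^/app/login$ - [CO=sessmark:1:www.example.com:0:/app:secure:httponly]
</VirtualHost>
```

     The point of the pairing is what each line removes from an attacker's
     reach: no shell between httpd and rotatelogs, no unverified or
     wrong-host backend certificate, no SSI switched on from a writable
     .htaccess, and a marker cookie that the browser will neither send in
     clear nor expose to page script.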
     PR 45247.
     [Tom Donovan]

Changes with Apache 2.2.9

  *) SECURITY: CVE-2008-2364 (cve.mitre.org)
     mod_proxy_http: Better handling of excessive interim responses
     from origin server to prevent potential denial of service and high
     memory usage. Reported by Ryujiro Shibuya. [Ruediger Pluem,
     Joe Orton, Jim Jagielski]

  *) SECURITY: CVE-2007-6420 (cve.mitre.org)
     mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager
     interface. [Joe Orton]

  *) core: Fix address-in-use startup failure on some platforms caused
     by creating an IPv4 listener which overlaps with an existing IPv6
     listener. [Jeff Trawick]

  *) mod_proxy: Make all proxy modules nocanon aware and do not add the
     query string again in this case. PR 44803.
     [Jim Jagielski, Ruediger Pluem]

  *) mod_unique_id: Fix timestamp value in UNIQUE_ID.
     PR 37064 [Kobayashi <kobayashi firstserver.co.jp>]

  *) htpasswd: Fix salt generation weakness. PR 31440
     [Andreas Krennmair <ak synflood.at>, Peter Watkins <peterw tux.org>,
     Paul Querna]

  *) core: Add the filename of the configuration file to the warning message
     about the useless use of AllowOverride. PR 39992.
     [Darryl Miles <darryl darrylmiles.org>]

  *) scoreboard: Remove unused proxy load balancer elements from scoreboard
     image (not scoreboard memory itself). [Chris Darroch]

  *) mod_proxy: Support environment variable interpolation in reverse
     proxying directives. [Nick Kew]

  *) suexec: When group is given as a numeric gid, validate it by looking up
     the actual group name such that the name can be used in log entries.
     PR 7862 [<y-koga apache.or.jp>, Leif W <warp-9.9 usa.net>]

  *) Fix garbled TRACE response on EBCDIC platforms.
     [David Jones <oscaremma gmail.com>]

  *) ab: Include <limits.h> earlier if available since we may need
     INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS.
     PR 45024 [Ruediger Pluem]

  *) ab: Improve client performance by clearing connection pool instead
     of destroying it. PR 40054 [Brad Roberts <braddr puremagic.com>]

  *) ab: Don't stop sending a request if EAGAIN is returned, which
     will only happen if both the write and subsequent wait are
     returning EAGAIN, and count posted bytes correctly when the initial
     write of a request is not complete. PR 10038, 38861, 39679
     [Patrick McManus <mcmanus datapower.com>,
     Stefan Fleiter <stefan.fleiter web.de>,
     Davanum Srinivas, Roy T. Fielding]

  *) ab: Overhaul stats collection and reporting to avoid integer
     truncation and time divisions within the test loop, retain
     native time resolution until output, remove unused data,
     consistently round milliseconds, and generally avoid losing
     accuracy of calculation due to type casts. PR 44878, 44931.
     [Roy T. Fielding]

  *) ab: Add -r option to continue after socket receive errors.
     [Filip Hanik <devlist hanik.com>]

  *) core: Do not allow Options ALL if not all options are allowed to be
     overwritten. PR 44262 [Michał Grzędzicki <lazy iq.pl>]

  *) mod_cache: Handle If-Range correctly if the cached resource was stale.
     PR 44579 [Ruediger Pluem]

  *) mod_proxy: Do not try a direct connection if the connection via a
     remote proxy failed before and the request has a request body.
     [Ruediger Pluem]

  *) mod_proxy_ajp: Do not retry request in the case that we either failed to
     send a part of the request body or if the request is not idempotent.
     PR 44334 [Ruediger Pluem]

  *) mod_rewrite: Initialize hash needed by ap_register_rewrite_mapfunc early
     enough.
     PR 44641 [Daniel Lescohier <daniel.lescohier cnet.com>]

  *) mod_dav: Return "method not allowed" if the destination URI of a WebDAV
     copy / move operation is not a DAV resource. PR 44734 [Ruediger Pluem]

  *) http_filters: Don't return 100-continue on redirects. PR 43711
     [Ruediger Pluem]

  *) mod_ssl: Fix a memory leak with connections that have zlib compression
     turned on. PR 44975 [Joe Orton, Amund Elstad <Amund.Elstad ist.com>,
     Dr Stephen Henson <steve openssl.org>]

  *) mod_proxy: Trigger a retry by the client in the case we fail to read the
     response line from the backend by closing the connection to the client.
     PR 37770 [Ruediger Pluem]

  *) gen_test_char: add double-quote to the list of T_HTTP_TOKEN_STOP.
     PR 9727 [Ville Skyttä <ville.skytta iki.fi>]

  *) core: reinstate location walk to fix config for subrequests
     PR 41960 [Jose Kahan <jose w3.org>]

  *) rotatelogs: Log the current file size and error code/description
     when failing to write to the log file. [Jeff Trawick]

  *) rotatelogs: Added '-f' option to force rotatelogs to create the
     logfile as soon as started, and not wait until it reads the
     first entry. [Jim Jagielski]

  *) rotatelogs: Don't leak memory when reopening the logfile.
     PR 40183 [Ruediger Pluem, Takashi Sato <serai lans-tv.com>]

  *) rotatelogs: Improve atomicity when using -l and cleanup code.
     PR 44004 [Rainer Jung]

  *) mod_authn_dbd: Disambiguate and tidy database authentication
     error messages. PR 43210. [Chris Darroch, Phil Endecott
     <spam_from_apache_bugzilla chezphil.org>]

  *) mod_headers: Add 'merge' option to avoid duplicate values within
     the same header.
     [Chris Darroch]

  *) mod_cgid: Explicitly set permissions of the socket (ScriptSock) shared by
     mod_cgid and request processing threads, for OSes such as HPUX and AIX
     that do not use umask for AF_UNIX socket permissions.
     [Eric Covener, Jeff Trawick]

  *) mod_cgid: Don't try to restart the daemon if it fails to initialize
     the socket. [Jeff Trawick]

  *) mod_log_config: Add format options for %p so that the actual local
     or remote port can be logged. PR 43415. [Adam Hasselbalch Hansen
     <ahh@one.com>, Ruediger Pluem, Jeff Trawick]

  *) Added 'disablereuse' option for ProxyPass which, essentially,
     disables connection pooling for the backend servers.
     [Jim Jagielski]

  *) mod_speling: remove regression from 1.3/2.0 behavior and
     drop dependency between mod_speling and AcceptPathInfo.
     PR 43562 [Jose Kahan <jose w3.org>]

  *) mod_substitute: The default is now flattening the buckets after
     each substitution. The newly added 'q' flag allows for the
     quicker, more efficient bucket-splitting if the user so
     desires. [Jim Jagielski]

  *) http_filters: Don't spin if we get an error when reading the
     next chunk. PR 44381 [Ruediger Pluem]

  *) ab: Do not try to read non-existent response bodies of HEAD requests.
     PR 34275 [Takashi Sato <serai lans-tv.com>]

  *) ab: Use a 64 bit unsigned int instead of a signed long to count the
     bytes transferred to avoid integer overflows. PR 44346 [Ruediger Pluem]

  *) ProxyPassReverse is now balancer aware. [Jim Jagielski]

  *) mod_include: Correctly handle SSI directives split over multiple filter
     passes. PR 44447 [Harald Niesche <harald brokenerror.de>]

  *) mod_cache: Revalidate cache entities which have Cache-Control: no-cache
     set in their response headers.
     PR 44511 [Ruediger Pluem]

  *) mod_rewrite: Check all files used by DBM maps for freshness; mod_rewrite
     didn't pick up on updated sdbm maps due to this.
     PR 41190 [Niklas Edmundsson]

  *) mod_proxy: Lower memory consumption for short lived connections.
     PR 44026. [Ruediger Pluem]

  *) mod_proxy: Keep connections to the backend persistent in the HTTPS case.
     [Ruediger Pluem]

  *) Don't add bogus duplicate Content-Language entries
     PR 11035 [Davi Arnaut]

  *) Worker / Event MPM: Fix race condition in pool recycling that leads to
     segmentation faults under load. PR 44402
     [Basant Kumar Kukreja <basant.kukreja sun.com>]

  *) mod_proxy_ftp: Fix base for directory listings.
     PR 27834 [Nick Kew]

  *) mod_logio: Provide optional function to allow modules to adjust the
     bytes_in count [Eric Covener]

  *) http_filters: Don't return 100-continue on client error
     PR 43711 [Chetan Reddy <chetanreddy gmail.com>]

  *) mod_charset_lite: Add TranslateAllMimeTypes sub-option to
     CharsetOptions, allowing the administrator to skip the
     mimetype checking that precedes translation.
     PR 44458 [Eric Covener]

  *) mod_proxy_http: Fix processing of chunked responses if
     Connection: Transfer-Encoding is set in the response of the proxied
     system. PR 44311 [Ruediger Pluem]

  *) mod_proxy_http: Return HTTP status codes instead of apr_status_t
     values for errors encountered while forwarding the request body
     PR 44165 [Eric Covener]

  *) mod_rewrite: Don't canonicalise URLs with [P,NE]
     PR 43319 [<rahul sun.com>]

Changes with Apache 2.2.8

  *) core: Fix regression in 2.2.7 in chunk filtering with massively
     chunked requests. [Ruediger Pluem, Nick Kew]

  *) winnt_mpm: Resolve modperl issues by redirecting console mode stdout
     to /Device/Nul as the server is starting up, mirroring unix MPMs.
     PR: 43534 [Tom Donovan <Tom.Donovan acm.org>, William Rowe]

  *) winnt_mpm: Restore Win32DisableAcceptEx On directive and Win9x platform
     by recreating the bucket allocator each time the trans pool is cleared.
     PR: 11427 #16 (follow-on) [Tom Donovan <Tom.Donovan acm.org>]

  *) mod_dav: Fix evaluation of If-Match * and If-None-Match * conditionals.
     PR 38034 [Paritosh Shah <shah.paritosh gmail.com>]

Changes with Apache 2.2.7 (not released)

  *) SECURITY: CVE-2007-6421 (cve.mitre.org)
     mod_proxy_balancer: Correctly escape the worker route and the worker
     redirect string in the HTML output of the balancer manager.
     Reported by SecurityReason. [Ruediger Pluem]

  *) SECURITY: CVE-2007-6422 (cve.mitre.org)
     Prevent crash in balancer manager if invalid balancer name is passed
     as parameter. Reported by SecurityReason. [Ruediger Pluem]

  *) SECURITY: CVE-2007-6388 (cve.mitre.org)
     mod_status: Ensure refresh parameter is numeric to prevent
     a possible XSS attack caused by redirecting to other URLs.
     Reported by SecurityReason. [Mark Cox, Joe Orton]

  *) SECURITY: CVE-2007-5000 (cve.mitre.org)
     mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
     [Joe Orton]

  *) SECURITY: CVE-2008-0005 (cve.mitre.org)
     Introduce the ProxyFtpDirCharset directive, allowing the administrator
     to identify a default, or specific servers or paths which list their
     contents in other-than ISO-8859-1 charset (e.g. utf-8). [Ruediger Pluem]

  *) mod_dav: Adjust etag generation to produce identical results on 32-bit
     and 64-bit platforms and avoid a regression with conditional PUTs on
     lock and etag. PR 44152.
     [Michael Clark <michael metaparadigm.com>, Ruediger Pluem]

  *) mod_ssl: Fix handling of the buffered request body during a per-location
     renegotiation, when an internal redirect occurs. PR 43738.
     [Joe Orton]

  *) mod_ldap: Try to establish a new backend LDAP connection when the
     Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. after the
     LDAP server has closed the connection due to a timeout.
     PR 39095 [Eric Covener]

  *) log.c: Ensure Win32 resurrects its lost robust logger processes.
     [William Rowe]

  *) mod_disk_cache: Delete temporary files if they cannot be renamed to their
     final name. [Davi Arnaut <davi haxent.com.br>]

  *) Add explicit charset to the output of various modules to work around
     possible cross-site scripting flaws affecting web browsers that do not
     derive the response character set as required by RFC2616. One of these
     reported by SecurityReason. [Joe Orton]

  *) http_protocol: Escape request method in 405 error reporting.
     This has no security impact since the browser cannot be tricked
     into sending arbitrary method strings. [Jeff Trawick]

  *) mod_ssl: Fix SSL client certificate extensions parsing bug. PR 44073.
     [yl <yl bee-ware.net>]

  *) mod_proxy_ajp: Use 64K as maximum AJP packet size. This is the maximum
     length we can squeeze inside the AJP message packet.
     [Mladen Turk]

  *) core: Lower memory consumption of ap_r* functions by reusing the brigade
     instead of recreating it during each filter pass.
     [Stefan Fritsch <sf sfritsch.de>]

  *) core: Lower memory consumption in case that flush buckets are passed
     through the chunk filter as last bucket of a brigade. PR 23567.
     [Stefan Fritsch <sf sfritsch.de>]

  *) core: Fix broken chunk filtering that causes all non-blocking reads to be
     converted into blocking reads. PR 19954, 41056.
     [Jean-Frederic Clere, Jim Jagielski]

  *) mod_rewrite: Add the novary flag to RewriteCond.
     [Ruediger Pluem]

  *) core: Change etag generation to produce identical results on
     32-bit and 64-bit platforms.
     PR 40064. [Joe Orton]

  *) http_protocol: Escape request method in 413 error reporting.
     Determined to be not generally exploitable, but a flaw in any case.
     PR 44014 [Victor Stinner <victor.stinner inl.fr>]

  *) mod_filter: Don't segfault on (unsupported) chained FilterProvider usage.
     PR 43956 [Nick Kew, Ruediger Pluem]

  *) core: Handle unrecognised transfer-encodings.
     PR 43882 [Nick Kew, Jeff Trawick]

  *) mod_include: Add an "if" directive syntax to test whether a URL
     is accessible, and if so, conditionally display content. This
     allows a webmaster to hide a link to a private page when the user
     has no access to that page. [Graham Leggett]

  *) Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009
     [Christophe Jaillet <christophe.jaillet wanadoo.fr>]

  *) mod_proxy_http: Correctly forward unexpected interim (HTTP 1xx)
     responses from the backend according to RFC2616. But make it
     configurable in case something breaks on it.
     PR 16518 [Nick Kew]

  *) mod_substitute: Added a new output filter, which performs
     inline response content pattern matching (including regex)
     and substitution. [Jim Jagielski, Ruediger Pluem]

  *) rotatelogs: Change command-line parsing to report more types
     of errors. Allow local timestamps to be used when rotating based
     on file size. [Jeff Trawick]

  *) mod_proxy: Canonicalisation improvements. Add "nocanon" keyword to
     ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also,
     don't escape/unescape forward-proxied URLs.
     PR 41798, 42592 [Nick Kew, Ruediger Pluem, Roy Fielding, Jim Jagielski]

  *) mod_status: Add SeeRequestTail directive, which determines if
     ExtendedStatus displays the 1st 63 characters of the request
     or the last 63.
     Useful for those requests with large string
     lengths and which only vary with the last several characters.
     [Jim Jagielski]

  *) mod_ssl: Prevent memory corruption of version string.
     PR 43865, 43334 [William Rowe, Joe Orton]

  *) core: Avoid some unexpected connection closes by telling the client
     that the connection is not persistent if the MPM process handling
     the request is already exiting when the response header is built.
     [Jeff Trawick]

  *) mod_autoindex: Generate valid XHTML output by adding the xhtml
     namespace. PR 43649 [Jose Kahan <jose w3.org>]

  *) mod_ldap: Give callers a reference to data copied into the request
     pool instead of references directly into the cache
     PR 43786 [Eric Covener]

  *) mod_ldap: Stop passing a reference to pconf around for
     (limited) use during request processing, avoiding possible
     memory corruption and crashes. [Eric Covener]

  *) Event MPM: Add support for running under mod_ssl, by reverting to the
     Worker MPM behaviors, when run under an input filter that buffers
     its own data. [Paul Querna]

  *) mod_charset_lite: Don't crash when the request has no associated
     filename. [Jeff Trawick]

  *) Core: fix possible crash at startup in case of nonexistent DocumentRoot.
     PR 39722 [Adrian Buckley <adrian.buckley ntlworld.com>]

  *) HTTP protocol: Add "DefaultType none" option.
     PR 13986 and PR 16139 [Nick Kew]

  *) mod_rewrite: Add option to suppress URL unescaping
     PR 34602 [Guenther Gsenger <guenther.gsenger gmail.com>]

  *) mpm_winnt: Eliminate wait_for_many_objects.
     Allows the clean
     shutdown of the server when MaxClients is higher than 257,
     in a more responsive manner. [Mladen Turk, William Rowe]

  *) mod_proxy_http: Remove Warning headers with wrong date
     PR 16138 [Nick Kew]

  *) mod_proxy_http: Correctly parse all Connection headers in proxy.
     PR 43509 [Nick Kew]

  *) mod_proxy_http: add Via header correctly (if enabled) to
     response, even where other Via headers exist.
     PR 19439 [Nick Kew]

  *) http_core: OPTIONS * no longer maps to local storage or URI
     space. Note that unlike previous versions, OPTIONS * no
     longer returns an Allow: header. PR 43519 [Jim Jagielski]

  *) mod_proxy_http: strip hop-by-hop response headers
     PR 43455 [Nick Kew]

  *) mod_proxy: Don't by default violate RFC2616 by setting
     Max-Forwards when the client didn't send it to us.
     Leave that as a configuration option.
     PR 16137 [Nick Kew]

  *) scoreboard: improve error message on apr_shm_create failure
     PR 40037 [Nick Kew]

  *) proxy: Fix persistent backend connections.
     PR 43472 [Ruediger Pluem]

  *) mod_deflate: initialise inflate-out filter correctly when the
     first brigade contains no data buckets.
     PR 43512 [Nick Kew]

  *) mod_proxy_ajp: Ignore any ajp13 flush packets received before
     we send the response headers. See Tomcat PR 43478.
     [Jim Jagielski]

  *) mod_proxy_balancer: Do not reset lbstatus, lbfactor and lbset when
     starting a new child.
     PR 39907 [Vinicius Petrucci <vpetrucci gmail.com>, Ruediger Pluem]

  *) mod_proxy_http: Propagate Proxy-Authorization header correctly.
     PR 25947 [Nick Kew]

  *) mod_proxy_ajp: Differentiate within AJP between GET and HEAD
     requests. PR 43060 [Jim Jagielski]

  *) Don't send spurious "100 Continue" response lines.
     PR 38014 [Basant Kumar Kukreja <basant.kukreja sun.com>]

  *) mod_proxy_ftp: Don't segfault on bad line in FTP listing.
     PR 40733 [Ulf Harnhammar <metaur telia.com>]

  *) mod_proxy: escape error-notes correctly.
     PR 40952 [Thijs Kinkhorst <thijs debian.org>]

  *) mod_proxy: check ProxyBlock for all blocked addresses.
     PR 36987 [Timo Viipuri <timo.viipuri f-secure.com>]

  *) mod_proxy: Don't lose bytes when a response line arrives in small chunks.
     PR 40894 [Andrew Rucker Jones <arjones simultan.dyndns.org>]

Changes with Apache 2.2.6

  *) SECURITY: CVE-2007-3847 (cve.mitre.org)
     mod_proxy: Prevent reading past the end of a buffer when parsing
     date-related headers. PR 41144.
     [Davi Arnaut, Nick Kew]

  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
     mod_cache: Prevent a segmentation fault if attributes are listed in a
     Cache-Control header without any value.
     [Niklas Edmundsson <nikke acc.umu.se>]

  *) SECURITY: CVE-2007-3304 (cve.mitre.org)
     prefork, worker, event MPMs: Ensure that the parent process cannot
     be forced to kill processes outside its process group.
     [Joe Orton, Jim Jagielski]

  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
     mod_status: Fix a possible XSS attack against a site with a public
     server-status page and ExtendedStatus enabled, for browsers which
     perform charset "detection". Reported by Stefan Esser. [Joe Orton]

  *) SECURITY: CVE-2007-1862 (cve.mitre.org)
     mod_mem_cache: Copy headers into longer lived storage; header names and
     values could previously point to cleaned up storage. PR 41551.
     [Davi Arnaut <davi haxent.com.br>]

  *) mod_info: mod_info outputs invalid XHTML 1.0 transitional.
     PR 42847 [Rici Lake <rici ricilake.net>]

  *) mod_ssl: Fix spurious hostname mismatch warning for valid
     wildcard certificates. PR 37911.
     [Nick Burch <nick torchbox.com>]

  *) mod_mem_cache: Increase the minimum and default value for
     MCacheMinObjectSize from 0 to 1, as a MCacheMinObjectSize of 0 does not
     make sense and leads to a division by zero. PR 40576.
     [Xuekun Hu <xuekun.hu gmail.com>]

  *) mod_cache: Remove expired content from cache that cannot be revalidated.
     PR 30370. [Ruediger Pluem]

  *) mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as synonymous.
     PR 43183 [Brian Rectanus <Brian.Rectanus breach.com>, Vincent Bray]

  *) mod_proxy: Ensure that at least scheme://hostname[:port] matches between
     worker and URL when searching for the best fitting worker for a given
     URL. PR 40910 [Ruediger Pluem]

  *) mod_proxy: Improve network performance by setting APR_TCP_NODELAY
     (disable Nagle algorithm) on sockets if implemented.
     PR 42871 [Christian BOITEL <christian_boitel yahoo.fr>, Jim Jagielski]

  *) core: Do not replace a Date header set by a proxied backend server.
     PR 40232 [Ruediger Pluem]

  *) mod_proxy: Add a missing assignment in an error checking code path.
     PR 40865 [Andrew Rucker Jones <arjones simultan.dyndns.org>]

  *) mod_proxy_connect: avoid segfault on DNS lookup failure.
     PR 40756 [Trevin Beattie <tbeattie boingo.com>]

  *) mod_proxy: enable Ignore Errors option on ProxyPass Status.
     PR 43167 [Francisco Gimeno <kikov kikov.org>]

  *) mod_proxy_http: Don't try to read body of a HEAD request before
     responding. PR 41644 [Stuart Children <stuart terminus.co.uk>]

  *) mod_authnz_ldap: Don't return HTTP_UNAUTHORIZED during authorization when
     LDAP authentication is configured but we haven't seen any
     'Require ldap-*' directives, allowing authorization to be passed to lower
     level modules (e.g.
     Require valid-user).
     PR 43281 [Eric Covener]

  *) mod_proxy: don't URLencode tilde in path component.
     PR 38448 [Stijn Hoop <stijn sandcat.nl>]

  *) proxy/ajp_header.c: Fixed header token string comparisons.
     Matching of header tokens failed to include the trailing NUL byte
     and could misinterpret a longer header token as a shorter one.
     Additionally, the "Content-Type" comparison was made case insensitive.
     [Martin Kraemer]

  *) proxy/ajp_header.c: Backport of an AJP protocol fix for EBCDIC.
     On EBCDIC machines, the status_line string was incorrectly converted
     twice. [Jean-Frederic Clere, Martin Kraemer]

  *) mod_dumpio: Fix for correct dumping of traffic on EBCDIC hosts.
     Data had been incorrectly converted twice, resulting in
     garbled log output. [Martin Kraemer]

  *) mod_autoindex: Add in Type and Charset options to IndexOptions
     directive. This allows the admin to explicitly set the
     content-type and charset of the generated page and is therefore
     a viable workaround for buggy browsers affected by CVE-2007-4465
     (cve.mitre.org). [Jim Jagielski]

  *) log core: ensure we use a special pool for stderr logging, so that
     the stderr channel remains valid from the time plog is destroyed
     until the time the open_logs hook is called again. [William Rowe]

  *) mod_negotiation: preserve Query String in resolving a type map.
     PR 33112 [Jørgen Thomsen <apache jth.net>, Nick Kew]

  *) mod_ssl: Version reporting update; displays 'compiled against'
     Apache and build-time SSL Library versions at loglevel [info],
     while reporting the run-time SSL Library version in the server
     info tags. Helps to identify a mod_ssl built against one flavor
     of OpenSSL but running against another (also adds SSL-C version
     number reporting.)
     [William Rowe]

  *) mime.types: Many updates to sync with IANA registry and common
     unregistered types that the owners refuse to register. Admins
     are encouraged to update their installed mime.types file.
     PR: 35550, 37798, 39317, 31483 [Roy T. Fielding]

  *) mod_expires: don't crash on bad configuration data.
     PR 43213 [Julien Perez <julien.perez epsylonia.net>]

  *) mod_dbd: Introduce configuration groups to allow inheritance by virtual
     hosts of database configurations from the main server. Determine the
     minimal set of distinct configurations and share connection pools
     whenever possible. Allow virtual hosts to override inherited SQL
     statements. PR 41302. [Chris Darroch]

  *) mod_dbd: Create memory sub-pools for each DB connection and close
     DB connections in a pool cleanup function. Ensure prepared statements
     are destroyed before DB connection is closed. When using reslists,
     prevent segfaults when child processes exit, and stop memory leakage
     of ap_dbd_t structures. Avoid use of global s->process->pool, which
     isn't destroyed by exiting child processes in most multi-process MPMs.
     PR 39985. [Chris Darroch, Nick Kew]

  *) mod_dbd: Handle error conditions in dbd_construct() properly.
     Simplify ap_dbd_open() and use correct arguments to apr_dbd_error()
     when non-threaded. Register correct cleanup data in non-threaded
     ap_dbd_acquire() and ap_dbd_cacquire(). Clean up configuration data
     and merge function. Use ap_log_error() wherever possible.
     [Chris Darroch, Nick Kew]

  *) mod_dbd: Stash DBD connections in request_config of initial request
     only, or else sub-requests and internal redirections may cause
     entire DBD pool to be stashed in a single HTTP request. [Chris Darroch]

  *) main core: Emit errors during the initial apr_app_initialize()
     or apr_pool_create() (when apr-based error reporting is not ready).
     [William Rowe, Jeff Trawick]

  *) log core: fix the new piped logger case where we couldn't connect
     the replacement stderr logger's stderr to the NULL stdout stream.
     Continue in this case, since the previous alternative of no error
     logging at all (/dev/null) is far worse. [William Rowe]

  *) mpm_winnt: Prevent the parent-child pipe from leaking into other
     spawned processes, and ensure we have a /Device/null handle for
     stdout when running as-a-service. [William Rowe]

  *) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
     improper merging of the cache lock in vhost config.
     PR 43164 [Eric Covener]

  *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk]

  *) mod_deflate: fix protocol handling in deflate input filter.
     PR 23287 [Nick Kew]

  *) mime.types: add Registered Javascript/ECMAScript MIME types (RFC4329).
     PR 40299 [Dave Hodder <dmh dmh.org.uk>]

  *) mod_filter: fix integer comparisons in dispatch rules.
     PR 41835 [Nick Kew]

  *) mod_filter: fix merging of ! and = in FilterChain.
     PR 42186 [Issac Goldstand <margol beamartyr.net>]

  *) mod_deflate: don't try to process metadata buckets as data. What should
     have been a 413 error was logged as a 500 and a blank screen appeared
     at the browser.
     [Greg Ames, Ruediger Pluem]

  *) mod_cgi, mod_cgid: Fix use of CGI scripts as ErrorDocuments.
     PR 39710. [Paul Querna, Ruediger Pluem]

  *) mod_proxy: Allow different values to be used for sessionid
     in url encoded id and cookies. PR 41897. [Jean-Frederic Clere]

  *) mod_proxy: Fix the 503 returned when session route does
     not match any of the balancer members. [Mladen Turk]

  *) mod_proxy: Added ProxyPassMatch directive, which is similar
     to ProxyPass but takes a regex local path prefix.
     [Jim Jagielski]

  *) mod_cache: Do not set Date or Expires when they are missing from
     the original response or are invalid. [Justin Erenkrantz]

  *) mod_cache: Correctly handle HEAD requests on expired cache content.
     PR 41230. [Niklas Edmundsson <nikke acc.umu.se>]

  *) mod_cache: Let Cache-Control max-age set the expiration of the cached
     representation if Expires is not set. [Justin Erenkrantz]

  *) mod_cache: Allow caching of requests with query arguments when
     Cache-Control max-age is explicitly specified. [Justin Erenkrantz]

  *) mod_disk_cache: Allow Vary'd responses to be refreshed properly.
     [Justin Erenkrantz]

  *) mod_proxy: Print the correct error message for erroneously configured
     ProxyPass directives. PR 40439. [Takashi Sato <serai lans-tv.com>]

  *) mod_so: Provide more helpful LoadModule feedback when an error occurs.
     [William Rowe]

  *) mod_alias: Accept path components (URL part) in Redirects. PR 35314.
     [Nick Kew]

  *) mod_headers: Allow % at the end of a Header value. PR 36609.
     [Nick Kew, Ruediger Pluem]

  *) mod_cache: Use the same cache key throughout the whole request processing
     to handle escaped URLs correctly. PR 41475. [Ruediger Pluem]

  *) mod_cache: Add CacheIgnoreQueryString directive. PR 41484.
     [Fredrik Widlund <fredrik.widlund qbrick.com>]

  *) mod_cache: While serving a cached entity ensure that filters that have
     been applied to this cached entity before saving it to the cache are not
     applied again. PR 40090. [Ruediger Pluem]

  *) mod_cache: Correctly cache objects whose URL query string has been
     modified by mod_rewrite. PR 40805. [Ruediger Pluem]

  *) HTTP proxy ProxyErrorOverride: Leave 1xx and 3xx responses alone. Only
     processing of error responses (4xx, 5xx) will be altered. PR 39245.
     [Jeff Trawick, Bart van der Schans <schans hippo.nl>]

  *) htdbm: Enable crypt support on platforms with crypt() but not
     <crypt.h>, such as z/OS. [David Jones <oscaremma gmail.com>]

  *) mod_ssl: initialize thread locks before initializing the hardware
     acceleration library, so the latter can make use of the former.
     PR 20951. [<adunn at ncipher.com>]

  *) ab.c: Correct behavior of HTTP request headers sent by ab
     in presence of -H command-line overrides. PR 31268, 26554.
     [Arvind Srinivasan <arvind.srinivasan sun.com>]

  *) ab.c: The apr_port_t type is unsigned, but ab was using a
     signed format code in its reports. PR 42070.
     [Takashi Sato <serai lans-tv.com>]

  *) mod_ldap: Remove the hardcoded size limit parameter for
     ldap_search_ext_s and replace it with an APR_ defined value that
     is set according to the LDAP SDK being used, resolving a problem
     with SDKs that define LDAP_NO_LIMIT to something other than -1.
     [David Jones <oscaremma gmail com>]

  *) core: Correct a regression since 2.0.x in the handling of AllowOverride
     Options. PR 41829. [Torsten Förtsch <torsten.foertsch gmx.net>]

  *) mod_proxy_http: Handle request bodies larger than 2 GB by converting
     the Content-Length header of the request correctly. PR 40883.
     [Ruediger Pluem, toadie <toadie643 gmail.com>]

  *) mod_proxy: Fix some proxy setting inheritance problems (eg:
     ProxyTimeout). PR 11540. [Stuart Children <stuart terminus.co.uk>]

  *) Unix MPMs: Catch SIGFPE so that exception hooks and CoreDumpDirectory
     can work after that terminating signal.
     [Eric Covener]

  *) Win32: Makefile.win will now build with MS VC 8 (Visual Studio 2005)
     including embedding the .manifest information into each binary.
     [William Rowe]

There was no Apache 2.2.5

Changes with Apache 2.2.4

  *) mod_isapi: Correctly present SERVER_PORT_SECURE.
     PR: 40573. [Matt Eaton <asf divinehawk.com>]

  *) Allow htcacheclean, httxt2dbm, and fcgistarter to link apr/apr-util
     statically like the older support programs.
     [Eric Covener <covener gmail.com>]

  *) core: Fix NONBLOCK status of listening sockets on restart/graceful.
     PR 37680. [Darius Davis <darius-abz free-range.com.au>]

  *) mod_deflate: Rework inflate output and deflate output filter to fix
     several issues: Incorrect handling of flush buckets, potential memory
     leaks, excessive memory usage in inflate output filter for large
     compressed content. PR 39854.
     [Ruediger Pluem, Nick Kew, Justin Erenkrantz]

  *) mod_mem_cache: Memory leak fix: Unconditionally free the buffer.
     [Davi Arnaut <davi haxent.com.br>]

  *) Allow mod_dumpio to log at other than DEBUG levels via
     the new DumpIOLogLevel directive. [Jim Jagielski]

  *) rotatelogs: Improve error message for open failures. PR 39487.
     [Joe Orton]

  *) mod_dbd: share per-request database handles across subrequests
     and internal redirects. [Chris Darroch]

  *) mod_dbd: key connection pools to virtual hosts correctly even when
     ServerName is unset/unavailable. [Graham Leggett]

  *) Better detection and clean up of ldap connection that has been
     terminated by the ldap server. PR 40878.
     [Rob Baily <rbaily servicebench com>]

  *) mod_mem_cache: Convert mod_mem_cache to use APR memory pool functions
     by creating a root pool for object persistence across requests. This
     also eliminates the need for custom serialization code.
     [Davi Arnaut <davi haxent.com.br>]

  *) mod_authnz_ldap: Add an AuthLDAPRemoteUserAttribute directive.
     If set, REMOTE_USER will be set to this attribute, rather than the
     username supplied by the user. Useful for example when you want users
     to log in using an email address, but need to supply a userid instead
     to the backend. [Graham Leggett]

  *) mod_cgi and mod_cgid: Don't use apr_status_t error return
     from input filters as HTTP return value from the handler.
     PR 31759. [Nick Kew]

  *) mod_cache: Eliminate a bogus error in the log when a filter returns
     AP_FILTER_ERROR. [Niklas Edmundsson <nikke acc.umu.se>]

  *) core: Fix issue which could cause piped loggers to be orphaned and never
     terminate after a graceful restart. PR 40651.
     [Joe Orton, Ruediger Pluem]

  *) core: Fix address-in-use startup failure caused by corruption of the list
     of listen sockets in some configurations with multiple generic Listen
     directives. [Jeff Trawick]

  *) mod_headers: Support regexp-based editing of HTTP headers. [Nick Kew]

  *) mod_proxy: Add explicit flushing feature. When Servlet container sends
     AJP body message with size 0, this means that Servlet container has asked
     for an explicit flush. Create flush bucket in that case. This feature has
     been added to the recent Tomcat versions without breaking the AJP
     protocol. [Mladen Turk]

  *) mod_proxy_balancer: Set the new environment variable
     BALANCER_ROUTE_CHANGED if a worker with a route different from the one
     supplied by the client had been chosen or if the client supplied no
     routing information for a balancer with sticky sessions.
     [Ruediger Pluem]

  *) mod_proxy_balancer: Add information about the route, the sticky session
     and the worker used during a request as environment variables. PR 39806.
     [Brian <brectanu gmail.com>]

  *) mod_proxy: Don't try to use dead backend connection. PR 37770.
     [Olivier BOEL <ob dorrboel.com>]

  *) mod_proxy_balancer: Extract stickysession routing information contained
     as parameter in the URL correctly. PR 40400.
     [Ruediger Pluem, Tomokazu Harada <harada sysrdc.ns-sol.co.jp>]

  *) mod_proxy_ajp: Added cping/cpong support for the AJP protocol.
     A new worker directive ping=timeout will cause a CPING packet
     to be sent, expecting a CPONG packet within the defined timeout.
     In case the backend is too busy this will fail instead of
     sending the full header. [Mladen Turk]

  *) mod_disk_cache: Make sure that only positive integers are accepted
     for the CacheMaxFileSize and CacheMinFileSize parameters in the
     config file. PR 39380. [Niklas Edmundsson <nikke acc.umu.se>]

  *) mod_cache: From RFC3986 (section 6.2.3.) if a URI contains an
     authority component and an empty path, the empty path is to be equivalent
     to "/". It explicitly cites the following four URIs as equivalents:
       http://example.com
       http://example.com/
       http://example.com:/
       http://example.com:80/
     [Davi Arnaut <davi haxent.com.br>]

  *) mod_cache: Don't cache requests with an Expires date in the past;
     otherwise mod_cache will always try to cache the URL. This bug
     might lead to numerous rename() errors on win32 if the URL was
     previously cached. [Davi Arnaut <davi haxent.com.br>]

  *) core: Deal with the widespread use of apr_status_t return values
     as HTTP status codes, as documented in PR#31759 (a bug shared by
     the default handler, mod_cgi, mod_cgid, mod_proxy, and probably
     others). PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]

  *) mod_ext_filter: Handle filter names which include capital letters.
     PR 40323. [Jeff Trawick]

  *) mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH
     support. Also corrects the slashes for Windows.
     PR 15993.
     [William Rowe]

  *) mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly; the
     token parser worked while the resulting length was misinterpreted.
     PR 29098. [Brock Bland <bbland serena.com>]

  *) mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade
     attempts to stream the response at the client. Log these as well.
     PR 30022, 40470. [William Rowe, Matt Eaton <asf divinehawk.com>]

  *) mod_isapi: Ensure we walk through all the methods the developer may have
     employed to report their HTTP status result code. PR 16637, 30033, 28089.
     [Matt Lewandowsky <matt iamcode.net>, William Rowe]

  *) mod_echo: Fix precedence problem in if statement. PR 40658.
     [Larry Cipriani <lvc lucent.com>]

  *) mod_mime_magic: Fix precedence problem in if statement. PR 40656.
     [Larry Cipriani <lvc lucent.com>]

  *) The full server version information is now included in the error log at
     startup as well as server status reports, irrespective of the setting
     of the ServerTokens directive. ap_get_server_version() is now
     deprecated, and is replaced by ap_get_server_banner() and
     ap_get_server_description(). [Jeff Trawick]

  *) mod_proxy_balancer: Workers can now be defined as part of
     a balancer cluster "set" in which members of a lower-numbered set
     are preferred over higher numbered ones. [Jim Jagielski]

  *) mod_proxy_balancer: Workers can now be defined as "hot standby" which
     will only be used if all other workers are unusable (eg: in
     error or disabled). Also, the balancer-manager displays the election
     count and I/O counts of all workers. [Jim Jagielski]

  *) mod_proxy_ajp: Close connection to backend if reading of request body
     fails. PR 40310.
     [Ian Abel <ianabel mxtelecom.com>]

  *) mod_proxy_balancer: Retry worker chosen by route / redirect worker if
     it is in error state before sending "Service Temporarily Unavailable".
     PR 38962. [Christian Boitel <cboitel lfdj.com>]

Changes with Apache 2.2.3

  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
     handling. For some RewriteRules this could lead to a pointer being
     written out of bounds. Reported by Mark Dowd of McAfee.
     [Mark Cox]

  *) Win32: Minor fixes to build more cleanly under Visual Studio 2005
     with command line builds. [William Rowe]

  *) mod_authn_alias: Add a check to make sure that the base provider and the
     alias names are different and also that the alias has not been registered
     before. PR 40051. [Brad Nicholes]

  *) mod_authnz_ldap: Fix a problem with invalid auth error detection for LDAP
     client SDKs that don't support the LDAP_SECURITY_ERROR macro. PR 39529.
     [Ray Price <dohrayme yahoo.com>, Josh Fenlason <jfenlason ptc.com>]

  *) mod_cache: Do not overwrite the Content-Type in the cache, for
     successfully revalidated cached objects. PR 39647. [Ruediger Pluem]

  *) mod_speling: Add directive to deal with case corrections only
     and ignore other misspellings. [Olivier Thereaux <ot w3.org>]

  *) mod_dbd: Fix dependence on virtualhost configuration in
     defining prepared statements (possible segfault at startup
     in user modules such as mod_authn_dbd). [Nick Kew]

  *) Add optional 'scheme://' prefix to ServerName directive,
     allowing correct determination of the canonical server URL
     for use behind a proxy or offload device handling SSL; fixing
     redirect generation in those cases. PR 33398. [Sander Temme]

  *) Added server_scheme field to server_rec for above. Minor MMN bump.
     [Sander Temme]

  *) mod_cache: Make caching of reverse SSL proxies possible again. PR 39593.
     [Ruediger Pluem, Joe Orton]

  *) Worker MPM: On graceless shutdown or restart, send signals to
     each worker thread to wake them up if they're polling on a
     Keep-Alive connection. PR 38737. [Chris Darroch]

  *) worker and event MPMs: fix excessive forking if fork() or child_init
     take a long time. PR 39275.
     [Greg Ames, Jeff Trawick, Chris Darroch <chrisd pearsoncmg.com>]

  *) configure: Add "--with-included-apr" flag to force use of the
     bundled version of APR at build time. [Joe Orton]

  *) Respect GracefulShutdownTimeout in the worker and event MPMs.
     [Chris Darroch, Garrett Rooney]

  *) mod_mem_cache: Set content type correctly when delivering data from
     cache. PR 39266. [Ruediger Pluem]

  *) mod_autoindex: Fix filename escaping with FancyIndexing disabled.
     PR 38910. [Robby Griffin <rmg terc.edu>]

  *) mod_charset_lite: Bypass translation when the source and dest charsets
     are the same. [Jeff Trawick]

Changes with Apache 2.2.2

  *) mod_deflate: work correctly in an internal redirect.
     [Brian J. France <list firehawksystems com>]

  *) mod_proxy_balancer: Initialize members of a balancer correctly.
     PR 38227. [James A. Robinson <jim.robinson stanford.edu>]

  *) mod_proxy: Do not release connections from connection pool twice.
     PR 38793. [Ruediger Pluem, matthias <mk-asf gigacodes.de>]

  *) core: Prevent reading uninitialized memory while reading a line of
     protocol input. PR 39282. [Davi Arnaut <davi haxent com br>]

  *) mod_dbd: Update defaults, improve error reporting.
     [Chris Darroch <chrisd pearsoncmg com>, Nick Kew]

  *) mod_dbd: Create own pool and mutex to avoid problematic use of the
     process pool in request processing.
     [Chris Darroch <chrisd pearsoncmg com>]

  *) HTML-escape the Expect error message. Not classed as security as
     an attacker has no way to influence the Expect header a victim will
     send to a target site. Reported by Thiago Zaninotti
     <thiango nstalker.com>. [Mark Cox]

  *) htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
     [Jeff Trawick]

  *) htdbm: Warn the user when adding a plaintext password on a platform
     where it wouldn't work with the server (i.e., anywhere that has
     crypt()). [Jeff Trawick]

  *) mod_proxy: don't reuse a connection that may be to the wrong backend.
     PR 39253 [Ruediger Pluem]

  *) Default handler: Don't return output filter apr_status_t values.
     PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]

Changes with Apache 2.2.1

  *) SECURITY: CVE-2005-3357 (cve.mitre.org)
     mod_ssl: Fix a possible crash during access control checks if a
     non-SSL request is processed for an SSL vhost (such as the
     "HTTP request received on SSL port" error message when a 400
     ErrorDocument is configured, or if using "SSLEngine optional").
     PR 37791. [Rüdiger Plüm, Joe Orton]

  *) SECURITY: CVE-2005-3352 (cve.mitre.org)
     mod_imagemap: Escape untrusted referer header before outputting
     in HTML to avoid potential cross-site scripting. Change also
     made to ap_escape_html so we escape quotes. Reported by JPCERT.
     [Mark Cox]

  *) mod_proxy_ajp: Flushing of the output after each AJP chunk is now
     configurable at runtime via the 'flushpackets' and 'flushwait' worker
     params. Minor MMN bump. [Jim Jagielski]

  *) mod_proxy: Fix incorrect usage of local and shared worker init.
     PR 38403. [Jim Jagielski]

  *) mod_isapi: Fix compiler errors on Unix platforms.
     [William Rowe]

  *) mod_proxy_http: Do send keep-alive header if the client sent
     connection: keep-alive and do not close backend connection if the client
     sent connection: close. PR 38524. [Ruediger Pluem, Joe Orton]

  *) mod_disk_cache: Return the correct error codes from bucket read
     failures, instead of APR_EGENERAL.
     [Brian Akins <brian.akins turner.com>]

  *) Add APR/APR-Util Compiled and Runtime Version numbers to the
     output of 'httpd -V'. [William Rowe]

  *) http: If a connection is aborted while waiting for a chunked line,
     flag the connection as errored out. [Justin Erenkrantz]

  *) core: Reject invalid Expect header immediately. PR 38123.
     [Ruediger Pluem]

  *) Fix mis-shifted 32 bit scope, masked to 64 bits as a method.
     [Will Rowe, Joe Orton]

  *) mod_proxy: Fix KeepAlives not being allowed and set to
     backend servers. PR 38602. [Ruediger Pluem, Jim Jagielski]

  *) Fix instdso.sh "sed syntax error" installation issue on some
     platforms. PR 38108. [Masaoki Kobayashi <masaoki techfirm.co.jp>]

  *) mod_ssl: Fix possible crashes in shmcb with gcc 4 on platforms
     requiring word-aligned pointers. PR 38838. [Joe Orton]

  *) mod_proxy: If we get an error reading the upstream response,
     close the connection. [Justin Erenkrantz, Roy T. Fielding,
     Jim Jagielski, Ruediger Pluem]

  *) mod_proxy_ajp: Support common headers of the AJP protocol in responses.
     PR 38340. [Aleksey Pesternikov <apesternikov yahoo.com>]

  *) mod_proxy_balancer: Do not overwrite the status of initialized workers
     and respect the configured status of uninitialized workers when creating
     a new child process.
     [Ruediger Pluem]

  *) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of
     the ajp message to prevent mod_proxy_ajp from reading beyond the buffer
     boundaries and thus revealing possibly sensitive memory contents to the
     client. [Ruediger Pluem]

  *) Ensure that the proper status line is written to the client, fixing
     incorrect status lines caused by filters which modify r->status without
     resetting r->status_line, such as the built-in byterange filter.
     [Jeff Trawick]

  *) mod_speling: Stop crashing with certain non-file requests.
     [Jeff Trawick]

  *) mod_cache: Make caching of reverse proxies possible again. PR 38017.
     [Ruediger Pluem]

  *) Modify apr[util] .h detection to avoid breakage on VPATH builds
     using Solaris make (among others) and avoid breakage in ./buildconf
     when srclib/apr[-util] are symlinks rather than directories proper.
     [William Rowe]

  *) Avoid Server-driven negotiation when a script has emitted an
     explicit Status: header. PR 38070. [Nick Kew]

  *) Fix to avoid feeding C99 to C++ compilers. [Joe Orton]

  *) Chunk filter: Fix chunk filter to create correct chunks in the case that
     a flush bucket is surrounded by data buckets. [Ruediger Pluem]

  *) Fix syntax error in httpd.h with strict compilers. PR 37840.
     [Per Olausson <pao darkheim.freeserve.co.uk>]

  *) Fix recursive ErrorDocument handling. PR 36090.
     [Chris Darroch <chrisd pearsoncmg.com>]

  *) Don't hang on error return from post_read_request. PR 37790.
     [Nick Kew]

  *) Fix off-by-one error in proxy_balancer. PR 37753.
     [Kazuhiro Osawa <ko yappo ne jp>]

Changes with Apache 2.2.0

  *) mod_negotiation: Minor performance tweak by reusing already calculated
     strlen.
     [Ruediger Pluem, Christophe Jaillet <christophe.jaillet wanadoo.fr>]

  *) Remove support for 'On' and 'Off' for AuthBasicProvider and
     AuthDigestProvider. [Joshua Slive, Justin Erenkrantz]

  *) Add in new UseCanonicalPhysicalPort directive, which controls
     whether or not Apache will ever use the actual physical port
     when constructing the canonical port number. [Jim Jagielski]

  *) mod_dav: Fix a null pointer dereference in an error code path during the
     handling of MKCOL.
     [Ruediger Pluem, Ghassan Misherghi <ghassanm ucdavis.edu>]

  *) mod_proxy_balancer: When finding best worker, use case insensitive
     match for scheme and host, but case sensitive for the rest of
     the path. [Jim Jagielski, Ruediger Pluem]

  *) Require use of APR >= 1.2.0 and APR-util >= 1.2.0 when configured
     to use external copies of the libraries. [Joe Orton]

  *) Fix DESTDIR=... installation when using bundled copy of APR.
     [Torsten Foertsch <torsten.foertsch gmx.net>]

  *) mod_dav: Fix handling of unknown state tokens in If: headers.
     PR: 37288. [Joe Orton]

  *) Strip out Experimental MPMs that have gone nowhere since 2.0
     (perchild, threadpool, leader). [Nick Kew]

Changes with Apache 2.1.9

  *) Add mod_authn_dbd (SQL-based authentication). [Nick Kew]

  *) mod_proxy_ajp: Do not spool the entire response from AJP backend before
     sending it up the filter chain. PR 37100. [Ruediger Pluem]

  *) mod_cache: Create new filters CACHE_OUT_SUBREQ / CACHE_SAVE_SUBREQ which
     only differ by the type from CACHE_OUT / CACHE_SAVE to ensure that
     subrequests to non-local resources work again. [Ruediger Pluem]

  *) mod_proxy: Do not lowercase the entire worker name of a BalancerMember
     since this breaks case sensitive URIs. PR 36906. [Ruediger Pluem]

  *) core: AddOutputFilterByType is ignored for proxied requests. PR 31226.
     [Joe Orton, Ruediger Pluem]

  *) mod_proxy_http: Prevent data corruption of POST request bodies when
     client accesses proxied resources with SSL. PR 37145.
     [Ruediger Pluem, William Rowe]

  *) mod_ssl: Fix issue which could cause spurious warnings about use
     of name-based vhosts. PR 37051. [Joe Orton]

  *) ab: Fix to ensure that only the expected number of requests are run.
     PR 36966. [Joe Orton]

  *) mod_proxy_balancer: BalancerManager and proxies correctly handle
     member workers with paths. PR 36816. [Ruediger Pluem, Jim Jagielski]

  *) mod_log_config: %{hextid}P will log the thread id in hex with APR
     versions 1.2.0 or higher. [Jeff Trawick]

  *) httpd.exe/apachectl -V: display the DYNAMIC_MODULE_LIMIT setting, as
     in 1.3. [Jeff Trawick]

  *) Support dbd connection tied to conn_rec in mod_dbd. [Nick Kew]

  *) Fix use of pools in mod_dbd. [Brian J France, Nick Kew]

  *) Promote modules from "experimental": mod_dbd, mod_filter,
     mod_charset_lite. [Nick Kew]

  *) mod_proxy_ajp: Do not send empty SSL attributes for non-SSL
     connections. PR 36883.
     [William Barker <william.barker wilshire.com>, Ruediger Pluem]

  *) Eliminated the NET_TIME filter, restructuring the timeout logic.
     This provides a working mod_echo on all platforms, and ensures any
     custom protocol module is at least given an initial timeout value
     based on the <VirtualHost > context's Timeout directive.
     [William Rowe]

  *) mod_proxy: Run the request_status hook also if there are no free workers
     or all workers are in error state.
     [Ruediger Pluem, Brian Akins <brian.akins turner.com>]

  *) mod_proxy_connect: Fix high CPU loop on systems like UnixWare which
     trigger POLL_ERR or POLL_HUP on a terminated connection. PR 36951.
     [Jeff Trawick, Ruediger Pluem]

  *) mod_proxy_balancer: Fix handling of sticky sessions with Tomcat.
     PR 36507. [Ruediger Pluem]

  *) SECURITY: CVE-2005-2970 (cve.mitre.org)
     worker MPM: Fix a memory leak which can occur after an aborted
     connection in some limited circumstances. [Greg Ames]

  *) Doxygen fixups. [Neale Ranns <neale ranns.org>, Ian Holsman]

  *) mod_cache/mod_dir: Correct a subrequest lookup bug which was preventing
     mod_dir from serving indexes correctly with mod_cache enabled.
     [Colm MacCarthaigh]

Changes with Apache 2.1.8

  *) Fix lingering close implementation to match 1.3.x behaviour.
     PR 35292. [Joe Orton]

  *) mod_ssl: Support limited buffering of request bodies to allow
     per-location renegotiation to proceed. PR 12355. [Joe Orton]

  *) Fix regression since 2.0.x in AllowOverride Options handling.
     PR 35330. [kabe <kabe sra-tohoku.co.jp>]

  *) mod_ssl: Fix memory leak in ssl_util_algotypeof().
     PR 25659. [David Blake <dblake hp com>, Martin Kraemer]

  *) prefork, worker and event MPMs: Support a graceful-stop procedure:
     the server will wait until existing requests are finished, or until
     "GracefulShutdownTimeout" seconds have elapsed, before exiting.
     [Colm MacCarthaigh, Ken Coar, Bill Stoddard]

  *) prefork, worker and event MPMs: Prevent children from holding open
     listening ports upon graceful restart or stop. PR 28167.
     [Colm MacCarthaigh, Brian Pinkerton <bp thinkpink.com>]

  *) SECURITY: CVE-2005-2700 (cve.mitre.org)
     mod_ssl: Fix a security issue where "SSLVerifyClient" was not
     enforced in per-location context if "SSLVerifyClient optional"
     was configured in the vhost configuration. [Joe Orton]

  *) mod_ssl: Catch parse errors from misconfigured or malformed
     CRLs. PR 36438.
     [Joe Orton]

  *) mod_proxy/mod_proxy_balancer: lbmethods now implemented as
     providers. Prevent problems when no Vhost containers were
     configured with proxy balancers. [Jim Jagielski]

  *) New provider function to list all available provider names in a
     specific group and version (ap_list_provider_names). [Jim Jagielski]

  *) mod_cache: Enhance CacheEnable/CacheDisable to control caching on a
     per-protocol, per-host and per-path basis. Intended for proxy
     configurations. [Colm MacCarthaigh]

  *) mod_disk_cache: Canonicalise the storage key, for improved hit/miss
     ratio. [Colm MacCarthaigh]

  *) mod_cgid: Append .PID to the script socket filename and remove the
     script socket on exit. [Colm MacCarthaigh, Jim Jagielski]

  *) mod_cgid: run the get_suexec_identity hook within the request-handler
     instead of within cgid. PR 36410. [Colm MacCarthaigh]

  *) Linux 2.0: remove support for threaded MPMs due to linuxthreads use
     of SIGUSR1 clashing with graceful restart signal. [Colm MacCarthaigh]

Changes with Apache 2.1.7

  *) SECURITY: CVE-2005-2491 (cve.mitre.org):
     Fix integer overflows in PCRE in quantifier parsing which could
     be triggered by a local user through use of a carefully-crafted
     regex in an .htaccess file. [Philip Hazel]

  *) mod_proxy/mod_proxy_balancer: Provide a simple, functional
     interface to add additional balancer lb selection methods
     without requiring code changes to mod_proxy/mod_proxy_balancer;
     these can be implemented via sub-modules now. [Jim Jagielski]

  *) mod_cache: Fix incorrectly served 304 responses when expired cache
     entity is valid, but cache is unwritable and headers cannot be
     updated. [Colm MacCarthaigh <colm stdlib.net>]

  *) mod_cache: Remove entities from the cache when re-validation
     receives a 404 or other content-no-longer-present error.
     [Rüdiger Plüm <ruediger.pluem vodafone.com>]

  *) mod_disk_cache: Properly remove files from cache when needed.
     [Rüdiger Plüm <ruediger.pluem vodafone.com>]

  *) mod_disk_cache: Support htcacheclean removing directories.
     [Andreas Steinmetz]

  *) htcacheclean: Add -t option to remove empty directories.
     [Colm MacCarthaigh <colm stdlib.net>]

  *) Remove the base href tag from mod_proxy_ftp, as it breaks relative
     links for clients not using an Authorization header. [Graham Leggett,
     Jon Snow <jsnow27 gatesec.net>]

  *) mod_cache: Restore the HTTP status of cached responses.
     [Hansjoerg Pehofer <hansjoerg.pehofer uibk.ac.at>]

  *) mod_cache: Store varied contents all in the same prefix for a varied URI.
     [Paul Querna]

  *) mod_cache: Run the CACHE_SAVE and CACHE_OUT Filters after other content
     filters. [Paul Querna]

  *) mod_negotiation: Correctly report 404 instead of 403 for missing files.
     [Paul Querna]

  *) New hook (request_status) that gets run in proxy_handler just before
     the final return. This gives modules an opportunity to do something
     based on the proxy status. (minor MMN bump)
     [Brian Akins <bakins turner.com>, Ian Holsman]

  *) Add additional SSLSessionCache option, 'nonenotnull', which is
     similar to 'none' (disabling any external shared cache) but forces
     OpenSSL to provide a non-null session ID. [Jim Jagielski]

  *) Add httxt2dbm to support/ for creating RewriteMap DBM Files.
     [Paul Querna]

  *) Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note
     the negotiated compression. [Georg v. Zezschwitz <gvz 2scale.de>]

  *) Fixed complaints about unpackaged files within the RPM build
     after changes to the config files. [Graham Leggett]

  *) Fix shutdown for the Worker MPM when an Accept Filter is used.
     Instead of just closing the socket, an HTTP request is made, to make
     sure the child is always awakened. [Paul Querna]

Changes with Apache 2.1.6

  *) Fix htdbm password validation for records which included comments.
     [Eric Covener <covener gmail.com>]

  *) mod_cgid: Fix buffer overflow processing ScriptSock directive.
     [Steve Kemp <steve steve.org.uk>]

Changes with Apache 2.1.5

  *) mod_ssl: Setting the Protocol to 'https' can replace the use of the
     'SSLEngine on' command. [Paul Querna]

  *) core: Refactor the mapping of Accept Filters to Sockets. Add the
     AcceptFilter and Protocol directives to aid in mapping filter types.
     Extend the Listen directive to optionally take a protocol name.
     [Paul Querna]

  *) mod_disk_cache: Support storing multiple variations of one URL. PR 35211.
     [Paul Querna]

  *) mod_disk_cache: Atomically create the header data file. [Paul Querna]

  *) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125.
     [Paul Querna]

  *) mod_cache: Rename 'generate_name' to 'ap_cache_generate_name'.
     [Paul Querna]

  *) mod_mime_magic: Handle CRLF-format magic files so that it works with
     the default installation on Windows. [Jeff Trawick]

  *) core: Allow multiple modules to register interest in a single
     configuration command. [Paul Querna]

  *) authn_provider_alias: Adds the configuration block tag
     <AuthnProviderAlias baseProvider Alias>
     Authentication directives contained within this block can be
     referenced as a new authProvider using the AuthBasicProvider or
     AuthDigestProvider directive. These directives will be merged into
     the per_dir configuration just before the base provider is called.
     [Brad Nicholes]

  *) ap_getword_conf: Fix backslashes at the end of configuration directives.
     PR 34834.
     [Timo Viipuri <viipuri dlc.fi>]

  *) mod_dbd: New additions: mod_dbd.c, mod_dbd.h, mod_dbd.xml
     Provide module hooks for apr_dbd; optimise for httpd
     threaded and non-threaded arch [Nick Kew]

  *) ab: SSL support rewritten, improved, and enabled if SSL is enabled
     during the build; -f and -Z arguments added to specify SSL protocol
     options. [Masaoki Kobayashi <masaoki techfirm.co.jp>]

  *) mod_info: Show the Quick Handler [Paul Querna]

  *) mod_ldap: Add the directive LDAPVerifyServerCert to specify
     whether to force verification of the server certificate when
     establishing an SSL connection to the LDAP server.
     [Brad Nicholes]

  *) mod_proxy: Run mod_rewrite before mod_proxy in the translate_name
     hook. [Paul Querna]

  *) Add AP_INIT_TAKE_ARGV for configuration commands. (minor MMN bump)
     [Paul Querna]

  *) ap_get_local_host() rewritten for APR. [Jim Jagielski]

  *) Add the ap_vhost_iterate_given_conn function to expose the information
     used in Name Based Virtual Hosting. (minor MMN bump)
     [Paul Querna]

  *) Remove the never-working ap_method_list_do and ap_method_list_vdo.
     [Paul Querna]

  *) Added makefile and doc for building mod_ssl on the NetWare
     platform. [Guenter Knauf, Brad Nicholes]

  *) mod_deflate: Merge the Vary header, instead of setting it. Fixes
     applications that send the Vary header themselves, and also apply
     mod_deflate as an output filter. [Paul Querna]

  *) Change the default (when not present in the config file) setting
     for UseCanonicalName to Off.
     [Joshua Slive]

  *) mod_userdir: The module no longer does any remapping unless the
     UserDir directive is present in the config file.
     [Joshua Slive]

  *) Massively simplify the distributed httpd.conf by removing
     many features and many directives that are at their default
     setting.
     Add a selection of example config excerpts for adding
     extra features in the conf/extra/ directory. Install the
     distributed config and the extra config examples in the
     conf/original/ directory during make install.
     [Joshua Slive, Justin Erenkrantz]

  *) NetWare: Reposition mod_asis, mod_actions, mod_cgi, mod_imagemap,
     mod_userdir and mod_autoindex as shared modules rather than
     built-in modules within the NetWare build.
     [Brad Nicholes]

  *) Rename mod_imap to mod_imagemap.
     [Paul Querna]

  *) util_ldap: Eliminate the load-ordering requirement between mod_ldap
     and mod_authnz_ldap by changing the mod_ldap exported functions to
     optional functions. [Brad Nicholes]

Changes with Apache 2.1.4

  *) Don't let a subrequest inherit headers describing the original request's
     body. [Greg Ames]

  *) Fix Windows CompContext buff size miscalculation
     [Allan Edwards]

  *) Add ReceiveBufferSize directive to control the TCP receive buffer.
     [Eric Covener <covener gmail.com>]

  *) mod_proxy: Add proxy-sendextracrlf option to send an extra CRLF at the
     end of the request body to work with really old HTTP servers.
     [Justin Erenkrantz]

  *) util_ldap: Keep track of the number of attributes retrieved from
     LDAP so that all the values can be properly cached even if the
     value is NULL. PR 33901 [Brad Nicholes]

  *) mod_cache: Fix error where incoming Cache-Control would be ignored.
     [Justin Erenkrantz]

  *) mod_cache: Correctly handle originally conditional requests.
     [Sander Striker]

  *) mod_disk_cache: Correctly update cached headers on revalidated responses.
     [Sander Striker, Justin Erenkrantz]

  *) worker MPM/mod_status: Support per-worker tracking of pid and
     generation in the scoreboard so that mod_status can accurately
     represent workers in processes which are gracefully terminating.
     (major MMN bump)
     [Jeff Trawick]

  *) Correctly export all mod_dav public functions.
     [Branko Čibej <brane xbc.nu>]

Changes with Apache 2.1.3

  *) mod_ssl: Add ssl_ext_lookup optional function for accessing
     certificate extensions. [David Reid, Joe Orton]

  *) Add support for use of an external PCRE library; pass the
     --with-pcre flag to configure. PR 27550. [Joe Orton,
     Andres Salomon <dilinger voxel.net>]

  *) Renamed regex interfaces to be namespace-safe, and moved from
     pcreposix.h header to ap_regex.h: regex_t->ap_regex_t,
     regmatch_t->ap_regmatch_t; REG_*->AP_REG_*; functions
     reg*->ap_reg*. PR 27550. [Andres Salomon <dilinger voxel.net>,
     Joe Orton]

  *) Only recompile buildmark.c when we have to relink httpd.
     [Justin Erenkrantz]

  *) mod_cache: Fix up handling of revalidated responses.
     [Justin Erenkrantz]

  *) mod_disk_cache: Properly load cached ETag from on-disk structures.
     [Justin Erenkrantz]

  *) mod_authnz_ldap: Added an optional second parameter to AuthLDAPURL
     to allow it to override the connection type set in mod_ldap. This
     parameter can be set to NONE, SSL or TLS | STARTTLS.
     [Brad Nicholes]

  *) Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
     [Max Bowsher <maxb ukf.net>]

  *) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170.
     [Rici Lake <rici ricilake.net>]

  *) mod_proxy: Fix ap_proxy_canonenc API.
     PR 32459. [Jim Jagielski]

  *) mod_cache: Add CacheStorePrivate and CacheStoreNoStore directives.
     [Justin Erenkrantz]

  *) Add --enable-pie flag to configure, to build httpd as a Position
     Independent Executable where supported (GCC/binutils).
     [Joe Orton]

  *) proxy_balancer: Add in load-balancing via weighted traffic
     byte count. [Jim Jagielski]

  *) mod_disk_cache: Cache r->err_headers_out headers.
     This allows CGI scripts to be properly cached.
     [Justin Erenkrantz, Sander Striker]

  *) mod_ldap: Updated to use the new apr-util v1.1 apr_ldap_*_option()
     API for the setting of server and client SSL certificates. Replaced
     LDAPTrustedCA directive with LDAPTrustedGlobalCert and
     LDAPTrustedClientCert directives to correctly support global certs
     (CA certs / NetWare client certs) and per connection client certs
     as supported by NetWare, OpenLDAP and Netscape/Mozilla.
     [Graham Leggett]

  *) mod_cache: Remove unimplemented CacheForceCompletion directive.
     [Justin Erenkrantz]

  *) support/check_forensic: Fix temp file usage
     [Javier Fernandez-Sanguino Peña <jfs computer.org>]

  *) mod_ssl: Add SSLCADNRequestFile and SSLCADNRequestPath directives
     which can be used to configure a specific list of CA names to send
     in a client certificate request. PR 32848.
     [Tim Taylor <tim.taylor dfas.mil>]

  *) --with-module can now take more than one module to be statically
     linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
     If the <modtype>-subdirectory doesn't exist it will be created and
     populated with a standard Makefile.in. [Erik Abele]

  *) Remove some compiler warnings within the LDAP modules [Graham Leggett]

  *) Add a build script to create a solaris package. [Graham Leggett]

  *) ap_http_method() replaced with ap_http_scheme() - this function
     returns the scheme (http vs. https).
     [William Rowe]

  *) mod_proxy: Fix a request corruption problem and a buffering problem
     which sometimes prevented proxy-sendchunks from working.
     [Jeff Trawick]

  *) Fix the RPM spec file so that an RPM build now works. An RPM
     build now requires system installations of APR and APR-util.
     [Graham Leggett]

  *) Significantly simplify the load balancer scheduling algorithm
     for the proxy BalancerMember weighting. Load factors (lbfactors)
     are now normalized with respect to each other. [Jim Jagielski]

  *) mod_dumpio: Added to the available module suite; it is an
     I/O logging/dumping module. Placed in the (new) debug module
     subdirectory. mod_bucketeer moved to that directory as well.
     [Jim Jagielski]

  *) core: Add support for APR_TCP_DEFER_ACCEPT to defer accepting
     of a connection until data is available.
     [Paul Querna]

Changes with Apache 2.1.2

  *) mod_proxy: Respect errors reported by pre_connection hooks.
     [Jeff Trawick]

  *) core: Error out on sections that are missing an argument instead of
     silently consuming the section. PR 25460.
     [Geoffrey Young, Paul Querna]

  *) mod_cache/mod_mem_cache/mod_disk_cache: Move out of experimental.

  *) Upgraded PCRE to version 5.0. [Brian Pane]

  *) mod_cgid: Catch configuration problem where two web server instances
     share same ServerRoot but admin forgot to use ScriptSock.
     [Jeff Trawick]

  *) mod_cgi: Ensure that all stderr is logged for a script which returns
     a Location header to generate a non-local redirect. PR 20111.
     [Joe Orton]

  *) Added the Event MPM to more efficiently handle clients during a
     Keep Alive request.
     [Paul Querna, Greg Ames]

Changes with Apache 2.1.1

  *) mod_proxy_http: Stream content better - always flush buffered data to
     the client before blocking waiting for new data. PR 19954.
     [Joe Orton]

  *) mod_ssl: Add support for command-line option "-t -DDUMP_CERTS" which
     will dump the filenames of all configured SSL certificates to stdout.
     [Joe Orton]

  *) mod_disk_cache: Remove a bunch of non-implemented garbage collection
     and cache size directives that are now available through htcacheclean.
     [Justin Erenkrantz]

  *) Add htcacheclean to support/ for assistance with mod_disk_cache.
     [Andreas Steinmetz]

  *) mod_authnz_ldap: Added the directive "Require ldap-filter" that
     allows the module to authorize a user based on a complex LDAP
     search filter. [Brad Nicholes]

  *) mod_usertrack: Run the fixups hook before other modules.
     PR 29755. [Paul Querna]

  *) Allow mod_authnz_ldap authorization functionality to be used
     without requiring the user to also be authenticated through
     mod_authnz_ldap. This allows other authentication modules to
     take advantage of LDAP authorization only. PR 28253.
     [Jari Ahonen <jah progress.com>, Brad Nicholes]

  *) Log the client IP address when an error occurs disabling nagle on a
     connection, but log at a severity of debug since this error
     generally means that the connection was dropped before data was
     sent. Log the client IP address when reporting errors in the core
     output filter. [Jeff Trawick]

  *) core: Add a warning message if the request line read fails.
     [Paul Querna]

  *) mod_rewrite: Removed the MaxRedirects option in favor of the
     core LimitInternalRecursion directive. [André Malo]

  *) mod_info: Added listing of the Request Hooks and added more build
     information like 'httpd -V' contains. Changed output to XHTML.
     [Paul Querna]

  *) mod_info: Rewrote config tree walk using a recursive function.
     Added ?config option. Added printout of config filename and line numbers.
     [Rici Lake <rici ricilake.net>, Paul Querna]

  *) mod_proxy: Fix type error that prevents proxy-sendchunks from working.
     [Justin Erenkrantz]

  *) mod_proxy: Fix data corruption by properly setting aside buckets.
     [Justin Erenkrantz]

  *) mod_proxy: If a request has a blank body and has a 0 Content-Length
     header, pass that to the proxy. [Justin Erenkrantz]

  *) Recognize QSA flag in mod_rewrite again.
     [Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]

  *) Restructured mod_auth_ldap to fit the new authentication model.
     The module is now called authnz_ldap and has been moved out of
     the modules/experimental area and into modules/aaa with the other
     auth modules. Both the authn_ldap provider and the authz_ldap
     handler are contained within the authnz_ldap module. The
     authz_ldap handler introduces three new "Require" values for handling
     authorization. These handlers are ldap-user, ldap-group and
     ldap-dn. [Brad Nicholes]

  *) Fix some compiler warnings in proxy
     [Geoffrey Young <geoff@modperlcookbook.org>]

  *) mod_ssl: Add SSL_CLIENT_V_REMAIN variable, representing the
     number of days until the client cert expires. [Joe Orton]

  *) Add test_config hook, run only if httpd is invoked using -t.
     [Joe Orton]

  *) Improve error handling for corrupted pid files. [Jeff Trawick]

  *) mod_proxy.c and proxy_util.c: Enable compiling on 2.0-HEAD
     (for backwards compatibility):
     Avoids mod_ssl.h (not included in 2.0-HEAD) and
     use apr_socket_create_ex for 0.9.x
     [Mladen Turk]

  *) Added proxy_ajp.c module for proxy support to ajp:// backends.
     [Jean Frederic Clere]

  *) Fixes the build of proxy on Windows. Since the proxy_module is declared
     as extern using AP_MODULE_DECLARE_DATA that expands to dllexport, there
     is a LNK2001 error when building proxy_http. [Mladen Turk]

  *) Remove LDAP toolkit specific code from util_ldap and mod_auth_ldap.
     [Graham Leggett]

  *) Remove deprecated/removed APR_STATUS_IS_SUCCESS().
     [Justin Erenkrantz]

  *) perchild MPM: Fix thread safety problem in the use of longjmp().
     [Tsuyoshi SASAMOTO <nazonazo super.win.ne.jp>]

  *) Add load balancer support to the scoreboard in preparation for
     load balancing support in mod_proxy. [Mladen Turk]

  *) mod_nw_ssl: Added the directive NWSSLUpgradeable to mod_nw_ssl to
     allow a non-secure connection to be upgraded to a secure connection.
     [Brad Nicholes]

  *) core: Add Options= syntax to AllowOverride to specify which options
     may be overridden in .htaccess files. PR 29310.
     [Tom Alsberg <alsbergt cs.huji.ac.il>, Paul Querna]

  *) ab: Handle long URLs with an error instead of a buffer overflow.
     PR 28204. [Erik Weide <erik.weidel mplus-technologies.de>, Paul Querna]

  *) mod_so, core: Add new command line options to print all loaded
     modules. '-t -D DUMP_MODULES' and '-M' will show all static
     and shared modules as loaded from the configuration file.
     [Paul Querna]

  *) mod_autoindex: Add ShowForbidden to IndexOptions to list files
     that are not shown because the subrequest returned 401 or 403.
     PR 10575. [Paul Querna]

  *) mod_headers: implement "Early" processing option in post_read_request
     to enable Header and RequestHeader directives to be used to set up
     testcases for pre-fixups request phases [Nick Kew]

  *) mod_proxy: multiple bugfixes, principally support cookies in
     ProxyPassReverse, and don't canonicalise URL passed to backend.
     Documentation correspondingly updated. [Nick Kew <nick webthing.com>]

  *) mod_deflate: support gzip flags in inflate_out_filter
     [Nick Kew <nick webthing.com>]

  *) Drop the ErrorHeader directive which turned out to be a misnomer.
     Instead there's a new optional flag for the Header directive
     ('always'), which keeps the former ErrorHeader functionality.
     [André Malo]

  *) mod_deflate: Don't deflate responses with zero length,
     e.g. proxied 304s. [Allan Edwards]

  *) <IfModule> now recognizes the module identifier in addition to the
     file name. PR 29003. [Edward Rudd <eddie omegaware.com>, André Malo]

  *) mod_ssl: Add "SSLHonorCipherOrder" directive to enable the
     OpenSSL 0.9.7 flag which uses the server's cipher order rather
     than the client's. PR 28665.
     [Jim Schneider <jschneid netilla.com>]

  *) mod_ssl: Drop support for the CompatEnvVars argument to
     SSLOptions, which was never actually implemented in 2.0.
     [Joe Orton]

  *) Fix bug in mod_deflate that unconditionally sent deflated output
     even when Accept-Encoding is not present. [Justin Erenkrantz]

  *) Pass environment variables through to piped loggers and start
     them via the shell, resolving regressions since 1.3. PR 28815.
     [Ken Coar, Jeff Trawick]

  *) External rewrite map responses are no longer limited to 2048
     bytes. [André Malo]

  *) Proxy server was deleting cookies that Apache had already
     assigned if the origin server had set any cookies. PR 27023.
     [Jim Jagielski]

  *) Removed old and unmaintained ap_add_named_module API and changed
     the following APIs to return an error instead of hard exiting:
     ap_add_module, ap_add_loaded_module, ap_setup_prelinked_modules,
     and ap_process_resource_config. [André Malo]

  *) mod_headers: Allow %% in header values to represent a literal %.
     [André Malo]

  *) mod_headers: Allow env clauses also for 'echo' and 'unset' actions.
     [André Malo]

  *) mod_headers: Allow 'echo' also for ErrorHeaders. [André Malo]

  *) mod_deflate: New option for DEFLATE output file (force-gzip),
     new output filter 'INFLATE' for uncompressing responses.
     [Nick Kew <Nick at WebThing dot com>, Ian Holsman]

  *) Added new module mod_version, which provides version dependent
     configuration containers. [André Malo]

  *) mod_log_config now logs all Set-Cookie headers if the %{Set-Cookie}o
     format is used. PR 27787. [André Malo]

  *) Allow Digest providers to return AUTH_DENIED to propagate a 401
     status and terminate the provider chain prior to checking the password.
     [Geoffrey Young]

  *) mod_cgid: Don't allow ScriptSock to be specified inside VirtualHost;
     Don't place script socket inside default server root instead of
     actual server root. PR 27886. [Jeff Trawick]

  *) mod_proxy: Fix handling of non-200 success status codes when
     "ProxyErrorOverride On" is configured. PR 20183.
     [Marcus Janson <marcus.janson tre.se>, Joe Orton]

  *) Threaded MPMs for Unix and Win32: Add support for ThreadStackSize
     directive (previously NetWare-only) to override default thread
     stack size for threads which handle client connections. Required
     for some third-party modules on platforms with small default
     thread stack size. [Jeff Trawick]

  *) Minor mod_auth_basic and mod_auth_digest sync. mod_auth_basic
     now populates r->user with the (possibly unauthenticated) user,
     and mod_auth_digest returns 500 when a provider returns
     AUTH_GENERAL_ERROR.
     [Geoffrey Young]

  *) The whole codebase was relicensed and is now available under
     the Apache License, Version 2.0 (http://www.apache.org/licenses).
     [Apache Software Foundation]

  *) Delete some make-generated files in the server directory during
     "make clean" processing. PR 26552. [Jeff Trawick]

  *) Add core version query function (ap_get_server_revision) and
     accompanying ap_version_t structure (minor MMN bump).
     [André Malo]

  *) mod_rewrite: EOLs sent by external rewritemaps are now consumed
     as a whole.
     That way, on systems with more than one EOL character,
     rewritemap programs no longer need to switch stdout to binary
     mode. PR 25635. [André Malo]

  *) mod_rewrite: Introduce the ability to force a content handler via
     the [handler=...] flag. [André Malo]

  *) mod_rewrite: Introduce the RewriteCond -x check, which returns
     true if the pattern is a file with execution permissions.
     [André Malo]

  *) mod_rewrite: Allow proxying and RewriteRules in directory context
     for subrequests. PR 14648, 15114. [André Malo]

  *) mod_rewrite: Allow setting of any valid HTTP response code.
     PR 25917. [André Malo]

  *) mod_rewrite: Cookie creation now works independently of the locale.
     [André Malo]

  *) mod_ssl: Add support for distributed session cache using 'distcache'.
     [Geoff Thorpe <geoff geoffthorpe.net>]

  *) mod_dav: Disallow requests with an unescaped hash character in
     the Request-URI. PR 21779. [Amit Athavale <amit_athavale lycos.com>]

  *) mod_proxy: Fix ProxyErrorOverride On in a reverse-proxy configuration
     attaching a body and a wrong Content-Length header to 302 responses.
     PR 22951. [Ermanno Scaglione <scaglione starnetone.de>]

  *) Bring ErrorHeader concept forward from 1.3, so that response
     header fields can be set for return even on errors or external
     redirects. [Ken Coar]

  *) Fix <Limit> and <LimitExcept> parsing to require a closing '>'
     in the initial container. PR 25414.
     [Geoffrey Young <geoff apache.org>]

  *) Clean up httpd -V output: Instead of displaying the MPM source
     directory, display the MPM name and some MPM properties.
     [Geoffrey Young <geoff apache.org>]

  *) mod_ssl/mod_status: Re-enable support for output of SSL session
     cache information in server-status page. [Joe Orton]

  *) mod_ssl: Remove the shmht session cache; shmcb should be used
     instead.
     [Joe Orton]

  *) mod_logio: Account for some bytes handed to the network layer prior to
     dropped connections. [Jeff Trawick]

  *) mod_autoindex: new directive IndexStyleSheet
     [Tyler Riddle <triddle_1999 yahoo.com>, Paul Querna <chip force-elite.com>]

  *) Fix uninitialized gprof directory name in prefork MPM. PR 24450.
     [Chris Knight <Christopher.D.Knight nasa.gov>]

  *) Log an error when requests for URIs which fail to map to a valid
     filesystem name are rejected with 403. [Jeff Trawick]

  *) Switch to APR 1.0 API.

  *) Major overhaul of mod_include's filter parser. The new parser code
     is expected to be more robust and should catch all of the edge cases
     that were not handled by the previous one. This includes a binary
     incompatible change of mod_include's external API. [André Malo]

  *) mod_rewrite: Allow forced mimetypes [T=...] to get expanded.
     PR 14223. [André Malo]

  *) mod_rewrite: Fix LA-U and LA-F lookups in directory context. Previously
     the current rewrite state was just used as lookup path, which led to
     strange and often useless results. Related to PR 8493. [André Malo]

  *) Change Listen directive to bind to all addresses when a hostname is
     not specified. [Justin Erenkrantz]

  *) Correct failure with Listen directives on machines with IPv6 enabled.
     [Colm MacCárthaigh <colm stdlib.net>, Justin Erenkrantz]

  *) Fix a link failure in mod_ssl when the OpenSSL libraries contain
     the ENGINE functions but the engine header files are missing.
     [Cliff Woolley]

  *) mod_rewrite: RewriteRules in server context using the force
     type feature [T=...] no longer disable MultiViews. [André Malo]

  *) mod_rewrite: Allow piped rewrite logs to be relative to ServerRoot.
     [André Malo]

  *) mod_authz_groupfile: Strip trailing spaces of group names.
     This hopefully saves some hours of searching for typos. PR 12863.
     [André Malo]

  *) mod_actions: Propagate the handler name to the action script via
     the REDIRECT_HANDLER environment variable. [André Malo]

  *) mod_actions: Introduce the "virtual" modifier to the Action directive,
     which allows the use of handlers for virtual locations. PR 8431.
     [André Malo]

  *) mod_speling: Recognize AcceptPathInfo setting for the particular
     location. Default is to reject path information. PR 21059.
     [André Malo]

  *) mod_ext_filter: Add the ability to filter request bodies.
     [Philipp Reisner <philipp.reisner linbit.com>]

  *) Fix some broken log messages in WinNT MPM.
     [Juan Rivera <Juan.Rivera citrix.com>]

  *) prefork MPM: Use the right permissions for the directory created
     for gprof support. [Jim Carlson <jcarlson jnous.com>]

  *) Fix a compile failure with recent OpenSSL and picky compilers
     (e.g., OpenSSL 0.9.7a and xlc_r on AIX). [Jeff Trawick]

  *) OpenSSL headers should be included as "openssl/ssl.h", and not rely on
     the INCLUDE path to be defined properly.
     PR 11310. [Geoff Thorpe <geoff geoffthorpe.net>]

  *) Modify APACHE_CHECK_SSL_TOOLKIT to detect SSL-C. [Madhusudan Mathihalli]

  *) Replace the APACHE_CHECK_SSL_TOOLKIT method with a cleaner one, using
     autoconf tools (AC_CHECK_HEADER, AC_CHECK_LIB etc).
     [Geoff Thorpe <geoff geoffthorpe.net>]

  *) change directive name from 'compressionlevel' to 'deflatecompressionlevel'
     [Ian Holsman, André Malo]

  *) mod_negotiation: quality values are now parsed independently of
     the current locale. Level values are now really parsed as integers.
     PR 17564. [André Malo]

  *) Extend mod_negotiation to evaluate the environment variables
     no-gzip and gzip-only-text/html the same way as mod_deflate does.
     [André Malo]

  *) mod_rewrite: Fix some problems reporting errors with mapping
     programs (RewriteMap prg:/something). [Jeff Trawick]

  *) Return 413 if chunk-ext-header is too long rather than reading from
     the truncated line. PR 15857. [Justin Erenkrantz]

  *) Allow restart of httpd to occur even with syntax errors in the config
     file. PR 16813. [Justin Erenkrantz]

  *) Use APR_LAYOUT instead of APACHE_LAYOUT in configure. PR 15679.
     [Justin Erenkrantz]

  *) Remove files on 'make distclean' that should be removed. PR 15592.
     [Justin Erenkrantz]

  *) Allow apachectl to perform status with links and elinks as well.
     [Justin Erenkrantz]

  *) mod_log_config: change optional hook to return previous handler
     [Ian Holsman]

  *) Forward port of mod_actions' ability to handle arbitrary methods
     with the Script directive. [André Malo]

  *) Let suexec send a message to stderr, if it failed or its policy
     was violated. This message appears in the error log and allows
     for easier debugging. PR 5381, 7638, 8255, 10773. [André Malo]

  *) Modify buildconf to copy all required files into httpd's tree.
     [Thom May <thom planetarytramp.net>]

  *) Allow mod_dav to do weak entity comparison functions.
     [Justin Erenkrantz]

  *) Move RFC 1413 ident requests from core to new module mod_ident.
     [André Malo]

  *) Add mod_authz_owner - a forward port of "Require file-owner"
     and "Require file-group", which was already present in version
     1.3.21. [André Malo]

  *) Add mod_dav_lock - a generic subset of the DAV locking implementation.
     [Justin Erenkrantz]

  *) Replace some of the mutex locking in the worker MPM with
     atomic operations for higher concurrency. [Brian Pane]

  *) Allow 'make depend' to work with non-GCC compilers.
     [Justin Erenkrantz]

  *) If an httpd.conf has commented out AddModule directives,
     apxs -i -a will add an un-commented AddModule directive for
     the new module, which breaks the config.
     PR: 11212 [Joe Orton]

  *) Fix mod_proxy handling of filtered input bodies. [Justin Erenkrantz]

  *) Move the check of the Expect request header field after the hook
     for ap_post_read_request, since that is the only opportunity for
     modules to handle Expect extensions. [Justin Erenkrantz]

  *) Rewrite of aaa modules to an authn/authz model.
     [Dirk-Willem van Gulik, Justin Erenkrantz]

  [Apache 2.1.0-dev includes those bug fixes and changes with the
   Apache 2.0.xx tree as documented, and except as noted, below.]

Changes with Apache 2.0.x and later:

  *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup
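The 2.1.0-dev entry above that returns 413 when a chunk-ext header is too long (PR 15857) describes a bounded-line check. The C code below is an added example written for this page, not httpd's own code, showing that shape: the length bound is applied before any byte of the line is interpreted, so an over-long chunk extension is rejected instead of a prefix of the line being parsed as if it were the whole line. CHUNK_LINE_MAX, the status enum, the helper names and the sample inputs are all constructed for the example.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on one chunk-size line ("hex-size[;chunk-ext]CRLF").
 * Constructed value for this example; it is not httpd's actual limit. */
#define CHUNK_LINE_MAX 64

enum chunk_status {
    CHUNK_NEED_MORE = 0,      /* no terminator yet, buffered bytes still within limit */
    CHUNK_OK = 200,           /* size parsed; *consumed = line length incl. terminator */
    CHUNK_BAD_REQUEST = 400,  /* malformed chunk-size or terminator */
    CHUNK_TOO_LARGE = 413     /* line exceeds CHUNK_LINE_MAX before a terminator */
};

/* Parse one chunk-size line from buf[0..len). The chunk extension is
 * skipped, not interpreted. The length bound is checked before any byte
 * is interpreted, so an over-long extension yields 413 rather than a
 * truncated line being read as if it were complete. */
enum chunk_status parse_chunk_size_line(const char *buf, size_t len,
                                        unsigned long *size, size_t *consumed)
{
    const char *lf = memchr(buf, '\n', len);
    size_t line_len, i = 0;
    unsigned long v = 0;
    int ndigits = 0;

    if (lf == NULL)   /* no terminator: wait for more input, or give up at the limit */
        return len >= CHUNK_LINE_MAX ? CHUNK_TOO_LARGE : CHUNK_NEED_MORE;
    line_len = (size_t)(lf - buf) + 1;
    if (line_len > CHUNK_LINE_MAX)
        return CHUNK_TOO_LARGE;

    /* chunk-size = 1*HEXDIG, accumulated with an overflow guard */
    while (i < line_len && isxdigit((unsigned char)buf[i])) {
        int c = (unsigned char)buf[i];
        int d = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (v > (ULONG_MAX >> 4))
            return CHUNK_BAD_REQUEST;
        v = (v << 4) | (unsigned long)d;
        i++;
        ndigits++;
    }
    if (ndigits == 0)
        return CHUNK_BAD_REQUEST;

    /* chunk-ext = *( ";" token [ "=" value ] ): skip up to the terminator */
    if (buf[i] == ';') {
        while (i < line_len && buf[i] != '\r' && buf[i] != '\n')
            i++;
    }

    /* Terminator: CRLF; a bare LF is tolerated, as many servers do. */
    if (buf[i] == '\r')
        i++;
    if (i >= line_len || buf[i] != '\n')
        return CHUNK_BAD_REQUEST;

    *size = v;
    *consumed = line_len;
    return CHUNK_OK;
}

/* Classify a NUL-terminated sample line. */
enum chunk_status classify_chunk_line(const char *s)
{
    unsigned long size;
    size_t consumed;
    return parse_chunk_size_line(s, strlen(s), &size, &consumed);
}

/* Chunk size of a sample line, or -1 if the line is not accepted. */
long chunk_size_of(const char *s)
{
    unsigned long size = 0;
    size_t consumed;
    if (parse_chunk_size_line(s, strlen(s), &size, &consumed) != CHUNK_OK)
        return -1;
    return (long)size;
}

/* Constructed sample: a 5-byte chunk whose extension runs far past
 * CHUNK_LINE_MAX before the CRLF arrives. */
enum chunk_status demo_overlong_extension(void)
{
    char line[128];
    unsigned long size;
    size_t consumed, n = 0;
    line[n++] = '5';
    line[n++] = ';';
    memset(line + n, 'x', 100);
    n += 100;
    line[n++] = '\r';
    line[n++] = '\n';
    return parse_chunk_size_line(line, n, &size, &consumed);
}

int main(void)
{
    static const char *samples[] = { "5\r\n", "1a;name=value\r\n", "zz\r\n", "5;ext" };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("sample %u -> status %d, size %ld\n", (unsigned)k,
               (int)classify_chunk_line(samples[k]), chunk_size_of(samples[k]));
    printf("over-long extension -> status %d\n", (int)demo_overlong_extension());
    return 0;
}
```

The order of the two checks is the whole point: testing the buffered length before looking for a terminator means a client that never sends CRLF cannot keep the parser waiting with an arbitrarily long extension, and a line that is terminated but over-long is refused before its hex prefix is trusted as a chunk size.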
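For the mod_negotiation entry above (PR 17564), which parses quality values independently of the current locale: the C code below is an added example for this page, not httpd's code. It parses the RFC 2616 qvalue grammar with plain character arithmetic instead of strtod(), so a process locale whose decimal separator is ',' cannot change the result, and anything outside the grammar is rejected rather than silently truncated. The parse_qvalue and qvalue_from_params names and the sample parameter strings are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse an HTTP qvalue (RFC 2616 section 3.9):
 *   qvalue = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
 * into thousandths, 0..1000. No strtod()/atof(), so the locale's decimal
 * separator plays no part. Returns -1 on any deviation from the grammar
 * ("0,8", ".8", "1.5", "0.1234" and "" are all rejected). */
int parse_qvalue(const char *s)
{
    int integer, frac = 0, nfrac = 0;

    if (s[0] == '0')
        integer = 0;
    else if (s[0] == '1')
        integer = 1;
    else
        return -1;
    s++;
    if (*s == '\0')
        return integer * 1000;
    if (*s != '.')
        return -1;                   /* only '.' is a decimal point here */
    s++;
    while (isdigit((unsigned char)*s)) {
        if (nfrac == 3)
            return -1;               /* grammar allows at most three digits */
        frac = frac * 10 + (*s - '0');
        nfrac++;
        s++;
    }
    if (*s != '\0')
        return -1;                   /* trailing junk after the digits */
    while (nfrac < 3) {              /* scale "0.8" to 800, "0.25" to 250 */
        frac *= 10;
        nfrac++;
    }
    if (integer == 1 && frac != 0)
        return -1;                   /* q must not exceed 1 */
    return integer * 1000 + frac;
}

/* Extract q from an Accept-style parameter list such as
 * "text/html;level=2;q=0.8". A missing q means 1000 (q=1); a malformed
 * qvalue yields -1. The parameter name is matched case-insensitively. */
int qvalue_from_params(const char *params)
{
    const char *p = params;
    while (*p) {
        const char *start, *end;
        while (*p == ';' || isspace((unsigned char)*p))
            p++;
        start = p;
        while (*p && *p != ';')
            p++;
        end = p;
        while (end > start && isspace((unsigned char)end[-1]))
            end--;
        if (end - start >= 2 && tolower((unsigned char)start[0]) == 'q'
            && start[1] == '=') {
            char buf[16];
            size_t n = (size_t)(end - start - 2);
            if (n >= sizeof buf)
                return -1;           /* far longer than any valid qvalue */
            memcpy(buf, start + 2, n);
            buf[n] = '\0';
            return parse_qvalue(buf);
        }
    }
    return 1000;
}

int main(void)
{
    static const char *samples[] = {
        "text/html;q=0.8", "text/html", "text/html; q=1.000",
        "text/html;q=0,8",   /* what a comma-decimal locale's strtod() would misread */
        "text/html;q=1.5"
    };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-22s -> q = %d\n", samples[k], qvalue_from_params(samples[k]));
    return 0;
}
```

Returning an integer in thousandths also sidesteps floating-point comparison when variants are ranked, which is the other place locale-dependent float handling tends to bite in content negotiation.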