Newer
Older
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
3447
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
3461
3462
3463
3464
3465
3466
3467
3468
3469
3470
3471
3472
3473
3474
3475
3476
3477
3478
3479
3480
3481
3482
3483
3484
3485
3486
3487
3488
3489
3490
3491
3492
3493
3494
3495
3496
3497
3498
3499
3500
3501
3502
3503
3504
3505
3506
3507
3508
3509
3510
3511
3512
3513
3514
3515
3516
3517
3518
3519
3520
3521
3522
3523
3524
3525
3526
3527
3528
3529
3530
3531
3532
3533
3534
3535
3536
3537
3538
3539
3540
3541
3542
3543
3544
3545
3546
3547
3548
3549
3550
3551
3552
3553
3554
3555
3556
3557
3558
3559
3560
3561
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573
3574
3575
3576
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586
3587
3588
3589
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
3648
3649
3650
3651
3652
3653
3654
3655
3656
3657
3658
3659
3660
3661
3662
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673
3674
3675
3676
3677
3678
3679
3680
3681
3682
3683
3684
3685
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695
3696
3697
3698
3699
3700
3701
3702
3703
3704
3705
3706
3707
3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734
3735
3736
3737
3738
3739
3740
3741
3742
3743
3744
3745
3746
3747
3748
3749
3750
3751
3752
3753
3754
3755
3756
3757
3758
3759
3760
3761
3762
3763
3764
3765
3766
3767
3768
3769
3770
3771
3772
3773
3774
3775
3776
3777
3778
3779
3780
3781
3782
3783
3784
3785
3786
3787
3788
3789
3790
3791
3792
3793
3794
3795
3796
3797
3798
3799
3800
3801
3802
3803
3804
3805
3806
3807
3808
3809
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
3845
3846
3847
3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
3861
3862
3863
3864
3865
3866
3867
3868
3869
3870
3871
3872
3873
3874
3875
3876
3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894
3895
3896
3897
3898
3899
3900
3901
3902
3903
3904
3905
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
3916
3917
3918
3919
3920
3921
3922
3923
3924
3925
3926
3927
3928
3929
3930
3931
3932
3933
3934
3935
3936
3937
3938
3939
3940
3941
3942
3943
3944
3945
3946
3947
3948
3949
3950
3951
3952
3953
3954
3955
3956
3957
3958
3959
3960
3961
3962
3963
3964
3965
3966
3967
3968
3969
3970
3971
3972
3973
3974
3975
3976
3977
3978
3979
3980
3981
3982
3983
3984
3985
3986
3987
3988
3989
3990
3991
3992
3993
3994
3995
3996
3997
3998
3999
4000
*) mod_proxy: Add the forcerecovery balancer parameter that determines if
recovery for balancer workers is enforced. [Ruediger Pluem]
*) Fix MPM DSO load failure on AIX. [Jeff Trawick]
*) mod_proxy: Correctly set up reverse proxy worker. PR 52935.
[Petter Berntsen <petterb gmail.com>]
*) mod_sed: Don't define PATH_MAX to a potentially undefined value, causing
compile problems on GNU hurd. [Stefan Fritsch]
*) core: Add ap_runtime_dir_relative() and DefaultRuntimeDir.
[Jeff Trawick]
*) core: Fix breakage of Listen directives with MPMs that use a
per-directory config. PR 52904. [Stefan Fritsch]
*) core: Disallow directives in AllowOverrideList which are only allowed
in VirtualHost or server context. These are usually not prepared to be
called in .htaccess files. [Stefan Fritsch]
*) core: In AllowOverrideList, do not allow 'None' together with other
directives. PR 52823. [Stefan Fritsch]
*) mod_slotmem_shm: Support DEFAULT_REL_RUNTIMEDIR for file-based shm.
[Jim Jagielski]
*) core: Fix merging of AllowOverrideList and ContentDigest.
[Stefan Fritsch]
*) mod_request: Fix validation of the KeptBodySize argument so it
doesn't always throw a configuration error. PR 52981 [Eric Covener]
*) core: Add filesystem paths to access denied / access failed messages
AH00035 and AH00036. [Eric Covener]
*) mod_dumpio: Properly handle errors from subsequent input filters.
PR 52914. [Stefan Fritsch]
*) Unix MPMs: Fix small memory leak in parent process if connect()
failed when waking up children. [Joe Orton]
*) "DirectoryIndex disabled" now undoes DirectoryIndex settings in
the current configuration section, not just previous config sections.
PR 52845. [Eric Covener]
*) mod_xml2enc: Fix broken handling of EOS buckets which could lead to
response headers not being sent. PR 52766. [Stefan Fritsch]
*) mod_ssl: Properly free the GENERAL_NAMEs. PR 32652. [Kaspar Brand]
*) core: Check during config test that directories for the access
logs actually exist. PR 29941. [Stefan Fritsch]
*) mod_xml2enc, mod_proxy_html: Enable per-module loglevels.
[Stefan Fritsch]
*) mod_filter: Fix segfault with AddOutputFilterByType. PR 52755.
[Stefan Fritsch]
*) mod_session: Sessions are encoded as application/x-www-form-urlencoded
strings, however we do not handle the encoding of spaces properly.
Fixed. [Graham Leggett]
*) Configuration: Example in comment should use a path consistent
with the default configuration. PR 52715.
[Rich Bowen, Jens Schleusener, Rainer Jung]
*) Configuration: Switch documentation links from trunk to 2.4.
[Rainer Jung]
*) configure: Fix out of tree build using apr and apr-util in srclib.
[Rainer Jung]
Changes with Apache 2.4.1
*) SECURITY: CVE-2012-0053 (cve.mitre.org)
Fix an issue in error responses that could expose "httpOnly" cookies
when no custom ErrorDocument is specified for status code 400.
[Eric Covener]
*) mod_proxy_balancer: Fix crash on Windows. PR 52402 [Mladen Turk]
*) core: Check during configtest that the directories for error logs exist.
PR 29941 [Stefan Fritsch]
*) Core configuration: add AllowOverride option to treat syntax
errors in .htaccess as non-fatal. PR 52439 [Nick Kew, Jim Jagielski]
*) core: Fix memory consumption in core output filter with streaming
bucket types like CGI or PIPE. [Joe Orton, Stefan Fritsch]
*) configure: Disable modules at configure time if a prerequisite module
is not enabled. PR 52487. [Stefan Fritsch]
*) Rewrite and proxy now decline what they don't support rather
than fail the request. [Joe Orton]
*) Fix building against external apr plus apr-util if apr is not installed
in a system default path. [Rainer Jung]
*) Doxygen fixes and improvements. [Joe Orton, Igor Galić]
*) core: Fix building against PCRE 8.30 by switching from the obsolete
pcre_info() to pcre_fullinfo(). PR 52623 [Ruediger Pluem, Rainer Jung]
Changes with Apache 2.4.0
*) SECURITY: CVE-2012-0031 (cve.mitre.org)
Fix scoreboard issue which could allow an unprivileged child process
to cause the parent to crash at shutdown rather than terminate
cleanly. [Joe Orton]
*) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]
*) SECURITY: CVE-2012-0021 (cve.mitre.org)
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
string is in use and a client sends a nameless, valueless cookie, causing
a denial of service. The issue existed since version 2.2.17 and 2.3.3.
PR 52256. [Rainer Canavan <rainer-apache 7val com>]
*) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit
control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
[Kaspar Brand]
*) mod_ssl: set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, to improve binary compatibility with future OpenSSL releases.
[Kaspar Brand]
*) mod_mime: Don't arbitrarily bypass AddOutputFilter during a ProxyPass,
but then allow AddOutputFilter during a RewriteRule [P]. Make mod_mime
behave identically in both cases. PR52342. [Graham Leggett]
*) Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with
corresponding man pages. [Graham Leggett]
*) Distinguish properly between the bindir and sbindir directories when
installing binaries. Previously all binaries were silently installed to
sbindir, whether they were system administration commands or not.
[Graham Leggett]
Changes with Apache 2.3.16
*) SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
backend network exposure in some configurations.
[Joe Orton]
*) core: Limit line length in .htaccess to 8K like in 2.2.x, to avoid
additional DoS potential. [Stefan Fritsch]
*) core, all modules: Add unique tag to most error log messages. [Stefan
Fritsch]
*) mod_socache_memcache: Change provider name from "mc" to "memcache" to
match module name. [Stefan Fritsch]
*) mod_slotmem_shm: Change provider name from "shared" to "shm" to match
module name. [Stefan Fritsch]
*) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This
requires an apr-util fix in which is available in apr-util >= 1.4.0.
PR 42682. [Stefan Fritsch]
*) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible
for RewriteRules to be placed in .htaccess files that match the directory
with no trailing slash. PR 48304.
[Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>]
*) mod_session_crypto: Add a SessionCryptoPassphraseFile directive so that
the administrator can hide the keys from the configuration. [Graham
Leggett]
*) Introduce a per request version of the remote IP address, which can be
optionally modified by a module when the effective IP of the client
is not the same as the real IP of the client (such as a load balancer).
Introduce a per connection "peer_ip" and a per request "client_ip" to
distinguish between the raw IP address of the connection and the effective
IP address of the request. [Graham Leggett]
*) ap_pass_brigade_fchk() function added. [Jim Jagielski]
*) core: Pass ap_errorlog_info struct to error log hook. [Stefan Fritsch]
*) mod_cache_disk: Make sure we check return codes on all writes and
attempts to close, and clean up after ourselves in these cases.
PR43589. [Graham Leggett]
*) mod_cache_disk: Remove the unnecessary intermediate brigade while
writing to disk. Fixes a problem where mod_disk_cache was leaving
buckets in the intermediate brigade and not passing them to out on
exit. [Florian S. <f_los_ch yahoo.com>, Graham Leggett]
*) mod_ssl: use a shorter setting for SSLCipherSuite in the default
default configuration file, and add some more information about
configuring a speed-optimized alternative.
[Kaspar Brand]
*) mod_ssl: drop support for the SSLv2 protocol. [Kaspar Brand]
*) mod_lua: Stop losing track of all but the most specific LuaHook* directives
when multiple per-directory config sections are used. Adds LuaInherit
directive to control how parent sections are merged. [Eric Covener]
*) Server directive display (-L): Include directives of DSOs.
[Jeff Trawick]
*) mod_cache: Make sure we merge headers correctly when we handle a
non cacheable conditional response. PR52120. [Graham Leggett]
*) Pre GA removal of components that will not be included:
- mod_noloris was superseded by mod_reqtimeout
- mod_serf
- mpm_simple
[Rainer Jung]
*) core: Set MaxMemFree 2048 by default. [Stefan Fritsch]
*) mpm_event: Fix assertion failure during very high load. [Stefan Fritsch]
*) configure: Additional modules loaded by default: mod_headers.
Modules moved from module set "few" to "most" and no longer loaded
by default: mod_actions, mod_allowmethods, mod_auth_form, mod_buffer,
mod_cgi(d), mod_include, mod_negotiation, mod_ratelimit, mod_request,
mod_userdir. [Rainer Jung]
*) mod_lua: Use the right lua scope when used as a hook. [Rainer Jung]
*) configure: Only load the really imporant modules (i.e. those enabled by
the 'few' selection) by default. Don't handle modules enabled with
--enable-foo specially. [Stefan Fritsch]
*) end-generation hook: Fix false notification of end-of-generation for
temporary intervals with no active MPM children. [Jeff Trawick]
*) mod_ssl: Add support for configuring persistent TLS session ticket
encryption/decryption keys (useful for clustered environments).
[Paul Querna, Kaspar Brand]
*) mod_usertrack: Use random value instead of remote IP address.
[Stefan Fritsch]
Changes with Apache 2.3.15
*) SECURITY: CVE-2011-3348 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not
recognized. [Jean-Frederic Clere]
*) SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Fix handling of byte-range requests to use less memory, to avoid
denial of service. If the sum of all ranges in a request is larger than
the original file, ignore the ranges and send the complete file.
PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
<lowprio20 gmail.com>]
*) SECURITY: CVE-2011-3607 (cve.mitre.org)
core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]
*) SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
some reverse proxy configurations. [Joe Orton]
*) configure: Load all modules in the generated default configuration
when using --enable-load-all-modules. [Rainer Jung]
*) mod_reqtimeout: Change the default to set some reasonable timeout
values. [Stefan Fritsch]
*) core, mod_dav_fs: Change default ETag to be "size mtime", i.e. remove
the inode. PR 49623. [Stefan Fritsch]
*) mod_lua: Expose SSL variables via r:ssl_var_lookup(). [Eric Covener]
*) mod_lua: LuaHook{AccessChecker,AuthChecker,CheckUserID,TranslateName}
can now additionally be run as "early" or "late" relative to other modules.
[Eric Covener]
*) configure: By default, only load those modules that are either required
or explicitly selected by a configure --enable-foo argument. The
LoadModule statements for modules enabled by --enable-mods-shared=most
and friends will be commented out. [Stefan Fritsch]
*) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and
LuaHookQuickHandler) from being configured in <Directory>, <Files>,
and htaccess where the configuration would have been ignored.
[Eric Covener]
*) mod_lua: Resolve "attempt to index local 'r' (a userdata value)" errors
in LuaMapHandler scripts [Eric Covener]
*) mod_log_debug: Rename optional argument from if= to expr=, to be more
in line with other config directives. [Stefan Fritsch]
*) mod_headers: Require an expression to be specified with expr=, to be more
in line with other config directives. [Stefan Fritsch]
*) mod_substitute: To prevent overboarding memory usage, limit line length
to 1MB. [Stefan Fritsch]
*) mod_lua: Make the query string (r.args) writable. [Eric Covener]
*) mod_include: Add support for application/x-www-form-urlencoded encoding
and decoding. [Graham Leggett]
*) rotatelogs: Add -c option to force logfile creation in every rotation
interval, even if empty. [Jan Kaluža <jkaluza redhat.com>]
*) core: Limit ap_pregsub() to 64K, add ap_pregsub_ex() for longer strings.
[Stefan Fritsch]
*) mod_session_crypto: Refactor to support the new apr_crypto API.
[Graham Leggett]
*) http: Add missing Location header if local URL-path is used as
ErrorDocument for 30x. [Stefan Fritsch]
*) mod_buffer: Make sure we step down for subrequests, but not for internal
redirects triggered by mod_rewrite. [Graham Leggett]
*) mod_lua: add r:construct_url as a wrapper for ap_construct_url.
[Eric Covener]
*) mod_remote_ip: Fix configuration of internal proxies. PR 49272.
[Jim Riggs <jim riggs me>]
*) mpm_winnt: Handle AcceptFilter 'none' mode correctly; resolve specific
server IP endpoint and remote client IP upon connection. [William Rowe]
*) mod_setenvif: Remove OID match which is obsoleted by SetEnvIfExpr with
PeerExtList(). [Stefan Fritsch]
*) mpm_prefork, mpm_worker, mpm_event: If a child is created just before
graceful restart and then exits because of a missing lock file, don't
shutdown the whole server. PR 39311. [Shawn Michael
<smichael rightnow com>]
*) mpm_event: Check the return value from ap_run_create_connection.
PR 41194. [Davi Arnaut]
*) mod_mime_magic: Add signatures for PNG and SWF to the example config.
PR 48352. [Jeremy Wagner-Kaiser <jwagner-kaiser adknowledge com>]
*) core, unixd: Add -D DUMP_RUN_CFG option to dump some configuration items
from the parsed (or default) config. This is useful for init scripts that
need to setup temporary directories and permissions. [Stefan Fritsch]
*) core, mod_actions, mod_asis: Downgrade error log messages which accompany
a 404 request status from loglevel error to info. PR 35768. [Stefan
Fritsch]
*) core: Fix hook sorting with Perl modules. PR 45076. [Torsten Foertsch
<torsten foertsch gmx net>]
*) core: Enforce LimitRequestFieldSize after multiple headers with the same
name have been merged. [Stefan Fritsch]
*) mod_ssl: If MaxMemFree is set, ask OpenSSL >= 1.0.0 to reduce memory
usage. PR 51618. [Cristian Rodríguez <crrodriguez opensuse org>,
Stefan Fritsch]
*) mod_ssl: At startup, when checking a server certificate whether it
matches the configured ServerName, also take dNSName entries in the
subjectAltName extension into account. PR 32652, PR 47051. [Kaspar Brand]
*) mod_substitute: Reduce memory usage and copying of data. PR 50559.
[Stefan Fritsch]
*) mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]
*) Add wrappers for malloc, calloc, realloc that check for out of memory
situations and use them in many places. PR 51568, PR 51569, PR 51571.
[Stefan Fritsch]
*) Fix cross-compilation of mod_cgi/mod_cgid when APR_HAVE_STRUCT_RLIMIT is
false but RLIMIT_* are defined. PR51371. [Eric Covener]
*) core: Correctly obey ServerName / ServerAlias if the Host header from the
request matches the VirtualHost address.
PR 51709. [Micha Lenk <micha lenk.info>]
*) mod_unique_id: Use random number generator to initialize counter.
PR 45110. [Stefan Fritsch]
*) core: Add convenience API for apr_random. [Stefan Fritsch]
*) core: Add MaxRangeOverlaps and MaxRangeReversals directives to control
the number of overlapping and reversing ranges (respectively) permitted
before returning the entire resource, with a default limit of 20.
[Jim Jagielski]
*) mod_ldap: Optional function uldap_ssl_supported(r) always returned false
if called from a virtual host with mod_ldap directives in it. Did not
affect mod_authnz_ldap's usage of mod_ldap. [Eric Covener]
*) mod_filter: Instead of dropping the Accept-Ranges header when a filter
registered with AP_FILTER_PROTO_NO_BYTERANGE is present,
set the header value to "none". [Eric Covener, Ruediger Pluem]
*) core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none'
in the case Ranges are being ignored with MaxRanges none.
[Eric Covener]
*) mod_ssl: revamp CRL-based revocation checking when validating
certificates of clients or proxied servers. Completely delegate
CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck
directive for controlling the revocation checking mode. [Kaspar Brand]
*) core: Add MaxRanges directive to control the number of ranges permitted
before returning the entire resource, with a default limit of 200.
[Eric Covener]
*) mod_cache: Ensure that CacheDisable can correctly appear within
a LocationMatch. [Graham Leggett]
*) mod_cache: Fix the moving of the CACHE filter, which erroneously
stood down if the original filter was not added by configuration.
[Graham Leggett]
*) mod_ssl: improve certificate error logging. PR 47408. [Kaspar Brand]
*) mod_authz_groupfile: Increase length limit of lines in the group file to
16MB. PR 43084. [Stefan Fritsch]
*) core: Increase length limit of lines in the configuration file to 16MB.
PR 45888. PR 50824. [Stefan Fritsch]
*) core: Add API for resizable buffers. [Stefan Fritsch]
*) mod_ldap: Enable LDAPConnectionTimeout for LDAP toolkits that have
LDAP_OPT_CONNECT_TIMEOUT instead of LDAP_OPT_NETWORK_TIMEOUT, such
as Tivoli Directory Server 6.3 and later. [Eric Covener]
*) mod_ldap: Change default number of retries from 10 to 3, and add
an LDAPRetries and LDAPRetryDelay directives. [Eric Covener]
*) mod_authnz_ldap: Don't retry during authentication, because this just
multiplies the ample retries already being done by mod_ldap. [Eric Covener]
*) configure: Allow to explicitly disable modules even with module selection
'reallyall'. [Stefan Fritsch]
*) mod_rewrite: Check validity of each internal (int:) RewriteMap even if the
RewriteEngine is disabled in server context, avoiding a crash while
referencing the invalid int: map at runtime. PR 50994.
[Ben Noordhuis <info noordhuis nl>]
*) mod_ssl, configure: require OpenSSL 0.9.7 or later. [Kaspar Brand]
*) mod_ssl: remove ssl_toolkit_compat layer. [Kaspar Brand]
*) mod_ssl, configure, ab: drop support for RSA BSAFE SSL-C toolkit.
[Kaspar Brand]
*) mod_usertrack: Run mod_usertrack earlier in the fixups hook to ensure the
cookie is set when modules such as mod_rewrite trigger a redirect. Also
use r->err_headers_out for the cookie, for the same reason. PR29755.
[Sami J. Mäkinen <sjm almamedia fi>, Eric Covener]
*) mod_proxy_http, mod_proxy_connect: Add 'proxy-status' and
'proxy-source-port' request notes for logging. PR 30195. [Stefan Fritsch]
*) configure: Enable ldap modules in 'all' and 'most' selections if ldap
is compiled into apr-util. [Stefan Fritsch]
*) core: Add ap_check_cmd_context()-check if a command is executed in
.htaccess file. [Stefan Fritsch]
*) mod_deflate: Fix endless loop if first bucket is metadata. PR 51590.
[Torsten Foertsch <torsten foertsch gmx net>]
*) mod_authn_socache: Fix to work in .htaccess if not configured anywhere
in httpd.conf, and introduce an AuthnCacheEnable directive.
PR 51991 [Nick Kew]
*) mod_xml2enc: new (formerly third-party) module supporting
internationalisation for filters via smart charset sniffing
and conversion. [Nick Kew]
*) mod_proxy_html: new (formerly third-party) module to fix up
HTML links in a reverse proxy situation, where a backend
generates URLs that are not resolvable by Clients. [Nick Kew]
Changes with Apache 2.3.14
*) mod_proxy_ajp: Improve trace logging. [Rainer Jung]
*) mod_proxy_ajp: Respect "reuse" flag in END_REPONSE packets.
[Rainer Jung]
*) mod_proxy: enable absolute URLs to be rewritten with ProxyPassReverse,
e.g. to reverse proxy "Location: https://other-internal-server/login"
[Nick Kew]
*) prefork, worker, event: Make sure crashes are logged to the error log if
httpd has already detached from the console. [Stefan Fritsch]
*) prefork, worker, event: Reduce period during startup/restart where a
successive signal may be lost. PR 43696. [Arun Bhalla <arun shme net>]
*) mod_allowmethods: Correct Merging of "reset" and do not allow an
empty parameter list for the AllowMethods directive. [Rainer Jung]
*) configure: Update selection of modules for 'all' and 'most'. 'all' will
now enable all modules except for example and test modules. Make the
selection for 'most' more useful (including ssl and proxy). Both 'all'
and 'most' will now disable modules if dependencies are missing instead
of aborting. If a specific module is requested with --enable-XXX=yes,
missing dependencies will still cause configure to exit with an error.
[Stefan Fritsch]
*) mod_ldap: Revert the integration of apr-ldap as ap_ldap which was done
in 2.3.13. [Stefan Fritsch]
*) core: For '*' or '_default_' vhosts, use a wildcard address of any
address family, rather than IPv4 only. [Joe Orton]
*) core, mod_rewrite, mod_ssl, mod_nw_ssl: Make the SERVER_NAME variable
include [ ] for literal IPv6 addresses, as mandated by RFC 3875.
PR 26005. [Stefan Fritsch]
*) mod_negotiation: Fix parsing of Content-Length in type maps. PR 42203.
[Nagae Hidetake <nagae eagan jp>]
*) core: Add more logging to ap_scan_script_header_err* functions. Add
ap_scan_script_header_err*_ex functions that take a module index for
logging.
mod_cgi, mod_cgid, mod_proxy_fcgi, mod_proxy_scgi, mod_isapi: Use the
new functions in order to make logging configurable per-module.
[Stefan Fritsch]
*) mod_dir: Add DirectoryIndexRedirect to send an external redirect to
the proper index. [Eric Covener]
*) mod_deflate: Don't try to compress requests with a zero sized body.
PR 51350. [Stefan Fritsch]
*) core: Fix startup on IPv6-only systems. PR 50592. [Joe Orton,
<root linkage white-void net>]
*) suexec: Add environment variables CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX,
REDIRECT_ERROR_NOTES, REDIRECT_SCRIPT_FILENAME, REQUEST_SCHEME to the
whitelist in suexec. PR 51499. [Graham Laverty <graham reg ca>,
Stefan Fritsch]
*) mod_rewrite: Fix regexp RewriteCond with NoCase. [Stefan Fritsch]
*) mod_log_debug: New module that allows to log custom messages at various
phases in the request processing. [Stefan Fritsch]
*) mod_ssl: Add some debug logging when loading server certificates.
PR 37912. [Nick Burch <nick burch alfresco com>]
*) configure: Support reallyall option also for --enable-mods-static.
[Rainer Jung]
*) mod_socache_dc: add --with-distcache to configure for choosing
the distcache installation directory. [Rainer Jung]
*) mod_socache_dc: use correct build variable MOD_SOCACHE_DC_LDADD
instead of MOD_SOCACHE_LDADD in build macro. [Rainer Jung]
*) mod_lua, mod_deflate: respect platform specific runpath linker
flag. [Rainer Jung]
*) configure: Only link the httpd binary against PCRE. No other support
binary needs PCRE. [Rainer Jung]
*) configure: tolerate dependency checking failures for modules if
they have been enabled implicitly. [Rainer Jung]
*) configure: Allow to specify module specific custom linker flags via
the MOD_XXX_LDADD variables. [Rainer Jung]
Changes with Apache 2.3.13
*) ab: Support specifying the local address to use. PR 48930.
[Peter Schuller <scode spotify com>]
*) core: Add support to ErrorLogFormat for logging the system unique
thread id under Linux. [Stefan Fritsch]
*) event: New AsyncRequestWorkerFactor directive to influence how many
connections will be accepted per process. [Stefan Fritsch]
*) prefork, worker, event: Rename MaxClients to MaxRequestWorkers which
describes more accurately what it does. [Stefan Fritsch]
*) rotatelogs: Add -p argument to specify custom program to invoke
after a log rotation. PR 51285. [Sven Ulland <sveniu ifi.uio.no>,
Joe Orton]
*) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand]
*) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.
PR 48215. [Kaspar Brand]
*) mod_status: Display information about asynchronous connections in the
server-status. PR 44377. [Stefan Fritsch]
*) mpm_event: If the number of connections of a process is very high, or if
all workers are busy, don't accept new connections in that process.
[Stefan Fritsch]
*) mpm_event: Process lingering close asynchronously instead of tying up
worker threads. [Jeff Trawick, Stefan Fritsch]
*) mpm_event: If MaxMemFree is set, limit the number of pools that is kept
around. [Stefan Fritsch]
*) mpm_event: Fix graceful restart aborting connections. PR 43359.
[Takashi Sato <takashi lans-tv com>]
*) mod_ssl: Disable AECDH ciphers in example config. PR 51363.
[Rob Stradling <rob comodo com>]
*) core: Introduce new function ap_get_conn_socket() to access the socket of
a connection. [Stefan Fritsch]
*) mod_data: Introduce a filter to support RFC2397 data URLs. [Graham
Leggett]
*) mod_userdir/mod_alias/mod_vhost_alias: Correctly set DOCUMENT_ROOT,
CONTEXT_DOCUMENT_ROOT, CONTEXT_PREFIX. PR 26052. PR 46198.
[Stefan Fritsch]
*) core: Allow to override document_root on a per-request basis. Introduce
new context_document_root and context_prefix which provide information
about non-global URI-to-directory mappings (from e.g. mod_userdir or
mod_alias) to scripts. PR 49705. [Stefan Fritsch]
*) core: Add <ElseIf> and <Else> to complement <If> sections.
[Stefan Fritsch]
*) mod_ext_filter: Remove DebugLevel option in favor of per-module loglevel.
[Stefan Fritsch]
*) mod_include: Make the "#if expr" element use the new "ap_expr" expression
parser. The old parser can still be used by setting the new directive
SSILegacyExprParser. [Stefan Fritsch]
*) core: Add some features to ap_expr for use by mod_include: a restricted
mode that does not allow to bypass request access restrictions; new
variables DOCUMENT_URI (alias for REQUEST_URI), LAST_MODIFIED; -A as an
alias for -U; an additional data entry in ap_expr_eval_ctx_t for use by
the consumer; an extensible ap_expr_exec_ctx() API that allows to use that
data entry. [Stefan Fritsch]
*) mod_include: Merge directory configs instead of one SSI* config directive
causing all other per-directory SSI* config directives to be reset.
[Stefan Fritsch]
*) mod_charset_lite: Remove DebugLevel option in favour of per-module
loglevel. [Stefan Fritsch]
*) core: Add ap_regexec_len() function that works with non-null-terminated
strings. PR 51231. [Yehezkel Horowitz <horowity checkpoint com>]
*) mod_authnz_ldap: If the LDAP server returns constraint violation,
don't treat this as an error but as "auth denied". [Stefan Fritsch]
*) mod_proxy_fcgi|scgi: Add support for "best guess" of PATH_INFO
for SCGI/FCGI. PR 50880, 50851. [Mark Montague <mark catseye.org>,
Jim Jagielski]
*) mod_cache: When content is served stale, and there is no means to
revalidate the content using ETag or Last-Modified, and we have
mandated no stale-on-error behaviour, stand down and don't cache.
Saves a cache write that will never be read.
[Graham Leggett]
*) mod_reqtimeout: Fix a timed out connection going into the keep-alive
state after a timeout when discarding a request body. PR 51103.
[Stefan Fritsch]
*) core: Add various file existence test operators to ap_expr.
[Stefan Fritsch]
*) mod_proxy_express: New mass reverse-proxy switch extension for
mod_proxy. [Jim Jagielski]
*) configure: Fix script error when configuring module set "reallyall".
[Rainer Jung]
Changes with Apache 2.3.12
*) configure, core: Provide easier support for APR's hook probe
capability. [Jim Jagielski, Jeff Trawick]
*) Silence autoconf 2.68 warnings. [Rainer Jung]
*) mod_authnz_ldap: Resolve crash when LDAP is used for authorization only
[Scott Hill <shill genscape.com>]
*) support: Make sure check_forensic works with mod_unique_id loaded
[Joe Schaefer]
*) Add child_status hook for tracking creation/termination of MPM child
processes. Add end_generation hook for notification when the last
MPM child of a generation exits. [Jeff Trawick]
*) mod_ldap: Make LDAPSharedCacheSize 0 create a non-shared-memory cache per
process as opposed to disabling caching completely. This allows to use
the non-shared-memory cache as a workaround for the shared memory cache
not being available during graceful restarts. PR 48958. [Stefan Fritsch]
*) Add new ap_reserve_module_slots/ap_reserve_module_slots_directive API,
necessary if a module (like mod_perl) registers additional modules late
in the startup phase. [Stefan Fritsch]
*) core: Prevent segfault if DYNAMIC_MODULE_LIMIT is reached. PR 51072.
[Torsten Förtsch <torsten foertsch gmx net>]
*) WinNT MPM: Improve robustness under heavy load. [Jeff Trawick]
*) MinGW build improvements. PR 49535. [John Vandenberg
<jayvdb gmail.com>, Jeff Trawick]
*) core: Support module names with colons in loglevel configuration.
[Torsten Förtsch <torsten foertsch gmx net>]
*) mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
[Stefan Fritsch]
*) core: Abort if the MPM is changed across restart. [Jeff Trawick]
*) mod_proxy_ajp: Add support for 'ProxyErrorOverride on'. PR 50945.
[Peter Pramberger <peter pramberger.at>, Jim Jagielski]
*) mod_proxy_fcgi: Add support for 'ProxyErrorOverride on'. PR 50913.
[Mark Montague <mark catseye.org>, Jim Jagielski]
*) core: Change the APIs of ap_cfg_getline() and ap_cfg_getc() to return an
error code. Abort with a nice error message if a config line is too long.
Partial fix for PR 50824. [Stefan Fritsch]
*) mod_info: Dump config to stdout during startup if -DDUMP_CONFIG is
specified. PR 31956. [Stefan Fritsch]
*) Restore visibility of DEFAULT_PIDLOG to core and modules. MPM
helper function ap_remove_pid() added. [Jeff Trawick]
*) Enable DEFAULT_REL_RUNTIMEDIR on Windows and NetWare. [various]
*) Correct C++ incompatibility with http_log.h. [Stefan Fritsch, Jeff
Trawick]
*) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch
<torsten.foertsch gmx.net>]
*) core: AllowEncodedSlashes new option NoDecode to allow encoded slashes
in request URL path info but not decode them. Change behavior of option
"On" to decode the encoded slashes as 2.0 and 2.2 do. PR 35256,
PR 46830. [Dan Poirier]
*) mod_ssl: Check SNI hostname against Host header case-insensitively.
PR 49491. [Mayank Agrawal <magrawal.08 gmail.com>]
*) mod_ldap: Add LDAPConnectionPoolTTL to give control over lifetime
of bound backend LDAP connections. PR47634 [Eric Covener]
*) mod_cache: Make CacheEnable and CacheDisable configurable per
directory in addition to per server, making them work from within
a LocationMatch. [Graham Leggett]
*) worker, event, prefork: Correct several issues when built as
DSOs; most notably, the scoreboard was reinitialized during graceful
restart, such that processes of the previous generation were not
observable. [Jeff Trawick]
Changes with Apache 2.3.11
*) mod_win32: Added shebang check for '! so that .vbs scripts work as CGI.
Win32's cscript interpreter can only use a single quote as comment char.
[Guenter Knauf]
*) mod_proxy: balancer-manager now uses POST instead of GET.
[Jim Jagielski]
*) core: new util function: ap_parse_form_data(). Previously,
this capability was tucked away in mod_request. [Jim Jagielski]
*) core: new hook: ap_run_pre_read_request. [Jim Jagielski]
*) modules: Fix many modules that were not correctly initializing if they
were not active during server startup but got enabled later during a
graceful restart. [Stefan Fritsch]
*) core: Create new ap_state_query function that allows modules to determine
if the current configuration run is the initial one at server startup,
and if the server is started for testing/config dumping only.
[Stefan Fritsch]
*) mod_proxy: Runtime configuration of many parameters for existing
balancers via the balancer-manager. [Jim Jagielski]
*) mod_proxy: Runtime addition of new workers (BalancerMember) for existing
balancers via the balancer-manager. [Jim Jagielski]
*) mod_cache: When a bad Expires date is present, we need to behave as if
the Expires is in the past, not as if the Expires is missing. PR 16521.
[Co-Advisor <coad measurement-factory.com>]
*) mod_cache: We must ignore quoted-string values that appear in a
Cache-Control header. PR 50199. [Graham Leggett]
*) mod_dav: Revert change to send 501 error if unknown Content-* header is
received for a PUT request. PR 42978. [Stefan Fritsch]
*) mod_cache: Respect s-maxage as described by RFC2616 14.9.3, which must
take precedence if present. PR 35247. [Graham Leggett]
*) mod_ssl: Fix a possible startup failure if multiple SSL vhosts
are configured with the same ServerName and private key file.
[Masahiro Matsuya <mmatsuya redhat.com>, Joe Orton]
*) mod_socache_dc: Make module compile by fixing some typos.
PR 50735 [Mark Montague <mark catseye.org>]
*) prefork: Update MPM state in children during a graceful stop or
restart. PR 41743. [Andrew Punch <andrew.punch 247realmedia.com>]
*) mod_mime: Ignore leading dots when looking for mime extensions.
PR 50434 [Stefan Fritsch]
*) core: Add support to set variables with the 'Define' directive. The
variables that can then be used in the config using the ${VAR} syntax
known from envvar interpolation. [Stefan Fritsch]
*) mod_proxy_http: make adding of X-Forwarded-* headers configurable.
ProxyAddHeaders defaults to On. [Vincent Deffontaines]
*) mod_slotmem_shm: Increase memory alignment for slotmem data.
[Rainer Jung]
*) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout,
SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew.
[Kaspar Brand <httpd-dev.2011 velox.ch>]
*) mod_ssl: Revamp output buffering to reduce network overhead for
output fragmented into many buckets, such as chunked HTTP responses.
[Joe Orton]
*) core: Apply <If> sections to all requests, not only to file base requests.
Allow to use <If> inside <Directory>, <Location>, and <Files> sections.
The merging of <If> sections now happens after the merging of <Location>
sections, even if an <If> section is embedded inside a <Directory> or
<Files> section. [Stefan Fritsch]
*) mod_proxy: Refactor usage of shared data by dropping the scoreboard
and using slotmem. Create foundation for dynamic growth/changes of
members within a balancer. Remove BalancerNonce in favor of a
per-balancer 'nonce' parameter. [Jim Jagielski]
*) mod_status: Don't show slots which are disabled by MaxClients as open.
PR 47022 [Jordi Prats <jordi prats gmail com>, Stefan Fritsch]
*) mpm_prefork: Fix ap_mpm_query results for AP_MPMQ_MAX_DAEMONS and
AP_MPMQ_MAX_THREADS.
*) mod_authz_core: Fix bug in merging logic if user-based and non-user-based
authorization directives were mixed. [Stefan Fritsch]
*) mod_authn_socache: change directive name from AuthnCacheProvider
to AuthnCacheProvideFor. The term "provider" is overloaded in
this module, and we should avoid confusion between the provider
of a backend (AuthnCacheSOCache) and the authn provider(s) for
which this module provides cacheing (AuthnCacheProvideFor).
[Nick Kew]
*) mod_proxy_http: Allocate the fake backend request from a child pool
of the backend connection, instead of misusing the pool of the frontend
request. Fixes a thread safety issue where buckets set aside in the
backend connection leak into other threads, and then disappear when
the frontend request is cleaned up, in turn causing corrupted buckets
to make other threads spin. [Graham Leggett]
*) mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
escape other special characters with backslashes. The old format can
still be used with the LegacyDNStringFormat argument to SSLOptions.
*) core, mod_rewrite: Make the REQUEST_SCHEME variable available to
scripts and mod_rewrite. [Stefan Fritsch]
*) mod_rewrite: Allow to use arbitrary boolean expressions (ap_expr) in
RewriteCond. [Stefan Fritsch]
*) mod_rewrite: Allow to unset environment variables using E=!VAR.
PR 49512. [Mark Drayton <mark markdrayton info>, Stefan Fritsch]
*) mod_headers: Restore the 2.3.8 and earlier default for the first
argument of the Header directive ("onsuccess"). [Eric Covener]
*) core: Disallow the mixing of relative and absolute Options PR 33708.
[Sönke Tesch <st kino-fahrplan.de>]
*) core: When exporting request headers to HTTP_* environment variables,
drop variables whose names contain invalid characters. Describe in the
docs how to restore the old behaviour. [Malte S. Stretz <mss apache org>]
*) core: When selecting an IP-based virtual host, favor an exact match for
the port over a wildcard (or omitted) port instead of favoring the one
that came first in the configuration file. [Eric Covener]
*) core: Overlapping virtual host address/port combinations now implicitly
enable name-based virtual hosting for that address. The NameVirtualHost
directive has no effect, and _default_ is interpreted the same as "*".
[Eric Covener]
*) core: In the absence of any Options directives, the default is now
"FollowSymlinks" instead of "All". [Igor Galić]
*) rotatelogs: Add -e option to write logs through to stdout for optional
further processing. [Graham Leggett]
*) mod_ssl: Correctly read full lines in input filter when the line is
incomplete during first read. PR 50481. [Ruediger Pluem]
*) mod_authz_core: Add AuthzSendForbiddenOnFailure directive to allow
sending '403 FORBIDDEN' instead of '401 UNAUTHORIZED' if authorization
fails for an authenticated user. PR 40721. [Stefan Fritsch]
Changes with Apache 2.3.10
*) mod_rewrite: Don't implicitly URL-escape the original query string
when no substitution has changed it. PR 50447. [Eric Covener]
*) core: Honor 'AcceptPathInfo OFF' during internal redirects,
such as per-directory mod_rewrite substitutions. PR 50349.
[Eric Covener]
*) mod_rewrite: Add 'RewriteOptions InheritBefore' to put the base
rules/conditions before the overridden rules/conditions. PR 39313.
[Jérôme Grandjanny <jerome.grandjanny cea.fr>]
*) mod_autoindex: add IndexIgnoreReset to reset the list of IndexIgnored
filenames in higher precedence configuration sections. PR 24243.
[Eric Covener]
*) mod_cgid: RLimit* directive support for mod_cgid. PR 42135
[Eric Covener]
*) core: Fail startup when the argument to ServerName looks like a glob
or a regular expression instead of a hostname (*?[]). PR 39863
[Rahul Nair <rahul.g.nair gmail.com>]
*) mod_userdir: Add merging of enable, disable, and filename arguments
to UserDir directive, leaving enable/disable of userlists unmerged.
PR 44076 [Eric Covener]
*) httpd: When no -k option is provided on the httpd command line, the server
was starting without checking for an existing pidfile. PR 50350
[Eric Covener]
*) mod_proxy: Put the worker in error state if the SSL handshake with the
backend fails. PR 50332.
[Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
*) mod_cache_disk: Fix Windows build which was broken after renaming
the module. [Gregg L. Smith]
Changes with Apache 2.3.9
*) SECURITY: CVE-2010-1623 (cve.mitre.org)
Fix a denial of service attack against mod_reqtimeout.
[Stefan Fritsch]
*) mod_headers: Change default first argument of Header directive
from "onsuccess" to "always". [Eric Covener]
*) mod_include: Add the onerror attribute to the include element,
allowing an URL to be specified to include on error. [Graham
Leggett]
*) mod_cache_disk: mod_disk_cache renamed to mod_cache_disk, to be
consistent with the naming of other modules. [Graham Leggett]
*) mod_setenvif: Add SetEnvIfExpr directive to set env var depending on
expression. [Stefan Fritsch]
*) mod_proxy: Fix ProxyPassInterpolateEnv directive. PR 50292.
[Stefan Fritsch]
*) suEXEC: Add Suexec directive to disable suEXEC without renaming the
binary (Suexec Off), or force startup failure if suEXEC is required
but not supported (Suexec On). Change SuexecUserGroup to fail
startup instead of just printing a warning if suEXEC is disabled.
[Jeff Trawick]
*) core: Add Error directive for aborting startup or htaccess processing
with a specified error message. [Jeff Trawick]
*) mod_rewrite: Fix the RewriteEngine directive to work within a
location. Previously, once RewriteEngine was switched on globally,
it was impossible to switch off. [Graham Leggett]