Newer
Older
Martin Kraemer
committed
Changes with Apache 2.3.0
[Remove entries to the current 2.0 and 2.2 section below, when backported]
*) Fix issue which could cause piped loggers to be orphaned and never
terminate after a graceful restart. PR 40651. [Joe Orton,
Ruediger Pluem]
*) mod_headers: support regexp-based editing of HTTP headers [Nick Kew]
*) mod_cache: Eliminate a bogus error in the log when a filter returns
AP_FILTER_ERROR. [Niklas Edmundsson <nikke acc.umu.se>]
*) mod_disk_cache: Make caching of large files possible on 32bit machines
by determining whether the cached file should be copied on disk rather
than loaded into RAM. PR39380 [Niklas Edmundsson <nikke acc.umu.se>]
*) mod_mem_cache: Convert mod_mem_cache to use APR memory pool functions
by creating a root pool for object persistence across requests. This
also eliminates the need for custom serialization code.
[Davi Arnaut <davi haxent.com.br>]
*) mod_mem_cache: Memory leak fix: Unconditionally free the buffer.
[Davi Arnaut <davi haxent.com.br>]
*) mod_cache: From RFC3986 (section 6.2.3.) if a URI contains an
authority component and an empty path, the empty path is to be equivalent
to "/". It explicitly cites the following four URIs as equivalents:
http://example.com
http://example.com/
http://example.com:/
http://example.com:80/
[Davi Arnaut <davi haxent.com.br>]
Graham Leggett
committed
*) mod_cache: Don't cache requests with a expires date in the past;
otherwise mod_cache will always try to cache the URL. This bug
might lead to numerous rename() errors on win32 if the URL was
previously cached. [Davi Arnaut <davi haxent.com.br>]
*) mod_disk_cache: Make sure that only positive integers are accepted
for the CacheMaxFileSize and CacheMinFileSize parameters in the
config file. PR39380 [Niklas Edmundsson <nikke acc.umu.se>]
Ruediger Pluem
committed
*) mod_proxy_balancer: Set the new environment variable BALANCER_ROUTE_CHANGED
if a worker with a route different from the one supplied by the client
had been chosen or if the client supplied no routing information for
a balancer with sticky sessions. [Ruediger Pluem]
Ruediger Pluem
committed
*) mod_proxy: Print the correct error message for erroneous configured
ProxyPass directives. PR 40439. [serai lans-tv.com]
*) Allow htcacheclean, httxt2dbm, and fcgistarter to link apr/apr-util
statically like the older support programs.
[Eric Covener <covener gmail.com>]
*) ap_get_server_version() has been removed. Third-party modules must
now use ap_get_server_banner() or ap_get_server_description().
[Jeff Trawick]
*) mod_proxy_balancer: Extract stickysession routing information contained as
parameter in the URL correctly. PR 40400.
[Ruediger Pluem, Tomokazu Harada <harada sysrdc.ns-sol.co.jp>]
*) mod_ext_filter: Handle filter names which include capital letters.
PR 40323. [Jeff Trawick]
*) mod_deflate: Rework inflate output and deflate output filter to fix several
issues: Incorrect handling of flush buckets, potential memory leaks,
excessive memory usage in inflate output filter for large compressed
content. PR 39854. [Ruediger Pluem, Nick Kew, Justin Erenkrantz]
*) All MPMs: Introduce a check_config phase between pre_config and
open_logs, to allow modules to review interdependent configuration
directive values and adjust them while messages can still be logged
to the console. Handle relevant MPM directives during this phase
and format messages for both the console and the error log, as
appropriate. [Chris Darroch]
*) mod_proxy: Don't try to use dead backend connection. PR 37770.
*) mod_proxy: don't URLencode tilde in path component
[Stijn Hoop <stijn sandcat.nl>]
*) mpm_winnt: Fix return values from wait_for_many_objects.
The return value is index to the signaled thread in the
creted_threads array. We can not use WAIT_TIMEOUT because
his value is defined as 258, thus limiting the MaxThreads
to that value. [Mladen Turk]
*) SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling. For some RewriteRules this could lead to a pointer being
written out of bounds. Reported by Mark Dowd of McAfee.
[Mark Cox]
*) mod_cache: While serving a cached entity ensure that filters that have
been applied to this cached entity before saving it to the cache are not
applied again. PR 40090. [Ruediger Pluem]
*) mod_proxy_ajp: Added cping/cpong support for the AJP protocol.
A new worker directive ping=timeout will cause CPING packet
to be send expecting CPONG packet within defined timeout.
In case the backend is too busy this will fail instead
sending the full header. [Mladen Turk]
Ruediger Pluem
committed
*) core: Do not allow internal redirects like the DirectoryIndex of mod_dir
Ruediger Pluem
committed
to circumvent the symbolic link checks imposed by FollowSymLinks and
SymLinksIfOwnerMatch. [Nick Kew, Ruediger Pluem, William Rowe]
*) mod_proxy: Support environment variable interpolation in reverse
proxying directives. [Nick Kew]
*) core: Add the filename of the configuration file to the warning message
about the useless use of AllowOverride. PR 39992.
[Darryl Miles <darryl darrylmiles.org>]
*) mod_proxy_balancer: Add information about the route, the sticky session
and the worker used during a request as environment variables. PR 39806.
[Brian <brectanu gmail.com>]
*) mod_isapi: Avoid double trailing slashes in HSE_REQ_MAP_URL_TO_PATH
support. Also corrects the slashes for Windows. PR 15993. [William Rowe]
*) mod_isapi: Handle "HTTP/1.1 200 OK" style status lines correctly, the
token parser worked while the resulting length was misinterpreted.
PR 29098 [Brock Bland <bbland serena.com>]
*) mod_isapi: Return 0 (failure) for more of the various ap_pass_brigade
attempts to stream the response at the client. PR 30022 [William Rowe]
William A. Rowe Jr
committed
*) mod_isapi: Ensure we walk through all the methods the developer may have
employed to report their HTTP status result code.
PR 16637 30033 28089 [Matt Lewandowsky <matt iamcode.net>, William Rowe]
*) New SSLLogLevelDebugDump [ None (default) | IO (not bytes) | Bytes ]
configures the I/O Dump of SSL traffic, when LogLevel is set to Debug.
The default is none as this is far greater debugging resolution than
the typical administrator is prepared to untangle. [William Rowe]
*) mod_disk_cache: If possible, check if the size of an object to cache is
within the configured boundaries before actually saving data.
[Niklas Edmundsson <nikke acc.umu.se>]
*) mod_cache: Convert all values to seconds before comparing them when
checking whether to send a Warning header for a stale response.
PR 39713. [Owen Taylor <otaylor redhat.com>]
Ruediger Pluem
committed
*) mod_disk_cache: Delete temporary files if they cannot be renamed to their
final name. [Davi Arnaut <davi haxent.com.br>]
*) Worker and event MPMs: Remove improper scoreboard updates which were
performed in the event of a fork() failure. [Chris Darroch]
*) Add support for fcgi:// proxies to mod_rewrite.
[Markus Schiegl <ms schiegl.com>]
*) Remove incorrect comments from scoreboard.h regarding conditional
loading of worker_score structure with mod_status, and remove unused
definitions relating to old life_status field.
[Chris Darroch <chrisd pearsoncmg.com>]
*) Remove allocation of memory for unused array of lb_score pointers
in ap_init_scoreboard(). [Chris Darroch <chrisd pearsoncmg.com>]
*) Add mod_proxy_fcgi, a FastCGI back end for mod_proxy.
[Garrett Rooney, Jim Jagielski, Paul Querna]
*) Event MPM: Fill in the scoreboard's tid field. PR 38736.
[Chris Darroch <chrisd pearsoncmg.com>]
*) mod_charset_lite: Remove Content-Length when output filter can
invalidate it. Warn when input filter can invalidate it.
[Jeff Trawick]
*) mod_ssl: Fix spurious hostname mismatch warning for valid
wildcard certificates. PR 37911. [Nick Burch <nick torchbox.com>]
*) Authz: Add the new module mod_authn_core that will provide common
authn directives such as 'AuthType', 'AuthName'. Move the directives
'AuthType' and 'AuthName' out of the core module and merge mod_authz_alias
into mod_authn_core. [Brad Nicholes]
Ruediger Pluem
committed
*) Authz: Mark the directives 'Order', 'Allow', 'Deny' and 'Satisfy' as
deprecated and move them into the new module mod_access_compat which
can be loaded to provide backwards compatibility for these directives.
[Brad Nicholes]
Ruediger Pluem
committed
*) Authz: Move the 'Require' directive from the core module as well as
add the directives '<SatisfyAll>', '<SatisfyOne>', '<RequireAlias>'
and 'Reject' to mod_authz_core. The new directives introduce 'AND/OR'
logic into the authorization processing. [Brad Nicholes]
Ruediger Pluem
committed
*) Authz: Add the new module mod_authz_core which acts as the
authorization provider vector and contains common authz
directives. [Brad Nicholes]
*) Authz: Renamed mod_authz_dbm authz providers from 'group' and
'file-group' to 'dbm-group' and 'dbm-file-group'. [Brad Nicholes]
*) Authz: Added the new authz providers 'env', 'ip', 'host', 'all' to handle
host-based access control provided by mod_authz_host and invoked
through the 'Require' directive. [Brad Nicholes]
*) Authz: Convert all of the authz modules from hook based to
provider based. [Brad Nicholes]
Ruediger Pluem
committed
Ruediger Pluem
committed
*) mod_cache: Add CacheMinExpire directive to set the minimum time in
seconds to cache a document.
[Brian Akins <brian.akins turner.com>, Ruediger Pluem]
*) mod_authz_dbd: SQL authz with Login/Session support [Nick Kew]
*) Fix typo in ProxyStatus syntax error message.
[Christophe Jaillet <christophe.jaillet wanadoo.fr>]
*) Asynchronous write completion for the Event MPM. [Brian Pane]
*) Added an End-Of-Request bucket type. The logging of a request and
the freeing of its pool are now done when the EOR bucket is destroyed.
This has the effect of delaying the logging until right after the last
of the response is sent; ap_core_output_filter() calls the access logger
indirectly when it destroys the EOR bucket. [Brian Pane]
*) Rewrite of logresolve support utility: IPv6 addresses are now supported
and the format of statistical output has changed. [Colm MacCarthaigh]
*) Rewrite of ap_coreoutput_filter to do nonblocking writes [Brian Pane]
*) Added new connection states for handler and write completion
[Brian Pane]
*) mod_cgid: Refuse to work on Solaris 10 due to OS bugs. PR 34264.
[Justin Erenkrantz]
*) Teach mod_ssl to use arbitrary OIDs in an SSLRequire directive,
allowing string-valued client certificate attributes to be used for
access control, as in: SSLRequire "value" in OID("1.3.6.1.4.1.18060.1")
[Martin Kraemer, David Reid]
Changes with Apache 2.2.4
*) mod_echo: Fix precedence problem in if statement. PR 40658.
[Larry Cipriani <lvc lucent.com>]
*) mod_mime_magic: Fix precedence problem in if statement. PR 40656.
[Larry Cipriani <lvc lucent.com>]
*) The full server version information is now included in the error log at
startup as well as server status reports, irrespective of the setting
of the ServerTokens directive. ap_get_server_version() is now
deprecated, and is replaced by ap_get_server_banner() and
ap_get_server_description(). [Jeff Trawick]
*) mod_proxy_balancer: Workers can now be defined as part of
a balancer cluster "set" in which members of a lower-numbered set
are preferred over higher numbered ones. [Jim Jagielski]
*) mod_proxy_balancer: Workers can now be defined as "hot standby" which
will only be used if all other workers are unusable (eg: in
error or disabled). Also, the balancer-manager displays the election
count and I/O counts of all workers. [Jim Jagielski]
*) mod_proxy_ajp: Close connection to backend if reading of request body
fails. PR 40310. [Ian Abel <ianabel mxtelecom.com>]
*) mod_proxy_balancer: Retry worker chosen by route / redirect worker if
it is in error state before sending "Service Temporarily Unavailable".
PR 38962. [Christian Boitel <cboitel lfdj.com>]
*) mod_authn_alias: Add a check to make sure that the base provider and the
alias names are different and also that the alias has not been registered
before. PR 40051. [Brad Nicholes]
*) mod_authnz_ldap: Fix a problem with invalid auth error detection for LDAP
client SDKs that don't support the LDAP_SECURITY_ERROR macro. PR 39529.
[Ray Price <dohrayme yahoo.com>, Josh Fenlason <jfenlason ptc.com>]
*) mod_cache: Do not overwrite the Content-Type in the cache, for
successfully revalidated cached objects. PR 39647. [Ruediger Pluem]
*) mod_speling: Add directive to deal with case corrections only
and ignore other misspellings [Olivier Thereaux <ot w3.org>]
*) mod_dbd: Fix dependence on virtualhost configuration in
defining prepared statements (possible segfault at startup
in user modules such as mod_authn_dbd). [Nick Kew]
*) Add optional 'scheme://' prefix to ServerName directive,
allowing correct determination of the canonical server URL
for use behind a proxy or offload device handling SSL; fixing
redirect generation in those cases. PR 33398. [Sander Temme]
*) Added server_scheme field to server_rec for above. Minor MMN bump.
[Sander Temme]
*) mod_cache: Make caching of reverse SSL proxies possible again. PR 39593.
[Ruediger Pluem, Joe Orton]
*) Worker MPM: On graceless shutdown or restart, send signals to
each worker thread to wake them up if they're polling on a
Keep-Alive connection. PR 38737. [Chris Darroch]
*) worker and event MPMs: fix excessive forking if fork() or child_init
take a long time. PR 39275.
[Greg Ames, Jeff Trawick, Chris Darroch <chrisd pearsoncmg.com> ]
*) configure: Add "--with-included-apr" flag to force use of the
bundled version of APR at build time. [Joe Orton]
*) Respect GracefulShutdownTimeout in the worker and event MPMs.
[Chris Darroch, Garrett Rooney]
*) mod_mem_cache: Set content type correctly when delivering data from
cache. PR 39266. [Ruediger Pluem]
*) mod_autoindex: Fix filename escaping with FancyIndexing disabled.
PR 38910. [Robby Griffin <rmg terc.edu>]
*) mod_charset_lite: Bypass translation when the source and dest charsets
are the same. [Jeff Trawick]
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
*) mod_deflate: Allow mod_deflate to handle internal redirects.
[Brian J. France <list firehawksystems.com>]
*) mod_proxy_balancer: Initialize members of a balancer correctly.
PR 38227. [James A. Robinson <jim.robinson stanford.edu>]
*) mod_proxy: Do not release connections from connection pool twice.
PR 38793. [Ruediger Pluem, matthias <mk-asf gigacodes.de>]
*) core: Prevent reading uninitialized memory while reading a line of
protocol input. PR 39282. [Davi Arnaut <davi haxent.com.br>]
*) mod_dbd: Update defaults, improve error reporting.
[Chris Darroch <chrisd pearsoncmg com>, Nick Kew]
*) mod_dbd: Create own pool and mutex to avoid problem use of
process pool in request processing.
[Chris Darroch <chrisd pearsoncmg com>]
*) HTML-escape the Expect error message. Not classed as security as
an attacker has no way to influence the Expect header a victim will
send to a target site. Reported by Thiago Zaninotti
<thiango nstalker.com>. [Mark Cox]
*) htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
[Jeff Trawick]
*) htdbm: Warn the user when adding a plaintext password on a platform
where it wouldn't work with the server (i.e., anywhere that has
crypt()). [Jeff Trawick]
*) mod_proxy: don't reuse a connection that may be to the wrong backend
PR 39253 [Ruediger Pluem]
*) Default handler: Don't return output filter apr_status_t values.
PR 31759. [Jeff Trawick, Ruediger Pluem, Joe Orton]
Changes with Apache 2.2.1
*) SECURITY: CVE-2005-3357 (cve.mitre.org)
mod_ssl: Fix a possible crash during access control checks if a
non-SSL request is processed for an SSL vhost (such as the
"HTTP request received on SSL port" error message when an 400
ErrorDocument is configured, or if using "SSLEngine optional").
PR 37791. [Rüdiger Plüm, Joe Orton]
*) SECURITY: CVE-2005-3352 (cve.mitre.org)
mod_imagemap: Escape untrusted referer header before outputting
in HTML to avoid potential cross-site scripting. Change also
made to ap_escape_html so we escape quotes. Reported by JPCERT.
[Mark Cox]
*) mod_proxy_ajp: Flushing of the output after each AJP chunk is now
configurable at runtime via the 'flushpackets' and 'flushwait' worker
params. Minor MMN bump. [Jim Jagielski]
*) mod_proxy: Fix incorrect usage of local and shared worker init.
PR 38403. [Jim Jagielski]
*) mod_isapi: Fix compiler errors on Unix platforms.
[William Rowe]
*) mod_proxy_http: Send HTTP Keep-Alive Headers. PR 38524.
[Rüdiger Plüm, Joe Orton]
*) mod_disk_cache: Return the correct error codes from bucket read
failures, instead of APR_EGENERAL.
[Brian Akins <brian.akins turner.com>]
*) Add APR/APR-Util Compiled and Runtime Version numbers to the
output of 'httpd -V'. [William Rowe]
*) http: If a connection is aborted while waiting for a chunked line,
flag the connection as errored out. [Justin Erenkrantz]
*) core: Reject invalid Expect header immediately. PR 38123.
[Ruediger Pluem]
*) mod_proxy: Fix KeepAlives not being allowed and set to
backend servers. PR 38602. [Ruediger Pluem, Jim Jagielski]
*) mod_proxy: If we get an error reading the upstream response,
close the connection. [Justin Erenkrantz, Roy T. Fielding,
Jim Jagielski, Ruediger Pluem]
*) mod_proxy_ajp: Support common headers of the AJP protocol in responses.
PR 38340. [Aleksey Pesternikov <apesternikov yahoo.com>]
*) mod_proxy_balancer: Do not overwrite the status of initialized workers and
respect the configured status of uninitilized workers when creating a new
child process. [Ruediger Pluem]
*) mod_proxy_ajp: Crosscheck the length of the body chunk with the length of
the ajp message to prevent mod_proxy_ajp from reading beyond the buffer
boundaries and thus revealing possibly sensitive memory contents to the
client. [Ruediger Pluem]
*) Ensure that the proper status line is written to the client, fixing
incorrect status lines caused by filters which modify r->status without
resetting r->status_line, such as the built-in byterange filter.
[Jeff Trawick]
*) mod_speling: Stop crashing with certain non-file requests. [Jeff Trawick]
*) mod_cache: Make caching of reverse proxies possible again. PR 38017.
[Ruediger Pluem]
*) Modify apr[util] .h detection to avoid breakage on VPATH builds
using Solaris make (amoung others) and avoid breakage in ./buildconf
when srclib/apr[-util] are symlinks rather than directories proper.
[William Rowe]
*) Chunk filter: Fix chunk filter to create correct chunks in the case that
a flush bucket is surrounded by data buckets. [Ruediger Pluem]
*) Fix syntax error in httpd.h with strict compilers. PR 38740.
[Per Olausson <pao darkheim.freeserve.co.uk>]
*) Preserve the Content-Length header for a proxied HEAD response.
PR 18757. [Greg Ames]
*) Fix recursive ErrorDocument handling. PR 36090.
[Chris Darroch <chrisd pearsoncmg.com>]
*) Don't hang on error return from post_read_request. PR37790 [Nick Kew]
*) Fix off-by-one error in proxy_balancer. PR37753
[Kazuhiro Osawa <ko yappo ne jp>]
Changes with Apache 2.2.0
*) mod_negotiation: Minor performance tweak by reusing already calculated
strlen.
[Ruediger Pluem, Christophe Jaillet <christophe.jaillet wanadoo.fr>]
Justin Erenkrantz
committed
*) Remove support for 'On' and 'Off' for AuthBasicProvider and
AuthDigestProvider. [Joshua Slive, Justin Erenkrantz]
*) Add in new UseCanonicalPhysicalPort directive, which controls
whether or not Apache will ever use the actual physical port
when constructing the canonical port number. [Jim Jagielski]
*) mod_dav: Fix a null pointer dereference in an error code path during the
handling of MKCOL.
[Ruediger Pluem, Ghassan Misherghi <ghassanm ucdavis.edu>]
*) Fix DESTDIR=... installation when using bundled copy of APR.
[Torsten Foertsch <torsten.foertsch gmx.net>]
*) mod_proxy_balancer: When finding best worker, use case insensitive
match for scheme and host, but case sensitive for the rest of
the path. [Jim Jagielski, Ruediger Pluem]
Changes with Apache 2.1.9
*) Add mod_authn_dbd (SQL-based authentication) [Nick Kew]
*) mod_proxy_ajp: Do not spool the entire response from AJP backend before
sending it up the filter chain. PR37100. [Ruediger Pluem]
*) mod_cache: Create new filters CACHE_OUT_SUBREQ / CACHE_SAVE_SUBREQ which
only differ by the type from CACHE_OUT / CACHE_SAVE to ensure that
subrequests to non local resources work again. [Ruediger Pluem]
Ruediger Pluem
committed
*) mod_proxy: Do not lowercase the entire worker name of a BalancerMember
since this breaks case sensitive URI's. PR36906. [Ruediger Pluem]
*) core: AddOutputFilterByType is ignored for proxied requests. PR31226.
[Joe Orton, Ruediger Pluem]
*) mod_proxy_http: Prevent data corruption of POST request bodies when
client accesses proxied resources with SSL. PR37145.
[Ruediger Pluem, William Rowe]
*) mod_proxy_balancer: BalancerManager and proxies correctly handle
member workers with paths. PR36816. [Ruediger Pluem, Jim Jagielski]
*) mod_log_config: %{hextid}P will log the thread id in hex with APR
versions 1.2.0 or higher. [Jeff Trawick]
*) httpd.exe/apachectl -V: display the DYNAMIC_MODULE_LIMIT setting, as
in 1.3. [Jeff Trawick]
*) Support dbd connections tied to the conn_rec [Nick Kew]
*) Move mod_dbd to /modules/database/ [Nick Kew]
*) Move mod_filter and mod_charset_lite to /modules/filters/ [Nick Kew]
*) Fix mod_dbd's config [Brian J. France <list firehawksystems.com>]
*) mod_proxy_ajp: mod_proxy_ajp sends empty SSL attributes for non SSL
connections. PR36883.
[William Barker <william.barker wilshire.com>, Ruediger Pluem]
*) Elimiated the NET_TIME filter, restructuring the timeout logic.
This provides a working mod_echo on all platforms, and ensures any
custom protocol module is at least given an initial timeout value
based on the <VirtualHost > context's Timeout directive.
[William Rowe]
*) mod_proxy: Run the request_status hook also if there are no free workers
or all workers are in error state.
[Ruediger Pluem, Brian Akins <brian.akins turner.com>]
*) mod_proxy_balancer: mod_proxy_balancer does not handle sticky sessions
with tomcat correctly. PR36507. [Ruediger Pluem]
*) mod_proxy_connect: Fix high CPU loop on systems like UnixWare which
trigger POLL_ERR or POLL_HUP on a terminated connection. PR 36951.
[Jeff Trawick, Ruediger Pluem]
*) SECURITY: CVE-2005-2970 (cve.mitre.org)
worker MPM: Fix a memory leak which can occur after an aborted
connection in some limited circumstances. [Greg Ames]
Colm MacCarthaigh
committed
*) Doxygen fixup [Neale Ranns <neale ranns.org>, Ian Holsman]
*) mod_cache/mod_dir: Correct a subrequest lookup bug which was preventing
mod_dir from serving indexes correctly with mod_cache enabled.
[Colm MacCarthaigh]
*) Fix lingering close implementation to match 1.3.x behaviour.
PR 35292. [Joe Orton]
*) mod_ssl: Support limited buffering of request bodies to allow
per-location renegotiation to proceed. PR 12355. [Joe Orton]
*) Fix regression since 2.0.x in AllowOverride Options handling.
PR 35330. [kabe <kabe sra-tohoku.co.jp>]
*) mod_ssl: Fix memory leak in ssl_util_algotypeof().
PR 25659. [David Blake <dblake hp com>, Martin Kraemer]
*) prefork, worker and event MPMs: Support a graceful-stop procedure:
Server will wait until existing requests are finished or until
"GracefulShutdownTimeout" number of seconds before exiting.
[Colm MacCarthaigh, Ken Coar, Bill Stoddard]
*) prefork, worker and event MPMs: Prevent children from holding open
listening ports upon graceful restart or stop. PR 28167.
[Colm MacCarthaigh, Brian Pinkerton <bp thinkpink.com>]
*) SECURITY: CVE-2005-2700 (cve.mitre.org)
mod_ssl: Fix a security issue where "SSLVerifyClient" was not
enforced in per-location context if "SSLVerifyClient optional"
was configured in the vhost configuration. [Joe Orton]
*) mod_ssl: Catch parse errors from misconfigured or malformed
CRLs. PR 36438. [Joe Orton]
*) mod_proxy/mod_proxy_balancer: lbmethods now implemented as
providers. Prevent problems when no Vhost containers were
configured with proxy balancers. [Jim Jagielski]
*) New provider function to list all available provider names in a
specific group and version (ap_list_provider_names). [Jim Jagielski]
*) mod_cache: Enhance CacheEnable/CacheDisable to control caching on a
per-protocol, per-host and per-path basis. Intended for proxy
configurations. [Colm MacCarthaigh]
*) mod_disk_cache: Canonicalise the storage key, for improved hit/miss
ratio. [Colm MacCarthaigh]
*) mod_cgid: Append .PID to the script socket filename and remove the
script socket on exit. [Colm MacCarthaigh, Jim Jagielski]
*) mod_cgid: run the get_suexec_identity hook within the request-handler
instead of within cgid. PR 36410. [Colm MacCarthaigh]
*) Linux 2.0: remove support for threaded MPM's due to linuxthreads use
of SIGUSR1 clashing with graceful restart signal. [Colm MacCarthaigh]
*) SECURITY: CVE-2005-2491 (cve.mitre.org):
Fix integer overflows in PCRE in quantifier parsing which could
be triggered by a local user through use of a carefully-crafted
regex in an .htaccess file. [Philip Hazel]
Jim Jagielski
committed
*) mod_proxy/mod_proxy_balancer: Provide a simple, functional
interface to add additional balancer lb selection methods
without requiring code changes to mod_proxy/mod_proxy_balancer;
these can be implemented via sub-modules now. [Jim Jagielski]
*) mod_cache: Fix incorrectly served 304 responses when expired cache
entity is valid, but cache is unwritable and headers cannot be
updated. [Colm MacCarthaigh <colm stdlib.net>]
*) mod_cache: Remove entities from the cache when re-validation
receives a 404 or other content-no-longer-present error.
[Rüdiger Plüm ruediger.pluem vodafone.com]
*) mod_disk_cache: Properly remove files from cache when needed.
[Rüdiger Plüm ruediger.pluem vodafone.com]
*) mod_disk_cache: Support htcacheclean removing directories.
[Andreas Steinmetz]
*) htcacheclean: Add -t option to remove empty directories.
[Colm MacCarthaigh <colm stdlib.net>]
*) Remove the base href tag from mod_proxy_ftp, as it breaks relative
links for clients not using an Authorization header. [Graham Leggett,
Jon Snow <jsnow27 gatesec.net>]
*) mod_cache: Restore the HTTP status of cached responses.
[Hansjoerg Pehofer <hansjoerg.pehofer uibk.ac.at>]
*) mod_cache: Store varied contents all in the same prefix for a varied URI.
[Paul Querna]
*) mod_cache: Run the CACHE_SAVE and CACHE_OUT Filters after other content
filters. [Paul Querna]
Paul Querna
committed
*) mod_negotiation: Correctly report 404 instead of 403 for missing files.
[Paul Querna]
*) new hook (request_status) that gets ran in proxy_handler just before
the final return. This gives modules an opportunity to do something
based on the proxy status. (minor MMN bump)
[Brian Akins <bakins turner.com>, Ian Holsman]
*) Add additional SSLSessionCache option, 'nonenotnull', which is
similar to 'none' (disabling any external shared cache) but forces
OpenSSL to provide a non-null session ID. [Jim Jagielski]
Paul Querna
committed
*) Add httxt2dbm to support/ for creating RewriteMap DBM Files.
[Paul Querna]
*) Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note
the negotiated compression. [Georg v. Zezschwitz <gvz 2scale.de>]
*) Fixed complaints about unpackaged files within the RPM build
after changes to the config files. [Graham Leggett]
*) Fix shutdown for the Worker MPM when an Accept Filter is used. Instead of
just closing the socket, a HTTP request is made, to make sure the child is
always awakened. [Paul Querna]
*) Fix htdbm password validation for records which included comments.
[Eric Covener <covener gmail.com>]
*) mod_cgid: Fix buffer overflow processing ScriptSock directive.
[Steve Kemp <steve steve.org.uk>]
*) mod_ssl: Setting the Protocol to 'https' can replace the use of the
'SSLEngine on' command. [Paul Querna]
*) core: Refactor the mapping of Accept Filters to Sockets. Add the
AcceptFilter and Protocol directives to aid in mapping filter types.
Extend the Listen directive to optionally take a protocol name.
[Paul Querna]
Paul Querna
committed
*) mod_disk_cache: Support storing multiple variations of one URL. PR 35211.
[Paul Querna]
Paul Querna
committed
*) mod_disk_cache: Atomically create the header data file. [Paul Querna]
Paul Querna
committed
*) mod_cache: Fix 'Vary: *' behavior to be RFC compliant. PR 16125.
[Paul Querna]
*) mod_cache: Rename 'generate_name' to 'ap_cache_generate_name'.
[Paul Querna]
*) mod_mime_magic: Handle CRLF-format magic files so that it works with
the default installation on Windows. [Jeff Trawick]
Paul Querna
committed
*) core: Allow multiple modules to register interest in a single
configuration command. [Paul Querna]
*) authn_provider_alias: Adds the configuration block tag
<AuthnProviderAlias baseProvider Alias>
Authentication directives contained within this block can be
referenced as a new authProvider using the AuthBasicProvider or
AuthDigestProvider directive. These directives will be merged in to
the per_dir configuration just before the base provider is called.
[Brad Nicholes]
*) ap_getword_conf: Fix backslashes at the end of configuration directives.
PR 34834. [Timo Viipuri <viipuri dlc.fi>]
*) mod_dbd: New additions: mod_dbd.c, mod_dbd.h, mod_dbd.xml
Provide module hooks for apr_dbd; optimise for httpd
threaded and non-threaded arch [Nick Kew]
*) ab: SSL support rewritten, improved, and enabled if SSL is enabled
during the build; -f and -Z arguments added to specify SSL protocol
options. [Masaoki Kobayashi <masaoki techfirm.co.jp>]
*) mod_info: Show the Quick Handler [Paul Querna]
*) mod_ldap: Add the directive LDAPVerifyServerCert to specify
whether to force verification of the server certificate when
establishing an SSL connection to the LDAP server.
[Brad Nicholes]
*) mod_proxy: Run mod_rewrite before mod_proxy in the translate_name
Paul Querna
committed
hook. [Paul Querna]
Paul Querna
committed
*) Add AP_INIT_TAKE_ARGV for configuration commands. (minor MMN bump)
[Paul Querna]
*) ap_get_local_host() rewritten for APR. [Jim Jagielski]
Paul Querna
committed
*) Add the ap_vhost_iterate_given_conn function to expose the information
used in Name Based Virtual Hosting. (minor MMN bump)
[Paul Querna]
Paul Querna
committed
*) Remove the never working ap_method_list_do and ap_method_list_vdo.
[Paul Querna]
*) Added makefile and doc for building mod_ssl on the NetWare
platform. [Guenter Knauf, Brad Nicholes]
Paul Querna
committed
*) mod_deflate: Merge the Vary header, isntead of Setting it. Fixes
applications that send the Vary Header themselves, and also apply
mod_deflate as an output filter. [Paul Querna]
*) Change the default (when not present in the config file) setting
for UseCanonicalName to Off.
[Joshua Slive]
*) mod_userdir: The module no longer does any remapping unless the
UserDir directive is present in the config file.
[Joshua Slive]
*) Massively simplify the distributed httpd.conf by removing
many features and many directives that are at their default
setting. Add a selection of example config excerpts for adding
extra features in the conf/extra/ directory. Install the
distributed config and the extra config examples in the
conf/original/ directory during make install.
[Joshua Slive, Justin Erenkrantz]
*) NetWare: Reposition mod_asis, mod_actions, mod_cgi, mod_imagemap,
mod_userdir and mod_autoindex as shared modules rather than
built-in modules within the NetWare build.
[Brad Nicholes]
*) Rename mod_imap to mod_imagemap.
[Paul Querna]
*) util_ldap: Eliminate the load ordering of mod_ldap and mod_authnz_ldap
by changing the mod_ldap exported functions to optional functions.
[Brad Nicholes]
Greg Ames
committed
*) Don't let a subrequest inherit headers describing the original request's
body. [Greg Ames]
*) Fix Windows CompContext buff size miscalculation
[Allan Edwards]
*) Add ReceiveBufferSize directive to control the TCP receive buffer.
[Eric Covener <covener gmail.com>]
*) mod_proxy: Add proxy-sendextracrlf option to send an extra CRLF at the
end of the request body to work with really old HTTP servers.
[Justin Erenkrantz]
Bradley Nicholes
committed
*) util_ldap: Keep track of the number of attributes retrieved from
LDAP so that all the values can be properly cached even if the
value is NULL. PR 33901 [Brad Nicholes]
Justin Erenkrantz
committed
*) mod_cache: Fix error where incoming Cache-Control would be ignored.
[Justin Erenkrantz]
*) mod_cache: Correctly handle originally conditional requests.
[Sander Striker]
*) mod_disk_cache: Correctly update cached headers on revalidated responses.
[Sander Striker, Justin Erenkrantz]
*) worker MPM/mod_status: Support per-worker tracking of pid and
generation in the scoreboard so that mod_status can accurately
represent workers in processes which are gracefully terminating.
(major MMN bump)
[Jeff Trawick]
*) Correctly export all mod_dav public functions.
[Branko Čibej <brane xbc.nu>]
*) mod_ssl: Add ssl_ext_lookup optional function for accessing
certificate extensions. [David Reid, Joe Orton]
*) Add support for use of an external PCRE library; pass the
--with-pcre flag to configure. PR 27550. [Joe Orton,
Andres Salomon <dilinger voxel.net>]
*) Renamed regex interfaces to be namespace-safe, and moved from
pcreposix.h header to ap_regex.h: regex_t->ap_regex_t,
regmatch_t->ap_regmatch_t; REG_*->AP_REG_*; functions
reg*->ap_reg*. PR 27550. [Andres Salomon <dilinger voxel.net>,
Joe Orton]
*) Only recompile buildmark.c when we have to relink httpd.
[Justin Erenkrantz]
*) mod_cache: Fix up handling of revalidated responses.
Justin Erenkrantz
committed
[Justin Erenkrantz]
Justin Erenkrantz
committed
*) mod_disk_cache: Properly load cached ETag from on-disk structures.
[Justin Erenkrantz]
*) mod_authnz_ldap: Added an optional second parameter to AuthLDAPURL
to allow it to override the connection type set in mod_ldap. This
parameter can be set to NONE, SSL or TLS | STARTTLS.
[Brad Nicholes]
*) Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
[Max Bowsher <maxb ukf.net>]
*) mod_proxy: Fix ProxyRemoteMatch directive. PR 33170.
[Rici Lake <rici ricilake.net>]
*) mod_proxy: Fix ap_proxy_canonenc API.
PR 32459. [Jim Jagielski]
Justin Erenkrantz
committed
*) mod_cache: Add CacheStorePrivate and CacheStoreNoStore directive.
[Justin Erenkrantz]
*) Add --enable-pie flag to configure, to build httpd as a Position
Independent Executable where supported (GCC/binutils).
[Joe Orton]
*) proxy_balancer: Add in load-balancing via weighted traffic
byte count. [Jim Jagielski]
Justin Erenkrantz
committed
*) mod_disk_cache: Cache r->err_headers_out headers. This allows CGI
scripts to be properly cached. [Justin Erenkrantz, Sander Striker]
*) mod_ldap: Updated to use the new apr-util v1.1 apr_ldap_*_option()
API for the setting of server and client SSL certificates. Replaced
LDAPTrustedCA directive with LDAPTrustedGlobalCert and
LDAPTrustedClientCert directives to correctly support global certs
(CA certs / Netware client certs) and per connection client certs
as supported by Netware, OpenLDAP and Netscape/Mozilla.
[Graham Leggett]
*) mod_cache: Remove unimplemented CacheForceCompletion directive.
[Justin Erenkrantz]
*) support/check_forensic: Fix temp file usage
[Javier Fernandez-Sanguino Pen~a <jfs computer.org>]
*) mod_ssl: Add SSLCADNRequestFile and SSLCADNRequestPath directives
which can be used to configure a specific list of CA names to send
in a client certificate request. PR 32848.
[Tim Taylor <tim.taylor dfas.mil>]
*) --with-module can now take more than one module to be statically
linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
If the <modtype>-subdirectory doesn't exist it will be created and
populated with a standard Makefile.in. [Erik Abele]
*) Remove some compiler warnings within the LDAP modules [Graham Leggett]
*) Add a build script to create a solaris package. [Graham Leggett]
*) ap_http_scheme() replaced with ap_http_method() - this function
returns the scheme (http v.s. https).
[William Rowe]
*) mod_proxy: Fix a request corruption problem and a buffering problem
which sometimes prevented proxy-sendchunks from working.
[Jeff Trawick]
*) Fix the RPM spec file so that an RPM build now works. An RPM
build now requires system installations of APR and APR-util.
[Graham Leggett]
*) Significantly simplify the load balancer scheduling algorithm
for the proxy BalancerMember weighting. loadfactors (lbfactors)
are now normalized with respect to each other. [Jim Jagielski]
*) mod_dumpio: Added to the available module suite; it is an
I/O logging/dumping module. Placed in the (new) debug module
subdirectory. mod_bucketeer moved to that directory as well.
[Jim Jagielski]
*) core: Add support for APR_TCP_DEFER_ACCEPT to defer accepting
of a connection until data is available.
[Paul Querna]
*) mod_proxy: Respect errors reported by pre_connection hooks.
[Jeff Trawick]
Paul Querna
committed
*) core: Error out on sections that are missing an argument instead of
silently consuming the section. PR 25460.
[Geoffrey Young, Paul Querna]
*) mod_cache/mod_mem_cache/mod_disk_cache: Move out of experimental.
*) Upgraded PCRE to version 5.0. [Brian Pane]
*) mod_cgid: Catch configuration problem where two web server instances
share same ServerRoot but admin forgot to use ScriptSock.
[Jeff Trawick]
*) mod_cgi: Ensure that all stderr is logged for a script which returns
a Location header to generate a non-local redirect. PR 20111.
[Joe Orton]
*) Added the Event MPM to more efficiently handle clients during a
Keep Alive request.
[Paul Querna, Greg Ames]
*) mod_proxy_http: Stream content better - always flush buffered data to
the client before blocking waiting for new data. PR 19954.
[Joe Orton]
*) mod_ssl: Add support for command-line option "-t -DDUMP_CERTS" which
will dump the filenames of all configured SSL certificates to stdout.
[Joe Orton]
*) mod_disk_cache: Remove a bunch of non-implemented garbage collection
and cache size directives that are now available through htcacheclean.
[Justin Erenkrantz]
*) Add htcacheclean to support/ for assistance with mod_disk_cache.
[Andreas Steinmetz]
Bradley Nicholes
committed
*) mod_authnz_ldap: Added the directive "Requires ldap-filter" that
allows the module to authorize a user based on a complex LDAP
search filter. [Brad Nicholes]
*) mod_usertrack: Run the fixups hook before other modules.
PR 29755. [Paul Querna]
*) Allow mod_authnz_ldap authorization functionality to be used
without requiring the user to also be authenticated through
mod_authnz_ldap. This allows other authentication modules to
take advantage of LDAP authorization only [PR 28253]
[Jari Ahonen jah progress.com, Brad Nicholes]
*) Log the client IP address when an error occurs disabling nagle on a
connection, but log at a severity of debug since this error
generally means that the connection was dropped before data was
sent. Log the client IP address when reporting errors in the core
output filter. [Jeff Trawick]
*) core: Add a warning message if the request line read fails.
[Paul Querna]
*) mod_rewrite: Removed the MaxRedirects option in favor of the
core LimitInternalRecursion directive. [André Malo]
*) mod_info: Added listing of the Request Hooks and added more build
information like 'httpd -V' contains. Changed output to XHTML.
[Paul Querna]
*) mod_info: Rewrote config tree walk using a recursive function.
Added ?config option. Added printout of config filename and line numbers.
[Rici Lake <rici ricilake.net>, Paul Querna]
*) mod_proxy: Fix type error that prevents proxy-sendchunks from working.
[Justin Erenkrantz]
*) mod_proxy: Fix data corruption by properly setting aside buckets.