Newer
Older
Changes with Apache 2.3.6
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
attack when compiled against OpenSSL version 0.9.8m or later. Introduces
the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
and offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol, RFC 5746.
[Joe Orton, and with thanks to the OpenSSL Team]
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
by rejecting any client-initiated renegotiations. Forcibly disable
keepalive for the connection if there is any buffered data readable. Any
configuration which requires renegotiation for per-directory/location
access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
[Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
*) SECURITY: CVE-2010-0408 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
when request headers indicate a request body is incoming; not a case of
HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]
*) SECURITY: CVE-2010-0425 (cve.mitre.org)
mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.
[Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
*) core: Add microsecond timestamp fractions, process id and thread id
to the error log. [Rainer Jung]
*) configure: The "most" module set gets build by default. [Rainer Jung]
*) configure: Building dynamic modules (DSO) by default. [Rainer Jung]
*) configure: Fix broken VPATH build when using included APR.
[Rainer Jung]
*) mod_session_crypto: Fix configure problem when building
with APR 2 and for VPATH builds with included APR.
[Rainer Jung]
*) mod_session_crypto: API compatibility with APR 2 crypto and
APR Util 1.x crypto. [Rainer Jung]
*) ab: Fix memory leak with -v2 and SSL. PR 49383.
[Pavel Kankovsky <peak argo troja mff cuni cz>]
*) core: Add per-module and per-directory loglevel configuration.
Add some more trace logging.
mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels.
mod_ssl: Replace LogLevelDebugDump with trace log levels.
mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info
and debug.
mod_dumpio: Replace DumpIOLogLevel with trace log levels.
[Stefan Fritsch]
*) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
title page only) when any mod_ldap directives were used in VirtualHost
context. [Eric Covener]
*) mod_disk_cache: Decline the opportunity to cache if the response is
a 206 Partial Content. This stops a reverse proxied partial response
from becoming cached, and then being served in subsequent responses.
[Graham Leggett]
*) mod_deflate: avoid the risk of forwarding data before headers are set.
PR 49369 [Matthew Steele <mdsteele google.com>]
*) mod_authnz_ldap: Ensure nested groups are checked when the
top-level group doesn't have any direct non-group members
of attributes in AuthLDAPGroupAttribute. [Eric Covener]
*) mod_authnz_ldap: Search or Comparison during authorization phase
can use the credentials from the authentication phase
(AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser).
PR 48340 [Domenico Rotiroti, Eric Covener]
*) mod_authnz_ldap: Allow the initial DN search during authentication
to use the HTTP username/pass instead of an anonymous or hard-coded
LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).
[Eric Covener]
Eric Covener
committed
*) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
when this module is used for authorization. See AuthLDAPAuthorizePrefix.
PR 45584 [Eric Covener]
*) apxs -q: Stop filtering out ':' characters from the reported values.
PR 45343. [Bill Cole]
*) prefork MPM: Run cleanups for final request when process exits gracefully.
PR 43857. [Tom Donovan]
*) ab: fix number of requests sent by ab when keepalive is enabled. PR 48497.
[Bryn Dole <dole blekko.com>]
Eric Covener
committed
*) Log an error for failures to read a chunk-size, and return 408 instead of
413 when this is due to a read timeout. This change also fixes some cases
of two error documents being sent in the response for the same scenario.
[Eric Covener] PR49167
*) mod_proxy_balancer: Add new directive BalancerNonce to allow admin
to control/set the nonce used in the balancer-manager application.
[Jim Jagielski]
*) mod_proxy_connect: Support port ranges in AllowConnect. PR 23673.
[Stefan Fritsch]
*) Proxy balancer: support setting error status according to HTTP response
code from a backend. PR 48939. [Daniel Ruggeri <DRuggeri primary.net>]
*) htcacheclean: Introduce the ability to clean specific URLs from the
cache, if provided as an optional parameter on the command line.
[Graham Leggett]
*) core: Introduce the IncludeStrict directive, which explicitly fails
server startup if no files or directories match a wildcard path.
[Graham Leggett]
*) htcacheclean: Report additional statistics about entries deleted.
PR 48944. [Mark Drayton mark markdrayton.info]
*) Introduce SSLFIPS directive to support OpenSSL FIPS_mode; permits all
builds of mod_ssl to use 'SSLFIPS off' for portability, but the proper
build of openssl is required for 'SSLFIPS on'. PR 46270.
[Dr Stephen Henson <steve openssl.org>, William Rowe]
*) mod_proxy_http: Log the port of the remote server in various messages.
PR 48812. [Igor Galić <i galic brainsware org>]
*) mod_reqtimeout: Do not wrongly enforce timeouts for mod_proxy's backend
connections and other protocol handlers (like mod_ftp). [Stefan Fritsch]
*) mod_proxy_ajp: Really regard the operation a success, when the client
aborted the connection. In addition adjust the log message if the client
aborted the connection. [Ruediger Pluem]
*) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
allows insecure renegotiation with clients which do not yet
support the secure renegotiation protocol. [Joe Orton]
*) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
is configured for client cert auth. PR 46952. [Joe Orton]
*) core: Only log a 408 if it is no keepalive timeout. PR 39785
[Ruediger Pluem, Mark Montague <markmont umich.edu>]
*) support/rotatelogs: Add -L option to create a link to the current
log file. PR 48761 [<lyndon orthanc.ca>, Dan Poirier]
Eric Covener
committed
*) mod_ldap: Update LDAPTrustedClientCert to consistently be a per-directory
setting only, matching most of the documentation and examples.
PR 46541 [Paul Reder, Eric Covener]
*) mod_ldap: LDAPTrustedClientCert now accepts CA_DER/CA_BASE64 argument
types previously allowed only in LDAPTrustedGlobalCert. [Eric Covener]
*) mod_negotiation: Preserve query string over multiviews negotiation.
This buglet was fixed for type maps in 2.2.6, but the same issue
affected multiviews and was overlooked.
PR 33112 [Joergen Thomsen <apache jth.net>]
Eric Covener
committed
*) mod_ldap: Eliminate a potential crash with multiple LDAPTrustedClientCert
when some are not password-protected. [Eric Covener]
*) Fix startup segfault when the Mutex directive is used but no loaded
modules use httpd mutexes. PR 48787. [Jeff Trawick]
Nick Kew
committed
*) Proxy: get the headers right in a HEAD request with
ProxyErrorOverride, by checking for an overridden error
before not after going into a catch-all code path.
PR 41646. [Nick Kew, Stuart Children]
Nick Kew
committed
*) support/rotatelogs: Support the simplest log rotation case, log
truncation. Useful when the log is being processed in real time
using a command like tail. [Graham Leggett]
*) support/htcacheclean: Teach it how to write a pid file (modelled on
httpd's writing of a pid file) so that it becomes possible to run
more than one instance of htcacheclean on the same machine.
[Graham Leggett]
*) Log command line on startup, so there's a record of command line
arguments like -f. PR 48752. [Dan Poirier]
*) Introduce mod_reflector, a handler capable of reflecting POSTed
request bodies back within the response through the output filter
stack. Can be used to turn an output filter into a web service.
[Graham Leggett]
*) mod_proxy_http: Make sure that when an ErrorDocument is served
from a reverse proxied URL, that the subrequest respects the status
of the original request. This brings the behaviour of proxy_handler
in line with default_handler. PR 47106. [Graham Leggett]
*) Support wildcards in both the directory and file components of
the path specified by the Include directive. [Graham Leggett]
Loading full blame...