Newer
Older
*) vhosts: Do not allow _default_ in NameVirtualHost, or mixing *
and non-* ports on NameVirtualHost, or multiple NameVirtualHost
directives for the same address:port, or NameVirtualHost
directives with no matching VirtualHosts, or multiple ip-based
VirtualHost sections for the same address:port. These were
previously accepted with a warning, but the behavior was
undefined. [Dan Poirier]
*) mod_remoteip: Fix a segfaulti when using mod_remoteip in conjunction with
Allow/Deny. PR 49838. [Andrew Skalski <voltara gmail.com>]
*) core: DirectoryMatch can now match on the end of line character ($),
and sub-directories of matched directories are no longer implicitly
matched. PR49809 [Eric Covener]
*) suexec: Support large log files. PR 45856. [Stefan Fritsch]
*) core: Abort with sensible error message if no or more than one MPM is
loaded. [Stefan Fritsch]
*) mod_proxy: Rename erroronstatus to failonstatus.
[Daniel Ruggeri <DRuggeri primary.net>]
*) mod_dav_fs: Fix broken "creationdate" property.
Regression in version 2.3.7. [Rainer Jung]
Paul Querna
committed
*) SECURITY: CVE-2010-1452 (cve.mitre.org)
mod_dav, mod_cache, mod_session: Fix Handling of requests without a path
segment. PR: 49246 [Mark Drayton, Jeff Trawick]
Stefan Fritsch
committed
*) mod_ldap: Properly check the result returned by apr_ldap_init. PR 46076.
[Stefan Fritsch]
*) mod_rewrite: Log errors if rewrite map files cannot be opened. PR 49639.
[Stefan Fritsch]
*) mod_proxy_http: Support the 'ping' property for backend HTTP/1.1 servers
via leveraging 100-Continue as the initial "request".
[Jim Jagielski]
*) core/mod_authz_core: Introduce new access_checker_ex hook that enables
mod_authz_core to bypass authentication if access should be allowed by
IP address/env var/... [Stefan Fritsch]
*) core: Introduce note_auth_failure hook to allow modules to add support
for additional auth types. This makes ap_note_auth_failure() work with
mod_auth_digest again. PR 48807. [Stefan Fritsch]
*) socache modules: return APR_NOTFOUND when a lookup is not found [Nick Kew]
*) configure: Add reallyall option for --enable-mods-shared. [Stefan Fritsch]
*) Fix Windows build when using VC6. [Gregg L. Smith <lists glewis com>]
*) mod_rewrite: Allow to set environment variables without explicitly
giving a value. [Rainer Jung]
*) mod_rewrite: Remove superfluous EOL from rewrite logging. [Rainer Jung]
*) mod_include: recognise "text/html; parameters" as text/html
PR 49616 [Andrey Chernov <ache nagual.pp.ru>]
*) CGI vars: allow PATH to be set by SetEnv, consistent with LD_LIBRARY_PATH
PR 43906 [Nick Kew]
*) Core: Extra robustness: don't try authz and segfault if authn
fails to set r->user. Log bug and return 500 instead.
PR 42995 [Nick Kew]
*) HTTP protocol filter: fix handling of longer chunk extensions
PR 49474 [<tee.bee gmx.de>]
*) Update SSL cipher suite and add example for SSLHonorCipherOrder.
[Lars Eilebrecht, Rainer Jung]
*) move AddOutputFilterByType from core to mod_filter. This should
fix nasty side-effects that happen when content_type is set
more than once in processing a request, and make it fully
compatible with dynamic and proxied contents. [Nick Kew]
*) mod_log_config: Implement logging for sub second timestamps and
request end time. [Rainer Jung]
Changes with Apache 2.3.6
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
attack when compiled against OpenSSL version 0.9.8m or later. Introduces
the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
and offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol, RFC 5746.
[Joe Orton, and with thanks to the OpenSSL Team]
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
by rejecting any client-initiated renegotiations. Forcibly disable
keepalive for the connection if there is any buffered data readable. Any
configuration which requires renegotiation for per-directory/location
access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
[Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
*) SECURITY: CVE-2010-0408 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
when request headers indicate a request body is incoming; not a case of
HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola <niku.toivola sulake.com>]
*) SECURITY: CVE-2010-0425 (cve.mitre.org)
mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.
[Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
*) core: Filter init functions are now run strictly once per request
before handler invocation. The init functions are no longer run
for connection filters. PR 49328. [Joe Orton]
*) core: Adjust the output filter chain correctly in an internal
redirect from a subrequest, preserving filters from the main
request as necessary. PR 17629. [Joe Orton]
*) mod_cache: Explicitly allow cache implementations to cache a 206 Partial
Response if they so choose to do so. Previously an attempt to cache a 206
was arbitrarily allowed if the response contained an Expires or
Cache-Control header, and arbitrarily denied if both headers were missing.
[Graham Leggett]
*) core: Add microsecond timestamp fractions, process id and thread id
to the error log. [Rainer Jung]
*) configure: The "most" module set gets build by default. [Rainer Jung]
*) configure: Building dynamic modules (DSO) by default. [Rainer Jung]
*) configure: Fix broken VPATH build when using included APR.
[Rainer Jung]
*) mod_session_crypto: Fix configure problem when building
with APR 2 and for VPATH builds with included APR.
[Rainer Jung]
*) mod_session_crypto: API compatibility with APR 2 crypto and
APR Util 1.x crypto. [Rainer Jung]
*) ab: Fix memory leak with -v2 and SSL. PR 49383.
[Pavel Kankovsky <peak argo troja mff cuni cz>]
*) core: Add per-module and per-directory loglevel configuration.
Add some more trace logging.
mod_rewrite: Replace RewriteLog/RewriteLogLevel with trace log levels.
mod_ssl: Replace LogLevelDebugDump with trace log levels.
mod_ssl/mod_proxy*: Adjust loglevels to be less verbose at levels info
and debug.
mod_dumpio: Replace DumpIOLogLevel with trace log levels.
[Stefan Fritsch]
*) mod_ldap: LDAP caching was suppressed (and ldap-status handler returns
title page only) when any mod_ldap directives were used in VirtualHost
context. [Eric Covener]
*) mod_disk_cache: Decline the opportunity to cache if the response is
a 206 Partial Content. This stops a reverse proxied partial response
from becoming cached, and then being served in subsequent responses.
[Graham Leggett]
*) mod_deflate: avoid the risk of forwarding data before headers are set.
PR 49369 [Matthew Steele <mdsteele google.com>]
*) mod_authnz_ldap: Ensure nested groups are checked when the
top-level group doesn't have any direct non-group members
of attributes in AuthLDAPGroupAttribute. [Eric Covener]
*) mod_authnz_ldap: Search or Comparison during authorization phase
can use the credentials from the authentication phase
(AuthLDAPSearchAsUSer,AuthLDAPCompareAsUser).
PR 48340 [Domenico Rotiroti, Eric Covener]
*) mod_authnz_ldap: Allow the initial DN search during authentication
to use the HTTP username/pass instead of an anonymous or hard-coded
LDAP id (AuthLDAPInitialBindAsUser, AuthLDAPInitialBindPattern).
[Eric Covener]
Eric Covener
committed
*) mod_authnz_ldap: Publish requested LDAP data with an AUTHORIZE_ prefix
when this module is used for authorization. See AuthLDAPAuthorizePrefix.
PR 45584 [Eric Covener]
*) apxs -q: Stop filtering out ':' characters from the reported values.
PR 45343. [Bill Cole]
*) prefork MPM: Run cleanups for final request when process exits gracefully.
PR 43857. [Tom Donovan]
Loading full blame...