Newer
Older
*) SECURITY: CVE-2013-5704 (cve.mitre.org)
core: HTTP trailers could be used to replace HTTP headers
late during request processing, potentially undoing or
otherwise confusing modules that examined or modified
request headers earlier. Adds "MergeTrailers" directive to restore
legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
Daniel Gruno
committed
*) mod_lua: Don't quote Expires and Path values. PR 56734.
[Keith Mashinter, <kmashint yahoo com>]
*) SECURITY: CVE-2014-0117 (cve.mitre.org)
mod_proxy: Fix crash in Connection header handling which allowed a denial
of service attack against a reverse proxy with a threaded MPM.
[Ben Reser]
*) SECURITY: CVE-2014-3523 (cve.mitre.org)
Fix a memory consumption denial of service in the WinNT MPM, used in all
Windows installations. Workaround: AcceptFilter <protocol> {none|connect}
*) SECURITY: CVE-2014-0226 (cve.mitre.org)
Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow. [Joe Orton, Eric Covener]
*) SECURITY: CVE-2014-0118 (cve.mitre.org)
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to
avoid denial of service via highly compressed bodies. See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
*) SECURITY: CVE-2014-0231 (cve.mitre.org)
mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server. By
default, the client I/O timeout (Timeout directive) now applies to
communication with scripts. The CGIDScriptTimeout directive can be
used to set a different timeout for communication with scripts.
[Rainer Jung, Eric Covener, Yann Ylavic]
*) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
resumed by TLS session resumption (RFC 5077). [Rainer Jung]
*) mod_deflate: Don't fail when flushing inflated data to the user-agent
and that coincides with the end of stream ("Zlib error flushing inflate
buffer"). PR 56196. [Christoph Fausak <christoph fausak glueckkanja.com>]
*) mod_proxy_ajp: Forward local IP address as a custom request attribute
like we already do for the remote port. [Rainer Jung]
*) core: Include any error notes set by modules in the canned error
response for 403 errors. [Jeff Trawick]
*) mod_ssl: Set an error note for requests rejected due to
SSLStrictSNIVHostCheck. [Jeff Trawick]
*) mod_ssl: Fix issue with redirects to error documents when handling
SNI errors. [Jeff Trawick]
*) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
larger keys and support up to 8192-bit keys. [Ruediger Pluem,
Joe Orton]
*) mod_dav: Fix improper encoding in PROPFIND responses. PR 56480.
[Ben Reser]
*) WinNT MPM: Improve error handling for termination events in child.
[Jeff Trawick]
*) mod_proxy: When ping/pong is configured for a worker, don't send or
forward "100 Continue" (interim) response to the client if it does
not expect one. [Yann Ylavic]
*) mod_ldap: Be more conservative with the last-used time for
LDAPConnectionPoolTTL. PR54587 [Eric Covener]
*) mod_ldap: LDAP connections used for authn were not respecting
LDAPConnectionPoolTTL. PR54587 [Eric Covener]
*) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
[Jeff Trawick]
*) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
or occasional missed mod_status updates under load. PR 56639.
[Edward Lu <Chaosed0 gmail com>]
*) mod_authnz_ldap: Support primitive LDAP servers do not accept
filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
filter "none" to be specified in AuthLDAPURL. [Eric Covener]
*) mod_deflate: Fix inflation of files larger than 4GB. PR 56062.
[Lukas Bezdicka <social v3.sk>]
Yann Ylavic
committed
*) mod_deflate: Handle Zlib header and validation bytes received in multiple
chunks. PR 46146. [Yann Ylavic]
*) mod_proxy: Allow reverse-proxy to be set via explicit handler.
[ryo takatsuki <ryotakatsuki gmail com>]
*) ab: support custom HTTP method with -m argument. PR 56604.
[Roman Jurkov <winfinit gmail.com>]
Jim Jagielski
committed
*) mod_proxy_balancer: Correctly encode user provided data in management
interface. PR 56532 [Maksymilian, <max cert.cx>]
*) mod_proxy_fcgi: Support iobuffersize parameter. [Jeff Trawick]
Jim Jagielski
committed
*) mod_auth_form: Add a debug message when the fields on a form are not
recognised. [Graham Leggett]
*) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
response. PR 55547. [Yann Ylavic]
*) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
scheme. PR55320. [Alex Liu <alex.leo.ca gmail.com>]
*) mod_socache_shmcb: Correct counting of expirations for status display.
Expirations happening during retrieval were not counted. [Rainer Jung]
*) mod_cache: Retry unconditional request with the full URL (including the
query-string) when the origin server's 304 response does not match the
conditions used to revalidate the stale entry. [Yann Ylavic].
*) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
variables as a result of AliasMatch. [Eric Covener]
*) mod_cache: Don't add cached/revalidated entity headers to a 304 response.
PR 55547. [Yann Ylavic]
*) mod_proxy_scgi: Support Unix sockets. ap_proxy_port_of_scheme():
Support default SCGI port (4000). [Jeff Trawick]
*) mod_cache: Fix AH00784 errors on Windows when the the CacheLock directive
is enabled. [Eric Covener]
*) mod_expires: don't add Expires header to error responses (4xx/5xx),
be they generated or forwarded. PR 55669. [Yann Ylavic]
*) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
(regression in 2.4.9 release) [Jeff Trawick]
*) mod_authn_socache: Fix crash at startup in certain configurations.
PR 56371. (regression in 2.4.7) [Jan Kaluza]
*) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
programs to the form used in releases up to 2.4.7, and emulate
a backwards-compatible behavior for existing setups. [Kaspar Brand]
*) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
OCSP requests should use a nonce to be checked against the responder's
one. PR 56233. [Yann Ylavic, Kaspar Brand]
*) mod_ssl: "SSLEngine off" will now override a Listen-based default
and does disable mod_ssl for the vhost. [Joe Orton]
*) mod_lua: Enforce the max post size allowed via r:parsebody()
[Daniel Gruno]
*) mod_lua: Use binary comparison to find boundaries for multipart
objects, as to not terminate our search prematurely when hitting
a NULL byte. [Daniel Gruno]
*) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
versions before 0.9.8h and not specifying an SSLCertificateChainFile
(regression introduced with 2.4.8). PR 56410. [Kaspar Brand]
*) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
no longer send warning-level unrecognized_name(112) alerts,
and limit startup warnings to cases where an OpenSSL version
without TLS extension support is used. PR 56241. [Kaspar Brand]
*) mod_proxy_html: Avoid some possible memory access violation in case of
specially crafted files, when the ProxyHTMLMeta directive is turned on.
Follow up of PR 56287 [Christophe Jaillet]
*) mod_auth_form: Make sure the optional functions are loaded even when
the AuthFormProvider isn't specified. [Graham Leggett]
*) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
(and logging garbled file names). PR 56306. [Kaspar Brand]
*) mod_ssl: fix merging of global and vhost-level settings with the
SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
directives. PR 56353. [Kaspar Brand]
*) mod_headers: Allow the "value" parameter of Header and RequestHeader to
contain an ap_expr expression if prefixed with "expr=". [Eric Covener]
*) rotatelogs: Avoid creation of zombie processes when -p is used on
Unix platforms. [Joe Orton]
*) mod_authnz_fcgi: New module to enable FastCGI authorizer
applications to authenticate and/or authorize clients.
[Jeff Trawick]
Loading full blame...