Skip to content
CHANGES 136 KiB
Newer Older
                                                         -*- coding: utf-8 -*-
Ruediger Pluem's avatar
Ruediger Pluem committed

Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.7

  *) ab: Fix potential buffer overflows when processing the T and X
     command-line options.  PR 55360.
     [Mike Rumph <mike.rumph oracle.com>]

  *) fcgistarter: Specify SO_REUSEADDR to allow starting a server
     with old connections in TIME_WAIT.  [Jeff Trawick]

  *) core: Add open_htaccess hook which, in conjunction with dirwalk_stat
     and post_perdir_config (introduced in 2.4.5), allows mpm-itk to be 
     used without patches to httpd core. [Stefan Fritsch]
Christophe Jaillet's avatar
Christophe Jaillet committed
  *) support/htdbm: fix processing of -t command line switch. Regression
     introduced in 2.4.4
     PR 55264 [Jo Rhett <jrhett netconsonance com>]
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.6

Jim Jagielski's avatar
Jim Jagielski committed
  *) Revert a broken fix for PR54948 that was applied to 2.4.5 (which was
     not released) and found post-2.4.5 tagging.
Jim Jagielski's avatar
Jim Jagielski committed
Changes with Apache 2.4.5

  *) SECURITY: CVE-2013-1896 (cve.mitre.org)
     mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
     the source href (sent as part of the request body as XML) pointing to a
     URI that is not configured for DAV will trigger a segfault. [Ben Reser
     <ben reser.org>]

Jim Jagielski's avatar
Jim Jagielski committed
  *) SECURITY: CVE-2013-2249 (cve.mitre.org)
     mod_session_dbd: Make sure that dirty flag is respected when saving
     sessions, and ensure the session ID is changed each time the session
     changes. This changes the format of the updatesession SQL statement.
     Existing configurations must be changed.
     [Takashi Sato, Graham Leggett]
  *) mod_auth_basic: Add a generic mechanism to fake basic authentication
     using the ap_expr parser. AuthBasicFake allows the administrator to 
     construct their own username and password for basic authentication based 
     on their needs. [Graham Leggett]

  *) mpm_event: Check that AsyncRequestWorkerFactor is not negative. PR 54254.
     [Jackie Zhang <jackie qq zhang gmail com>]

  *) mod_proxy: Ensure we don't attempt to amend a table we are iterating
     through, ensuring that all headers listed by Connection are removed.
     [Graham Leggett, Co-Advisor <coad measurement-factory.com>]

  *) mod_proxy_http: Make the proxy-interim-response environment variable
     effective by formally overriding origin server behaviour. [Graham
     Leggett, Co-Advisor <coad measurement-factory.com>]
  *) mod_proxy: Fix seg-faults when using the global pool on threaded
     MPMs [Thomas Eckert <thomas.r.w.eckert gmail.com>, Graham Leggett,
     Jim Jagielski]

  *) mod_deflate: Remove assumptions as to when an EOS bucket might arrive.
     Gracefully step aside if the body size is zero. [Graham Leggett]

Joe Orton's avatar
Joe Orton committed
  *) mod_ssl: Fix possible truncation of OCSP responses when reading from the
     server.  [Joe Orton]

  *) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
     on Linux kernel versions 3.x and above.  PR 55121.  [Bradley Heilbrun
     <apache heilbrun.org>]

  *) mod_cache_socache: Make sure the CacheSocacheMaxSize directive is merged
     correctly. [Jens Låås <jelaas gmail.com>]

Rainer Jung's avatar
Rainer Jung committed
  *) rotatelogs: add -n number-of-files option to rotate through a number
     of fixed-name logfiles. [Eric Covener]

  *) mod_proxy: Support web-socket tunnels via mod_proxy_wstunnel.
     [Jim Jagielski]

  *) mod_cache_socache: Use the name of the socache implementation when performing
     a lookup rather than using the raw arguments. [Martin Ksellmann
     <martin@ksellmann.de>]

  *) core: Add dirwalk_stat hook.  [Jeff Trawick]
  *) core: Add post_perdir_config hook.
     [Steinar Gunderson <sgunderson bigfoot.com>]

  *) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
     [Christophe Jaillet]

  *) mod_remoteip: close file in error path. [Christophe Jaillet]

  *) core: make the "default" parameter of the "ErrorDocument" option case
     insensitive. PR 54419 [Tianyin Xu <tixu cs ucsd edu>]

  *) mod_proxy_html: make the "ProxyHTMLFixups" options case insensitive.
     PR 54420 [Tianyin Xu <tixu cs ucsd edu>]

  *) mod_cache: Make option "CacheDisable" in mod_cache case insensitive.
     PR 54462 [Tianyin Xu <tixu cs ucsd edu>]
  *) mod_cache: If a 304 response indicates an entity not currently cached, then
     the cache MUST disregard the response and repeat the request without the
     conditional. [Graham Leggett, Co-Advisor <coad measurement-factory.com>]

  *) mod_cache: Ensure that we don't attempt to replace a cached response
     with an older response as per RFC2616 13.12. [Graham Leggett, Co-Advisor
     <coad measurement-factory.com>]

  *) core, mod_cache: Ensure RFC2616 compliance in ap_meets_conditions()
     with weak validation combined with If-Range and Range headers. Break
     out explicit conditional header checks to be useable elsewhere in the
     server. Ensure weak validation RFC compliance in the byteranges filter.
     Ensure RFC validation compliance when serving cached entities. PR 16142
     [Graham Leggett, Co-Advisor <coad measurement-factory.com>]

  *) core: Add the ability to do explicit matching on weak and strong ETags
     as per RFC2616 Section 13.3.3. [Graham Leggett, Co-Advisor
     <coad measurement-factory.com>]

  *) mod_cache: Ensure that updated responses to HEAD requests don't get
     mistakenly paired with a previously cached body. Ensure that any existing
     body is removed when a HEAD request is cached. [Graham Leggett,
     Co-Advisor <coad measurement-factory.com>]

  *) mod_cache: Honour Cache-Control: no-store in a request. [Graham Leggett]

  *) mod_cache: Make sure that contradictory entity headers present in a 304
     Not Modified response are caught and cause the entity to be removed.
     [Graham Leggett]

  *) mod_cache: Make sure Vary processing handles multivalued Vary headers and
     multivalued headers referred to via Vary. [Graham Leggett]

  *) mod_cache: When serving from cache, only the last header of a multivalued
     header was taken into account. Fixed. Ensure that Warning headers are
     correctly handled as per RFC2616. [Graham Leggett]

  *) mod_cache: Ignore response headers specified by no-cache=header and
     private=header as specified by RFC2616 14.9.1 What is Cacheable. Ensure
     that these headers are still processed when multiple Cache-Control
     headers are present in the response. PR 54706 [Graham Leggett,
     Yann Ylavic <ylavic.dev gmail.com>]

  *) mod_cache: Invalidate cached entities in response to RFC2616 Section
     13.10 Invalidation After Updates or Deletions. PR 15868 [Graham
     Leggett]

  *) mod_dav: Improve error handling in dav_method_put(), add new
     dav_join_error() function.  PR 54145.  [Ben Reser <ben reser.org>]

  *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

  *) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
     property on a resource for which there is no dead property in the same
     namespace httpd segfaults. PR 52559 [Diego Santa Cruz
     <diego.santaCruz spinetix.com>]

  *) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
     result in a 412 Precondition Failed for a COPY operation. PR54610
     [Timothy Wood <tjw omnigroup.com>]
  *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
     we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]

  *) 'AuthGroupFile' and 'AuthUserFile' do not accept anymore the optional
     'standard' keyword . It was unused and not documented.
     PR54463 [Tianyin Xu <tixu cs.ucsd.edu> and Christophe Jaillet]

  *) core: Do not over allocate memory within 'ap_rgetline_core' for
     the common case. [Christophe Jaillet]

  *) core: speed up (for common cases) and reduce memory usage of
     ap_escape_logitem(). This should save 70-100 bytes in the request
     pool for a default config. [Christophe Jaillet]

  *) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
     [Timothy Wood <tjw omnigroup.com>]

  *) mod_proxy: Reject invalid values for Max-Forwards. [Graham Leggett,
     Co-Advisor <coad measurement-factory.com>]

  *) mod_cache: RFC2616 14.9.3 The s-maxage directive also implies the
     semantics of the proxy-revalidate directive. [Graham Leggett]

  *) mod_ssl: add support for subjectAltName-based host name checking
     in proxy mode (SSLProxyCheckPeerName). PR 54030. [Kaspar Brand]
  *) core: Use the proper macro for HTTP/1.1. [Graham Leggett]

  *) event MPM: Provide error handling for ThreadStackSize. PR 54311
     [Tianyin Xu <tixu cs.ucsd.edu>, Christophe Jaillet]

  *) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
     PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]

  *) core: Improve error message where client's request-line exceeds
     LimitRequestLine. PR 54384 [Christophe Jaillet]

Loading full blame...